PolicyKit oddities

Richard Hughes hughsient at gmail.com
Mon Jun 9 13:22:45 PDT 2008 

On Fri, 2008-06-06 at 09:35 -0400, David Zeuthen wrote:
> On Fri, 2008-06-06 at 12:02 +0100, Richard Hughes wrote:
> > I've just been reviewing how we are using polkit in PackageKit and
> > changing it to use an authentication agent rather than hardcoding
> > polkit-gnome.
> > 
> > Some oddities I noticed...
> > 
> > * polkit_auth_obtain uses DBusError rather than PolKitError when it's
> > nothing to do with DBUS...
> 
> That's because it happens over the bus; besides you ought to be using
> 
> http://hal.freedesktop.org/docs/PolicyKit-gnome/polkit-gnome-polkit-gnome-auth.html#polkit-gnome-auth-obtain
> 
> since you really want it to be async.

Sure, this is what I use in the libpackagekit (designed for console too)
library, by I agree with you for the gnome bits.

> > * polkit_action_get_action_id returns a action_id as a type (char **)
> > and in the docs it says that it shouldn't be freed. Shouldn't this
> > therefore be a (char * const *)?
> 
> Probably even const * char *; however the pattern is that most libraries
> that return an array of strings don't do the const-dance; mostly because
> most existing utility functions taking an array of strings are wrong wrt
> const, e.g. g_strv_length() and friends. So that's why.

Yes, g_strv_length confuses me a bit why it's char **.

> > * polkit_dbus_error_parse_from_strings takes a error_name and
> > error_message parameter. Using a GError you only get the domain, code
> > and message, and so it might be worth mentioning in the docs to use
> > dbus_g_error_get_name on the GError.
> 
> Yeah, what I want to do is to have a libpolkit-gobject library that
> includes some parts of what's in libpolkit-gnome. Including G-versions
> of polkit_dbus_error_parse_from_strings(), polkit_dbus_error_generate(),
> polkit_auth_obtain() etc.

Excellent.

> > * Also, when using polkit_dbus_error_parse, the error name is hardcoded
> > to org.freedesktop.PolicyKit.Error.NotAuthorized when the error
> > PackageKit generates is org.freedesktop.PackageKit.RefusedByPolicy - is
> > this my bug or yours?
> 
> So initially there was no recommendation of what error names to use;
> however I decided it would be more useful if everyone just used the same
> name. Also, when I add object support the contents of the error will
> need to include the object path, e.g. instead of just being
> 
>  org.nm.can_dial_number auth_admin
> 
> it will be
> 
>  org.nm.can_dial_number:telephone-number:1-555-1234-5678 auth_admin
> 
> and assuming that software follows this recommendation, adding support
> for objects will be mostly free.

Cool.

> So I'd recommend you switch PackageKit to using
> 
>  polkit_dbus_error_generate()

Ahh, I'm using the glib bindings, so I have to generate a GError - which
I do using:

*error = g_error_new (PK_TRANSACTION_ERROR,
PK_TRANSACTION_ERROR_REFUSED_BY_POLICY, "%s", error_detail);

> on the daemon side; and
> 
>  polkit_dbus_error_parse_from_strings()

Yup, I use this now, thanks.

> It's because the "Simple convenience interface" which is a dumbed down
> interface.. that interface was mostly added so patching legacy apps like
> crontab(1) is easy, e.g.
> 
> http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commit;h=a712e78e69220b43695463e00983e9316a646d32
> 
> which is a lot simpler than creating PolKitAction and PolKitCaller
> objects and what not.

Agreed. Cheers dude.

Richard.

More information about the hal mailing list