packages/kiran-authentication-service
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
kiran-authentication-service/0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch

301 lines
11 KiB
Diff
Raw Permalink Normal View History

fix(*): Fixed an issue with the first round of test in Part 2.5 - 修复部分第一轮测试出现的问题
2023-05-31 16:27:58 +08:00
From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 11:11:48 +0800
Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some
interfaces of the authentication service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 提升部分认证服务接口权限至root调用前需认证polkit
Closes #I795QI
---
data/com.kylinsec.Kiran.Authentication.xml | 7 ++-
src/daemon/auth-manager.cpp | 66 ++++++++++++++--------
src/daemon/auth-manager.h | 46 ++++++++++-----
src/daemon/user.cpp | 2 +-
src/pam/authentication.cpp | 1 -
5 files changed, 82 insertions(+), 40 deletions(-)
diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml
index b575ebd..12b077f 100644
--- a/data/com.kylinsec.Kiran.Authentication.xml
+++ b/data/com.kylinsec.Kiran.Authentication.xml
@@ -51,7 +51,7 @@
</arg>
</method>
- <method name="SetDrivereEanbled">
+ <method name="SetDrivereEnabled">
<arg name="driver_name" direction="in" type="s">
<description>driver name</description>
</arg>
@@ -73,7 +73,7 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
- <arg name="device_id" type="s">
+ <arg name="device_id" direction="in" type="s">
<description>The default device ID.</description>
</arg>
</method>
@@ -82,6 +82,9 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
+ <arg name="device_id" direction="out" type="s">
+ <description>The default device ID.</description>
+ </arg>
</method>
<method name="SetAuthTypeEnabledForApp">
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 0a74682..7ebef89 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -21,6 +21,7 @@
#include "src/daemon/device/device-adaptor-factory.h"
#include "src/daemon/error.h"
#include "src/daemon/proxy/dbus-daemon-proxy.h"
+#include "src/daemon/proxy/polkit-proxy.h"
#include "src/daemon/session.h"
#include "src/daemon/user-manager.h"
#include "src/utils/utils.h"
@@ -34,6 +35,9 @@
#include <QMetaEnum>
#include <QSettings>
#include <QTime>
+
+#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration"
+
namespace Kiran
{
// 会话ID的最大值
@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout,
.arg(authApp)
.arg(this->message().service())
.arg(sessionID);
-
+
return QDBusObjectPath(session->getObjectPath());
}
@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType)
return DeviceAdaptorFactory::getInstance()->getDriversForType(authType);
}
-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled)
-{
- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
- {
- DBUS_ERROR_REPLY(QDBusError::InternalError,
- KADErrorCode::ERROR_FAILED);
- }
-}
-
QDBusObjectPath AuthManager::FindUserByID(qulonglong uid)
{
auto pwent = getpwuid(uid);
@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType)
return m_authConfig->getAuthTypeEnable((KADAuthType)authType);
}
-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled)
-{
- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
-}
-
bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp)
{
return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp);
}
-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled)
-{
- m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
-}
-
/// @brief 通过认证应用枚举获取支持的认证类型或认证顺序
/// @param authApp 应用程序所属的认证应用类型
/// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型
@@ -202,9 +187,9 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
auto sortedAuthTypes = authOrder;
auto enabledAuthTypeIter = enabledAuthTypes.begin();
- while(enabledAuthTypeIter != enabledAuthTypes.end())
+ while (enabledAuthTypeIter != enabledAuthTypes.end())
{
- if(!sortedAuthTypes.contains(*enabledAuthTypeIter))
+ if (!sortedAuthTypes.contains(*enabledAuthTypeIter))
{
sortedAuthTypes << *enabledAuthTypeIter;
}
@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName)
}
}
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool);
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool);
+CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool);
+
void AuthManager::init()
{
auto systemConnection = QDBusConnection::systemBus();
@@ -276,6 +265,11 @@ void AuthManager::init()
connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString)));
}
+QString AuthManager::calcAction(const QString &originAction)
+{
+ return AUTH_USER_ADMIN;
+}
+
int32_t AuthManager::generateSessionID()
{
// 最多生成10次超过次数则返回失败
@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID()
}
return -1;
}
+
+void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled)
+{
+ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
+ {
+ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);
+ }
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled)
+{
+ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled)
+{
+ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
} // namespace Kiran
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
index 696dc96..e707e0b 100644
--- a/src/daemon/auth-manager.h
+++ b/src/daemon/auth-manager.h
@@ -48,46 +48,64 @@ public:
int getMaxFailures();
public Q_SLOTS: // DBUS METHODS
+ /// normal
+ // 获取认证服务中用户DBUS对象
+ QDBusObjectPath FindUserByID(qulonglong uid);
+ QDBusObjectPath FindUserByName(const QString &userName);
+
// 认证会话创建以及销毁
QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp);
void DestroySession(uint sessionID);
+ // 根据认证类型获取驱动列表
QString GetDriversForType(int authType);
- void SetDrivereEanbled(const QString& driverName,bool enabled);
- // 获取认证服务中用户DBUS对象
- QDBusObjectPath FindUserByID(qulonglong uid);
- QDBusObjectPath FindUserByName(const QString &userName);
-
- // 获取认证设备
+ // 根据认证类型获取设备列表
QString GetDevicesForType(int authType);
- // 获取默认认证设备
- QString GetDefaultDeviceID(int authType);
- // 设置默认设备ID
- void SetDefaultDeviceID(int authType, const QString &deviceID);
- // 认证类型总开关
+ // 获取认证类型是否启用
bool GetAuthTypeEnabled(int authType);
- void SetAuthTypeEnabled(int authType,bool enabled);
- // 获取/设置指定认证场景下认证类型的开关
+ // 获取认证类型认证场景(认证应用)是否启用
bool GetAuthTypeEnabledForApp(int authType,int authApp);
- void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
+ // 默认设备
+ QString GetDefaultDeviceID(int authType);
+ void SetDefaultDeviceID(int authType, const QString &deviceID);
// 通过pam服务名查询属于哪个认证场景
+ // 例如:
+ // lightdm->KAD_AUTH_APPLICATION_LOGIN,
+ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK
int QueryAuthApp(const QString &pamServiceName);
+
// 通过指定的认证应用获取支持的认证类型,返回值为有序列表
QList<int> GetAuthTypeByApp(int32_t authApp);
void onNameLost(const QString &serviceName);
+ // root
+ // 设备驱动控制
+ void SetDrivereEnabled(const QString& driverName,bool enabled);
+
+ // 认证类型总开关
+ void SetAuthTypeEnabled(int authType,bool enabled);
+
+ // 获取/设置指定认证场景下认证类型的开关
+ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
signals:
void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal);
private:
void init();
+ // 需要管理员权限
+ QString calcAction(const QString &originAction);
// 生成一个唯一的会话ID
int32_t generateSessionID();
+ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled);
+ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled);
+ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled);
private:
static AuthManager *m_instance;
diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp
index 1b77bf0..c9d98bb 100644
--- a/src/daemon/user.cpp
+++ b/src/daemon/user.cpp
@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii
if (!getIIDs().contains(iid))
{
USER_WARNING() << "delete identification" << iid << "error,can not find!";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
+ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
}
USER_DEBUG() << "delete identification" << iid;
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 192a1b1..6a165fd 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
{
}
-// TODO polkit 认证 超时,未结束认证
Authentication::~Authentication()
{
if (this->m_authSessionProxy && this->m_authManagerProxy)
--
2.33.0
Reference in New Issue Copy Permalink