301 lines
11 KiB
Diff
301 lines
11 KiB
Diff
From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001
|
||
From: liuxinhao <liuxinhao@kylinsec.com.cn>
|
||
Date: Tue, 30 May 2023 11:11:48 +0800
|
||
Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some
|
||
interfaces of the authentication service
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
- 提升部分认证服务接口权限至root,调用前需认证polkit
|
||
|
||
Closes #I795QI
|
||
---
|
||
data/com.kylinsec.Kiran.Authentication.xml | 7 ++-
|
||
src/daemon/auth-manager.cpp | 66 ++++++++++++++--------
|
||
src/daemon/auth-manager.h | 46 ++++++++++-----
|
||
src/daemon/user.cpp | 2 +-
|
||
src/pam/authentication.cpp | 1 -
|
||
5 files changed, 82 insertions(+), 40 deletions(-)
|
||
|
||
diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml
|
||
index b575ebd..12b077f 100644
|
||
--- a/data/com.kylinsec.Kiran.Authentication.xml
|
||
+++ b/data/com.kylinsec.Kiran.Authentication.xml
|
||
@@ -51,7 +51,7 @@
|
||
</arg>
|
||
</method>
|
||
|
||
- <method name="SetDrivereEanbled">
|
||
+ <method name="SetDrivereEnabled">
|
||
<arg name="driver_name" direction="in" type="s">
|
||
<description>driver name</description>
|
||
</arg>
|
||
@@ -73,7 +73,7 @@
|
||
<arg name="auth_type" direction="in" type="i">
|
||
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
|
||
</arg>
|
||
- <arg name="device_id" type="s">
|
||
+ <arg name="device_id" direction="in" type="s">
|
||
<description>The default device ID.</description>
|
||
</arg>
|
||
</method>
|
||
@@ -82,6 +82,9 @@
|
||
<arg name="auth_type" direction="in" type="i">
|
||
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
|
||
</arg>
|
||
+ <arg name="device_id" direction="out" type="s">
|
||
+ <description>The default device ID.</description>
|
||
+ </arg>
|
||
</method>
|
||
|
||
<method name="SetAuthTypeEnabledForApp">
|
||
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
|
||
index 0a74682..7ebef89 100644
|
||
--- a/src/daemon/auth-manager.cpp
|
||
+++ b/src/daemon/auth-manager.cpp
|
||
@@ -21,6 +21,7 @@
|
||
#include "src/daemon/device/device-adaptor-factory.h"
|
||
#include "src/daemon/error.h"
|
||
#include "src/daemon/proxy/dbus-daemon-proxy.h"
|
||
+#include "src/daemon/proxy/polkit-proxy.h"
|
||
#include "src/daemon/session.h"
|
||
#include "src/daemon/user-manager.h"
|
||
#include "src/utils/utils.h"
|
||
@@ -34,6 +35,9 @@
|
||
#include <QMetaEnum>
|
||
#include <QSettings>
|
||
#include <QTime>
|
||
+
|
||
+#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration"
|
||
+
|
||
namespace Kiran
|
||
{
|
||
// 会话ID的最大值
|
||
@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout,
|
||
.arg(authApp)
|
||
.arg(this->message().service())
|
||
.arg(sessionID);
|
||
-
|
||
+
|
||
return QDBusObjectPath(session->getObjectPath());
|
||
}
|
||
|
||
@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType)
|
||
return DeviceAdaptorFactory::getInstance()->getDriversForType(authType);
|
||
}
|
||
|
||
-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled)
|
||
-{
|
||
- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
|
||
- {
|
||
- DBUS_ERROR_REPLY(QDBusError::InternalError,
|
||
- KADErrorCode::ERROR_FAILED);
|
||
- }
|
||
-}
|
||
-
|
||
QDBusObjectPath AuthManager::FindUserByID(qulonglong uid)
|
||
{
|
||
auto pwent = getpwuid(uid);
|
||
@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType)
|
||
return m_authConfig->getAuthTypeEnable((KADAuthType)authType);
|
||
}
|
||
|
||
-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled)
|
||
-{
|
||
- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
|
||
-}
|
||
-
|
||
bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp)
|
||
{
|
||
return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp);
|
||
}
|
||
|
||
-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled)
|
||
-{
|
||
- m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
|
||
-}
|
||
-
|
||
/// @brief 通过认证应用枚举获取支持的认证类型或认证顺序
|
||
/// @param authApp 应用程序所属的认证应用类型
|
||
/// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型
|
||
@@ -202,9 +187,9 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
|
||
auto sortedAuthTypes = authOrder;
|
||
|
||
auto enabledAuthTypeIter = enabledAuthTypes.begin();
|
||
- while(enabledAuthTypeIter != enabledAuthTypes.end())
|
||
+ while (enabledAuthTypeIter != enabledAuthTypes.end())
|
||
{
|
||
- if(!sortedAuthTypes.contains(*enabledAuthTypeIter))
|
||
+ if (!sortedAuthTypes.contains(*enabledAuthTypeIter))
|
||
{
|
||
sortedAuthTypes << *enabledAuthTypeIter;
|
||
}
|
||
@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName)
|
||
}
|
||
}
|
||
|
||
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool);
|
||
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool);
|
||
+CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool);
|
||
+
|
||
void AuthManager::init()
|
||
{
|
||
auto systemConnection = QDBusConnection::systemBus();
|
||
@@ -276,6 +265,11 @@ void AuthManager::init()
|
||
connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString)));
|
||
}
|
||
|
||
+QString AuthManager::calcAction(const QString &originAction)
|
||
+{
|
||
+ return AUTH_USER_ADMIN;
|
||
+}
|
||
+
|
||
int32_t AuthManager::generateSessionID()
|
||
{
|
||
// 最多生成10次,超过次数则返回失败
|
||
@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID()
|
||
}
|
||
return -1;
|
||
}
|
||
+
|
||
+void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled)
|
||
+{
|
||
+ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
|
||
+ {
|
||
+ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);
|
||
+ }
|
||
+
|
||
+ auto replyMessage = message.createReply();
|
||
+ QDBusConnection::systemBus().send(replyMessage);
|
||
+}
|
||
+
|
||
+void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled)
|
||
+{
|
||
+ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
|
||
+
|
||
+ auto replyMessage = message.createReply();
|
||
+ QDBusConnection::systemBus().send(replyMessage);
|
||
+}
|
||
+
|
||
+void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled)
|
||
+{
|
||
+ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
|
||
+
|
||
+ auto replyMessage = message.createReply();
|
||
+ QDBusConnection::systemBus().send(replyMessage);
|
||
+}
|
||
+
|
||
} // namespace Kiran
|
||
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
|
||
index 696dc96..e707e0b 100644
|
||
--- a/src/daemon/auth-manager.h
|
||
+++ b/src/daemon/auth-manager.h
|
||
@@ -48,46 +48,64 @@ public:
|
||
int getMaxFailures();
|
||
|
||
public Q_SLOTS: // DBUS METHODS
|
||
+ /// normal
|
||
+ // 获取认证服务中用户DBUS对象
|
||
+ QDBusObjectPath FindUserByID(qulonglong uid);
|
||
+ QDBusObjectPath FindUserByName(const QString &userName);
|
||
+
|
||
// 认证会话创建以及销毁
|
||
QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp);
|
||
void DestroySession(uint sessionID);
|
||
|
||
+ // 根据认证类型获取驱动列表
|
||
QString GetDriversForType(int authType);
|
||
- void SetDrivereEanbled(const QString& driverName,bool enabled);
|
||
|
||
- // 获取认证服务中用户DBUS对象
|
||
- QDBusObjectPath FindUserByID(qulonglong uid);
|
||
- QDBusObjectPath FindUserByName(const QString &userName);
|
||
-
|
||
- // 获取认证设备
|
||
+ // 根据认证类型获取设备列表
|
||
QString GetDevicesForType(int authType);
|
||
- // 获取默认认证设备
|
||
- QString GetDefaultDeviceID(int authType);
|
||
- // 设置默认设备ID
|
||
- void SetDefaultDeviceID(int authType, const QString &deviceID);
|
||
|
||
- // 认证类型总开关
|
||
+ // 获取认证类型是否启用
|
||
bool GetAuthTypeEnabled(int authType);
|
||
- void SetAuthTypeEnabled(int authType,bool enabled);
|
||
|
||
- // 获取/设置指定认证场景下认证类型的开关
|
||
+ // 获取认证类型认证场景(认证应用)是否启用
|
||
bool GetAuthTypeEnabledForApp(int authType,int authApp);
|
||
- void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
|
||
+
|
||
+ // 默认设备
|
||
+ QString GetDefaultDeviceID(int authType);
|
||
+ void SetDefaultDeviceID(int authType, const QString &deviceID);
|
||
|
||
// 通过pam服务名查询属于哪个认证场景
|
||
+ // 例如:
|
||
+ // lightdm->KAD_AUTH_APPLICATION_LOGIN,
|
||
+ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK
|
||
int QueryAuthApp(const QString &pamServiceName);
|
||
+
|
||
// 通过指定的认证应用获取支持的认证类型,返回值为有序列表
|
||
QList<int> GetAuthTypeByApp(int32_t authApp);
|
||
|
||
void onNameLost(const QString &serviceName);
|
||
|
||
+ // root
|
||
+ // 设备驱动控制
|
||
+ void SetDrivereEnabled(const QString& driverName,bool enabled);
|
||
+
|
||
+ // 认证类型总开关
|
||
+ void SetAuthTypeEnabled(int authType,bool enabled);
|
||
+
|
||
+ // 获取/设置指定认证场景下认证类型的开关
|
||
+ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
|
||
+
|
||
signals:
|
||
void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal);
|
||
|
||
private:
|
||
void init();
|
||
+ // 需要管理员权限
|
||
+ QString calcAction(const QString &originAction);
|
||
// 生成一个唯一的会话ID
|
||
int32_t generateSessionID();
|
||
+ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled);
|
||
+ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled);
|
||
+ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled);
|
||
|
||
private:
|
||
static AuthManager *m_instance;
|
||
diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp
|
||
index 1b77bf0..c9d98bb 100644
|
||
--- a/src/daemon/user.cpp
|
||
+++ b/src/daemon/user.cpp
|
||
@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii
|
||
if (!getIIDs().contains(iid))
|
||
{
|
||
USER_WARNING() << "delete identification" << iid << "error,can not find!";
|
||
- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
|
||
+ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
|
||
}
|
||
|
||
USER_DEBUG() << "delete identification" << iid;
|
||
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
|
||
index 192a1b1..6a165fd 100644
|
||
--- a/src/pam/authentication.cpp
|
||
+++ b/src/pam/authentication.cpp
|
||
@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
|
||
{
|
||
}
|
||
|
||
-// TODO polkit 认证 超时,未结束认证
|
||
Authentication::~Authentication()
|
||
{
|
||
if (this->m_authSessionProxy && this->m_authManagerProxy)
|
||
--
|
||
2.33.0
|
||
|