kiran-authentication-service/0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch
liuxinhao 9ca8030f94 fix(*): Fixed an issue with the first round of test in Part 2.5
- 修复部分第一轮测试出现的问题
2023-05-31 16:27:58 +08:00



From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 11:11:48 +0800
Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some
interfaces of the authentication service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 提升部分认证服务接口权限至root调用前需认证polkit
Closes #I795QI
---
data/com.kylinsec.Kiran.Authentication.xml | 7 ++-
src/daemon/auth-manager.cpp | 66 ++++++++++++++--------
src/daemon/auth-manager.h | 46 ++++++++++-----
src/daemon/user.cpp | 2 +-
src/pam/authentication.cpp | 1 -
5 files changed, 82 insertions(+), 40 deletions(-)
diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml
index b575ebd..12b077f 100644
--- a/data/com.kylinsec.Kiran.Authentication.xml
+++ b/data/com.kylinsec.Kiran.Authentication.xml
@@ -51,7 +51,7 @@
</arg>
</method>
- <method name="SetDrivereEanbled">
+ <method name="SetDrivereEnabled">
<arg name="driver_name" direction="in" type="s">
<description>driver name</description>
</arg>
@@ -73,7 +73,7 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
- <arg name="device_id" type="s">
+ <arg name="device_id" direction="in" type="s">
<description>The default device ID.</description>
</arg>
</method>
@@ -82,6 +82,9 @@
<arg name="auth_type" direction="in" type="i">
<description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
</arg>
+ <arg name="device_id" direction="out" type="s">
+ <description>The default device ID.</description>
+ </arg>
</method>
<method name="SetAuthTypeEnabledForApp">
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 0a74682..7ebef89 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -21,6 +21,7 @@
#include "src/daemon/device/device-adaptor-factory.h"
#include "src/daemon/error.h"
#include "src/daemon/proxy/dbus-daemon-proxy.h"
+#include "src/daemon/proxy/polkit-proxy.h"
#include "src/daemon/session.h"
#include "src/daemon/user-manager.h"
#include "src/utils/utils.h"
@@ -34,6 +35,9 @@
#include <QMetaEnum>
#include <QSettings>
#include <QTime>
+
+#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration"
+
namespace Kiran
{
// 会话ID的最大值
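Review bot: AUTH_USER_ADMIN is introduced as a preprocessor macro for a value that is only ever used as a string, which puts it in the global macro namespace and gives the compiler nothing to check; a typed constant inside the Kiran namespace does the same job, e.g. `static const char AUTH_USER_ADMIN[] = "com.kylinsec.kiran.authentication.user-administration";`, and should still be usable where the patch passes it to the CHECK_AUTH_WITH_*ARGS macros and returns it from calcAction, assuming those only need something convertible to a string. Whatever the form, this string is a polkit action ID that has to match the action declared in the service's polkit policy, and none of the five files in the diffstat is a policy file, so a one-line comment such as `// Must match the <action id> declared in the service's polkit policy file.` next to the definition would make that coupling visible to the next maintainer.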
@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout,
.arg(authApp)
.arg(this->message().service())
.arg(sessionID);
-
+
return QDBusObjectPath(session->getObjectPath());
}
@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType)
return DeviceAdaptorFactory::getInstance()->getDriversForType(authType);
}
-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled)
-{
- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
- {
- DBUS_ERROR_REPLY(QDBusError::InternalError,
- KADErrorCode::ERROR_FAILED);
- }
-}
-
QDBusObjectPath AuthManager::FindUserByID(qulonglong uid)
{
auto pwent = getpwuid(uid);
@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType)
return m_authConfig->getAuthTypeEnable((KADAuthType)authType);
}
-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled)
-{
- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
-}
-
bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp)
{
return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp);
}
-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled)
-{
- m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
-}
-
/// @brief 通过认证应用枚举获取支持的认证类型或认证顺序
/// @param authApp 应用程序所属的认证应用类型
/// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型
@@ -202,9 +187,9 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
auto sortedAuthTypes = authOrder;
auto enabledAuthTypeIter = enabledAuthTypes.begin();
- while(enabledAuthTypeIter != enabledAuthTypes.end())
+ while (enabledAuthTypeIter != enabledAuthTypes.end())
{
- if(!sortedAuthTypes.contains(*enabledAuthTypeIter))
+ if (!sortedAuthTypes.contains(*enabledAuthTypeIter))
{
sortedAuthTypes << *enabledAuthTypeIter;
}
@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName)
}
}
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool);
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool);
+CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool);
+
void AuthManager::init()
{
auto systemConnection = QDBusConnection::systemBus();
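Review bot: The D-Bus method name generated by the first CHECK_AUTH_WITH_2ARGS line, `SetDrivereEnabled`, still carries the "Drivere" misspelling that this commit only half-corrects (it fixes "Eanbled" in the XML at the first hunk of com.kylinsec.Kiran.Authentication.xml and in the header declaration in auth-manager.h). Since the commit already breaks the public method name once, renaming it fully to `SetDriverEnabled` here, in the XML `<method name>` and in the header avoids a second interface break later; the internal slot `onSetDriverEnabled` already uses the correct spelling. The CHECK_AUTH_WITH_*ARGS macros themselves are not visible in this patch, so I cannot confirm from here how they use the action argument relative to calcAction.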
@@ -276,6 +265,11 @@ void AuthManager::init()
connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString)));
}
+QString AuthManager::calcAction(const QString &originAction)
+{
+ return AUTH_USER_ADMIN;
+}
+
int32_t AuthManager::generateSessionID()
{
// 最多生成10次超过次数则返回失败
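Review bot: calcAction ignores originAction and returns AUTH_USER_ADMIN unconditionally, so any action name a caller supplies is collapsed to the single user-administration action; if that is deliberate (one coarse polkit action for all root-level interfaces), it should be stated, because the header only says "需要管理员权限" and a reader will otherwise assume the parameter is consulted. Add `Q_UNUSED(originAction);` as the first statement so the unused parameter does not warn, and document the method with `/// Map a requested action to the polkit action ID checked before the root-only interfaces run; currently every action resolves to AUTH_USER_ADMIN.`. The flip side of the coarse mapping is that the polkit policy cannot grant driver control separately from the auth-type toggles, which is worth a sentence in the same comment.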
@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID()
}
return -1;
}
+
+void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled)
+{
+ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
+ {
+ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);
+ }
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled)
+{
+ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled)
+{
+ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
} // namespace Kiran
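Review bot: onSetDriverEnabled answers the same D-Bus message twice on the failure path: after DBUS_ERROR_REPLY_ASYNC on the setDrivereEanbled failure, control falls through to `message.createReply()` and a success reply is sent for a call that already received an error, assuming the ASYNC macro sends and does not return as its name suggests. The user.cpp hunk in this same patch shows the intended idiom, so the line should be `DBUS_ERROR_REPLY_ASYNC_AND_RET(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);`. A second point for all three handlers: authType and authApp arrive as D-Bus integers and are C-style cast to KADAuthType / KADAuthApplication with no range check, so unless m_authConfig validates them (not visible here), an out-of-range value from any client that passed polkit is written into the configuration; rejecting it up front with `DBUS_ERROR_REPLY_ASYNC_AND_RET(message, QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);` would mirror the validation style already used in User::onDeleteIdentification.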
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
index 696dc96..e707e0b 100644
--- a/src/daemon/auth-manager.h
+++ b/src/daemon/auth-manager.h
@@ -48,46 +48,64 @@ public:
int getMaxFailures();
public Q_SLOTS: // DBUS METHODS
+ /// normal
+ // 获取认证服务中用户DBUS对象
+ QDBusObjectPath FindUserByID(qulonglong uid);
+ QDBusObjectPath FindUserByName(const QString &userName);
+
// 认证会话创建以及销毁
QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp);
void DestroySession(uint sessionID);
+ // 根据认证类型获取驱动列表
QString GetDriversForType(int authType);
- void SetDrivereEanbled(const QString& driverName,bool enabled);
- // 获取认证服务中用户DBUS对象
- QDBusObjectPath FindUserByID(qulonglong uid);
- QDBusObjectPath FindUserByName(const QString &userName);
-
- // 获取认证设备
+ // 根据认证类型获取设备列表
QString GetDevicesForType(int authType);
- // 获取默认认证设备
- QString GetDefaultDeviceID(int authType);
- // 设置默认设备ID
- void SetDefaultDeviceID(int authType, const QString &deviceID);
- // 认证类型总开关
+ // 获取认证类型是否启用
bool GetAuthTypeEnabled(int authType);
- void SetAuthTypeEnabled(int authType,bool enabled);
- // 获取/设置指定认证场景下认证类型的开关
+ // 获取认证类型认证场景(认证应用)是否启用
bool GetAuthTypeEnabledForApp(int authType,int authApp);
- void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
+ // 默认设备
+ QString GetDefaultDeviceID(int authType);
+ void SetDefaultDeviceID(int authType, const QString &deviceID);
// 通过pam服务名查询属于哪个认证场景
+ // 例如:
+ // lightdm->KAD_AUTH_APPLICATION_LOGIN,
+ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK
int QueryAuthApp(const QString &pamServiceName);
+
// 通过指定的认证应用获取支持的认证类型,返回值为有序列表
QList<int> GetAuthTypeByApp(int32_t authApp);
void onNameLost(const QString &serviceName);
+ // root
+ // 设备驱动控制
+ void SetDrivereEnabled(const QString& driverName,bool enabled);
+
+ // 认证类型总开关
+ void SetAuthTypeEnabled(int authType,bool enabled);
+
+ // 获取/设置指定认证场景下认证类型的开关
+ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
signals:
void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal);
private:
void init();
+ // 需要管理员权限
+ QString calcAction(const QString &originAction);
// 生成一个唯一的会话ID
int32_t generateSessionID();
+ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled);
+ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled);
+ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled);
private:
static AuthManager *m_instance;
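Review bot: The reorganised slot list mixes comment styles for its section markers (`/// normal` uses a Doxygen triple slash, `// root` a plain comment) and neither says what the marker means for a client; spelling them out, e.g. `// ---- Callable by any client ----` and `// ---- Require polkit authorization (AUTH_USER_ADMIN) before running ----`, documents the security boundary this commit introduces right where the methods are declared. The new example comment `iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK` looks like it is missing the leading "k" of kiran-screensaver. The three private onSet* handlers are declared without any comment; a single line above them such as `// Actual implementations, invoked by the CHECK_AUTH_WITH_*ARGS wrappers after the polkit check passes; reply on `message`.` would explain why they take a QDBusMessage. The class AuthManager begins and ends outside this hunk.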
diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp
index 1b77bf0..c9d98bb 100644
--- a/src/daemon/user.cpp
+++ b/src/daemon/user.cpp
@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii
if (!getIIDs().contains(iid))
{
USER_WARNING() << "delete identification" << iid << "error,can not find!";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
+ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
}
USER_DEBUG() << "delete identification" << iid;
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 192a1b1..6a165fd 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
{
}
-// TODO polkit 认证 超时,未结束认证
Authentication::~Authentication()
{
if (this->m_authSessionProxy && this->m_authManagerProxy)
--
2.33.0