2010-05-06 20:13:59 +02:00
|
|
|
/* GDBus - GLib D-Bus Library
|
|
|
|
*
|
2010-05-09 19:14:55 +02:00
|
|
|
* Copyright (C) 2008-2010 Red Hat, Inc.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2017-05-27 18:21:30 +02:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General
|
2014-01-23 12:58:29 +01:00
|
|
|
* Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* Author: David Zeuthen <davidz@redhat.com>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#include "gdbusauthobserver.h"
|
|
|
|
#include "gcredentials.h"
|
|
|
|
#include "gioenumtypes.h"
|
|
|
|
#include "giostream.h"
|
2011-04-08 21:14:47 +02:00
|
|
|
#include "gdbusprivate.h"
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2010-05-06 22:34:23 +02:00
|
|
|
#include "glibintl.h"
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
/**
|
|
|
|
* SECTION:gdbusauthobserver
|
|
|
|
* @short_description: Object used for authenticating connections
|
2010-05-06 21:31:45 +02:00
|
|
|
* @include: gio/gio.h
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* The #GDBusAuthObserver type provides a mechanism for participating
|
|
|
|
* in how a #GDBusServer (or a #GDBusConnection) authenticates remote
|
|
|
|
* peers. Simply instantiate a #GDBusAuthObserver and connect to the
|
|
|
|
* signals you are interested in. Note that new signals may be added
|
|
|
|
* in the future
|
|
|
|
*
|
2019-06-05 14:48:13 +02:00
|
|
|
* ## Controlling Authentication Mechanisms
|
|
|
|
*
|
|
|
|
* By default, a #GDBusServer or server-side #GDBusConnection will allow
|
|
|
|
* any authentication mechanism to be used. If you only
|
|
|
|
* want to allow D-Bus connections with the `EXTERNAL` mechanism,
|
|
|
|
* which makes use of credentials passing and is the recommended
|
|
|
|
* mechanism for modern Unix platforms such as Linux and the BSD family,
|
|
|
|
* you would use a signal handler like this:
|
|
|
|
*
|
|
|
|
* |[<!-- language="C" -->
|
|
|
|
* static gboolean
|
|
|
|
* on_allow_mechanism (GDBusAuthObserver *observer,
|
|
|
|
* const gchar *mechanism,
|
|
|
|
* gpointer user_data)
|
|
|
|
* {
|
|
|
|
* if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
|
|
|
|
* {
|
|
|
|
* return TRUE;
|
|
|
|
* }
|
|
|
|
*
|
|
|
|
* return FALSE;
|
|
|
|
* }
|
|
|
|
* ]|
|
|
|
|
*
|
2019-06-05 14:47:09 +02:00
|
|
|
* ## Controlling Authorization # {#auth-observer}
|
2014-02-08 23:52:21 +01:00
|
|
|
*
|
2019-06-05 14:44:10 +02:00
|
|
|
* By default, a #GDBusServer or server-side #GDBusConnection will accept
|
|
|
|
* connections from any successfully authenticated user (but not from
|
|
|
|
* anonymous connections using the `ANONYMOUS` mechanism). If you only
|
|
|
|
* want to allow D-Bus connections from processes owned by the same uid
|
|
|
|
* as the server, you would use a signal handler like the following:
|
2014-02-08 23:52:21 +01:00
|
|
|
*
|
2014-06-01 15:38:49 +02:00
|
|
|
* |[<!-- language="C" -->
|
2010-05-06 20:13:59 +02:00
|
|
|
* static gboolean
|
2010-05-13 22:20:31 +02:00
|
|
|
* on_authorize_authenticated_peer (GDBusAuthObserver *observer,
|
|
|
|
* GIOStream *stream,
|
|
|
|
* GCredentials *credentials,
|
|
|
|
* gpointer user_data)
|
2010-05-06 20:13:59 +02:00
|
|
|
* {
|
2010-05-13 22:20:31 +02:00
|
|
|
* gboolean authorized;
|
2010-05-12 19:01:40 +02:00
|
|
|
*
|
2010-05-13 22:20:31 +02:00
|
|
|
* authorized = FALSE;
|
2010-07-20 21:02:36 +02:00
|
|
|
* if (credentials != NULL)
|
|
|
|
* {
|
|
|
|
* GCredentials *own_credentials;
|
|
|
|
* own_credentials = g_credentials_new ();
|
|
|
|
* if (g_credentials_is_same_user (credentials, own_credentials, NULL))
|
|
|
|
* authorized = TRUE;
|
|
|
|
* g_object_unref (own_credentials);
|
|
|
|
* }
|
2010-05-12 19:01:40 +02:00
|
|
|
*
|
2010-05-13 22:20:31 +02:00
|
|
|
* return authorized;
|
2010-05-06 20:13:59 +02:00
|
|
|
* }
|
2014-02-08 23:52:21 +01:00
|
|
|
* ]|
|
2010-05-06 20:13:59 +02:00
|
|
|
*/
|
|
|
|
|
2010-07-07 22:35:17 +02:00
|
|
|
typedef struct _GDBusAuthObserverClass GDBusAuthObserverClass;
|
|
|
|
|
2010-07-07 21:57:37 +02:00
|
|
|
/**
|
|
|
|
* GDBusAuthObserverClass:
|
|
|
|
* @authorize_authenticated_peer: Signal class handler for the #GDBusAuthObserver::authorize-authenticated-peer signal.
|
|
|
|
*
|
|
|
|
* Class structure for #GDBusAuthObserverClass.
|
|
|
|
*
|
|
|
|
* Since: 2.26
|
|
|
|
*/
|
|
|
|
struct _GDBusAuthObserverClass
|
|
|
|
{
|
|
|
|
/*< private >*/
|
|
|
|
GObjectClass parent_class;
|
|
|
|
|
|
|
|
/*< public >*/
|
|
|
|
|
|
|
|
/* Signals */
|
|
|
|
gboolean (*authorize_authenticated_peer) (GDBusAuthObserver *observer,
|
|
|
|
GIOStream *stream,
|
|
|
|
GCredentials *credentials);
|
2012-04-12 05:30:48 +02:00
|
|
|
|
|
|
|
gboolean (*allow_mechanism) (GDBusAuthObserver *observer,
|
|
|
|
const gchar *mechanism);
|
2010-07-07 21:57:37 +02:00
|
|
|
};
|
|
|
|
|
2010-07-07 22:35:17 +02:00
|
|
|
/**
|
|
|
|
* GDBusAuthObserver:
|
|
|
|
*
|
|
|
|
* The #GDBusAuthObserver structure contains only private data and
|
|
|
|
* should only be accessed using the provided API.
|
|
|
|
*
|
|
|
|
* Since: 2.26
|
|
|
|
*/
|
|
|
|
struct _GDBusAuthObserver
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
2010-07-07 22:35:17 +02:00
|
|
|
GObject parent_instance;
|
2010-05-06 20:13:59 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
enum
|
|
|
|
{
|
2010-05-13 22:20:31 +02:00
|
|
|
AUTHORIZE_AUTHENTICATED_PEER_SIGNAL,
|
2012-04-12 05:30:48 +02:00
|
|
|
ALLOW_MECHANISM_SIGNAL,
|
2010-05-06 20:13:59 +02:00
|
|
|
LAST_SIGNAL,
|
|
|
|
};
|
|
|
|
|
|
|
|
static guint signals[LAST_SIGNAL] = { 0 };
|
|
|
|
|
2014-10-17 12:54:02 +02:00
|
|
|
G_DEFINE_TYPE (GDBusAuthObserver, g_dbus_auth_observer, G_TYPE_OBJECT)
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
static void
|
|
|
|
g_dbus_auth_observer_finalize (GObject *object)
|
|
|
|
{
|
2010-05-12 19:01:40 +02:00
|
|
|
G_OBJECT_CLASS (g_dbus_auth_observer_parent_class)->finalize (object);
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean
|
2010-05-13 22:20:31 +02:00
|
|
|
g_dbus_auth_observer_authorize_authenticated_peer_real (GDBusAuthObserver *observer,
|
|
|
|
GIOStream *stream,
|
|
|
|
GCredentials *credentials)
|
|
|
|
{
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2012-04-12 05:30:48 +02:00
|
|
|
static gboolean
|
|
|
|
g_dbus_auth_observer_allow_mechanism_real (GDBusAuthObserver *observer,
|
|
|
|
const gchar *mechanism)
|
|
|
|
{
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
static void
|
|
|
|
g_dbus_auth_observer_class_init (GDBusAuthObserverClass *klass)
|
|
|
|
{
|
|
|
|
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
|
|
|
|
|
2010-05-12 19:01:40 +02:00
|
|
|
gobject_class->finalize = g_dbus_auth_observer_finalize;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2010-05-13 22:20:31 +02:00
|
|
|
klass->authorize_authenticated_peer = g_dbus_auth_observer_authorize_authenticated_peer_real;
|
2012-04-12 05:30:48 +02:00
|
|
|
klass->allow_mechanism = g_dbus_auth_observer_allow_mechanism_real;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/**
|
2010-05-13 22:20:31 +02:00
|
|
|
* GDBusAuthObserver::authorize-authenticated-peer:
|
2010-05-06 20:13:59 +02:00
|
|
|
* @observer: The #GDBusAuthObserver emitting the signal.
|
|
|
|
* @stream: A #GIOStream for the #GDBusConnection.
|
2016-10-29 03:29:02 +02:00
|
|
|
* @credentials: (nullable): Credentials received from the peer or %NULL.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* Emitted to check if a peer that is successfully authenticated
|
2010-05-13 22:20:31 +02:00
|
|
|
* is authorized.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
2010-05-13 22:20:31 +02:00
|
|
|
* Returns: %TRUE if the peer is authorized, %FALSE if not.
|
2010-05-06 22:02:08 +02:00
|
|
|
*
|
|
|
|
* Since: 2.26
|
2010-05-06 20:13:59 +02:00
|
|
|
*/
|
2010-05-13 22:20:31 +02:00
|
|
|
signals[AUTHORIZE_AUTHENTICATED_PEER_SIGNAL] =
|
2015-09-12 06:00:40 +02:00
|
|
|
g_signal_new (I_("authorize-authenticated-peer"),
|
2010-05-06 20:13:59 +02:00
|
|
|
G_TYPE_DBUS_AUTH_OBSERVER,
|
|
|
|
G_SIGNAL_RUN_LAST,
|
2010-05-13 22:20:31 +02:00
|
|
|
G_STRUCT_OFFSET (GDBusAuthObserverClass, authorize_authenticated_peer),
|
|
|
|
_g_signal_accumulator_false_handled,
|
2010-05-06 20:13:59 +02:00
|
|
|
NULL, /* accu_data */
|
2011-07-19 19:18:10 +02:00
|
|
|
NULL,
|
2010-05-06 20:13:59 +02:00
|
|
|
G_TYPE_BOOLEAN,
|
|
|
|
2,
|
|
|
|
G_TYPE_IO_STREAM,
|
|
|
|
G_TYPE_CREDENTIALS);
|
2012-04-12 05:30:48 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* GDBusAuthObserver::allow-mechanism:
|
|
|
|
* @observer: The #GDBusAuthObserver emitting the signal.
|
2014-02-06 14:04:52 +01:00
|
|
|
* @mechanism: The name of the mechanism, e.g. `DBUS_COOKIE_SHA1`.
|
2012-04-12 05:30:48 +02:00
|
|
|
*
|
|
|
|
* Emitted to check if @mechanism is allowed to be used.
|
|
|
|
*
|
|
|
|
* Returns: %TRUE if @mechanism can be used to authenticate the other peer, %FALSE if not.
|
|
|
|
*
|
|
|
|
* Since: 2.34
|
|
|
|
*/
|
|
|
|
signals[ALLOW_MECHANISM_SIGNAL] =
|
2015-09-12 06:00:40 +02:00
|
|
|
g_signal_new (I_("allow-mechanism"),
|
2012-04-12 05:30:48 +02:00
|
|
|
G_TYPE_DBUS_AUTH_OBSERVER,
|
|
|
|
G_SIGNAL_RUN_LAST,
|
|
|
|
G_STRUCT_OFFSET (GDBusAuthObserverClass, allow_mechanism),
|
|
|
|
_g_signal_accumulator_false_handled,
|
|
|
|
NULL, /* accu_data */
|
|
|
|
NULL,
|
|
|
|
G_TYPE_BOOLEAN,
|
|
|
|
1,
|
|
|
|
G_TYPE_STRING);
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
g_dbus_auth_observer_init (GDBusAuthObserver *observer)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* g_dbus_auth_observer_new:
|
|
|
|
*
|
|
|
|
* Creates a new #GDBusAuthObserver object.
|
|
|
|
*
|
|
|
|
* Returns: A #GDBusAuthObserver. Free with g_object_unref().
|
2010-05-06 22:02:08 +02:00
|
|
|
*
|
|
|
|
* Since: 2.26
|
2010-05-06 20:13:59 +02:00
|
|
|
*/
|
|
|
|
GDBusAuthObserver *
|
|
|
|
g_dbus_auth_observer_new (void)
|
|
|
|
{
|
|
|
|
return g_object_new (G_TYPE_DBUS_AUTH_OBSERVER, NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
/**
|
2010-05-13 22:20:31 +02:00
|
|
|
* g_dbus_auth_observer_authorize_authenticated_peer:
|
2010-05-06 20:13:59 +02:00
|
|
|
* @observer: A #GDBusAuthObserver.
|
|
|
|
* @stream: A #GIOStream for the #GDBusConnection.
|
2016-10-29 03:29:02 +02:00
|
|
|
* @credentials: (nullable): Credentials received from the peer or %NULL.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
2010-05-13 22:20:31 +02:00
|
|
|
* Emits the #GDBusAuthObserver::authorize-authenticated-peer signal on @observer.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
2010-07-20 21:02:36 +02:00
|
|
|
* Returns: %TRUE if the peer is authorized, %FALSE if not.
|
2010-05-06 22:02:08 +02:00
|
|
|
*
|
|
|
|
* Since: 2.26
|
2010-05-06 20:13:59 +02:00
|
|
|
*/
|
|
|
|
gboolean
|
2010-05-13 22:20:31 +02:00
|
|
|
g_dbus_auth_observer_authorize_authenticated_peer (GDBusAuthObserver *observer,
|
|
|
|
GIOStream *stream,
|
|
|
|
GCredentials *credentials)
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
gboolean denied;
|
|
|
|
|
|
|
|
denied = FALSE;
|
|
|
|
g_signal_emit (observer,
|
2010-05-13 22:20:31 +02:00
|
|
|
signals[AUTHORIZE_AUTHENTICATED_PEER_SIGNAL],
|
2010-05-06 20:13:59 +02:00
|
|
|
0,
|
|
|
|
stream,
|
|
|
|
credentials,
|
|
|
|
&denied);
|
|
|
|
return denied;
|
|
|
|
}
|
2012-04-12 05:30:48 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* g_dbus_auth_observer_allow_mechanism:
|
|
|
|
* @observer: A #GDBusAuthObserver.
|
2014-02-06 14:04:52 +01:00
|
|
|
* @mechanism: The name of the mechanism, e.g. `DBUS_COOKIE_SHA1`.
|
2012-04-12 05:30:48 +02:00
|
|
|
*
|
|
|
|
* Emits the #GDBusAuthObserver::allow-mechanism signal on @observer.
|
|
|
|
*
|
|
|
|
* Returns: %TRUE if @mechanism can be used to authenticate the other peer, %FALSE if not.
|
|
|
|
*
|
|
|
|
* Since: 2.34
|
|
|
|
*/
|
|
|
|
gboolean
|
|
|
|
g_dbus_auth_observer_allow_mechanism (GDBusAuthObserver *observer,
|
|
|
|
const gchar *mechanism)
|
|
|
|
{
|
|
|
|
gboolean ret;
|
|
|
|
|
|
|
|
ret = FALSE;
|
|
|
|
g_signal_emit (observer,
|
|
|
|
signals[ALLOW_MECHANISM_SIGNAL],
|
|
|
|
0,
|
|
|
|
mechanism,
|
|
|
|
&ret);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|