authenticator: Fix sandboxed authenticators

We rely on broadcast signals for authenticator replies rather than unicast
as these are not filtered by the sandbox (due to them being opt-in by the
receiver).

Actually, this already worked fine on the flatpak side, as the generated
code already subscribes to the signals; this just switches the internal
authenticators (test and oci) to the new way of emitting signals.
Alexander Larsson
2019-12-19 09:08:55 +01:00
committed by Alexander Larsson
parent 1291663a5a
commit aabadfdc8e
4 changed files with 24 additions and 156 deletions


@@ -61,20 +61,5 @@ gboolean flatpak_auth_request_ref_tokens (FlatpakAuth
char * flatpak_auth_create_request_path (const char *peer,
const char *token,
GError **error);
void flatpak_auth_request_emit_response (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
guint arg_response,
GVariant *arg_results);
void flatpak_auth_request_emit_webflow (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
const char *arg_uri,
GVariant *options);
void flatpak_auth_request_emit_webflow_done (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
GVariant *options);
void flatpak_auth_request_emit_basic_auth (FlatpakAuthenticatorRequest *request,
const char *destination_bus_name,
const char *arg_realm,
GVariant *options);
#endif /* __FLATPAK_AUTH_H__ */


@@ -177,119 +177,3 @@ flatpak_auth_request_ref_tokens (FlatpakAuthenticator *authenticator,
return TRUE;
}
void
flatpak_auth_request_emit_response (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
guint arg_response,
GVariant *arg_results)
{
FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request);
GList *connections, *l;
g_autoptr(GVariant) signal_variant = NULL;
connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton));
signal_variant = g_variant_ref_sink (g_variant_new ("(u@a{sv})", arg_response, arg_results));
for (l = connections; l != NULL; l = l->next)
{
GDBusConnection *connection = l->data;
g_dbus_connection_emit_signal (connection, destination_bus_name,
g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)),
"org.freedesktop.Flatpak.AuthenticatorRequest",
"Response", signal_variant, NULL);
}
g_list_free_full (connections, g_object_unref);
}
void
flatpak_auth_request_emit_webflow (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
const char *arg_uri,
GVariant *options)
{
FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request);
GList *connections, *l;
g_autoptr(GVariant) signal_variant = NULL;
g_autoptr(GVariant) default_options = NULL;
if (options == NULL)
{
default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
options = default_options;
}
connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton));
signal_variant = g_variant_ref_sink (g_variant_new ("(s@a{sv})", arg_uri, options));
for (l = connections; l != NULL; l = l->next)
{
GDBusConnection *connection = l->data;
g_dbus_connection_emit_signal (connection, destination_bus_name,
g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)),
"org.freedesktop.Flatpak.AuthenticatorRequest", "Webflow",
signal_variant, NULL);
}
g_list_free_full (connections, g_object_unref);
}
void
flatpak_auth_request_emit_webflow_done (FlatpakAuthenticatorRequest *request,
const gchar *destination_bus_name,
GVariant *options)
{
FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request);
GList *connections, *l;
g_autoptr(GVariant) signal_variant = NULL;
g_autoptr(GVariant) default_options = NULL;
if (options == NULL)
{
default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
options = default_options;
}
connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton));
signal_variant = g_variant_ref_sink (g_variant_new ("(@a{sv})", options));
for (l = connections; l != NULL; l = l->next)
{
GDBusConnection *connection = l->data;
g_dbus_connection_emit_signal (connection, destination_bus_name,
g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)),
"org.freedesktop.Flatpak.AuthenticatorRequest", "WebflowDone",
signal_variant, NULL);
}
g_list_free_full (connections, g_object_unref);
}
void
flatpak_auth_request_emit_basic_auth (FlatpakAuthenticatorRequest *request,
const char *destination_bus_name,
const char *arg_realm,
GVariant *options)
{
FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request);
GList *connections, *l;
g_autoptr(GVariant) signal_variant = NULL;
g_autoptr(GVariant) default_options = NULL;
if (options == NULL)
{
default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
options = default_options;
}
connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton));
signal_variant = g_variant_ref_sink (g_variant_new ("(s@a{sv})", arg_realm, options));
for (l = connections; l != NULL; l = l->next)
{
GDBusConnection *connection = l->data;
g_dbus_connection_emit_signal (connection, destination_bus_name,
g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)),
"org.freedesktop.Flatpak.AuthenticatorRequest", "BasicAuth",
signal_variant, NULL);
}
g_list_free_full (connections, g_object_unref);
}


@@ -225,6 +225,7 @@ run_basic_auth (FlatpakAuthenticatorRequest *request,
BasicAuthData auth = { FALSE };
int id1, id2;
g_autofree char *combined = NULL;
g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
g_cond_init (&auth.cond);
g_mutex_init (&auth.mutex);
@@ -236,7 +237,7 @@ run_basic_auth (FlatpakAuthenticatorRequest *request,
id1 = g_signal_connect (request, "handle-close", G_CALLBACK (handle_request_ref_tokens_close), &auth);
id2 = g_signal_connect (request, "handle-basic-auth-reply", G_CALLBACK (handle_request_ref_tokens_basic_auth_reply), &auth);
flatpak_auth_request_emit_basic_auth (request, sender, realm, NULL);
flatpak_authenticator_request_emit_basic_auth (request, realm, options);
while (!auth.done)
g_cond_wait (&auth.cond, &auth.mutex);
@@ -292,9 +293,9 @@ cancel_request (FlatpakAuthenticatorRequest *request,
GVariantBuilder results;
g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}"));
flatpak_auth_request_emit_response (request, sender,
FLATPAK_AUTH_RESPONSE_CANCELLED,
g_variant_builder_end (&results));
flatpak_authenticator_request_emit_response (request,
FLATPAK_AUTH_RESPONSE_CANCELLED,
g_variant_builder_end (&results));
return TRUE;
}
@@ -307,9 +308,9 @@ error_request (FlatpakAuthenticatorRequest *request,
g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}"));
g_variant_builder_add (&results, "{sv}", "error-message", g_variant_new_string (error_message));
flatpak_auth_request_emit_response (request, sender,
FLATPAK_AUTH_RESPONSE_ERROR,
g_variant_builder_end (&results));
flatpak_authenticator_request_emit_response (request,
FLATPAK_AUTH_RESPONSE_ERROR,
g_variant_builder_end (&results));
return TRUE;
}
@@ -526,9 +527,9 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator,
g_variant_builder_add (&results, "{sv}", "tokens", g_variant_builder_end (&tokens));
g_debug ("emiting OK response");
flatpak_auth_request_emit_response (request, sender,
FLATPAK_AUTH_RESPONSE_OK,
g_variant_builder_end (&results));
flatpak_authenticator_request_emit_response (request,
FLATPAK_AUTH_RESPONSE_OK,
g_variant_builder_end (&results));
return TRUE;
}
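Review bot: The OK response in handle_request_ref_tokens now carries the `tokens` dictionary in a broadcast signal, so its confidentiality no longer rests on the `sender` destination that the removed call passed. The commit message describes delivery as opt-in by the receiver, which presumably means any peer on the same bus that subscribes to `org.freedesktop.Flatpak.AuthenticatorRequest` signals can receive the tokens; whether that is acceptable depends on who else can connect to that bus. I would state the assumption above the call, e.g. `/* Broadcast: tokens reach every subscriber on this bus, not only the requesting peer */`, and do the same in finish_request_ref_tokens in the test authenticator. cancel_request and error_request also appear to keep a `sender` parameter that nothing reads any more; their signatures start outside the hunks, so this needs checking against the full file.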


@@ -31,7 +31,6 @@ FlatpakAuthenticator *authenticator;
typedef struct {
FlatpakAuthenticatorRequest *request;
GSocketService *server;
char *sender;
char **arg_refs;
} TokenRequestData;
@@ -41,21 +40,18 @@ token_request_data_free (TokenRequestData *data)
g_clear_object (&data->request);
g_socket_service_stop (data->server);
g_clear_object (&data->server);
g_free (data->sender);
g_strfreev (data->arg_refs);
g_free (data);
}
static TokenRequestData *
token_request_data_new (GDBusMethodInvocation *invocation,
FlatpakAuthenticatorRequest *request,
token_request_data_new (FlatpakAuthenticatorRequest *request,
GSocketService *server,
const gchar *const *arg_refs)
{
TokenRequestData *data = g_new0 (TokenRequestData, 1);
data->request = g_object_ref (request);
data->server = g_object_ref (server);
data->sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
data->arg_refs = g_strdupv ((char **)arg_refs);
return data;
}
@@ -116,9 +112,9 @@ finish_request_ref_tokens (TokenRequestData *data)
g_variant_builder_add (&results, "{sv}", "tokens", g_variant_builder_end (&tokens));
g_debug ("emiting response");
flatpak_auth_request_emit_response (data->request, data->sender,
FLATPAK_AUTH_RESPONSE_OK,
g_variant_builder_end (&results));
flatpak_authenticator_request_emit_response (data->request,
FLATPAK_AUTH_RESPONSE_OK,
g_variant_builder_end (&results));
}
static gboolean
@@ -128,14 +124,15 @@ http_incoming (GSocketService *service,
gpointer user_data)
{
TokenRequestData *data = user_data;
g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
g_assert (data->request != NULL);
/* For the test, just assume any connection is a valid use of the web flow */
g_debug ("handling incomming http request for %s", data->sender);
g_debug ("handling incomming http request");
g_debug ("emiting webflow done");
flatpak_auth_request_emit_webflow_done (data->request, data->sender, NULL);
flatpak_authenticator_request_emit_webflow_done (data->request, options);
finish_request_ref_tokens (data);
@@ -162,9 +159,9 @@ handle_request_close (FlatpakAuthenticatorRequest *object,
g_debug ("Webflow was cancelled by client");
g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}"));
flatpak_auth_request_emit_response (data->request, data->sender,
FLATPAK_AUTH_RESPONSE_CANCELLED,
g_variant_builder_end (&results));
flatpak_authenticator_request_emit_response (data->request,
FLATPAK_AUTH_RESPONSE_CANCELLED,
g_variant_builder_end (&results));
}
else
{
@@ -251,7 +248,7 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator,
}
g_ptr_array_add (refs, NULL);
data = token_request_data_new (invocation, request, server, (const char *const*)refs->pdata);
data = token_request_data_new (request, server, (const char *const*)refs->pdata);
g_signal_connect (server, "incoming", (GCallback)http_incoming, data);
g_signal_connect (request, "handle-close", G_CALLBACK (handle_request_close), data);
@@ -260,9 +257,10 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator,
if (request_webflow ())
{
g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0));
uri = g_strdup_printf ("http://localhost:%d", (int)port);
g_debug ("Requesting webflow %s", uri);
flatpak_auth_request_emit_webflow (request, g_dbus_method_invocation_get_sender (invocation), uri, NULL);
flatpak_authenticator_request_emit_webflow (request, uri, options);
}
else
{
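Review bot: The empty options dictionary `g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0))` is now spelled out by hand in http_incoming and handle_request_ref_tokens here, and again in run_basic_auth in the OCI authenticator. The removed wrappers substituted that value when `options == NULL`, and the generated emitters presumably do not, so a future caller that passes NULL would lose that safety net without any hint in the code. A small shared helper that returns the empty `a{sv}`, or at least a comment at each site such as `/* generated emitter needs a real a{sv}; NULL is not defaulted */`, would make the requirement visible. Both functions continue outside their hunks.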