From aabadfdc8e8d48fe7dd861b622d11cd7375ade4b Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Thu, 19 Dec 2019 09:08:55 +0100 Subject: [PATCH] authenticator: Fix sandboxed authenticators We rely on broadcast signals for authenticator replies rather than unicast as these are not filtered by the sandbox (due to them being opt-in by the receiver). Actually this already worked fine in the flatpak side as the generated code already subscribes to the signals, this just switches the internal authenticators (test and oci) to using the new way to emit signals. --- common/flatpak-auth-private.h | 15 --- common/flatpak-auth.c | 116 ------------------ oci-authenticator/flatpak-oci-authenticator.c | 21 ++-- tests/test-authenticator.c | 28 ++--- 4 files changed, 24 insertions(+), 156 deletions(-) diff --git a/common/flatpak-auth-private.h b/common/flatpak-auth-private.h index db1f7be2..8a1088bd 100644 --- a/common/flatpak-auth-private.h +++ b/common/flatpak-auth-private.h @@ -61,20 +61,5 @@ gboolean flatpak_auth_request_ref_tokens (FlatpakAuth char * flatpak_auth_create_request_path (const char *peer, const char *token, GError **error); -void flatpak_auth_request_emit_response (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - guint arg_response, - GVariant *arg_results); -void flatpak_auth_request_emit_webflow (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - const char *arg_uri, - GVariant *options); -void flatpak_auth_request_emit_webflow_done (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - GVariant *options); -void flatpak_auth_request_emit_basic_auth (FlatpakAuthenticatorRequest *request, - const char *destination_bus_name, - const char *arg_realm, - GVariant *options); #endif /* __FLATPAK_AUTH_H__ */ diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c index 7a00634b..69fde280 100644 --- a/common/flatpak-auth.c +++ b/common/flatpak-auth.c 
@@ -177,119 +177,3 @@ flatpak_auth_request_ref_tokens (FlatpakAuthenticator *authenticator, return TRUE; } - - -void -flatpak_auth_request_emit_response (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - guint arg_response, - GVariant *arg_results) -{ - FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request); - GList *connections, *l; - g_autoptr(GVariant) signal_variant = NULL; - - connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton)); - signal_variant = g_variant_ref_sink (g_variant_new ("(u@a{sv})", arg_response, arg_results)); - for (l = connections; l != NULL; l = l->next) - { - GDBusConnection *connection = l->data; - g_dbus_connection_emit_signal (connection, destination_bus_name, - g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)), - "org.freedesktop.Flatpak.AuthenticatorRequest", - "Response", signal_variant, NULL); - } - g_list_free_full (connections, g_object_unref); -} - -void -flatpak_auth_request_emit_webflow (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - const char *arg_uri, - GVariant *options) -{ - FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request); - GList *connections, *l; - g_autoptr(GVariant) signal_variant = NULL; - g_autoptr(GVariant) default_options = NULL; - - if (options == NULL) - { - default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); - options = default_options; - } - - connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton)); - - signal_variant = g_variant_ref_sink (g_variant_new ("(s@a{sv})", arg_uri, options)); - for (l = connections; l != NULL; l = l->next) - { - GDBusConnection *connection = l->data; - g_dbus_connection_emit_signal (connection, destination_bus_name, - g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON 
(skeleton)), - "org.freedesktop.Flatpak.AuthenticatorRequest", "Webflow", - signal_variant, NULL); - } - g_list_free_full (connections, g_object_unref); -} - -void -flatpak_auth_request_emit_webflow_done (FlatpakAuthenticatorRequest *request, - const gchar *destination_bus_name, - GVariant *options) -{ - FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request); - GList *connections, *l; - g_autoptr(GVariant) signal_variant = NULL; - g_autoptr(GVariant) default_options = NULL; - - if (options == NULL) - { - default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); - options = default_options; - } - - connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton)); - - signal_variant = g_variant_ref_sink (g_variant_new ("(@a{sv})", options)); - for (l = connections; l != NULL; l = l->next) - { - GDBusConnection *connection = l->data; - g_dbus_connection_emit_signal (connection, destination_bus_name, - g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)), - "org.freedesktop.Flatpak.AuthenticatorRequest", "WebflowDone", - signal_variant, NULL); - } - g_list_free_full (connections, g_object_unref); -} - -void -flatpak_auth_request_emit_basic_auth (FlatpakAuthenticatorRequest *request, - const char *destination_bus_name, - const char *arg_realm, - GVariant *options) -{ - FlatpakAuthenticatorRequestSkeleton *skeleton = FLATPAK_AUTHENTICATOR_REQUEST_SKELETON (request); - GList *connections, *l; - g_autoptr(GVariant) signal_variant = NULL; - g_autoptr(GVariant) default_options = NULL; - - if (options == NULL) - { - default_options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); - options = default_options; - } - - connections = g_dbus_interface_skeleton_get_connections (G_DBUS_INTERFACE_SKELETON (skeleton)); - - signal_variant = g_variant_ref_sink (g_variant_new ("(s@a{sv})", arg_realm, options)); - for (l = 
connections; l != NULL; l = l->next) - { - GDBusConnection *connection = l->data; - g_dbus_connection_emit_signal (connection, destination_bus_name, - g_dbus_interface_skeleton_get_object_path (G_DBUS_INTERFACE_SKELETON (skeleton)), - "org.freedesktop.Flatpak.AuthenticatorRequest", "BasicAuth", - signal_variant, NULL); - } - g_list_free_full (connections, g_object_unref); -} diff --git a/oci-authenticator/flatpak-oci-authenticator.c b/oci-authenticator/flatpak-oci-authenticator.c index 2d5fefb8..0957a1cc 100644 --- a/oci-authenticator/flatpak-oci-authenticator.c +++ b/oci-authenticator/flatpak-oci-authenticator.c @@ -225,6 +225,7 @@ run_basic_auth (FlatpakAuthenticatorRequest *request, BasicAuthData auth = { FALSE }; int id1, id2; g_autofree char *combined = NULL; + g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); g_cond_init (&auth.cond); g_mutex_init (&auth.mutex); @@ -236,7 +237,7 @@ run_basic_auth (FlatpakAuthenticatorRequest *request, id1 = g_signal_connect (request, "handle-close", G_CALLBACK (handle_request_ref_tokens_close), &auth); id2 = g_signal_connect (request, "handle-basic-auth-reply", G_CALLBACK (handle_request_ref_tokens_basic_auth_reply), &auth); - flatpak_auth_request_emit_basic_auth (request, sender, realm, NULL); + flatpak_authenticator_request_emit_basic_auth (request, realm, options); while (!auth.done) g_cond_wait (&auth.cond, &auth.mutex); @@ -292,9 +293,9 @@ cancel_request (FlatpakAuthenticatorRequest *request, GVariantBuilder results; g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}")); - flatpak_auth_request_emit_response (request, sender, - FLATPAK_AUTH_RESPONSE_CANCELLED, - g_variant_builder_end (&results)); + flatpak_authenticator_request_emit_response (request, + FLATPAK_AUTH_RESPONSE_CANCELLED, + g_variant_builder_end (&results)); return TRUE; } 
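Review bot: The empty `a{sv}` added to run_basic_auth with `g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0))` is repeated verbatim in http_incoming and handle_request_ref_tokens in tests/test-authenticator.c. The removed flatpak_auth_request_emit_* wrappers were what turned a NULL `options` into an empty dictionary, so every caller now has to do it. A one-line comment on the declaration would keep the reason visible, e.g. `/* the generated emitter presumably needs a non-NULL a{sv}; empty means no options */`. run_basic_auth begins and ends outside this hunk.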
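Review bot: Switching to `flatpak_authenticator_request_emit_basic_auth (request, realm, options)` makes the signal a broadcast, so it is no longer addressed to `sender` alone and, subject to bus policy, any connection on the same bus that matches on this interface can receive it. This matters most for the `Response` emitted in handle_request_ref_tokens (@@ -526), whose results carry the `tokens` dictionary, and it also applies to the cancel_request and error_request hunks. I would record the trade-off next to the emit calls, e.g. `/* Broadcast on purpose: unicast signals are filtered by the sandbox. Everything in this signal is visible to any bus peer that matches on it. */`, and confirm that the tokens may be exposed at that trust level. run_basic_auth begins and ends outside the hunk.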
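Review bot: After this change `sender` is no longer read in the visible part of cancel_request, and the same holds for error_request (@@ -307) and for the emit calls in run_basic_auth and handle_request_ref_tokens, yet these functions still appear to receive it. The test authenticator drops its `sender` field in the same commit, so the OCI authenticator is left inconsistent with it. If nothing else in those functions uses the value, remove the argument from the helpers and their callers. If it is kept to check who may close or reply to the request, say so, e.g. `/* sender is kept to authorize the caller, not to address signals */`. The parameter lists lie outside these hunks, so this is inferred from the removed call lines.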
@@ -307,9 +308,9 @@ error_request (FlatpakAuthenticatorRequest *request, g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}")); g_variant_builder_add (&results, "{sv}", "error-message", g_variant_new_string (error_message)); - flatpak_auth_request_emit_response (request, sender, - FLATPAK_AUTH_RESPONSE_ERROR, - g_variant_builder_end (&results)); + flatpak_authenticator_request_emit_response (request, + FLATPAK_AUTH_RESPONSE_ERROR, + g_variant_builder_end (&results)); return TRUE; } @@ -526,9 +527,9 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator, g_variant_builder_add (&results, "{sv}", "tokens", g_variant_builder_end (&tokens)); g_debug ("emiting OK response"); - flatpak_auth_request_emit_response (request, sender, - FLATPAK_AUTH_RESPONSE_OK, - g_variant_builder_end (&results)); + flatpak_authenticator_request_emit_response (request, + FLATPAK_AUTH_RESPONSE_OK, + g_variant_builder_end (&results)); return TRUE; } diff --git a/tests/test-authenticator.c b/tests/test-authenticator.c index f6dd7eff..6b16b26d 100644 --- a/tests/test-authenticator.c +++ b/tests/test-authenticator.c @@ -31,7 +31,6 @@ FlatpakAuthenticator *authenticator; typedef struct { FlatpakAuthenticatorRequest *request; GSocketService *server; - char *sender; char **arg_refs; } TokenRequestData; 
@@ -41,21 +40,18 @@ token_request_data_free (TokenRequestData *data) g_clear_object (&data->request); g_socket_service_stop (data->server); g_clear_object (&data->server); - g_free (data->sender); g_strfreev (data->arg_refs); g_free (data); } static TokenRequestData * -token_request_data_new (GDBusMethodInvocation *invocation, - FlatpakAuthenticatorRequest *request, +token_request_data_new (FlatpakAuthenticatorRequest *request, GSocketService *server, const gchar *const *arg_refs) { TokenRequestData *data = g_new0 (TokenRequestData, 1); data->request = g_object_ref (request); data->server = g_object_ref (server); - data->sender = g_strdup (g_dbus_method_invocation_get_sender (invocation)); data->arg_refs = g_strdupv ((char **)arg_refs); return data; } @@ -116,9 +112,9 @@ finish_request_ref_tokens (TokenRequestData *data) g_variant_builder_add (&results, "{sv}", "tokens", g_variant_builder_end (&tokens)); g_debug ("emiting response"); - flatpak_auth_request_emit_response (data->request, data->sender, - FLATPAK_AUTH_RESPONSE_OK, - g_variant_builder_end (&results)); + flatpak_authenticator_request_emit_response (data->request, + FLATPAK_AUTH_RESPONSE_OK, + g_variant_builder_end (&results)); } static gboolean @@ -128,14 +124,15 @@ http_incoming (GSocketService *service, gpointer user_data) { TokenRequestData *data = user_data; + g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); g_assert (data->request != NULL); /* For the test, just assume any connection is a valid use of the web flow */ - g_debug ("handling incomming http request for %s", data->sender); + g_debug ("handling incomming http request"); g_debug ("emiting webflow done"); - flatpak_auth_request_emit_webflow_done (data->request, data->sender, NULL); + flatpak_authenticator_request_emit_webflow_done (data->request, options); finish_request_ref_tokens (data); 
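Review bot: The rewritten debug line in http_incoming still spells the word `incomming`; since the line is being changed anyway, make it `g_debug ("handling incoming http request");`. The neighbouring `emiting` messages in finish_request_ref_tokens and http_incoming are unchanged context and could be corrected in the same pass.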
@@ -162,9 +159,9 @@ handle_request_close (FlatpakAuthenticatorRequest *object, g_debug ("Webflow was cancelled by client"); g_variant_builder_init (&results, G_VARIANT_TYPE ("a{sv}")); - flatpak_auth_request_emit_response (data->request, data->sender, - FLATPAK_AUTH_RESPONSE_CANCELLED, - g_variant_builder_end (&results)); + flatpak_authenticator_request_emit_response (data->request, + FLATPAK_AUTH_RESPONSE_CANCELLED, + g_variant_builder_end (&results)); } else { @@ -251,7 +248,7 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator, } g_ptr_array_add (refs, NULL); - data = token_request_data_new (invocation, request, server, (const char *const*)refs->pdata); + data = token_request_data_new (request, server, (const char *const*)refs->pdata); g_signal_connect (server, "incoming", (GCallback)http_incoming, data); g_signal_connect (request, "handle-close", G_CALLBACK (handle_request_close), data); @@ -260,9 +257,10 @@ handle_request_ref_tokens (FlatpakAuthenticator *authenticator, if (request_webflow ()) { + g_autoptr(GVariant) options = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("{sv}"), NULL, 0)); uri = g_strdup_printf ("http://localhost:%d", (int)port); g_debug ("Requesting webflow %s", uri); - flatpak_auth_request_emit_webflow (request, g_dbus_method_invocation_get_sender (invocation), uri, NULL); + flatpak_authenticator_request_emit_webflow (request, uri, options); } else {
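Review bot: None of the visible test hunks exercises the case the commit is named for. The test authenticator is moved to the broadcast emitters, but no hunk runs the client behind a filtering bus proxy and checks that `Webflow`, `WebflowDone` and `Response` still arrive, so a later return to unicast emission would presumably go unnoticed (coverage may exist outside this patch). At minimum, state the requirement at the call, e.g. `/* must stay a broadcast: sandboxed callers do not receive unicast signals */` above `flatpak_authenticator_request_emit_webflow (request, uri, options);`. handle_request_ref_tokens begins and ends outside the hunk.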