Commit Graph

7164 Commits

Author SHA1 Message Date
Alexander Larsson
7caa41a716 portal: Document the new sandbox options
This adds missing docs for sandbox-expose-fd, sandbox-expose-fd-ro and
sandbox-flags.
2019-11-27 14:21:25 +01:00
Alexander Larsson
e6ae979cc4 run: Document new --parent-pid and --parent-expose-pid args 2019-11-27 14:21:25 +01:00
Alexander Larsson
38fecb08d3 portal: Add supports flag and set a bit if EXPOSE_PIDS is supported
We can only support this if the host bwrap is not setuid (at least for
now). This allows callers to detect this case ahead of time. We also
detect this case when called and return a better error code that
can be detected.
2019-11-27 14:21:25 +01:00
Alexander Larsson
ae50843851 portal: Add EXPOSE_PIDS flag
This uses the new bwrap feature via flatpak run --parent-expose-pids to
make new new sandbox pid namespace be a child of the callers sandbox.

Pretty obvious, the only weird thing is that we can't get the peer pid
directly from the caller (as it goes via the dbus proxy) so we have
to look that up from the instance data.
2019-11-27 14:21:25 +01:00
Alexander Larsson
2f628d11ff Make flatpak_instance_new_for_id non-static
We want to use this from the portal
2019-11-27 14:21:25 +01:00
Alexander Larsson
62797b4be9 flatpak run: Add --parent-pid=$pid --parent-expose-pids
Given the pid of an existing flatpak process, if --parent-expose-pids is
specified, the new sandbox is run such that its processes are visible in
the specified sandbox.

In all other senses the two are disjoint though. The new sandbox is
still isolated from the host and the existing sandbox.
2019-11-27 14:21:25 +01:00
Alexander Larsson
7a47c9df87 Bump bubblewrap to 0.4.0
This updates both the internal copy and the required version
for using the system copy.

We will need this for reusing existing user and pid namespaces
2019-11-27 14:21:25 +01:00
Matthew Leeds
9f1c5a7033 dir: Improve comments about deleting mirror refs
Make it clear which refs we delete and why, per the discussion here:
https://github.com/endlessm/flatpak/pull/200#discussion_r350053918
2019-11-27 08:49:03 +01:00
Alexander Larsson
5a6b364ee5 transaction: Add xa-default-token-type support
This is from the summary and can be used as the default token type
if all/most refs need a token.
2019-11-26 16:37:01 +01:00
Alexander Larsson
a615113a83 Split out and document org.freedesktop.Flatpak.Authenticator API 2019-11-26 16:37:01 +01:00
Alexander Larsson
3f6245d41b authenticator: Add a parent_window handle to request_tokens
This allows the authenticator to directly do UI and parent it to the
relevant window. The actual parent string is specified just like
the xdg-desktop-portal one.

There is a new flatpak_transaction_set_parent_window() function that
clients can use to signal the what window they want to be parented to.
2019-11-26 16:37:01 +01:00
Alexander Larsson
90dc9ace2a authenticator: Pass token-type for each ref
This allows the authenticator to handle each token type differently.
For example, this allows a "purchase" type to run the donation
webflow, but not require login (and then store the fact that this was
run locally).
2019-11-26 16:37:01 +01:00
Alexander Larsson
e0cef17c0c tokens: Allow authenticators to send an error message 2019-11-26 16:37:01 +01:00
Alexander Larsson
b77f7c9383 authenticator: Pass remote name to RequestRefTokens
This makes it very easy to reuse a single authenticator for several
remotes. This is useful for the a default authenticator implementation
that we can ship with flatpak and use for e.g. flathub.
2019-11-26 16:37:01 +01:00
Alexander Larsson
3411cf0336 tests: Test the webflow handling
We just verify that we can roundtrip via the cli by setting
BROWSER=curl to "finish" the webflow.
2019-11-26 16:37:01 +01:00
Alexander Larsson
f420fad6a9 cli transaction: Handle webflow signals
This shows the url in the default browser. Currenly it just looks
at $BROWSER and falls back to xdg-open.
2019-11-26 16:37:01 +01:00
Alexander Larsson
0ca1a1624f FlatpakTransaction: Add webflow-start/done signals and abort_webflow()
These signals are emitted when the authenticator needs some kind of
web-based authentication. If the caller implements webflow-start and
returns TRUE, then it needs to show the user the URL and allow the user
to interact with it.

Typically this ends with the web-page being redirected to a url to
localhost or similar which tells the authenticator the result of the
operations. This will cause the webflow-done signal to be emitted and
the transaction operation to continue. If something goes wrong (or the
signal is not handled) it will also report webflow-done, but then the
transaction will fail in a normal way.

Generally all users of FlatpakTransaction need to do is:

 On webflow-start, show a browser window with the url and return TRUE.

 On webflow-done, close the browser window if its still visible.

 If the user closes the browser window early, call
 flatpak_transaction_abort_webflow().
2019-11-26 16:37:01 +01:00
Alexander Larsson
2b06b0328c test-authenticator: Support requesting a web flow
If request-webflow file exists, then the authenticator will listen
to a local socket and start a webflow request with a uri pointing to it.
If anything connects to the uri it will consider the flow ok and continue.
If the client calls close() instead it will silently succeed anyway
if require-webflow doesn't exists, and fail if is exists.
2019-11-26 16:37:01 +01:00
Alexander Larsson
9a8bf2be31 auth: Add helpers dbus helpers for sending webflow signals 2019-11-26 16:37:01 +01:00
Alexander Larsson
dd71bf720e Authenticator dbus api: Add Webflow signal
When resolving the transactions we call RequestRefTokens as needed
to get bearer tokens for some refs. These calls can also emit
the Webflow signal on the request object with a url. It is then
up to the client to show this url in some way.

Once the required operations are done in the browser it will redirect
to some url that will reach the authenticator, telling it that the
operation is done and the final result of it. At that point the
authenticator will emit the WebflowDone signal and continue.

If the cliend doesn't want to do the web flow it can call the close
operation on the request object.
2019-11-26 16:37:01 +01:00
Alexander Larsson
2cb51e5e57 tests: Fix installing org.flatpak.Authenticator.test.service.in 2019-11-26 16:37:01 +01:00
Alexander Larsson
ae13e31510 transaction: Request required tokens from configured authenticator
When we need a bearer token, look up the configured authenticator for
the remote and ask it for tokens. Also updates the test-auth test
with to use the new test authenticator instead of the previous
env var hack.
2019-11-26 16:37:01 +01:00
Alexander Larsson
8d02d86463 add/modify-remote: Add options to set authenticator options 2019-11-26 16:37:01 +01:00
Alexander Larsson
094c1ee0ff tests: Add a test authenticator
This is a trivial implementation of org.freedesktop.Flatpak.Authenticator
that just reads the contents of the "required-token" file and returns
that as the tokens for all refs.
2019-11-26 16:37:01 +01:00
Alexander Larsson
e6465da03b Add some helper functions for working with authenticators
This will be used by later code in combination with the gdbus
generated code.
2019-11-26 16:37:01 +01:00
Alexander Larsson
74a161d61c Add initial version of 'org.freedesktop.Flatpak.Authenticator dbus API
For now this just has a portal-like API for requesting tokens
for a list of refs.
2019-11-26 16:37:01 +01:00
Alexander Larsson
d44864a74e tests: Add p2p token tests
Unfortunately we lose some error information when we pull multiple
refs, ending with a generic "something failed" error rather than the
401 error so in the p2p case we can't verify that we get the right
errors.
2019-11-26 16:37:01 +01:00
Alexander Larsson
ddc60ad179 Transaction: Support tokens for all p2p pulls
The p2p case is kinda weird wrt tokens. We can do most of the basics,
like which refs need updating using the partial summary from the p2p
mirrors, but we can't rely 100% on the ostree-metadata info for core
info like permissions or dependencies, since it may be out-of-sync.

So, if the information in the ostree-metadata doesn't match the
commit we're resolving, the p2p resolve code actually pulls the actual
commit objects as part of a resolve.

Now, the commit objects are protected by bearer tokens, so we need to
pass them while doing this pull. Unfortunately the information about
which refs requires tokens are part of the commit, which is a circular
dependency. We resolve this by relying on the (possibly stale, but
probably ok) copy of the need-token info in the ostree-repo metadata.

So, we do the first part of the p2p resolve, then for all the
not-yet-resolved ops (i.e. ones that actually need updates) we look
in the ostree-metadata for which refs need tokens, generate tokens
and then do the pulling with the tokens.

This is an iterative process, because resolving a ref can create more
update operations, which may need more tokens.
2019-11-26 16:37:01 +01:00
Alexander Larsson
59a2e9b704 p2p resolve: Support tokens in flatpak_dir_finish_resolve_p2p_refs
Also, since the lower level APIs don't allow you to pass different tokens
for different parts change this function to support passing a subset
of the resolves, so that we can pass all that need a specific token in
one go, and then call this multiple times. The way we handle this is
by saving all the original ref_to_checksum hashtables for all results
and then re-create them with the subset of refs needed when pulling.
2019-11-26 16:37:01 +01:00
Alexander Larsson
3d47dc02fa p2p: When updating/installing, resolve via ostree-metadata if possible
If the commit is available in the ostree-metadata and it matches what
the latest available commit in the p2p results then resolve it to that, so
we don't have to download the commit object.
2019-11-26 16:37:01 +01:00
Alexander Larsson
54415b79c7 p2p: Add flatpak_dir_resolve_maybe_resolve_from_metadata
This tries to resolve the p2p resolve operation from the info in
a ostree-metadata commit. This only works if the resolve ended up
on the same commit id as what was available in the ostree-metadata
which may not be correct if the two are not synchronized.
2019-11-26 16:37:01 +01:00
Alexander Larsson
7f5ed5020f p2p resolve: Resolve the token_type data from the commit 2019-11-26 16:37:01 +01:00
Alexander Larsson
f51cb45a4f tests: Add initial tests for token-needing installs 2019-11-26 16:37:01 +01:00
Alexander Larsson
c8e1ba41e1 Transaction: non-p2p support for tokens
We extract the need-token key from the summary and if set we
calculate a token to use for the operation, which we then pass
to install/update.

For now the actual token just comes from the FLATPAK_TEST_TOKEN
environment var. The details of this will be fleshed out later.

Additionally, this does not support the p2p case, because there
we need the token in order to request the commit during the resolve.
This will also be added later.
2019-11-26 16:37:01 +01:00
Alexander Larsson
077006ecc8 Add token-type per-commit metadata key and export it to summary
We store this in the sparse cache, because we don't expect it to be
set for everything.
2019-11-26 16:37:01 +01:00
Alexander Larsson
86ccfd9b99 Add support for bearer tokens to flatpak_dir_install/update
Anything passed in here will be added as a bearer token for all http
requests in the operation.
2019-11-26 16:37:01 +01:00
Alexander Larsson
99ce123215 transaction: Break out some shared code.
This moves some code into helper functions so it can be easily shared.
No behavioural change.
2019-11-26 16:37:01 +01:00
Alexander Larsson
e2379d20e2 Optionally return commit id in flatpak_remote_state_lookup_cache
This will only work if xa.commits is in the metadata, which is only
available in the p2p case and was only added recently.
2019-11-26 16:37:01 +01:00
Alexander Larsson
b1eaad3fa2 p2p: Generate xa.commits array in ostree-metadata
This is in the same order as the xa.cache array and contains the id of
the commit that the cached data is about. This is not necessary in the
non-p2p summary metadata, because in that we always have a matching
ref -> commit array.

However, in the p2p case this information can be useful.
2019-11-26 16:37:01 +01:00
Alexander Larsson
64f8a26e33 prepare_resolve_p2p() return last_remote_commit
We want this in the transaction code, to see what commit would
be pulled, and thus if the data in the ostree-metadata is good enough
2019-11-26 16:37:01 +01:00
Alexander Larsson
5a01ff44d6 dir: Split up the p2p resolve code into two phases
Historically the p2p resolve code always did a parallel call to find
all the available commits for the refs, and then it took the results
and pulled only the commits for all the refs so that it could resolve
against the exact commits that were available (which might not match
with whatever metadata we have in the local ostree-metadata copy.

This splits this into two phases, the first that uses the summary only,
and a second one that pulls the commit.

The reason for this is that we want to be able to do some stuff inbetween
these, such as resolving some refs via the ostree-metadata and maybe
requesting bearer tokens that we need for pulling the commit objects.
2019-11-26 16:37:01 +01:00
Alexander Larsson
3c74199549 Print errors on stderr in install/update
If we're not doing fancy ui, print errors on stderr. This was biting me
in some tests where I'd like to grep for some strings in the stderr
output.
2019-11-26 16:37:01 +01:00
Alexander Larsson
2db1c6e6c4 Add defines for existing summary sparse cache keys
These are explicitly made short to save space, so lets have defines
for them to make sure we don't mistype them, especially as we
will be adding new keys.
2019-11-26 16:37:01 +01:00
Alexander Larsson
ca5ba625a5 libtest.sh: Add gdb_bt helper
This is unused, but can be inserted in the tests if something is
segfaulting so that you can see the backtrace.
2019-11-26 16:37:01 +01:00
Alexander Larsson
0af4249c60 Don't pull dependencies for extension points unless strictly needed
These were added so that extra-data would work in #2954, however that
was a bit broad. We only need extension deps for extensions that:
1) Uses extra data (so we can run apply-extra)
2) Doesn't specify NoRuntime=true (because the apply-extra is static)

Fixes https://github.com/flatpak/flatpak/issues/3173
2019-11-26 10:19:55 +01:00
Alexander Larsson
c486cc461e run: Document the sandbox related swtiches 2019-11-26 09:52:07 +01:00
Alexander Larsson
834c23edc6 portal: Add sandbox-expose-fd[-ro] options that allow you to share any path
I you can open(O_PATH) any path in your sandbox you can now share that
with the sub-sandbox.
2019-11-26 09:52:07 +01:00
Alexander Larsson
7dad37f1b3 portal: Spawn clean up handling of file descriptors
We were using i instead of handle to index the file descriptors, which
is likely to be the same (due to ordering) but not really
correct. Also rename the variables to make this code easier to read.

Also, add some bounds check on the handles wrt the fd list.
2019-11-26 09:52:07 +01:00
Alexander Larsson
080a5c07a1 portal: Add sandbox flags for allowing ally/ and session bus access 2019-11-26 09:52:07 +01:00
Alexander Larsson
921d1c9b87 run: In sandboxed mode, if still allowing dbus, only allow $appid.Sandboxed.*
This means sandboxes with dbus access can use portals etc, but they can't
talk to the main app, or impersonate it, but you can still use dbus and
well-known names to talk to them if needed.

It does mean however that if you use this, different sandboxes can see each
other on the bus, so be careful.
2019-11-26 09:52:07 +01:00