1 /* GDBus - GLib D-Bus Library
3 * Copyright (C) 2008-2010 Red Hat, Inc.
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 * Author: David Zeuthen <davidz@redhat.com>
23 #include "gdbusauth.h"
25 #include "gdbusauthmechanismanon.h"
26 #include "gdbusauthmechanismexternal.h"
27 #include "gdbusauthmechanismsha1.h"
28 #include "gdbusauthobserver.h"
30 #include "gdbuserror.h"
31 #include "gdbusutils.h"
32 #include "gioenumtypes.h"
33 #include "gcredentials.h"
34 #include "gcredentialsprivate.h"
35 #include "gdbusprivate.h"
36 #include "giostream.h"
37 #include "gdatainputstream.h"
38 #include "gdataoutputstream.h"
41 #include "gnetworking.h"
42 #include "gunixconnection.h"
43 #include "gunixcredentialsmessage.h"
50 debug_print (const gchar *message, ...)
52 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
59 _g_dbus_debug_print_lock ();
61 va_start (var_args, message);
62 s = g_strdup_vprintf (message, var_args);
65 str = g_string_new (NULL);
66 for (n = 0; s[n] != '\0'; n++)
68 if (G_UNLIKELY (s[n] == '\r'))
69 g_string_append (str, "\\r");
70 else if (G_UNLIKELY (s[n] == '\n'))
71 g_string_append (str, "\\n");
73 g_string_append_c (str, s[n]);
75 g_print ("GDBus-debug:Auth: %s\n", str->str);
76 g_string_free (str, TRUE);
79 _g_dbus_debug_print_unlock ();
90 static void mechanism_free (Mechanism *m);
92 struct _GDBusAuthPrivate
96 /* A list of available Mechanism, sorted according to priority */
97 GList *available_mechanisms;
106 G_DEFINE_TYPE_WITH_PRIVATE (GDBusAuth, _g_dbus_auth, G_TYPE_OBJECT)
108 /* ---------------------------------------------------------------------------------------------------- */
111 _g_dbus_auth_finalize (GObject *object)
113 GDBusAuth *auth = G_DBUS_AUTH (object);
115 if (auth->priv->stream != NULL)
116 g_object_unref (auth->priv->stream);
117 g_list_free_full (auth->priv->available_mechanisms, (GDestroyNotify) mechanism_free);
119 if (G_OBJECT_CLASS (_g_dbus_auth_parent_class)->finalize != NULL)
120 G_OBJECT_CLASS (_g_dbus_auth_parent_class)->finalize (object);
124 _g_dbus_auth_get_property (GObject *object,
129 GDBusAuth *auth = G_DBUS_AUTH (object);
134 g_value_set_object (value, auth->priv->stream);
138 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
144 _g_dbus_auth_set_property (GObject *object,
149 GDBusAuth *auth = G_DBUS_AUTH (object);
154 auth->priv->stream = g_value_dup_object (value);
158 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
164 _g_dbus_auth_class_init (GDBusAuthClass *klass)
166 GObjectClass *gobject_class;
168 gobject_class = G_OBJECT_CLASS (klass);
169 gobject_class->get_property = _g_dbus_auth_get_property;
170 gobject_class->set_property = _g_dbus_auth_set_property;
171 gobject_class->finalize = _g_dbus_auth_finalize;
173 g_object_class_install_property (gobject_class,
175 g_param_spec_object ("stream",
177 P_("The underlying GIOStream used for I/O"),
181 G_PARAM_CONSTRUCT_ONLY |
182 G_PARAM_STATIC_NAME |
183 G_PARAM_STATIC_BLURB |
184 G_PARAM_STATIC_NICK));
188 mechanism_free (Mechanism *m)
194 add_mechanism (GDBusAuth *auth,
195 GDBusAuthObserver *observer,
196 GType mechanism_type)
200 name = _g_dbus_auth_mechanism_get_name (mechanism_type);
201 if (observer == NULL || g_dbus_auth_observer_allow_mechanism (observer, name))
204 m = g_new0 (Mechanism, 1);
206 m->priority = _g_dbus_auth_mechanism_get_priority (mechanism_type);
207 m->gtype = mechanism_type;
208 auth->priv->available_mechanisms = g_list_prepend (auth->priv->available_mechanisms, m);
213 mech_compare_func (Mechanism *a, Mechanism *b)
216 /* ensure deterministic order */
217 ret = b->priority - a->priority;
219 ret = g_strcmp0 (b->name, a->name);
224 _g_dbus_auth_init (GDBusAuth *auth)
226 auth->priv = _g_dbus_auth_get_instance_private (auth);
230 _g_dbus_auth_add_mechs (GDBusAuth *auth,
231 GDBusAuthObserver *observer)
233 /* TODO: trawl extension points */
234 add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_ANON);
235 add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1);
236 add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL);
238 auth->priv->available_mechanisms = g_list_sort (auth->priv->available_mechanisms,
239 (GCompareFunc) mech_compare_func);
243 find_mech_by_name (GDBusAuth *auth,
251 for (l = auth->priv->available_mechanisms; l != NULL; l = l->next)
253 Mechanism *m = l->data;
254 if (g_strcmp0 (name, m->name) == 0)
266 _g_dbus_auth_new (GIOStream *stream)
268 return g_object_new (G_TYPE_DBUS_AUTH,
273 /* ---------------------------------------------------------------------------------------------------- */
274 /* like g_data_input_stream_read_line() but sets error if there's no content to read */
276 _my_g_data_input_stream_read_line (GDataInputStream *dis,
277 gsize *out_line_length,
278 GCancellable *cancellable,
283 g_return_val_if_fail (error == NULL || *error == NULL, NULL);
285 ret = g_data_input_stream_read_line (dis,
289 if (ret == NULL && error != NULL && *error == NULL)
291 g_set_error_literal (error,
294 _("Unexpected lack of content trying to read a line"));
300 /* This function is to avoid situations like this
302 * BEGIN\r\nl\0\0\1...
304 * e.g. where we read into the first D-Bus message while waiting for
305 * the final line from the client (TODO: file bug against gio for
309 _my_g_input_stream_read_line_safe (GInputStream *i,
310 gsize *out_line_length,
311 GCancellable *cancellable,
317 gboolean last_was_cr;
319 str = g_string_new (NULL);
324 num_read = g_input_stream_read (i,
333 if (error != NULL && *error == NULL)
335 g_set_error_literal (error,
338 _("Unexpected lack of content trying to (safely) read a line"));
343 g_string_append_c (str, (gint) c);
348 g_assert (str->len >= 2);
349 g_string_set_size (str, str->len - 2);
353 last_was_cr = (c == 0x0d);
357 if (out_line_length != NULL)
358 *out_line_length = str->len;
359 return g_string_free (str, FALSE);
362 g_assert (error == NULL || *error != NULL);
363 g_string_free (str, TRUE);
367 /* ---------------------------------------------------------------------------------------------------- */
370 hexdecode (const gchar *str,
379 s = g_string_new (NULL);
381 for (n = 0; str[n] != '\0'; n += 2)
387 upper_nibble = g_ascii_xdigit_value (str[n]);
388 lower_nibble = g_ascii_xdigit_value (str[n + 1]);
389 if (upper_nibble == -1 || lower_nibble == -1)
394 "Error hexdecoding string '%s' around position %d",
398 value = (upper_nibble<<4) | lower_nibble;
399 g_string_append_c (s, value);
403 ret = g_string_free (s, FALSE);
410 g_string_free (s, TRUE);
415 /* ---------------------------------------------------------------------------------------------------- */
417 static GDBusAuthMechanism *
418 client_choose_mech_and_send_initial_response (GDBusAuth *auth,
419 GCredentials *credentials_that_were_sent,
420 const gchar* const *supported_auth_mechs,
421 GPtrArray *attempted_auth_mechs,
422 GDataOutputStream *dos,
423 GCancellable *cancellable,
426 GDBusAuthMechanism *mech;
427 GType auth_mech_to_use_gtype;
430 gchar *initial_response;
431 gsize initial_response_len;
438 debug_print ("CLIENT: Trying to choose mechanism");
440 /* find an authentication mechanism to try, if any */
441 auth_mech_to_use_gtype = (GType) 0;
442 for (n = 0; supported_auth_mechs[n] != NULL; n++)
444 gboolean attempted_already;
445 attempted_already = FALSE;
446 for (m = 0; m < attempted_auth_mechs->len; m++)
448 if (g_strcmp0 (supported_auth_mechs[n], attempted_auth_mechs->pdata[m]) == 0)
450 attempted_already = TRUE;
454 if (!attempted_already)
456 auth_mech_to_use_gtype = find_mech_by_name (auth, supported_auth_mechs[n]);
457 if (auth_mech_to_use_gtype != (GType) 0)
462 if (auth_mech_to_use_gtype == (GType) 0)
468 debug_print ("CLIENT: Exhausted all available mechanisms");
470 available = g_strjoinv (", ", (gchar **) supported_auth_mechs);
472 tried_str = g_string_new (NULL);
473 for (n = 0; n < attempted_auth_mechs->len; n++)
476 g_string_append (tried_str, ", ");
477 g_string_append (tried_str, attempted_auth_mechs->pdata[n]);
482 _("Exhausted all available authentication mechanisms (tried: %s) (available: %s)"),
485 g_string_free (tried_str, TRUE);
490 /* OK, decided on a mechanism - let's do this thing */
491 mech = g_object_new (auth_mech_to_use_gtype,
492 "stream", auth->priv->stream,
493 "credentials", credentials_that_were_sent,
495 debug_print ("CLIENT: Trying mechanism '%s'", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
496 g_ptr_array_add (attempted_auth_mechs, (gpointer) _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
498 /* the auth mechanism may not be supported
499 * (for example, EXTERNAL only works if credentials were exchanged)
501 if (!_g_dbus_auth_mechanism_is_supported (mech))
503 debug_print ("CLIENT: Mechanism '%s' says it is not supported", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
504 g_object_unref (mech);
509 initial_response_len = 0;
510 initial_response = _g_dbus_auth_mechanism_client_initiate (mech,
511 &initial_response_len);
513 g_printerr ("using auth mechanism with name '%s' of type '%s' with initial response '%s'\n",
514 _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype),
515 g_type_name (G_TYPE_FROM_INSTANCE (mech)),
518 if (initial_response != NULL)
520 //g_printerr ("initial_response = '%s'\n", initial_response);
521 encoded = _g_dbus_hexencode (initial_response, initial_response_len);
522 s = g_strdup_printf ("AUTH %s %s\r\n",
523 _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype),
525 g_free (initial_response);
530 s = g_strdup_printf ("AUTH %s\r\n", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
532 debug_print ("CLIENT: writing '%s'", s);
533 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
535 g_object_unref (mech);
547 /* ---------------------------------------------------------------------------------------------------- */
551 CLIENT_STATE_WAITING_FOR_DATA,
552 CLIENT_STATE_WAITING_FOR_OK,
553 CLIENT_STATE_WAITING_FOR_REJECT,
554 CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD
558 _g_dbus_auth_run_client (GDBusAuth *auth,
559 GDBusAuthObserver *observer,
560 GDBusCapabilityFlags offered_capabilities,
561 GDBusCapabilityFlags *out_negotiated_capabilities,
562 GCancellable *cancellable,
566 GDataInputStream *dis;
567 GDataOutputStream *dos;
568 GCredentials *credentials;
572 gchar **supported_auth_mechs;
573 GPtrArray *attempted_auth_mechs;
574 GDBusAuthMechanism *mech;
576 GDBusCapabilityFlags negotiated_capabilities;
578 debug_print ("CLIENT: initiating");
580 _g_dbus_auth_add_mechs (auth, observer);
583 supported_auth_mechs = NULL;
584 attempted_auth_mechs = g_ptr_array_new ();
586 negotiated_capabilities = 0;
589 dis = G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth->priv->stream)));
590 dos = G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth->priv->stream)));
591 g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis), FALSE);
592 g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos), FALSE);
594 g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
597 if (G_IS_UNIX_CONNECTION (auth->priv->stream))
599 credentials = g_credentials_new ();
600 if (!g_unix_connection_send_credentials (G_UNIX_CONNECTION (auth->priv->stream),
607 if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
611 if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
615 if (credentials != NULL)
617 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
619 s = g_credentials_to_string (credentials);
620 debug_print ("CLIENT: sent credentials '%s'", s);
626 debug_print ("CLIENT: didn't send any credentials");
629 /* TODO: to reduce roundtrips, try to pick an auth mechanism to start with */
631 /* Get list of supported authentication mechanisms */
633 debug_print ("CLIENT: writing '%s'", s);
634 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
636 state = CLIENT_STATE_WAITING_FOR_REJECT;
642 case CLIENT_STATE_WAITING_FOR_REJECT:
643 debug_print ("CLIENT: WaitingForReject");
644 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
647 debug_print ("CLIENT: WaitingForReject, read '%s'", line);
650 if (!g_str_has_prefix (line, "REJECTED "))
655 "In WaitingForReject: Expected 'REJECTED am1 am2 ... amN', got '%s'",
660 if (supported_auth_mechs == NULL)
662 supported_auth_mechs = g_strsplit (line + sizeof ("REJECTED ") - 1, " ", 0);
664 for (n = 0; supported_auth_mechs != NULL && supported_auth_mechs[n] != NULL; n++)
665 g_printerr ("supported_auth_mechs[%d] = '%s'\n", n, supported_auth_mechs[n]);
669 mech = client_choose_mech_and_send_initial_response (auth,
671 (const gchar* const *) supported_auth_mechs,
672 attempted_auth_mechs,
678 if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA)
679 state = CLIENT_STATE_WAITING_FOR_DATA;
681 state = CLIENT_STATE_WAITING_FOR_OK;
684 case CLIENT_STATE_WAITING_FOR_OK:
685 debug_print ("CLIENT: WaitingForOK");
686 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
689 debug_print ("CLIENT: WaitingForOK, read '%s'", line);
690 if (g_str_has_prefix (line, "OK "))
692 if (!g_dbus_is_guid (line + 3))
697 "Invalid OK response '%s'",
702 ret_guid = g_strdup (line + 3);
705 if (offered_capabilities & G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING)
707 s = "NEGOTIATE_UNIX_FD\r\n";
708 debug_print ("CLIENT: writing '%s'", s);
709 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
711 state = CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD;
716 debug_print ("CLIENT: writing '%s'", s);
717 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
719 /* and we're done! */
723 else if (g_str_has_prefix (line, "REJECTED "))
725 goto choose_mechanism;
729 /* TODO: handle other valid responses */
733 "In WaitingForOk: unexpected response '%s'",
740 case CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD:
741 debug_print ("CLIENT: WaitingForAgreeUnixFD");
742 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
745 debug_print ("CLIENT: WaitingForAgreeUnixFD, read='%s'", line);
746 if (g_strcmp0 (line, "AGREE_UNIX_FD") == 0)
749 negotiated_capabilities |= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
751 debug_print ("CLIENT: writing '%s'", s);
752 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
754 /* and we're done! */
757 else if (g_str_has_prefix (line, "ERROR") && (line[5] == 0 || g_ascii_isspace (line[5])))
759 //g_strstrip (line + 5); g_debug ("bah, no unix_fd: '%s'", line + 5);
762 debug_print ("CLIENT: writing '%s'", s);
763 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
765 /* and we're done! */
770 /* TODO: handle other valid responses */
774 "In WaitingForAgreeUnixFd: unexpected response '%s'",
781 case CLIENT_STATE_WAITING_FOR_DATA:
782 debug_print ("CLIENT: WaitingForData");
783 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
786 debug_print ("CLIENT: WaitingForData, read='%s'", line);
787 if (g_str_has_prefix (line, "DATA "))
791 gsize decoded_data_len = 0;
793 encoded = g_strdup (line + 5);
795 g_strstrip (encoded);
796 decoded_data = hexdecode (encoded, &decoded_data_len, error);
798 if (decoded_data == NULL)
800 g_prefix_error (error, "DATA response is malformed: ");
801 /* invalid encoding, disconnect! */
804 _g_dbus_auth_mechanism_client_data_receive (mech, decoded_data, decoded_data_len);
805 g_free (decoded_data);
807 if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND)
812 data = _g_dbus_auth_mechanism_client_data_send (mech, &data_len);
813 encoded_data = _g_dbus_hexencode (data, data_len);
814 s = g_strdup_printf ("DATA %s\r\n", encoded_data);
815 g_free (encoded_data);
817 debug_print ("CLIENT: writing '%s'", s);
818 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
825 state = CLIENT_STATE_WAITING_FOR_OK;
827 else if (g_str_has_prefix (line, "REJECTED "))
829 /* could be the chosen authentication method just doesn't work. Try
832 goto choose_mechanism;
839 "In WaitingForData: unexpected response '%s'",
847 g_assert_not_reached ();
851 }; /* main authentication client loop */
855 g_object_unref (mech);
856 g_ptr_array_unref (attempted_auth_mechs);
857 g_strfreev (supported_auth_mechs);
858 g_object_unref (dis);
859 g_object_unref (dos);
861 /* ensure return value is NULL if error is set */
862 if (error != NULL && *error != NULL)
868 if (ret_guid != NULL)
870 if (out_negotiated_capabilities != NULL)
871 *out_negotiated_capabilities = negotiated_capabilities;
874 if (credentials != NULL)
875 g_object_unref (credentials);
877 debug_print ("CLIENT: Done, authenticated=%d", ret_guid != NULL);
882 /* ---------------------------------------------------------------------------------------------------- */
885 get_auth_mechanisms (GDBusAuth *auth,
886 gboolean allow_anonymous,
889 const gchar *separator)
895 str = g_string_new (prefix);
897 for (l = auth->priv->available_mechanisms; l != NULL; l = l->next)
899 Mechanism *m = l->data;
901 if (!allow_anonymous && g_strcmp0 (m->name, "ANONYMOUS") == 0)
905 g_string_append (str, separator);
906 g_string_append (str, m->name);
910 g_string_append (str, suffix);
911 return g_string_free (str, FALSE);
917 SERVER_STATE_WAITING_FOR_AUTH,
918 SERVER_STATE_WAITING_FOR_DATA,
919 SERVER_STATE_WAITING_FOR_BEGIN
923 _g_dbus_auth_run_server (GDBusAuth *auth,
924 GDBusAuthObserver *observer,
926 gboolean allow_anonymous,
927 gboolean require_same_user,
928 GDBusCapabilityFlags offered_capabilities,
929 GDBusCapabilityFlags *out_negotiated_capabilities,
930 GCredentials **out_received_credentials,
931 GCancellable *cancellable,
936 GDataInputStream *dis;
937 GDataOutputStream *dos;
941 GDBusAuthMechanism *mech;
943 GDBusCapabilityFlags negotiated_capabilities;
944 GCredentials *credentials;
945 GCredentials *own_credentials = NULL;
947 debug_print ("SERVER: initiating");
949 _g_dbus_auth_add_mechs (auth, observer);
955 negotiated_capabilities = 0;
958 if (!g_dbus_is_guid (guid))
963 "The given guid '%s' is not valid",
968 dis = G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth->priv->stream)));
969 dos = G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth->priv->stream)));
970 g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis), FALSE);
971 g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos), FALSE);
973 g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
975 /* read the NUL-byte, possibly with credentials attached */
977 #ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING
978 if (G_IS_SOCKET_CONNECTION (auth->priv->stream))
980 GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream));
983 credentials = g_socket_get_credentials (sock, &local_error);
985 if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
987 g_propagate_error (error, local_error);
992 /* Clear the error indicator, so we can retry with
993 * g_unix_connection_receive_credentials() if necessary */
994 g_clear_error (&local_error);
999 if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream))
1002 credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream),
1005 if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
1007 g_propagate_error (error, local_error);
1014 (void)g_data_input_stream_read_byte (dis, cancellable, &local_error);
1015 if (local_error != NULL)
1017 g_propagate_error (error, local_error);
1023 (void)g_data_input_stream_read_byte (dis, cancellable, &local_error);
1024 if (local_error != NULL)
1026 g_propagate_error (error, local_error);
1030 if (credentials != NULL)
1032 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
1034 s = g_credentials_to_string (credentials);
1035 debug_print ("SERVER: received credentials '%s'", s);
1041 debug_print ("SERVER: didn't receive any credentials");
1044 own_credentials = g_credentials_new ();
1046 state = SERVER_STATE_WAITING_FOR_AUTH;
1051 case SERVER_STATE_WAITING_FOR_AUTH:
1052 debug_print ("SERVER: WaitingForAuth");
1053 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
1054 debug_print ("SERVER: WaitingForAuth, read '%s'", line);
1057 if (g_strcmp0 (line, "AUTH") == 0)
1059 s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
1060 debug_print ("SERVER: writing '%s'", s);
1061 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1070 else if (g_str_has_prefix (line, "AUTH "))
1073 const gchar *encoded;
1074 const gchar *mech_name;
1075 GType auth_mech_to_use_gtype;
1077 tokens = g_strsplit (line, " ", 0);
1079 switch (g_strv_length (tokens))
1082 /* no initial response */
1083 mech_name = tokens[1];
1088 /* initial response */
1089 mech_name = tokens[1];
1090 encoded = tokens[2];
1097 "Unexpected line '%s' while in WaitingForAuth state",
1099 g_strfreev (tokens);
1106 /* TODO: record that the client has attempted to use this mechanism */
1107 //g_debug ("client is trying '%s'", mech_name);
1109 auth_mech_to_use_gtype = find_mech_by_name (auth, mech_name);
1110 if ((auth_mech_to_use_gtype == (GType) 0) ||
1111 (!allow_anonymous && g_strcmp0 (mech_name, "ANONYMOUS") == 0))
1113 /* We don't support this auth mechanism */
1114 g_strfreev (tokens);
1115 s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
1116 debug_print ("SERVER: writing '%s'", s);
1117 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1124 /* stay in WAITING FOR AUTH */
1125 state = SERVER_STATE_WAITING_FOR_AUTH;
1129 gchar *initial_response;
1130 gsize initial_response_len;
1132 g_clear_object (&mech);
1133 mech = g_object_new (auth_mech_to_use_gtype,
1134 "stream", auth->priv->stream,
1135 "credentials", credentials,
1138 initial_response = NULL;
1139 initial_response_len = 0;
1140 if (encoded != NULL)
1142 initial_response = hexdecode (encoded, &initial_response_len, error);
1143 if (initial_response == NULL)
1145 g_prefix_error (error, "Initial response is malformed: ");
1146 /* invalid encoding, disconnect! */
1147 g_strfreev (tokens);
1152 _g_dbus_auth_mechanism_server_initiate (mech,
1154 initial_response_len);
1155 g_free (initial_response);
1156 g_strfreev (tokens);
1159 switch (_g_dbus_auth_mechanism_server_get_state (mech))
1161 case G_DBUS_AUTH_MECHANISM_STATE_ACCEPTED:
1162 if (require_same_user &&
1163 (credentials == NULL ||
1164 !g_credentials_is_same_user (credentials, own_credentials, NULL)))
1167 g_set_error_literal (error,
1170 _("User IDs must be the same for peer and server"));
1173 else if (observer != NULL &&
1174 !g_dbus_auth_observer_authorize_authenticated_peer (observer,
1179 g_set_error_literal (error,
1182 _("Cancelled via GDBusAuthObserver::authorize-authenticated-peer"));
1187 s = g_strdup_printf ("OK %s\r\n", guid);
1188 debug_print ("SERVER: writing '%s'", s);
1189 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1195 state = SERVER_STATE_WAITING_FOR_BEGIN;
1199 case G_DBUS_AUTH_MECHANISM_STATE_REJECTED:
1200 s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
1201 debug_print ("SERVER: writing '%s'", s);
1202 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1208 state = SERVER_STATE_WAITING_FOR_AUTH;
1211 case G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA:
1212 state = SERVER_STATE_WAITING_FOR_DATA;
1215 case G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND:
1220 data = _g_dbus_auth_mechanism_server_data_send (mech, &data_len);
1223 gchar *encoded_data;
1225 encoded_data = _g_dbus_hexencode (data, data_len);
1226 s = g_strdup_printf ("DATA %s\r\n", encoded_data);
1227 g_free (encoded_data);
1230 debug_print ("SERVER: writing '%s'", s);
1231 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1244 g_assert_not_reached ();
1254 "Unexpected line '%s' while in WaitingForAuth state",
1261 case SERVER_STATE_WAITING_FOR_DATA:
1262 debug_print ("SERVER: WaitingForData");
1263 line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
1264 debug_print ("SERVER: WaitingForData, read '%s'", line);
1267 if (g_str_has_prefix (line, "DATA "))
1270 gchar *decoded_data;
1271 gsize decoded_data_len = 0;
1273 encoded = g_strdup (line + 5);
1275 g_strstrip (encoded);
1276 decoded_data = hexdecode (encoded, &decoded_data_len, error);
1278 if (decoded_data == NULL)
1280 g_prefix_error (error, "DATA response is malformed: ");
1281 /* invalid encoding, disconnect! */
1284 _g_dbus_auth_mechanism_server_data_receive (mech, decoded_data, decoded_data_len);
1285 g_free (decoded_data);
1286 /* oh man, this goto-crap is so ugly.. really need to rewrite the state machine */
1294 "Unexpected line '%s' while in WaitingForData state",
1300 case SERVER_STATE_WAITING_FOR_BEGIN:
1301 debug_print ("SERVER: WaitingForBegin");
1302 /* Use extremely slow (but reliable) line reader - this basically
1303 * does a recvfrom() system call per character
1305 * (the problem with using GDataInputStream's read_line is that because of
1306 * buffering it might start reading into the first D-Bus message that
1307 * appears after "BEGIN\r\n"....)
1309 line = _my_g_input_stream_read_line_safe (g_io_stream_get_input_stream (auth->priv->stream),
1315 debug_print ("SERVER: WaitingForBegin, read '%s'", line);
1316 if (g_strcmp0 (line, "BEGIN") == 0)
1323 else if (g_strcmp0 (line, "NEGOTIATE_UNIX_FD") == 0)
1326 if (offered_capabilities & G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING)
1328 negotiated_capabilities |= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
1329 s = "AGREE_UNIX_FD\r\n";
1330 debug_print ("SERVER: writing '%s'", s);
1331 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1336 s = "ERROR \"fd passing not offered\"\r\n";
1337 debug_print ("SERVER: writing '%s'", s);
1338 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1344 g_debug ("Unexpected line '%s' while in WaitingForBegin state", line);
1346 s = "ERROR \"Unknown Command\"\r\n";
1347 debug_print ("SERVER: writing '%s'", s);
1348 if (!g_data_output_stream_put_string (dos, s, cancellable, error))
1354 g_assert_not_reached ();
1360 g_set_error_literal (error,
1363 "Not implemented (server)");
1366 g_clear_object (&mech);
1367 g_clear_object (&dis);
1368 g_clear_object (&dos);
1369 g_clear_object (&own_credentials);
1371 /* ensure return value is FALSE if error is set */
1372 if (error != NULL && *error != NULL)
1379 if (out_negotiated_capabilities != NULL)
1380 *out_negotiated_capabilities = negotiated_capabilities;
1381 if (out_received_credentials != NULL)
1382 *out_received_credentials = credentials != NULL ? g_object_ref (credentials) : NULL;
1385 if (credentials != NULL)
1386 g_object_unref (credentials);
1388 debug_print ("SERVER: Done, authenticated=%d", ret);
1393 /* ---------------------------------------------------------------------------------------------------- */