gio/gdbusauthobserver.c

   1 /* GDBus - GLib D-Bus Library
   2  *
   3  * Copyright (C) 2008-2010 Red Hat, Inc.
   4  *
   5  * This library is free software; you can redistribute it and/or
   6  * modify it under the terms of the GNU Lesser General Public
   7  * License as published by the Free Software Foundation; either
   8  * version 2.1 of the License, or (at your option) any later version.
   9  *
  10  * This library is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * Lesser General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU Lesser General
  16  * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
  17  *
  18  * Author: David Zeuthen <davidz@redhat.com>
  19  */
  20
  21 #include "config.h"
  22
  23 #include "gdbusauthobserver.h"
  24 #include "gcredentials.h"
  25 #include "gioenumtypes.h"
  26 #include "giostream.h"
  27 #include "gdbusprivate.h"
  28
  29 #include "glibintl.h"
  30 #include "gmarshal-internal.h"
  31
  32 /**
  33  * SECTION:gdbusauthobserver
  34  * @short_description: Object used for authenticating connections
  35  * @include: gio/gio.h
  36  *
  37  * The #GDBusAuthObserver type provides a mechanism for participating
  38  * in how a #GDBusServer (or a #GDBusConnection) authenticates remote
  39  * peers. Simply instantiate a #GDBusAuthObserver and connect to the
  40  * signals you are interested in. Note that new signals may be added
  41  * in the future
  42  *
  43  * ## Controlling Authentication Mechanisms
  44  *
  45  * By default, a #GDBusServer or server-side #GDBusConnection will allow
  46  * any authentication mechanism to be used. If you only
  47  * want to allow D-Bus connections with the `EXTERNAL` mechanism,
  48  * which makes use of credentials passing and is the recommended
  49  * mechanism for modern Unix platforms such as Linux and the BSD family,
  50  * you would use a signal handler like this:
  51  *
  52  * |[<!-- language="C" -->
  53  * static gboolean
  54  * on_allow_mechanism (GDBusAuthObserver *observer,
  55  *                     const gchar       *mechanism,
  56  *                     gpointer           user_data)
  57  * {
  58  *   if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
  59  *     {
  60  *       return TRUE;
  61  *     }
  62  *
  63  *   return FALSE;
  64  * }
  65  * ]|
  66  *
  67  * ## Controlling Authorization # {#auth-observer}
  68  *
  69  * By default, a #GDBusServer or server-side #GDBusConnection will accept
  70  * connections from any successfully authenticated user (but not from
  71  * anonymous connections using the `ANONYMOUS` mechanism). If you only
  72  * want to allow D-Bus connections from processes owned by the same uid
  73  * as the server, you would use a signal handler like the following:
  74  *
  75  * |[<!-- language="C" -->
  76  * static gboolean
  77  * on_authorize_authenticated_peer (GDBusAuthObserver *observer,
  78  *                                  GIOStream         *stream,
  79  *                                  GCredentials      *credentials,
  80  *                                  gpointer           user_data)
  81  * {
  82  *   gboolean authorized;
  83  *
  84  *   authorized = FALSE;
  85  *   if (credentials != NULL)
  86  *     {
  87  *       GCredentials *own_credentials;
  88  *       own_credentials = g_credentials_new ();
  89  *       if (g_credentials_is_same_user (credentials, own_credentials, NULL))
  90  *         authorized = TRUE;
  91  *       g_object_unref (own_credentials);
  92  *     }
  93  *
  94  *   return authorized;
  95  * }
  96  * ]|
  97  */
  98
  99 typedef struct _GDBusAuthObserverClass GDBusAuthObserverClass;
 100
 101 /**
 102  * GDBusAuthObserverClass:
 103  * @authorize_authenticated_peer: Signal class handler for the #GDBusAuthObserver::authorize-authenticated-peer signal.
 104  *
 105  * Class structure for #GDBusAuthObserverClass.
 106  *
 107  * Since: 2.26
 108  */
 109 struct _GDBusAuthObserverClass
 110 {
 111   /*< private >*/
 112   GObjectClass parent_class;
 113
 114   /*< public >*/
 115
 116   /* Signals */
 117   gboolean (*authorize_authenticated_peer) (GDBusAuthObserver  *observer,
 118                                             GIOStream          *stream,
 119                                             GCredentials       *credentials);
 120
 121   gboolean (*allow_mechanism) (GDBusAuthObserver  *observer,
 122                                const gchar        *mechanism);
 123 };
 124
 125 /**
 126  * GDBusAuthObserver:
 127  *
 128  * The #GDBusAuthObserver structure contains only private data and
 129  * should only be accessed using the provided API.
 130  *
 131  * Since: 2.26
 132  */
 133 struct _GDBusAuthObserver
 134 {
 135   GObject parent_instance;
 136 };
 137
 138 enum
 139 {
 140   AUTHORIZE_AUTHENTICATED_PEER_SIGNAL,
 141   ALLOW_MECHANISM_SIGNAL,
 142   LAST_SIGNAL,
 143 };
 144
 145 static guint signals[LAST_SIGNAL] = { 0 };
 146
 147 G_DEFINE_TYPE (GDBusAuthObserver, g_dbus_auth_observer, G_TYPE_OBJECT)
 148
 149 /* ---------------------------------------------------------------------------------------------------- */
 150
 151 static void
 152 g_dbus_auth_observer_finalize (GObject *object)
 153 {
 154   G_OBJECT_CLASS (g_dbus_auth_observer_parent_class)->finalize (object);
 155 }
 156
 157 static gboolean
 158 g_dbus_auth_observer_authorize_authenticated_peer_real (GDBusAuthObserver  *observer,
 159                                                         GIOStream          *stream,
 160                                                         GCredentials       *credentials)
 161 {
 162   return TRUE;
 163 }
 164
 165 static gboolean
 166 g_dbus_auth_observer_allow_mechanism_real (GDBusAuthObserver  *observer,
 167                                            const gchar        *mechanism)
 168 {
 169   return TRUE;
 170 }
 171
 172 static void
 173 g_dbus_auth_observer_class_init (GDBusAuthObserverClass *klass)
 174 {
 175   GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
 176
 177   gobject_class->finalize = g_dbus_auth_observer_finalize;
 178
 179   klass->authorize_authenticated_peer = g_dbus_auth_observer_authorize_authenticated_peer_real;
 180   klass->allow_mechanism = g_dbus_auth_observer_allow_mechanism_real;
 181
 182   /**
 183    * GDBusAuthObserver::authorize-authenticated-peer:
 184    * @observer: The #GDBusAuthObserver emitting the signal.
 185    * @stream: A #GIOStream for the #GDBusConnection.
 186    * @credentials: (nullable): Credentials received from the peer or %NULL.
 187    *
 188    * Emitted to check if a peer that is successfully authenticated
 189    * is authorized.
 190    *
 191    * Returns: %TRUE if the peer is authorized, %FALSE if not.
 192    *
 193    * Since: 2.26
 194    */
 195   signals[AUTHORIZE_AUTHENTICATED_PEER_SIGNAL] =
 196     g_signal_new (I_("authorize-authenticated-peer"),
 197                   G_TYPE_DBUS_AUTH_OBSERVER,
 198                   G_SIGNAL_RUN_LAST,
 199                   G_STRUCT_OFFSET (GDBusAuthObserverClass, authorize_authenticated_peer),
 200                   _g_signal_accumulator_false_handled,
 201                   NULL, /* accu_data */
 202                   _g_cclosure_marshal_BOOLEAN__OBJECT_OBJECT,
 203                   G_TYPE_BOOLEAN,
 204                   2,
 205                   G_TYPE_IO_STREAM,
 206                   G_TYPE_CREDENTIALS);
 207   g_signal_set_va_marshaller (signals[AUTHORIZE_AUTHENTICATED_PEER_SIGNAL],
 208                               G_TYPE_FROM_CLASS (klass),
 209                               _g_cclosure_marshal_BOOLEAN__OBJECT_OBJECTv);
 210
 211   /**
 212    * GDBusAuthObserver::allow-mechanism:
 213    * @observer: The #GDBusAuthObserver emitting the signal.
 214    * @mechanism: The name of the mechanism, e.g. `DBUS_COOKIE_SHA1`.
 215    *
 216    * Emitted to check if @mechanism is allowed to be used.
 217    *
 218    * Returns: %TRUE if @mechanism can be used to authenticate the other peer, %FALSE if not.
 219    *
 220    * Since: 2.34
 221    */
 222   signals[ALLOW_MECHANISM_SIGNAL] =
 223     g_signal_new (I_("allow-mechanism"),
 224                   G_TYPE_DBUS_AUTH_OBSERVER,
 225                   G_SIGNAL_RUN_LAST,
 226                   G_STRUCT_OFFSET (GDBusAuthObserverClass, allow_mechanism),
 227                   _g_signal_accumulator_false_handled,
 228                   NULL, /* accu_data */
 229                   _g_cclosure_marshal_BOOLEAN__STRING,
 230                   G_TYPE_BOOLEAN,
 231                   1,
 232                   G_TYPE_STRING);
 233   g_signal_set_va_marshaller (signals[ALLOW_MECHANISM_SIGNAL],
 234                               G_TYPE_FROM_CLASS (klass),
 235                               _g_cclosure_marshal_BOOLEAN__STRINGv);
 236 }
 237
 238 static void
 239 g_dbus_auth_observer_init (GDBusAuthObserver *observer)
 240 {
 241 }
 242
 243 /**
 244  * g_dbus_auth_observer_new:
 245  *
 246  * Creates a new #GDBusAuthObserver object.
 247  *
 248  * Returns: A #GDBusAuthObserver. Free with g_object_unref().
 249  *
 250  * Since: 2.26
 251  */
 252 GDBusAuthObserver *
 253 g_dbus_auth_observer_new (void)
 254 {
 255   return g_object_new (G_TYPE_DBUS_AUTH_OBSERVER, NULL);
 256 }
 257
 258 /* ---------------------------------------------------------------------------------------------------- */
 259
 260 /**
 261  * g_dbus_auth_observer_authorize_authenticated_peer:
 262  * @observer: A #GDBusAuthObserver.
 263  * @stream: A #GIOStream for the #GDBusConnection.
 264  * @credentials: (nullable): Credentials received from the peer or %NULL.
 265  *
 266  * Emits the #GDBusAuthObserver::authorize-authenticated-peer signal on @observer.
 267  *
 268  * Returns: %TRUE if the peer is authorized, %FALSE if not.
 269  *
 270  * Since: 2.26
 271  */
 272 gboolean
 273 g_dbus_auth_observer_authorize_authenticated_peer (GDBusAuthObserver  *observer,
 274                                                    GIOStream          *stream,
 275                                                    GCredentials       *credentials)
 276 {
 277   gboolean denied;
 278
 279   denied = FALSE;
 280   g_signal_emit (observer,
 281                  signals[AUTHORIZE_AUTHENTICATED_PEER_SIGNAL],
 282                  0,
 283                  stream,
 284                  credentials,
 285                  &denied);
 286   return denied;
 287 }
 288
 289 /**
 290  * g_dbus_auth_observer_allow_mechanism:
 291  * @observer: A #GDBusAuthObserver.
 292  * @mechanism: The name of the mechanism, e.g. `DBUS_COOKIE_SHA1`.
 293  *
 294  * Emits the #GDBusAuthObserver::allow-mechanism signal on @observer.
 295  *
 296  * Returns: %TRUE if @mechanism can be used to authenticate the other peer, %FALSE if not.
 297  *
 298  * Since: 2.34
 299  */
 300 gboolean
 301 g_dbus_auth_observer_allow_mechanism (GDBusAuthObserver  *observer,
 302                                       const gchar        *mechanism)
 303 {
 304   gboolean ret;
 305
 306   ret = FALSE;
 307   g_signal_emit (observer,
 308                  signals[ALLOW_MECHANISM_SIGNAL],
 309                  0,
 310                  mechanism,
 311                  &ret);
 312   return ret;
 313 }