#include "dbus-sha.h"
#include "dbus-protocol.h"
#include "dbus-credentials.h"
+#include "dbus-authorization.h"
/**
* @defgroup DBusAuth Authentication
{
DBusAuth base; /**< Parent class */
+ DBusAuthorization *authorization; /* DBus Authorization callbacks */
+
int failures; /**< Number of times client has been rejected */
int max_failures; /**< Number of times we reject before disconnect */
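Review bot: The new `authorization` member uses a plain `/* ... */` comment while the neighbouring members use the Doxygen trailing form `/**< ... */`, so it will likely be missing from the generated documentation for this struct. The comment also does not say who owns the pointer, although the later hunks take a reference at construction and drop it at teardown. Suggest `DBusAuthorization *authorization; /**< Authorization callbacks consulted before OK is sent; this object holds a reference */`. The struct definition starts and ends outside this hunk.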
DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
auth->credentials))
return FALSE;
-
- if (!send_ok (auth))
- return FALSE;
- _dbus_verbose ("%s: authenticated client based on socket credentials\n",
- DBUS_AUTH_NAME (auth));
+ /* Do a first authorization of the transport, in order to REJECT
+ * immediately connection if needed (FDO#39720), transport will
+ * re-authorize later, but it will close the connection on fail,
+ * we want to REJECT now if possible */
+ if (_dbus_authorization_do_authorization (DBUS_AUTH_SERVER (auth)->authorization,
+ auth->authorized_identity))
+ {
+ if (!send_ok (auth))
+ return FALSE;
+ }
+ else
+ {
+ _dbus_verbose ("%s: desired identity does not match server identity: "
+ "not authorized\n", DBUS_AUTH_NAME (auth));
+ return send_rejected (auth);
+ }
+
+ _dbus_verbose ("%s: authenticated and authorized client based on "
+ "socket credentials\n", DBUS_AUTH_NAME (auth));
return TRUE;
}
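Review bot: The message logged in the new `else` branch says "desired identity does not match server identity", but that branch is taken when `_dbus_authorization_do_authorization ()` returns false. At that point the identity has already been accepted from the socket credentials and copied into `auth->authorized_identity`, so the refusal is a policy decision, not an identity mismatch. Someone using verbose logs to work out why a client was rejected would be pointed at the wrong cause. Wording such as `_dbus_verbose ("%s: identity from socket credentials rejected by authorization policy\n", DBUS_AUTH_NAME (auth));` would match the code path. The handler's body starts above this hunk, so the earlier identity checks are not visible here.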
{
_dbus_verbose ("%s: Received invalid UTF-8 trace data from ANONYMOUS client\n",
DBUS_AUTH_NAME (auth));
-
- {
- DBusString plaintext;
- DBusString encoded;
- _dbus_string_init_const (&plaintext, "D-Bus " DBUS_VERSION_STRING);
- _dbus_string_init (&encoded);
- _dbus_string_hex_encode (&plaintext, 0,
- &encoded,
- 0);
- _dbus_verbose ("%s: try '%s'\n",
- DBUS_AUTH_NAME (auth), _dbus_string_get_const_data (&encoded));
- }
return send_rejected (auth);
}
case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
_dbus_assert(auth->unix_fd_possible);
auth->unix_fd_negotiated = TRUE;
- _dbus_verbose("Sucessfully negotiated UNIX FD passing\n");
+ _dbus_verbose("Successfully negotiated UNIX FD passing\n");
return send_begin (auth);
case DBUS_AUTH_COMMAND_ERROR:
/**
* Creates a new auth conversation object for the server side.
- * See doc/dbus-sasl-profile.txt for full details on what
- * this object does.
+ * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
+ * for full details on what this object does.
*
* @returns the new object or #NULL if no memory
*/
DBusAuth*
-_dbus_auth_server_new (const DBusString *guid)
+_dbus_auth_server_new (const DBusString *guid,
+ DBusAuthorization *authorization)
{
DBusAuth *auth;
DBusAuthServer *server_auth;
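Review bot: The doc comment for `_dbus_auth_server_new ()` has no `@param` lines, so the contract for the new `authorization` argument is unstated: whether #NULL is allowed, and that the auth object takes its own reference. The other hunks pass the pointer to `_dbus_authorization_ref ()`, `_dbus_authorization_do_authorization ()` and `_dbus_authorization_unref ()` without a NULL check. Whether those helpers tolerate NULL is not visible here, and if they do not, a caller passing NULL breaks the authorization step that gates `send_ok ()`. Suggest documenting `@param authorization the authorization policy consulted before OK is sent; must not be #NULL, a reference is taken` and enforcing it with `_dbus_assert (authorization != NULL);` at the top of the body. The function body continues outside this hunk.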
server_auth = DBUS_AUTH_SERVER (auth);
server_auth->guid = guid_copy;
-
+ server_auth->authorization = _dbus_authorization_ref (authorization);
+
/* perhaps this should be per-mechanism with a lower
* max
*/
/**
* Creates a new auth conversation object for the client side.
- * See doc/dbus-sasl-profile.txt for full details on what
- * this object does.
+ * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
+ * for full details on what this object does.
*
* @returns the new object or #NULL if no memory
*/
_dbus_assert (DBUS_AUTH_IS_SERVER (auth));
_dbus_string_free (& DBUS_AUTH_SERVER (auth)->guid);
+ _dbus_authorization_unref (DBUS_AUTH_SERVER (auth)->authorization);
}
if (auth->keyring)
}
/**
- * Queries whether unix fd passing was sucessfully negotiated.
+ * Queries whether unix fd passing was successfully negotiated.
*
* @param auth the auth conversion
* @returns #TRUE when unix fd passing was negotiated.