X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=dbus%2Fdbus-auth.c;h=35efa3a891682da2c08eb2f1f56d363c0620ca48;hb=75f5b682cc57828fa8593b00f83342c03743cad1;hp=3173f34f94484346c56828fc0afd76f51d7004d4;hpb=3ac6915e3cc214cb8115a38667a5b66dfbeef35f;p=platform%2Fupstream%2Fdbus.git

diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
index 3173f34..35efa3a 100644
--- a/dbus/dbus-auth.c
+++ b/dbus/dbus-auth.c
@@ -30,6 +30,7 @@
 #include "dbus-sha.h"
 #include "dbus-protocol.h"
 #include "dbus-credentials.h"
+#include "dbus-authorization.h"
 
 /**
  * @defgroup DBusAuth Authentication
@@ -213,6 +214,8 @@ typedef struct
 {
   DBusAuth base;    /**< Parent class */
 
+  DBusAuthorization *authorization;             /* DBus Authorization callbacks */
+
   int failures;     /**< Number of times client has been rejected */
   int max_failures; /**< Number of times we reject before disconnect */
 
@@ -1115,12 +1118,26 @@ handle_server_data_external_mech (DBusAuth         *auth,
                                              DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
                                              auth->credentials))
         return FALSE;
-      
-      if (!send_ok (auth))
-        return FALSE;
 
-      _dbus_verbose ("%s: authenticated client based on socket credentials\n",
-                     DBUS_AUTH_NAME (auth));
+      /* Do a first authorization of the transport, in order to REJECT
+       * immediately connection if needed (FDO#39720), transport will
+       * re-authorize later, but it will close the connection on fail,
+       * we want to REJECT now if possible */
+      if (_dbus_authorization_do_authorization (DBUS_AUTH_SERVER (auth)->authorization,
+            auth->authorized_identity))
+        {
+          if (!send_ok (auth))
+            return FALSE;
+        }
+      else
+        {
+          _dbus_verbose ("%s: desired identity does not match server identity: "
+              "not authorized\n", DBUS_AUTH_NAME (auth));
+          return send_rejected (auth);
+        }
+
+      _dbus_verbose ("%s: authenticated and authorized client based on "
+          "socket credentials\n", DBUS_AUTH_NAME (auth));
 
       return TRUE;
     }
@@ -1202,18 +1219,6 @@ handle_server_data_anonymous_mech (DBusAuth         *auth,
         {
           _dbus_verbose ("%s: Received invalid UTF-8 trace data from ANONYMOUS client\n",
                          DBUS_AUTH_NAME (auth));
-
-          {
-            DBusString plaintext;
-            DBusString encoded;
-            _dbus_string_init_const (&plaintext, "D-Bus " DBUS_VERSION_STRING);
-            _dbus_string_init (&encoded);
-            _dbus_string_hex_encode (&plaintext, 0,
-                                     &encoded,
-                                     0);
-              _dbus_verbose ("%s: try '%s'\n",
-                             DBUS_AUTH_NAME (auth), _dbus_string_get_const_data (&encoded));
-          }
           return send_rejected (auth);
         }
       
@@ -2079,7 +2084,7 @@ handle_client_state_waiting_for_agree_unix_fd(DBusAuth         *auth,
     case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
       _dbus_assert(auth->unix_fd_possible);
       auth->unix_fd_negotiated = TRUE;
-      _dbus_verbose("Sucessfully negotiated UNIX FD passing\n");
+      _dbus_verbose("Successfully negotiated UNIX FD passing\n");
       return send_begin (auth);
 
     case DBUS_AUTH_COMMAND_ERROR:
@@ -2250,13 +2255,14 @@ process_command (DBusAuth *auth)
 
 /**
  * Creates a new auth conversation object for the server side.
- * See doc/dbus-sasl-profile.txt for full details on what
- * this object does.
+ * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
+ * for full details on what this object does.
  *
  * @returns the new object or #NULL if no memory
  */
 DBusAuth*
-_dbus_auth_server_new (const DBusString *guid)
+_dbus_auth_server_new (const DBusString *guid,
+    DBusAuthorization *authorization)
 {
   DBusAuth *auth;
   DBusAuthServer *server_auth;
@@ -2284,7 +2290,8 @@ _dbus_auth_server_new (const DBusString *guid)
   server_auth = DBUS_AUTH_SERVER (auth);
 
   server_auth->guid = guid_copy;
-  
+  server_auth->authorization = _dbus_authorization_ref (authorization);
+
   /* perhaps this should be per-mechanism with a lower
    * max
    */
@@ -2296,8 +2303,8 @@ _dbus_auth_server_new (const DBusString *guid)
 
 /**
  * Creates a new auth conversation object for the client side.
- * See doc/dbus-sasl-profile.txt for full details on what
- * this object does.
+ * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
+ * for full details on what this object does.
  *
  * @returns the new object or #NULL if no memory
  */
@@ -2375,6 +2382,7 @@ _dbus_auth_unref (DBusAuth *auth)
           _dbus_assert (DBUS_AUTH_IS_SERVER (auth));
 
           _dbus_string_free (& DBUS_AUTH_SERVER (auth)->guid);
+          _dbus_authorization_unref (DBUS_AUTH_SERVER (auth)->authorization);
         }
 
       if (auth->keyring)
@@ -2806,7 +2814,7 @@ _dbus_auth_set_unix_fd_possible(DBusAuth *auth, dbus_bool_t b)
 }
 
 /**
- * Queries whether unix fd passing was sucessfully negotiated.
+ * Queries whether unix fd passing was successfully negotiated.
  *
  * @param auth the auth conversion
  * @returns #TRUE when unix fd passing was negotiated.