From 50dcb370edc365114fa6640770ebc253d39570ab Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Fri, 6 Jul 2012 10:19:45 -0400 Subject: [PATCH] Introduce a polkit.Result enumeration for authorization rules This way an authorization rule can do this return polkit.Result.YES; which is slightly nicer than return "yes"; https://bugs.freedesktop.org/show_bug.cgi?id=50983 Signed-off-by: David Zeuthen --- docs/man/polkit.xml | 52 ++++++++++++------- src/polkitbackend/init.js | 10 ++++ .../etc/polkit-1/rules.d/10-testing.rules | 48 ++++++++--------- .../etc/polkit-1/rules.d/15-testing.rules | 6 +-- .../share/polkit-1/rules.d/10-testing.rules | 4 +- .../share/polkit-1/rules.d/20-testing.rules | 6 +-- 6 files changed, 74 insertions(+), 52 deletions(-) diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml index d48b1a0..1aebfc9 100644 --- a/docs/man/polkit.xml +++ b/docs/man/polkit.xml @@ -514,7 +514,7 @@ System Context | | void addRule - string function(action, subject) {...} + polkit.Result function(action, subject) {...} 
@@ -553,26 +553,38 @@ System Context | | /etc/polkit-1/rules.d with a name that sorts before other rules files, for example 00-early-checks.rules. Each function should - return one of the values "no", - "yes", "auth_self", - "auth_self_keep", - "auth_admin", - "auth_admin_keep" as defined above. If the - function returns null, - undefined or does not return a value at - all, the next function is tried. + return a value from polkit.Result + + + + corresponding to the values that can be used as defaults. If + the function returns + polkit.Result.NOT_HANDLED, + null, undefined or + does not return a value at all, the next user function is + tried. - Keep in mind that if "auth_self_keep" or - "auth_admin_keep" is returned, + Keep in mind that if polkit.Result.AUTH_SELF_KEEP + or polkit.Result.AUTH_ADMIN_KEEP is returned, authorization checks for the same action identifier and - subject will succeed (that is, return "yes") for the next + subject will succeed (that is, return polkit.Result.YES) for the next brief period (e.g. five minutes) even if the variables passed along with the check are different. Therefore, if the result of an authorization rule depend on such variables, it should not use the - "*_keep" variants (if similar functionality + "*_KEEP" constants (if similar functionality is required, the authorization rule can easily implement temporary authorizations using the Date @@ -825,7 +837,7 @@ May 24 14:28:50 thinkpad polkitd[32217]: /etc/polkit-1/rules.d/10-test.rules:4: polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.accounts.user-administration" && subject.isInGroup("admin")) { - return "yes"; + return polkit.Result.YES; } }); ]]> 
@@ -850,9 +862,9 @@ polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.hostname1.") == 0) { if (subject.isInGroup("children")) { - return "no"; + return polkit.Result.NO; } else { - return "auth_self_keep"; + return polkit.Result.AUTH_SELF_KEEP; } } }); @@ -869,10 +881,10 @@ polkit.addRule(function(action, subject) { // only if the passed username is authorized polkit.spawn(["/opt/company/bin/user-may-reboot", subject.user]); - return "yes"; + return polkit.Result.YES; } catch (error) { // Nope, but do allow admin authentication - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } } }); @@ -888,7 +900,7 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.policykit.exec" && action.lookup("program") == "/usr/bin/cat") { - return "auth_self"; + return polkit.Result.AUTH_SELF; } }); ]]> @@ -910,7 +922,7 @@ polkit.addRule(function(action, subject) { action.lookup("drive.vendor") == "SEAGATE" && action.lookup("drive.model") == "ST3300657SS" && subject.isInGroup("engineers")) { - return "yes"; + return polkit.Result.YES; } } }); diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js index 16862d4..af85d05 100644 --- a/src/polkitbackend/init.js +++ b/src/polkitbackend/init.js @@ -81,3 +81,13 @@ polkit._deleteRules = function() { this._adminRuleFuncs = []; this._ruleFuncs = []; }; + +polkit.Result = { + NO : "no", + YES : "yes", + AUTH_SELF : "auth_self", + AUTH_SELF_KEEP : "auth_self_keep", + AUTH_ADMIN : "auth_admin", + AUTH_ADMIN_KEEP : "auth_admin_keep", + NOT_HANDLED : null +}; diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules index 4a17f8c..446e622 100644 --- a/test/data/etc/polkit-1/rules.d/10-testing.rules +++ b/test/data/etc/polkit-1/rules.d/10-testing.rules 
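Review bot: `polkit.Result` in src/polkitbackend/init.js is added as an ordinary mutable object, so code in one rules file could reassign a member such as `polkit.Result.NO` and change what rules evaluated afterwards return. This assumes all rules files share the one `polkit` object, as the `_ruleFuncs` array in the context lines suggests; if so, I would follow the literal with `Object.freeze(polkit.Result);`, provided the embedded engine supports it. Separately, a misspelled member (for example `polkit.Result.AUTH_ADMN`) evaluates to `undefined`, which the updated man page says is handled like `NOT_HANDLED`, so a rule written to deny would silently fall through to the next rule. A comment on the literal such as `// A misspelled member is undefined and is treated as NOT_HANDLED` and a matching sentence in polkit.xml would warn rule authors about this.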
@@ -37,19 +37,19 @@ polkit.addAdminRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.productA.action0") { - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.productA.action1") { - return "auth_self"; + return polkit.Result.AUTH_SELF; } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "yes"; + return polkit.Result.YES; } }); @@ -59,11 +59,11 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.variables") { if (action.lookup("foo") == "1") - return "yes"; + return polkit.Result.YES; else if (action.lookup("foo") == "2") - return "auth_self"; + return polkit.Result.AUTH_SELF; else - return "auth_admin"; + return polkit.Result.AUTH_ADMIN; } }); @@ -74,9 +74,9 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.only_group_users") { if (subject.isInGroup("users")) - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } }); @@ -86,9 +86,9 @@ polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) { if (action.id == "net.company.group.only_netgroup_users") { if (subject.isInNetGroup("foo")) - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } }); @@ -99,9 +99,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.non_existing_helper") { try { polkit.spawn(["/path/to/non/existing/helper"]); - return "no"; + return polkit.Result.NO; } catch (error) { - return "yes"; + return polkit.Result.YES; } } }); 
@@ -110,9 +110,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.successful_helper") { try { polkit.spawn(["/bin/true"]); - return "yes"; + return polkit.Result.YES; } catch (error) { - return "no"; + return polkit.Result.NO; } } }); @@ -121,9 +121,9 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.failing_helper") { try { polkit.spawn(["/bin/false"]); - return "no"; + return polkit.Result.NO; } catch (error) { - return "yes"; + return polkit.Result.YES; } } }); @@ -133,11 +133,11 @@ polkit.addRule(function(action, subject) { try { var out = polkit.spawn(["echo", "-n", "-e", "Hello\nWorld"]); if (out == "Hello\nWorld") - return "yes"; + return polkit.Result.YES; else - return "no"; + return polkit.Result.NO; } catch (error) { - return "no"; + return polkit.Result.NO; } } }); @@ -146,11 +146,11 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.spawning.helper_timeout") { try { polkit.spawn(["sleep", "20"]); - return "no"; + return polkit.Result.NO; } catch (error) { if (error == "Error: Error spawning helper: Timed out after 10 seconds (g-io-error-quark, 24)") - return "yes"; - return "no"; + return polkit.Result.YES; + return polkit.Result.NO; } } }); @@ -168,8 +168,8 @@ polkit.addRule(function(action, subject) { ; } catch (error) { if (error == "Terminating runaway script") - return "yes" - return "no"; + return polkit.Result.YES; + return polkit.Result.NO; } } }); diff --git a/test/data/etc/polkit-1/rules.d/15-testing.rules b/test/data/etc/polkit-1/rules.d/15-testing.rules index b64d731..00e214b 100644 --- a/test/data/etc/polkit-1/rules.d/15-testing.rules +++ b/test/data/etc/polkit-1/rules.d/15-testing.rules 
@@ -4,18 +4,18 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order2") { - return "yes"; + return polkit.Result.YES; } }); diff --git a/test/data/usr/share/polkit-1/rules.d/10-testing.rules b/test/data/usr/share/polkit-1/rules.d/10-testing.rules index c60e262..1d553f6 100644 --- a/test/data/usr/share/polkit-1/rules.d/10-testing.rules +++ b/test/data/usr/share/polkit-1/rules.d/10-testing.rules @@ -6,12 +6,12 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "yes"; + return polkit.Result.YES; } }); diff --git a/test/data/usr/share/polkit-1/rules.d/20-testing.rules b/test/data/usr/share/polkit-1/rules.d/20-testing.rules index 5c5bb2c..071f135 100644 --- a/test/data/usr/share/polkit-1/rules.d/20-testing.rules +++ b/test/data/usr/share/polkit-1/rules.d/20-testing.rules @@ -4,18 +4,18 @@ polkit.addRule(function(action, subject) { if (action.id == "net.company.order0") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order1") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); polkit.addRule(function(action, subject) { if (action.id == "net.company.order2") { - return "no"; // earlier rule should win + return polkit.Result.NO; // earlier rule should win } }); -- 2.34.1