From 31c0ce425a03c59726b7c1a83aaf8cd8dfab79f7 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Mon, 21 May 2012 13:42:43 -0400 Subject: Add netgroup support Signed-off-by: David Zeuthen --- docs/man/polkit.xml | 15 ++++++++ src/polkitbackend/init.js | 4 +++ src/polkitbackend/polkitbackendjsauthority.c | 41 ++++++++++++++++++++++ test/Makefile.am | 3 +- test/data/etc/polkit-1/rules.d/10-testing.rules | 18 ++++++++++ test/polkitbackend/test-polkitbackendjsauthority.c | 24 +++++++++++++ 6 files changed, 103 insertions(+), 2 deletions(-) diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml index 4fbc117..ee658c5 100644 --- a/docs/man/polkit.xml +++ b/docs/man/polkit.xml @@ -652,6 +652,21 @@ System Context | | + + + + boolean isInNetGroup + string netGroupName + + + + + The isInGroup() method can be used to + check if the subject is in a given group and + isInNetGroup() can be used to check if + the subject is in a given netgroup. + + diff --git a/src/polkitbackend/init.js b/src/polkitbackend/init.js index 0e8bcfb..29f13fc 100644 --- a/src/polkitbackend/init.js +++ b/src/polkitbackend/init.js @@ -26,6 +26,10 @@ function Subject() { return false; }; + this.isInNetGroup = function(netGroup) { + return polkit._userIsInNetGroup(this.user, netGroup); + }; + this.toString = function() { var ret = "[Subject"; for (var i in this) { diff --git a/src/polkitbackend/polkitbackendjsauthority.c b/src/polkitbackend/polkitbackendjsauthority.c index 8c1d189..7798d45 100644 --- a/src/polkitbackend/polkitbackendjsauthority.c +++ b/src/polkitbackend/polkitbackendjsauthority.c 
@@ -144,11 +144,13 @@ static JSClass js_polkit_class = { static JSBool js_polkit_log (JSContext *cx, uintN argc, jsval *vp); static JSBool js_polkit_spawn (JSContext *cx, uintN argc, jsval *vp); +static JSBool js_polkit_user_is_in_netgroup (JSContext *cx, uintN argc, jsval *vp); static JSFunctionSpec js_polkit_functions[] = { JS_FS("log", js_polkit_log, 0, 0), JS_FS("spawn", js_polkit_spawn, 0, 0), + JS_FS("_userIsInNetGroup", js_polkit_user_is_in_netgroup, 0, 0), JS_FS_END }; @@ -1225,3 +1227,42 @@ js_polkit_spawn (JSContext *cx, } /* ---------------------------------------------------------------------------------------------------- */ + + +static JSBool +js_polkit_user_is_in_netgroup (JSContext *cx, + uintN argc, + jsval *vp) +{ + /* PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (JS_GetContextPrivate (cx)); */ + JSBool ret = JS_FALSE; + JSString *user_str; + JSString *netgroup_str; + char *user; + char *netgroup; + JSBool is_in_netgroup = JS_FALSE; + + if (!JS_ConvertArguments (cx, argc, JS_ARGV (cx, vp), "SS", &user_str, &netgroup_str)) + goto out; + + user = JS_EncodeString (cx, user_str); + netgroup = JS_EncodeString (cx, netgroup_str); + + if (innetgr (netgroup, + NULL, /* host */ + user, + NULL)) /* domain */ + { + is_in_netgroup = JS_TRUE; + } + + JS_free (cx, netgroup); + JS_free (cx, user); + + ret = JS_TRUE; + + JS_SET_RVAL (cx, vp, BOOLEAN_TO_JSVAL (is_in_netgroup)); + out: + return ret; +} + diff --git a/test/Makefile.am b/test/Makefile.am index 8426977..598e426 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -2,7 +2,7 @@ SUBDIRS = mocklibc . polkit polkitbackend AM_CFLAGS = $(GLIB_CFLAGS) -check_LTLIBRARIES = libpolkit-test-helper.la +noinst_LTLIBRARIES = libpolkit-test-helper.la libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h libpolkit_test_helper_la_LIBADD = $(GLIB_LIBS) 
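Review bot: In js_polkit_user_is_in_netgroup (the second polkitbackendjsauthority.c hunk), both JS_EncodeString results go straight into innetgr() with no NULL check. innetgr() treats a NULL user argument as a wildcard, so if encoding the user name fails, the lookup can match any entry of the netgroup regardless of user, and the authorization check fails open. A NULL netgroup name is not a valid argument either. I would initialise both pointers to NULL, jump to `out` when either is NULL, and move the two JS_free calls below the label so the early exit frees whichever string was allocated. This assumes JS_free accepts NULL as free() does; guard the calls if it does not.

```c
  char *user = NULL;
  char *netgroup = NULL;
  /* … unchanged: other declarations, JS_ConvertArguments check, the two JS_EncodeString calls … */
  if (user == NULL || netgroup == NULL)
    goto out; /* a NULL user is a wildcard for innetgr(); fail closed */
  /* … unchanged: innetgr call, ret = JS_TRUE, JS_SET_RVAL … */
 out:
  JS_free (cx, netgroup);
  JS_free (cx, user);
  /* … unchanged: return ret … */
```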
@@ -17,7 +17,6 @@ export TESTS_ENVIRONMENT := $(abs_top_builddir)/test/mocklibc/bin/mocklibc # Include path to mock config files export POLKIT_TEST_DATA := $(abs_top_srcdir)/test/data - clean-local : rm -f *~ diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules index 4cd184c..0cad62c 100644 --- a/test/data/etc/polkit-1/rules.d/10-testing.rules +++ b/test/data/etc/polkit-1/rules.d/10-testing.rules @@ -16,6 +16,12 @@ polkit.addAdminRule(function(action, subject, details) { } }); +polkit.addAdminRule(function(action, subject, details) { + if (action == "net.company.action3") { + return ["unix-netgroup:foo"]; + } +}); + // Fallback polkit.addAdminRule(function(action, subject, details) { return ["unix-group:admin", "unix-user:root"]; @@ -53,3 +59,15 @@ polkit.addRule(function(action, subject, details) { return "no"; } }); + +// --------------------------------------------------------------------- +// netgroup membership + +polkit.addRule(function(action, subject, details) { + if (action == "net.company.group.only_netgroup_users") { + if (subject.isInNetGroup("foo")) + return "yes"; + else + return "no"; + } +}); diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c index a210f68..f81c7fb 100644 --- a/test/polkitbackend/test-polkitbackendjsauthority.c +++ b/test/polkitbackend/test-polkitbackendjsauthority.c @@ -130,6 +130,12 @@ test_get_admin_identities (void) "unix-group:users" } }, + { + "net.company.action3", + { + "unix-netgroup:foo" + } + }, }; guint n; 
@@ -222,6 +228,24 @@ static const RulesTestCase rules_test_cases[] = { POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, NULL }, + + /* check netgroup membership */ + { + /* john is a member of netgroup 'foo', see test/etc/netgroup */ + "netgroup_membership_with_member", + "net.company.group.only_netgroup_users", + "unix-user:john", + POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED, + NULL + }, + { + /* sally is not a member of netgroup 'foo', see test/etc/netgroup */ + "netgroup_membership_with_non_member", + "net.company.group.only_netgroup_users", + "unix-user:sally", + POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, + NULL + }, }; /* ---------------------------------------------------------------------------------------------------- */ -- cgit v1.2.3
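Review bot: The comments on the two new rules_test_cases entries point at `test/etc/netgroup`, but the test data visible in this patch lives under `test/data/etc/` (see the 10-testing.rules path and POLKIT_TEST_DATA). The comments should probably read `/* john is a member of netgroup 'foo', see test/data/etc/netgroup */`, and likewise for sally. The diffstat does not list a netgroup file, so confirm that it already exists and puts john, but not sally, in `foo`. Both cases also query a netgroup that is defined; a further case, with a matching rule for a netgroup name that is not defined and an expected result of POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, would pin that isInNetGroup() fails closed.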