File _service:obs_scm:0003-fix-Interface-permission-Upgrade-the-permission-of-s.patch of Package kiran-authentication-service
From 74cff73678e966b232d70aba787476f34fa0d584 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 11:11:48 +0800
Subject: [PATCH 3/5] fix(Interface permission): Upgrade the permission of some interfaces of the authentication service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 提升部分认证服务接口权限至root,调用前需认证polkit
Closes #I795QI
---
 data/com.kylinsec.Kiran.Authentication.xml | 7 ++-
 src/daemon/auth-manager.cpp | 66 ++++++++++++++--------
 src/daemon/auth-manager.h | 46 ++++++++++-----
 src/daemon/user.cpp | 2 +-
 src/pam/authentication.cpp | 1 -
 5 files changed, 82 insertions(+), 40 deletions(-)

diff --git a/data/com.kylinsec.Kiran.Authentication.xml b/data/com.kylinsec.Kiran.Authentication.xml
index b575ebd..12b077f 100644
--- a/data/com.kylinsec.Kiran.Authentication.xml
+++ b/data/com.kylinsec.Kiran.Authentication.xml
@@ -51,7 +51,7 @@
 </arg>
 </method>
- <method name="SetDrivereEanbled">
+ <method name="SetDrivereEnabled">
 <arg name="driver_name" direction="in" type="s">
 <description>driver name</description>
 </arg>
@@ -73,7 +73,7 @@
 <arg name="auth_type" direction="in" type="i">
 <description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
 </arg>
- <arg name="device_id" type="s">
+ <arg name="device_id" direction="in" type="s">
 <description>The default device ID.</description>
 </arg>
 </method>
@@ -82,6 +82,9 @@
 <arg name="auth_type" direction="in" type="i">
 <description>The auth type. Refer to KADAuthType in kas-authentication-i.h</description>
 </arg>
+ <arg name="device_id" direction="out" type="s">
+ <description>The default device ID.</description>
+ </arg>
 </method>
 <method name="SetAuthTypeEnabledForApp">
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 0a74682..7ebef89 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -21,6 +21,7 @@
 #include "src/daemon/device/device-adaptor-factory.h"
 #include "src/daemon/error.h"
 #include "src/daemon/proxy/dbus-daemon-proxy.h"
+#include "src/daemon/proxy/polkit-proxy.h"
 #include "src/daemon/session.h"
 #include "src/daemon/user-manager.h"
 #include "src/utils/utils.h"
@@ -34,6 +35,9 @@
 #include <QMetaEnum>
 #include <QSettings>
 #include <QTime>
+
+#define AUTH_USER_ADMIN "com.kylinsec.kiran.authentication.user-administration"
+
 namespace Kiran
 {
 // 会话ID的最大值
@@ -85,7 +89,7 @@ QDBusObjectPath AuthManager::CreateSession(const QString &username, int timeout,
 .arg(authApp)
 .arg(this->message().service())
 .arg(sessionID);
-
+
 return QDBusObjectPath(session->getObjectPath());
 }
@@ -108,15 +112,6 @@ QString AuthManager::GetDriversForType(int authType)
 return DeviceAdaptorFactory::getInstance()->getDriversForType(authType);
 }
-void AuthManager::SetDrivereEanbled(const QString &driverName, bool enabled)
-{
- if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
- {
- DBUS_ERROR_REPLY(QDBusError::InternalError,
- KADErrorCode::ERROR_FAILED);
- }
-}
-
 QDBusObjectPath AuthManager::FindUserByID(qulonglong uid)
 {
 auto pwent = getpwuid(uid);
@@ -164,21 +159,11 @@ bool AuthManager::GetAuthTypeEnabled(int authType)
 return m_authConfig->getAuthTypeEnable((KADAuthType)authType);
 }
-void AuthManager::SetAuthTypeEnabled(int authType, bool enabled)
-{
- m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
-}
-
 bool AuthManager::GetAuthTypeEnabledForApp(int authType, int authApp)
 {
 return m_authConfig->getAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp);
 }
-void AuthManager::SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled)
-{
- m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
-}
-
 /// @brief 通过认证应用枚举获取支持的认证类型或认证顺序
 /// @param authApp 应用程序所属的认证应用类型
 /// @return 与模式下为需认证类型的认证顺序,或模式下为可选的认证类型
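Review bot: The polkit action id in the @@ -34 hunk is introduced as a preprocessor macro, `#define AUTH_USER_ADMIN "..."`, although it is a plain string constant used only inside this translation unit; a typed constant such as `static constexpr const char *AUTH_USER_ADMIN = "com.kylinsec.kiran.authentication.user-administration";` would keep the same behaviour while staying out of the global macro namespace. The new `#include "src/daemon/proxy/polkit-proxy.h"` in the @@ -21 hunk has no direct use in any visible hunk, so it is presumably required by the CHECK_AUTH_* macros defined outside this patch; a short comment next to the constant saying that this action id must match the one declared in the service's polkit policy file would help the next maintainer keep the two in sync.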
@@ -202,9 +187,9 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
 auto sortedAuthTypes = authOrder;
 auto enabledAuthTypeIter = enabledAuthTypes.begin();
- while(enabledAuthTypeIter != enabledAuthTypes.end())
+ while (enabledAuthTypeIter != enabledAuthTypes.end())
 {
- if(!sortedAuthTypes.contains(*enabledAuthTypeIter))
+ if (!sortedAuthTypes.contains(*enabledAuthTypeIter))
 {
 sortedAuthTypes << *enabledAuthTypeIter;
 }
@@ -257,6 +242,10 @@ void AuthManager::onNameLost(const QString &serviceName)
 }
 }
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetDrivereEnabled, onSetDriverEnabled, AUTH_USER_ADMIN, const QString &, bool);
+CHECK_AUTH_WITH_2ARGS(AuthManager, SetAuthTypeEnabled, onSetAuthTypeEnabled, AUTH_USER_ADMIN, int, bool);
+CHECK_AUTH_WITH_3ARGS(AuthManager, SetAuthTypeEnabledForApp, onSetAuthTypeEnabledForApp, AUTH_USER_ADMIN, int, int, bool);
+
 void AuthManager::init()
 {
 auto systemConnection = QDBusConnection::systemBus();
@@ -276,6 +265,11 @@ void AuthManager::init()
 connect(m_authConfig, SIGNAL(defaultDeviceChanged(int, QString)), this, SIGNAL(defaultDeviceChanged(int, QString)));
 }
+QString AuthManager::calcAction(const QString &originAction)
+{
+ return AUTH_USER_ADMIN;
+}
+
 int32_t AuthManager::generateSessionID()
 {
 // 最多生成10次,超过次数则返回失败
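Review bot: calcAction in the @@ -276 hunk ignores its originAction parameter and returns AUTH_USER_ADMIN unconditionally, so every method routed through it is authorised against the same polkit action no matter which interface was invoked, and the parameter only produces an unused-parameter warning. If a single shared action is the intent, state it at the definition and silence the warning, e.g. `// All privileged AuthManager methods currently share one polkit action; originAction is kept for interface compatibility.` followed by `Q_UNUSED(originAction);`. If per-method actions are planned, this is the place to map them, since the CHECK_AUTH_* macros invoked in the @@ -257 hunk are defined outside this patch and presumably call calcAction to pick the action they check.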
@@ -288,4 +282,32 @@ int32_t AuthManager::generateSessionID()
 }
 return -1;
 }
+
+void AuthManager::onSetDriverEnabled(const QDBusMessage &message, const QString &driverName, bool enabled)
+{
+ if (!DeviceAdaptorFactory::getInstance()->setDrivereEanbled(driverName, enabled))
+ {
+ DBUS_ERROR_REPLY_ASYNC(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);
+ }
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabled(const QDBusMessage &message, int authType, bool enabled)
+{
+ m_authConfig->setAuthTypeEnable((KADAuthType)authType, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
+void AuthManager::onSetAuthTypeEnabledForApp(const QDBusMessage &message, int authType, int authApp, bool enabled)
+{
+ m_authConfig->setAuthTypeEnabledForApp((KADAuthType)authType, (KADAuthApplication)authApp, enabled);
+
+ auto replyMessage = message.createReply();
+ QDBusConnection::systemBus().send(replyMessage);
+}
+
 } // namespace Kiran
diff --git a/src/daemon/auth-manager.h b/src/daemon/auth-manager.h
index 696dc96..e707e0b 100644
--- a/src/daemon/auth-manager.h
+++ b/src/daemon/auth-manager.h
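Review bot: onSetDriverEnabled replies twice on its failure path: DBUS_ERROR_REPLY_ASYNC emits the error reply but, unlike the DBUS_ERROR_REPLY_ASYNC_AND_RET form this same patch uses in user.cpp, does not appear to return, so execution falls through to `message.createReply()` and a second, successful reply is sent for the same message, masking the failure from the caller (or triggering an unexpected-reply warning on the bus). Change the line to `DBUS_ERROR_REPLY_ASYNC_AND_RET(message, QDBusError::InternalError, KADErrorCode::ERROR_FAILED);` so the success reply is only sent when the driver state was actually changed. The three new slots also carry no documentation; a shared comment such as `// Invoked by the CHECK_AUTH_* wrappers only after the polkit check for AUTH_USER_ADMIN succeeded; each slot must send exactly one reply to `message` itself.` would state the contract the wrappers rely on, since the macro definitions are outside this patch.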
@@ -48,46 +48,64 @@ public:
 int getMaxFailures();
 public Q_SLOTS: // DBUS METHODS
+ /// normal
+ // 获取认证服务中用户DBUS对象
+ QDBusObjectPath FindUserByID(qulonglong uid);
+ QDBusObjectPath FindUserByName(const QString &userName);
+
+ // 认证会话创建以及销毁
 QDBusObjectPath CreateSession(const QString &userName, int timeout,int authApp);
 void DestroySession(uint sessionID);
+
+ // 根据认证类型获取驱动列表
 QString GetDriversForType(int authType);
- void SetDrivereEanbled(const QString& driverName,bool enabled);
- // 获取认证服务中用户DBUS对象
- QDBusObjectPath FindUserByID(qulonglong uid);
- QDBusObjectPath FindUserByName(const QString &userName);
-
- // 获取认证设备
+ // 根据认证类型获取设备列表
 QString GetDevicesForType(int authType);
- // 获取默认认证设备
- QString GetDefaultDeviceID(int authType);
- // 设置默认设备ID
- void SetDefaultDeviceID(int authType, const QString &deviceID);
- // 认证类型总开关
+ // 获取认证类型是否启用
 bool GetAuthTypeEnabled(int authType);
- void SetAuthTypeEnabled(int authType,bool enabled);
- // 获取/设置指定认证场景下认证类型的开关
+ // 获取认证类型认证场景(认证应用)是否启用
 bool GetAuthTypeEnabledForApp(int authType,int authApp);
- void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
+ // 默认设备
+ QString GetDefaultDeviceID(int authType);
+ void SetDefaultDeviceID(int authType, const QString &deviceID);
 // 通过pam服务名查询属于哪个认证场景
+ // 例如:
+ // lightdm->KAD_AUTH_APPLICATION_LOGIN,
+ // iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK
 int QueryAuthApp(const QString &pamServiceName);
+ // 通过指定的认证应用获取支持的认证类型,返回值为有序列表
 QList<int> GetAuthTypeByApp(int32_t authApp);
 void onNameLost(const QString &serviceName);
+ // root
+ // 设备驱动控制
+ void SetDrivereEnabled(const QString& driverName,bool enabled);
+
+ // 认证类型总开关
+ void SetAuthTypeEnabled(int authType,bool enabled);
+
+ // 获取/设置指定认证场景下认证类型的开关
+ void SetAuthTypeEnabledForApp(int authType, int authApp, bool enabled);
+
 signals:
 void defaultDeviceChanged(int authType,const QString& deviceID,QPrivateSignal);
 private:
 void init();
+ // 需要管理员权限
+ QString calcAction(const QString &originAction);
 // 生成一个唯一的会话ID
 int32_t generateSessionID();
+ void onSetDriverEnabled(const QDBusMessage &message,const QString& driverName,bool enabled);
+ void onSetAuthTypeEnabled(const QDBusMessage &message,int authType,bool enabled);
+ void onSetAuthTypeEnabledForApp(const QDBusMessage &message,int authType, int authApp, bool enabled);
 private:
 static AuthManager *m_instance;
diff --git a/src/daemon/user.cpp b/src/daemon/user.cpp
index 1b77bf0..c9d98bb 100644
--- a/src/daemon/user.cpp
+++ b/src/daemon/user.cpp
@@ -290,7 +290,7 @@ void User::onDeleteIdentification(const QDBusMessage &message, const QString &ii
 if (!getIIDs().contains(iid))
 {
 USER_WARNING() << "delete identification" << iid << "error,can not find!";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
+ DBUS_ERROR_REPLY_ASYNC_AND_RET(message,QDBusError::InvalidArgs, KADErrorCode::ERROR_INVALID_ARGUMENT);
 }
 USER_DEBUG() << "delete identification" << iid;
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 192a1b1..6a165fd 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -42,7 +42,6 @@ Authentication::Authentication(PAMHandle *pamHandle,
 {
 }
- // TODO polkit 认证 超时,未结束认证
 Authentication::~Authentication()
 {
 if (this->m_authSessionProxy && this->m_authManagerProxy)
-- 
2.33.0
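Review bot: The new `// normal` / `// root` split in the auth-manager.h hunk moves SetDrivereEnabled, SetAuthTypeEnabled and SetAuthTypeEnabledForApp behind the polkit check but leaves SetDefaultDeviceID in the unprivileged group, even though it is a setter on the same service configuration as the three gated ones (it sits directly beside GetDefaultDeviceID under `// 默认设备`); if leaving it callable without authorisation is deliberate, the reason should be stated beside its declaration, otherwise it belongs in the root group with a matching `CHECK_AUTH_WITH_2ARGS` wrapper in auth-manager.cpp. The comment `// iran-screensaver->KAD_AUTH_APPLICATION_UNLOCK` looks like a typo for `kiran-screensaver`, and `/// normal` uses a Doxygen triple slash while `// root` does not — the two group headers should use the same comment form. The three private onSet* slot declarations that close the hunk would benefit from one comment stating their contract, e.g. `// Targets of the CHECK_AUTH_* wrappers: run only after polkit authorised the caller, and must reply to `message` themselves.`, since the wrapper macros are defined outside this patch.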