`17012a9`

Map retention choice to auth lifecycle

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 months ago

SHA: 17012a95c9741152e8d2cd78756d88c914bf58e0
Parents: b84d6dc
Tree: 3396c02

3 changed files

Status	File	+	-
M	`garcard-ipc/src/lib.rs`	8	0
M	`garcard/src/agent.rs`	141	7
M	`garcard/src/state.rs`	76	0

garcard-ipc/src/lib.rsmodified

      pub state: String,
      pub active_requests: usize,
      pub queued_requests: usize,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub last_action_id: Option<String>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub last_outcome: Option<String>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub last_retention_policy: Option<String>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub last_retention_enforced: Option<bool>,
+ }
  /// Resolve the daemon socket path from `XDG_RUNTIME_DIR` with `/tmp` fallback.

garcard/src/agent.rsmodified

  type Subject = (String, HashMap<String, OwnedValue>);
  type Details = HashMap<String, String>;
 +type TemporaryAuthorization = (String, String, Subject, u64, u64);
  const DEFAULT_AUTH_MAX_ATTEMPTS: usize = 3;
  const DEFAULT_IDENTITY_SELECTION_ATTEMPTS: usize = 3;
  const DEFAULT_RETENTION_SELECTION_ATTEMPTS: usize = 3;
          let max_attempts = auth_max_attempts();
          let username = match select_identity_for_request(request, prompts) {
              IdentitySelection::Selected(selected) => selected,
 -            IdentitySelection::Terminal(outcome) => return outcome,
 +            IdentitySelection::Terminal(outcome) => {
 +                return self.finalize_auth_attempt(request, outcome, None);
 +            }
          };
          let retention = match select_retention_for_request(request, prompts) {
              RetentionSelection::Selected(selected) => selected,
 -            RetentionSelection::Terminal(outcome) => return outcome,
 +            RetentionSelection::Terminal(outcome) => {
 +                return self.finalize_auth_attempt(request, outcome, None);
 +            }
          };
          tracing::info!(
              action_id = %request.action_id,
                      action_id = %request.action_id,
                      "Authentication request canceled before helper attempt"
                  );
 -                return HelperOutcome::Canceled;
 +                return self.finalize_auth_attempt(request, HelperOutcome::Canceled, Some(retention));
+             }
              tracing::info!(
                  context = %prompt_context,
                          action_id = %request.action_id,
                          "Authentication request canceled during helper attempt"
                      );
 -                    return HelperOutcome::Canceled;
 +                    return self.finalize_auth_attempt(
 +                        request,
 +                        HelperOutcome::Canceled,
 +                        Some(retention),
 +                    );
+                 }
                  Ok(HelperOutcome::Denied) if attempt < max_attempts => {
                      prompts.on_retry();
                      );
                      continue;
+                 }
 -                Ok(outcome) => return outcome,
 +                Ok(outcome) => {
 +                    return self.finalize_auth_attempt(request, outcome, Some(retention));
 +                }
                  Err(err) => {
                      tracing::warn!(
                          action_id = %request.action_id,
                          self.auth_state.set_phase(AuthPhase::PendingPrompt);
                          continue;
+                     }
 -                    return HelperOutcome::Denied;
 +                    return self.finalize_auth_attempt(
 +                        request,
 +                        HelperOutcome::Denied,
 +                        Some(retention),
 +                    );
 +                }
 +            }
 +        }
++
 +        self.finalize_auth_attempt(request, HelperOutcome::Denied, Some(retention))
 +    }
++
 +    fn finalize_auth_attempt(
 +        &self,
 +        request: &ActiveRequest,
 +        outcome: HelperOutcome,
 +        retention: Option<RetentionPolicy>,
 +    ) -> HelperOutcome {
 +        let retention_enforced = self.enforce_retention_policy(request, outcome, retention);
 +        self.auth_state.set_last_decision(
 +            request.action_id.clone(),
 +            helper_outcome_label(outcome),
 +            retention.map(|policy| policy.label().to_string()),
 +            retention_enforced,
 +        );
 +        outcome
+     }
++
 +    fn enforce_retention_policy(
 +        &self,
 +        request: &ActiveRequest,
 +        outcome: HelperOutcome,
 +        retention: Option<RetentionPolicy>,
 +    ) -> bool {
 +        if outcome != HelperOutcome::Authorized {
 +            return false;
 +        }
 +        let Some(retention) = retention else {
 +            return false;
 +        };
 +        if retention != RetentionPolicy::OneShot {
 +            return false;
+         }
 +        if request.retention_options.len() <= 1 {
 +            return false;
+         }
 -        HelperOutcome::Denied
 +        match revoke_temporary_authorizations_for_action(&request.action_id) {
 +            Ok(revoked) => {
 +                tracing::info!(
 +                    action_id = %request.action_id,
 +                    revoked_count = revoked,
 +                    "Applied one-shot retention policy by revoking temporary authorizations"
 +                );
 +                true
 +            }
 +            Err(err) => {
 +                tracing::warn!(
 +                    action_id = %request.action_id,
 +                    error = %err,
 +                    "Failed to enforce one-shot retention policy"
 +                );
 +                false
 +            }
 +        }
+     }
      fn complete_request(&self, cookie: &str, outcome: HelperOutcome) {
+     }
+ }
 +fn helper_outcome_label(outcome: HelperOutcome) -> &'static str {
 +    match outcome {
 +        HelperOutcome::Authorized => "success",
 +        HelperOutcome::Denied => "failure",
 +        HelperOutcome::Canceled => "canceled",
 +        HelperOutcome::Timeout => "timeout",
 +    }
 +}
++
 +fn revoke_temporary_authorizations_for_action(action_id: &str) -> Result<usize> {
 +    let connection = Connection::system().context("failed to connect to system bus")?;
 +    let subject = build_subject();
 +    let proxy = PolkitAgent::proxy(&connection)?;
 +    let authorizations: Vec<TemporaryAuthorization> =
 +        proxy.call("EnumerateTemporaryAuthorizations", &subject)?;
++
 +    let mut revoked = 0_usize;
 +    for (authorization_id, auth_action_id, _subject, _obtained, _expires) in authorizations {
 +        if auth_action_id != action_id {
 +            continue;
 +        }
++
 +        let _: () = proxy.call("RevokeTemporaryAuthorizationById", &authorization_id)?;
 +        revoked += 1;
 +    }
++
 +    Ok(revoked)
 +}
++
  fn render_prompt_context(request: &ActiveRequest) -> String {
      let mut lines = Vec::new();
      let message = request.message.trim();
          assert_eq!(parse_retention_selection("unknown", &options), None);
+     }
 +    #[test]
 +    fn helper_outcome_label_maps_outcomes() {
 +        assert_eq!(helper_outcome_label(HelperOutcome::Authorized), "success");
 +        assert_eq!(helper_outcome_label(HelperOutcome::Denied), "failure");
 +        assert_eq!(helper_outcome_label(HelperOutcome::Canceled), "canceled");
 +        assert_eq!(helper_outcome_label(HelperOutcome::Timeout), "timeout");
 +    }
++
      #[test]
      fn select_retention_for_request_uses_prompted_choice() {
          let request = ActiveRequest {
          ));
+     }
 +    #[test]
 +    fn finalize_auth_attempt_records_retention_in_auth_summary() {
 +        let auth_state = Arc::new(AuthState::default());
 +        let runtime = PolkitRuntime::new_without_worker(Arc::clone(&auth_state));
 +        let request = ActiveRequest {
 +            action_id: "org.gardesk.test".to_string(),
 +            message: "Authenticate".to_string(),
 +            icon_name: "dialog-password".to_string(),
 +            detail_count: 0,
 +            details: HashMap::new(),
 +            cookie: "cookie-finalize".to_string(),
 +            username: "operator".to_string(),
 +            identity_options: vec!["operator".to_string()],
 +            retention_options: vec![RetentionPolicy::OneShot],
 +        };
++
 +        let outcome =
 +            runtime.finalize_auth_attempt(&request, HelperOutcome::Denied, Some(RetentionPolicy::OneShot));
 +        assert_eq!(outcome, HelperOutcome::Denied);
++
 +        let summary = auth_state.summary();
 +        assert_eq!(summary.last_action_id.as_deref(), Some("org.gardesk.test"));
 +        assert_eq!(summary.last_outcome.as_deref(), Some("failure"));
 +        assert_eq!(summary.last_retention_policy.as_deref(), Some("one-shot"));
 +        assert_eq!(summary.last_retention_enforced, Some(false));
 +    }
++
      #[test]
      fn select_identity_for_request_uses_prompted_choice() {
          let request = ActiveRequest {

garcard/src/state.rsmodified

      current_phase: RwLock<AuthPhase>,
      active_requests: AtomicUsize,
      queued_requests: AtomicUsize,
 +    last_decision: RwLock<Option<AuthDecision>>,
+ }
  impl Default for AuthState {
              current_phase: RwLock::new(AuthPhase::Idle),
              active_requests: AtomicUsize::new(0),
              queued_requests: AtomicUsize::new(0),
 +            last_decision: RwLock::new(None),
+         }
+     }
+ }
 +#[derive(Debug, Clone)]
 +struct AuthDecision {
 +    action_id: String,
 +    outcome: String,
 +    retention_policy: Option<String>,
 +    retention_enforced: bool,
 +}
++
  impl AuthState {
      pub fn phase(&self) -> AuthPhase {
          self.current_phase
+     }
      pub fn summary(&self) -> AuthSummary {
 +        let (last_action_id, last_outcome, last_retention_policy, last_retention_enforced) = self
 +            .last_decision
 +            .read()
 +            .ok()
 +            .and_then(|decision| decision.clone())
 +            .map(|decision| {
 +                (
 +                    Some(decision.action_id),
 +                    Some(decision.outcome),
 +                    decision.retention_policy,
 +                    Some(decision.retention_enforced),
 +                )
 +            })
 +            .unwrap_or((None, None, None, None));
          AuthSummary {
              state: self.phase().to_string(),
              active_requests: self.active_requests.load(Ordering::Relaxed),
              queued_requests: self.queued_requests.load(Ordering::Relaxed),
 +            last_action_id,
 +            last_outcome,
 +            last_retention_policy,
 +            last_retention_enforced,
 +        }
 +    }
++
 +    pub fn set_last_decision(
 +        &self,
 +        action_id: impl Into<String>,
 +        outcome: impl Into<String>,
 +        retention_policy: Option<String>,
 +        retention_enforced: bool,
 +    ) {
 +        if let Ok(mut decision) = self.last_decision.write() {
 +            *decision = Some(AuthDecision {
 +                action_id: action_id.into(),
 +                outcome: outcome.into(),
 +                retention_policy,
 +                retention_enforced,
 +            });
 +        }
 +    }
++
 +    pub fn clear_last_decision(&self) {
 +        if let Ok(mut decision) = self.last_decision.write() {
 +            *decision = None;
+         }
+     }
+ }
          auth.set_phase(AuthPhase::Idle);
          auth.set_active_requests(0);
          auth.set_queued_requests(0);
 +        auth.clear_last_decision();
          Self {
              started_at: Instant::now(),
              pid: std::process::id(),
          assert_eq!(summary.state, "idle");
          assert_eq!(summary.active_requests, 0);
          assert_eq!(summary.queued_requests, 0);
 +        assert!(summary.last_action_id.is_none());
 +        assert!(summary.last_outcome.is_none());
 +        assert!(summary.last_retention_policy.is_none());
 +        assert!(summary.last_retention_enforced.is_none());
+     }
      #[test]
          assert_eq!(summary.queued_requests, 3);
+     }
 +    #[test]
 +    fn auth_state_records_last_decision_context() {
 +        let state = AuthState::default();
 +        state.set_last_decision(
 +            "com.gardesk.install",
 +            "success",
 +            Some("one-shot".to_string()),
 +            true,
 +        );
++
 +        let summary = state.summary();
 +        assert_eq!(
 +            summary.last_action_id.as_deref(),
 +            Some("com.gardesk.install")
 +        );
 +        assert_eq!(summary.last_outcome.as_deref(), Some("success"));
 +        assert_eq!(summary.last_retention_policy.as_deref(), Some("one-shot"));
 +        assert_eq!(summary.last_retention_enforced, Some(true));
 +    }
++
      #[test]
      fn auth_phase_transition_rules_are_enforced() {
          let state = AuthState::default();