gardesk/garcard / 517f24c

+7. `GARCARD_POLKIT_HELPER_SOCKET`

+8. `GARCARD_PROMPT_COMMAND`

+

+`GARCARD_PROMPT_COMMAND` is optional. If unset, `garcard` falls back to

+`systemd-ask-password` for prompt interaction.

+use crate::polkit_helper::{DEFAULT_HELPER_SOCKET, HelperOutcome, HelperSocketClient};

+use crate::prompt::CommandPrompt;

+use std::path::PathBuf;

+use std::sync::atomic::{AtomicBool, Ordering};

+use std::thread;

+#[derive(Debug, Clone)]

+struct ActiveRequest {

+    action_id: String,

+    message: String,

+    icon_name: String,

+    detail_count: usize,

+    cookie: String,

+    username: String,

+}

+

+    helper_client: HelperSocketClient,

+    processing: AtomicBool,

+    worker_enabled: bool,

+        Self::new_with_worker(auth_state, true)

+    }

+

+    #[cfg(test)]

+    fn new_without_worker(auth_state: Arc<AuthState>) -> Self {

+        Self::new_with_worker(auth_state, false)

+    }

+

+    fn new_with_worker(auth_state: Arc<AuthState>, worker_enabled: bool) -> Self {

+        let helper_socket = std::env::var_os("GARCARD_POLKIT_HELPER_SOCKET")

+            .map(PathBuf::from)

+            .unwrap_or_else(|| PathBuf::from(DEFAULT_HELPER_SOCKET));

+            helper_client: HelperSocketClient::new(helper_socket),

+            processing: AtomicBool::new(false),

+            worker_enabled,

+    fn begin_authentication(self: &Arc<Self>, request: AuthRequest) -> Result<QueueInsert> {

+        if self.worker_enabled && active > 0 {

+            self.ensure_worker();

+        }

+

+    fn cancel_authentication(self: &Arc<Self>, cookie: &str) -> Result<bool> {

+            if self.worker_enabled && active > 0 {

+                self.ensure_worker();

+            }

+    fn ensure_worker(self: &Arc<Self>) {

+        if self.processing.swap(true, Ordering::AcqRel) {

+            return;

+        }

+

+        let runtime = Arc::clone(self);

+        let spawn_result = thread::Builder::new()

+            .name("garcard-auth-worker".to_string())

+            .spawn(move || runtime.process_loop());

+        if let Err(err) = spawn_result {

+            self.processing.store(false, Ordering::Release);

+            tracing::error!(error = %err, "Failed to spawn garcard auth worker");

+        }

+    }

+

+    fn process_loop(self: Arc<Self>) {

+        loop {

+            let Some(active) = self.active_request_snapshot() else {

+                break;

+            };

+

+            self.auth_state.set_phase(AuthPhase::Verifying);

+            tracing::info!(

+                action_id = %active.action_id,

+                icon_name = %active.icon_name,

+                detail_count = active.detail_count,

+                "Processing polkit auth request"

+            );

+

+            let outcome = self.authenticate_active_request(&active);

+            self.complete_request(&active.cookie, outcome);

+        }

+

+        self.processing.store(false, Ordering::Release);

+        if self.has_active_request() {

+            self.ensure_worker();

+        }

+    }

+

+    fn has_active_request(&self) -> bool {

+        self.queue

+            .lock()

+            .map(|queue| queue.active().is_some())

+            .unwrap_or(false)

+    }

+

+    fn active_request_snapshot(&self) -> Option<ActiveRequest> {

+        let queue = self.queue.lock().ok()?;

+        let request = queue.active()?;

+

+        let username = resolve_identity_username(&request.identities)

+            .or_else(current_username)

+            .or_else(|| std::env::var("USER").ok())

+            .unwrap_or_else(|| "unknown".to_string());

+

+        Some(ActiveRequest {

+            action_id: request.action_id.clone(),

+            message: request.message.clone(),

+            icon_name: request.icon_name.clone(),

+            detail_count: request.details.len(),

+            cookie: request.cookie.clone(),

+            username,

+        })

+    }

+

+    fn authenticate_active_request(&self, request: &ActiveRequest) -> HelperOutcome {

+        let mut prompts = CommandPrompt::default();

+        let prompt_context = if request.message.is_empty() {

+            request.action_id.as_str()

+        } else {

+            request.message.as_str()

+        };

+        tracing::info!(context = %prompt_context, "Starting helper authentication dialog");

+

+        match self

+            .helper_client

+            .authenticate(&request.username, &request.cookie, &mut prompts)

+        {

+            Ok(outcome) => outcome,

+            Err(err) => {

+                tracing::warn!(

+                    action_id = %request.action_id,

+                    error = %err,

+                    "Polkit helper authentication failed"

+                );

+                HelperOutcome::Denied

+            }

+        }

+    }

+

+    fn complete_request(&self, cookie: &str, outcome: HelperOutcome) {

+        let (removed, active, queued) = {

+            let mut queue = match self.queue.lock() {

+                Ok(queue) => queue,

+                Err(_) => {

+                    tracing::error!("auth request queue lock poisoned");

+                    return;

+                }

+            };

+            let removed = queue

+                .complete_active_if(|request| request.cookie == cookie)

+                .is_some();

+            let (active, queued) = queue.counts();

+            (removed, active, queued)

+        };

+

+        self.auth_state.sync_queue_counts(active, queued);

+        if !removed {

+            if active == 0 && queued == 0 && self.auth_state.phase() == AuthPhase::Verifying {

+                self.auth_state.set_phase(AuthPhase::Idle);

+            }

+            return;

+        }

+

+        if active > 0 {

+            self.auth_state.set_phase(AuthPhase::PendingPrompt);

+            return;

+        }

+

+        let phase = match outcome {

+            HelperOutcome::Authorized => AuthPhase::Success,

+            HelperOutcome::Denied => AuthPhase::Failure,

+            HelperOutcome::Canceled => AuthPhase::Canceled,

+        };

+        self.auth_state.set_phase(phase);

+    }

+

+        self.processing.store(false, Ordering::Release);

+fn resolve_identity_username(identities: &[Subject]) -> Option<String> {

+    for (kind, details) in identities {

+        if kind != "unix-user" {

+            continue;

+        }

+

+        if let Some(value) = details.get("name") {

+            if let Ok(name) = <&str>::try_from(value) {

+                return Some(name.to_string());

+            }

+        }

+

+        if let Some(uid) = details.get("uid").and_then(parse_uid) {

+            if let Some(name) = username_for_uid(uid) {

+                return Some(name);

+            }

+        }

+    }

+

+    None

+}

+

+fn parse_uid(value: &OwnedValue) -> Option<u32> {

+    if let Ok(uid) = u32::try_from(value) {

+        return Some(uid);

+    }

+    if let Ok(uid) = u64::try_from(value) {

+        return u32::try_from(uid).ok();

+    }

+    if let Ok(uid) = i32::try_from(value) {

+        return u32::try_from(uid).ok();

+    }

+

+    None

+}

+

+fn username_for_uid(uid: u32) -> Option<String> {

+    nix::unistd::User::from_uid(nix::unistd::Uid::from_raw(uid))

+        .ok()

+        .flatten()

+        .map(|user| user.name)

+}

+

+fn current_username() -> Option<String> {

+    username_for_uid(nix::unistd::geteuid().as_raw())

+}

+

+        let detail_count = details.len();

+        let identity_count = identities.len();

+                tracing::info!(

+                    action_id = %action_id,

+                    icon_name = %icon_name,

+                    detail_count,

+                    identity_count,

+                    "Started active polkit auth request"

+                );

+                    icon_name = %icon_name,

+                    detail_count,

+                    identity_count,

+        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));

+        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));

+        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));

+

+    #[test]

+    fn resolve_identity_username_uses_uid_detail() {

+        let mut details = HashMap::new();

+        details.insert(

+            "uid".to_string(),

+            OwnedValue::from(nix::unistd::geteuid().as_raw()),

+        );

+        let identities = vec![("unix-user".to_string(), details)];

+

+        let resolved = resolve_identity_username(&identities);

+        assert_eq!(resolved, current_username());

+    }

+            let mut backend: Box<dyn AuthAgentBackend> = Box::new(PolkitAgent::new(

+                PolkitBackendConfig {

+                },

+                Arc::clone(&auth_state),

+            )?);

+                let mut backend: Box<dyn AuthAgentBackend> = Box::new(PolkitAgent::new(

+                    PolkitBackendConfig {

+                    },

+                    Arc::clone(&auth_state),

+                )?);

+mod prompt;

+                    match prompts

+                        .prompt_secret(&prompt)

+                        .context("prompt handler failed")?

+                    {

+                    match prompts

+                        .prompt_plain(&prompt)

+                        .context("prompt handler failed")?

+                    {

+use crate::polkit_helper::PromptProvider;

+use anyhow::{Context, Result};

+use std::process::Command;

+

+const DEFAULT_ASK_TIMEOUT_SECS: u64 = 120;

+

+#[derive(Debug, Clone)]

+pub struct CommandPrompt {

+    prompt_command: Option<String>,

+}

+

+impl Default for CommandPrompt {

+    fn default() -> Self {

+        Self {

+            prompt_command: std::env::var("GARCARD_PROMPT_COMMAND").ok(),

+        }

+    }

+}

+

+impl CommandPrompt {

+    fn run_prompt(&self, prompt: &str, visible: bool) -> Result<Option<String>> {

+        if let Some(command) = self.prompt_command.as_deref() {

+            return run_custom_prompt_command(command, prompt, visible);

+        }

+

+        run_systemd_ask_password(prompt, visible)

+    }

+}

+

+impl PromptProvider for CommandPrompt {

+    fn prompt_secret(&mut self, prompt: &str) -> Result<Option<String>> {

+        self.run_prompt(prompt, false)

+    }

+

+    fn prompt_plain(&mut self, prompt: &str) -> Result<Option<String>> {

+        self.run_prompt(prompt, true)

+    }

+

+    fn show_error(&mut self, message: &str) -> Result<()> {

+        tracing::warn!("polkit helper message: {}", message);

+        Ok(())

+    }

+

+    fn show_info(&mut self, message: &str) -> Result<()> {

+        tracing::info!("polkit helper message: {}", message);

+        Ok(())

+    }

+}

+

+fn run_custom_prompt_command(command: &str, prompt: &str, visible: bool) -> Result<Option<String>> {

+    let mode = if visible { "plain" } else { "secret" };

+    let output = Command::new("sh")

+        .arg("-c")

+        .arg(command)

+        .env("GARCARD_PROMPT", prompt)

+        .env("GARCARD_PROMPT_MODE", mode)

+        .output()

+        .with_context(|| format!("failed to run custom prompt command: {}", command))?;

+

+    if !output.status.success() {

+        return Ok(None);

+    }

+

+    Ok(extract_response(&output.stdout))

+}

+

+fn run_systemd_ask_password(prompt: &str, visible: bool) -> Result<Option<String>> {

+    let mut command = Command::new("systemd-ask-password");

+    command.arg("--user");

+    command.arg("--no-tty");

+    command.arg(format!("--timeout={}", DEFAULT_ASK_TIMEOUT_SECS));

+    if visible {

+        command.arg("--echo=yes");

+    }

+    command.arg(prompt);

+

+    let output = command

+        .output()

+        .context("failed to run systemd-ask-password")?;

+    if !output.status.success() {

+        return Ok(None);

+    }

+

+    Ok(extract_response(&output.stdout))

+}

+

+fn extract_response(stdout: &[u8]) -> Option<String> {

+    let response = String::from_utf8_lossy(stdout).trim().to_string();

+    if response.is_empty() {

+        None

+    } else {

+        Some(response)

+    }

+}

+

+#[cfg(test)]

+mod tests {

+    use super::*;

+

+    #[test]

+    fn extract_response_trims_whitespace() {

+        let response = extract_response(b"  hello world \n");

+        assert_eq!(response.as_deref(), Some("hello world"));

+    }

+

+    #[test]

+    fn extract_response_rejects_empty_value() {

+        assert_eq!(extract_response(b" \n\t"), None);

+    }

+}

+#[allow(dead_code)]

+        self.current_phase

+            .read()

+            .map(|phase| *phase)

+            .unwrap_or(AuthPhase::Idle)

+    pub fn take_active_if<F>(&mut self, mut predicate: F) -> Option<T>

+    where

+        F: FnMut(&T) -> bool,

+    {

+        if self.active.as_ref().is_some_and(&mut predicate) {

+            return self.complete_active();

+        }

+

+        None

+    pub fn complete_active_if<F>(&mut self, mut predicate: F) -> Option<T>

+    pub fn with_auth(

+        socket_path: String,

+        backend_name: &'static str,

+        auth: Arc<AuthState>,

+    ) -> Self {