`517f24c`

process auth queue via polkit helper

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 months ago

SHA: 517f24c7914bfe6e8291c15306a73cd51a58a85a
Parents: 81f4555
Tree: 559dc1d

7 changed files

Status	File	+	-
M	`README.md`	5	0
M	`garcard/src/agent.rs`	245	6
M	`garcard/src/daemon.rs`	10	6
M	`garcard/src/main.rs`	1	0
M	`garcard/src/polkit_helper.rs`	8	2
A	`garcard/src/prompt.rs`	110	0
M	`garcard/src/state.rs`	20	30

README.mdmodified

 . `GARCARD_AGENT_BACKEND`
 . `GARCARD_POLKIT_OBJECT_PATH`
 . `GARCARD_LOCALE`
++7. `GARCARD_POLKIT_HELPER_SOCKET`
++8. `GARCARD_PROMPT_COMMAND`
  See `examples/config.toml` for a starter file.
++
++`GARCARD_PROMPT_COMMAND` is optional. If unset, `garcard` falls back to
++`systemd-ask-password` for prompt interaction.

garcard/src/agent.rsmodified

++use crate::polkit_helper::{DEFAULT_HELPER_SOCKET, HelperOutcome, HelperSocketClient};
++use crate::prompt::CommandPrompt;
  use crate::state::{AuthPhase, AuthQueue, AuthState, QueueInsert};
  use anyhow::{Context, Result};
  use std::collections::HashMap;
++use std::path::PathBuf;
++use std::sync::atomic::{AtomicBool, Ordering};
  use std::sync::{Arc, Mutex};
++use std::thread;
  use zbus::blocking::{Connection, Proxy};
  use zbus::fdo;
  use zbus::zvariant::{OwnedObjectPath, OwnedValue};
      identities: Vec<Subject>,
+ }
++#[derive(Debug, Clone)]
++struct ActiveRequest {
++    action_id: String,
++    message: String,
++    icon_name: String,
++    detail_count: usize,
++    cookie: String,
++    username: String,
++}
++
  #[derive(Debug)]
  struct PolkitRuntime {
      auth_state: Arc<AuthState>,
      queue: Mutex<AuthQueue<AuthRequest>>,
++    helper_client: HelperSocketClient,
++    processing: AtomicBool,
++    worker_enabled: bool,
+ }
  impl PolkitRuntime {
      fn new(auth_state: Arc<AuthState>) -> Self {
++        Self::new_with_worker(auth_state, true)
++    }
++
++    #[cfg(test)]
++    fn new_without_worker(auth_state: Arc<AuthState>) -> Self {
++        Self::new_with_worker(auth_state, false)
++    }
++
++    fn new_with_worker(auth_state: Arc<AuthState>, worker_enabled: bool) -> Self {
++        let helper_socket = std::env::var_os("GARCARD_POLKIT_HELPER_SOCKET")
++            .map(PathBuf::from)
++            .unwrap_or_else(|| PathBuf::from(DEFAULT_HELPER_SOCKET));
          Self {
              auth_state,
              queue: Mutex::new(AuthQueue::default()),
++            helper_client: HelperSocketClient::new(helper_socket),
++            processing: AtomicBool::new(false),
++            worker_enabled,
+         }
+     }
--    fn begin_authentication(&self, request: AuthRequest) -> Result<QueueInsert> {
++    fn begin_authentication(self: &Arc<Self>, request: AuthRequest) -> Result<QueueInsert> {
          let (insert, active, queued) = {
              let mut queue = self
                  .queue
              self.auth_state.set_phase(AuthPhase::PendingPrompt);
+         }
++        if self.worker_enabled && active > 0 {
++            self.ensure_worker();
++        }
++
          Ok(insert)
+     }
--    fn cancel_authentication(&self, cookie: &str) -> Result<bool> {
++    fn cancel_authentication(self: &Arc<Self>, cookie: &str) -> Result<bool> {
          let (canceled_active, removed_queued, active, queued) = {
              let mut queue = self
                  .queue
              } else {
                  self.auth_state.set_phase(AuthPhase::Canceled);
+             }
++            if self.worker_enabled && active > 0 {
++                self.ensure_worker();
++            }
              return Ok(true);
+         }
          Ok(false)
+     }
++    fn ensure_worker(self: &Arc<Self>) {
++        if self.processing.swap(true, Ordering::AcqRel) {
++            return;
++        }
++
++        let runtime = Arc::clone(self);
++        let spawn_result = thread::Builder::new()
++            .name("garcard-auth-worker".to_string())
++            .spawn(move || runtime.process_loop());
++        if let Err(err) = spawn_result {
++            self.processing.store(false, Ordering::Release);
++            tracing::error!(error = %err, "Failed to spawn garcard auth worker");
++        }
++    }
++
++    fn process_loop(self: Arc<Self>) {
++        loop {
++            let Some(active) = self.active_request_snapshot() else {
++                break;
++            };
++
++            self.auth_state.set_phase(AuthPhase::Verifying);
++            tracing::info!(
++                action_id = %active.action_id,
++                icon_name = %active.icon_name,
++                detail_count = active.detail_count,
++                "Processing polkit auth request"
++            );
++
++            let outcome = self.authenticate_active_request(&active);
++            self.complete_request(&active.cookie, outcome);
++        }
++
++        self.processing.store(false, Ordering::Release);
++        if self.has_active_request() {
++            self.ensure_worker();
++        }
++    }
++
++    fn has_active_request(&self) -> bool {
++        self.queue
++            .lock()
++            .map(|queue| queue.active().is_some())
++            .unwrap_or(false)
++    }
++
++    fn active_request_snapshot(&self) -> Option<ActiveRequest> {
++        let queue = self.queue.lock().ok()?;
++        let request = queue.active()?;
++
++        let username = resolve_identity_username(&request.identities)
++            .or_else(current_username)
++            .or_else(|| std::env::var("USER").ok())
++            .unwrap_or_else(|| "unknown".to_string());
++
++        Some(ActiveRequest {
++            action_id: request.action_id.clone(),
++            message: request.message.clone(),
++            icon_name: request.icon_name.clone(),
++            detail_count: request.details.len(),
++            cookie: request.cookie.clone(),
++            username,
++        })
++    }
++
++    fn authenticate_active_request(&self, request: &ActiveRequest) -> HelperOutcome {
++        let mut prompts = CommandPrompt::default();
++        let prompt_context = if request.message.is_empty() {
++            request.action_id.as_str()
++        } else {
++            request.message.as_str()
++        };
++        tracing::info!(context = %prompt_context, "Starting helper authentication dialog");
++
++        match self
++            .helper_client
++            .authenticate(&request.username, &request.cookie, &mut prompts)
++        {
++            Ok(outcome) => outcome,
++            Err(err) => {
++                tracing::warn!(
++                    action_id = %request.action_id,
++                    error = %err,
++                    "Polkit helper authentication failed"
++                );
++                HelperOutcome::Denied
++            }
++        }
++    }
++
++    fn complete_request(&self, cookie: &str, outcome: HelperOutcome) {
++        let (removed, active, queued) = {
++            let mut queue = match self.queue.lock() {
++                Ok(queue) => queue,
++                Err(_) => {
++                    tracing::error!("auth request queue lock poisoned");
++                    return;
++                }
++            };
++            let removed = queue
++                .complete_active_if(|request| request.cookie == cookie)
++                .is_some();
++            let (active, queued) = queue.counts();
++            (removed, active, queued)
++        };
++
++        self.auth_state.sync_queue_counts(active, queued);
++        if !removed {
++            if active == 0 && queued == 0 && self.auth_state.phase() == AuthPhase::Verifying {
++                self.auth_state.set_phase(AuthPhase::Idle);
++            }
++            return;
++        }
++
++        if active > 0 {
++            self.auth_state.set_phase(AuthPhase::PendingPrompt);
++            return;
++        }
++
++        let phase = match outcome {
++            HelperOutcome::Authorized => AuthPhase::Success,
++            HelperOutcome::Denied => AuthPhase::Failure,
++            HelperOutcome::Canceled => AuthPhase::Canceled,
++        };
++        self.auth_state.set_phase(phase);
++    }
++
      fn reset(&self) {
          if let Ok(mut queue) = self.queue.lock() {
              queue.clear();
+         }
++        self.processing.store(false, Ordering::Release);
          self.auth_state.set_phase(AuthPhase::Idle);
          self.auth_state.sync_queue_counts(0, 0);
+     }
+ }
++fn resolve_identity_username(identities: &[Subject]) -> Option<String> {
++    for (kind, details) in identities {
++        if kind != "unix-user" {
++            continue;
++        }
++
++        if let Some(value) = details.get("name") {
++            if let Ok(name) = <&str>::try_from(value) {
++                return Some(name.to_string());
++            }
++        }
++
++        if let Some(uid) = details.get("uid").and_then(parse_uid) {
++            if let Some(name) = username_for_uid(uid) {
++                return Some(name);
++            }
++        }
++    }
++
++    None
++}
++
++fn parse_uid(value: &OwnedValue) -> Option<u32> {
++    if let Ok(uid) = u32::try_from(value) {
++        return Some(uid);
++    }
++    if let Ok(uid) = u64::try_from(value) {
++        return u32::try_from(uid).ok();
++    }
++    if let Ok(uid) = i32::try_from(value) {
++        return u32::try_from(uid).ok();
++    }
++
++    None
++}
++
++fn username_for_uid(uid: u32) -> Option<String> {
++    nix::unistd::User::from_uid(nix::unistd::Uid::from_raw(uid))
++        .ok()
++        .flatten()
++        .map(|user| user.name)
++}
++
++fn current_username() -> Option<String> {
++    username_for_uid(nix::unistd::geteuid().as_raw())
++}
++
  #[derive(Debug, Clone)]
  struct PolkitAuthAgentObject {
      runtime: Arc<PolkitRuntime>,
          cookie: &str,
          identities: Vec<Subject>,
      ) -> fdo::Result<()> {
++        let detail_count = details.len();
++        let identity_count = identities.len();
          let request = AuthRequest {
              action_id: action_id.to_string(),
              message: message.to_string(),
          match queue_insert {
              QueueInsert::Activated => {
--                tracing::info!(action_id = %action_id, "Started active polkit auth request");
++                tracing::info!(
++                    action_id = %action_id,
++                    icon_name = %icon_name,
++                    detail_count,
++                    identity_count,
++                    "Started active polkit auth request"
++                );
+             }
              QueueInsert::Queued { position } => {
                  tracing::info!(
                      action_id = %action_id,
++                    icon_name = %icon_name,
++                    detail_count,
++                    identity_count,
                      queue_position = position,
                      "Queued polkit auth request"
                  );
      #[test]
      fn runtime_begin_authentication_updates_state_and_counts() {
          let auth_state = Arc::new(AuthState::default());
--        let runtime = PolkitRuntime::new(Arc::clone(&auth_state));
++        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));
          let insert = runtime
              .begin_authentication(fake_request("cookie-1"))
      #[test]
      fn runtime_cancel_authentication_drops_active_request() {
          let auth_state = Arc::new(AuthState::default());
--        let runtime = PolkitRuntime::new(Arc::clone(&auth_state));
++        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));
          runtime
              .begin_authentication(fake_request("cookie-1"))
              .expect("begin");
      #[test]
      fn runtime_cancel_authentication_removes_queued_request() {
          let auth_state = Arc::new(AuthState::default());
--        let runtime = PolkitRuntime::new(Arc::clone(&auth_state));
++        let runtime = Arc::new(PolkitRuntime::new_without_worker(Arc::clone(&auth_state)));
          runtime
              .begin_authentication(fake_request("cookie-1"))
              .expect("begin first");
          assert_eq!(auth_state.summary().active_requests, 1);
          assert_eq!(auth_state.summary().queued_requests, 0);
+     }
++
++    #[test]
++    fn resolve_identity_username_uses_uid_detail() {
++        let mut details = HashMap::new();
++        details.insert(
++            "uid".to_string(),
++            OwnedValue::from(nix::unistd::geteuid().as_raw()),
++        );
++        let identities = vec![("unix-user".to_string(), details)];
++
++        let resolved = resolve_identity_username(&identities);
++        assert_eq!(resolved, current_username());
++    }
+ }

garcard/src/daemon.rsmodified

              Ok(backend)
+         }
          AgentBackendMode::Polkit => {
--            let mut backend: Box<dyn AuthAgentBackend> =
++            let mut backend: Box<dyn AuthAgentBackend> = Box::new(PolkitAgent::new(
--                Box::new(PolkitAgent::new(PolkitBackendConfig {
++                PolkitBackendConfig {
                      object_path: config.polkit_object_path.clone(),
                      locale: config.locale.clone(),
--                }, Arc::clone(&auth_state))?);
++                },
++                Arc::clone(&auth_state),
++            )?);
              backend.register()?;
              Ok(backend)
+         }
          AgentBackendMode::Auto => {
              let attempt = (|| -> Result<Box<dyn AuthAgentBackend>> {
--                let mut backend: Box<dyn AuthAgentBackend> =
++                let mut backend: Box<dyn AuthAgentBackend> = Box::new(PolkitAgent::new(
--                    Box::new(PolkitAgent::new(PolkitBackendConfig {
++                    PolkitBackendConfig {
                          object_path: config.polkit_object_path.clone(),
                          locale: config.locale.clone(),
--                    }, Arc::clone(&auth_state))?);
++                    },
++                    Arc::clone(&auth_state),
++                )?);
                  backend.register()?;
                  Ok(backend)
              })();

garcard/src/main.rsmodified


 mod config;
 mod daemon;
 mod polkit_helper;
+mod prompt;
 mod state;
 
 use anyhow::Result;

garcard/src/polkit_helper.rsmodified

              match parse_helper_line(&line)? {
                  HelperEvent::PromptHidden(prompt) => {
--                    match prompts.prompt_secret(&prompt).context("prompt handler failed")? {
++                    match prompts
++                        .prompt_secret(&prompt)
++                        .context("prompt handler failed")?
++                    {
                          Some(response) => write_line(&mut stream, &sanitize_response(&response))
                              .context("failed to send helper secret response")?,
                          None => return Ok(HelperOutcome::Canceled),
+                     }
+                 }
                  HelperEvent::PromptVisible(prompt) => {
--                    match prompts.prompt_plain(&prompt).context("prompt handler failed")? {
++                    match prompts
++                        .prompt_plain(&prompt)
++                        .context("prompt handler failed")?
++                    {
                          Some(response) => write_line(&mut stream, &sanitize_response(&response))
                              .context("failed to send helper visible response")?,
                          None => return Ok(HelperOutcome::Canceled),

garcard/src/prompt.rsadded

++use crate::polkit_helper::PromptProvider;
++use anyhow::{Context, Result};
++use std::process::Command;
++
++const DEFAULT_ASK_TIMEOUT_SECS: u64 = 120;
++
++#[derive(Debug, Clone)]
++pub struct CommandPrompt {
++    prompt_command: Option<String>,
++}
++
++impl Default for CommandPrompt {
++    fn default() -> Self {
++        Self {
++            prompt_command: std::env::var("GARCARD_PROMPT_COMMAND").ok(),
++        }
++    }
++}
++
++impl CommandPrompt {
++    fn run_prompt(&self, prompt: &str, visible: bool) -> Result<Option<String>> {
++        if let Some(command) = self.prompt_command.as_deref() {
++            return run_custom_prompt_command(command, prompt, visible);
++        }
++
++        run_systemd_ask_password(prompt, visible)
++    }
++}
++
++impl PromptProvider for CommandPrompt {
++    fn prompt_secret(&mut self, prompt: &str) -> Result<Option<String>> {
++        self.run_prompt(prompt, false)
++    }
++
++    fn prompt_plain(&mut self, prompt: &str) -> Result<Option<String>> {
++        self.run_prompt(prompt, true)
++    }
++
++    fn show_error(&mut self, message: &str) -> Result<()> {
++        tracing::warn!("polkit helper message: {}", message);
++        Ok(())
++    }
++
++    fn show_info(&mut self, message: &str) -> Result<()> {
++        tracing::info!("polkit helper message: {}", message);
++        Ok(())
++    }
++}
++
++fn run_custom_prompt_command(command: &str, prompt: &str, visible: bool) -> Result<Option<String>> {
++    let mode = if visible { "plain" } else { "secret" };
++    let output = Command::new("sh")
++        .arg("-c")
++        .arg(command)
++        .env("GARCARD_PROMPT", prompt)
++        .env("GARCARD_PROMPT_MODE", mode)
++        .output()
++        .with_context(|| format!("failed to run custom prompt command: {}", command))?;
++
++    if !output.status.success() {
++        return Ok(None);
++    }
++
++    Ok(extract_response(&output.stdout))
++}
++
++fn run_systemd_ask_password(prompt: &str, visible: bool) -> Result<Option<String>> {
++    let mut command = Command::new("systemd-ask-password");
++    command.arg("--user");
++    command.arg("--no-tty");
++    command.arg(format!("--timeout={}", DEFAULT_ASK_TIMEOUT_SECS));
++    if visible {
++        command.arg("--echo=yes");
++    }
++    command.arg(prompt);
++
++    let output = command
++        .output()
++        .context("failed to run systemd-ask-password")?;
++    if !output.status.success() {
++        return Ok(None);
++    }
++
++    Ok(extract_response(&output.stdout))
++}
++
++fn extract_response(stdout: &[u8]) -> Option<String> {
++    let response = String::from_utf8_lossy(stdout).trim().to_string();
++    if response.is_empty() {
++        None
++    } else {
++        Some(response)
++    }
++}
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++
++    #[test]
++    fn extract_response_trims_whitespace() {
++        let response = extract_response(b"  hello world \n");
++        assert_eq!(response.as_deref(), Some("hello world"));
++    }
++
++    #[test]
++    fn extract_response_rejects_empty_value() {
++        assert_eq!(extract_response(b" \n\t"), None);
++    }
++}

garcard/src/state.rsmodified

  use std::time::Instant;
  /// Typed phases for auth flow transitions.
++#[allow(dead_code)]
  #[derive(Debug, Clone, Copy, PartialEq, Eq)]
  pub enum AuthPhase {
      Idle,
              Self::Timeout => "timeout",
+         }
+     }
--
--    pub fn from_label(raw: &str) -> Option<Self> {
--        match raw.trim().to_ascii_lowercase().as_str() {
--            "idle" => Some(Self::Idle),
--            "pending" | "pending_prompt" | "pending-prompt" | "pending prompt" => {
--                Some(Self::PendingPrompt)
--            }
--            "verifying" => Some(Self::Verifying),
--            "success" => Some(Self::Success),
--            "failure" | "failed" => Some(Self::Failure),
--            "canceled" | "cancelled" => Some(Self::Canceled),
--            "timeout" | "timed_out" => Some(Self::Timeout),
--            _ => None,
--        }
--    }
+ }
  impl fmt::Display for AuthPhase {
  impl AuthState {
      pub fn phase(&self) -> AuthPhase {
--        self.current_phase.read().map(|phase| *phase).unwrap_or(AuthPhase::Idle)
++        self.current_phase
++            .read()
++            .map(|phase| *phase)
++            .unwrap_or(AuthPhase::Idle)
+     }
      pub fn set_phase(&self, next: AuthPhase) {
          false
+     }
--    pub fn set_state(&self, next: impl AsRef<str>) {
--        if let Some(phase) = AuthPhase::from_label(next.as_ref()) {
--            self.set_phase(phase);
--        }
--    }
--
      pub fn set_active_requests(&self, count: usize) {
          self.active_requests.store(count, Ordering::Relaxed);
+     }
          self.active.as_ref()
+     }
--    pub fn active_mut(&mut self) -> Option<&mut T> {
++    pub fn take_active_if<F>(&mut self, mut predicate: F) -> Option<T>
--        self.active.as_mut()
++    where
++        F: FnMut(&T) -> bool,
++    {
++        if self.active.as_ref().is_some_and(&mut predicate) {
++            return self.complete_active();
++        }
++
++        None
+     }
--    pub fn take_active_if<F>(&mut self, mut predicate: F) -> Option<T>
++    pub fn complete_active_if<F>(&mut self, mut predicate: F) -> Option<T>
      where
          F: FnMut(&T) -> bool,
+     {
          finished
+     }
--    pub fn cancel_active(&mut self) -> Option<T> {
--        self.complete_active()
--    }
--
      pub fn active_len(&self) -> usize {
          usize::from(self.active.is_some())
+     }
          Self::with_auth(socket_path, backend_name, Arc::new(AuthState::default()))
+     }
--    pub fn with_auth(socket_path: String, backend_name: &'static str, auth: Arc<AuthState>) -> Self {
++    pub fn with_auth(
++        socket_path: String,
++        backend_name: &'static str,
++        auth: Arc<AuthState>,
++    ) -> Self {
          auth.set_phase(AuthPhase::Idle);
          auth.set_active_requests(0);
          auth.set_queued_requests(0);

`@@ -2,6 +2,7 @@` mod agent;
2	mod config;	2	mod config;
3	mod daemon;	3	mod daemon;
4	mod polkit_helper;	4	mod polkit_helper;
		5	+mod prompt;
5	mod state;	6	mod state;
6		7
7	use anyhow::Result;	8	use anyhow::Result;