`9d3a589`

Add diagnostics command and remediation hints

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 months ago

SHA: 9d3a5897e691a1c3bd06d71cd49b8d141bd75830
Parents: 202a73b
Tree: f26a15c

4 changed files

Status	File	+	-
M	`garcard-ipc/src/lib.rs`	9	0
M	`garcard/src/agent.rs`	167	22
M	`garcard/src/daemon.rs`	119	2
M	`garcardctl/src/main.rs`	2	0

garcard-ipc/src/lib.rsmodified

  pub enum Command {
      Ping,
      Status,
 +    Diagnose,
      Version,
      AuthSummary,
      TempList,
          assert!(matches!(decoded, Command::AuthSummary));
+     }
 +    #[test]
 +    fn command_round_trip_diagnose() {
 +        let cmd = Command::Diagnose;
 +        let encoded = serde_json::to_string(&cmd).expect("encode command");
 +        let decoded: Command = serde_json::from_str(&encoded).expect("decode command");
 +        assert!(matches!(decoded, Command::Diagnose));
 +    }
++
      #[test]
      fn socket_path_falls_back_to_tmp() {
          let path = socket_path_from_runtime_dir(None);

garcard/src/agent.rsmodified

      pub expires_at_unix: u64,
      pub expires_in_secs: u64,
+ }
++
 +#[derive(Debug, Clone, serde::Serialize)]
 +pub struct SubjectResolution {
 +    pub kind: String,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub session_id: Option<String>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub pid: Option<u32>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub uid: Option<u32>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub start_time_ticks: Option<u64>,
 +    pub has_start_time: bool,
 +}
++
 +#[derive(Debug, Clone, serde::Serialize)]
 +pub struct AuthorityDiagnostics {
 +    pub authority_connected: bool,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub authority_error: Option<String>,
 +    pub subject: SubjectResolution,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub temporary_authorization_count: Option<usize>,
 +    #[serde(skip_serializing_if = "Option::is_none")]
 +    pub temporary_authorization_error: Option<String>,
 +}
  const DEFAULT_AUTH_MAX_ATTEMPTS: usize = 3;
  const DEFAULT_IDENTITY_SELECTION_ATTEMPTS: usize = 3;
  const DEFAULT_RETENTION_SELECTION_ATTEMPTS: usize = 3;
  pub fn enumerate_temporary_authorizations() -> Result<Vec<TemporaryAuthorizationRecord>> {
      let connection = Connection::system().context("failed to connect to system bus")?;
      let subject = build_subject();
 -    let proxy = PolkitAgent::proxy(&connection)?;
 -    let authorizations: Vec<TemporaryAuthorization> =
 -        proxy.call("EnumerateTemporaryAuthorizations", &subject)?;
 -    let now_unix = SystemTime::now()
 -        .duration_since(UNIX_EPOCH)
 -        .map(|duration| duration.as_secs())
 -        .unwrap_or(0);
+-
 -    let mut entries = Vec::with_capacity(authorizations.len());
 -    for (authorization_id, action_id, _subject, obtained_at_unix, expires_at_unix) in authorizations
 -    {
 -        let expires_in_secs = expires_at_unix.saturating_sub(now_unix);
 -        entries.push(TemporaryAuthorizationRecord {
 -            authorization_id,
 -            action_id,
 -            obtained_at_unix,
 -            expires_at_unix,
 -            expires_in_secs,
 -        });
 -    }
 -    entries.sort_by(|left, right| left.action_id.cmp(&right.action_id));
 -    Ok(entries)
 +    enumerate_temporary_authorizations_for_subject(&connection, &subject)
+ }
  pub fn revoke_temporary_authorization_by_id(authorization_id: &str) -> Result<()> {
      Ok(revoked)
+ }
 +pub fn current_subject_resolution() -> SubjectResolution {
 +    if let Some(session_id) = current_session_id() {
 +        return SubjectResolution {
 +            kind: "unix-session".to_string(),
 +            session_id: Some(session_id),
 +            pid: None,
 +            uid: None,
 +            start_time_ticks: None,
 +            has_start_time: false,
 +        };
 +    }
++
 +    let start_time_ticks = process_start_time_ticks();
 +    SubjectResolution {
 +        kind: "unix-process".to_string(),
 +        session_id: None,
 +        pid: Some(std::process::id()),
 +        uid: Some(nix::unistd::geteuid().as_raw()),
 +        start_time_ticks,
 +        has_start_time: start_time_ticks.is_some(),
 +    }
 +}
++
 +pub fn collect_authority_diagnostics() -> AuthorityDiagnostics {
 +    let subject = current_subject_resolution();
 +    let connection = match Connection::system() {
 +        Ok(connection) => connection,
 +        Err(err) => {
 +            return AuthorityDiagnostics {
 +                authority_connected: false,
 +                authority_error: Some(format!("failed to connect to system bus: {}", err)),
 +                subject,
 +                temporary_authorization_count: None,
 +                temporary_authorization_error: None,
 +            };
 +        }
 +    };
++
 +    if let Err(err) = PolkitAgent::ping_authority(&connection) {
 +        return AuthorityDiagnostics {
 +            authority_connected: false,
 +            authority_error: Some(format!("polkit authority ping failed: {}", err)),
 +            subject,
 +            temporary_authorization_count: None,
 +            temporary_authorization_error: None,
 +        };
 +    }
++
 +    let polkit_subject = subject_to_polkit_subject(&subject);
 +    match enumerate_temporary_authorizations_for_subject(&connection, &polkit_subject) {
 +        Ok(authorizations) => AuthorityDiagnostics {
 +            authority_connected: true,
 +            authority_error: None,
 +            subject,
 +            temporary_authorization_count: Some(authorizations.len()),
 +            temporary_authorization_error: None,
 +        },
 +        Err(err) => AuthorityDiagnostics {
 +            authority_connected: true,
 +            authority_error: None,
 +            subject,
 +            temporary_authorization_count: None,
 +            temporary_authorization_error: Some(err.to_string()),
 +        },
 +    }
 +}
++
 +fn enumerate_temporary_authorizations_for_subject(
 +    connection: &Connection,
 +    subject: &Subject,
 +) -> Result<Vec<TemporaryAuthorizationRecord>> {
 +    let proxy = PolkitAgent::proxy(connection)?;
 +    let authorizations: Vec<TemporaryAuthorization> =
 +        proxy.call("EnumerateTemporaryAuthorizations", subject)?;
 +    let now_unix = SystemTime::now()
 +        .duration_since(UNIX_EPOCH)
 +        .map(|duration| duration.as_secs())
 +        .unwrap_or(0);
++
 +    let mut entries = Vec::with_capacity(authorizations.len());
 +    for (authorization_id, action_id, _subject, obtained_at_unix, expires_at_unix) in authorizations
 +    {
 +        let expires_in_secs = expires_at_unix.saturating_sub(now_unix);
 +        entries.push(TemporaryAuthorizationRecord {
 +            authorization_id,
 +            action_id,
 +            obtained_at_unix,
 +            expires_at_unix,
 +            expires_in_secs,
 +        });
 +    }
 +    entries.sort_by(|left, right| left.action_id.cmp(&right.action_id));
 +    Ok(entries)
 +}
++
  fn render_prompt_context(request: &ActiveRequest) -> String {
      let mut lines = Vec::new();
      let message = request.message.trim();
      subject_from_session_id(current_session_id())
+ }
 +fn subject_to_polkit_subject(subject: &SubjectResolution) -> Subject {
 +    if subject.kind == "unix-session" {
 +        return subject_from_session_id(subject.session_id.clone());
 +    }
++
 +    build_unix_process_subject()
 +}
++
  fn subject_from_session_id(session_id: Option<String>) -> Subject {
      if let Some(session_id) = session_id {
          let mut details = HashMap::new();
          assert!(subject.1.contains_key("start-time"));
+     }
 +    #[test]
 +    fn subject_to_polkit_subject_uses_session_resolution() {
 +        let resolution = SubjectResolution {
 +            kind: "unix-session".to_string(),
 +            session_id: Some("42".to_string()),
 +            pid: None,
 +            uid: None,
 +            start_time_ticks: None,
 +            has_start_time: false,
 +        };
++
 +        let subject = subject_to_polkit_subject(&resolution);
 +        assert_eq!(subject.0.as_str(), "unix-session");
 +        let session_id = subject
 +            .1
 +            .get("session-id")
 +            .and_then(|value| <&str>::try_from(value).ok());
 +        assert_eq!(session_id, Some("42"));
 +    }
++
 +    #[test]
 +    fn subject_to_polkit_subject_falls_back_to_unix_process_resolution() {
 +        let resolution = SubjectResolution {
 +            kind: "unix-process".to_string(),
 +            session_id: None,
 +            pid: Some(std::process::id()),
 +            uid: Some(nix::unistd::geteuid().as_raw()),
 +            start_time_ticks: process_start_time_ticks(),
 +            has_start_time: true,
 +        };
++
 +        let subject = subject_to_polkit_subject(&resolution);
 +        assert_eq!(subject.0.as_str(), "unix-process");
 +        assert!(subject.1.contains_key("pid"));
 +        assert!(subject.1.contains_key("uid"));
 +    }
++
      #[test]
      fn invalid_object_path_error_message_mentions_path() {
          let err = match PolkitAgent::new(

garcard/src/daemon.rsmodified

  use crate::agent::{
      AuthAgentBackend, PolkitAgent, PolkitBackendConfig, StubPolkitAgent,
 -    enumerate_temporary_authorizations, revoke_all_temporary_authorizations,
 -    revoke_temporary_authorization_by_id,
 +    collect_authority_diagnostics, enumerate_temporary_authorizations,
 +    revoke_all_temporary_authorizations, revoke_temporary_authorization_by_id,
  };
  use crate::config::{AgentBackendMode, Config};
  use crate::state::{AuthState, RuntimeState};
      match command {
          Command::Ping => Response::ok_with_data(json!({ "pong": true })),
          Command::Status => Response::ok_with_data(state.status()),
 +        Command::Diagnose => {
 +            let diagnostics = collect_authority_diagnostics();
 +            let auth_summary = state.auth_summary();
 +            let hints = diagnostics_hints(&diagnostics, auth_summary.last_outcome.as_deref());
 +            Response::ok_with_data(json!({
 +                "authority_connected": diagnostics.authority_connected,
 +                "authority_error": diagnostics.authority_error,
 +                "subject": diagnostics.subject,
 +                "temporary_authorization_count": diagnostics.temporary_authorization_count,
 +                "temporary_authorization_error": diagnostics.temporary_authorization_error,
 +                "last_outcome": auth_summary.last_outcome,
 +                "hints": hints,
 +            }))
 +        }
          Command::Version => Response::ok_with_data(state.version()),
          Command::AuthSummary => Response::ok_with_data(state.auth_summary()),
          Command::TempList => match enumerate_temporary_authorizations() {
+     }
+ }
 +fn diagnostics_hints(
 +    diagnostics: &crate::agent::AuthorityDiagnostics,
 +    last_outcome: Option<&str>,
 +) -> Vec<String> {
 +    let mut hints = Vec::new();
++
 +    if !diagnostics.authority_connected {
 +        hints.push(
 +            "No agent path: verify garcard daemon is running and reachable with `garcardctl ping`."
 +                .to_string(),
 +        );
 +        hints.push(
 +            "If polkit was restarted, relaunch garcard (`garcardctl quit`, then start daemon again)."
 +                .to_string(),
 +        );
 +    }
++
 +    if diagnostics.subject.kind != "unix-session" {
 +        hints.push(
 +            "Subject is `unix-process` fallback; set a valid `XDG_SESSION_ID` and restart daemon for session-scoped auth."
 +                .to_string(),
 +        );
 +    }
++
 +    if diagnostics
 +        .temporary_authorization_error
 +        .as_ref()
 +        .is_some_and(|error| !error.trim().is_empty())
 +    {
 +        hints.push(
 +            "Temporary-authorization inspection failed; verify authority permissions and dbus connectivity."
 +                .to_string(),
 +        );
 +    }
++
 +    if matches!(last_outcome, Some("failure")) {
 +        hints.push(
 +            "Denied flow observed; verify account policy membership (admin/wheel) and retry with `pkcheck --allow-user-interaction ...`."
 +                .to_string(),
 +        );
 +    } else {
 +        hints.push(
 +            "For denied-flow debugging, run daemon with `RUST_LOG=garcard=debug` and trigger via `pkcheck --allow-user-interaction ...`."
 +                .to_string(),
 +        );
 +    }
++
 +    hints
 +}
++
  #[cfg(test)]
  mod tests {
      use super::*;
          assert!(shutdown_rx.try_recv().is_ok());
+     }
 +    #[test]
 +    fn diagnostics_hints_cover_no_agent_and_denied_flows() {
 +        let diagnostics = crate::agent::AuthorityDiagnostics {
 +            authority_connected: false,
 +            authority_error: Some("failed to connect to system bus".to_string()),
 +            subject: crate::agent::SubjectResolution {
 +                kind: "unix-process".to_string(),
 +                session_id: None,
 +                pid: Some(1000),
 +                uid: Some(1000),
 +                start_time_ticks: None,
 +                has_start_time: false,
 +            },
 +            temporary_authorization_count: None,
 +            temporary_authorization_error: Some("dbus unavailable".to_string()),
 +        };
++
 +        let hints = diagnostics_hints(&diagnostics, Some("failure"));
 +        assert!(hints.iter().any(|hint| hint.contains("No agent path")));
 +        assert!(
 +            hints
 +                .iter()
 +                .any(|hint| hint.contains("Denied flow observed"))
 +        );
 +        assert!(hints.iter().any(|hint| hint.contains("unix-process")));
 +    }
++
 +    #[test]
 +    fn diagnostics_hints_include_debug_guidance_without_failure_outcome() {
 +        let diagnostics = crate::agent::AuthorityDiagnostics {
 +            authority_connected: true,
 +            authority_error: None,
 +            subject: crate::agent::SubjectResolution {
 +                kind: "unix-session".to_string(),
 +                session_id: Some("7".to_string()),
 +                pid: None,
 +                uid: None,
 +                start_time_ticks: None,
 +                has_start_time: false,
 +            },
 +            temporary_authorization_count: Some(1),
 +            temporary_authorization_error: None,
 +        };
++
 +        let hints = diagnostics_hints(&diagnostics, Some("success"));
 +        assert!(
 +            hints
 +                .iter()
 +                .any(|hint| hint.contains("denied-flow debugging"))
 +        );
 +        assert!(!hints.iter().any(|hint| hint.contains("No agent path")));
 +    }
++
      #[test]
      fn auto_backend_falls_back_to_stub_for_bad_object_path() {
          let config = Config {

garcardctl/src/main.rsmodified

  enum Commands {
      Ping,
      Status,
 +    Diagnose,
      Version,
      AuthSummary,
      TempList,
      match command {
          Commands::Ping => Command::Ping,
          Commands::Status => Command::Status,
 +        Commands::Diagnose => Command::Diagnose,
          Commands::Version => Command::Version,
          Commands::AuthSummary => Command::AuthSummary,
          Commands::TempList => Command::TempList,