authorThomas Haller <thaller@redhat.com>2018-04-12 09:48:16 +0200
committerThomas Haller <thaller@redhat.com>2018-04-18 07:55:15 +0200
commitaa86327e45fa5062620c489de4c78270c603f1c4 (patch)
tree459f1acc276a874a162018058c5260a705e58c71
parentf94167d8b1f94e59fb04f711cb999f380b083314 (diff)
downloadNetworkManager-aa86327e45fa5062620c489de4c78270c603f1c4.tar.gz
core: cleanup code by using nm_auth_is_subject_in_acl_set_error()
-rw-r--r--src/nm-manager.c113
-rw-r--r--src/settings/nm-settings-connection.c33
-rw-r--r--src/settings/nm-settings.c31
3 files changed, 57 insertions, 120 deletions
diff --git a/src/nm-manager.c b/src/nm-manager.c
index a4156fa2a7..f569386371 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -2116,7 +2116,6 @@ device_auth_request_cb (NMDevice *device,
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
GError *error = NULL;
NMAuthSubject *subject = NULL;
- char *error_desc = NULL;
NMAuthChain *chain;
/* Validate the caller */
@@ -2129,15 +2128,13 @@ device_auth_request_cb (NMDevice *device,
}
/* Ensure the subject has permissions for this connection */
- if (connection && !nm_auth_is_subject_in_acl (connection,
- subject,
- &error_desc)) {
- error = g_error_new_literal (NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if ( connection
+ && !nm_auth_is_subject_in_acl_set_error (connection,
+ subject,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ &error))
goto done;
- }
/* Validate the request */
chain = nm_auth_chain_new_subject (subject, context, device_auth_done_cb, self);
@@ -3746,7 +3743,6 @@ _internal_activate_device (NMManager *self, NMActiveConnection *active, GError *
NMConnection *existing_connection = NULL;
NMActiveConnection *master_ac = NULL;
NMAuthSubject *subject;
- char *error_desc = NULL;
g_return_val_if_fail (NM_IS_MANAGER (self), FALSE);
g_return_val_if_fail (NM_IS_ACTIVE_CONNECTION (active), FALSE);
@@ -3754,14 +3750,14 @@ _internal_activate_device (NMManager *self, NMActiveConnection *active, GError *
g_assert (NM_IS_VPN_CONNECTION (active) == FALSE);
+ device = nm_active_connection_get_device (active);
+ g_return_val_if_fail (device != NULL, FALSE);
+
connection = nm_active_connection_get_settings_connection (active);
- g_assert (connection);
+ nm_assert (connection);
applied = nm_active_connection_get_applied_connection (active);
- device = nm_active_connection_get_device (active);
- g_return_val_if_fail (device != NULL, FALSE);
-
/* If the device is active and its connection is not visible to the
* user that's requesting this new activation, fail, since other users
* should not be allowed to implicitly deactivate private connections
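Review bot: Replacing `g_assert (connection)` with `nm_assert (connection)` weakens the NULL guard, because `nm_assert` is, as far as I know, only active in builds with extra assertions enabled. If `nm_active_connection_get_settings_connection ()` can return NULL here, release builds would carry on into the permission logic with a NULL connection. The device lookup just above already uses a checked return, so `g_return_val_if_fail (connection, FALSE);` would be consistent with it. The rest of _internal_activate_device is outside this hunk, so whether `connection` is dereferenced later cannot be confirmed from here.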
@@ -3769,16 +3765,13 @@ _internal_activate_device (NMManager *self, NMActiveConnection *active, GError *
*/
existing_connection = nm_device_get_applied_connection (device);
subject = nm_active_connection_get_subject (active);
- if (existing_connection &&
- !nm_auth_is_subject_in_acl (existing_connection,
- subject,
- &error_desc)) {
- g_set_error (error,
- NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- "Private connection already active on the device: %s",
- error_desc);
- g_free (error_desc);
+ if ( existing_connection
+ && !nm_auth_is_subject_in_acl_set_error (existing_connection,
+ subject,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ error)) {
+ g_prefix_error (error, "Private connection already active on the device: ");
return FALSE;
}
@@ -4159,25 +4152,18 @@ nm_manager_activate_connection (NMManager *self,
{
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
NMActiveConnection *active;
- char *error_desc = NULL;
GSList *iter;
- g_return_val_if_fail (self != NULL, NULL);
- g_return_val_if_fail (connection != NULL, NULL);
- g_return_val_if_fail (error != NULL, NULL);
- g_return_val_if_fail (*error == NULL, NULL);
+ g_return_val_if_fail (self, NULL);
+ g_return_val_if_fail (connection, NULL);
+ g_return_val_if_fail (!error || !*error, NULL);
- /* Ensure the subject has permissions for this connection */
- if (!nm_auth_is_subject_in_acl (NM_CONNECTION (connection),
- subject,
- &error_desc)) {
- g_set_error_literal (error,
- NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (NM_CONNECTION (connection),
+ subject,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ error))
return NULL;
- }
/* Look for a active connection that's equivalent and is already pending authorization
* and eventual activation. This is used to de-duplicate concurrent activations which would
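Review bot: The comment that marked this call as the authorization gate is dropped along with the boilerplate, here and in validate_activation_request, impl_manager_deactivate_connection, auth_start and nm_settings_add_connection_dbus, while device_auth_request_cb keeps its comment. I would keep a one-line comment above each call, e.g. `/* Ensure the subject has permissions for this connection */`, so the ACL checks stay easy to find during an audit. The comment removed from nm_settings_add_connection_dbus also recorded that an empty permissions list means the connection is visible to everyone, which is worth preserving there. Separately, the relaxed precondition now admits `error == NULL`; the remainder of nm_manager_activate_connection lies outside the hunk, so any direct read of `*error` further down needs checking.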
@@ -4241,7 +4227,6 @@ validate_activation_request (NMManager *self,
NMDevice *device = NULL;
gboolean vpn = FALSE;
NMAuthSubject *subject = NULL;
- char *error_desc = NULL;
nm_assert (NM_IS_CONNECTION (connection));
nm_assert (out_device);
@@ -4257,17 +4242,12 @@ validate_activation_request (NMManager *self,
return NULL;
}
- /* Ensure the subject has permissions for this connection */
- if (!nm_auth_is_subject_in_acl (connection,
- subject,
- &error_desc)) {
- g_set_error_literal (error,
- NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (connection,
+ subject,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ error))
goto error;
- }
if ( nm_connection_get_setting_vpn (connection)
|| nm_connection_is_type (connection, NM_SETTING_VPN_SETTING_NAME))
@@ -4800,7 +4780,6 @@ impl_manager_deactivate_connection (NMDBusObject *obj,
GError *error = NULL;
NMAuthSubject *subject = NULL;
NMAuthChain *chain;
- char *error_desc = NULL;
const char *active_path;
g_variant_get (parameters, "(&o)", &active_path);
@@ -4826,16 +4805,12 @@ impl_manager_deactivate_connection (NMDBusObject *obj,
goto done;
}
- /* Ensure the subject has permissions for this connection */
- if (!nm_auth_is_subject_in_acl (NM_CONNECTION (connection),
- subject,
- &error_desc)) {
- error = g_error_new_literal (NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (NM_CONNECTION (connection),
+ subject,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ &error))
goto done;
- }
/* Validate the user request */
chain = nm_auth_chain_new_subject (subject, invocation, deactivate_net_auth_done_cb, self);
@@ -5140,10 +5115,6 @@ impl_manager_sleep (NMDBusObject *obj,
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (self);
GError *error = NULL;
gs_unref_object NMAuthSubject *subject = NULL;
-#if 0
- NMAuthChain *chain;
- const char *error_desc = NULL;
-#endif
gboolean do_sleep;
g_variant_get (parameters, "(b)", &do_sleep);
@@ -5172,20 +5143,6 @@ impl_manager_sleep (NMDBusObject *obj,
nm_audit_log_control_op (NM_AUDIT_OP_SLEEP_CONTROL, do_sleep ? "on" : "off", TRUE, subject, NULL);
g_dbus_method_invocation_return_value (invocation, NULL);
return;
-
-#if 0
- chain = nm_auth_chain_new (invocation, sleep_auth_done_cb, self, &error_desc);
- if (chain) {
- priv->auth_chains = g_slist_append (priv->auth_chains, chain);
- nm_auth_chain_set_data (chain, "sleep", GUINT_TO_POINTER (do_sleep), NULL);
- nm_auth_chain_add_call (chain, NM_AUTH_PERMISSION_SLEEP_WAKE, TRUE);
- } else {
- error = g_error_new_literal (NM_MANAGER_ERROR,
- NM_MANAGER_ERROR_PERMISSION_DENIED,
- error_desc);
- g_dbus_method_invocation_take_error (invocation, error);
- }
-#endif
}
static void
diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
index 6871499eb4..a71de91531 100644
--- a/src/settings/nm-settings-connection.c
+++ b/src/settings/nm-settings-connection.c
@@ -1465,24 +1465,19 @@ auth_start (NMSettingsConnection *self,
{
NMSettingsConnectionPrivate *priv = NM_SETTINGS_CONNECTION_GET_PRIVATE (self);
AuthData *auth_data;
- char *error_desc = NULL;
+ GError *error = NULL;
nm_assert (nm_dbus_object_is_exported (NM_DBUS_OBJECT (self)));
nm_assert (G_IS_DBUS_METHOD_INVOCATION (invocation));
nm_assert (NM_IS_AUTH_SUBJECT (subject));
- /* Ensure the caller can view this connection */
- if (!nm_auth_is_subject_in_acl (NM_CONNECTION (self),
- subject,
- &error_desc)) {
- gs_free_error GError *error = NULL;
-
- error = g_error_new_literal (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
-
+ if (!nm_auth_is_subject_in_acl_set_error (NM_CONNECTION (self),
+ subject,
+ NM_SETTINGS_ERROR,
+ NM_SETTINGS_ERROR_PERMISSION_DENIED,
+ &error)) {
callback (self, invocation, subject, error, callback_data);
+ g_clear_error (&error);
return;
}
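Review bot: Moving `error` to function scope swaps the scoped `gs_free_error` cleanup for a manual `g_clear_error (&error)` after the callback. Declaring it as `gs_free_error GError *error = NULL;` would keep the automatic cleanup and make the explicit clear unnecessary. The callback only borrows `error` and must not keep the pointer once it returns; a short comment such as `/* error stays owned by auth_start; callback must copy it if it needs to keep it */` would make that contract visible. auth_start continues outside the hunk, so whether later code reuses `error` cannot be seen from here.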
@@ -1855,7 +1850,6 @@ settings_connection_update (NMSettingsConnection *self,
GError *error = NULL;
UpdateInfo *info;
const char *permission;
- char *error_desc = NULL;
/* If the connection is read-only, that has to be changed at the source of
* the problem (ex a system settings plugin that can't write connections out)
@@ -1892,15 +1886,12 @@ settings_connection_update (NMSettingsConnection *self,
* that's sending the update request. You can't make a connection
* invisible to yourself.
*/
- if (!nm_auth_is_subject_in_acl (tmp ? tmp : NM_CONNECTION (self),
- subject,
- &error_desc)) {
- error = g_error_new_literal (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (tmp ? tmp : NM_CONNECTION (self),
+ subject,
+ NM_SETTINGS_ERROR,
+ NM_SETTINGS_ERROR_PERMISSION_DENIED,
+ &error))
goto error;
- }
info = g_slice_new0 (UpdateInfo);
info->is_update2 = is_update2;
diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index e2be3d120e..3dbd0b72fb 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -309,7 +309,6 @@ impl_settings_get_connection_by_uuid (NMDBusObject *obj,
NMSettingsConnection *connection = NULL;
gs_unref_object NMAuthSubject *subject = NULL;
GError *error = NULL;
- char *error_desc = NULL;
const char *uuid;
g_variant_get (parameters, "(&s)", &uuid);
@@ -330,15 +329,12 @@ impl_settings_get_connection_by_uuid (NMDBusObject *obj,
goto error;
}
- if (!nm_auth_is_subject_in_acl (NM_CONNECTION (connection),
- subject,
- &error_desc)) {
- error = g_error_new_literal (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (NM_CONNECTION (connection),
+ subject,
+ NM_SETTINGS_ERROR,
+ NM_SETTINGS_ERROR_PERMISSION_DENIED,
+ &error))
goto error;
- }
g_dbus_method_invocation_return_value (invocation,
g_variant_new ("(o)",
@@ -1252,7 +1248,6 @@ nm_settings_add_connection_dbus (NMSettings *self,
NMAuthSubject *subject = NULL;
NMAuthChain *chain;
GError *error = NULL, *tmp_error = NULL;
- char *error_desc = NULL;
const char *perm;
g_return_if_fail (connection != NULL);
@@ -1295,18 +1290,12 @@ nm_settings_add_connection_dbus (NMSettings *self,
goto done;
}
- /* Ensure the caller's username exists in the connection's permissions,
- * or that the permissions is empty (ie, visible by everyone).
- */
- if (!nm_auth_is_subject_in_acl (connection,
- subject,
- &error_desc)) {
- error = g_error_new_literal (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- error_desc);
- g_free (error_desc);
+ if (!nm_auth_is_subject_in_acl_set_error (connection,
+ subject,
+ NM_SETTINGS_ERROR,
+ NM_SETTINGS_ERROR_PERMISSION_DENIED,
+ &error))
goto done;
- }
/* If the caller is the only user in the connection's permissions, then
* we use the 'modify.own' permission instead of 'modify.system'. If the