auth-manager: let NMAuthChain always call to NMAuthManager for dummy requests

NMAuthChain's nm_auth_chain_add_call() used to add special handling for
the NMAuthSubject. This handling really belongs to NMAuthManager for two
reasons:
 - NMAuthManager already goes through the effort of scheduling an idle
   handler to handle the case where no GDBusProxy is present. It can
   just as well handle the special cases where polkit-auth is disabled
   or when we have internal requests.
 - by NMAuthChain doing special handling, it makes it more complicated
   to call nm_auth_manager_check_authorization() directly. Previously,
   the NMAuthChain had additional logic, which means you either were
   forced to create an NMAuthChain, or you had to reimplement special
   handling like nm_auth_chain_add_call().

2 files changed, 49 insertions, 42 deletions

diff --git a/src/nm-auth-manager.c b/src/nm-auth-manager.c
index ee63df6f56..6a8214c824 100644
--- a/src/nm-auth-manager.c
+++ b/src/nm-auth-manager.c
@@ -123,6 +123,11 @@ typedef enum {
 	POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0),
 } PolkitCheckAuthorizationFlags;
 
+typedef enum {
+	IDLE_REASON_AUTHORIZED,
+	IDLE_REASON_NO_DBUS,
+} IdleReason;
+
 struct _NMAuthManagerCallId {
 	CList calls_lst;
 	NMAuthManager *self;
@@ -132,6 +137,7 @@ struct _NMAuthManagerCallId {
 	gpointer user_data;
 	guint64 call_numid;
 	guint idle_id;
+	IdleReason idle_reason:8;
 };
 
 #define cancellation_id_to_str_a(call_numid) \
@@ -289,16 +295,28 @@ _call_check_authorize (NMAuthManagerCallId *call_id)
 }
 
 static gboolean
-_call_fail_on_idle (gpointer user_data)
+_call_on_idle (gpointer user_data)
 {
 	NMAuthManagerCallId *call_id = user_data;
 	gs_free_error GError *error = NULL;
+	gboolean is_authorized = FALSE;
+	gboolean is_challenge = FALSE;
+	const char *error_msg = NULL;
 
 	call_id->idle_id = 0;
-	g_set_error_literal (&error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN,
-	                     "failure creating GDBusProxy for authorization request");
-	_LOG2T (call_id, "completed: failed due to no D-Bus proxy");
-	_call_id_invoke_callback (call_id, FALSE, FALSE, error);
+	if (call_id->idle_reason == IDLE_REASON_AUTHORIZED) {
+		is_authorized = TRUE;
+		_LOG2T (call_id, "completed: authorized=%d, challenge=%d (simulated)",
+		        is_authorized, is_challenge);
+	} else {
+		nm_assert (call_id->idle_reason == IDLE_REASON_NO_DBUS);
+		error_msg = "failure creating GDBusProxy for authorization request";
+		_LOG2T (call_id, "completed: failed due to no D-Bus proxy");
+	}
+
+	if (error_msg)
+		g_set_error_literal (&error, NM_UTILS_ERROR, NM_UTILS_ERROR_UNKNOWN, error_msg);
+	_call_id_invoke_callback (call_id, is_authorized, is_challenge, error);
 	return G_SOURCE_REMOVE;
 }
 
@@ -332,13 +350,14 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
 	NMAuthManagerCallId *call_id;
 
 	g_return_val_if_fail (NM_IS_AUTH_MANAGER (self), NULL);
-	g_return_val_if_fail (NM_IS_AUTH_SUBJECT (subject), NULL);
-	g_return_val_if_fail (nm_auth_subject_is_unix_process (subject), NULL);
+	g_return_val_if_fail (NM_IN_SET (nm_auth_subject_get_subject_type (subject),
+	                                 NM_AUTH_SUBJECT_TYPE_INTERNAL,
+	                                 NM_AUTH_SUBJECT_TYPE_UNIX_PROCESS),
+	                      NULL);
 	g_return_val_if_fail (action_id, NULL);
 
 	priv = NM_AUTH_MANAGER_GET_PRIVATE (self);
 
-	g_return_val_if_fail (priv->polkit_enabled, NULL);
 	g_return_val_if_fail (!priv->disposing, NULL);
 	g_return_val_if_fail (!priv->shutting_down, NULL);
 
@@ -353,10 +372,23 @@ nm_auth_manager_check_authorization (NMAuthManager *self,
 	call_id->call_numid = ++priv->call_numid_counter;
 	c_list_link_tail (&priv->calls_lst_head, &call_id->calls_lst);
 
-	if (   !priv->proxy
-	    && !priv->new_proxy_cancellable) {
+	if (!priv->polkit_enabled) {
+		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding due to polkit authorization disabled)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
+		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
+		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
+	} else if (nm_auth_subject_is_internal (subject)) {
+		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding for internal request)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
+		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
+		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
+	} else if (nm_auth_subject_get_unix_process_uid (subject) == 0) {
+		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (succeeding for root)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
+		call_id->idle_reason = IDLE_REASON_AUTHORIZED;
+		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
+	} else if (   !priv->proxy
+	           && !priv->new_proxy_cancellable) {
 		_LOG2T (call_id, "CheckAuthorization(%s), subject=%s (failing due to invalid DBUS proxy)", action_id, nm_auth_subject_to_string (subject, subject_buf, sizeof (subject_buf)));
-		call_id->idle_id = g_idle_add (_call_fail_on_idle, call_id);
+		call_id->idle_reason = IDLE_REASON_NO_DBUS;
+		call_id->idle_id = g_idle_add (_call_on_idle, call_id);
 	} else {
 		subject_value = nm_auth_subject_unix_process_to_polkit_gvariant (subject);
 		nm_assert (g_variant_is_floating (subject_value));
diff --git a/src/nm-auth-utils.c b/src/nm-auth-utils.c
index d641621bf2..83206352cd 100644
--- a/src/nm-auth-utils.c
+++ b/src/nm-auth-utils.c
@@ -54,7 +54,6 @@ typedef struct {
 	NMAuthChain *chain;
 	NMAuthManagerCallId *call_id;
 	char *permission;
-	guint call_idle_id;
 } AuthCall;
 
 /*****************************************************************************/
@@ -74,8 +73,6 @@ auth_call_free (AuthCall *call)
 {
 	if (call->call_id)
 		nm_auth_manager_check_authorization_cancel (call->call_id);
-
-	nm_clear_g_source (&call->call_idle_id);
 	c_list_unlink_stale (&call->auth_call_lst);
 	g_free (call->permission);
 	g_slice_free (AuthCall, call);
@@ -241,18 +238,6 @@ auth_call_complete (AuthCall *call)
 	}
 }
 
-static gboolean
-auth_call_complete_idle_cb (gpointer user_data)
-{
-	AuthCall *call = user_data;
-
-	_ASSERT_call (call);
-
-	call->call_idle_id = 0;
-	auth_call_complete (call);
-	return G_SOURCE_REMOVE;
-}
-
 static void
 pk_call_cb (NMAuthManager *auth_manager,
             NMAuthManagerCallId *call_id,
@@ -311,22 +296,12 @@ nm_auth_chain_add_call (NMAuthChain *self,
 	call->chain = self;
 	call->permission = g_strdup (permission);
 	c_list_link_tail (&self->auth_call_lst_head, &call->auth_call_lst);
-
-	if (   nm_auth_subject_is_internal (self->subject)
-	    || nm_auth_subject_get_unix_process_uid (self->subject) == 0
-	    || !nm_auth_manager_get_polkit_enabled (auth_manager)) {
-		/* Root user or non-polkit always gets the permission */
-		nm_auth_chain_set_data (self, permission, GUINT_TO_POINTER (NM_AUTH_CALL_RESULT_YES), NULL);
-		call->call_idle_id = g_idle_add (auth_call_complete_idle_cb, call);
-	} else {
-		/* Non-root always gets authenticated when using polkit */
-		call->call_id = nm_auth_manager_check_authorization (auth_manager,
-		                                                     self->subject,
-		                                                     permission,
-		                                                     allow_interaction,
-		                                                     pk_call_cb,
-		                                                     call);
-	}
+	call->call_id = nm_auth_manager_check_authorization (auth_manager,
+	                                                     self->subject,
+	                                                     permission,
+	                                                     allow_interaction,
+	                                                     pk_call_cb,
+	                                                     call);
 }
 
 /*****************************************************************************/