Add a permission-reset command

This command removes all permissions for a given app
from the permission store.

Closes: #1837
Approved by: alexlarsson

7 files changed, 317 insertions, 0 deletions

diff --git a/app/Makefile.am.inc b/app/Makefile.am.inc
index 46f1f096..941c53ed 100644
--- a/app/Makefile.am.inc
+++ b/app/Makefile.am.inc
@@ -54,6 +54,7 @@ flatpak_SOURCES = \
 	app/flatpak-builtins-permission-remove.c \
 	app/flatpak-builtins-permission-list.c \
 	app/flatpak-builtins-permission-show.c \
+	app/flatpak-builtins-permission-reset.c \
 	app/flatpak-builtins-search.c \
 	app/flatpak-builtins-repair.c \
 	app/flatpak-table-printer.c \
diff --git a/app/flatpak-builtins-permission-reset.c b/app/flatpak-builtins-permission-reset.c
new file mode 100644
index 00000000..3903529f
--- /dev/null
+++ b/app/flatpak-builtins-permission-reset.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright © 2018 Red Hat, Inc
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	 See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Authors:
+ *       Matthias Clasen <mclasen@redhat.com>
+ */
+
+#include "config.h"
+
+#include <locale.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <glib/gi18n.h>
+
+#include "libglnx/libglnx.h"
+#include "flatpak-permission-dbus-generated.h"
+
+#include "flatpak-builtins.h"
+#include "flatpak-table-printer.h"
+#include "flatpak-utils-private.h"
+#include "flatpak-run-private.h"
+
+static GOptionEntry options[] = {
+  { NULL }
+};
+
+static char **
+get_permission_tables (XdpDbusPermissionStore *store)
+{
+  g_autofree char *path = NULL;
+  GDir *dir;
+  const char *name;
+  GPtrArray *tables = NULL;
+
+  tables = g_ptr_array_new ();
+
+  path = g_build_filename (g_get_user_data_dir (), "flatpak/db", NULL);
+  dir = g_dir_open (path, 0, NULL);
+  if (dir != NULL)
+    {
+      while ((name = g_dir_read_name (dir)) != NULL)
+        {
+          g_ptr_array_add (tables, g_strdup (name));
+        }
+    }
+
+  g_dir_close (dir);
+
+  g_ptr_array_add (tables, NULL);
+
+  return (char **)g_ptr_array_free (tables, FALSE);
+}
+
+static gboolean
+remove_for_app (XdpDbusPermissionStore  *store,
+                const char              *table,
+                const char              *app_id,
+                GError                 **error)
+{
+  char **ids;
+  int i;
+
+  /* FIXME some portals cache their permission tables and assume that they're
+   * the only writers, so they may miss these changes.
+   * See https://github.com/flatpak/xdg-desktop-portal/issues/197
+   */
+
+  if (!xdp_dbus_permission_store_call_list_sync (store, table, &ids, NULL, error))
+    return FALSE;
+
+  for (i = 0; ids[i]; i++)
+    {
+      g_autoptr(GVariant) permissions = NULL;
+      g_autoptr(GVariant) data = NULL;
+      GVariantIter iter;
+      char *key;
+      GVariant *value;
+      GVariantBuilder builder;
+
+      g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sas}"));
+
+      if (!xdp_dbus_permission_store_call_lookup_sync (store, table, ids[i],
+                                                       &permissions, &data,
+                                                       NULL, error))
+        return FALSE;
+
+      g_variant_iter_init (&iter, permissions);
+      while (g_variant_iter_loop (&iter, "{s@as}", &key, &value))
+        {
+          if (strcmp (key, app_id) == 0)
+            continue;
+
+          g_variant_builder_add (&builder, "{s@as}", key, value);
+        }
+
+      if (!xdp_dbus_permission_store_call_set_sync (store, table, TRUE, ids[i],
+                                                    g_variant_builder_end (&builder),
+                                                    data ? data : g_variant_new_byte (0),
+                                                    NULL, error))
+        return FALSE;
+    }
+
+  return TRUE;
+}
+
+gboolean
+flatpak_builtin_permission_reset (int argc, char **argv,
+                                  GCancellable *cancellable,
+                                  GError **error)
+{
+  g_autoptr(GOptionContext) context = NULL;
+  g_autoptr(GDBusConnection) session_bus = NULL;
+  XdpDbusPermissionStore *store = NULL;
+  const char *app_id;
+  int i;
+  g_auto(GStrv) tables = NULL;
+
+  context = g_option_context_new (_("APP_ID - Reset permissions for an app"));
+  g_option_context_set_translation_domain (context, GETTEXT_PACKAGE);
+
+  if (!flatpak_option_context_parse (context, options, &argc, &argv,
+                                     FLATPAK_BUILTIN_FLAG_NO_DIR,
+                                     NULL, cancellable, error))
+    return FALSE;
+
+  if (argc != 2)
+    return usage_error (context, _("Wrong number of arguments"), error);
+
+  app_id = argv[1];
+
+  session_bus = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, error);
+  if (session_bus == NULL)
+    return FALSE;
+
+  store = xdp_dbus_permission_store_proxy_new_sync (session_bus, 0,
+                                                    "org.freedesktop.impl.portal.PermissionStore",
+                                                    "/org/freedesktop/impl/portal/PermissionStore",
+                                                    NULL, error);
+  if (store == NULL)
+    return FALSE;
+
+  tables = get_permission_tables (store);
+  for (i = 0; tables[i]; i++)
+    {
+      if (!remove_for_app (store, tables[i], app_id, error))
+        return FALSE;
+    }
+
+  return TRUE;
+}
+
+gboolean
+flatpak_complete_permission_reset (FlatpakCompletion *completion)
+{
+  g_autoptr(GOptionContext) context = NULL;
+  g_autoptr(GDBusConnection) session_bus = NULL;
+  XdpDbusPermissionStore *store = NULL;
+
+  context = g_option_context_new ("");
+
+  if (!flatpak_option_context_parse (context, options, &completion->argc, &completion->argv,
+                                     FLATPAK_BUILTIN_FLAG_NO_DIR, NULL, NULL, NULL))
+    return FALSE;
+
+  session_bus = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+  if (session_bus == NULL)
+    return FALSE;
+
+  store = xdp_dbus_permission_store_proxy_new_sync (session_bus, 0,
+                                                    "org.freedesktop.impl.portal.PermissionStore",
+                                                    "/org/freedesktop/impl/portal/PermissionStore",
+                                                    NULL, NULL);
+
+  if (store == NULL)
+    return FALSE;
+
+  switch (completion->argc)
+    {
+    case 0:
+    case 1: /* APP_ID */
+      flatpak_complete_options (completion, global_entries);
+      flatpak_complete_options (completion, options);
+
+      flatpak_complete_partial_ref (completion, FLATPAK_KINDS_APP, FALSE, flatpak_dir_get_user (), NULL);
+      flatpak_complete_partial_ref (completion, FLATPAK_KINDS_APP, FALSE, flatpak_dir_get_system_default (), NULL);
+
+      break;
+
+    default:
+      break;
+    }
+
+  return TRUE;
+}
diff --git a/app/flatpak-builtins.h b/app/flatpak-builtins.h
index 6e6b28eb..ecea144a 100644
--- a/app/flatpak-builtins.h
+++ b/app/flatpak-builtins.h
@@ -90,6 +90,7 @@ BUILTINPROTO (document_list)
 BUILTINPROTO (permission_remove)
 BUILTINPROTO (permission_list)
 BUILTINPROTO (permission_show)
+BUILTINPROTO (permission_reset)
 BUILTINPROTO (override)
 BUILTINPROTO (repo)
 BUILTINPROTO (config)
diff --git a/app/flatpak-main.c b/app/flatpak-main.c
index 513b7c2f..3dd5dd23 100644
--- a/app/flatpak-main.c
+++ b/app/flatpak-main.c
@@ -93,6 +93,7 @@ static FlatpakCommand commands[] = {
   { "permission-remove", N_("Remove item from permission store"), flatpak_builtin_permission_remove, flatpak_complete_permission_remove },
   { "permission-list", N_("List permissions"), flatpak_builtin_permission_list, flatpak_complete_permission_list },
   { "permission-show", N_("Show app permissions"), flatpak_builtin_permission_show, flatpak_complete_permission_show },
+  { "permission-reset", N_("Reset app permissions"), flatpak_builtin_permission_reset, flatpak_complete_permission_reset },
 
    /* translators: please keep the leading newline and space */
   { N_("\n Manage remote repositories") },
diff --git a/doc/Makefile.am b/doc/Makefile.am
index b26bbb2e..09c80c22 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -42,6 +42,7 @@ man1 = \
 	flatpak-permission-remove.1	\
 	flatpak-permission-list.1	\
 	flatpak-permission-show.1	\
+	flatpak-permission-reset.1	\
 	flatpak-build-init.1		\
 	flatpak-build.1			\
 	flatpak-build-bundle.1		\
diff --git a/doc/flatpak-docs.xml.in b/doc/flatpak-docs.xml.in
index de393935..ec5974f8 100644
--- a/doc/flatpak-docs.xml.in
+++ b/doc/flatpak-docs.xml.in
@@ -36,6 +36,7 @@
       <xi:include href="@srcdir@/flatpak-permission-remove.xml"/>
       <xi:include href="@srcdir@/flatpak-permission-list.xml"/>
       <xi:include href="@srcdir@/flatpak-permission-show.xml"/>
+      <xi:include href="@srcdir@/flatpak-permission-reset.xml"/>
       <xi:include href="@srcdir@/flatpak-enter.xml"/>
       <xi:include href="@srcdir@/flatpak-info.xml"/>
       <xi:include href="@srcdir@/flatpak-install.xml"/>
diff --git a/doc/flatpak-permission-reset.xml b/doc/flatpak-permission-reset.xml
new file mode 100644
index 00000000..4e58d853
--- /dev/null
+++ b/doc/flatpak-permission-reset.xml
@@ -0,0 +1,102 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+    "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="flatpak-permission-reset">
+
+    <refentryinfo>
+        <title>flatpak permission-reset</title>
+        <productname>flatpak</productname>
+
+        <authorgroup>
+            <author>
+                <contrib>Developer</contrib>
+                <firstname>Matthias</firstname>
+                <surname>Clasen</surname>
+                <email>mclasen@redhat.com</email>
+            </author>
+        </authorgroup>
+    </refentryinfo>
+
+    <refmeta>
+        <refentrytitle>flatpak permission-reset</refentrytitle>
+        <manvolnum>1</manvolnum>
+    </refmeta>
+
+    <refnamediv>
+        <refname>flatpak-permission-reset</refname>
+        <refpurpose>Reset permissions</refpurpose>
+    </refnamediv>
+
+    <refsynopsisdiv>
+            <cmdsynopsis>
+                <command>flatpak permission-reset</command>
+                <arg choice="opt" rep="repeat">OPTION</arg>
+                <arg choice="plain">APP_ID</arg>
+            </cmdsynopsis>
+    </refsynopsisdiv>
+
+    <refsect1>
+        <title>Description</title>
+
+        <para>
+          Removes all permissions for the given app from the Flatpak
+          permission store.
+        </para>
+
+        <para>
+          The permission store is used by portals.
+          Each portal generally has its own table in the permission
+          store, and the format of the table entries is specific to
+          each portal.
+        </para>
+
+    </refsect1>
+
+    <refsect1>
+        <title>Options</title>
+
+        <para>The following options are understood:</para>
+
+        <variablelist>
+            <varlistentry>
+                <term><option>-h</option></term>
+                <term><option>--help</option></term>
+
+                <listitem><para>
+                    Show help options and exit.
+                </para></listitem>
+            </varlistentry>
+
+            <varlistentry>
+                <term><option>-v</option></term>
+                <term><option>--verbose</option></term>
+
+                <listitem><para>
+                    Print debug information during command processing.
+                </para></listitem>
+            </varlistentry>
+
+            <varlistentry>
+                <term><option>--ostree-verbose</option></term>
+
+                <listitem><para>
+                    Print OSTree debug information during command processing.
+                </para></listitem>
+            </varlistentry>
+        </variablelist>
+    </refsect1>
+
+    <refsect1>
+        <title>See also</title>
+
+        <para>
+            <citerefentry><refentrytitle>flatpak</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+            <citerefentry><refentrytitle>flatpak-permission-list</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+            <citerefentry><refentrytitle>flatpak-permission-show</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+            <citerefentry><refentrytitle>flatpak-permission-remove</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        </para>
+
+    </refsect1>
+
+</refentry>