[Libvir] PATCH: Don't send callbacks invalid credentials

Daniel P. Berrange berrange at redhat.com
Fri Dec 7 16:11:45 UTC 2007


The PolicyKit auth code was invoking the authentication callback even if
the app hadn't indicated support for VIR_CRED_EXTERNAL. The default
authentication callback was also not returning errors for credentials it
doesn't support. This patch fixes both of those flaws.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
-------------- next part --------------
Index: src/libvirt.c
===================================================================
RCS file: /data/cvs/libvirt/src/libvirt.c,v
retrieving revision 1.109
diff -u -p -r1.109 libvirt.c
--- src/libvirt.c	7 Dec 2007 14:56:37 -0000	1.109
+++ src/libvirt.c	7 Dec 2007 16:09:40 -0000
@@ -104,6 +104,9 @@ static int virConnectAuthCallbackDefault
             if (!bufptr)
                 return -1;
             break;
+
+        default:
+            return -1;
         }
 
         if (STREQ(bufptr, "") && cred[i].defresult)
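Review bot: The new `default:` arm has no comment saying why an unknown credential type must fail here, and the reason is not obvious from the switch alone. Without it, an unhandled type would fall through to the `STREQ(bufptr, "")` test just below, with `bufptr` not assigned by that iteration. I would add `/* Unsupported credential type: fail rather than fall through to the bufptr checks below */` above the `return -1;`. The failure is also silent, so the caller cannot tell which `cred[i].type` was rejected; a debug message naming the type would help when diagnosing authentication failures. The switch and the enclosing loop start outside the hunk.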
Index: src/remote_internal.c
===================================================================
RCS file: /data/cvs/libvirt/src/remote_internal.c,v
retrieving revision 1.45
diff -u -p -r1.45 remote_internal.c
--- src/remote_internal.c	7 Dec 2007 14:56:37 -0000	1.45
+++ src/remote_internal.c	7 Dec 2007 16:09:40 -0000
@@ -3520,6 +3520,7 @@ remoteAuthPolkit (virConnectPtr conn, st
                   virConnectAuthPtr auth)
 {
     remote_auth_polkit_ret ret;
+    int i, allowcb = 0;
     virConnectCredential cred = {
         VIR_CRED_EXTERNAL,
         conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage",
@@ -3530,12 +3531,24 @@ remoteAuthPolkit (virConnectPtr conn, st
     };
     remoteDebug(priv, "Client initialize PolicyKit authentication");
 
+    for (i = 0 ; i < auth->ncredtype ; i++) {
+        if (auth->credtype[i] == VIR_CRED_EXTERNAL)
+            allowcb = 1;
+    }
+
     /* Run the authentication callback */
-    if (auth && auth->cb && (*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
-        __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
-                         VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
-                         "Failed to collect auth credentials");
-        return -1;
+    if (allowcb) {
+        if (auth && auth->cb &&
+            (*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
+            __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+                             VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
+                             "Failed to collect auth credentials");
+            return -1;
+        } else {
+            remoteDebug(priv, "No auth callback provided for PolicyKit");
+        }
+    } else {
+        remoteDebug(priv, "Client auth callback does not support PolicyKit");
     }
 
     memset (&ret, 0, sizeof ret);
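Review bot: The added loop reads `auth->ncredtype` and `auth->credtype[i]` before anything checks `auth`, while the condition a few lines later still tests `auth &&`, so a caller passing a NULL `auth` would now dereference a NULL pointer. The `else` that logs "No auth callback provided for PolicyKit" is also attached to the whole `auth && auth->cb && cb(...) < 0` condition, so it fires when a callback exists and succeeded, which makes the debug trail for authentication misleading. Guarding the loop on `auth` and splitting the callback test into separate arms fixes both while keeping the messages as they are. The body of remoteAuthPolkit continues past the end of the hunk.

```c
    if (auth) {
        for (i = 0 ; i < auth->ncredtype ; i++) {
            if (auth->credtype[i] == VIR_CRED_EXTERNAL)
                allowcb = 1;
        }
    }

    /* Run the authentication callback (allowcb != 0 implies auth != NULL) */
    if (!allowcb) {
        remoteDebug(priv, "Client auth callback does not support PolicyKit");
    } else if (!auth->cb) {
        remoteDebug(priv, "No auth callback provided for PolicyKit");
    } else if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
        /* … unchanged: __virRaiseError call reporting VIR_ERR_AUTH_FAILED … */
        return -1;
    }
```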

