[Libvir] PATCH: Don't send callbacks invalid credentials
Daniel P. Berrange
berrange at redhat.com
Fri Dec 7 16:11:45 UTC 2007
The PolicyKit auth code was invoking the authentication callback even if
the app hadn't indicated support for VIR_CRED_EXTERNAL. The default
authentication callback was also not returning errors for credentials it
doesn't support. This patch fixes both of those flaws.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
-------------- next part --------------
Index: src/libvirt.c
===================================================================
RCS file: /data/cvs/libvirt/src/libvirt.c,v
retrieving revision 1.109
diff -u -p -r1.109 libvirt.c
--- src/libvirt.c 7 Dec 2007 14:56:37 -0000 1.109
+++ src/libvirt.c 7 Dec 2007 16:09:40 -0000
@@ -104,6 +104,9 @@ static int virConnectAuthCallbackDefault
if (!bufptr)
return -1;
break;
+
+ default:
+ return -1;
}
if (STREQ(bufptr, "") && cred[i].defresult)
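Review bot: The new `default:` arm in virConnectAuthCallbackDefault returns -1 with no comment and no diagnostic, so the caller sees only a generic failure and cannot tell which credential type was rejected. I would add a comment such as `/* Unsupported credential type: fail instead of reaching the STREQ(bufptr, "") check below */`. The loop starts and ends outside the hunk, so it is not visible whether results already stored for earlier cred[] entries are released on this early return; that is worth confirming.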
Index: src/remote_internal.c
===================================================================
RCS file: /data/cvs/libvirt/src/remote_internal.c,v
retrieving revision 1.45
diff -u -p -r1.45 remote_internal.c
--- src/remote_internal.c 7 Dec 2007 14:56:37 -0000 1.45
+++ src/remote_internal.c 7 Dec 2007 16:09:40 -0000
@@ -3520,6 +3520,7 @@ remoteAuthPolkit (virConnectPtr conn, st
virConnectAuthPtr auth)
{
remote_auth_polkit_ret ret;
+ int i, allowcb = 0;
virConnectCredential cred = {
VIR_CRED_EXTERNAL,
conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage",
@@ -3530,12 +3531,24 @@ remoteAuthPolkit (virConnectPtr conn, st
};
remoteDebug(priv, "Client initialize PolicyKit authentication");
+ for (i = 0 ; i < auth->ncredtype ; i++) {
+ if (auth->credtype[i] == VIR_CRED_EXTERNAL)
+ allowcb = 1;
+ }
+
/* Run the authentication callback */
- if (auth && auth->cb && (*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
- __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
- VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
- "Failed to collect auth credentials");
- return -1;
+ if (allowcb) {
+ if (auth && auth->cb &&
+ (*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
+ __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
+ VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0,
+ "Failed to collect auth credentials");
+ return -1;
+ } else {
+ remoteDebug(priv, "No auth callback provided for PolicyKit");
+ }
+ } else {
+ remoteDebug(priv, "Client auth callback does not support PolicyKit");
}
memset (&ret, 0, sizeof ret);
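Review bot: The added loop in remoteAuthPolkit reads `auth->ncredtype` and `auth->credtype[i]` before the `auth &&` test that the callback invocation still carries, so a NULL `auth` is dereferenced before it is checked. If callers can pass NULL, as the retained test suggests, the loop needs the same guard, e.g. `for (i = 0 ; auth && i < auth->ncredtype ; i++) {`. Separately, the inner `else` also runs when the callback exists and succeeds, so "No auth callback provided for PolicyKit" is logged on the success path; testing `auth && auth->cb` on its own before the call would keep that message accurate. The function body continues outside the hunk.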