3
#include <QDBusMessage>
3
#include <QDBusMessage>
4
5
#include "aacontext.h"
8
7
static const char FORBIDDEN_ERROR[] = "com.ubuntu.OnlineAccounts.Error.Forbidden";
10
QDBusArgument &operator<<(QDBusArgument &argument, const AccountInfo &info) {
11
argument.beginStructure();
12
argument << info.account_id << info.details;
13
argument.endStructure();
17
const QDBusArgument &operator>>(const QDBusArgument &argument, AccountInfo &info) {
18
argument.beginStructure();
19
argument >> info.account_id >> info.details;
20
argument.endStructure();
25
struct Manager::Private {
26
AppArmorContext apparmor;
9
QDBusArgument &operator<<(QDBusArgument &argument, const AccountInfo &info)
11
argument.beginStructure();
12
argument << info.accountId << info.details;
13
argument.endStructure();
17
const QDBusArgument &operator>>(const QDBusArgument &argument,
20
argument.beginStructure();
21
argument >> info.accountId >> info.details;
22
argument.endStructure();
26
class ManagerPrivate {
28
AppArmorContext m_apparmor;
29
Manager::Manager(QObject *parent)
30
: QObject(parent), p(new Private) {
36
bool Manager::canAccess(const QString &service_id) {
37
QString context = p->apparmor.getPeerSecurityContext(connection(), message());
31
Manager::Manager(QObject *parent):
33
d_ptr(new ManagerPrivate)
42
bool Manager::canAccess(const QString &serviceId)
46
QString context = d->m_apparmor.getPeerSecurityContext(connection(),
38
48
// Could not determine peer's AppArmor context, so deny access
39
49
if (context.isEmpty()) {
55
65
// Do the same on the service ID: we are only dealing with
56
66
// confined apps at this point, so only $pkgname prefixed
57
67
// services are accessible.
58
pos = service_id.indexOf('_');
68
pos = serviceId.indexOf('_');
62
return service_id.left(pos) == pkgname;
72
return serviceId.left(pos) == pkgname;
65
bool Manager::checkAccess(const QString &service_id) {
66
bool has_access = canAccess(service_id);
68
sendErrorReply(FORBIDDEN_ERROR, QString("Access to service ID %1 forbidden").arg(service_id));
75
bool Manager::checkAccess(const QString &serviceId)
77
bool hasAccess = canAccess(serviceId);
79
sendErrorReply(FORBIDDEN_ERROR,
80
QString("Access to service ID %1 forbidden").arg(serviceId));
73
QList<AccountInfo> Manager::GetAccounts(const QStringList &service_ids) {
74
for (const auto &service_id : service_ids) {
75
if (!checkAccess(service_id)) {
85
QList<AccountInfo> Manager::GetAccounts(const QStringList &serviceIds)
87
Q_FOREACH(const QString &serviceId, serviceIds) {
88
if (!checkAccess(serviceId)) {
76
89
return QList<AccountInfo>();
80
93
return QList<AccountInfo>({AccountInfo(0, QVariantMap())});
83
AccountInfo Manager::GetAccountInfo(const QString &service_id, uint account_id) {
84
if (!checkAccess(service_id)) {
96
AccountInfo Manager::GetAccountInfo(const QString &serviceId, uint accountId)
100
if (!checkAccess(serviceId)) {
85
101
return AccountInfo();
88
return AccountInfo(account_id, QVariantMap());
104
return AccountInfo(accountId, QVariantMap());
91
QVariantMap Manager::Authenticate(const QString &service_id, uint account_id, bool interactive, bool invalidate) {
92
if (!checkAccess(service_id)) {
107
QVariantMap Manager::Authenticate(const QString &serviceId, uint accountId,
108
bool interactive, bool invalidate)
111
Q_UNUSED(interactive);
112
Q_UNUSED(invalidate);
114
if (!checkAccess(serviceId)) {
93
115
return QVariantMap();
96
118
return QVariantMap();
99
AccountInfo Manager::Register(const QString &service_id, QVariantMap &credentials) {
100
if (!checkAccess(service_id)) {
121
AccountInfo Manager::Register(const QString &serviceId, QVariantMap &credentials)
123
Q_UNUSED(credentials);
125
if (!checkAccess(serviceId)) {
101
126
return AccountInfo();