Re: [libvirt] [PATCH v2 3/3] virsh: Add support for text based polkit authentication

On Fri, Feb 12, 2016 at 06:49:22AM -0500, John Ferlan wrote: > [...] > >>> + err = virGetLastError(); >>> + if (err && strstr(err->message, >>> + _("no agent is available to authenticate"))) { >> >>> + if (!pkagent) { >>> + if (!(pkagent = virPolkitAgentCreate())) >>> + goto cleanup; >>> + } >>> + agentstart++; >>> + } else if (err && strstr(err->message, _("authentication failed:"))) { >> >> String matching is pretty unpleasant. I think we can match on >> err->domain == VIR_FROM_POLKIT && err->code == VIR_ERR_AUTH_FAILED >> for this. >> > > Using VIR_ERR_AUTH_FAILED I cannot distinguish between the failure of > available agent or access denied by policy from virPolkitCheckAuth. > Adjusting what virPolkitCheckAuth returns means more code modification > since the assumption is -2 has 3 possible issues of which 2 currently > are tested by a err->message comparison. My point is that you don't actually need to distinguish those two cases directly. You can do this: if (err && err->code == VIR_FROM_POLKIT && err->code == VIR_ER_AUTH_FAILED) { if (!virDBusIsServiceRegistered(...polkit...)) {

....start agent... } ....retry auth... } > I would think in this case, I wouldn't want to create a text agent if > access is denied by policy. So should I bite the bullet and adjust the > return value checking? Or should I add a new error code > "VIR_ERR_AUTH_DENY" and likewise adjust the code/tests to use that > rather than the current string comparisons. It is actually generally bad security practice to tell users /why/ auth failed - that we return different error messages for these two cases is probably something we should in fact fix.