Merge pull request #19 from slakkala/dev/policykit-policy

Adjust policykit policy
tiiuae · Oct 9, 2024 · be24afa · be24afa
2 parents 68079de + 9df483d
commit be24afa
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 29 deletions.
diff --git a/client/src/client.rs b/client/src/client.rs
@@ -167,7 +167,7 @@ impl AdminClient {
     pub async fn watch(&self) -> anyhow::Result<WatchResult> {
         use pb::admin::watch_item::Status;
         use pb::admin::WatchItem;
-        let (tx, rx) = async_channel::bounded::<Event>(10);
+        let (tx, rx) = async_channel::bounded(10);
         let (quittx, mut quitrx) = mpsc::channel(1);
 
         let mut watch = self

diff --git a/client/src/endpoint.rs b/client/src/endpoint.rs
@@ -1,4 +1,5 @@
 use std::path::PathBuf;
+use std::sync::Arc;
 use std::time::Duration;
 
 use anyhow::anyhow;
@@ -40,11 +41,11 @@ impl TlsConfig {
         let client_identity = Identity::from_pem(client_cert, client_key);
         let tls_name = self
             .tls_name
-            .as_ref()
+            .as_deref()
             .ok_or_else(|| anyhow!("Missing TLS name"))?;
         Ok(ClientTlsConfig::new()
             .ca_certificate(ca)
-            .domain_name(tls_name.as_str())
+            .domain_name(tls_name)
             .identity(client_identity))
     }
 
@@ -69,32 +70,20 @@ fn transport_config_to_url(ea: &EndpointAddress, with_tls: bool) -> String {
 }
 
 async fn connect_unix_socket(endpoint: Endpoint, path: &String) -> anyhow::Result<Channel> {
-    let mut path = Some(path.to_owned());
+    let path = Arc::new(path.to_owned());
     let ch = endpoint
         .connect_with_connector(service_fn(move |_: Uri| {
-            let path = path.take();
-            async move {
-                if let Some(path) = path {
-                    // Connect to a Uds socket
-                    Ok::<_, std::io::Error>(TokioIo::new(UnixStream::connect(path).await?))
-                } else {
-                    Err(std::io::Error::new(
-                        std::io::ErrorKind::Other,
-                        "Path already taken",
-                    ))
-                }
-            }
+            let path = path.clone();
+            async move { UnixStream::connect(path.as_ref()).await.map(TokioIo::new) }
         }))
         .await?;
     Ok(ch)
 }
 
-async fn connect_vsock_socket(endpoint: Endpoint, vs: &VsockAddr) -> anyhow::Result<Channel> {
-    let vs = vs.to_owned();
+async fn connect_vsock_socket(endpoint: Endpoint, vs: VsockAddr) -> anyhow::Result<Channel> {
     let ch = endpoint
         .connect_with_connector(service_fn(move |_: Uri| async move {
-            let stream = VsockStream::connect(vs).await?;
-            Ok::<_, std::io::Error>(TokioIo::new(stream))
+            VsockStream::connect(vs).await.map(TokioIo::new)
         }))
         .await?;
     Ok(ch)
@@ -114,7 +103,7 @@ impl EndpointConfig {
             EndpointAddress::Tcp { .. } => endpoint.connect().await?,
             EndpointAddress::Unix(unix) => connect_unix_socket(endpoint, unix).await?,
             EndpointAddress::Abstract(abs) => connect_unix_socket(endpoint, abs).await?,
-            EndpointAddress::Vsock(vs) => connect_vsock_socket(endpoint, vs).await?,
+            EndpointAddress::Vsock(vs) => connect_vsock_socket(endpoint, *vs).await?,
         };
         Ok(channel)
     }

diff --git a/nixos/modules/appvm.nix b/nixos/modules/appvm.nix
@@ -179,12 +179,10 @@ in
       enable = true;
       extraConfig = ''
         polkit.addRule(function(action, subject) {
-            if (action.id == "org.freedesktop.locale1.set-locale" && subject.user == "ghaf") {
-                return polkit.Result.YES;
-            }
-        });
-        polkit.addRule(function(action, subject) {
-            if (action.id == "org.freedesktop.timedate1.set-timezone" && subject.user == "ghaf") {
+            if ((
+                 action.id == "org.freedesktop.locale1.set-locale" ||
+                 action.id == "org.freedesktop.timedate1.set-timezone"
+                ) && subject.isInGroup("users")) {
                 return polkit.Result.YES;
             }
         });

diff --git a/nixos/tests/admin.nix b/nixos/tests/admin.nix
@@ -299,6 +299,12 @@ in
                   swaymsg("exec ssh -R /tmp/vsock:/tmp/vsock -f -N ${addrs.appvm}")
                   time.sleep(5) # Give ssh some time to setup remote socket
 
+              with subtest("set locale and timezone"):
+                  print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} set-locale en_US.UTF-8"))
+                  adminvm.wait_for_file("/etc/locale-givc.conf")
+                  print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} set-timezone UTC"))
+                  adminvm.wait_for_file("/etc/timezone.conf")
+
               with subtest("Clean run"):
                   print(hostvm.succeed("${cli} --addr ${nodes.adminvm.config.givc.admin.addr} --port ${nodes.adminvm.config.givc.admin.port} --cacert ${nodes.hostvm.givc.host.tls.caCertPath} --cert ${nodes.hostvm.givc.host.tls.certPath} --key ${nodes.hostvm.givc.host.tls.keyPath} ${if tls then "" else "--notls"} --name ${nodes.adminvm.config.givc.admin.name} start foot"))
                   time.sleep(10) # Give few seconds to application to spin up

diff --git a/src/admin/server.rs b/src/admin/server.rs
@@ -223,7 +223,7 @@ impl AdminServiceImpl {
                     error!("could not get status of unit {}: {}", &entry.name, err);
                     self.handle_error(entry)
                         .await
-                        .with_context(|| "during handle error")?
+                        .context("during handle error")?
                 }
                 Ok(status) => {
                     let inactive = status.active_state != "active";

diff --git a/src/utils/naming.rs b/src/utils/naming.rs
@@ -27,7 +27,7 @@ pub fn parse_application_name(name: &str) -> anyhow::Result<(&str, i32)> {
     if let Some(name_no_suffix) = name.strip_suffix(".service") {
         if let Some((left, right)) = name_no_suffix.rsplit_once('@') {
             let num = right
-                .parse::<i32>()
+                .parse()
                 .with_context(|| format!("While parsing number part of {name}"))?;
             return Ok((left, num));
         }