bridge: Add polkit action for privileged bridge

This provides a nicer polkit prompt with using cockpit-desktop. It also defines a polkit action ID, so that it's possible to have a custom polkit policy for this. https://bugzilla.redhat.com/show_bug.cgi?id=1651264 Closes #10782
2018-12-07 14:41:12 +01:00 · 2018-12-07 14:41:12 +01:00 · c2f2dd1927
parent e64cb8fa6f
commit c2f2dd1927
5 changed files with 42 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,6 +9,7 @@
 *.gir
 *.pyc
 *.typelib
+*.policy
 *.so
 *.mo
 *~
--- a/src/bridge/Makefile.am
+++ b/src/bridge/Makefile.am
@ -272,6 +272,25 @@ EXTRA_DIST += \
 	src/bridge/mock-server.key \
 	$(NULL)

+# -----------------------------------------------------------------------------
+# polkit
+
+polkitdir        = $(datadir)/polkit-1/actions
+polkit_in_files  = src/bridge/org.cockpit-project.cockpit-bridge.policy.in
+polkit_DATA = $(polkit_in_files:.policy.in=.policy)
+
+%.policy: %.policy.in $(PO_FILES)
+	$(AM_V_GEN) $(INTLTOOL_MERGE) -x $(top_srcdir)/po $< $@
+
+EXTRA_DIST += $(polkit_in_files)
+CLEANFILES += $(polkit_DATA)
+
+prepare-po-bridge-policy: $(polkit_in_files)
+	cp $< .
+	$(AM_V_GEN) $(INTLTOOL_EXTRACT) -l --type=gettext/xml $(notdir $<)
+
+prepare-po:: prepare-po-bridge-policy
+
 # -----------------------------------------------------------------------------
 # PCP

--- a/src/bridge/org.cockpit-project.cockpit-bridge.policy.in
+++ b/src/bridge/org.cockpit-project.cockpit-bridge.policy.in
@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+        "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+
+<policyconfig>
+    <vendor>Cockpit Project</vendor>
+    <vendor_url>https://www.cockpit-project.org</vendor_url>
+
+    <action id="org.cockpit-project.cockpit.root-bridge">
+        <_description gettext-domain="cockpit">Administration with Cockpit Web Console</_description>
+        <_message gettext-domain="cockpit">Authentication is required to perform privileged tasks with the Cockpit Web Console</_message>
+        <defaults>
+            <allow_any>auth_admin</allow_any>
+            <allow_inactive>auth_admin</allow_inactive>
+            <allow_active>auth_admin</allow_active>
+        </defaults>
+        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/cockpit-bridge</annotate>
+    </action>
+</policyconfig>
--- a/tools/cockpit.spec
+++ b/tools/cockpit.spec
@ -212,6 +212,7 @@ echo '%{_libexecdir}/cockpit-ssh' >> dashboard.list
 %else
 find %{buildroot}%{_datadir}/cockpit/ssh -type f >> base.list
 echo '%{_libexecdir}/cockpit-ssh' >> base.list
+echo %{buildroot}%{_datadir}/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy >> base.list
 %endif

 %if %{defined build_dashboard}
@ -311,7 +312,7 @@ for pkg in base1 branding motd kdump networkmanager realmd selinux shell sosrepo
    rm -r %{buildroot}/%{_datadir}/cockpit/$pkg
    rm -f %{buildroot}/%{_datadir}/metainfo/org.cockpit-project.cockpit-${pkg}.metainfo.xml
 done
-for data in doc locale man pixmaps; do
+for data in doc locale man pixmaps polkit-1; do
    rm -r %{buildroot}/%{_datadir}/$data
 done
 for lib in systemd tmpfiles.d firewalld; do
--- a/tools/debian/cockpit-bridge.install
+++ b/tools/debian/cockpit-bridge.install
@ -5,3 +5,4 @@ usr/lib/cockpit/cockpit-ssh
 usr/share/cockpit/base1/
 usr/share/cockpit/ssh/
 usr/share/man/man1/cockpit-bridge.1
+usr/share/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy