Merge pull request #15 from endlessm/T24016-flatpak-apps

libeos-parental-controls: Support matching against flatpak app IDs
2018-11-26 12:21:56 -02:00 · 2018-11-26 12:21:56 -02:00 · 08e8f994c3
parent 49228974eb 244985f45f
commit 08e8f994c3
4 changed files with 64 additions and 2 deletions
--- a/eos-parental-controls-client/eos-parental-controls-client.py
+++ b/eos-parental-controls-client/eos-parental-controls-client.py
@ -150,7 +150,12 @@ def command_check(user, path, quiet=False, interactive=True):
    user_id = __lookup_user_id_or_error(user)
    app_filter = __get_app_filter_or_error(user_id, interactive)

-    if path.startswith('app/') or path.startswith('runtime/'):
+    if path.startswith('app/') and path.count('/') < 3:
+        # Flatpak app ID
+        path = path[4:]
+        is_allowed = app_filter.is_flatpak_app_allowed(path)
+        noun = 'Flatpak app ID'
+    elif path.startswith('app/') or path.startswith('runtime/'):
        # Flatpak ref
        is_allowed = app_filter.is_flatpak_ref_allowed(path)
        noun = 'Flatpak ref'
--- a/libeos-parental-controls/app-filter.c
+++ b/libeos-parental-controls/app-filter.c
@ -166,7 +166,7 @@ epc_app_filter_is_path_allowed (EpcAppFilter *filter,
 /**
 * epc_app_filter_is_flatpak_ref_allowed:
 * @filter: an #EpcAppFilter
- * @app_ref: flatpak ref for the app
+ * @app_ref: flatpak ref for the app, for example `app/org.gnome.Builder/x86_64/master`
 *
 * Check whether the flatpak app with the given @app_ref is allowed to be run
 * according to this app filter.
@ -197,6 +197,57 @@ epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
    }
 }

+/**
+ * epc_app_filter_is_flatpak_app_allowed:
+ * @filter: an #EpcAppFilter
+ * @app_id: flatpak ID for the app, for example `org.gnome.Builder`
+ *
+ * Check whether the flatpak app with the given @app_id is allowed to be run
+ * according to this app filter. This is a globbing match, matching @app_id
+ * against potentially multiple entries in the blacklist, as the blacklist
+ * contains flatpak refs (for example, `app/org.gnome.Builder/x86_64/master`)
+ * which contain architecture and branch information. App IDs (for example,
+ * `org.gnome.Builder`) do not contain architecture or branch information.
+ *
+ * Returns: %TRUE if the user this @filter corresponds to is allowed to run the
+ *    flatpak called @app_id according to the @filter policy; %FALSE otherwise
+ * Since: 0.1.0
+ */
+gboolean
+epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter,
+                                       const gchar  *app_id)
+{
+  g_return_val_if_fail (filter != NULL, FALSE);
+  g_return_val_if_fail (filter->ref_count >= 1, FALSE);
+  g_return_val_if_fail (app_id != NULL, FALSE);
+
+  gsize app_id_len = strlen (app_id);
+
+  gboolean id_in_list = FALSE;
+  for (gsize i = 0; filter->app_list[i] != NULL; i++)
+    {
+      /* Avoid using flatpak_ref_parse() to avoid a dependency on libflatpak
+       * just for that one function. */
+      if (g_str_has_prefix (filter->app_list[i], "app/") &&
+          strncmp (filter->app_list[i] + strlen ("app/"), app_id, app_id_len) == 0 &&
+          filter->app_list[i][strlen ("app/") + app_id_len] == '/')
+        {
+          id_in_list = TRUE;
+          break;
+        }
+    }
+
+  switch (filter->app_list_type)
+    {
+    case EPC_APP_FILTER_LIST_BLACKLIST:
+      return !id_in_list;
+    case EPC_APP_FILTER_LIST_WHITELIST:
+      return id_in_list;
+    default:
+      g_assert_not_reached ();
+    }
+}
+
 static gint
 strcmp_cb (gconstpointer a,
           gconstpointer b)
--- a/libeos-parental-controls/app-filter.h
+++ b/libeos-parental-controls/app-filter.h
@ -102,6 +102,8 @@ gboolean epc_app_filter_is_path_allowed        (EpcAppFilter *filter,
                                                const gchar  *path);
 gboolean epc_app_filter_is_flatpak_ref_allowed (EpcAppFilter *filter,
                                                const gchar  *app_ref);
+gboolean epc_app_filter_is_flatpak_app_allowed (EpcAppFilter *filter,
+                                                const gchar  *app_id);

 const gchar           **epc_app_filter_get_oars_sections (EpcAppFilter *filter);
 EpcAppFilterOarsValue   epc_app_filter_get_oars_value    (EpcAppFilter *filter,
--- a/libeos-parental-controls/tests/app-filter.c
+++ b/libeos-parental-controls/tests/app-filter.c
@ -135,8 +135,10 @@ test_app_filter_builder_non_empty (BuilderFixture *fixture,

  g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                        "app/org.gnome.Ponies/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies"));
  g_assert_false (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                         "app/org.doom.Doom/x86_64/master"));
+  g_assert_false (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom"));

  g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
                   EPC_APP_FILTER_OARS_VALUE_MILD);
@ -168,8 +170,10 @@ test_app_filter_builder_empty (BuilderFixture *fixture,

  g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                        "app/org.gnome.Ponies/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.gnome.Ponies"));
  g_assert_true (epc_app_filter_is_flatpak_ref_allowed (filter,
                                                        "app/org.doom.Doom/x86_64/master"));
+  g_assert_true (epc_app_filter_is_flatpak_app_allowed (filter, "org.doom.Doom"));

  g_assert_cmpint (epc_app_filter_get_oars_value (filter, "drugs-alcohol"), ==,
                   EPC_APP_FILTER_OARS_VALUE_UNKNOWN);