GSignondAccessControlManager: gsignond API Reference Manual

GSignondAccessControlManager

GSignondAccessControlManager — an object that performs access control checks

Functions

void	gsignond_access_control_manager_security_context_of_peer ()
gboolean	gsignond_access_control_manager_peer_is_allowed_to_use_identity ()
gboolean	gsignond_access_control_manager_peer_is_owner_of_identity ()
gboolean	gsignond_access_control_manager_acl_is_valid ()
GSignondSecurityContext *	gsignond_access_control_manager_security_context_of_keychain ()

Properties

GSignondConfig *

config

Read / Write / Construct Only

Object Hierarchy

    GObject
    ╰── GSignondAccessControlManager

Includes

#include <gsignond/gsignond-access-control-manager.h>

Description

GSignondAccessControlManager performs access control checks using available system services. gSSO can be configured to use a custom extension that provides a subclassed implementation of GSignondAccessControlManager (see GSignondExtension), otherwise a default implementation is used.

Functions

gsignond_access_control_manager_security_context_of_peer ()

void
gsignond_access_control_manager_security_context_of_peer
                               (GSignondAccessControlManager *self,
                                GSignondSecurityContext *peer_ctx,
                                int peer_fd,
                                const gchar *peer_service,
                                const gchar *peer_app_ctx);

Retrieves and sets GSignondSecurityContext of the specified peer.

The default implementation sets the app context as it was passed, and sets the system context to the binary path of the process that is determined from peer_fd and peer_service parameters.

Parameters

self	object instance.
peer_ctx	instance of security context to be set.
peer_fd	file descriptor of the peer connection if using peer-to-peer dbus, -1 otherwise.
peer_service	g_dbus_method_invocation_get_sender() of the peer connection, if not using peer-to-peer dbus, NULL otherwise
peer_app_ctx	application context of the peer connection.

gsignond_access_control_manager_peer_is_allowed_to_use_identity ()

gboolean
gsignond_access_control_manager_peer_is_allowed_to_use_identity
                               (GSignondAccessControlManager *self,
                                const GSignondSecurityContext *peer_ctx,
                                const GSignondSecurityContext *owner_ctx,
                                const GSignondSecurityContextList *identity_acl);

Checks if specified peer is allowed to access the specified identity.

The default implementation goes over items in identity_acl , using gsignond_security_context_check() to check them against peer_ctx .

Parameters

self	object instance.
peer_ctx	security context of the peer connection.
owner_ctx	security context of the identity owner.
identity_acl	access control list for the identity in question. Includes the `owner_ctx` as well.

Returns

access is allowed?

gsignond_access_control_manager_peer_is_owner_of_identity ()

gboolean
gsignond_access_control_manager_peer_is_owner_of_identity
                               (GSignondAccessControlManager *self,
                                const GSignondSecurityContext *peer_ctx,
                                const GSignondSecurityContext *owner_ctx);

Checks if the peer specified in peer_ctx is the owner of the identity.

The default implementation is using gsignond_security_context_check() to check peer_ctx against owner_ctx directly.

Parameters

self	object instance.
peer_ctx	security context of the peer connection.
owner_ctx	security context of the identity owner.

Returns

is owner?

gsignond_access_control_manager_acl_is_valid ()

gboolean
gsignond_access_control_manager_acl_is_valid
                               (GSignondAccessControlManager *self,
                                const GSignondSecurityContext *peer_ctx,
                                const GSignondSecurityContextList *identity_acl);

Checks if the specified peer is allowed to set the specified access control list. gsignond_access_control_manager_peer_is_owner_of_identity() is used before calling this method to verify identity ownership.

The default implementation always returns TRUE.

Parameters

self	object instance.
peer_ctx	security context of the peer connection.
identity_acl	access control list for the identity.

Returns

access control list is OK?

gsignond_access_control_manager_security_context_of_keychain ()

GSignondSecurityContext *
gsignond_access_control_manager_security_context_of_keychain
                               (GSignondAccessControlManager *self);

Retrieves security context of the keychain application. Keychain application has a special management access to all stored identities and is able to perform deletion of all identities from storage.

The default implementation returns a context either set in GSignondConfig, or if not set, a value specified through a configure --enable-keychain option (see

Building gsignond), or if that is not

set either then an empty string "" is returned.

If gSSO was compiled with --enable-debug and SSO_KEYCHAIN_SYSCTX environment variable is set, then the value of that variable is used to set the returned system context instead.

Parameters

self

object instance.

Returns

security context of the keychain application.

Types and Values

Property Details

The `“config”` property

  “config”                   GSignondConfig *

Configuration object.

Flags: Read / Write / Construct Only