From 84371303d8302e59e535b4ca2d7e2d5f43d7679e Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Thu, 14 Apr 2016 14:58:40 -0400
Subject: [PATCH] remote: Don't reject remote polkit if client lacks support

If you compile a client --without-polkit, and connect to a URI that needs
polkit auth, the connection will fail with:

$ ./tools/virsh --connect qemu+ssh://crobinso@machine/system
error: failed to connect to the hypervisor
error: authentication failed: unsupported authentication type 2

This is because the client side portion of the polkit handling is
compiled out. However, nothing polkit specific is actually required
of the client.

Fix that error by unconditionally compiling the basic polkit client
handling.

https://bugzilla.redhat.com/show_bug.cgi?id=635529
---
 src/remote/remote_driver.c | 69 +++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 38 deletions(-)

diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index da9441107b..6bed2c5389 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -132,11 +132,9 @@ static int remoteAuthenticate(virConnectPtr conn, struct private_data *priv,
 #if WITH_SASL
 static int remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
                           virConnectAuthPtr auth, const char *mech);
-#endif
-#if WITH_POLKIT
+#endif /* WITH_SASL */
 static int remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
                             virConnectAuthPtr auth);
-#endif /* WITH_POLKIT */
 
 static virDomainPtr get_nonnull_domain(virConnectPtr conn, remote_nonnull_domain domain);
 static virNetworkPtr get_nonnull_network(virConnectPtr conn, remote_nonnull_network network);
@@ -3326,14 +3324,12 @@ remoteAuthenticate(virConnectPtr conn, struct private_data *priv,
     }
 #endif
 
-#if WITH_POLKIT
     case REMOTE_AUTH_POLKIT:
         if (remoteAuthPolkit(conn, priv, auth) < 0) {
             VIR_FREE(ret.types.types_val);
             return -1;
         }
         break;
-#endif
 
     case REMOTE_AUTH_NONE:
         /* Nothing todo, hurrah ! */
@@ -3904,30 +3900,10 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
 #endif /* WITH_SASL */
 
 
-#if WITH_POLKIT
-# if WITH_POLKIT1
-static int
-remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
-                 virConnectAuthPtr auth ATTRIBUTE_UNUSED)
-{
-    remote_auth_polkit_ret ret;
-    VIR_DEBUG("Client initialize PolicyKit-1 authentication");
-
-    memset(&ret, 0, sizeof(ret));
-    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
-             (xdrproc_t) xdr_void, (char *)NULL,
-             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
-        return -1; /* virError already set by call */
-    }
-
-    VIR_DEBUG("PolicyKit-1 authentication complete");
-    return 0;
-}
-# elif WITH_POLKIT0
-/* Perform the PolicyKit authentication process
- */
+#if WITH_POLKIT0
+/* Perform the PolicyKit0 authentication process */
 static int
-remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
+remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
                  virConnectAuthPtr auth)
 {
     remote_auth_polkit_ret ret;
@@ -3943,14 +3919,8 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
     };
     VIR_DEBUG("Client initialize PolicyKit-0 authentication");
 
-    /* Check auth first and if it succeeds we are done. */
-    memset(&ret, 0, sizeof(ret));
-    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
-             (xdrproc_t) xdr_void, (char *)NULL,
-             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) == 0)
-        goto out;
-
-    /* Auth failed.  Ask client to obtain it and check again. */
+    /* We only make it here if auth already failed
+     * Ask client to obtain it and check again. */
     if (auth && auth->cb) {
         /* Check if the necessary credential type for PolicyKit is supported */
         for (i = 0; i < auth->ncredtype; i++) {
@@ -3986,8 +3956,31 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
     VIR_DEBUG("PolicyKit-0 authentication complete");
     return 0;
 }
-# endif /* WITH_POLKIT0 */
-#endif /* WITH_POLKIT */
+#endif /* WITH_POLKIT0 */
+
+static int
+remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
+                 virConnectAuthPtr auth ATTRIBUTE_UNUSED)
+{
+    remote_auth_polkit_ret ret;
+    VIR_DEBUG("Client initialize PolicyKit authentication");
+
+    memset(&ret, 0, sizeof(ret));
+    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
+             (xdrproc_t) xdr_void, (char *)NULL,
+             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
+        return -1; /* virError already set by call */
+    }
+
+#if WITH_POLKIT0
+    if (remoteAuthPolkit0(conn, priv, auth) < 0)
+        return -1;
+#endif /* WITH_POLKIT0 */
+
+    VIR_DEBUG("PolicyKit authentication complete");
+    return 0;
+}
+
 /*----------------------------------------------------------------------*/
 
 static int
-- 
GitLab