[libsignon] Treat empty ACL as synonym for "*". Contributes to JB#27876

sailfishos · Dec 10, 2019 · e71d603 · e71d603
1 parent cc8a208
commit e71d603
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 24 deletions.
diff --git a/rpm/0001-disable-multilib.patch b/rpm/0001-disable-multilib.patch
@@ -1,7 +1,7 @@
-From a199c161ff19a8612a578c8dc6b531aed21ba40a Mon Sep 17 00:00:00 2001
+From 8f04041c8ca77a7680f983a3887c4da775b40056 Mon Sep 17 00:00:00 2001
 From: Robin Burchell <robin+git@viroteck.net>
 Date: Thu, 11 Jul 2013 08:51:54 +0000
-Subject: [PATCH 1/8] disable multilib
+Subject: [PATCH 1/9] disable multilib
 
 Mer doesn't use it.
 ---
@@ -26,5 +26,5 @@ index a8768cb..5624a7f 100644
  # default library directory can be overriden by defining LIBDIR when
  # running qmake
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0002-fix-documentation-path.patch b/rpm/0002-fix-documentation-path.patch
@@ -1,7 +1,7 @@
-From 9cb171bb9816690c830c9c5a24f1cf6882256cb3 Mon Sep 17 00:00:00 2001
+From 161430c5194413a3be5245f4cd2ef586abbf18f5 Mon Sep 17 00:00:00 2001
 From: Robin Burchell <robin+git@viroteck.net>
 Date: Thu, 11 Jul 2013 08:53:06 +0000
-Subject: [PATCH 2/8] fix documentation path
+Subject: [PATCH 2/9] fix documentation path
 
 ---
  lib/SignOn/doc/doc.pri | 2 +-
@@ -21,5 +21,5 @@ index 46f1148..3f2a96b 100644
      documentation.files += $${folder}
  }
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0003-Install-tests-add-tests-definition.patch b/rpm/0003-Install-tests-add-tests-definition.patch
@@ -1,7 +1,7 @@
-From 843bcff0cdcfe19216ad7b6790de84ba8eacbe8b Mon Sep 17 00:00:00 2001
+From 7844b7100c5859fd315a26d33a3b04c41aa15bcb Mon Sep 17 00:00:00 2001
 From: Martin Kampas <martin.kampas@tieto.com>
 Date: Mon, 18 Mar 2013 16:50:19 +0100
-Subject: [PATCH 3/8] Install tests, add tests definition
+Subject: [PATCH 3/9] Install tests, add tests definition
 
 Signed-off-by: Martin Kampas <martin.kampas@tieto.com>
 ---
@@ -206,5 +206,5 @@ index 64c59c1..656391e 100644
      passwordplugintest \
      libsignon-qt-tests \
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0004-Set-permissions-on-config-dir-correctly.patch b/rpm/0004-Set-permissions-on-config-dir-correctly.patch
@@ -1,7 +1,7 @@
-From a682fda4d2ccbc9d73d15e2e45f0c34dbd4e2816 Mon Sep 17 00:00:00 2001
+From d3f24755fbd48a09c1dd6c9902a6059d8a87a17c Mon Sep 17 00:00:00 2001
 From: Chris Adams <chris.adams@jollamobile.com>
 Date: Thu, 20 Mar 2014 21:44:25 +1000
-Subject: [PATCH 4/8] Set permissions on config dir correctly
+Subject: [PATCH 4/9] Set permissions on config dir correctly
 
 Also ensure that signond is launched with privileged permissions
 ---
@@ -61,5 +61,5 @@ index 86588d5..00d2ead 100644
  DBUS_ADAPTORS += \
      ../../lib/signond/com.nokia.SingleSignOn.Backup.xml
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0005-Guard-PendingCall-against-deletion-by-connected-slot.patch b/rpm/0005-Guard-PendingCall-against-deletion-by-connected-slot.patch
@@ -1,7 +1,7 @@
-From 3d1d5c703763c949a189603fac2095bff312c9f2 Mon Sep 17 00:00:00 2001
+From e5b1cc1ce601ba092110c2106b4ca776e5d1dda2 Mon Sep 17 00:00:00 2001
 From: Chris Adams <chris.adams@jollamobile.com>
 Date: Fri, 6 Feb 2015 15:39:16 +1000
-Subject: [PATCH 5/8] Guard PendingCall against deletion by connected slots
+Subject: [PATCH 5/9] Guard PendingCall against deletion by connected slots
 
 This commit uses QPointer to guard the PendingCall object (and the
 QDBusPendingCallWatcher associated with it).
@@ -44,5 +44,5 @@ index 8656e48..94db648 100644
 
  void PendingCall::onInterfaceDestroyed()
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0006-Always-use-P2P-DBus-if-enabled.-Contributes-to-JB-42.patch b/rpm/0006-Always-use-P2P-DBus-if-enabled.-Contributes-to-JB-42.patch
@@ -1,7 +1,7 @@
-From 96f6867b69c30938b5e867ed09147ab209d38645 Mon Sep 17 00:00:00 2001
+From aee866158d7ed0ecd86334b5aa02e134d376680b Mon Sep 17 00:00:00 2001
 From: Chris Adams <chris.adams@jollamobile.com>
 Date: Tue, 19 Jun 2018 15:06:11 +1000
-Subject: [PATCH 6/8] Always use P2P DBus if enabled. Contributes to JB#42126
+Subject: [PATCH 6/9] Always use P2P DBus if enabled. Contributes to JB#42126
 
 This commit ensures that if the enable-p2p config is set, we don't
 ever allow falling back to the session bus to service signon requests,
@@ -89,5 +89,5 @@ index 5782d72..3eef484 100644
 
  headers.files = $$public_headers \
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0007-Use-p2p-dbus-for-signon-ui-flows.-Contributes-to-JB-.patch b/rpm/0007-Use-p2p-dbus-for-signon-ui-flows.-Contributes-to-JB-.patch
@@ -1,7 +1,7 @@
-From 7d41b3af7c9dfedb8ce88670a725735147be2e96 Mon Sep 17 00:00:00 2001
+From 95055459e8ca7ffee44c93adb1dc840864ed3eb8 Mon Sep 17 00:00:00 2001
 From: Chris Adams <chris.adams@jollamobile.com>
 Date: Tue, 19 Jun 2018 13:15:36 +1000
-Subject: [PATCH 7/8] Use p2p dbus for signon-ui flows. Contributes to JB#42126
+Subject: [PATCH 7/9] Use p2p dbus for signon-ui flows. Contributes to JB#42126
 
 ---
  src/signond/signonidentity.cpp    | 26 ++++++++++++++++++++--
@@ -169,5 +169,5 @@ index d4a428c..bb0543b 100644
 
      QDBusPendingCallWatcher *m_watcher;
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0008-Initialize-secrets-db-on-start.-Fixes-JB-34557.patch b/rpm/0008-Initialize-secrets-db-on-start.-Fixes-JB-34557.patch
@@ -1,7 +1,7 @@
-From cc70d78a61cea583d5e996a585eb799995c8a393 Mon Sep 17 00:00:00 2001
+From b82886e74cd7449bb812f5560f38faf094285f4f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marko=20Kentt=C3=A4l=C3=A4?= <marko.kenttala@jolla.com>
 Date: Fri, 26 Oct 2018 11:47:24 +0300
-Subject: [PATCH 8/8] Initialize secrets db on start. Fixes JB#34557
+Subject: [PATCH 8/9] Initialize secrets db on start. Fixes JB#34557
 
 ---
  libexec/libexec.pro           | 12 ++++++++++
@@ -116,5 +116,5 @@ index 58baa1a..4b6db21 100644
      m_instance = new SignonDaemon(app);
      return m_instance;
 -- 
-2.20.1
+2.17.1
 
diff --git a/rpm/0009-Treat-empty-ACL-as-synonym-for-.-Contributes-to-JB-2.patch b/rpm/0009-Treat-empty-ACL-as-synonym-for-.-Contributes-to-JB-2.patch
@@ -0,0 +1,36 @@
+From 313e047da4e704725ae4ca07acfa96c266de3c48 Mon Sep 17 00:00:00 2001
+From: Chris Adams <chris.adams@jollamobile.com>
+Date: Mon, 22 Jul 2019 14:00:51 +1000
+Subject: [PATCH 9/9] Treat empty ACL as synonym for "*". Contributes to
+ JB#27876
+
+Prior to 03dd20ef043bd5c1035387998c59312ccc704a59 the ACL was
+bypassed if the identity had no owner.
+With that commit applied, the ACL is enforced even if it had not
+previously been set, making all existing identities inaccessible.
+
+This commit ensures that if the ACL is empty, we treat this as a
+synonym for "*" ACL, allowing the identity to be accessed.
+---
+ src/signond/accesscontrolmanagerhelper.cpp | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/signond/accesscontrolmanagerhelper.cpp b/src/signond/accesscontrolmanagerhelper.cpp
+index 931efc3..40ef357 100644
+--- a/src/signond/accesscontrolmanagerhelper.cpp
++++ b/src/signond/accesscontrolmanagerhelper.cpp
+@@ -91,10 +91,7 @@ bool AccessControlManagerHelper::isPeerAllowedToUseIdentity(
+     if (ownership == ApplicationIsOwner)
+         return true;
+
+-    if (acl.isEmpty())
+-        return false;
+-
+-    if (acl.contains(QLatin1String("*")))
++    if (acl.contains(QLatin1String("*")) || acl.isEmpty())
+         return true;
+
+     return peerHasOneOfAccesses(peerConnection, peerMessage, acl);
+-- 
+2.17.1
+
diff --git a/rpm/signon-qt5.spec b/rpm/signon-qt5.spec
@@ -16,6 +16,7 @@ Patch5:  0005-Guard-PendingCall-against-deletion-by-connected-slot.patch
 Patch6:  0006-Always-use-P2P-DBus-if-enabled.-Contributes-to-JB-42.patch
 Patch7:  0007-Use-p2p-dbus-for-signon-ui-flows.-Contributes-to-JB-.patch
 Patch8:  0008-Initialize-secrets-db-on-start.-Fixes-JB-34557.patch
+Patch9:  0009-Treat-empty-ACL-as-synonym-for-.-Contributes-to-JB-2.patch
 
 BuildRequires: doxygen
 BuildRequires: pkgconfig(Qt5Core)
@@ -184,6 +185,7 @@ This package contains tests for signon
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 chmod +x tests/create-tests-definition.sh