Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for new Polkit (versions >= 124) #1147

Merged
merged 7 commits into from
Dec 2, 2024
Merged

Support for new Polkit (versions >= 124) #1147

merged 7 commits into from
Dec 2, 2024

Conversation

denisonbarbosa
Copy link
Member

The new Polkit introduced quite some changes, even syntax ones. Since then, users had to install an additional compatibility package to make the privilege escalation policy work.

This PR adds support for the new Polkit versions whilst still supporting clients that have the older versions and properly handling migration between versions as well.

UDENG-5318

@codecov-commenter
Copy link

codecov-commenter commented Nov 27, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 87.09677% with 16 lines in your changes missing coverage. Please review.

Project coverage is 91.45%. Comparing base (b7c1883) to head (50df13d).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
internal/policies/privilege/privilege.go 87.09% 16 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1147      +/-   ##
==========================================
- Coverage   91.55%   91.45%   -0.10%     
==========================================
  Files          79       79              
  Lines        8961     9074     +113     
==========================================
+ Hits         8204     8299      +95     
- Misses        747      765      +18     
  Partials       10       10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@denisonbarbosa denisonbarbosa marked this pull request as ready for review November 28, 2024 08:11
@denisonbarbosa denisonbarbosa requested a review from a team as a code owner November 28, 2024 08:11
didrocks
didrocks requested changes Nov 28, 2024
View reviewed changes
Copy link
Member

@didrocks didrocks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

It’s hard to check every single golden files, I did check most of them but I assume you did check all of them one by one :)

I have some nitpicks, but nothing really core to the changes. However, I see that in the policy manager tests testdata/existing-files don’t contains pre-existings rules.d content which should be ready to be overriden, shouldn’t that be the case or does the github diff is fooling me? I see also that you generate some files that should be as test fixtures IMHO. Finally, some idea on how to improve IMHO the code readability and logic.

But overall this looks really sweet, nice!

internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Show resolved Hide resolved
internal/policies/privilege/privilege.go Show resolved Hide resolved
internal/policies/privilege/privilege.go Show resolved Hide resolved
internal/policies/privilege/privilege_test.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
didrocks
didrocks reviewed Dec 2, 2024
View reviewed changes
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
internal/policies/privilege/privilege.go Outdated Show resolved Hide resolved
didrocks
didrocks approved these changes Dec 2, 2024
View reviewed changes
Copy link
Member

@didrocks didrocks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do have everything we need now. Well done!

@denisonbarbosa
Support for Polkit 124
c511e37 
The "new" polkit (version 124 and above) introduced a lot of changes in
its behavior. This commit updates the privilege escalation policy
manager to be able to correctly identify which polkit version is running
in the client and apply the policy properly
@denisonbarbosa
Add test for new AdminIdentitiesFromRules function
5cc63d9 
This is likely the most senstive part of this update, since we need to
ensure we properly parse the existing files so we don't damage the
current admin structure of the client.

Therefore, it deserves a unit test
@denisonbarbosa
Allow overriding the default polkit path in tests
8405364
@denisonbarbosa
Update existing test with newer format
3ec1da5
@denisonbarbosa
Update tests golden files and assets
8713c66
@denisonbarbosa
Remove polkitd-pkla from suggested packages
1e3563a 
Now that we support the new polkit versions, we don't need to recommend
this anymore.
@denisonbarbosa
Update check for polkit configuration in e2e tests
50df13d 
We used to rely only on a single way of applying the privilege policy.
Now, we have two ways of applying it based on the polkit version. The
e2e tests validation needs to account for that.
@denisonbarbosa denisonbarbosa merged commit 2d2a5e1 into main Dec 2, 2024
4 checks passed
@denisonbarbosa denisonbarbosa deleted the polkit-124 branch December 2, 2024 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@didrocks didrocks didrocks approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@denisonbarbosa @codecov-commenter @didrocks