scripts: add portal access script

Includes a plugin to handle the portal permission store dbus interface

modules/meson.build

@@ -64,6 +64,20 @@ shared_library(
   dependencies : [wp_dep, giounix_dep],
 )
 
+subdir('module-portal-permissionstore')
+shared_library(
+  'wireplumber-module-portal-permissionstore',
+  [
+    'module-portal-permissionstore/plugin.c',
+    portal_permissionstore_enums,
+  ],
+  c_args : [common_c_args, '-DG_LOG_DOMAIN="m-portal-permissionstore"'],
+  include_directories: portal_permissionstore_includes,
+  install : true,
+  install_dir : wireplumber_module_dir,
+  dependencies : [wp_dep, giounix_dep],
+)
+
 shared_library(
   'wireplumber-module-si-adapter',
   [

modules/module-portal-permissionstore/meson.build

@@ -0,0 +1,5 @@
+portal_permissionstore_enums = gnome.mkenums_simple('portal-permissionstore-enums',
+  sources: [ 'plugin.h' ],
+)
+
+portal_permissionstore_includes = include_directories('.')

modules/module-portal-permissionstore/plugin.c

@@ -0,0 +1,307 @@
+/* WirePlumber
+ *
+ * Copyright © 2021 Collabora Ltd.
+ *    @author Julian Bouzas <julian.bouzas@collabora.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include "plugin.h"
+#include "portal-permissionstore-enums.h"
+
+#define DBUS_INTERFACE_NAME "org.freedesktop.impl.portal.PermissionStore"
+#define DBUS_OBJECT_PATH "/org/freedesktop/impl/portal/PermissionStore"
+
+G_DEFINE_TYPE (WpPortalPermissionStorePlugin, wp_portal_permissionstore_plugin,
+    WP_TYPE_PLUGIN)
+
+enum
+{
+  ACTION_LOOKUP,
+  ACTION_SET,
+  SIGNAL_CHANGED,
+  LAST_SIGNAL
+};
+
+enum
+{
+  PROP_0,
+  PROP_STATE,
+};
+
+static guint signals[LAST_SIGNAL] = { 0 };
+
+static GVariant *
+wp_portal_permissionstore_plugin_lookup (WpPortalPermissionStorePlugin *self,
+    const gchar *table, const gchar *id)
+{
+  g_autoptr (GError) error = NULL;
+  g_autoptr (GVariant) res = NULL;
+  GVariant *permissions = NULL, *data = NULL;
+
+  g_return_val_if_fail (self->connection, NULL);
+
+  /* Lookup */
+  res = g_dbus_connection_call_sync (self->connection, DBUS_INTERFACE_NAME,
+      DBUS_OBJECT_PATH, DBUS_INTERFACE_NAME, "Lookup",
+      g_variant_new ("(ss)", table, id), NULL, G_DBUS_CALL_FLAGS_NONE, -1, NULL,
+      &error);
+  if (error) {
+    wp_warning_object (self, "Failed to call Lookup: %s", error->message);
+    return NULL;
+  }
+
+  /* Get the permissions */
+  g_variant_get (res, "(@a{sas}@v)", &permissions, &data);
+
+  return permissions ? g_variant_ref (permissions) : NULL;
+}
+
+static void
+wp_portal_permissionstore_plugin_set (WpPortalPermissionStorePlugin *self,
+    const gchar *table, gboolean create, const gchar *id, GVariant *permissions)
+{
+  g_autoptr (GError) error = NULL;
+  g_autoptr (GVariant) res = NULL;
+  GVariant *data = NULL;
+
+  g_return_if_fail (self->connection);
+
+  /* Set */
+  res = g_dbus_connection_call_sync (self->connection, DBUS_INTERFACE_NAME,
+      DBUS_OBJECT_PATH, DBUS_INTERFACE_NAME, "Set",
+      g_variant_new ("(sbs@a{sas}@v)", table, id, permissions, data), NULL,
+      G_DBUS_CALL_FLAGS_NONE, -1, NULL, &error);
+  if (error)
+    wp_warning_object (self, "Failed to call Set: %s", error->message);
+}
+
+static void
+wp_portal_permissionstore_plugin_changed (GDBusConnection *connection,
+    const gchar *sender_name, const gchar *object_path,
+    const gchar *interface_name, const gchar *signal_name,
+    GVariant *parameters, gpointer user_data)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (user_data);
+  const char *table = NULL, *id = NULL;
+  gboolean deleted = FALSE;
+  GVariant *permissions = NULL, *data = NULL;
+
+  g_return_if_fail (parameters);
+  g_variant_get (parameters, "(ssb@v@a{sas})", &table, &id, &deleted, &data,
+      &permissions);
+
+  g_signal_emit (self, signals[SIGNAL_CHANGED], 0, table, id, deleted,
+      permissions);
+}
+
+static void
+wp_portal_permissionstore_plugin_init (WpPortalPermissionStorePlugin * self)
+{
+  self->cancellable = g_cancellable_new ();
+}
+
+static void
+wp_portal_permissionstore_plugin_finalize (GObject * object)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (object);
+
+  g_clear_object (&self->cancellable);
+
+  G_OBJECT_CLASS (wp_portal_permissionstore_plugin_parent_class)->finalize (
+      object);
+}
+
+static void
+wp_portal_permissionstore_plugin_disable_internal (
+    WpPortalPermissionStorePlugin *self)
+{
+  if (self->connection && self->signal_id > 0)
+    g_dbus_connection_signal_unsubscribe (self->connection, self->signal_id);
+  g_clear_object (&self->connection);
+
+  if (self->state != WP_DBUS_CONNECTION_STATUS_CLOSED) {
+    self->state = WP_DBUS_CONNECTION_STATUS_CLOSED;
+    g_object_notify (G_OBJECT (self), "state");
+  }
+
+  wp_object_update_features (WP_OBJECT (self), 0, WP_PLUGIN_FEATURE_ENABLED);
+}
+
+static void
+on_connection_closed (GDBusConnection *connection,
+    gboolean remote_peer_vanished, GError *error, gpointer data)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (data);
+  wp_info_object (self, "D-Bus connection closed: %s", error->message);
+  wp_portal_permissionstore_plugin_disable_internal (self);
+}
+
+static void
+got_bus (GObject * obj, GAsyncResult * res, gpointer data)
+{
+  WpTransition *transition = WP_TRANSITION (data);
+  WpPortalPermissionStorePlugin *self =
+      wp_transition_get_source_object (transition);
+  g_autoptr (GError) error = NULL;
+
+  self->connection = g_dbus_connection_new_for_address_finish (res, &error);
+  if (!self->connection) {
+    wp_portal_permissionstore_plugin_disable_internal (self);
+    g_prefix_error (&error, "Failed to connect to session bus: ");
+    wp_transition_return_error (transition, g_steal_pointer (&error));
+    return;
+  }
+
+  wp_debug_object (self, "Connected to bus");
+
+  g_signal_connect_object (self->connection, "closed",
+      G_CALLBACK (on_connection_closed), self, 0);
+  g_dbus_connection_set_exit_on_close (self->connection, FALSE);
+
+  self->state = WP_DBUS_CONNECTION_STATUS_CONNECTED;
+  g_object_notify (G_OBJECT (self), "state");
+
+  /* Listen for the changed signal */
+  self->signal_id = g_dbus_connection_signal_subscribe (self->connection,
+      DBUS_INTERFACE_NAME, DBUS_INTERFACE_NAME, "Changed", NULL, NULL,
+      G_DBUS_SIGNAL_FLAGS_NONE, wp_portal_permissionstore_plugin_changed, self,
+      NULL);
+
+  wp_object_update_features (WP_OBJECT (self), WP_PLUGIN_FEATURE_ENABLED, 0);
+}
+
+static void
+wp_portal_permissionstore_plugin_enable (WpPlugin * plugin,
+    WpTransition * transition)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (plugin);
+  g_autoptr (GError) error = NULL;
+  g_autofree gchar *address = NULL;
+
+  g_return_if_fail (self->state == WP_DBUS_CONNECTION_STATUS_CLOSED);
+
+  address = g_dbus_address_get_for_bus_sync (G_BUS_TYPE_SESSION, NULL, &error);
+  if (!address) {
+    g_prefix_error (&error, "Error acquiring session bus address: ");
+    wp_transition_return_error (transition, g_steal_pointer (&error));
+    return;
+  }
+
+  wp_debug_object (self, "Connecting to bus: %s", address);
+
+  self->state = WP_DBUS_CONNECTION_STATUS_CONNECTING;
+  g_object_notify (G_OBJECT (self), "state");
+
+  g_dbus_connection_new_for_address (address,
+      G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT |
+      G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION,
+      NULL, self->cancellable, got_bus, transition);
+}
+
+static void
+wp_portal_permissionstore_plugin_disable (WpPlugin * plugin)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (plugin);
+
+  g_cancellable_cancel (self->cancellable);
+  wp_portal_permissionstore_plugin_disable_internal (self);
+  g_clear_object (&self->cancellable);
+  self->cancellable = g_cancellable_new ();
+}
+
+static void
+wp_portal_permissionstore_plugin_get_property (GObject * object,
+    guint property_id, GValue * value, GParamSpec * pspec)
+{
+  WpPortalPermissionStorePlugin *self =
+      WP_PORTAL_PERMISSIONSTORE_PLUGIN (object);
+
+  switch (property_id) {
+  case PROP_STATE:
+    g_value_set_enum (value, self->state);
+    break;
+  default:
+    G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+    break;
+  }
+}
+
+static void
+wp_portal_permissionstore_plugin_class_init (
+    WpPortalPermissionStorePluginClass * klass)
+{
+  GObjectClass *object_class = (GObjectClass *) klass;
+  WpPluginClass *plugin_class = (WpPluginClass *) klass;
+
+  object_class->finalize = wp_portal_permissionstore_plugin_finalize;
+  object_class->get_property = wp_portal_permissionstore_plugin_get_property;
+
+  plugin_class->enable = wp_portal_permissionstore_plugin_enable;
+  plugin_class->disable = wp_portal_permissionstore_plugin_disable;
+
+  g_object_class_install_property (object_class, PROP_STATE,
+      g_param_spec_enum ("state", "state", "The state",
+          WP_TYPE_DBUS_CONNECTION_STATUS, WP_DBUS_CONNECTION_STATUS_CLOSED,
+          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS));
+
+  /**
+   * WpPortalPermissionStorePlugin::lookup:
+   * @table: the table name
+   * @id: the Id name
+   *
+   * Returns: (transfer full): the GVariant with permissions
+   */
+  signals[ACTION_LOOKUP] = g_signal_new_class_handler (
+      "lookup", G_TYPE_FROM_CLASS (klass),
+      G_SIGNAL_RUN_LAST | G_SIGNAL_ACTION,
+      (GCallback) wp_portal_permissionstore_plugin_lookup,
+      NULL, NULL, NULL, G_TYPE_VARIANT,
+      2, G_TYPE_STRING, G_TYPE_STRING);
+
+  /**
+   * WpPortalPermissionStorePlugin::set:
+   * @table: the table name
+   * @create: whether to create the table if it does not exist
+   * @id: the Id name
+   * @permissions: the permissions
+   *
+   * Sets the permissions in the permission store
+   */
+  signals[ACTION_SET] = g_signal_new_class_handler (
+      "set", G_TYPE_FROM_CLASS (klass),
+      G_SIGNAL_RUN_LAST | G_SIGNAL_ACTION,
+      (GCallback) wp_portal_permissionstore_plugin_set,
+      NULL, NULL, NULL, G_TYPE_NONE,
+      4, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_STRING, G_TYPE_VARIANT);
+
+  /**
+   * WpPortalPermissionStorePlugin::changed:
+   * @table: the table name
+   * @id: the Id name
+   * @deleted: whether the permission was deleted or not
+   * @permissions: the GVariant with permissions
+   *
+   * Signaled when the permissions changed
+   */
+  signals[SIGNAL_CHANGED] = g_signal_new (
+      "changed", G_TYPE_FROM_CLASS (klass),
+      G_SIGNAL_RUN_LAST, 0,
+      NULL, NULL, NULL, G_TYPE_NONE, 4,
+      G_TYPE_STRING, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_VARIANT);
+}
+
+WP_PLUGIN_EXPORT gboolean
+wireplumber__module_init (WpCore * core, GVariant * args, GError ** error)
+{
+  wp_plugin_register (g_object_new (wp_portal_permissionstore_plugin_get_type(),
+      "name", "portal-permissionstore",
+      "core", core,
+      NULL));
+  return TRUE;
+}

modules/module-portal-permissionstore/plugin.h

@@ -0,0 +1,39 @@
+/* WirePlumber
+ *
+ * Copyright © 2021 Collabora Ltd.
+ *    @author Julian Bouzas <julian.bouzas@collabora.com>
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef __WIREPLUMBER_PORTAL_PERMISSIONSTORE_PLUGIN_H__
+#define __WIREPLUMBER_PORTAL_PERMISSIONSTORE_PLUGIN_H__
+
+#include <wp/wp.h>
+
+G_BEGIN_DECLS
+
+typedef enum {
+  WP_DBUS_CONNECTION_STATUS_CLOSED = 0,
+  WP_DBUS_CONNECTION_STATUS_CONNECTING,
+  WP_DBUS_CONNECTION_STATUS_CONNECTED,
+} WpDBusConnectionStatus;
+
+G_DECLARE_FINAL_TYPE (WpPortalPermissionStorePlugin,
+    wp_portal_permissionstore_plugin, WP, PORTAL_PERMISSIONSTORE_PLUGIN,
+    WpPlugin)
+
+struct _WpPortalPermissionStorePlugin
+{
+  WpPlugin parent;
+
+  WpDBusConnectionStatus state;
+  guint signal_id;
+
+  GCancellable *cancellable;
+  GDBusConnection *connection;
+};
+
+G_END_DECLS
+
+#endif

src/config/config.lua

@@ -69,6 +69,12 @@ load_module("device-activation")
 function enable_access()
   -- Flatpak access
   load_access("flatpak")
+
+  -- Enables portal permissions via org.freedesktop.impl.portal.PermissionStore
+  load_module("portal-permissionstore")
+
+  -- Portal access
+  load_access("portal")
 end
 
 function enable_audio()

src/scripts/access/access-portal.lua

@@ -0,0 +1,129 @@
+ID_ALL = 0xffffffff
+
+MEDIA_ROLE_NONE = 0
+MEDIA_ROLE_CAMERA = 1 << 0
+
+function hasPermission (permissions, app_id, lookup)
+  if permissions then
+    for key, values in pairs(permissions) do
+      if key == app_id then
+        for _, v in pairs(values) do
+          if v == lookup then
+            return true
+          end
+        end
+      end
+    end
+  end
+  return false
+end
+
+function parseMediaRoles (media_roles_str)
+  local media_roles = MEDIA_ROLE_NONE
+  for role in media_roles_str:gmatch('[^,%s]+') do
+    if role == "Camera" then
+      media_roles = media_roles | MEDIA_ROLE_CAMERA
+    end
+  end
+  return media_roles
+end
+
+function setPermissions (client, nodes_om, allow_client, allow_nodes)
+  local client_id = client["bound-id"]
+  Log.info(client, "Granting ALL access to client " .. client_id)
+
+  -- Update permissions on client
+  client:update_permissions ({[client_id] = allow_client and "rwx" or "-"})
+
+  -- Update permissions on client's nodes
+  for node in nodes_om:iterate_filtered( Interest { type = "node",
+    Constraint { "client.id", "=", client_id },
+    Constraint { "media.role", "=", "Camera" },
+    Constraint { "media.class", "=", "Video/Source" },
+  }) do
+    local node_id = node["bound-id"]
+    client:update_permissions ({[node_id] = allow_nodes and "rwx" or "-"})
+  end
+end
+
+function updateClientPermissions (client, nodes_om, permissions)
+  local client_id = client["bound-id"]
+  local str_prop = nil
+  local app_id = nil
+  local media_roles = nil
+  local allowed = false
+
+  -- Make sure the client is not the portal itself
+  str_prop = client.properties["pipewire.access.portal.is_portal"]
+  if str_prop == "yes" then
+    Log.info (client, "client is the portal itself")
+    return
+  end
+
+  -- Make sure the client has a portal app Id
+  str_prop = client.properties["pipewire.access.portal.app_id"]
+  if str_prop == nil then
+    Log.info (client, "Portal managed client did not set app_id")
+    return
+  end
+  if str_prop == "" then
+    Log.info (client, "Ignoring portal check for non-sandboxed client")
+    setPermissions (client, nodes_om, true, true)
+    return
+  end
+  app_id = str_prop
+
+  -- Make sure the client has portal media roles
+  str_prop = client.properties["pipewire.access.portal.media_roles"]
+  if str_prop == nil then
+  Log.info (client, "Portal managed client did not set media_roles")
+    return
+  end
+  media_roles = parseMediaRoles (str_prop)
+  if not (media_roles & MEDIA_ROLE_CAMERA) then
+    Log.info (client, "Ignoring portal check for clients without camera role")
+    return
+  end
+
+  -- Update permissions
+  allowed = hasPermission (permissions, app_id, "yes")
+
+  Log.info (client, "setting permissions: " .. tostring(allowed))
+  setPermissions (client, nodes_om, allowed, allowed)
+end
+
+-- Create portal clients object manager
+clients_om = ObjectManager { Interest { type = "client",
+  Constraint { "pipewire.access", "=", "portal" },
+} }
+
+-- Set permissions to portal clients from the permission store if loaded
+pps_plugin = Plugin("portal-permissionstore")
+if pps_plugin then
+  local nodes_om = ObjectManager { Interest { type = "node" } }
+  nodes_om:activate()
+  clients_om:connect("object-added", function (om, client)
+    local new_perms = pps_plugin:call("lookup", "devices", "camera");
+    updateClientPermissions (client, nodes_om, new_perms)
+  end)
+  pps_plugin:connect("changed", function (p, table, id, deleted, permissions)
+    if table == "devices" or id == "camera" then
+      for app_id, _ in pairs(permissions) do
+        for client in clients_om:iterate_filtered( Interest { type = "client",
+            Constraint { "pipewire.access.portal.app_id", "=", app_id }
+        }) do
+          updateClientPermissions (client, nodes_om, permissions)
+        end
+      end
+    end
+  end)
+else
+  -- Otherwise, just set all permissions to all portal clients
+  clients_om:connect("object-added", function (om, client)
+    local id = client["bound-id"]
+    Log.info(client, "Granting ALL access to client " .. id)
+    client:update_permissions ({ [ID_ALL] = "rwx" })
+  end)
+end
+
+clients_om:activate()