touch-packages team mailing list archive

Thread
Date

[Bug 1376445] Re: Addition of signon-apparmor-extension causes token lookup problems

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: James Henstridge <james.henstridge@xxxxxxxxxxxxx>
Date: Mon, 10 Nov 2014 08:36:58 -0000
Reply-to: Bug 1376445 <1376445@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Since the go-onlineaccounts bug task was added, I guess we are also
tracking the problems with scopes here too.

In my investigations last week, I came to the conclusion that the
problems were not limited to the Go scopes, but instead affected all
scopes running under confinement.

After digging in a bit, it isn't clear how it can be fixed without
changes to the online accounts API.  The way the online accounts
integration for scopes works is:

1. the scope starts a signin session for the account service with the
"no interaction" flag set.  If no token can be retrieved (either because
no account is available, or because the token isn't available), it will
push a result with a special login button.

2. When the special result is clicked by the user, the dash will
initiate the account creation process with the
OnlineAccountsClient::Setup class.

3. If the account is successfully created, the dash refreshes the
scope's results.  The scope starts another signin session and finds the
new token and displays personalised results.

>From my understanding, this breaks down because it is the dash's
AppArmor label (which I guess would be unconfined) that gets added to
the ACL for the account service.  What would be needed here would be
some kind of API the dash could use to ask for a second AppArmor label
to be added to the ACL.

** Changed in: go-onlineaccounts
       Status: Triaged => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-system-settings-
online-accounts in Ubuntu.
https://bugs.launchpad.net/bugs/1376445

Title:
  Addition of signon-apparmor-extension causes token lookup problems

Status in go-onlineaccounts:
  Incomplete
Status in The Savilerow project:
  Invalid
Status in ACL for signond, AppArmor backend:
  Fix Released
Status in Online Accounts setup for Ubuntu Touch:
  In Progress
Status in “ubuntu-system-settings-online-accounts” package in Ubuntu:
  In Progress
Status in “ubuntuone-credentials” package in Ubuntu:
  Confirmed
Status in “signon-apparmor-extension” package in Ubuntu RTM:
  Triaged
Status in “ubuntuone-credentials” package in Ubuntu RTM:
  Confirmed

Bug description:
  As of image ~264 of ubuntu-touch, the signon-apparmor-extension
  package is included. As a result, apps like pay-ui cannot find the
  token any longer, and are not being notified that they are not allowed
  to access the token. The following error appears in the payui log
  file:

  2014-10-01 19:15:51,550 - DEBUG -
  ../../../../lib/SignOn/authsessionimpl.cpp 184 errorSlot
  QDBusError("com.google.code.AccountsSSO.SingleSignOn.Error.PermissionDenied",
  "Client has insuficient permissions to access the
  service.Method:getAuthSessionObjectPath")

To manage notifications about this bug go to:
https://bugs.launchpad.net/go-onlineaccounts/+bug/1376445/+subscriptions

References

[Bug 1376445] [NEW] Addition of signon-apparmor-extension causes token lookup problems
From: Rodney Dawes, 2014-10-01