From 4d45f30e2846852577cff70d5f83df9ed73b939f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=98=8EMostafa=20Emami?=
Date: Mon, 2 Jan 2023 17:42:43 +0100
Subject: [PATCH] auth: Optionally not send UID with external auth Due to mismatch between UID in a user-namespace and out-of-band credential acquired by server on another user-namespace refrain from sending UID with external authentication by default to keep compatibility still fallback to sending UID if it fails https://github.com/godbus/dbus/issues/345
---
 conn_test.go | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
diff --git a/conn_test.go b/conn_test.go
index a97f6ca..4cff197 100644
--- a/conn_test.go
+++ b/conn_test.go
@@ -1,13 +1,17 @@
 package dbus
 import (
+ "bufio"
 "context"
 "encoding/binary"
 "fmt"
 "io"
 "io/ioutil"
 "log"
+ "os"
+ "os/exec"
 "sync"
+ "syscall"
 "testing"
 "time"
 )
@@ -78,6 +82,21 @@ func TestConnectSystemBus(t *testing.T) {
 }
 }
+func TestConnectToDifferentUserNamespace(t *testing.T) {
+ addr, process := startDaemonInDifferentUserNamespace(t)
+ defer func() { _ = process.Kill() }()
+ conn, err := Connect(addr)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if err = conn.Close(); err != nil {
+ t.Fatal(err)
+ }
+ if conn.Connected() {
+ t.Fatal("Should be closed")
+ }
+}
+
 func TestSend(t *testing.T) {
 bus, err := ConnectSessionBus()
 if err != nil {
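Review bot: conn_test.go appears to carry no build constraint, since this hunk starts at line 1 with `package dbus`, yet the `syscall` import added here is used by the helper at the end of the patch for `Cloneflags`, `UidMappings`, `GidMappings` and `syscall.CLONE_NEWUSER`, which exist only in the Linux `syscall` package. If the package is meant to be tested on other platforms, the test file will stop compiling there. Moving TestConnectToDifferentUserNamespace and startDaemonInDifferentUserNamespace into a file with a `_linux_test.go` suffix (or one guarded by `//go:build linux`) would keep the rest of conn_test.go portable.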
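Review bot: The deferred cleanup in TestConnectToDifferentUserNamespace kills the daemon but never waits on it, so the child stays unreaped until the test binary exits. Because the helper returns only an `*os.Process`, the defer could become `defer func() { _ = process.Kill(); _, _ = process.Wait() }()`. The test also fails rather than skips when the helper cannot start the daemon, for example where `dbus-daemon` is not installed or unprivileged user namespaces are disabled on a hardened host; an `exec.LookPath("dbus-daemon")` check followed by `t.Skip` would separate an unsupported environment from a real authentication regression.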
@@ -826,3 +845,66 @@ func TestTimeoutContextClosesConnection(t *testing.T) {
 t.Errorf("expected connection to be closed, but got: %v", err)
 }
 }
+
+// starts a dbus-daemon instance in a new user-namespace
+// and returns its address string and underlying process.
+func startDaemonInDifferentUserNamespace(t *testing.T) (string, *os.Process) {
+ config := `
+
+ unix:path=/tmp/test.socket
+ EXTERNAL
+
+
+
+
+
+
+
+
+ `
+ cfg, err := ioutil.TempFile("", "")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer os.Remove(cfg.Name())
+ if _, err = cfg.Write([]byte(config)); err != nil {
+ t.Fatal(err)
+ }
+
+ cmd := exec.Command("dbus-daemon", "--nofork", "--print-address", "--config-file", cfg.Name())
+
+ cmd.SysProcAttr = &syscall.SysProcAttr{
+ Cloneflags: syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
+ UidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getuid(),
+ Size: 1,
+ },
+ },
+ GidMappings: []syscall.SysProcIDMap{
+ {
+ ContainerID: 0,
+ HostID: os.Getgid(),
+ Size: 1,
+ },
+ },
+ }
+
+ cmd.Stderr = os.Stderr
+ out, err := cmd.StdoutPipe()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if err := cmd.Start(); err != nil {
+ t.Fatal(err)
+ }
+ r := bufio.NewReader(out)
+ l, _, err := r.ReadLine()
+ if err != nil {
+ _ = cmd.Process.Kill()
+ t.Fatal(err)
+ }
+ return string(l), cmd.Process
+}
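Review bot: The listen address in the config string is the fixed path `unix:path=/tmp/test.socket`, a predictable name in a world-writable directory. Concurrent test runs on one host will collide on it, nothing in the helper removes the socket afterwards, and on a shared machine another local user can create that path first. Creating a private directory with `dir, err := ioutil.TempDir("", "dbus-test")` and building the `unix:path=` value from it with `fmt.Sprintf` would avoid this, with the caller removing the directory once the daemon has exited. Separately, `cfg` is never closed after the write, so the helper leaks the file handle.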