From f5390f91104ca5c531a1e778ecfafadc0a668075 Mon Sep 17 00:00:00 2001 From: "B. Stack" Date: Tue, 24 Sep 2024 16:11:26 -0400 Subject: add verbose, advanced (control other users), docs --- README.md | 30 ++++++++++++++++++++++++ aux/80-fprintd.rules | 29 +++++++++++++++++++++++ fprintd_tk.py | 54 ++++++++++++++++++++++++++++++++---------- fprintd_tk_lib.py | 66 ++++++++++++++++++++++++++++++++++++++++++++++++---- 4 files changed, 162 insertions(+), 17 deletions(-) create mode 100644 README.md create mode 100644 aux/80-fprintd.rules diff --git a/README.md b/README.md new file mode 100644 index 0000000..e60cbfb --- /dev/null +++ b/README.md @@ -0,0 +1,30 @@ +# README for fprintd_tk +This project is a desktop application that makes it easy for a user to control fingerprint enrollments. + +## Upstream +The upstream project is hosted at + +## Alternatives + +* Use `fprintd-enroll` on cli. +* Use whatever probably-GNOME software is demonstrated in + +## Reason for existence +I couldn't find a window-manager friendly gui for managing fingerprints. + +## Using +Run the program. + +## Dependencies + +* [python-tkstackrpms](https://bgstack15.ddns.net/cgit/python3-tkstackrpms/) +* python3-tk +* python3-pil + +The application really needs the user to have password-less auth permission in dbus/polkit to the fprintd actions. You will want a file like [80-fprintd.rules](aux/80-fprintd.rules) + +## Building + +## References + +* Icons adapted from [Numix Circle icon theme](https://github.com/numixproject/numix-icon-theme-circle) under GPL 3.0 diff --git a/aux/80-fprintd.rules b/aux/80-fprintd.rules new file mode 100644 index 0000000..1da22cf --- /dev/null +++ b/aux/80-fprintd.rules @@ -0,0 +1,29 @@ +/* +.. File: 80-fprintd.rules +.. Startdate: 2023-01-12-5 15:59 +.. History: +.. 2024-09-24 updated for current correctness required +.. Purpose: replaced fprintd.pkla for bgconf 0.1.34 +.. Origin: placed by fingerprint-scanner.sh +*/ +polkit.addRule(function(action, subject) { + if ( + ( + action.id.match("net.reactivated.fprint.device.enroll") || + action.id.match("net.reactivated.fprint.device.verify") + ) && subject.active) { + polkit.log("action=" + action); + polkit.log("subject=" + subject); + return polkit.Result.YES; + } +}); +polkit.addRule(function(action, subject) { + if ( + ( + action.id.match("net.reactivated.fprint.device.setusername") + ) && subject.active && subject.isInGroup("admins")) { + polkit.log("action=" + action); + polkit.log("subject=" + subject); + return polkit.Result.YES; + } +}); diff --git a/fprintd_tk.py b/fprintd_tk.py index 492f2eb..f7442d8 100755 --- a/fprintd_tk.py +++ b/fprintd_tk.py @@ -1,11 +1,23 @@ #!/usr/bin/env python3 +# File: fprintd_tk.py +# Location: https://bgstack15.cgit/fprintd-tk +# Author: bgstack15 # Startdate: 2024-09-22-1 14:26 +# SPDX-License-Identifier: GPL-3.0-only +# Title: Gui for fprintd # Purpose: tkinter desktop gui app for management fingerprint enrollments -# Dependencies: -# python3-tkstackrpms, python3-tk, python3-pil -# References: +# Project: fprintd-tk +# History: +# Usage: +# Run from window manager application menu +# Reference: # stackrpms_tk.py # Improve: +# Dependencies: +# dep-devuan: python3-tkstackrpms, python3-tk, python3-pil +# fprintd_tk_lib.py +# Documentation: +# README.md import tkinter as tk, os, tkinter.simpledialog, sys, threading, time import tkstackrpms as stk @@ -19,7 +31,7 @@ SPDX-License-Identifier: GPL-3.0-only Icons adapted from Numix-Icon-Theme-Circle (GPL 3) """ -# configurable by admin +# configurable by admin or installation img_path = os.path.join(os.path.dirname(os.path.realpath(__file__)),"images") # These will be used a lot in the program. @@ -39,13 +51,15 @@ class App(tk.Frame): self.advanced.trace_add("write",self.load_data_into_form) self.current_username = os.getenv("USER") self.username = tk.StringVar(value=self.current_username) + self.verbose = tk.BooleanVar(value=False) self.master.title("Gui for fprintd") imgicon = stk.get_scaled_icon("fingerprint-gui",24,"default", "","apps") self.master.tk.call("wm","iconphoto",self.master._w,imgicon) menu = tk.Menu(self.master) menu_file = tk.Menu(menu,tearoff=0) - menu_file.add_checkbutton(label="Advanced features", variable=self.advanced, underline=0) + menu_file.add_checkbutton(label="Advanced features", variable=self.advanced, underline=0, state="disabled") + menu_file.add_checkbutton(label="Verbose", variable=self.verbose, underline=0) menu_file.add_command(label="Delete...", command=self.func_delete, underline=0) menu_file.add_separator() menu_file.add_command(label="Exit", command=self.func_exit, underline=1) @@ -106,6 +120,15 @@ class App(tk.Frame): # status bar stk.StatusBar(self.master,var=self.statustext) + # check if user has setusername polkit-1 permission, which lets him control fingerprint enrollments for other users. + temp1 = lib.check_setusername_permission(self.func_update_status) + if self.verbose.get(): + print(f"DEBUG (init): has set_username: {temp1}") + if temp1: + #self.chk_advanced.configure(state="enabled") + #menu_file.child[0].child[0].configure(state="enabled") + menu_file.entryconfigure(0,state="normal") + #print(menu_file.children) # and now, load data into form for the first time self.load_data_into_form() @@ -128,10 +151,12 @@ class App(tk.Frame): # show advanced toolbar used_user = self.get_used_user() if advanced: - print(f"DEBUG: showing advanced toolbar") + if self.verbose.get(): + print(f"DEBUG: showing advanced toolbar") self.frm_advanced.grid(row=0,column=0,columnspan=100) else: - print(f"DEBUG: hiding advanced toolbar") + if self.verbose.get(): + print(f"DEBUG: hiding advanced toolbar") self.frm_advanced.grid_forget() # update enrolled fingers icons try: @@ -143,9 +168,11 @@ class App(tk.Frame): if temp1: self.enrolled_fingers = temp1 else: - print(f"DEBUG (load_data_into_form): having to skip empty response from get_enrolled_fingers") + if self.verbose.get(): + print(f"DEBUG (load_data_into_form): having to skip empty response from get_enrolled_fingers") self.func_update_status(f"Unable to read enrolled fingers for user {used_user}.", reload = False) - print(f"DEBUG (load_data_into_form): got user {used_user} enrolled fingers {self.enrolled_fingers}") + if self.verbose.get(): + print(f"DEBUG (load_data_into_form): got user {used_user} enrolled fingers {self.enrolled_fingers}") for i in self.fingers: if str(i.cget('text')) in self.enrolled_fingers: i.config(image=self.img_enrolled) @@ -163,7 +190,8 @@ class App(tk.Frame): self.master.quit() def func_finger_button(self, finger): - print(f"DEBUG: func_finger_button finger {finger}, action {self.action.get()}") + if self.verbose.get(): + print(f"DEBUG: func_finger_button finger {finger}, action {self.action.get()}") action = self.action.get() used_user = self.get_used_user() # position in array is same as the value coming from radio button for actions. @@ -188,13 +216,15 @@ class App(tk.Frame): def func_update_status(self, msg, reload = True): msg = msg.strip() - print(f"DEBUG (func_update_status): msg {msg}",file=sys.stderr) + if self.verbose.get(): + print(f"DEBUG (func_update_status): msg {msg}",file=sys.stderr) self.statustext.set(msg) try: this_finger = [i for i in self.fingers if i.cget("text") == self.last_fingerbutton_used.get()][0] except Exception as e: this_finger = None - print(f"DEBUG (func_update_status): while evaluating last-used finger, got {e}") + if self.verbose.get(): + print(f"DEBUG (func_update_status): while evaluating last-used finger, got {e}") # flash these red failure_messages = [ "enroll-duplicate", diff --git a/fprintd_tk_lib.py b/fprintd_tk_lib.py index bc97448..18470cb 100644 --- a/fprintd_tk_lib.py +++ b/fprintd_tk_lib.py @@ -1,9 +1,20 @@ #!/usr/bin/env python3 +# File: fprintd_tk_lib.py +# Location: https://bgstack15.cgit/fprintd-tk +# Author: bgstack15 # Startdate: 2024-09-22-1 15:33 -# Purpose: backend for fprintd_tk that uses fprintd-* binaries, in case I ever rewrite this to use dbus directly? +# SPDX-License-Identifier: GPL-3.0-only +# Title: Backend for fprintd_tk that uses fprintd binaries +# Purpose: In case this gets rewritten to use dbus directly or something +# Project: fprintd-tk +# History: +# Usage: +# Reference: +# Improve: # Dependencies: # /usr/bin/fprintd-* -# Improve: +# Documentation: +# README.md import os, subprocess, re @@ -17,11 +28,14 @@ prevent_success_messages = [ ] def get_enrolled_fingers(user = None, verbose = False): - # return list of full strings of fingers that are enrolled. + """ + Returns list of full strings of fingers that are enrolled for the listed user. + """ enrolled_fingers = [] if user is None: user = _user - print(f"DEBUG (get_enrolled_fingers): user {user}") + if verbose: + print(f"DEBUG (get_enrolled_fingers): user {user}") proc = subprocess.Popen( ["fprintd-list",user], stdout = subprocess.PIPE, @@ -29,12 +43,16 @@ def get_enrolled_fingers(user = None, verbose = False): ) while True: line = proc.stdout.readline() + if verbose: + print(f"DEBUG (get_enrolled_fingers): line {line}") if not line: break if fre.match(line): enrolled_fingers.append(fre.match(line).groups()[0].strip()) elif re.match("^.*No devices available.*", line): return [] + elif re.match("^.*has no fingers enrolled.*", line): + return ["none"] else: pass return enrolled_fingers @@ -52,7 +70,8 @@ def fprintd_action(action, finger, status_function = None, user = None, verbose if status_function: status_function(f"Invalid action {action}") return False - print(f"DEBUG (fprintd_action): command {command}") + if verbose: + print(f"DEBUG (fprintd_action): command {command}") proc = subprocess.Popen( command, stdout = subprocess.PIPE, @@ -88,3 +107,40 @@ def fprintd_action(action, finger, status_function = None, user = None, verbose break if display: status_function(f"Succeeded! {display_line}") + +def check_setusername_permission(status_function = None, verbose = False): + """ + This permission depends on a rule like this in /etc/polkit-1/rules.d/80-fprintd.rules: + + polkit.addRule(function(action, subject) { + if ( + ( + action.id.match("net.reactivated.fprint.device.setusername") + ) && subject.active && subject.isInGroup("admins")) { + polkit.log("action=" + action); + polkit.log("subject=" + subject); + return polkit.Result.YES; + } + }); + + We need to check for the ability to run `fprintd-list root` and if it does not print "not authorized", we can allow the advanced actions. + """ + proc = subprocess.Popen( + ["fprintd-list","root"], + stdout = subprocess.PIPE, + universal_newlines = True # or maybe text=True + ) + has_setusername = True + while True: + line = proc.stdout.readline() + if verbose: + print(f"DEBUG (check_setusername_permission): line {line}") + if not line: + break + if re.match(".*Not Authorized.*",line): + if verbose: + print(f"DEBUG (check_setusername_permission): setting has_setusername to false...") + has_setusername = False + if status_function: + status_function(f"Have advanced permissions: {has_setusername}") + return has_setusername -- cgit