From 176cce2e58dbada5f920163607c7a8494dc1eabd Mon Sep 17 00:00:00 2001 From: Robert Fairley Date: Jul 04 2019 16:27:45 +0000 Subject: Add polkit rule to authorize zincati to perform upgrades Change is brought forward from: https://github.com/coreos/zincati/pull/59 Signed-off-by: Robert Fairley
---
diff --git a/0001-dist-add-polkit-rule-for-rpm-ostree-59.patch b/0001-dist-add-polkit-rule-for-rpm-ostree-59.patch
new file mode 100644
index 0000000..352b8f2
--- /dev/null
+++ b/0001-dist-add-polkit-rule-for-rpm-ostree-59.patch
@@ -0,0 +1,26 @@
+From 6b98e164cd233fb1a68d49d2b6b9f9bf2c2dcb8a Mon Sep 17 00:00:00 2001
+From: Robert Fairley
+Date: Thu, 4 Jul 2019 09:21:18 -0400
+Subject: [PATCH] dist: add polkit rule for rpm-ostree
+
+Add a polkit rule to allow the `zincati` user to make `deploy` and
+`finalize-deployment` calls to the D-Bus API exposed by rpm-ostree.
+---
+ dist/polkit-1/rules.d/zincati.rules | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 dist/polkit-1/rules.d/zincati.rules
+
+diff --git a/dist/polkit-1/rules.d/zincati.rules b/dist/polkit-1/rules.d/zincati.rules
+new file mode 100644
+index 0000000..2171bde
+--- /dev/null
++++ b/dist/polkit-1/rules.d/zincati.rules
+@@ -0,0 +1,8 @@
++// Allow Zincati to deploy, and finalize a staged deployment through rpm-ostree.
++polkit.addRule(function(action, subject) {
++ if ((action.id == "org.projectatomic.rpmostree1.deploy" ||
++ action.id == "org.projectatomic.rpmostree1.finalize-deployment") &&
++ subject.user == "zincati") {
++ return polkit.Result.YES;
++ }
++})
diff --git a/rust-zincati.spec b/rust-zincati.spec
index e6b493d..cb5312c 100644
--- a/rust-zincati.spec
+++ b/rust-zincati.spec
@@ -6,7 +6,7 @@ Name: rust-%{crate} Version: 0.0.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Update agent for Fedora CoreOS # Upstream license specification: Apache-2.0
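Review bot: The rule in `dist/polkit-1/rules.d/zincati.rules` (carried inside the added 0001 patch) answers `polkit.Result.YES` on `subject.user == "zincati"` alone, so any process running under that account can request `deploy` and `finalize-deployment` with no further authentication, and the one-line comment does not record that trust assumption. I would extend the comment to something like `// Grants only these two rpm-ostree actions to the "zincati" system user; every other action and subject falls through to the default policy.` and name the sysusers entry (`50-zincati.conf`, already shipped by the spec) as the presumed source of that account. As far as I can tell the `deploy` action lets the caller choose the target version, so it is worth confirming against the rpm-ostree policy file whether a narrower action would cover Zincati's needs. The file name also has no numeric prefix, so it sorts after numbered rules files in polkit's lexical ordering; a prefix would make the evaluation order explicit.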
@@ -15,12 +15,16 @@ URL: https://crates.io/crates/zincati Source: %{crates_source} # Initial patched metadata Patch0: zincati-fix-metadata.diff
+# Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59
+Patch0001: 0001-dist-add-polkit-rule-for-rpm-ostree-59.patch
 ExclusiveArch: %{rust_arches} BuildRequires: rust-packaging BuildRequires: systemd-rpm-macros
+Requires: %{_datadir}/polkit-1/rules.d
+
 %global _description %{expand: Update agent for Fedora CoreOS.}
@@ -47,6 +51,7 @@ Summary: %{summary} %{_unitdir}/zincati.service %{_sysusersdir}/50-zincati.conf %{_tmpfilesdir}/zincati.conf
+%{_datadir}/polkit-1/rules.d/zincati.rules
 %pre -n %{crate} %sysusers_create_package %{crate} 50-zincati.conf
@@ -84,6 +89,8 @@ install -Dpm0644 -t %{buildroot}%{_sysusersdir} \ dist/sysusers.d/*.conf install -Dpm0644 -t %{buildroot}%{_tmpfilesdir} \ dist/tmpfiles.d/*.conf
+install -Dpm0644 -t %{buildroot}%{_datadir}/polkit-1/rules.d \
+ dist/polkit-1/rules.d/*.rules
 %if %{with check} %check
@@ -91,6 +98,9 @@ install -Dpm0644 -t %{buildroot}%{_tmpfilesdir} \ %endif %changelog
+* Thu Jul 04 2019 Robert Fairley - 0.0.2-6
+- Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59
+
 * Tue Jul 02 2019 Robert Fairley - 0.0.2-5 - Add missing owned directories, tidy owned files list
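Review bot: The added `Requires: %{_datadir}/polkit-1/rules.d` in the `@@ -15,12 +15,16 @@` hunk sits in the top-level preamble next to the `BuildRequires` lines, while `zincati.rules` is listed in a `%files` section that appears to belong to the `%{crate}` subpackage (the `%pre -n %{crate}` scriptlet follows it; the `%package` header is outside the hunks). RPM does not propagate preamble `Requires` to subpackages, so the package that actually ships the rule may end up without a dependency on the owner of that directory, and the rule could be installed into a directory this package neither owns nor pulls in. If that reading is right, move the line under `%package -n %{crate}`, directly after that section's `Summary:`.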