From d3e7d6609a8e63c21e85abf135d237a3bdd30913 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 8 Feb 2022 16:13:48 +0100
Subject: [PATCH] polkit.yml: Make GitHub Actions detect Polkit policy parse
 error regressions

---
 .github/workflows/polkit.yml | 67 ++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/polkit.yml

diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml
new file mode 100644
index 00000000..fc4b4fe3
--- /dev/null
+++ b/.github/workflows/polkit.yml
@@ -0,0 +1,67 @@
+##
+## Copyright (c) 2022 Sebastian Pipping <sebastian@pipping.org>
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+name: Check for Polkit policy parse errors
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  polkit_policies:
+
+    name: Check for Polkit policy parse errors
+    runs-on: ubuntu-20.04
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Install runtime dependencies
+      run:  |
+        set -x
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends --yes -V expat
+
+    - name: Check for Polkit policy parse errors
+      run:  |
+        # This will work around pkaction exiting with unjustified(?)
+        # code 1 on Ubuntu 20.04
+        check_polkit_action() { pkaction -v -a "$1" | tee /dev/stderr | fgrep -q 'implicit any' ; }
+
+        set -x
+        actions=(
+            org.usbguard.Devices.listDevices
+            org.usbguard.Devices.applyDevicePolicy
+            org.usbguard.Policy.appendRule
+            org.usbguard.Policy.listRules
+            org.usbguard.Policy.removeRule
+            org.usbguard.getParameter
+            org.usbguard.setParameter
+        )
+
+        # Self-test: Assert that prior to installation, our Polkit "actions"
+        # are unknown to PolKit.
+        ! check_polkit_action "${actions[0]}"
+
+        # Install the policy so that polkin can find it
+        xmlwf      src/DBus/org.usbguard.policy
+        sudo cp -v src/DBus/org.usbguard.policy /usr/share/polkit-1/actions/
+
+        # Assert that after installation, all of our Polkit "actions" are known.
+        # This detects parse error regressions.
+        for action in "${actions[@]}"; do
+            check_polkit_action "${action}"
+        done