kael 0.2.0

GPU-accelerated native UI framework for Rust — build desktop apps with Metal, DirectX, and Vulkan rendering
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

use crate::{BiometricKind, BiometricStatus};

/// Check if fprintd is available and has enrolled fingerprints.
///
/// Queries the `net.reactivated.Fprint.Manager` D-Bus interface to list devices,
/// then checks if any device has enrolled fingerprints for the current user.
fn fprintd_status() -> Option<BiometricStatus> {
    // Check if fprintd manager is reachable by listing devices
    let output = std::process::Command::new("dbus-send")
        .args([
            "--system",
            "--dest=net.reactivated.Fprint",
            "--type=method_call",
            "--print-reply",
            "/net/reactivated/Fprint/Manager",
            "net.reactivated.Fprint.Manager.GetDefaultDevice",
        ])
        .output()
        .ok()?;

    if !output.status.success() {
        return None;
    }

    let stdout = std::str::from_utf8(&output.stdout).ok()?;
    let device_path = parse_dbus_object_path(stdout)?;

    // Check if the current user has enrolled fingerprints on this device
    let username = std::env::var("USER")
        .or_else(|_| std::env::var("LOGNAME"))
        .unwrap_or_default();

    if username.is_empty() {
        return Some(BiometricStatus::Available(BiometricKind::Fingerprint));
    }

    let list_output = std::process::Command::new("dbus-send")
        .args([
            "--system",
            "--dest=net.reactivated.Fprint",
            "--type=method_call",
            "--print-reply",
            &device_path,
            "net.reactivated.Fprint.Device.ListEnrolledFingers",
            &format!("string:{}", username),
        ])
        .output()
        .ok()?;

    if list_output.status.success() {
        let list_stdout = std::str::from_utf8(&list_output.stdout).ok()?;
        // If the response contains array elements, fingerprints are enrolled
        if list_stdout.contains("string") {
            Some(BiometricStatus::Available(BiometricKind::Fingerprint))
        } else {
            // Device exists but no fingerprints enrolled — still report available
            // since the hardware is present
            Some(BiometricStatus::Available(BiometricKind::Fingerprint))
        }
    } else {
        // Device exists but listing failed (e.g., no enrolled fingers error)
        // The hardware is present, so report available
        Some(BiometricStatus::Available(BiometricKind::Fingerprint))
    }
}

/// Check if polkit is available for general authentication.
fn polkit_available() -> bool {
    let output = std::process::Command::new("dbus-send")
        .args([
            "--system",
            "--dest=org.freedesktop.PolicyKit1",
            "--type=method_call",
            "--print-reply",
            "/org/freedesktop/PolicyKit1/Authority",
            "org.freedesktop.DBus.Properties.Get",
            "string:org.freedesktop.PolicyKit1.Authority",
            "string:BackendVersion",
        ])
        .output();

    match output {
        Ok(o) => o.status.success(),
        Err(_) => false,
    }
}

/// Returns the biometric status for the Linux platform.
///
/// Checks fprintd first for fingerprint reader support, then falls back
/// to polkit for general authentication capability.
pub fn biometric_status() -> BiometricStatus {
    // Try fprintd first
    if let Some(status) = fprintd_status() {
        return status;
    }

    // Polkit doesn't provide biometric auth per se, but it can prompt
    // for authentication. We only report it as available if fprintd is not.
    // Since polkit is password-based, not biometric, we report Unavailable
    // when there's no actual biometric hardware.
    BiometricStatus::Unavailable
}

/// Authenticate using fprintd fingerprint verification.
fn authenticate_fprintd(reason: &str, callback: Box<dyn FnOnce(bool) + Send>) {
    let _ = reason; // fprintd doesn't use a reason string in its D-Bus API

    // Use fprintd-verify which handles the full verification flow
    let output = std::process::Command::new("fprintd-verify").output();

    match output {
        Ok(o) => callback(o.status.success()),
        Err(_) => callback(false),
    }
}

/// Authenticate using polkit (pkexec or pkttyagent).
///
/// Uses `pkcheck` to verify the user's identity via polkit, which will
/// prompt for password authentication through the system's polkit agent.
fn authenticate_polkit(reason: &str, callback: Box<dyn FnOnce(bool) + Send>) {
    let _ = reason;

    // Use pkcheck with a well-known action that requires auth
    let pid = std::process::id();
    let output = std::process::Command::new("pkcheck")
        .args([
            "--action-id",
            "org.freedesktop.policykit.exec",
            "--process",
            &pid.to_string(),
            "--allow-user-interaction",
        ])
        .output();

    match output {
        Ok(o) => callback(o.status.success()),
        Err(_) => callback(false),
    }
}

/// Authenticate the user via biometrics on Linux.
///
/// Tries fprintd first if available, then falls back to polkit.
pub fn authenticate_biometric(reason: &str, callback: Box<dyn FnOnce(bool) + Send>) {
    // If fprintd is available, use fingerprint verification
    if fprintd_status().is_some() {
        authenticate_fprintd(reason, callback);
        return;
    }

    // Fall back to polkit for general authentication
    if polkit_available() {
        authenticate_polkit(reason, callback);
        return;
    }

    // No authentication method available
    callback(false);
}

/// Parse a D-Bus object path from dbus-send --print-reply output.
fn parse_dbus_object_path(stdout: &str) -> Option<String> {
    for line in stdout.lines() {
        let trimmed = line.trim();
        if let Some(rest) = trimmed.strip_prefix("object path") {
            let path = rest.trim().trim_matches('"');
            if path.starts_with('/') {
                return Some(path.to_string());
            }
        }
    }
    None
}