The polkit service registers RAGS as a polkit authentication agent for the
current user session.
The sensitive part of the flow is implemented in the native GUtils helper: it
subclasses PolkitAgent.Listener and uses PolkitAgent.Session, which
delegates successful responses through polkit's setuid helper. JavaScript code
only receives request metadata and sends prompt responses.
const polkit = await Service.import("polkit");
const password = Widget.Entry({
visibility: false,
on_accept: (self) => {
polkit.respond(self.text);
self.text = "";
},
});
const dialog = Widget.Window({
name: "polkit",
layer: "overlay",
keymode: "exclusive",
visible: polkit.bind("active"),
child: Widget.Box({
vertical: true,
children: [
Widget.Label({
label: polkit.bind("current-request").as((request) => {
return request?.message ?? "";
}),
}),
Widget.Label({
label: polkit.bind("prompt").as((prompt) => {
return prompt?.message ?? "";
}),
}),
password,
Widget.Button({
label: "Cancel",
on_clicked: () => polkit.cancel(),
}),
],
}),
});
polkit.connect(
"request",
() => Utils.timeout(100, () => password.grab_focus()),
);
polkit.connect("show-error", (_, message) => print(message));
polkit.registerAgent();
By default, the service selects the first identity polkit offers. Disable this if your UI lets the user choose an identity:
polkit.autoSelectIdentity = false;
polkit.connect("begin", (_, request) => {
request.identities.forEach((identity, index) => {
print(`${index}: ${identity.name ?? identity.id}`);
});
});
polkit.selectIdentity(0);
registered: boolean - whether this process is registered as an agent.active: boolean - whether an authentication request is active.current_request: object or null - action id, message, details, and
identities.prompt: object or null - prompt message and whether echo is allowed.registerAgent(options?) registers the current process as an agent.unregisterAgent() unregisters the agent.selectIdentity(index) starts authentication for an offered identity.respond(response) answers the current prompt.cancel() cancels the current authentication request.begin(request) fires when polkit starts an authentication request.request(prompt) fires when PAM asks for input.show-info(message) and show-error(message) forward PAM messages.completed(authorized) fires when the authentication session ends.cancelled fires when polkit or the user cancels the request.