From b7155bf86da629d4f6cd951ba66df0b30a52076c Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Fri, 30 May 2025 14:22:01 +0200
Subject: [PATCH] Xnamespace: add support for multiple auth tokens per
 namespace

Support having more than one auth token per namespace, so separate tokens
can be handed out to clients that are still landing in the same namespace.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
 Xext/namespace/config.c        | 40 ++++++++++++++++++++--------------
 Xext/namespace/namespace.c     | 15 ++++++++-----
 Xext/namespace/namespace.h     | 12 +++++++---
 Xext/namespace/ns.conf.example |  5 +++++
 4 files changed, 47 insertions(+), 25 deletions(-)

diff --git a/Xext/namespace/config.c b/Xext/namespace/config.c
index 8c450c553..dfdce9a76 100644
--- a/Xext/namespace/config.c
+++ b/Xext/namespace/config.c
@@ -105,21 +105,27 @@ static void parseLine(char *line, struct Xnamespace **walk_ns)
         if (token == NULL)
             return;
 
-        curr->authProto = strdup(token);
+        struct auth_token *new_token = calloc(1, sizeof(struct auth_token));
+        if (new_token == NULL)
+            FatalError("Xnamespace: failed allocating token\n");
+
+        new_token->authProto = strdup(token);
         token = strtok(NULL, " ");
 
-        curr->authTokenLen = strlen(token)/2;
-        curr->authTokenData = calloc(1, curr->authTokenLen);
-        if (!curr->authTokenData) {
-            curr->authTokenLen = 0;
+        new_token->authTokenLen = strlen(token)/2;
+        new_token->authTokenData = calloc(1, new_token->authTokenLen);
+        if (!new_token->authTokenData) {
+            free(new_token);
             return;
         }
-        hex2bin(token, curr->authTokenData);
+        hex2bin(token, new_token->authTokenData);
 
-        AddAuthorization(strlen(curr->authProto),
-                         curr->authProto,
-                         curr->authTokenLen,
-                         curr->authTokenData);
+        new_token->authId = AddAuthorization(strlen(new_token->authProto),
+                                             new_token->authProto,
+                                             new_token->authTokenLen,
+                                             new_token->authTokenData);
+
+        xorg_list_append(&new_token->entry, &curr->auth_tokens);
         return;
     }
 
@@ -179,12 +185,14 @@ Bool XnsLoadConfig(void)
 
     struct Xnamespace *ns;
     xorg_list_for_each_entry(ns, &ns_list, entry) {
-        XNS_LOG("namespace: \"%s\" \"%s\" \"",
-            ns->name,
-            ns->authProto);
-        for (int i=0; i<ns->authTokenLen; i++)
-            printf("%02X", (unsigned char)ns->authTokenData[i]);
-        printf("\"\n");
+        XNS_LOG("namespace: \"%s\" \n", ns->name);
+        struct auth_token *at;
+        xorg_list_for_each_entry(at, &ns->auth_tokens, entry) {
+            XNS_LOG("      auth: \"%s\" \"", at->authProto);
+            for (int i=0; i<at->authTokenLen; i++)
+                printf("%02X", (unsigned char)at->authTokenData[i]);
+            printf("\"\n");
+        }
     }
 
     return TRUE;
diff --git a/Xext/namespace/namespace.c b/Xext/namespace/namespace.c
index 77bd92198..fac94df1b 100644
--- a/Xext/namespace/namespace.c
+++ b/Xext/namespace/namespace.c
@@ -76,12 +76,15 @@ struct Xnamespace* XnsFindByAuth(size_t szAuthProto, const char* authProto, size
 {
     struct Xnamespace *walk;
     xorg_list_for_each_entry(walk, &ns_list, entry) {
-        int protoLen = walk->authProto ? strlen(walk->authProto) : 0;
-        if ((protoLen == szAuthProto) &&
-            (walk->authTokenLen == szAuthToken) &&
-            (memcmp(walk->authTokenData, authToken, szAuthToken)==0) &&
-            (memcmp(walk->authProto, authProto, szAuthProto)==0))
-            return walk;
+        struct auth_token *at;
+        xorg_list_for_each_entry(at, &walk->auth_tokens, entry) {
+            int protoLen = at->authProto ? strlen(at->authProto) : 0;
+            if ((protoLen == szAuthProto) &&
+                (at->authTokenLen == szAuthToken) &&
+                (memcmp(at->authTokenData, authToken, szAuthToken)==0) &&
+                (memcmp(at->authProto, authProto, szAuthProto)==0))
+                return walk;
+        }
     }
 
     // default to anonymous if credentials aren't assigned to specific NS
diff --git a/Xext/namespace/namespace.h b/Xext/namespace/namespace.h
index 626f0a9da..36331df19 100644
--- a/Xext/namespace/namespace.h
+++ b/Xext/namespace/namespace.h
@@ -10,6 +10,14 @@
 #include "include/window.h"
 #include "include/windowstr.h"
 
+struct auth_token {
+    struct xorg_list entry;
+    const char *authProto;
+    char *authTokenData;
+    size_t authTokenLen;
+    XID authId;
+};
+
 struct Xnamespace {
     struct xorg_list entry;
     const char *name;
@@ -20,9 +28,7 @@ struct Xnamespace {
     Bool allowXInput;
     Bool allowXKeyboard;
     Bool superPower;
-    const char *authProto;
-    char *authTokenData;
-    size_t authTokenLen;
+    struct xorg_list auth_tokens;
     size_t refcnt;
     WindowPtr rootWindow;
 };
diff --git a/Xext/namespace/ns.conf.example b/Xext/namespace/ns.conf.example
index 28623832e..954d9f187 100644
--- a/Xext/namespace/ns.conf.example
+++ b/Xext/namespace/ns.conf.example
@@ -1,13 +1,18 @@
 
 # auth <proto> <hex-key>
   auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad90b0
+  auth MIT-MAGIC-COOKIE-1 56f8e62b78e58962de0ceefc05ad90b0
 
 # container <name> <parent_name>
 container xeyes root
   auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad90b8
+  auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad90a8
   allow mouse-motion
   allow shape
   allow xinput
 
 container xclock root
   auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad90b7
+  auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad91b7
+  auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad92b7
+  auth MIT-MAGIC-COOKIE-1 46f8e62b78e58962de0ceefc05ad93b7