author | Thomas Haller <thaller@redhat.com> | 2019-06-15 11:18:46 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2019-06-17 12:12:02 +0200 |
commit | 1de36fad51476794b609c6dfc31266f08a8ae2c1 (patch) | |
tree | 5a6bbb92e195bd42ecd5208ec4f5dbf157a9c8e8 | |
parent | a17453913c9f6f24235f1f60721c6028288e213b (diff) | |
download | NetworkManager-1de36fad51476794b609c6dfc31266f08a8ae2c1.tar.gz |
libnm: add NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED serialization flag
At various places we only want to serialize agent-owned secrets. Without this
flag, we need to clone the setting first, then drop the secrets, then serialize
to D-Bus. Add a serialization flag to avoid that.
The name ("with") and the meaning of the flag are chosen so that there could be
several flags of this kind (for example NM_CONNECTION_SERIALIZE_WITH_SECRETS_NOT_REQUIRED).
Specifying at least one of them whitelists the secrets whose flags match; specifying
none of the "with" flags means *all* secrets are serialized. Currently there is only
one such kind, so the name and its meaning are slightly counter-intuitive.
-rw-r--r-- | libnm-core/nm-connection.h | 9 | ||||
-rw-r--r-- | libnm-core/nm-core-internal.h | 12 | ||||
-rw-r--r-- | libnm-core/nm-setting-wireguard.c | 2 | ||||
-rw-r--r-- | libnm-core/nm-setting.c | 23 |
4 files changed, 35 insertions, 11 deletions
diff --git a/libnm-core/nm-connection.h b/libnm-core/nm-connection.h
index bddec74bae..4399ad67da 100644
--- a/libnm-core/nm-connection.h
+++ b/libnm-core/nm-connection.h
@@ -111,14 +111,17 @@ NMSetting *nm_connection_get_setting_by_name (NMConnection *connection,
 * @NM_CONNECTION_SERIALIZE_ALL: serialize all properties (including secrets)
 * @NM_CONNECTION_SERIALIZE_NO_SECRETS: do not include secrets
 * @NM_CONNECTION_SERIALIZE_ONLY_SECRETS: only serialize secrets
+ * @NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED: if set, only secrets that
+ * are agent owned will be serialized.
 *
 * These flags determine which properties are serialized when calling when
 * calling nm_connection_to_dbus().
 **/
 typedef enum { /*< flags >*/
- NM_CONNECTION_SERIALIZE_ALL = 0x00000000,
- NM_CONNECTION_SERIALIZE_NO_SECRETS = 0x00000001,
- NM_CONNECTION_SERIALIZE_ONLY_SECRETS = 0x00000002,
+ NM_CONNECTION_SERIALIZE_ALL = 0x00000000,
+ NM_CONNECTION_SERIALIZE_NO_SECRETS = 0x00000001,
+ NM_CONNECTION_SERIALIZE_ONLY_SECRETS = 0x00000002,
+ NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED = 0x00000004,
 } NMConnectionSerializationFlags;
 GVariant *nm_connection_to_dbus (NMConnection *connection,
diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h
index eb0767c7ea..eaf29849cf 100644
--- a/libnm-core/nm-core-internal.h
+++ b/libnm-core/nm-core-internal.h
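Review bot: The new enum documentation on the `+ * @NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED` lines says which secrets survive, but not how the flag composes with the existing flags, which is exactly what a caller deciding what to hand to a secret agent over D-Bus needs to know. From the nm-setting.c and nm-core-internal.h hunks of this commit, NM_CONNECTION_SERIALIZE_NO_SECRETS still takes precedence, non-secret properties are not affected, and combining it with NM_CONNECTION_SERIALIZE_ONLY_SECRETS yields only agent-owned secrets. I would extend the comment to `* @NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED: if set, only secrets that are agent owned will be serialized. Non-secret properties are unaffected, NM_CONNECTION_SERIALIZE_NO_SECRETS takes precedence, and combining with NM_CONNECTION_SERIALIZE_ONLY_SECRETS yields only agent-owned secrets.` The pre-existing "when calling when calling" duplication two context lines below could be fixed while this comment block is being touched.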
@@ -806,6 +806,18 @@ GBytes *_nm_setting_802_1x_cert_value_to_bytes (NMSetting8021xCKScheme scheme,
 /*****************************************************************************/
+static inline gboolean
+_nm_connection_serialize_secrets (NMConnectionSerializationFlags flags,
+ NMSettingSecretFlags secret_flags)
+{
+ if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_NO_SECRETS))
+ return FALSE;
+ if ( NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)
+ && !NM_FLAGS_HAS (secret_flags, NM_SETTING_SECRET_FLAG_AGENT_OWNED))
+ return FALSE;
+ return TRUE;
+}
+
 void _nm_connection_clear_secrets_by_secret_flags (NMConnection *self,
 NMSettingSecretFlags filter_flags);
diff --git a/libnm-core/nm-setting-wireguard.c b/libnm-core/nm-setting-wireguard.c
index dd26a1ea48..64a9b1a228 100644
--- a/libnm-core/nm-setting-wireguard.c
+++ b/libnm-core/nm-setting-wireguard.c
@@ -1490,7 +1490,7 @@ _peers_dbus_only_synth (const NMSettInfoSetting *sett_info,
 && peer->endpoint)
 g_variant_builder_add (&builder, "{sv}", NM_WIREGUARD_PEER_ATTR_ENDPOINT, g_variant_new_string (nm_sock_addr_endpoint_get_endpoint (peer->endpoint)));
- if ( !NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_NO_SECRETS)
+ if ( _nm_connection_serialize_secrets (flags, peer->preshared_key_flags)
 && peer->preshared_key)
 g_variant_builder_add (&builder, "{sv}", NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY, g_variant_new_string (peer->preshared_key));
diff --git a/libnm-core/nm-setting.c b/libnm-core/nm-setting.c
index 297804b5ce..dfb2393ca3 100644
--- a/libnm-core/nm-setting.c
+++ b/libnm-core/nm-setting.c
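Review bot: `_nm_connection_serialize_secrets` is added to the internal header without any comment, although it is meant to be the reusable filter for the new flag and the commit message anticipates further "with" flags of the same kind. I would document the contract above the `static inline gboolean` line: `/* Whether a secret carrying @secret_flags is included when serializing with @flags: NM_CONNECTION_SERIALIZE_NO_SECRETS always excludes it, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED requires NM_SETTING_SECRET_FLAG_AGENT_OWNED; NM_CONNECTION_SERIALIZE_ONLY_SECRETS is deliberately not consulted, as it only affects non-secret properties. */` That also makes explicit that the caller must pass the flags of the individual secret, not of the setting, which is what the WireGuard call site does with `peer->preshared_key_flags`.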
@@ -708,13 +708,22 @@ property_to_dbus (const NMSettInfoSetting *sett_info,
 && !_nm_utils_is_manager_process)
 return NULL;
- if ( NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_NO_SECRETS)
- && NM_FLAGS_HAS (property->param_spec->flags, NM_SETTING_PARAM_SECRET))
- return NULL;
-
- if ( NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS)
- && !NM_FLAGS_HAS (property->param_spec->flags, NM_SETTING_PARAM_SECRET))
- return NULL;
+ if (NM_FLAGS_HAS (property->param_spec->flags, NM_SETTING_PARAM_SECRET)) {
+ if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_NO_SECRETS))
+ return NULL;
+ if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)) {
+ NMSettingSecretFlags f;
+
+ /* see also _nm_connection_serialize_secrets() */
+ if (!nm_setting_get_secret_flags (setting, property->param_spec->name, &f, NULL))
+ return NULL;
+ if (!NM_FLAGS_HAS (f, NM_SETTING_SECRET_FLAG_AGENT_OWNED))
+ return NULL;
+ }
+ } else {
+ if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_ONLY_SECRETS))
+ return NULL;
+ }
 }
 if (property->to_dbus_fcn) { |
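Review bot: The secret branch added to property_to_dbus re-implements the filter that `_nm_connection_serialize_secrets()` now provides instead of calling it, so the next "with" flag the commit message anticipates has to be added in two places and the two can silently diverge; the `/* see also _nm_connection_serialize_secrets() */` comment only acknowledges that. The per-secret flags lookup is needed only when NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED is set, so the branch can do that lookup and then delegate to the helper with identical results for every flag combination (NO_SECRETS still wins, a failed lookup still drops the secret). The failed-lookup path also deserves a comment of its own, since dropping the secret is the fail-closed choice and should not be mistaken for an oversight by a later maintainer. property_to_dbus starts and ends outside the hunk.

```c
	if (NM_FLAGS_HAS (property->param_spec->flags, NM_SETTING_PARAM_SECRET)) {
		NMSettingSecretFlags f = 0;

		/* Only NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED needs the
		 * per-secret flags. If they cannot be determined, fail closed and
		 * drop the secret rather than risk serializing it to the wrong party. */
		if (   NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)
		    && !nm_setting_get_secret_flags (setting, property->param_spec->name, &f, NULL))
			return NULL;
		if (!_nm_connection_serialize_secrets (flags, f))
			return NULL;
	} else {
		/* … unchanged: NM_CONNECTION_SERIALIZE_ONLY_SECRETS check … */
	}
```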