author | Beniamino Galvani <bgalvani@redhat.com> | 2019-07-11 15:52:03 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2019-10-15 08:34:31 +0200 |
commit | 8763e6da9c5adb3c4ccf3b2713dbcc25a91c5ede (patch) | |
tree | d674a7575fe42b841137e4e406e2bd87225f952d | |
parent | 5b4f4a4c30bf29757582e3c15b63ba2199daeece (diff) | |
all: add 802-1x.optional property
Introduce a 802-1x.optional boolean property that can be used to
let the connection succeed even after an authentication timeout or
failure.
-rw-r--r-- | clients/common/nm-meta-setting-desc.c | 3 | ||||
-rw-r--r-- | clients/common/settings-docs.h.in | 1 | ||||
-rw-r--r-- | libnm-core/nm-setting-8021x.c | 62 | ||||
-rw-r--r-- | libnm-core/nm-setting-8021x.h | 3 | ||||
-rw-r--r-- | libnm/libnm.ver | 1 | ||||
-rw-r--r-- | src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 5 | ||||
-rw-r--r-- | src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 5 |
7 files changed, 80 insertions, 0 deletions
diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index f17e81b4b9..7021c5280b 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -4502,6 +4502,9 @@ static const NMMetaPropertyInfo *const property_infos_6LOWPAN[] = {
 #undef _CURRENT_NM_META_SETTING_TYPE
 #define _CURRENT_NM_META_SETTING_TYPE NM_META_SETTING_TYPE_802_1X
 static const NMMetaPropertyInfo *const property_infos_802_1X[] = {
+ PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_OPTIONAL,
+ .property_type = &_pt_gobject_bool,
+ ),
 PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_EAP,
 .property_type = &_pt_multilist,
 .property_typ_data = DEFINE_PROPERTY_TYP_DATA (
diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index 0024d8fbc8..a1b9784af1 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -54,6 +54,7 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_EAP N_("The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: \"leap\", \"md5\", \"tls\", \"peap\", \"ttls\", \"pwd\", and \"fast\". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_IDENTITY N_("Identity string for EAP authentication methods. Often the user's user or login name.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_OPTIONAL N_("Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PAC_FILE N_("UTF-8 encoded file path containing PAC for EAP-FAST.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD N_("UTF-8 encoded password used for EAP authentication methods. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 60f1118029..8464100d2f 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -124,6 +124,7 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSetting8021x,
 PROP_PIN,
 PROP_PIN_FLAGS,
 PROP_SYSTEM_CA_CERTS,
+ PROP_OPTIONAL,
 PROP_AUTH_TIMEOUT,
 );
@@ -172,6 +173,7 @@ typedef struct {
 NMSettingSecretFlags phase2_private_key_password_flags;
 gboolean system_ca_certs;
 int auth_timeout;
+ gboolean optional;
 } NMSetting8021xPrivate;
 G_DEFINE_TYPE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING)
@@ -2415,6 +2417,25 @@ nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting)
 return NM_SETTING_802_1X_GET_PRIVATE (setting)->auth_timeout;
 }
+/**
+ * nm_setting_802_1x_get_optional:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the value contained in the #NMSetting8021x:optional property.
+ *
+ * Returns: %TRUE if the activation should proceed even when the 802.1X
+ * authentication fails; %FALSE otherwise
+ *
+ * Since: 1.22
+ **/
+gboolean
+nm_setting_802_1x_get_optional (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->optional;
+}
+
 /*****************************************************************************/
 static void
@@ -2801,6 +2822,17 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
 if (error)
 g_return_val_if_fail (*error == NULL, FALSE);
+ if ( connection
+ && priv->optional
+ && !nm_streq0 (nm_connection_get_connection_type (connection), NM_SETTING_WIRED_SETTING_NAME)) {
+ g_set_error_literal (error,
+ NM_CONNECTION_ERROR,
+ NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("can be enabled only on Ethernet connections"));
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_OPTIONAL);
+ return FALSE;
+ }
+
 if (!priv->eap) {
 g_set_error_literal (error,
 NM_CONNECTION_ERROR,
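Review bot: The Ethernet-only restriction added at the top of verify() is applied only when `connection` is non-NULL, so a setting verified on its own is accepted with optional set to TRUE whatever connection it later ends up in. Because this property turns 802.1X into a fail-open check, I would state that at the check with a comment such as `/* connection can be NULL when the setting is verified alone; the type restriction only takes effect on a full connection */`. Whether every activation path verifies the complete connection is not visible in this hunk. verify() starts and continues outside the hunk.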
@@ -3141,6 +3173,9 @@ get_property (GObject *object, guint prop_id,
 case PROP_AUTH_TIMEOUT:
 g_value_set_int (value, priv->auth_timeout);
 break;
+ case PROP_OPTIONAL:
+ g_value_set_boolean (value, priv->optional);
+ break;
 default:
 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 break;
@@ -3319,6 +3354,9 @@ set_property (GObject *object, guint prop_id,
 case PROP_AUTH_TIMEOUT:
 priv->auth_timeout = g_value_get_int (value);
 break;
+ case PROP_OPTIONAL:
+ priv->optional = g_value_get_boolean (value);
+ break;
 default:
 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 break;
@@ -4388,6 +4426,30 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 NM_SETTING_PARAM_FUZZY_IGNORE |
 G_PARAM_STATIC_STRINGS);
+ /**
+ * NMSetting8021x:optional:
+ *
+ * Whether the 802.1X authentication is optional. If %TRUE, the activation
+ * will continue even after a timeout or an authentication failure. Setting
+ * the property to %TRUE is currently allowed only for Ethernet connections.
+ * If set to %FALSE, the activation can continue only after a successful
+ * authentication.
+ *
+ * Since: 1.22
+ **/
+ /* ---ifcfg-rh---
+ * property: optional
+ * variable: IEEE_8021X_OPTIONAL(+)
+ * default=no
+ * description: whether the 802.1X authentication is optional
+ * ---end---
+ */
+ obj_properties[PROP_OPTIONAL] =
+ g_param_spec_boolean (NM_SETTING_802_1X_OPTIONAL, "", "",
+ FALSE,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS);
+
 g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 _nm_setting_class_commit (setting_class, NM_META_SETTING_TYPE_802_1X);
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.h
index b5c3539617..1bcca30cb0 100644
--- a/libnm-core/nm-setting-8021x.h
+++ b/libnm-core/nm-setting-8021x.h
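Review bot: The gtk-doc comment for NMSetting8021x:optional in the nm_setting_802_1x_class_init hunk describes the behaviour but not its consequence for anyone relying on 802.1X as an access or network-identity check. With %TRUE a timeout or failed authentication no longer blocks activation, so an activated connection says nothing about whether authentication happened. I would add one sentence to the property comment, for example `* With %TRUE, a successful activation does not imply that the 802.1X authentication succeeded.`, and regenerate the matching DESCRIBE_DOC string in settings-docs.h.in from it. The ifcfg-rh `description:` line could carry the same caveat. The function starts outside the hunk.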
@@ -137,6 +137,7 @@ typedef enum { /*< flags, underscore_name=nm_setting_802_1x_auth_flags >*/
 #define NM_SETTING_802_1X_PIN_FLAGS "pin-flags"
 #define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
 #define NM_SETTING_802_1X_AUTH_TIMEOUT "auth-timeout"
+#define NM_SETTING_802_1X_OPTIONAL "optional"
 /* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
 * using the "blob" scheme, the data must be passed in PKCS#12 binary format.
@@ -346,6 +347,8 @@ NM_AVAILABLE_IN_1_8
 NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags (NMSetting8021x *setting);
 NM_AVAILABLE_IN_1_8
 int nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_22
+gboolean nm_setting_802_1x_get_optional (NMSetting8021x *setting);
 G_END_DECLS
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index e9a69d6881..15aa5fa169 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1634,5 +1634,6 @@ global:
 nm_client_reload;
 nm_client_reload_finish;
 nm_manager_reload_flags_get_type;
+ nm_setting_802_1x_get_optional;
 nm_setting_gsm_get_auto_config;
 } libnm_1_20_0;
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index ad72636385..c730f6447f 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -3527,6 +3527,11 @@ next:
 timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
 g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
+ g_object_set (s_8021x,
+ NM_SETTING_802_1X_OPTIONAL,
+ svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE),
+ NULL);
+
 return g_steal_pointer (&s_8021x);
 }
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 5b11544c06..86c3747050 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -524,6 +524,11 @@ write_8021x_setting (NMConnection *connection,
 vint = nm_setting_802_1x_get_auth_timeout (s_8021x);
 svSetValueInt64_cond (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", vint > 0, vint);
+ if (nm_setting_802_1x_get_optional (s_8021x))
+ svSetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", TRUE);
+ else
+ svUnsetValue (ifcfg, "IEEE_8021X_OPTIONAL");
+
 if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error))
 return FALSE; |