libnmc-base: add supported options for OpenConnect CLI authentication

Ideally, we wouldn't have this hard-coded in NetworkManager itself; we
would invoke a tool to do it for us, like the GUI auth-dialog, which
can live in the NetworkManager-openconnect repository and be kept up
to date as new options are added.

To start with though, let's bring it into sync. We don't add new options
that often, and this will cover the majority of use cases.

1 files changed, 85 insertions, 5 deletions

diff --git a/src/libnmc-base/nm-vpn-helpers.c b/src/libnmc-base/nm-vpn-helpers.c
index e447ef047a..f7a65e3815 100644
--- a/src/libnmc-base/nm-vpn-helpers.c
+++ b/src/libnmc-base/nm-vpn-helpers.c
@@ -187,7 +187,50 @@ _extract_variable_value(char *line, const char *tag, char **value)
     return TRUE;
 }
 
-#define OC_ARGS_MAX 10
+#define NM_OPENCONNECT_KEY_GATEWAY              "gateway"
+#define NM_OPENCONNECT_KEY_COOKIE               "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT               "gwcert"
+#define NM_OPENCONNECT_KEY_RESOLVE              "resolve"
+#define NM_OPENCONNECT_KEY_AUTHTYPE             "authtype"
+#define NM_OPENCONNECT_KEY_USERCERT             "usercert"
+#define NM_OPENCONNECT_KEY_CACERT               "cacert"
+#define NM_OPENCONNECT_KEY_PRIVKEY              "userkey"
+#define NM_OPENCONNECT_KEY_KEY_PASS             "key_pass"
+#define NM_OPENCONNECT_KEY_MTU                  "mtu"
+#define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID  "pem_passphrase_fsid"
+#define NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT "prevent_invalid_cert"
+#define NM_OPENCONNECT_KEY_DISABLE_UDP          "disable_udp"
+#define NM_OPENCONNECT_KEY_PROTOCOL             "protocol"
+#define NM_OPENCONNECT_KEY_PROXY                "proxy"
+#define NM_OPENCONNECT_KEY_CSD_ENABLE           "enable_csd_trojan"
+#define NM_OPENCONNECT_KEY_USERAGENT            "useragent"
+#define NM_OPENCONNECT_KEY_CSD_WRAPPER          "csd_wrapper"
+#define NM_OPENCONNECT_KEY_TOKEN_MODE           "stoken_source"
+#define NM_OPENCONNECT_KEY_TOKEN_SECRET         "stoken_string"
+#define NM_OPENCONNECT_KEY_REPORTED_OS          "reported_os"
+#define NM_OPENCONNECT_KEY_MCACERT              "mcacert"
+#define NM_OPENCONNECT_KEY_MCAKEY               "mcakey"
+#define NM_OPENCONNECT_KEY_MCA_PASS             "mca_key_pass"
+
+struct {
+    const char *property;
+    const char *cmdline;
+} oc_property_args[] = {
+    {NM_OPENCONNECT_KEY_USERCERT, "--certificate"},
+    {NM_OPENCONNECT_KEY_CACERT, "--caflle"},
+    {NM_OPENCONNECT_KEY_PRIVKEY, "--sslkey"},
+    {NM_OPENCONNECT_KEY_KEY_PASS, "--key-password"},
+    {NM_OPENCONNECT_KEY_PROTOCOL, "--protocol"},
+    {NM_OPENCONNECT_KEY_PROXY, "--proxy"},
+    {NM_OPENCONNECT_KEY_USERAGENT, "--useragent"},
+    {NM_OPENCONNECT_KEY_REPORTED_OS, "--os"},
+    {NM_OPENCONNECT_KEY_MCACERT, "--mca-certificate"},
+    {NM_OPENCONNECT_KEY_MCAKEY, "--mca-key"},
+    {NM_OPENCONNECT_KEY_MCA_PASS, "--mca-key-password"},
+};
+
+#define NR_OC_STRING_PROPS (sizeof(oc_property_args) / sizeof(oc_property_args[0]))
+#define OC_ARGS_MAX        (12 + 2 * NR_OC_STRING_PROPS)
 
 gboolean
 nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn,
@@ -216,7 +259,7 @@ nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn,
     };
     const char *gw, *port;
     const char *oc_argv[OC_ARGS_MAX];
-    int         oc_argc = 0;
+    int         i, oc_argc = 0;
 
     /* Get gateway and port */
     gw   = nm_setting_vpn_get_data_item(s_vpn, "gateway");
@@ -236,10 +279,47 @@ nm_vpn_openconnect_authenticate_helper(NMSettingVpn *s_vpn,
     oc_argv[oc_argc++] = "--authenticate";
     oc_argv[oc_argc++] = gw;
 
-    opt = nm_setting_vpn_get_data_item(s_vpn, "protocol");
+    for (i = 0; i < NR_OC_STRING_PROPS; i++) {
+        opt = nm_setting_vpn_get_data_item(s_vpn, oc_property_args[i].property);
+        if (opt) {
+            oc_argv[oc_argc++] = oc_property_args[i].cmdline;
+            oc_argv[oc_argc++] = opt;
+        }
+    }
+
+    opt = nm_setting_vpn_get_data_item(s_vpn, NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID);
+    if (opt && nm_streq(opt, "yes"))
+        oc_argv[oc_argc++] = "--key-password-from-fsid";
+
+    opt = nm_setting_vpn_get_data_item(s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+    if (opt && nm_streq(opt, "yes")) {
+        opt = nm_setting_vpn_get_data_item(s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+        if (opt) {
+            oc_argv[oc_argc++] = "--csd-wrapper";
+            oc_argv[oc_argc++] = opt;
+        }
+    }
+
+    opt = nm_setting_vpn_get_data_item(s_vpn, NM_OPENCONNECT_KEY_TOKEN_MODE);
     if (opt) {
-        oc_argv[oc_argc++] = "--protocol";
-        oc_argv[oc_argc++] = opt;
+        const char *token_secret =
+            nm_setting_vpn_get_data_item(s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET);
+        if (nm_streq(opt, "manual") && token_secret) {
+            opt = "rsa";
+        } else if (nm_streq(opt, "stokenrc")) {
+            opt          = "rsa";
+            token_secret = NULL;
+        } else if (!nm_streq(opt, "totp") && !nm_streq(opt, "hotp") && !nm_streq(opt, "yubioath")) {
+            opt = NULL;
+        }
+        if (opt) {
+            oc_argv[oc_argc++] = "--token-mode";
+            oc_argv[oc_argc++] = opt;
+        }
+        if (token_secret) {
+            oc_argv[oc_argc++] = "--token-secret";
+            oc_argv[oc_argc++] = token_secret;
+        }
     }
 
     oc_argv[oc_argc++] = NULL;