From 948a03d2a28dae7bb975f6e64dc7b5a31f10d5b9 Mon Sep 17 00:00:00 2001

From: Thomas Haller <thaller@redhat.com>

Date: Fri, 14 Sep 2018 11:13:05 +0200

Subject: [PATCH 1/1] cli: fix reading "vpn.secrets.*" from passwd-file

Due to a bug, we required VPN secrets to be prefixed with

"vpn.secret." instead of "vpn.secrets.". This was a change

in behavior with 1.12.0 release.

Fix it, to restore the old behavior. For backward compatibility

to the broken behavior, adjust parse_passwords() to treat accept

that as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1628833

https://github.com/NetworkManager/NetworkManager/pull/201

Fixes: 0601b5d725b072bd3ce4ec60be867898a16f85cd

(cherry picked from commit 5815ae8c60961f088e4e54b41ddf8254cb83574a)

(cherry picked from commit 6bfab6796f064c4f878e05476a60cd59fa8bf11e)

(cherry picked from commit 10888abe96fedd3d6c5b99faea76465522f8e8e9)

---

 clients/cli/common.c                    |  6 +++---

 clients/cli/connections.c               | 10 +++++++++-

 clients/common/nm-secret-agent-simple.c |  2 +-

 clients/common/nm-secret-agent-simple.h |  2 +-

 clients/tui/nmtui-connect.c             |  6 +++---

 5 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/clients/cli/common.c b/clients/cli/common.c

index 09c86334a..4aea0d5b2 100644

--- a/clients/cli/common.c

+++ b/clients/cli/common.c

@@ -630,13 +630,13 @@ vpn_openconnect_get_secrets (NMConnection *connection, GPtrArray *secrets)

 		if (!nm_streq0 (secret->vpn_type, NM_SECRET_AGENT_VPN_TYPE_OPENCONNECT))

 			continue;

-		if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "cookie")) {

+		if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "cookie")) {

 			g_free (secret->value);

 			secret->value = g_steal_pointer (&cookie);

-		} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "gateway")) {

+		} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "gateway")) {

 			g_free (secret->value);

 			secret->value = g_steal_pointer (&gateway);

-		} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "gwcert")) {

+		} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "gwcert")) {

 			g_free (secret->value);

 			secret->value = g_steal_pointer (&gwcert);

 		}

diff --git a/clients/cli/connections.c b/clients/cli/connections.c

index 1563178de..b547e34ca 100644

--- a/clients/cli/connections.c

+++ b/clients/cli/connections.c

@@ -2565,7 +2565,15 @@ parse_passwords (const char *passwd_file, GError **error)

 			return NULL;

 		}

-		pwd_spec = g_strdup_printf ("%s.%s", setting, prop);

+		if (   nm_streq (setting, "vpn")

+		    && g_str_has_prefix (prop, "secret.")) {

+			/* in 1.12.0, we wrongly required the VPN secrets to be named

+			 * "vpn.secret". It should be "vpn.secrets". Work around it

+			 * (rh#1628833). */

+			pwd_spec = g_strdup_printf ("vpn.secrets.%s", &prop[NM_STRLEN ("secret.")]);

+		} else

+			pwd_spec = g_strdup_printf ("%s.%s", setting, prop);

+

 		g_hash_table_insert (pwds_hash, pwd_spec, g_strdup (pwd));

 	}

 	return g_steal_pointer (&pwds_hash);

diff --git a/clients/common/nm-secret-agent-simple.c b/clients/common/nm-secret-agent-simple.c

index 0856b51ff..3df8c0386 100644

--- a/clients/common/nm-secret-agent-simple.c

+++ b/clients/common/nm-secret-agent-simple.c

@@ -195,7 +195,7 @@ nm_secret_agent_simple_secret_new (NMSecretAgentSecretType secret_type,

 		real->base.is_secret = (secret_type != NM_SECRET_AGENT_SECRET_TYPE_PROPERTY);

 		break;

 	case NM_SECRET_AGENT_SECRET_TYPE_VPN_SECRET:

-		vpn_prefix = NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET;

+		vpn_prefix = NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS;

 		value = nm_setting_vpn_get_secret (NM_SETTING_VPN (setting), property);

 		real->base.entry_id = g_strdup_printf ("%s%s", vpn_prefix, property);

 		nm_assert (vpn_type);

diff --git a/clients/common/nm-secret-agent-simple.h b/clients/common/nm-secret-agent-simple.h

index 505987dfd..529aaeaca 100644

--- a/clients/common/nm-secret-agent-simple.h

+++ b/clients/common/nm-secret-agent-simple.h

@@ -56,7 +56,7 @@ typedef struct {

 	gboolean is_secret;

 } NMSecretAgentSimpleSecret;

-#define NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "vpn.secret."

+#define NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "vpn.secrets."

 #define NM_SECRET_AGENT_VPN_TYPE_OPENCONNECT  NM_DBUS_INTERFACE".openconnect"

diff --git a/clients/tui/nmtui-connect.c b/clients/tui/nmtui-connect.c

index 2a954fb8c..6f29e13e9 100644

--- a/clients/tui/nmtui-connect.c

+++ b/clients/tui/nmtui-connect.c

@@ -121,13 +121,13 @@ secrets_requested (NMSecretAgentSimple *agent,

 					continue;

 				if (!nm_streq0 (secret->vpn_type, NM_SECRET_AGENT_VPN_TYPE_OPENCONNECT))

 					continue;

-				if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "cookie")) {

+				if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "cookie")) {

 					g_free (secret->value);

 					secret->value = g_steal_pointer (&cookie);

-				} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "gateway")) {

+				} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "gateway")) {

 					g_free (secret->value);

 					secret->value = g_steal_pointer (&gateway);

-				} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRET "gwcert")) {

+				} else if (nm_streq0 (secret->entry_id, NM_SECRET_AGENT_ENTRY_ID_PREFX_VPN_SECRETS "gwcert")) {

 					g_free (secret->value);

 					secret->value = g_steal_pointer (&gwcert);

 				}

-- 

2.17.1