[kde-plasma-nm] Make NM to store openconnect secrets into KWallet
Jan Grulich
jgrulich at fedoraproject.org
Tue Jan 13 15:55:30 UTC 2015
commit f45488556055e1bf68f78cc52ba281948e1b4b24
Author: Jan Grulich <jgrulich at redhat.com>
Date: Tue Jan 13 16:55:40 2015 +0100
Make NM to store openconnect secrets into KWallet
kde-plasma-nm.spec | 19 ++-
...to-store-Openconnect-secrets-into-KWallet.patch | 143 ++++++++++++++++++++
...e-lost-every-time-when-we-edit-connection.patch | 0
...storage-of-manually-accepted-server-certs.patch | 0
...on-t-send-completely-empty-map-to-nm-back.patch | 0
5 files changed, 155 insertions(+), 7 deletions(-)
---
diff --git a/kde-plasma-nm.spec b/kde-plasma-nm.spec
index 3f6fc8d..db6fc25 100644
--- a/kde-plasma-nm.spec
+++ b/kde-plasma-nm.spec
@@ -1,7 +1,7 @@
# %global git_commit f2ca6ae
Name: kde-plasma-nm
Version: 0.9.3.5
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Plasma applet written in QML for managing network connections
License: LGPLv2+ and GPLv2+
URL: https://projects.kde.org/projects/kde/workspace/plasma-nm/
@@ -15,9 +15,10 @@ Source10: 01-fedora-plasma-nm.js
# Upstream patches
Patch0: plasma-nm-add-option-for-server-certificate-verification.patch
Patch1: plasma-nm-update-openconnect-support-for-library-version-5.patch
-Patch2: plasma-nm-update-openconnect-storage-of-manually-accepted-serv.patch
-Patch3: plasma-nm-return-secrets-back-otherwise-they-will-be-lost-ever.patch
-Patch4: plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-.patch
+Patch2: plasma-nm-update-openconnect-storage-of-manually-accepted-server-certs.patch
+Patch3: plasma-nm-return-secrets-back-otherwise-they-will-be-lost-every-time-when-we-edit-connection.patch
+Patch4: plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-map-to-nm-back.patch
+Patch5: plasma-nm-make-NM-to-store-Openconnect-secrets-into-KWallet.patch
BuildRequires: gettext
BuildRequires: kdelibs4-devel
@@ -121,9 +122,10 @@ Provides: kde-plasma-networkmanagement-pptp = 1:%{version}-%{release}
%patch0 -p1 -b .add-option-for-server-certificate-verification
%patch1 -p1 -b .update-openconnect-support-for-library-version-5
-%patch2 -p1 -b .update-openconnect-storage-of-manually-accepted-serv
-%patch3 -p1 -b .return-secrets-back-otherwise-they-will-be-lost-ever.patch
-%patch4 -p1 -b .workaround-make-sure-we-don-t-send-completely-empty-.patch
+%patch2 -p1 -b .update-openconnect-storage-of-manually-accepted-server-certs
+%patch3 -p1 -b .return-secrets-back-otherwise-they-will-be-lost-every-time-when-we-edit-connection
+%patch4 -p1 -b .workaround-make-sure-we-don-t-send-completely-empty-map-to-nm-back
+%patch5 -p1 -b .plasma-nm-make-NM-to-store-Openconnect-secrets-into-KWallet
%build
mkdir -p %{_target_platform}
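Review bot: The backup suffix on the new `%patch5` line keeps the `plasma-nm-` prefix that the suffixes for patches 0 to 4 drop, so the backup files left by this patch are named differently from the others. For consistency the line would read `%patch5 -p1 -b .make-NM-to-store-Openconnect-secrets-into-KWallet`. The %prep section starts outside the hunk.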
@@ -241,6 +243,9 @@ fi
%endif
%changelog
+* Tue Jan 13 2015 Jan Grulich <jgrulich at redhat.com> - 0.9.3.5-6
+- Make NM to store openconnect secrets into KWallet
+
* Fri Jan 09 2015 Jan Grulich <jgrulich at redhat.com> - 0.9.3.5-5
- Pickup upstream openconnect fixes
diff --git a/plasma-nm-make-NM-to-store-Openconnect-secrets-into-KWallet.patch b/plasma-nm-make-NM-to-store-Openconnect-secrets-into-KWallet.patch
new file mode 100644
index 0000000..32b5c9d
--- /dev/null
+++ b/plasma-nm-make-NM-to-store-Openconnect-secrets-into-KWallet.patch
@@ -0,0 +1,143 @@
+From 35effa11540bbec8b6d13aa520656b270b31728e Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich at redhat.com>
+Date: Tue, 13 Jan 2015 16:27:49 +0100
+Subject: [PATCH] Make NM to store Openconnect secrets into KWallet
+
+REVIEW:122012
+BUG:309931
+BUG:334474
+---
+ kded/secretagent.cpp | 36 +++++++++++++++++++++++++++++++++++
+ vpn/openconnect/openconnectauth.cpp | 14 ++++++++++++--
+ vpn/openconnect/openconnectwidget.cpp | 7 +++++++
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/kded/secretagent.cpp b/kded/secretagent.cpp
+index 101506f..3aece0c 100644
+--- a/kded/secretagent.cpp
++++ b/kded/secretagent.cpp
+@@ -155,7 +155,16 @@ void SecretAgent::dialogAccepted()
+ for (int i = 0; i < m_calls.size(); ++i) {
+ SecretsRequest request = m_calls[i];
+ if (request.type == SecretsRequest::GetSecrets && request.dialog == m_dialog) {
++ NMStringMap tmpOpenconnectSecrets;
+ NMVariantMapMap connection = request.dialog->secrets();
++ if (connection.contains(QLatin1String("vpn"))) {
++ if (connection.value(QLatin1String("vpn")).contains(QLatin1String("tmp-secrets"))) {
++ QVariantMap vpnSetting = connection.value(QLatin1String("vpn"));
++ tmpOpenconnectSecrets = qdbus_cast<NMStringMap>(vpnSetting.take(QLatin1String("tmp-secrets")));
++ connection.insert(QLatin1String("vpn"), vpnSetting);
++ }
++ }
++
+ sendSecrets(connection, request.message);
+ NetworkManager::ConnectionSettings::Ptr connectionSettings = NetworkManager::ConnectionSettings::Ptr(new NetworkManager::ConnectionSettings(connection));
+ NetworkManager::ConnectionSettings::Ptr completeConnectionSettings;
+@@ -205,6 +214,33 @@ void SecretAgent::dialogAccepted()
+ requestOffline.saveSecretsWithoutReply = true;
+ m_calls << requestOffline;
+ }
++ } else if (request.saveSecretsWithoutReply && completeConnectionSettings->connectionType() == NetworkManager::ConnectionSettings::Vpn && !tmpOpenconnectSecrets.isEmpty()) {
++ NetworkManager::VpnSetting::Ptr vpnSetting = completeConnectionSettings->setting(NetworkManager::Setting::Vpn).staticCast<NetworkManager::VpnSetting>();
++ if (vpnSetting) {
++ NMStringMap data = vpnSetting->data();
++ NMStringMap secrets = vpnSetting->secrets();
++
++ // Load secrets from auth dialog which are returned back to NM
++ if (connection.value(QLatin1String("vpn")).contains(QLatin1String("secrets"))) {
++ secrets.unite(qdbus_cast<NMStringMap>(connection.value(QLatin1String("vpn")).value(QLatin1String("secrets"))));
++ }
++
++ // Load temporary secrets from auth dialog which are not returned to NM
++ foreach (const QString &key, tmpOpenconnectSecrets.keys()) {
++ data.insert(key + QLatin1String("-flags"), QString::number(NetworkManager::Setting::AgentOwned));
++ secrets.insert(key, tmpOpenconnectSecrets.value(key));
++ }
++
++ vpnSetting->setData(data);
++ vpnSetting->setSecrets(secrets);
++ if (!con) {
++ con = NetworkManager::findConnection(request.connection_path.path());
++ }
++
++ if (con) {
++ con->update(completeConnectionSettings->toMap());
++ }
++ }
+ }
+
+ m_calls.removeAt(i);
+diff --git a/vpn/openconnect/openconnectauth.cpp b/vpn/openconnect/openconnectauth.cpp
+index 419ff67..d3b609e 100644
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -67,6 +67,7 @@ public:
+ NetworkManager::VpnSetting::Ptr setting;
+ struct openconnect_info *vpninfo;
+ NMStringMap secrets;
++ NMStringMap tmpSecrets;
+ QMutex mutex;
+ QWaitCondition workerWaiting;
+ OpenconnectAuthWorkerThread *worker;
+@@ -310,6 +311,12 @@ QVariantMap OpenconnectAuthWidget::setting(bool agentOwned) const
+ }
+
+ secretData.insert("secrets", QVariant::fromValue<NMStringMap>(secrets));
++
++ // These secrets are not officially part of the secrets which would be returned back to NetworkManager. We just
++ // need to somehow get them to our secret agent which will handle them separately and store them.
++ if (!d->tmpSecrets.isEmpty()) {
++ secretData.insert("tmp-secrets", QVariant::fromValue<NMStringMap>(d->tmpSecrets));
++ }
+ return secretData;
+ }
+
+@@ -489,7 +496,7 @@ void OpenconnectAuthWidget::validatePeerCert(const QString &fingerprint,
+ #if !OPENCONNECT_CHECK_VER(5,0)
+ #define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())
+ #endif
+-
++
+ if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) {
+ QWidget *widget = new QWidget();
+ QVBoxLayout *verticalLayout;
+@@ -583,7 +590,9 @@ void OpenconnectAuthWidget::formLoginClicked()
+ QByteArray text = le->text().toUtf8();
+ openconnect_set_option_value(opt, text.data());
+ if (opt->type == OC_FORM_OPT_TEXT) {
+- d->secrets.insert(key,le->text());
++ d->secrets.insert(key, le->text());
++ } else {
++ d->tmpSecrets.insert(key, le->text());
+ }
+ } else if (opt->type == OC_FORM_OPT_SELECT) {
+ KComboBox *cbo = qobject_cast<KComboBox*>(widget);
+@@ -593,6 +602,7 @@ void OpenconnectAuthWidget::formLoginClicked()
+ }
+ }
+ }
++
+ deleteAllFromLayout(d->ui.loginBoxLayout);
+ d->workerWaiting.wakeAll();
+ }
+diff --git a/vpn/openconnect/openconnectwidget.cpp b/vpn/openconnect/openconnectwidget.cpp
+index 51e97d1..0ec870c 100644
+--- a/vpn/openconnect/openconnectwidget.cpp
++++ b/vpn/openconnect/openconnectwidget.cpp
+@@ -96,6 +96,13 @@ QVariantMap OpenconnectSettingWidget::setting(bool agentOwned) const
+ data.insert(QLatin1String(NM_OPENCONNECT_KEY_PRIVKEY), d->ui.leUserPrivateKey->url().path());
+ data.insert(QLatin1String(NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID), d->ui.chkUseFsid->isChecked() ? "yes" : "no");
+
++ // Restore previous flags, this is necessary for keeping secrets stored in KWallet
++ foreach (const QString &key, d->setting->data().keys()) {
++ if (key.contains(QLatin1String("-flags"))) {
++ data.insert(key, d->setting->data().value(key));
++ }
++ }
++
+ /* These are different for every login session, and should not be stored */
+ data.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE"-flags"), QString::number(NetworkManager::Setting::NotSaved));
+ data.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT"-flags"), QString::number(NetworkManager::Setting::NotSaved));
+--
+2.1.0
+
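Review bot: In OpenconnectAuthWidget::formLoginClicked() the new bare `else` puts the value of every line-edit option that is not OC_FORM_OPT_TEXT into d->tmpSecrets, and SecretAgent::dialogAccepted() then saves each of those entries together with an AgentOwned `-flags` entry. Which option types reach that branch is decided by a condition outside the hunk, so if only password fields are meant to be stored, writing it as `} else if (opt->type == OC_FORM_OPT_PASSWORD) {` keeps a later widening of the outer condition from silently storing more secrets. In OpenconnectSettingWidget::setting() the filter `key.contains(QLatin1String("-flags"))` matches the substring anywhere in a key, whereas `key.endsWith(QLatin1String("-flags"))` would restore only actual flag entries. The new `else if` in dialogAccepted() also dereferences completeConnectionSettings, whose assignment is not visible in the hunk, so it is worth confirming the pointer cannot be null on that path.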
diff --git a/plasma-nm-return-secrets-back-otherwise-they-will-be-lost-ever.patch b/plasma-nm-return-secrets-back-otherwise-they-will-be-lost-every-time-when-we-edit-connection.patch
similarity index 100%
rename from plasma-nm-return-secrets-back-otherwise-they-will-be-lost-ever.patch
rename to plasma-nm-return-secrets-back-otherwise-they-will-be-lost-every-time-when-we-edit-connection.patch
diff --git a/plasma-nm-update-openconnect-storage-of-manually-accepted-serv.patch b/plasma-nm-update-openconnect-storage-of-manually-accepted-server-certs.patch
similarity index 100%
rename from plasma-nm-update-openconnect-storage-of-manually-accepted-serv.patch
rename to plasma-nm-update-openconnect-storage-of-manually-accepted-server-certs.patch
diff --git a/plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-.patch b/plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-map-to-nm-back.patch
similarity index 100%
rename from plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-.patch
rename to plasma-nm-workaround-make-sure-we-don-t-send-completely-empty-map-to-nm-back.patch