[network-manager-openvpn] core: implement interactive secrets requests (rh #704263)



commit e73b5a460fcdd14efa02cd89e070acfa5e2c4713
Author: Dan Williams <dcbw redhat com>
Date:   Fri Jun 21 11:56:31 2013 -0500

    core: implement interactive secrets requests (rh #704263)
    
    Request secrets from NetworkManager when existing secrets are
    insufficient and openvpn asks us for new ones.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=704263

 src/nm-openvpn-service.c |  386 ++++++++++++++++++++++++++++++++--------------
 1 files changed, 270 insertions(+), 116 deletions(-)
---
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 7b4cbd7..54be7d5 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -69,11 +69,13 @@ G_DEFINE_TYPE (NMOpenvpnPlugin, nm_openvpn_plugin, NM_TYPE_VPN_PLUGIN)
 #define NM_OPENVPN_PLUGIN_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_OPENVPN_PLUGIN, 
NMOpenvpnPluginPrivate))
 
 typedef struct {
+       char *default_username;
        char *username;
        char *password;
        char *priv_key_pass;
        char *proxy_username;
        char *proxy_password;
+       char *pending_auth;
        GIOChannel *socket_channel;
        guint socket_channel_eventid;
 } NMOpenvpnPluginIOData;
@@ -83,6 +85,7 @@ typedef struct {
        guint connect_timer;
        guint connect_count;
        NMOpenvpnPluginIOData *io_data;
+       gboolean interactive;
 } NMOpenvpnPluginPrivate;
 
 typedef struct {
@@ -268,17 +271,8 @@ nm_openvpn_secrets_validate (NMSettingVPN *s_vpn, GError **error)
        ValidateInfo info = { &valid_secrets[0], &validate_error, FALSE };
 
        nm_setting_vpn_foreach_secret (s_vpn, validate_one_property, &info);
-       if (!info.have_items) {
-               g_set_error (error,
-                            NM_VPN_PLUGIN_ERROR,
-                            NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                            "%s",
-                            _("No VPN secrets!"));
-               return FALSE;
-       }
-
        if (validate_error) {
-               *error = validate_error;
+               g_propagate_error (error, validate_error);
                return FALSE;
        }
        return TRUE;
@@ -304,6 +298,7 @@ nm_openvpn_disconnect_management_socket (NMOpenvpnPlugin *plugin)
 
        g_free (io_data->username);
        g_free (io_data->proxy_username);
+       g_free (io_data->pending_auth);
 
        if (io_data->password)
                memset (io_data->password, 0, strlen (io_data->password));
@@ -398,14 +393,104 @@ write_user_pass (GIOChannel *channel,
 }
 
 static gboolean
+handle_auth (NMOpenvpnPluginIOData *io_data,
+             const char *requested_auth,
+             const char **out_message,
+             char ***out_hints)
+{
+       gboolean handled = FALSE;
+       guint i = 0;
+       char **hints = NULL;
+
+       g_return_val_if_fail (requested_auth != NULL, FALSE);
+       g_return_val_if_fail (out_message != NULL, FALSE);
+       g_return_val_if_fail (out_hints != NULL, FALSE);
+
+       if (strcmp (requested_auth, "Auth") == 0) {
+               const char *username = io_data->username;
+
+               /* Fall back to the default username if it wasn't overridden by the user */
+               if (!username)
+                       username = io_data->default_username;
+
+               if (username != NULL && io_data->password != NULL) {
+                       write_user_pass (io_data->socket_channel,
+                                        requested_auth,
+                                        username,
+                                        io_data->password);
+               } else {
+                       hints = g_new0 (char *, 3);
+                       if (!username) {
+                               hints[i++] = NM_OPENVPN_KEY_USERNAME;
+                               *out_message = _("A username is required.");
+                       }
+                       if (!io_data->password) {
+                               hints[i++] = NM_OPENVPN_KEY_PASSWORD;
+                               *out_message = _("A password is required.");
+                       }
+                       if (!username && !io_data->password)
+                               *out_message = _("A username and password are required.");
+               }
+               handled = TRUE;
+       } else if (!strcmp (requested_auth, "Private Key")) {
+               if (io_data->priv_key_pass) {
+                       char *qpass, *buf;
+
+                       /* Quote strings passed back to openvpn */
+                       qpass = ovpn_quote_string (io_data->priv_key_pass);
+                       buf = g_strdup_printf ("password \"%s\" \"%s\"\n", requested_auth, qpass);
+                       memset (qpass, 0, strlen (qpass));
+                       g_free (qpass);
+
+                       /* Will always write everything in blocking channels (on success) */
+                       g_io_channel_write_chars (io_data->socket_channel, buf, strlen (buf), NULL, NULL);
+                       g_io_channel_flush (io_data->socket_channel, NULL);
+                       g_free (buf);
+               } else {
+                       hints = g_new0 (char *, 2);
+                       hints[i++] = NM_OPENVPN_KEY_CERTPASS;
+                       *out_message = _("A private key password is required.");
+               }
+               handled = TRUE;
+       } else if (strcmp (requested_auth, "HTTP Proxy") == 0) {
+               if (io_data->proxy_username != NULL && io_data->proxy_password != NULL) {
+                       write_user_pass (io_data->socket_channel,
+                                        requested_auth,
+                                        io_data->proxy_username,
+                                        io_data->proxy_password);
+               } else {
+                       hints = g_new0 (char *, 3);
+                       if (!io_data->proxy_username) {
+                               hints[i++] = NM_OPENVPN_KEY_HTTP_PROXY_USERNAME;
+                               *out_message = _("An HTTP Proxy username is required.");
+                       }
+                       if (!io_data->proxy_password) {
+                               hints[i++] = NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD;
+                               *out_message = _("An HTTP Proxy password is required.");
+                       }
+                       if (!io_data->proxy_username && !io_data->proxy_password)
+                               *out_message = _("An HTTP Proxy username and password are required.");
+               }
+               handled = TRUE;
+       }
+
+       *out_hints = hints;
+       return handled;
+}
+
+static gboolean
 handle_management_socket (NMVPNPlugin *plugin,
                           GIOChannel *source,
                           GIOCondition condition,
                           NMVPNPluginFailure *out_failure)
 {
-       NMOpenvpnPluginIOData *io_data = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin)->io_data;
+       NMOpenvpnPluginPrivate *priv = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin);
        gboolean again = TRUE;
-       char *str = NULL, *auth = NULL, *buf;
+       char *str = NULL, *auth = NULL;
+       const char *message = NULL;
+       char **hints = NULL;
+
+       g_assert (out_failure);
 
        if (!(condition & G_IO_IN))
                return TRUE;
@@ -413,44 +498,45 @@ handle_management_socket (NMVPNPlugin *plugin,
        if (g_io_channel_read_line (source, &str, NULL, NULL, NULL) != G_IO_STATUS_NORMAL)
                return TRUE;
 
-       if (strlen (str) < 1)
-               goto out;
+       if (!str[0]) {
+               g_free (str);
+               return TRUE;
+       }
+
+       if (debug)
+               g_message ("VPN request '%s'", str);
 
        auth = get_detail (str, ">PASSWORD:Need '");
        if (auth) {
-               if (strcmp (auth, "Auth") == 0) {
-                       if (io_data->username != NULL && io_data->password != NULL)
-                               write_user_pass (source, auth, io_data->username, io_data->password);
-                       else
-                               g_warning ("Auth requested but one of username or password is missing");
-               } else if (!strcmp (auth, "Private Key")) {
-                       if (io_data->priv_key_pass) {
-                               char *qpass;
-
-                               /* Quote strings passed back to openvpn */
-                               qpass = ovpn_quote_string (io_data->priv_key_pass);
-                               buf = g_strdup_printf ("password \"%s\" \"%s\"\n", auth, qpass);
-                               memset (qpass, 0, strlen (qpass));
-                               g_free (qpass);
-
-                               /* Will always write everything in blocking channels (on success) */
-                               g_io_channel_write_chars (source, buf, strlen (buf), NULL, NULL);
-                               g_io_channel_flush (source, NULL);
-                               g_free (buf);
-                       } else
-                               g_warning ("Certificate password requested but private key password == NULL");
-               } else if (strcmp (auth, "HTTP Proxy") == 0) {
-                       if (io_data->proxy_username != NULL && io_data->proxy_password != NULL)
-                               write_user_pass (source, auth, io_data->proxy_username, 
io_data->proxy_password);
-                       else
-                               g_warning ("HTTP Proxy auth requested but either proxy username or password 
is missing");
+               if (priv->io_data->pending_auth)
+                       g_free (priv->io_data->pending_auth);
+               priv->io_data->pending_auth = auth;
+
+               if (handle_auth (priv->io_data, auth, &message, &hints)) {
+                       /* Request new secrets if we need any */
+                       if (priv->interactive) {
+                               if (message) {
+                                       if (debug) {
+                                               char *joined = hints ? g_strjoinv (",", (char **) hints) : 
"none";
+                                               g_message ("Requesting new secrets: '%s' (%s)", message, 
joined);
+                                               g_free (joined);
+                                       }
+                                       nm_vpn_plugin_secrets_required (plugin, message, (const char **) 
hints);
+                               }
+                       } else {
+                               /* Interactive not allowed, can't ask for more secrets */
+                               g_warning ("More secrets required but cannot ask interactively");
+                               *out_failure = NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED;
+                               again = FALSE;
+                       }
+                       if (hints)
+                               g_free (hints);  /* elements are 'const' */
                } else {
-                       g_warning ("No clue what to send for username/password request for '%s'", auth);
-                       if (out_failure)
-                               *out_failure = NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED;
+                       g_warning ("Unhandled management socket request '%s'", auth);
+                       *out_failure = NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED;
                        again = FALSE;
                }
-               g_free (auth);
+               goto out;
        }
 
        auth = get_detail (str, ">PASSWORD:Verification Failed: '");
@@ -464,8 +550,7 @@ handle_management_socket (NMVPNPlugin *plugin,
 
                g_free (auth);
 
-               if (out_failure)
-                       *out_failure = NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED;
+               *out_failure = NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED;
                again = FALSE;
        }
 
@@ -727,6 +812,48 @@ add_cert_args (GPtrArray *args, NMSettingVPN *s_vpn)
        }
 }
 
+static void
+update_io_data_from_vpn_setting (NMOpenvpnPluginIOData *io_data,
+                                 NMSettingVPN *s_vpn,
+                                 const char *default_username)
+{
+       const char *tmp;
+
+       if (default_username) {
+               g_free (io_data->default_username);
+               io_data->default_username = g_strdup (default_username);
+       }
+
+       g_free (io_data->username);
+       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_USERNAME);
+       io_data->username = tmp ? g_strdup (tmp) : NULL;
+
+       if (io_data->password) {
+               memset (io_data->password, 0, strlen (io_data->password));
+               g_free (io_data->password);
+       }
+       tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD);
+       io_data->password = tmp ? g_strdup (tmp) : NULL;
+
+       if (io_data->priv_key_pass) {
+               memset (io_data->priv_key_pass, 0, strlen (io_data->priv_key_pass));
+               g_free (io_data->priv_key_pass);
+       }
+       tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS);
+       io_data->priv_key_pass = tmp ? g_strdup (tmp) : NULL;
+
+       g_free (io_data->proxy_username);
+       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_USERNAME);
+       io_data->proxy_username = tmp ? g_strdup (tmp) : NULL;
+
+       if (io_data->proxy_password) {
+               memset (io_data->proxy_password, 0, strlen (io_data->proxy_password));
+               g_free (io_data->proxy_password);
+       }
+       tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD);
+       io_data->proxy_password = tmp ? g_strdup (tmp) : NULL;
+}
+
 static gboolean
 nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
                                  NMSettingVPN *s_vpn,
@@ -762,9 +889,8 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
                }
        }
 
-       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE);
-       connection_type = validate_connection_type (tmp);
-       if (!connection_type) {
+       connection_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE);
+       if (!validate_connection_type (connection_type)) {
                g_set_error (error,
                             NM_VPN_PLUGIN_ERROR,
                             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
@@ -1086,25 +1212,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
            || nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_USERNAME)) {
 
                priv->io_data = g_malloc0 (sizeof (NMOpenvpnPluginIOData));
-
-               tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_USERNAME);
-               priv->io_data->username = tmp ? g_strdup (tmp) : NULL;
-               /* Use the default username if it wasn't overridden by the user */
-               if (!priv->io_data->username && default_username)
-                       priv->io_data->username = g_strdup (default_username);
-
-               tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD);
-               priv->io_data->password = tmp ? g_strdup (tmp) : NULL;
-
-               tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS);
-               priv->io_data->priv_key_pass = tmp ? g_strdup (tmp) : NULL;
-
-               tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_USERNAME);
-               priv->io_data->proxy_username = tmp ? g_strdup (tmp) : NULL;
-
-               tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD);
-               priv->io_data->proxy_password = tmp ? g_strdup (tmp) : NULL;
-
+               update_io_data_from_vpn_setting (priv->io_data, s_vpn, default_username);
                nm_openvpn_schedule_connect_timer (plugin);
        }
 
@@ -1167,62 +1275,43 @@ check_need_secrets (NMSettingVPN *s_vpn, gboolean *need_secrets)
 }
 
 static gboolean
-real_connect (NMVPNPlugin   *plugin,
-              NMConnection  *connection,
-              GError       **error)
+_connect_common (NMVPNPlugin   *plugin,
+                 NMConnection  *connection,
+                 GHashTable    *details,
+                 GError       **error)
 {
        NMSettingVPN *s_vpn;
        const char *connection_type;
        const char *user_name;
-       gboolean need_secrets;
 
-       s_vpn = NM_SETTING_VPN (nm_connection_get_setting (connection, NM_TYPE_SETTING_VPN));
+       s_vpn = nm_connection_get_setting_vpn (connection);
        if (!s_vpn) {
-               g_set_error (error,
-                            NM_VPN_PLUGIN_ERROR,
-                            NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
-                            "%s",
-                            _("Could not process the request because the VPN connection settings were 
invalid."));
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
+                                    _("Could not process the request because the VPN connection settings 
were invalid."));
                return FALSE;
        }
 
-       /* Check if we need secrets and validate the connection type */
-       connection_type = check_need_secrets (s_vpn, &need_secrets);
-       if (!connection_type) {
-               g_set_error (error,
-                            NM_VPN_PLUGIN_ERROR,
-                            NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                            "%s",
-                            _("Invalid connection type."));
+       connection_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE);
+       if (!validate_connection_type (connection_type)) {
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
+                                    _("Could not process the request because the openvpn connection type was 
invalid."));
                return FALSE;
        }
 
-       user_name = nm_setting_vpn_get_user_name (s_vpn);
-
-       /* Need a username for any password-based connection types */
-       if (   !strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD_TLS)
-           || !strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD)) {
-               if (!user_name && !nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_USERNAME)) {
-                       g_set_error (error,
-                                    NM_VPN_PLUGIN_ERROR,
-                                    NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
-                                    "%s",
-                                    _("Could not process the request because no username was provided."));
-                       return FALSE;
-               }
-       }
-
        /* Validate the properties */
        if (!nm_openvpn_properties_validate (s_vpn, error))
                return FALSE;
 
        /* Validate secrets */
-       if (need_secrets) {
-               if (!nm_openvpn_secrets_validate (s_vpn, error))
-                       return FALSE;
-       }
+       if (!nm_openvpn_secrets_validate (s_vpn, error))
+               return FALSE;
 
        /* Finally try to start OpenVPN */
+       user_name = nm_setting_vpn_get_user_name (s_vpn);
        if (!nm_openvpn_start_openvpn_binary (NM_OPENVPN_PLUGIN (plugin), s_vpn, user_name, error))
                return FALSE;
 
@@ -1230,6 +1319,27 @@ real_connect (NMVPNPlugin   *plugin,
 }
 
 static gboolean
+real_connect (NMVPNPlugin   *plugin,
+              NMConnection  *connection,
+              GError       **error)
+{
+       return _connect_common (plugin, connection, NULL, error);
+}
+
+static gboolean
+real_connect_interactive (NMVPNPlugin   *plugin,
+                          NMConnection  *connection,
+                          GHashTable    *details,
+                          GError       **error)
+{
+       if (!_connect_common (plugin, connection, details, error))
+               return FALSE;
+
+       NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin)->interactive = TRUE;
+       return TRUE;
+}
+
+static gboolean
 real_need_secrets (NMVPNPlugin *plugin,
                    NMConnection *connection,
                    char **setting_name,
@@ -1247,23 +1357,21 @@ real_need_secrets (NMVPNPlugin *plugin,
                nm_connection_dump (connection);
        }
 
-       s_vpn = NM_SETTING_VPN (nm_connection_get_setting (connection, NM_TYPE_SETTING_VPN));
+       s_vpn = nm_connection_get_setting_vpn (connection);
        if (!s_vpn) {
-               g_set_error (error,
-                            NM_VPN_PLUGIN_ERROR,
-                            NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
-                            "%s",
-                            _("Could not process the request because the VPN connection settings were 
invalid."));
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
+                                    _("Could not process the request because the VPN connection settings 
were invalid."));
                return FALSE;
        }
 
        connection_type = check_need_secrets (s_vpn, &need_secrets);
        if (!connection_type) {
-               g_set_error (error,
-                            NM_VPN_PLUGIN_ERROR,
-                            NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                            "%s",
-                            _("Invalid connection type."));
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+                                    _("Invalid connection type."));
                return FALSE;
        }
 
@@ -1274,6 +1382,50 @@ real_need_secrets (NMVPNPlugin *plugin,
 }
 
 static gboolean
+real_new_secrets (NMVPNPlugin *plugin,
+                  NMConnection *connection,
+                  GError **error)
+{
+       NMOpenvpnPluginPrivate *priv = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin);
+       NMSettingVPN *s_vpn;
+       const char *message = NULL;
+       char **hints = NULL;
+
+       s_vpn = nm_connection_get_setting_vpn (connection);
+       if (!s_vpn) {
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_CONNECTION_INVALID,
+                                    _("Could not process the request because the VPN connection settings 
were invalid."));
+               return FALSE;
+       }
+
+       if (debug)
+               g_message ("VPN received new secrets; sending to management interface");
+
+       update_io_data_from_vpn_setting (priv->io_data, s_vpn, NULL);
+
+       g_warn_if_fail (priv->io_data->pending_auth);
+       if (!handle_auth (priv->io_data, priv->io_data->pending_auth, &message, &hints)) {
+               g_set_error_literal (error,
+                                    NM_VPN_PLUGIN_ERROR,
+                                    NM_VPN_PLUGIN_ERROR_GENERAL,
+                                    _("Unhandled pending authentication."));
+               return FALSE;
+       }
+
+       /* Request new secrets if we need any */
+       if (message) {
+               if (debug)
+                       g_message ("Requesting new secrets: '%s'", message);
+               nm_vpn_plugin_secrets_required (plugin, message, (const char **) hints);
+       }
+       if (hints)
+               g_free (hints);  /* elements are 'const' */
+       return TRUE;
+}
+
+static gboolean
 ensure_killed (gpointer data)
 {
        int pid = GPOINTER_TO_INT (data);
@@ -1318,8 +1470,10 @@ nm_openvpn_plugin_class_init (NMOpenvpnPluginClass *plugin_class)
 
        /* virtual methods */
        parent_class->connect      = real_connect;
+       parent_class->connect_interactive = real_connect_interactive;
        parent_class->need_secrets = real_need_secrets;
        parent_class->disconnect   = real_disconnect;
+       parent_class->new_secrets  = real_new_secrets;
 }
 
 static void


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]