While most secrets are serialized as individual settings with a string
value, all VPN secrets are serialized together as a string dict which is
the value of a single setting. Incorrect serialization causes VPN
secrets to not be remembered by NetworkManager.
This commit adds a new method that allows adding secrets as VPN secrets
specifically such that they can be correctly serialized.
Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1535>
While we can use the libnm API directly from JS, the call will
synchronously load the VPN service descriptions from disk.
Previously we were lowering the impact by caching the result,
but as we stopped doing that, it becomes more important to address
the issue properly and move it off to a thread.
https://gitlab.gnome.org/GNOME/gnome-shell/issues/2386
Most of the libsecret API was declared stable in 0.18 and the stable API
now provides everything we need, so switch from libsecret-unstable to
libsecret-1.
https://bugzilla.gnome.org/show_bug.cgi?id=782637
The non-interactive requests for 'vpn' settings are forwarded to the UI because
it is able to talk to the auth helpers. However, the VPN requests are identified
by the connection type instead of setting type. That is incorrect and the UI
is not prepared to handle such requests; tries to construct a dialog and fails
miserably:
Gjs-Message: JS LOG: Invalid connection type: vpn
(gnome-shell:13133): Gjs-WARNING **: JS ERROR: Error: No property 'text' in property list (or its value was undefined)
NetworkSecretDialog<._init@resource:///org/gnome/shell/ui/components/networkAgent.js:60
wrapper@resource:///org/gnome/gjs/modules/lang.js:169
_Base.prototype._construct@resource:///org/gnome/gjs/modules/lang.js:110
Class.prototype._construct/newClass@resource:///org/gnome/gjs/modules/lang.js:204
NetworkAgent<._handleRequest@resource:///org/gnome/shell/ui/components/networkAgent.js:724
wrapper@resource:///org/gnome/gjs/modules/lang.js:169
NetworkAgent<._newRequest@resource:///org/gnome/shell/ui/components/networkAgent.js:715
wrapper@resource:///org/gnome/gjs/modules/lang.js:169
https://bugzilla.gnome.org/show_bug.cgi?id=760999
In get_secrets_keyring_cb, we own a ref on the 'attributes' hash table
from secret_item_get_attributes), and a ref on the 'secret' object (from
secret_item_get_secret(), but in the SHELL_KEYRING_SK_TAG case, we unref
these once before breaking out of the loop, and the second time after
breaking out of the loop.
https://bugzilla.gnome.org/show_bug.cgi?id=759708
While the named commit was correct for VPN connections, it didn't
work correctly for the initial secrets requests like when connecting
to a new access point. In that case, secrets *should* be requested
when none are found, but only if interaction is enabled. The
bits of 17726abb which removed checking secrets against the hints
*were* correct, but 17726abb removed too much.
Also, to ensure passwords don't get inadvertently cleared when
simply reading them from the keyring, don't save passwords
unless something might have changed.
https://bugzilla.gnome.org/show_bug.cgi?id=724779
get_secrets_keyring_cb() contained an optimization (copied over from
nm-applet) that avoided a D-Bus round-trip when NetworkManager sent
secrets hints that were not satisified by the user. This code did
not properly handle empty hints though, and proceeded to always
request new secrets whenever empty hints were sent. Remove this
code entirely since the complexity is not worth it (per Jasper).
Second, get_secrets_keyring_cb() was mishandling VPN secrets which
were marked as "always ask". Because the VPN secrets are not GObject
properties because they cannot be pre-defined, they are passed in
a hash table that is a GObject property marked 'secret'. Unfortunately,
that means that the shell agent cannot determine their secret flags.
But since the VPN plugin auth dialogs have much better information
about what's required than the shell agent does, always ask the VPN
auth dialogs to handle the secrets requests after grabbing any that
already exist from the keyring. This is also what nm-applet does.
https://bugzilla.gnome.org/show_bug.cgi?id=719815
It doesn't make sense to have multiple requests for the same
connection/setting combination at the same time, since we would be
asking the user twice for the same password. Instead, report cancellation
to NetworkManager if this happens.
Note that does make sense to have multiple requests in sequence though
(they could have different flags), but this is not affected.
https://bugzilla.gnome.org/show_bug.cgi?id=674961
If a request isn't found in shell_network_agent_set_password() or
shell_network_agent_respond(), then g_return_if_fail() rather than
crashing. OTOH, if a request is not found in
shell_network_agent_cancel_get_secrets(), then just ignore it
silently, since that could legitimately happen.
https://bugzilla.gnome.org/show_bug.cgi?id=674961
When the operation is cancelled by NetworkManager, the request is
cancelled immediately. Later when gnome-keyring invokes the callback
notifying the error we must therefore not access its memory.
Previously the callback would mistakenly treat "cancelled" (which
indicates a programmatic cancel) as "denied" (which means the user
clicked "Cancel" on the keyring prompt)
https://bugzilla.gnome.org/show_bug.cgi?id=658484
VPN secrets are stored by the plugins, that provide separate
helpers for authentication. This commit adds the support for invoking
the binaries and pass them connection details.
For plugins that support it (as exposed by their keyfile), we invoke
them in "external-ui-mode" and expect a set of metadata about the
secrets which is used to build a shell styled dialog.
https://bugzilla.gnome.org/show_bug.cgi?id=658484
VPN secrets are currently unhandled by the UI code. To avoid
lengthy timeouts, bail out early with an error, so NetworkManager
falls back to the nm-applet agent directly.
https://bugzilla.gnome.org/show_bug.cgi?id=658484
A network agent is a component that stores network secrets (like
wifi passwords) in the session keyring. This commit adds an
implementation of it to be used by the shell network dialogs. It
handles most of the keyring stuff, delegating the UI to upper layers.
https://bugzilla.gnome.org/show_bug.cgi?id=650244
