From 610fbe612b5a1c05762195f112fc2c80892b4d93 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 23 Feb 2026 17:23:23 +0100
Subject: [PATCH] settings: fix check on existing system secrets

The previous check was based only on the presence of a non-NULL
"existing_secrets" GVariant. That GVariant is created via:

  nm_connection_to_dbus(nm_settings_connection_get_connection(self),
                        NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED)

The function returns a GVariant containing a first-level dictionary
for each setting, even for those that doesn't contain any secrets. As
a result, the check was requiring the system.modify permission even if
there weren't any cached secrets to send to the agent.

Fix the check to actually check for the presence of any secrets in the
cached dictionary.
---
 src/core/settings/nm-agent-manager.c | 35 +++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/core/settings/nm-agent-manager.c b/src/core/settings/nm-agent-manager.c
index 19b3cfcbaf..ce7dbab2f0 100644
--- a/src/core/settings/nm-agent-manager.c
+++ b/src/core/settings/nm-agent-manager.c
@@ -1083,6 +1083,39 @@ _con_get_request_start_validated(NMAuthChain           *chain,
     _con_get_request_start_proceed(req, req->con.current_has_modify);
 }
 
+static gboolean
+_req_has_existing_secrets(Request *req)
+{
+    GVariantIter iter;
+    const char  *setting_name;
+    GVariant    *setting_dict;
+    gboolean     has;
+
+    if (!req->con.get.existing_secrets)
+        return FALSE;
+
+    nm_assert(g_variant_is_of_type(req->con.get.existing_secrets, NM_VARIANT_TYPE_CONNECTION));
+
+    g_variant_iter_init(&iter, req->con.get.existing_secrets);
+    while (g_variant_iter_next(&iter, "{&s@a{sv}}", &setting_name, &setting_dict)) {
+        GVariantIter setting_iter;
+        GVariant    *val;
+
+        g_variant_iter_init(&setting_iter, setting_dict);
+        while (g_variant_iter_next(&setting_iter, "{&sv}", NULL, &val)) {
+            has = !g_variant_is_container(val) || g_variant_n_children(val) > 0;
+            g_variant_unref(val);
+            if (has) {
+                g_variant_unref(setting_dict);
+                return TRUE;
+            }
+        }
+        g_variant_unref(setting_dict);
+    }
+
+    return FALSE;
+}
+
 static void
 _con_get_request_start(Request *req)
 {
@@ -1103,7 +1136,7 @@ _con_get_request_start(Request *req)
      * unprivileged users.
      */
     if ((req->con.get.flags != NM_SECRET_AGENT_GET_SECRETS_FLAG_NONE)
-        && (req->con.get.existing_secrets
+        && (_req_has_existing_secrets(req)
             || _nm_connection_aggregate(req->con.connection,
                                         NM_CONNECTION_AGGREGATE_ANY_SYSTEM_SECRET_FLAGS,
                                         NULL))) {