From a63714ec1de4ad174f04569726a23de7928d96cb Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Fri, 24 May 2019 15:01:21 +0200
Subject: [PATCH] settings,keyfile: move openconnect hack from settings to keyfile reader

VPN settings (for openconnect) can only be handled by the keyfile settings plugin. In any case, such special casing belongs to the settings plugin and not "nm-settings.c". The reason is that the settings plugin already has an intimate understanding of the content of connections, it knows which fields exist, their meaning, etc. It makes sense special handling of openconnect is done there. See also commit 304d0b869bfe ('core: openconnect migration hack'). Unfortunately it's not clear to me why/whether this is still the right thing to do.
---
 libnm-core/nm-keyfile.c | 48 ++++++++++++++++++++++++++++++++++++++
 src/settings/nm-settings.c | 47 -------------------------------------
 2 files changed, 48 insertions(+), 47 deletions(-)

diff --git a/libnm-core/nm-keyfile.c b/libnm-core/nm-keyfile.c
index f31853c96f..8add4bfccf 100644
--- a/libnm-core/nm-keyfile.c
+++ b/libnm-core/nm-keyfile.c
@@ -363,6 +363,53 @@ read_field (char **current, const char **out_err_str, const char *characters, co
 }
 }
+/*****************************************************************************/
+
+#define NM_DBUS_SERVICE_OPENCONNECT "org.freedesktop.NetworkManager.openconnect"
+#define NM_OPENCONNECT_KEY_GATEWAY "gateway"
+#define NM_OPENCONNECT_KEY_COOKIE "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
+#define NM_OPENCONNECT_KEY_XMLCONFIG "xmlconfig"
+#define NM_OPENCONNECT_KEY_LASTHOST "lasthost"
+#define NM_OPENCONNECT_KEY_AUTOCONNECT "autoconnect"
+#define NM_OPENCONNECT_KEY_CERTSIGS "certsigs"
+
+static void
+openconnect_fix_secret_flags (NMSetting *setting)
+{
+ NMSettingVpn *s_vpn;
+ NMSettingSecretFlags flags;
+
+ /* Huge hack. There were some openconnect changes that needed to happen
+ * pretty late, too late to get into distros. Migration has already
+ * happened for many people, and their secret flags are wrong. But we
+ * don't want to requrie re-migration, so we have to fix it up here. Ugh.
+ */
+
+ if (!NM_IS_SETTING_VPN (setting))
+ return;
+
+ s_vpn = NM_SETTING_VPN (setting);
+
+ if (!nm_streq0 (nm_setting_vpn_get_service_type (s_vpn), NM_DBUS_SERVICE_OPENCONNECT))
+ return;
+
+ /* These are different for every login session, and should not be stored */
+ flags = NM_SETTING_SECRET_FLAG_NOT_SAVED;
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_GATEWAY, flags, NULL);
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_COOKIE, flags, NULL);
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_GWCERT, flags, NULL);
+
+ /* These are purely internal data for the auth-dialog, and should be stored */
+ flags = 0;
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_XMLCONFIG, flags, NULL);
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_LASTHOST, flags, NULL);
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_AUTOCONNECT, flags, NULL);
+ nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_CERTSIGS, flags, NULL);
+}
+
+/*****************************************************************************/
+
 #define IP_ADDRESS_CHARS "0123456789abcdefABCDEF:.%"
 #define DIGITS "0123456789"
 #define DELIMITERS "/;,"
@@ -1024,6 +1071,7 @@ read_hash_of_string (GKeyFile *file, NMSetting *setting, const char *key)
 nm_setting_bond_add_option (NM_SETTING_BOND (setting), name, value);
 }
 }
+ openconnect_fix_secret_flags (setting);
 return;
 }
diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index f342d6b446..18ec00f6dd 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
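Review bot: `openconnect_fix_secret_flags()` rewrites the secret flags of seven openconnect keys unconditionally, so whatever flags were read from the file for those keys are replaced, and neither the comment nor the function name says that this is an override rather than a default. A header comment should state it, along the lines of `/* Overrides the secret flags read from the file: gateway, cookie and gwcert are per-session and must not be stored; xmlconfig, lasthost, autoconnect and certsigs are to be stored. */`. The second group would read better as `flags = NM_SETTING_SECRET_FLAG_NONE;` than `flags = 0;`, so the storage decision is spelled out next to `NM_SETTING_SECRET_FLAG_NOT_SAVED`. The copied comment also still carries the typo `requrie`.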
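Review bot: After this move the flag fix-up runs only for settings parsed by `read_hash_of_string()`, whereas the call removed from `claim_connection()` in nm-settings.c applied it to the connection of every settings connection claimed there. If an openconnect profile can reach the daemon without passing through this reader (not visible in the patch, so an assumption to confirm), its `cookie`, `gateway` and `gwcert` secrets would keep whatever flags were supplied and could end up written to disk. The call also sits in the branch shared with bond settings and relies on the `NM_IS_SETTING_VPN` check inside the helper; a one-line comment at the call site, e.g. `/* openconnect only: force per-session secrets to NOT_SAVED, see openconnect_fix_secret_flags() */`, would make that explicit. `read_hash_of_string()` begins above the hunk, so any early return that skips this call cannot be checked from here.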
@@ -178,7 +178,6 @@ static void default_wired_clear_tag (NMSettings *self,
 NMSettingsConnection *connection,
 gboolean add_to_no_auto_default);
-static void openconnect_migrate_hack (NMConnection *connection);
 static void _clear_connections_cached_list (NMSettingsPrivate *priv);
 /*****************************************************************************/
@@ -474,10 +473,6 @@ claim_connection (NMSettings *self, NMSettingsConnection *sett_conn)
 /* Ensure its initial visibility is up-to-date */
 nm_settings_connection_recheck_visibility (sett_conn);
- /* Evil openconnect migration hack */
- /* FIXME(copy-on-write-connection): avoid modifying NMConnection instances and share them via copy-on-write. */
- openconnect_migrate_hack (nm_settings_connection_get_connection (sett_conn));
-
 /* This one unexports the connection, it needs to run late to give the active
 * connection a chance to deal with its reference to this settings connection. */
 g_signal_connect_after (sett_conn, NM_SETTINGS_CONNECTION_REMOVED,
@@ -532,48 +527,6 @@ claim_connection (NMSettings *self, NMSettingsConnection *sett_conn)
 /*****************************************************************************/
-#define NM_DBUS_SERVICE_OPENCONNECT "org.freedesktop.NetworkManager.openconnect"
-#define NM_OPENCONNECT_KEY_GATEWAY "gateway"
-#define NM_OPENCONNECT_KEY_COOKIE "cookie"
-#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
-#define NM_OPENCONNECT_KEY_XMLCONFIG "xmlconfig"
-#define NM_OPENCONNECT_KEY_LASTHOST "lasthost"
-#define NM_OPENCONNECT_KEY_AUTOCONNECT "autoconnect"
-#define NM_OPENCONNECT_KEY_CERTSIGS "certsigs"
-
-static void
-openconnect_migrate_hack (NMConnection *connection)
-{
- NMSettingVpn *s_vpn;
- NMSettingSecretFlags flags = NM_SETTING_SECRET_FLAG_NOT_SAVED;
-
- /* Huge hack. There were some openconnect changes that needed to happen
- * pretty late, too late to get into distros. Migration has already
- * happened for many people, and their secret flags are wrong. But we
- * don't want to requrie re-migration, so we have to fix it up here. Ugh.
- */
-
- s_vpn = nm_connection_get_setting_vpn (connection);
- if (s_vpn == NULL)
- return;
-
- if (g_strcmp0 (nm_setting_vpn_get_service_type (s_vpn), NM_DBUS_SERVICE_OPENCONNECT) == 0) {
- /* These are different for every login session, and should not be stored */
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_GATEWAY, flags, NULL);
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_COOKIE, flags, NULL);
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_GWCERT, flags, NULL);
-
- /* These are purely internal data for the auth-dialog, and should be stored */
- flags = 0;
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_XMLCONFIG, flags, NULL);
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_LASTHOST, flags, NULL);
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_AUTOCONNECT, flags, NULL);
- nm_setting_set_secret_flags (NM_SETTING (s_vpn), NM_OPENCONNECT_KEY_CERTSIGS, flags, NULL);
- }
-}
-
-/*****************************************************************************/
-
 static gboolean
 secrets_filter_cb (NMSetting *setting,
 const char *secret,