From f63ce6055eeff577d505d8a2fe8b6de4813755c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= Date: Mon, 27 May 2024 15:33:16 +0200 Subject: [PATCH] openvpn: fix secret flags for challenge-response NetworkManager-openvpn added a new secret property "challenge-response". It's for 2FA authentication so it mustn't be persisted to disk, thus it uses the NOT_SAVED flags. However, this flag is only set on connection creation or modification. Some users were already using this 2FA method that was working partially. This users does not expect having to reimport or edit the connection, and now they can't connect because without the NOT_SAVED flag the first response is saved to the connection, and the next activation fails because that value is not valid anymore. Hacky fix: add the flags when reading the connection from nm-keyfile. We already had the same fix for openconnect.
---
 src/libnm-core-impl/nm-keyfile.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)
diff --git a/src/libnm-core-impl/nm-keyfile.c b/src/libnm-core-impl/nm-keyfile.c
index 078ea5d766..9d9c679b97 100644
--- a/src/libnm-core-impl/nm-keyfile.c
+++ b/src/libnm-core-impl/nm-keyfile.c
@@ -548,6 +548,36 @@ openconnect_fix_secret_flags(NMSetting *setting)
 nm_setting_set_secret_flags(NM_SETTING(s_vpn), NM_OPENCONNECT_KEY_CERTSIGS, flags, NULL);
 }
+#define NM_DBUS_SERVICE_OPENVPN "org.freedesktop.NetworkManager.openvpn"
+#define NM_OPENVPN_KEY_CHALLENGE_RESPONSE "challenge-response"
+
+static void
+openvpn_fix_secret_flags(NMSetting *setting)
+{
+ NMSettingVpn *s_vpn;
+
+ /* Huge hack. 2FA dynamic challenge was working already, but with some
+ * caveats like being stored in the connection profile overriding the
+ * password. It was fixed by adding a "challenge-response" secret, but
+ * "challenge-response-flags" is only added when the profile is
+ * created or modified. As this is a change that should work out of the box
+ * for already existing profiles, fix it here.
+ */
+
+ if (!NM_IS_SETTING_VPN(setting))
+ return;
+
+ s_vpn = NM_SETTING_VPN(setting);
+
+ if (!nm_streq0(nm_setting_vpn_get_service_type(s_vpn), NM_DBUS_SERVICE_OPENVPN))
+ return;
+
+ nm_setting_set_secret_flags(NM_SETTING(s_vpn),
+ NM_OPENVPN_KEY_CHALLENGE_RESPONSE,
+ NM_SETTING_SECRET_FLAG_NOT_SAVED,
+ NULL);
+}
+
 /*****************************************************************************/
 #define IP_ADDRESS_CHARS "0123456789abcdefABCDEF:.%"
@@ -1341,6 +1371,7 @@ read_hash_of_string(KeyfileReaderInfo *info,
 }
 }
 openconnect_fix_secret_flags(setting);
+ openvpn_fix_secret_flags(setting);
 return;
 }
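Review bot: The nm_setting_set_secret_flags() call at the end of openvpn_fix_secret_flags() only corrects the flags, so a "challenge-response" value that the earlier bug already persisted into the profile (the case the commit message describes) is still read back from disk and stays in the setting unless something downstream clears secrets carrying NM_SETTING_SECRET_FLAG_NOT_SAVED, which this hunk does not show. That limitation belongs in the function's comment so the next maintainer does not assume the stale response is gone: `/* Only the flags are corrected here; a value persisted before this fix is not removed from the profile. */`. The two new #defines duplicate strings owned by the openvpn plugin, and a mismatch would make the nm_streq0() check silently skip the fix (nm_streq0() itself tolerates a NULL service type), so a one-line comment naming the plugin as the source of truth for both values would help. Passing a NULL GError to nm_setting_set_secret_flags() means a failure to set the flag goes unnoticed, which matches the openconnect helper above and keeps the two consistent.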