colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

all: add 802-1x.optional property

Browse Source 
Introduce a 802-1x.optional boolean property that can be used to
succeed the connection even after an authentication timeout or
failure.
This commit is contained in:
Beniamino Galvani
2019-07-11 15:52:03 +02:00
parent 5b4f4a4c30
commit 8763e6da9c
7 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
clients/common/nm-meta-setting-desc.c
View File

@@ -4502,6 +4502,9 @@ static const NMMetaPropertyInfo *const property_infos_6LOWPAN[] = {
#undef _CURRENT_NM_META_SETTING_TYPE #undef _CURRENT_NM_META_SETTING_TYPE
#define _CURRENT_NM_META_SETTING_TYPE NM_META_SETTING_TYPE_802_1X #define _CURRENT_NM_META_SETTING_TYPE NM_META_SETTING_TYPE_802_1X
static const NMMetaPropertyInfo *const property_infos_802_1X[] = { static const NMMetaPropertyInfo *const property_infos_802_1X[] = {
PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_OPTIONAL,
.property_type = &_pt_gobject_bool,
),
PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_EAP, PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_EAP,
.property_type = &_pt_multilist, .property_type = &_pt_multilist,
.property_typ_data = DEFINE_PROPERTY_TYP_DATA ( .property_typ_data = DEFINE_PROPERTY_TYP_DATA (

1
clients/common/settings-docs.h.in
View File

@@ -54,6 +54,7 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.") #define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_EAP N_("The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: \"leap\", \"md5\", \"tls\", \"peap\", \"ttls\", \"pwd\", and \"fast\". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.") #define DESCRIBE_DOC_NM_SETTING_802_1X_EAP N_("The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: \"leap\", \"md5\", \"tls\", \"peap\", \"ttls\", \"pwd\", and \"fast\". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_IDENTITY N_("Identity string for EAP authentication methods. Often the user's user or login name.") #define DESCRIBE_DOC_NM_SETTING_802_1X_IDENTITY N_("Identity string for EAP authentication methods. Often the user's user or login name.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_OPTIONAL N_("Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PAC_FILE N_("UTF-8 encoded file path containing PAC for EAP-FAST.") #define DESCRIBE_DOC_NM_SETTING_802_1X_PAC_FILE N_("UTF-8 encoded file path containing PAC for EAP-FAST.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD N_("UTF-8 encoded password used for EAP authentication methods. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.") #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD N_("UTF-8 encoded password used for EAP authentication methods. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.") #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")

62
libnm-core/nm-setting-8021x.c
View File

@@ -124,6 +124,7 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSetting8021x,
PROP_PIN, PROP_PIN,
PROP_PIN_FLAGS, PROP_PIN_FLAGS,
PROP_SYSTEM_CA_CERTS, PROP_SYSTEM_CA_CERTS,
PROP_OPTIONAL,
PROP_AUTH_TIMEOUT, PROP_AUTH_TIMEOUT,
); );
@@ -172,6 +173,7 @@ typedef struct {
NMSettingSecretFlags phase2_private_key_password_flags; NMSettingSecretFlags phase2_private_key_password_flags;
gboolean system_ca_certs; gboolean system_ca_certs;
int auth_timeout; int auth_timeout;
gboolean optional;
} NMSetting8021xPrivate; } NMSetting8021xPrivate;
G_DEFINE_TYPE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING) G_DEFINE_TYPE (NMSetting8021x, nm_setting_802_1x, NM_TYPE_SETTING)
@@ -2415,6 +2417,25 @@ nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting)
return NM_SETTING_802_1X_GET_PRIVATE (setting)->auth_timeout; return NM_SETTING_802_1X_GET_PRIVATE (setting)->auth_timeout;
} }
/**
* nm_setting_802_1x_get_optional:
* @setting: the #NMSetting8021x
*
* Returns the value contained in the #NMSetting8021x:optional property.
*
* Returns: %TRUE if the activation should proceed even when the 802.1X
* authentication fails; %FALSE otherwise
*
* Since: 1.22
**/
gboolean
nm_setting_802_1x_get_optional (NMSetting8021x *setting)
{
g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), FALSE);
return NM_SETTING_802_1X_GET_PRIVATE (setting)->optional;
}
/*****************************************************************************/ /*****************************************************************************/
static void static void
@@ -2801,6 +2822,17 @@ verify (NMSetting *setting, NMConnection *connection, GError **error)
if (error) if (error)
g_return_val_if_fail (*error == NULL, FALSE); g_return_val_if_fail (*error == NULL, FALSE);
if ( connection
&& priv->optional
&& !nm_streq0 (nm_connection_get_connection_type (connection), NM_SETTING_WIRED_SETTING_NAME)) {
g_set_error_literal (error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_INVALID_PROPERTY,
_("can be enabled only on Ethernet connections"));
g_prefix_error (error, "%s.%s: ", NM_SETTING_802_1X_SETTING_NAME, NM_SETTING_802_1X_OPTIONAL);
return FALSE;
}
if (!priv->eap) { if (!priv->eap) {
g_set_error_literal (error, g_set_error_literal (error,
NM_CONNECTION_ERROR, NM_CONNECTION_ERROR,
@@ -3141,6 +3173,9 @@ get_property (GObject *object, guint prop_id,
case PROP_AUTH_TIMEOUT: case PROP_AUTH_TIMEOUT:
g_value_set_int (value, priv->auth_timeout); g_value_set_int (value, priv->auth_timeout);
break; break;
case PROP_OPTIONAL:
g_value_set_boolean (value, priv->optional);
break;
default: default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break; break;
@@ -3319,6 +3354,9 @@ set_property (GObject *object, guint prop_id,
case PROP_AUTH_TIMEOUT: case PROP_AUTH_TIMEOUT:
priv->auth_timeout = g_value_get_int (value); priv->auth_timeout = g_value_get_int (value);
break; break;
case PROP_OPTIONAL:
priv->optional = g_value_get_boolean (value);
break;
default: default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break; break;
@@ -4388,6 +4426,30 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
NM_SETTING_PARAM_FUZZY_IGNORE | NM_SETTING_PARAM_FUZZY_IGNORE |
G_PARAM_STATIC_STRINGS); G_PARAM_STATIC_STRINGS);
/**
* NMSetting8021x:optional:
*
* Whether the 802.1X authentication is optional. If %TRUE, the activation
* will continue even after a timeout or an authentication failure. Setting
* the property to %TRUE is currently allowed only for Ethernet connections.
* If set to %FALSE, the activation can continue only after a successful
* authentication.
*
* Since: 1.22
**/
/* ---ifcfg-rh---
* property: optional
* variable: IEEE_8021X_OPTIONAL(+)
* default=no
* description: whether the 802.1X authentication is optional
* ---end---
*/
obj_properties[PROP_OPTIONAL] =
g_param_spec_boolean (NM_SETTING_802_1X_OPTIONAL, "", "",
FALSE,
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS);
g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
_nm_setting_class_commit (setting_class, NM_META_SETTING_TYPE_802_1X); _nm_setting_class_commit (setting_class, NM_META_SETTING_TYPE_802_1X);

3
libnm-core/nm-setting-8021x.h
View File

@@ -137,6 +137,7 @@ typedef enum { /*< flags, underscore_name=nm_setting_802_1x_auth_flags >*/
#define NM_SETTING_802_1X_PIN_FLAGS "pin-flags" #define NM_SETTING_802_1X_PIN_FLAGS "pin-flags"
#define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs" #define NM_SETTING_802_1X_SYSTEM_CA_CERTS "system-ca-certs"
#define NM_SETTING_802_1X_AUTH_TIMEOUT "auth-timeout" #define NM_SETTING_802_1X_AUTH_TIMEOUT "auth-timeout"
#define NM_SETTING_802_1X_OPTIONAL "optional"
/* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties /* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
* using the "blob" scheme, the data must be passed in PKCS#12 binary format. * using the "blob" scheme, the data must be passed in PKCS#12 binary format.
@@ -346,6 +347,8 @@ NM_AVAILABLE_IN_1_8
NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags (NMSetting8021x *setting); NMSetting8021xAuthFlags nm_setting_802_1x_get_phase1_auth_flags (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_8 NM_AVAILABLE_IN_1_8
int nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting); int nm_setting_802_1x_get_auth_timeout (NMSetting8021x *setting);
NM_AVAILABLE_IN_1_22
gboolean nm_setting_802_1x_get_optional (NMSetting8021x *setting);
G_END_DECLS G_END_DECLS

1
libnm/libnm.ver
View File

@@ -1634,5 +1634,6 @@ global:
nm_client_reload; nm_client_reload;
nm_client_reload_finish; nm_client_reload_finish;
nm_manager_reload_flags_get_type; nm_manager_reload_flags_get_type;
nm_setting_802_1x_get_optional;
nm_setting_gsm_get_auto_config; nm_setting_gsm_get_auto_config;
} libnm_1_20_0; } libnm_1_20_0;

5
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
View File

@@ -3527,6 +3527,11 @@ next:
timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0); timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL); g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
g_object_set (s_8021x,
NM_SETTING_802_1X_OPTIONAL,
svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE),
NULL);
return g_steal_pointer (&s_8021x); return g_steal_pointer (&s_8021x);
} }

5
src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
View File

@@ -524,6 +524,11 @@ write_8021x_setting (NMConnection *connection,
vint = nm_setting_802_1x_get_auth_timeout (s_8021x); vint = nm_setting_802_1x_get_auth_timeout (s_8021x);
svSetValueInt64_cond (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", vint > 0, vint); svSetValueInt64_cond (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", vint > 0, vint);
if (nm_setting_802_1x_get_optional (s_8021x))
svSetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", TRUE);
else
svUnsetValue (ifcfg, "IEEE_8021X_OPTIONAL");
if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error)) if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error))
return FALSE; return FALSE;