authorAndrew Zaborowski <andrew.zaborowski@intel.com>2021-03-25 18:06:27 +0100
committerThomas Haller <thaller@redhat.com>2021-04-01 17:19:15 +0200
commit2a1b65ce12ee8063910a88674b53b03e1de3cad1 (patch)
treebfc0bb2800f5ce239db576db5a5376d716cfb85b
parent34285fec76591b5c216cf24bdf4765f6210c327b (diff)
settings: Don't clone connections to serialize secrets
Use the new nm_connection_to_dbus() flags to filter secrets instead of cloning connections and using _nm_connection_clear_secrets_by_secret_flags() and then serializing all secrets in NMSettingsConnection. Fix a related comment.
-rw-r--r--src/core/settings/nm-settings-connection.c52
1 files changed, 15 insertions, 37 deletions
diff --git a/src/core/settings/nm-settings-connection.c b/src/core/settings/nm-settings-connection.c
index 6f400f7e85..83ca261060 100644
--- a/src/core/settings/nm-settings-connection.c
+++ b/src/core/settings/nm-settings-connection.c
@@ -436,27 +436,16 @@ nm_settings_connection_check_permission(NMSettingsConnection *self, const char *
static void
update_system_secrets_cache(NMSettingsConnection *self, NMConnection *new)
{
- NMSettingsConnectionPrivate *priv = NM_SETTINGS_CONNECTION_GET_PRIVATE(self);
- gs_unref_object NMConnection *connection_cloned = NULL;
- gs_unref_variant GVariant *old_secrets = NULL;
+ NMSettingsConnectionPrivate *priv = NM_SETTINGS_CONNECTION_GET_PRIVATE(self);
+ gs_unref_variant GVariant *old_secrets = NULL;
old_secrets = g_steal_pointer(&priv->system_secrets);
- if (!new)
- goto out;
-
- /* FIXME: improve NMConnection API so we can avoid the overhead of cloning the connection,
- * in particular if there are no secrets to begin with. */
-
- connection_cloned = nm_simple_connection_new_clone(new);
-
- /* Clear out non-system-owned and not-saved secrets */
- _nm_connection_clear_secrets_by_secret_flags(connection_cloned, NM_SETTING_SECRET_FLAG_NONE);
-
- priv->system_secrets = nm_g_variant_ref_sink(
- nm_connection_to_dbus(connection_cloned, NM_CONNECTION_SERIALIZE_ONLY_SECRETS));
+ if (new) {
+ priv->system_secrets = nm_g_variant_ref_sink(
+ nm_connection_to_dbus(new, NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED));
+ }
-out:
if (_LOGT_ENABLED()) {
if ((!!old_secrets) != (!!priv->system_secrets)) {
_LOGT("update system secrets: secrets %s", old_secrets ? "cleared" : "set");
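Review bot: The removed comments were the only statement of which secrets each cache may hold, and the new `nm_connection_to_dbus()` call in `update_system_secrets_cache()` (and likewise the one in `update_agent_secrets_cache()` in the next hunk) carries none. These caches decide which secrets are treated as system-owned and which as agent-owned or not-saved, so I would put a one-line comment above each call, e.g. `/* Cache only system-owned secrets (secret flags == NONE), no non-secret properties. */` and `/* Cache only secrets flagged agent-owned or not-saved. */`. Whether this matches the old clone + `_nm_connection_clear_secrets_by_secret_flags()` + `NM_CONNECTION_SERIALIZE_ONLY_SECRETS` path depends on how the `WITH_SECRETS_*` flags are defined, which is not visible here. Presumably they serialize secrets only when no non-secret flag is passed; a unit test comparing the old and new output for a connection with mixed secret flags would confirm that no agent-owned secret ends up in the system cache. Both function bodies continue past the end of their hunks.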
@@ -468,29 +457,18 @@ out:
static void
update_agent_secrets_cache(NMSettingsConnection *self, NMConnection *new)
{
- NMSettingsConnectionPrivate *priv = NM_SETTINGS_CONNECTION_GET_PRIVATE(self);
- gs_unref_object NMConnection *connection_cloned = NULL;
- gs_unref_variant GVariant *old_secrets = NULL;
+ NMSettingsConnectionPrivate *priv = NM_SETTINGS_CONNECTION_GET_PRIVATE(self);
+ gs_unref_variant GVariant *old_secrets = NULL;
old_secrets = g_steal_pointer(&priv->agent_secrets);
- if (!new)
- goto out;
-
- /* FIXME: improve NMConnection API so we can avoid the overhead of cloning the connection,
- * in particular if there are no secrets to begin with. */
-
- connection_cloned = nm_simple_connection_new_clone(new);
-
- /* Clear out non-system-owned secrets */
- _nm_connection_clear_secrets_by_secret_flags(connection_cloned,
- NM_SETTING_SECRET_FLAG_NOT_SAVED
- | NM_SETTING_SECRET_FLAG_AGENT_OWNED);
-
- priv->agent_secrets = nm_g_variant_ref_sink(
- nm_connection_to_dbus(connection_cloned, NM_CONNECTION_SERIALIZE_ONLY_SECRETS));
+ if (new) {
+ priv->agent_secrets = nm_g_variant_ref_sink(
+ nm_connection_to_dbus(new,
+ NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED
+ | NM_CONNECTION_SERIALIZE_WITH_SECRETS_NOT_SAVED));
+ }
-out:
if (_LOGT_ENABLED()) {
if ((!!old_secrets) != (!!priv->agent_secrets)) {
_LOGT("update agent secrets: secrets %s", old_secrets ? "cleared" : "set");
@@ -1568,7 +1546,7 @@ update_auth_cb(NMSettingsConnection * self,
gs_unref_object NMConnection *for_agent = NULL;
/* Dupe the connection so we can clear out non-agent-owned secrets,
- * as agent-owned secrets are the only ones we send back be saved.
+ * as agent-owned secrets are the only ones we send back to be saved.
* Only send secrets to agents of the same UID that called update too.
*/
for_agent = nm_simple_connection_new_clone(nm_settings_connection_get_connection(self));