author | Lubomir Rintel <lkundrak@v3.sk> | 2017-01-17 19:00:16 +0100 |
---|---|---|
committer | Lubomir Rintel <lkundrak@v3.sk> | 2017-01-17 19:53:50 +0100 |
commit | 140eeeafa8b363c0be15087d03ca661e459d10a0 (patch) | |
tree | 2fd4a02ab074861495872dcfa02f1085f5d9da28 /clients/cli | |
parent | 82859bdc3ec9fc6e782e4c07edb9f3fe023c2179 (diff) | |
cli: don't send secrets unless we actually learn them
Diffstat (limited to 'clients/cli')
-rw-r--r-- | clients/cli/connections.c | 36 | ||||
-rw-r--r-- | clients/cli/settings.c | 11 | ||||
-rw-r--r-- | clients/cli/settings.h | 2 |
3 files changed, 49 insertions, 0 deletions
diff --git a/clients/cli/connections.c b/clients/cli/connections.c
index 09adf0e812..231b702ab3 100644
--- a/clients/cli/connections.c
+++ b/clients/cli/connections.c
@@ -1716,6 +1716,11 @@ get_connection (NmCli *nmc, int *argc, char ***argv, int *pos, GError **error)
 _("unknown connection '%s'"), **argv);
 }
 
+ /* This connection has no secrets until we update it with ones. */
+ g_object_set (NM_REMOTE_CONNECTION (connection),
+ NM_REMOTE_CONNECTION_SERIALIZE_FLAGS, NM_CONNECTION_SERIALIZE_NO_SECRETS,
+ NULL);
+
 /* If the caller wants multiple results (pos is set) and there are any,
 * don't switch to next argument.
 */
@@ -3632,6 +3637,32 @@ reset_options (void)
 }
 }
 
+/*
+ * If the connection is a remote connection, update it with secrets. Set a flag to
+ * indicate we're serializing the secrets if we commit the connection.
+ */
+static void
+ensure_remote_secrets (NMConnection *connection)
+{
+ NMConnectionSerializationFlags serialize_flags;
+
+ /* If this is not a remote connection, it is thought to always
+ * have secrets. */
+ if (!NM_IS_REMOTE_CONNECTION (connection))
+ return;
+
+ g_object_get (connection,
+ NM_REMOTE_CONNECTION_SERIALIZE_FLAGS, &serialize_flags,
+ NULL);
+
+ if (serialize_flags == NM_CONNECTION_SERIALIZE_NO_SECRETS)
+ update_secrets_in_connection (NM_REMOTE_CONNECTION (connection), connection);
+
+ g_object_set (connection,
+ NM_REMOTE_CONNECTION_SERIALIZE_FLAGS, NM_CONNECTION_SERIALIZE_ALL,
+ NULL);
+}
+
 static gboolean
 set_property (NMConnection *connection,
 const char *setting_name, const char *property, const char *value,
@@ -3664,6 +3695,11 @@ set_property (NMConnection *connection,
 return FALSE;
 }
 
+ /* If we're setting a secret, we better make sure we are aware of the
+ * other secrets too. */
+ if (nmc_setting_property_is_secret (setting, property_name))
+ ensure_remote_secrets (connection);
+
 if (modifier != '-') {
 /* Set/add value */
 if (modifier != '+') {
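Review bot: The `g_object_set` added to get_connection runs unconditionally as far as the first hunk shows: the `}` just above it closes the block that reports `unknown connection '%s'`, and nothing visible returns before the new call. If `connection` can be NULL there, `NM_REMOTE_CONNECTION (connection)` is applied to NULL and GLib emits a critical on top of the lookup error. Guarding the call with `if (connection)`, or moving it into the found path, keeps the NO_SECRETS marking tied to a connection that actually exists. get_connection starts and ends outside the hunk, so this needs confirming against the full body.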
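Review bot: ensure_remote_secrets flips the connection to `NM_CONNECTION_SERIALIZE_ALL` whether or not `update_secrets_in_connection` obtained anything, because the call's outcome is never examined and the final `g_object_set` is unconditional. That function's body is not part of this diff, so the following is inferred: if the secrets request fails or is denied, a later commit would serialize with secrets enabled while holding only the one just set, which is the overwrite the commit title sets out to prevent. Having `update_secrets_in_connection` report success, and setting the flag (or failing the edit) based on that result, would close the gap. The header comment could also say that the function does nothing for non-remote connections and that the flag stays at ALL once set.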
diff --git a/clients/cli/settings.c b/clients/cli/settings.c
index 40cf9754ad..c8f60d104b 100644
--- a/clients/cli/settings.c
+++ b/clients/cli/settings.c
@@ -8254,6 +8254,17 @@ nmc_setting_get_property_parsable (NMSetting *setting, const char *prop, GError
 return get_property_val (setting, prop, NMC_PROPERTY_GET_PARSABLE, error);
 }
 
+gboolean
+nmc_setting_property_is_secret (NMSetting *setting, const char *prop)
+{
+ GParamSpec *param_spec;
+
+ param_spec = g_object_class_find_property (G_OBJECT_GET_CLASS (G_OBJECT (setting)), prop);
+ if (param_spec)
+ return !!(param_spec->flags & NM_SETTING_PARAM_SECRET);
+ return FALSE;
+}
+
 /*
 * Generic function for setting property value.
 *
diff --git a/clients/cli/settings.h b/clients/cli/settings.h
index ad503f9ef6..c732328d10 100644
--- a/clients/cli/settings.h
+++ b/clients/cli/settings.h
@@ -45,6 +45,8 @@ char *nmc_setting_get_property (NMSetting *setting,
 char *nmc_setting_get_property_parsable (NMSetting *setting,
 const char *prop,
 GError **error);
+gboolean nmc_setting_property_is_secret (NMSetting *setting,
+ const char *prop);
 gboolean nmc_setting_set_property (NMSetting *setting,
 const char *prop,
 const char *val, |
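Review bot: nmc_setting_property_is_secret in settings.c returns FALSE both for a non-secret property and for a name that `g_object_class_find_property` does not recognise, and the new function has no comment saying so. set_property uses this answer to decide whether remote secrets must be fetched before an edit, so the fallback should be documented, for example `/* Returns TRUE if @prop is flagged NM_SETTING_PARAM_SECRET on @setting; FALSE otherwise, including when @prop is not a property of @setting. */`. `setting` is passed to `G_OBJECT_GET_CLASS` without a check, so the comment should also state that it must be non-NULL.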