Re: Inconsistency in flags sent to GetSecrets() for VPN connections



Hello,

I went back and tested again with TRACE logging enabled, here are the results:

- GNOME on Fedora 32 (NM 1.22.14):
  * activating via applet: https://pastebin.com/raw/ubLUSusH
  * activating via settings page: https://pastebin.com/raw/jaR4EtuE
  * activating via nmcli: https://pastebin.com/raw/jfJuq2zW
- KDE on my Gentoo desktop (NM 1.26.0):
  * activating via applet: https://pastebin.com/raw/gsrtaiy4

In all cases EXCEPT the GNOME applet case SecretAgents are queried in reverse
registration order:

[nmcli]->script->org.gnome.Shell.NetworkAgent/org.kde.plasma.networkmanagement

In the GNOME applet case the order of the checks is reversed. The PID of the
process that sent the connection activation request does match with the PID
of gnome-shell. HOWEVER, in the KDE applet case the PID of the process that
activates the request is that of plasmashell but the order in which the agents
are queried is the 'correct' one (reverse registration order).

Also in the GNOME applet case the log for the GetSecrets() calls with flags=5
is weird - NM says:

Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0879] vpn-connection[0x55cb06a442b0,64807cd4-6d57-4ee6-8549-898eb6990446,"test-connection",0]: requesting VPN secrets pass #3
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0881] Secrets requested for connection /org/freedesktop/NetworkManager/Settings/1 (test-connection/vpn)
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0881] agent-manager: agent[d03fcadacfc9bd59,:1.121/dev.ileonte.VPNSSO/1000]: agent allowed for secrets request [069543b75f29276e/"test-connection"/"vpn"]
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0881] agent-manager: agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent allowed for secrets request [069543b75f29276e/"test-connection"/"vpn"]
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0881] settings-connection[a9177daad52eea09,64807cd4-6d57-4ee6-8549-898eb6990446]: (vpn:0x7f6f3c004220) secrets requested flags 0x5 hints '(none)'
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0882] agent-manager: ([069543b75f29276e/"test-connection"/"vpn"]) system settings secrets insufficient, asking agents
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0882] agent-manager: agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent getting secrets for request [069543b75f29276e/"test-connection"/"vpn"]
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.0882] agent-manager: ([069543b75f29276e/"test-connection"/"vpn"]) request has system secrets; checking agent :1.71 for MODIFY
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <trace> [1598553359.0882] auth: call[76]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=1469, uid=1000, start=1982]
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <trace> [1598553359.1038] auth: call[76]: completed: authorized=1, challenge=0
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <debug> [1598553359.1038] agent-manager: agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent [069543b75f29276e/"test-connection"/"vpn"] MODIFY check result YES
Aug 27 21:35:59 localhost.localdomain NetworkManager[792]: <trace> [1598553359.1040] secret-agent[1b10dd043b0034b2] request [a607f1a89ad6835e,GetSecrets,"/org/freedesktop/NetworkManager/Settings/1"]: new request...
Aug 27 21:36:01 localhost.localdomain NetworkManager[792]: <trace> [1598553361.3152] secret-agent[1b10dd043b0034b2] request [a607f1a89ad6835e,GetSecrets,"/org/freedesktop/NetworkManager/Settings/1"]: completed successfully
Aug 27 21:36:01 localhost.localdomain NetworkManager[792]: <debug> [1598553361.3152] agent-manager: agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent returned secrets for request [069543b75f29276e/"test-connection"/"vpn"]
Aug 27 21:36:01 localhost.localdomain NetworkManager[792]: <debug> [1598553361.3154] settings-connection[a9177daad52eea09,64807cd4-6d57-4ee6-8549-898eb6990446]: (vpn:0x7f6f440078a0) secrets returned from agent :1.71
Aug 27 21:36:01 localhost.localdomain NetworkManager[792]: <debug> [1598553361.3154] settings-connection[a9177daad52eea09,64807cd4-6d57-4ee6-8549-898eb6990446]: (vpn:0x7f6f440078a0) secrets request completed

but that can't possibly be right because all I did was close the auth-dialog
window as soon as it popped up so I'm not sure what 'secrets' were returned
exactly. This is probably why my own GetSecrets() function is never called with
flags=5 in this case - as far as NM is concerned the first secret agent it
queried told it that it had the secrets for the connection even though it
really didn't.

Is there any config option to disable the prefer-pid-of-the-activating-process
logic in NM? This seems like a really arbitrary thing to have in there.
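
Added example, not part of the original message and not NetworkManager code: a small Python parser for agent-manager debug lines like the ones quoted above. For each secrets request it reports the decoded GetSecrets flags, which agents were allowed, which were actually queried, and which one answered. The function name summarize and the pairing of the flags line with the preceding "agent allowed" lines are assumptions of this sketch; SAMPLE is a shortened copy of lines from the log above.

```python
import re

# NMSecretAgentGetSecretsFlags bits from the NetworkManager D-Bus API.
FLAGS = {0x1: "ALLOW_INTERACTION", 0x2: "REQUEST_NEW", 0x4: "USER_REQUESTED",
         0x8: "WPS_PBC_ACTIVE", 0x40000000: "NO_ERRORS", 0x80000000: "ONLY_SYSTEM"}

RE_AGENT = re.compile(
    r'agent\[\w+,:[\d.]+/(?P<name>[\w.]+)/\d+\]: agent '
    r'(?P<verb>allowed for|getting|returned) secrets (?:for )?request '
    r'\[(?P<req>\w+)/')
RE_FLAGS = re.compile(r'secrets requested flags (0x[0-9a-fA-F]+)')

def summarize(raw):
    """Per request id: decoded flags, agents allowed, agents queried, answerer."""
    text = " ".join(raw.split())          # undo mail-client line wrapping
    events = [(m.start(), m) for rx in (RE_AGENT, RE_FLAGS)
              for m in rx.finditer(text)]
    out, last = {}, None
    for _, m in sorted(events, key=lambda e: e[0]):
        if m.re is RE_FLAGS:
            # Assumption: the flags line belongs to the request whose
            # "agent allowed" lines were logged just before it.
            if last:
                value = int(m.group(1), 16)
                out[last]["flags"] = [n for bit, n in FLAGS.items() if value & bit]
            continue
        last = m["req"]
        r = out.setdefault(last, {"flags": [], "allowed": [], "queried": [],
                                  "answered_by": None})
        if m["verb"] == "allowed for":
            r["allowed"].append(m["name"])
        elif m["verb"] == "getting":
            r["queried"].append(m["name"])
        else:
            r["answered_by"] = m["name"]
    for r in out.values():
        # Allowed agents that never received a GetSecrets() call.
        r["never_queried"] = [a for a in r["allowed"] if a not in r["queried"]]
    return out

# Shortened copy of lines from the log above (syslog prefixes dropped).
SAMPLE = """
agent[d03fcadacfc9bd59,:1.121/dev.ileonte.VPNSSO/1000]: agent allowed
for secrets request [069543b75f29276e/"test-connection"/"vpn"]
agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent
allowed for secrets request [069543b75f29276e/"test-connection"/"vpn"]
(vpn:0x7f6f3c004220) secrets requested flags 0x5 hints '(none)'
agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent
getting secrets for request [069543b75f29276e/"test-connection"/"vpn"]
agent[1b10dd043b0034b2,:1.71/org.gnome.Shell.NetworkAgent/1000]: agent
returned secrets for request [069543b75f29276e/"test-connection"/"vpn"]
"""
```

Calling summarize(SAMPLE) decodes flags 0x5 as ALLOW_INTERACTION plus USER_REQUESTED and lists dev.ileonte.VPNSSO under never_queried.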

