Allow creation of connections without admin privileges

Set passwords as agent-owned when they need to, to allow users without
root permissions to easily configure their connections.
The logic is:
- Bluetooth, CDMA and GSM connections: always user-owned
- WEP/WPA connections: system-owned if user has the permissions
  (with NM's config, that is netdev or sudo membership), user-owned
  otherwise. The password is stored in the keyring for WPA, not for
  WEP.
- WiMax / Wired connections: always system-owned (with 802.1x
  passwords in the keyring).

Closes: #696256

Gbp-Pq: Name Allow-creation-of-connections-without-admin-privileges.patch

src/applet-device-wifi.c

@@ -444,9 +444,10 @@ wifi_new_auto_connection (NMDevice *device,
 	NMConnection *connection;
 	NMSettingConnection *s_con;
 	NMSettingWireless *s_wifi = NULL;
-	NMSettingWirelessSecurity *s_wsec;
+	NMSettingWirelessSecurity *s_wsec = NULL;
 	NMSetting8021x *s_8021x = NULL;
 	GBytes *ssid;
+	NM80211ApFlags flags;
 	NM80211ApSecurityFlags wpa_flags, rsn_flags;
 	GtkWidget *dialog;
 	MoreInfo *more_info;
@@ -464,7 +465,6 @@ wifi_new_auto_connection (NMDevice *device,
 
 	/* Make the new connection available only for the current user */
 	s_con = (NMSettingConnection *) nm_setting_connection_new ();
-	nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
 	nm_connection_add_setting (connection, NM_SETTING (s_con));
 
 	ssid = nm_access_point_get_ssid (ap);
@@ -482,6 +482,7 @@ wifi_new_auto_connection (NMDevice *device,
 	/* If the AP is WPA[2]-Enterprise then we need to set up a minimal 802.1x
 	 * setting and ask the user for more information.
 	 */
+	flags = nm_access_point_get_flags (ap);
 	rsn_flags = nm_access_point_get_rsn_flags (ap);
 	wpa_flags = nm_access_point_get_wpa_flags (ap);
 	if (   (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
@@ -510,6 +511,29 @@ wifi_new_auto_connection (NMDevice *device,
 		nm_connection_add_setting (connection, NM_SETTING (s_8021x));
 	}
 
+	if (utils_default_to_private_connection (applet->nm_client)) {
+		if (!s_con) {
+			s_con = (NMSettingConnection *) nm_setting_connection_new ();
+			nm_connection_add_setting (connection, NM_SETTING (s_con));
+		}
+		nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
+
+		if ((rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK) ||
+		    (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_PSK)) {
+			if (!s_wsec) {
+				s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
+				nm_connection_add_setting (connection, NM_SETTING (s_wsec));
+			}
+			g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_PSK_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED, NULL);
+		} else if (flags & NM_802_11_AP_FLAGS_PRIVACY) {
+			if (!s_wsec) {
+				s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
+				nm_connection_add_setting (connection, NM_SETTING (s_wsec));
+			}
+			g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_WEP_KEY_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED, NULL);
+		}
+	}
+
 	/* If it's an 802.1x connection, we need more information, so pop up the
 	 * Dialog Of Doom.
 	 */

src/connection-editor/page-mobile.c

@@ -425,6 +425,7 @@ new_connection_mobile_wizard_done (NMAMobileWizard *wizard,
 	WizardInfo *info = user_data;
 
 	if (!canceled && method) {
+		NMSettingConnection *s_con;
 		NMSetting *type_setting;
 		const char *ctype = NULL;
 		char *detail = NULL;
@@ -438,6 +439,7 @@ new_connection_mobile_wizard_done (NMAMobileWizard *wizard,
 			              NM_SETTING_GSM_NUMBER, "*99#",
 			              NM_SETTING_GSM_USERNAME, method->username,
 			              NM_SETTING_GSM_PASSWORD, method->password,
+			              NM_SETTING_GSM_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED,
 			              NM_SETTING_GSM_APN, method->gsm_apn,
 			              NULL);
 			break;
@@ -449,6 +451,7 @@ new_connection_mobile_wizard_done (NMAMobileWizard *wizard,
 			              NM_SETTING_CDMA_NUMBER, "#777",
 			              NM_SETTING_GSM_USERNAME, method->username,
 			              NM_SETTING_GSM_PASSWORD, method->password,
+			              NM_SETTING_GSM_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED,
 			              NULL);
 			break;
 		default:
@@ -469,6 +472,13 @@ new_connection_mobile_wizard_done (NMAMobileWizard *wizard,
 		                             info->client);
 		g_free (detail);
 
+		s_con = nm_connection_get_setting_connection (info->connection);
+		if (!s_con) {
+			s_con = (NMSettingConnection *) nm_setting_connection_new ();
+			nm_connection_add_setting (info->connection, NM_SETTING (s_con));
+		}
+		nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
+
 		nm_connection_add_setting (info->connection, type_setting);
 		nm_connection_add_setting (info->connection, nm_setting_ppp_new ());
 	}

src/connection-editor/page-vpn.c

@@ -221,6 +221,7 @@ vpn_connection_new (FUNC_TAG_PAGE_NEW_CONNECTION_IMPL,
                     gpointer user_data)
 {
 	NMSetting *s_vpn;
+	NMSettingConnection *s_con;
 	const char *service_type;
 	gs_free char *service_type_free = NULL;
 	gs_free char *add_detail_key_free = NULL;
@@ -294,6 +295,13 @@ vpn_connection_new (FUNC_TAG_PAGE_NEW_CONNECTION_IMPL,
 		if (!service_type)
 			service_type = detail;
 
+		s_con = nm_connection_get_setting_connection (connection);
+		if (!s_con) {
+			s_con = (NMSettingConnection *) nm_setting_connection_new ();
+			nm_connection_add_setting (connection, NM_SETTING (s_con));
+		}
+		nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
+
 		s_vpn = nm_setting_vpn_new ();
 		g_object_set (s_vpn, NM_SETTING_VPN_SERVICE_TYPE, service_type, NULL);
 

src/connection-editor/page-wifi.c

@@ -12,6 +12,8 @@
 #include <math.h>
 
 #include "nm-connection-editor.h"
+#include "utils.h"
+
 #include "page-wifi.h"
 
 G_DEFINE_TYPE (CEPageWifi, ce_page_wifi, CE_TYPE_PAGE)
@@ -601,6 +603,17 @@ wifi_connection_new (FUNC_TAG_PAGE_NEW_CONNECTION_IMPL,
 	                             NM_SETTING_WIRELESS_SETTING_NAME,
 	                             TRUE,
 	                             client);
+
+	if (utils_default_to_private_connection (client)) {
+		NMSettingConnection *s_con;
+		s_con = nm_connection_get_setting_connection (connection);
+		if (!s_con) {
+			s_con = (NMSettingConnection *) nm_setting_connection_new ();
+			nm_connection_add_setting (connection, NM_SETTING (s_con));
+		}
+		nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
+	}
+
 	s_wifi = nm_setting_wireless_new ();
 	g_object_set (s_wifi, NM_SETTING_WIRELESS_MODE, "infrastructure", NULL);
 	nm_connection_add_setting (connection, s_wifi);

src/libnm-gtk/nm-wifi-dialog.c

@@ -22,6 +22,7 @@
 #include "wireless-security.h"
 #include "nm-ui-utils.h"
 #include "eap-method.h"
+#include "utils.h"
 
 G_DEFINE_TYPE (NMAWifiDialog, nma_wifi_dialog, GTK_TYPE_DIALOG)
 
@@ -1204,6 +1205,9 @@ nma_wifi_dialog_get_connection (NMAWifiDialog *self,
 			      NM_SETTING_CONNECTION_UUID, uuid,
 			      NULL);
 		g_free (uuid);
+		if (utils_default_to_private_connection (priv->client)) {
+			nm_setting_connection_add_permission (s_con, "user", g_get_user_name (), NULL);
+		}
 		nm_connection_add_setting (connection, (NMSetting *) s_con);
 
 		s_wireless = (NMSettingWireless *) nm_setting_wireless_new ();

src/mobile-helpers.c

@@ -168,6 +168,7 @@ mobile_wizard_done (NMAMobileWizard *wizard,
 			              NM_SETTING_CDMA_NUMBER, "#777",
 			              NM_SETTING_CDMA_USERNAME, method->username,
 			              NM_SETTING_CDMA_PASSWORD, method->password,
+			              NM_SETTING_CDMA_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED,
 			              NULL);
 			nm_connection_add_setting (connection, setting);
 		} else if (method->devtype == NM_DEVICE_MODEM_CAPABILITY_GSM_UMTS) {
@@ -178,6 +179,7 @@ mobile_wizard_done (NMAMobileWizard *wizard,
 			              NM_SETTING_GSM_USERNAME, method->username,
 			              NM_SETTING_GSM_PASSWORD, method->password,
 			              NM_SETTING_GSM_APN, method->gsm_apn,
+			              NM_SETTING_GSM_PASSWORD_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED,
 			              NULL);
 			nm_connection_add_setting (connection, setting);
 		} else
@@ -208,6 +210,7 @@ mobile_wizard_done (NMAMobileWizard *wizard,
 		                                      "user", g_get_user_name (), NULL);
 		g_free (uuid);
 		g_free (id);
+		nm_setting_connection_add_permission ((NMSettingConnection *) setting, "user", g_get_user_name (), NULL);
 		nm_connection_add_setting (connection, setting);
 	}
 

src/utils/utils.c

@@ -557,3 +557,11 @@ utils_key_filter (void)
 
 	return filter;
 }
+
+gboolean
+utils_default_to_private_connection (NMClient *client)
+{
+	NMClientPermissionResult perms;
+	perms = nm_client_get_permission_result (client, NM_CLIENT_PERMISSION_SETTINGS_MODIFY_SYSTEM);
+	return (perms != NM_CLIENT_PERMISSION_RESULT_YES);
+}

src/utils/utils.h

@@ -11,6 +11,8 @@
 
 #include <net/ethernet.h>
 
+#include <nm-client.h>
+
 gboolean utils_ether_addr_valid (const struct ether_addr *test_addr);
 
 #if LIBNM_BUILD
@@ -38,6 +40,8 @@ void utils_show_error_dialog (const char *title,
                               gboolean modal,
                               GtkWindow *parent);
 
+gboolean utils_default_to_private_connection (NMClient *client);
+
 #define NMA_ERROR (g_quark_from_static_string ("nma-error-quark"))
 
 typedef enum  {

src/wireless-security/ws-wep-key.c

@@ -155,6 +155,7 @@ static void
 fill_connection (WirelessSecurity *parent, NMConnection *connection)
 {
 	WirelessSecurityWEPKey *sec = (WirelessSecurityWEPKey *) parent;
+	NMSettingConnection *s_con;
 	NMSettingWirelessSecurity *s_wsec;
 	NMSettingSecretFlags secret_flags;
 	GtkWidget *widget, *passwd_entry;
@@ -181,6 +182,12 @@ fill_connection (WirelessSecurity *parent, NMConnection *connection)
 	              NM_SETTING_WIRELESS_SECURITY_WEP_KEY_TYPE, sec->type,
 	              NULL);
 
+	s_con = nm_connection_get_setting_connection (connection);
+
+	/* If the connection is user-owned, mark the secrets as agent-owned */
+	if (s_con && nm_setting_connection_get_num_permissions (s_con))
+		g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_WEP_KEY_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED, NULL);
+
 	for (i = 0; i < 4; i++) {
 		if (strlen (sec->keys[i]))
 			nm_setting_wireless_security_set_wep_key (s_wsec, i, sec->keys[i]);

src/wireless-security/ws-wpa-psk.c

@@ -97,12 +97,14 @@ fill_connection (WirelessSecurity *parent, NMConnection *connection)
 	WirelessSecurityWPAPSK *wpa_psk = (WirelessSecurityWPAPSK *) parent;
 	GtkWidget *widget, *passwd_entry;
 	const char *key;
+	NMSettingConnection *s_con;
 	NMSettingWireless *s_wireless;
 	NMSettingWirelessSecurity *s_wireless_sec;
 	NMSettingSecretFlags secret_flags;
 	const char *mode;
 	gboolean is_adhoc = FALSE;
 
+	s_con = nm_connection_get_setting_connection (connection);
 	s_wireless = nm_connection_get_setting_wireless (connection);
 	g_assert (s_wireless);
 
@@ -118,6 +120,9 @@ fill_connection (WirelessSecurity *parent, NMConnection *connection)
 	passwd_entry = widget;
 	key = gtk_editable_get_text (GTK_EDITABLE (widget));
 	g_object_set (s_wireless_sec, NM_SETTING_WIRELESS_SECURITY_PSK, key, NULL);
+	/* If the connection is user-owned, mark the secrets as agent-owned */
+	if (s_con && nm_setting_connection_get_num_permissions (s_con))
+		g_object_set (s_wireless_sec, NM_SETTING_WIRELESS_SECURITY_PSK_FLAGS, NM_SETTING_SECRET_FLAG_AGENT_OWNED, NULL);
 
 	/* Save PSK_FLAGS to the connection */
 	secret_flags = nma_utils_menu_to_secret_flags (passwd_entry);