lp:~lopin/network-manager-openconnect/+git/trunk-gitlab.gnome.org

Author: Alan Mortensen
Author Date: 2024-03-23 14:23:00 UTC

Update Danish translation

Author: dwmw2
Author Date: 2023-05-25 22:34:55 UTC

Reinstate openconnect_set_external_browser_callback handling in Gtk

This reinstates commit dfbfec25568a ("Add
openconnect_set_external_browser_callback for auth-dialog") having fixed
it not to invoke Gtk APIs from the libopenconnect I/O thread.

Author: Lubomir Rintel
Author Date: 2022-06-15 15:13:19 UTC

properties: load certificates & key from the connection

This has been omitted whilst porting to the Gtk4-ready NmaCertChooser.

[dwmw2: Update for MCA cert too, provide scheme to fix filenames]
Fixes: 650bfa6f60f8 ('properties: use NmaCertChooser')

Author: Hans Christian Schmitz
Author Date: 2022-12-30 21:35:33 UTC

auth-dialog: update libsoup API usage for libsoup3

webkit2gtk-4.1 upgraded to libsoup3, requiring some small changes:
* Cookie fields should now be accessed via accessor functions
* `soup_message_headers_free` was renamed to `soup_message_headers_unref`,
  but it should not be called in this context.
  The WebKit instance holds a `GUniquePtr` to the headers and hands out
  a raw ptr to us. The ownership of the data is with the WebKit instance.
  See also https://gitlab.gnome.org/GNOME/libsoup/-/blob/a35dc0a3a838f58042cb0dbdb1c57846af5f252f/NEWS#L184
  and https://webkitgtk.org/reference/webkit2gtk/2.38.3/method.URIResponse.get_http_headers.html

Author: Andika Triwidada
Author Date: 2023-02-13 07:31:07 UTC

Update Indonesian translation

Author: Lubomir Rintel
Author Date: 2022-06-16 07:49:59 UTC

properties: allow choosing certificate from a PKCS#11 token

Apparently, openconnect can handle certificates from PKCS#11 tokens.
Drop the NMA_CERT_CHOOSER_FLAG_PEM flags from NmaCertChoosers.

Author: dwmw2
Author Date: 2022-04-25 09:34:35 UTC

Handle default routes in split excludes

We attempted to 'fix' OpenConnect not to send these and to set the netmask
on the interface to 0 instead, but that caused compatibility problems which
we had to work around in commit 84e279cb7 ("src/helper: handle openconnect
8.20 netmask values.")

We want to revert that from the OpenConnect side as it's a regression, so
let's find a better way to achieve the original objective. Scan the split
includes to see if they include a default route. If they *do*, drop it from
the list we pass to NM explicitly, but *don't* set the never-default flag.

That should allow NM to honour the 'Use only for resources on this
connection' setting while still doing the right thing in other cases.

Author: Romain Failliot
Author Date: 2022-04-15 03:38:51 UTC

Update Fedora Docker image to last supported release

As per this Fedora documentation page: https://docs.fedoraproject.org/en-US/releases/eol/

Fedora 28 reached EOL the 2019-05-28.
The last Fedora release to be supported is Fedora 34, which will be EOL once Fedora 37 is out (the N-2 rule).

Author: Lubomir Rintel
Author Date: 2022-03-11 17:28:30 UTC

release: bump version to 1.2.9 (development)

Author: Lubomir Rintel
Author Date: 2022-03-11 07:40:09 UTC

build: distribute gtk4/nm-openconnect-dialog.ui

Include the file in the tarball so that the users don't have to
generate it for now. This works around an issue in the generator
tool [1], but also makes sure a good known file is used.

[1] https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/4415

Author: dwmw2
Author Date: 2021-05-14 12:20:04 UTC

Support openconnect_get_connect_url() to fix SNI and authgroup problems

Fixes: #53
Fixes: #46

A long time back, OpenConnect started returning the IP address when we
call openconnect_get_hostname(), to ensure that it ends up establishing
the connection to precisely the same host as it authenticated to. Since
we passed on the server certificate fingerprint explicitly it didn't
need to revalidate that anyway.

However, that breaks virtualhost servers which rely on either a Host:
header or SNI to provide the actual hostname. So where OpenConnect is
new enough to understand the --resolve argument, use that and go back
to giving it the *actual* hostname in the connect URL.

Meanwhile, the Pulse protocol started actually caring about the *path*
for the connection; it's the only one for which the path part of the
URL actually matters after authentication, and isn't just noise left
behind by the last form we authenticated to. So for *Pulse* only, add
the path too.

The next OpenConnect release will have openconnect_get_connect_url()
and we won't need to do that by hand, but for now we *can* support
versions going back to v7.07 where the --resolve argument was added,
so let's do so.

We need to construct the --resolve argument too, and everything we
need to do that is already available, although it's a bit icky that
we have to strip the [] from around IPv6 literals.

Author: dwmw2
Author Date: 2019-06-10 14:15:45 UTC

Remove hard-coded protocol lists.

Well, not entirely. But use them only for protocols that predate the
openconnect_get_supported_protocols() API. Only use the old list as
a fallback, and that means it only has to have anyconnect and nc in
it; nothing newer.

Author: Lubomir Rintel
Author Date: 2018-10-17 13:21:30 UTC

build: disable libnm-glib support by default

By now nobody should be using this. Keep the code around for a little
longer just in case anybody still uses this.

The libnm-glib support also serves as an example how do we build two
different versions of the properties plugin. We'll soon be in a similar
situation with Gtk 4.0. (sigh.) Just don't drop it yet.

https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/merge_requests/5

Author: Lubomir Rintel
Author Date: 2018-06-19 11:07:06 UTC

service: deleage CSD trojan execution to the agent

The service sets --csd-wrapper to a shim program that forwards the agent
to the service. The shim passes the arguments to the service.

The service issues a secrets requests, forwarding the arguments passed
to the shim as hints. The auth helper recognizes those and runs the CSD
trojan instead of asking for actual secrets.

Upon receiving the new "secrets" from the auth helper, the service
responds to the shim which, in turn, prints the result back to the
openconnect.

This makes CSD scripts work with GlobalProtect networks that can request
CSD to be run after the authentication phase.

Based on work by Daniel Lenski <dlenski@gmail.com>

Author: Lubomir Rintel
Author Date: 2018-06-07 16:47:59 UTC

all: update bug tracker address

Author: Lubomir Rintel
Author Date: 2018-05-28 15:06:46 UTC

build: add GNOME GitLab CI configuration

The pipeline begins with "build" stage doing a distcheck on Fedora 28
(which is still known to ship libnm-glib) and outputting a tarball
artifact.

The output is then used in the "test" stage.

In future, builds on some older platforms, CentOS and Ubuntu and clang
builds would be nice. Not implemented at this point, but it should be
straightforward enough.

Maybe a build with a Git snapshot of NetworkManager and/or
network-manager-applet would be useful at some point, but that's not
implemented either.

Author: Lubomir Rintel
Author Date: 2016-11-19 12:47:38 UTC

auth-helper: add non-interactive mode

This allows fully automated logins.

Proceed submitting the forms if there's exactly one host and all the secrets
are saved. Stop on error or when too many forms have been submitted (to
prevent submitting the same form indefinitely).

This uses the dialog internally, but doesn't present it.

Author: Lubomir Rintel
Author Date: 2016-11-19 12:47:38 UTC

auth-helper: add non-interactive mode

This allows fully automated logins.

Proceed submitting the forms if there's exactly one host and all the secrets
are saved. Stop on error or when too many forms have been submitted (to
prevent submitting the same form indefinitely).

This uses the dialog internally, but doesn't present it.

Author: Lubomir Rintel
Author Date: 2016-11-19 09:40:47 UTC

helper: add domain to IP6

Author: David Woodhouse
Author Date: 2016-07-04 10:56:00 UTC

Make master branch build against NM 1.2 to provide (hidden) Juniper support

You'd have to explicitly enable the option with nmcli but it should work,
and *lots* of people are asking for it, so best not to make them wait until
1.4.

Author: Lubomir Rintel
Author Date: 2016-04-12 19:40:29 UTC

appdata: add appstream metadata

Author: Lubomir Rintel
Author Date: 2015-11-20 15:16:08 UTC

release: bump version to 1.0.9 (development)

Author: Lubomir Rintel
Author Date: 2015-10-13 17:23:31 UTC

helper: make it possible to make helper speak to a different bus.

Author: Lubomir Rintel
Author Date: 2015-08-31 12:36:20 UTC

build: create xz compressed tarballs by default

GNOME release tooling repacks the bz2 to a xz anyway. This makes it
easier for packagers to use tarballs created with "make dist" in place of
distribution tarballs.

Author: Lubomir Rintel
Author Date: 2015-08-21 09:13:41 UTC

build: install into /usr/lib/NetworkManager/VPN as well

That's the preferred location now, though we can't just get rid of the old one yet.

Author: Dan Williams
Author Date: 2015-03-04 17:03:53 UTC

release: bump version to 0.9.10.3 (development)

Author: Iñaki Larrañaga Murgoitio
Author Date: 2015-02-07 16:45:26 UTC

Updated Basque language

Author: Jiří Klimeš
Author Date: 2014-03-17 16:28:29 UTC

core: NMVPNPlugin initialization changed to use GInitable (rh #1050934)

https://bugzilla.redhat.com/show_bug.cgi?id=1050934

Author: Murilo Opsfelder Araujo
Author Date: 2013-06-04 19:20:52 UTC

Add gnome-keyring support to NM_0_8 branch

Backported the following commits:

72f391a24487ab442290c47e2e670f52c41b0608 Use gnome-keyring for password fields
db47228f8e73b41549f89d941d52ae8e3acafb62 gnome-keyring: use the vpn_uuid instead of the host
d9f4b023fd4211affdd5a1b69305a4de78ac60f3 Only store passwords in keyring upon success
31a0e8b8cf78206cda34ab593ba90c3d28ebbc29 Handle string == NULL in gnome-keyring callback
a37b1f725c460b5237ed6ab36a961c2e3f1c8145 Remove passwords from gnome-keyring when user disables 'save passwords'
96a0741b154dbb3a629038b34c89469b9bd11adb Fix nm_process_auth_form() to clear 'form_grabbed' and cancel keyring ops
eee2f4fd0f1aa3e2439c9ca337b00f5a382d9b8e When entry with focus gets password from gnome-keyring, select the full region

Author: Mazi
Author Date: 2013-02-25 10:27:24 UTC

Updated Spanish translation

Author: Dan Williams
Author Date: 2010-07-28 07:37:16 UTC

release: bump version to 0.7.3