GitLab

!17

GtkMenu and friends are all gone from Gtk4.

Bump it by one release -- should be uniquitous. We need the GtkPopover.

Drawing is handled differently in Gtk4.

With GtkFileChooserButton gone from Gtk4, the NmaFileCertChooser lost
its point. With better support for plain PEM files in NmaCertChooserButton,
the NmaPkcs11CertChooser can replace it completely.

Let's drop the machinery for providing different implementations of
NmaFileCertChooser logic and keep what used to be NmaPkcs11CertChooser.

In Gtk4 the GtkFileChooser only deals with GFile instead of URIs and
file names.

NMACertChooserButton would always have been able to pick certificates or
keys from plain PEM/P12 files.

This takes it a bit further and makes it possible to make it pick
*only* files -- not PKCS#11 objects with the intruduction of a new
NMA_CERT_CHOOSER_BUTTON_FLAG_PEM flag.

This makes it possible to use NMACertChooserButton instead of
GtkFileChooserButton. This makes NMACertChooser slightly simpler, but,
perhaps more importantly, provides for a migration path for GTK4, that
drops GtkFileChooserButton.

The widget now works even when GCR/GCK is not available.

Gtk3 compatibility is kept with a compatibility shim.

gtk_main() and gtk_main_quit() are gone. Replace them with GMainLoop
instead.

We do provide compatibility shim for gtk_box_append() that makes the
whole #ifdef dance unnecessary.

It is gone from Gtk4.

These work differently in Gtk4.

This works differently in Gtk4. Keep compatibility with Gtk3.

Replace the calls. We provide compatibility calls already.

GtkContainer is gone from Gtk4.

In Gtk4, only the windows can be destroyed explicitly and they in turn
take care of their children. Let's use the Gtk4 API we provide a compat
shim for.

It is gone from Gtk4. The migration manuals suggest replacing it with a
GtkButton & GtkFileChooser directly, which is what we do here.

This is going to be useful in few places where the library widgets
invoke modal dialogs.

This allows code written to utilize Gtk4 to work with Gtk3 reasonably well.

These are no longer present in Gtk4:

  GtkWindow.window_position
  GtkDialog.type_hint
  GtkAspectFrame.label_xalign

We don't use it anywhere any more.

In absence of an widget that receives the default activations this
results in activation of the currently focused widget. This results in
infinite recursion if we're responding to its activation in the first
place.

Even though this would be a programming error, it's difficult to spot
and can be caused just with an ommission of a single property in the
GtkBuilder side.

Let's be on the safe side and just invoke the response directly.

In Gtk4, GtkAssistant class is final. We can't subclass from it anymore.

Using a procedure that wraps a macro is generally inferior to using the
macro directly. A real procedure is used only in one spot -- no need to
have it in the common utils package.

It is not used anywhere.

It is not used anywhere.

It is not available in Gtk4 and is not too useful anyway.

Fixes: 0c54ce26 ("libnma: add PKCS#11 login dialog")

Eivind Næss authored Mar 18, 2021 and Thomas Haller committed Mar 18, 2021

The handling of the various input and cases, and to get these right is difficult; partially because of the number of inputs and the
various states the component can be in. I've taken the pre-caution by creating a State Machine laid out by the text below that will
adequately describe the current state, the action taken and the result of each user action as listed below.

I've methodically gone through and tested each state with my change.

Tested the following scenarios:

The seven states, except for 1, 3, and 5 (as they cannot be saved), as spelled out below describe the initial state when restoring a
configuration using network-manager-openvpn plugin. For each of the starting state (0, 2, 4, 6), sufficient input has been made to
transition between each of these states.

The states:

State 0: When starting from from all blank fields, Cert is enabled, Key and Password are disabled
  * Set PKCS12 for certificate
    - Key gets PKCS12 value,
    - Password entry is enabled
    - Goto 5
  * Set X509 for Certificate
    - Key becomes enabled
    - Goto 1

State 1: When using X509 for certificate, Key is blank, Password is empty and disabled
  * Change Cert to PCKS12
    - Key gets PKCS12 value
    - Password is enabled
    - Goto 5
  * Change Key to PKCS12
    - Cert gets PKCS12 value
    - Password is enabled
    - Goto 5
  * Change key to use an un-encrypted RSA key
    - No change
    - Goto 2
  * Change key to use an encrypted RSA key
    - Password is enabled
    - Goto 3

State 2: When using X509 for Certificate, Key has an un-encrypted RSA key, Password is empty and disabled
  * Change Cert to PKCS12
    - Key gets PKCS12 value
    - Password is enabled
    - Goto 5
  * Change Key to PKCS12
    - Cert gets PKCS12 value
    - Password is enabled
    - Goto 5
  * Change Cert to different X509 certificate
    - No change
    - Goto 2
  * Change Key to encrypted RSA key
    - Password is enabled
    - Goto 3
  * Change Key to different un-encrypted RSA key
    - No change
    - Goto 2

State 3: When using X509 for Certificate, Key has an *encrypted* RSA key, Password is empty and enabled
  * Change Cert to PKCS12
    - Key gets PKCS12 value
    - Goto 5
  * Change Key to PKCS12
    - Cert gets PKCS12 value
    - Goto 5
  * Change Cert to different X509 certificate
    - No change
    - Goto 3
  * Change Key to un-encrypted RSA key
    - Password is disabled
    - Goto 2
  * Change Key to different encrypted RSA key
    - No change
    - Goto 3
  * Enter password
    - No change
    - Goto 4

State 4: When using X509 for Certificate, Key has an *encrypted* RSA key, Password has value and is enabled
  * Change Cert to PKCS12
    - Key gets PKCS12 value
    - Password is cleared
    - Goto 5
  * Change Key to PKCS12
    - Cert gets PKCS12 value
    - Password is cleared
    - Goto 5
  * Change Key to invalid RSA value (e.g. X509 certificate)
    - Password is cleared
    - Key is marked with error (GTK bug, error marking not visible to end-user in FileChooser component)
    - Goto 2
  * Change Cert to different X509 certificate
    - No change
    - Goto 4
  * Change Key to un-encrypted RSA key
    - Password is cleared
    - Password is disabled
    - Goto 2
  * Change Key to different encrypted RSA key
    - No Change, see Note 1
    - Goto 4

State 5: When using PKCS12 for Certificate and Key, Key is disabled, Password is empty and enabled
  * Change Cert to use X509 certificate
    - Key is cleared
    - Password is disabled
    - Goto 1
  * Enter password
    - No change
    - Goto 6

State 6: When using PKCS12 for Certificate and Key, Key is disabled, Password has a value and is enabled
  * Change Cert to use X509 certificate
    - Key is cleared
    - Password is cleared
    - Password is disabled
    - Goto 1
  * Clear password
    - No change
    - Goto 5

Notes:
1) To clear password here, we can't destinguish if user set a different key or if network-manager-openvpn restored an existing configuration.
Signed-off-by: Eivind Naess <eivnaes@yahoo.com>

#6

!16