NetworkManager: Wireguard private key flag support

[daniloegea]

Description

Network Manager supports storing the Wireguard private key in an external keychain agent, like the kdewallet. In this cases, it will emit the following configuration in the keyfile: wireguard.private-key-flags=1 and omit the private key, which will be stored somewhere else.

The new key will look like this:

network:
  version: 2
  tunnels:
    wg-tunnel:
      renderer: NetworkManager
      addresses:
      - "10.20.30.1/24"
      mode: "wireguard"
      port: 51820
      keys:
        private-key-flags:
        - agent-owned

Adding this options is one way of solving the issue described here https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2024661

Checklist

• Runs make check successfully.
• Retains 100% code coverage (make check-coverage).
• New/changed keys in YAML format are documented.
• (Optional) Adds example YAML for new feature.
• (Optional) Closes an open bug in Launchpad.

[slyon]

Regarding new schema:
This seems to be a rather NetworkManager specific settings, I feel like it should therefore live in the nm_backend_settings_handlers instead. Also, I wonder if we could/should make this a bit more generic, by introducing a generic "networkmanager.flags" setting, which might contain other (future) flags, then using the "validation" stage to verify those flags make sense for the given interface definition implicitly (c.f. wakeonwlan setting). E.g.:

 network:
   renderer: NetworkManager
   tunnels:
     wg0:
       mode: wireguard
       networkmanager:
         flags: [private-key-agent-owned]
       port: 5182
       peers:
         - keys:
             public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
           allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"]
           keepalive: 23
           endpoint: 1.2.3.4:5
   ```

What do you think?

[daniloegea]

That works for me. It could be moved to backend_settings, but it's used in the middle of the netdef struct, so adding a new variable there will change the struct layout. Is that fine?

[daniloegea]

On a second thought, I think having a generic flags key might be tricky to maintain. We'll have to have our own encoding. What if a flag for a given context have the same value as another flag from a different context in Network Manager?

I think it's fine to move the private-key-flags to the backend specific data though.

[daniloegea]

I moved the new key to the networkmanager section and rebased.

[slyon]

Sorry for the back and forth.
After some discussion with the Netplan team, we feel like this kind of flags should rather be close to the actual definition of the (private-)key. Before we continue with the review of the implementation details, I'd like to get an agreement on the new parts of the YAML schema.

What do you think about the following suggestion? We could also do private-key-flags: [agent-owned], but I think a generic keays.flags setting gives us more flexibility to expand for other use cases and key toggles in the future. We'd need an internal translation function from Netplan-keys.flags to NM's wireguard.private-key-flags, though.

Can you already think of any other (potential) use case, where such flags could be needed? What would it be and do you think this schema could cover that case?

 network:
   renderer: NetworkManager
   tunnels:
     wg0:
       mode: wireguard
       port: 5182
       peers:
         - keys:
             public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
             flags: [private-key-agent-owned]
           allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"]
           keepalive: 23
           endpoint: 1.2.3.4:5

[daniloegea]

Having the flags in the peers.keys path is not accurate. Those flags are about the private key used by the local connection, not its peers.

After checking nm-settings(5), I've found many more places where the same set of flags (NMSettingSecretFlags) are used apart from wireguard.private-key-flags (I missed that before):
802-1x.ca-cert-password-flags, 802-1x.client-cert-password-flags, 802-1x.password-flags, 802-1x.password-raw-flags, 802-1x.phase2-ca-cert-password-flags, 802-1x.phase2-client-cert-password-flags, 802-1x.phase2-private-key-password-flags, 802-1x.pin-flags, 802-1x.private-key-password-flags, adsl.password-flags, cdma.password-flags, gsm.password-flags, gsm.pin-flags, macsec.mka-cak-flags, pppoe.password-flags, 802-11-wireless-security.leap-password-flags, leap-password-flags.psk-flags and leap-password-flags.wep-key-flags.

For reference, these are the flags:

/**
 * NMSettingSecretFlags:
 * @NM_SETTING_SECRET_FLAG_NONE: the system is responsible for providing and
 * storing this secret (default)
 * @NM_SETTING_SECRET_FLAG_AGENT_OWNED: a user secret agent is responsible
 * for providing and storing this secret; when it is required agents will be
 * asked to retrieve it
 * @NM_SETTING_SECRET_FLAG_NOT_SAVED: this secret should not be saved, but
 * should be requested from the user each time it is needed
 * @NM_SETTING_SECRET_FLAG_NOT_REQUIRED: in situations where it cannot be
 * automatically determined that the secret is required (some VPNs and PPP
 * providers don't require all secrets) this flag indicates that the specific
 * secret is not required
 *
 * These flags indicate specific behavior related to handling of a secret.  Each
 * secret has a corresponding set of these flags which indicate how the secret
 * is to be stored and/or requested when it is needed.
 *
 **/
typedef enum /*< flags >*/ {
    NM_SETTING_SECRET_FLAG_NONE         = 0x00000000,
    NM_SETTING_SECRET_FLAG_AGENT_OWNED  = 0x00000001,
    NM_SETTING_SECRET_FLAG_NOT_SAVED    = 0x00000002,
    NM_SETTING_SECRET_FLAG_NOT_REQUIRED = 0x00000004

    /* NOTE: if adding flags, update nm-core-internal.h as well */
} NMSettingSecretFlags;

That said, I think it makes sense to have a more generic key for setting these flags. Maybe something like networkmanager.secret-flags so we could use it to set flags for all those types of connections I listed above.

[slyon]

That said, I think it makes sense to have a more generic key for setting these flags. Maybe something like networkmanager.secret-flags so we could use it to set flags for all those types of connections I listed above.

Thanks for looking up the details! So that would be back to my original suggestion of networkmanager.(secret-)flags and be pretty much a 1:1 representation of the setting in NetworkManager, but it would still keep the secret-flags far away from the actual secrets in Netplan's YAML schema. I wonder if we can do better than that?

We don't need to keep a 1:1 representation of Netplan <-> NetworkManager settings. Can we think of any (hypothetical/future) usecase where such flags could be used for another backend renderer, like networkd or OVS? If so that would be an argument against moving it into the networkmanager. backend settings.

I feel like those secret-flags should be tightly bundled with the secrets itself, which are bundled under the key[s] setting in Netplan. You're right that it shouldn't be in peers.keys.flags, as this is about the private key for the local connection. Rather, it should be in tunnels.wg0.keys.flags, which uses the same datastructure/schema as peers.keys.

For example

 network:
   renderer: NetworkManager
   tunnels:
     wg0:
       mode: wireguard
       port: 5182
       key:
         flags: [agent-owned]
       peers:
         - keys:
             public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
           allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"]
           keepalive: 23
           endpoint: 1.2.3.4:5

[daniloegea]

tunnels.interface.keys.flags sounds like a good place to add it. Should we call it private-key-flags though? There are 3 possible keys one can use inside keys: input, output and private. Maybe we should just explicitly correlate the flags with the private key.

[slyon]

Should we call it private-key-flags though?

That works for me. It's close to the actual secret (if any) and could also be used to define (future) flags for other backends. So let's try to get @vorlonofportland review of this schema proposal:

 network:
   renderer: NetworkManager
   tunnels:
     wg0:
       mode: wireguard
       key:
         private-key-flags: [agent-owned]
       peers:
         [...]

[vorlonofportland]

This looks good to me, thanks.

[slyon]

This looks good to me, thanks.

Thanks! I've added the "schema ok" tag and will do a review of the implementation details next.

[slyon]

I wonder if we can use the same schema for WPA-PSK credentials stored in an agent?
See https://discourse.ubuntu.com/t/call-for-testing-networkmanager-yaml-settings/32420/8 (point 3) and https://developer-old.gnome.org/NetworkManager/stable/settings-802-11-wireless-security.html => psk-flags

[slyon]

Thanks, this is looking good overall. The docs & implementation need to be adopted to the agreed upon YAML schema. And I wonder if we could use the same data-structure for wifi-security.psk-flags, too?

I added some remarks inline.

[slyon]

thought: I wonder if the same data-structure could be used for [wifi-security].psk-flags?

[daniloegea]

If only wireguard and the the psk password will have flags we could use the same variable, as the netdef will never be wifi and wireguard at the same time. But if we want to extend it to all the other secrets we will need multiple variables...

The case for wifi é covered by the passthrough data, only the wireguard one was causing issues due to how NM parses the keyfile and how we were generating it. Do we want to extend it to wifi right now?

[slyon]

We should probably use separate fields/data-structures internally, as you suggested above. But stick to a similar (user-facing) YAML structure. Also, let's postpone the psk-flags to another PR, so we can get this one landed.

[slyon]

Thanks, lgtm!