From df1f64c15692ec043ccd55578518f445a41bcc87 Mon Sep 17 00:00:00 2001
From: Vivien Malerba
Date: Fri, 18 Nov 2022 18:59:01 +0100
Subject: [PATCH] Post release corrections

---
 CHANGELOG.md | 7 +++++++
 components/inseca-live-server/README.md | 5 ++---
 components/inseca-live-server/config.json | 2 +-
 components/inseca-live-server/opt/inseca/manager | 11 ++++++++---
 components/inseca-live-server/prepare.py | 5 +++--
 components/inseca-live-wks/README.md | 4 ++--
 components/inseca-live-wks/config.json | 6 +++++-
 components/inseca-live-wks/prepare.py | 5 +++--
 8 files changed, 31 insertions(+), 14 deletions(-)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..46163b5
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# Changelog
+
+## [1.0.1] - 2022-11-18
+
+### Fixed
+
+- minor items
\ No newline at end of file
diff --git a/components/inseca-live-server/README.md b/components/inseca-live-server/README.md
index a09e82f..050314b 100644
--- a/components/inseca-live-server/README.md
+++ b/components/inseca-live-server/README.md
@@ -5,14 +5,13 @@ Main component to manage a running INSECA system without any UI (server OS).
 - **userdata-skey-pub-file**: public key used to verify the signature of USERDATA resources, relative to the build's config file
 - **allowed-virtualized**: list of virtual environments in which the devices is allowed to be used as a CSV or "", refer to systemd-detect-virt's man page
-- **disabled-net-services**: list of INSECA's network services to disable, as a CSV of:
+- **disable-inseca-services**: list of INSECA's network services to disable, as a CSV of:
   - `all`: disable all services
   - `updates`: disable the live Linux updates service
 - **data-mapping**: lists directories which will be mapped from the DATA partition in the system, as a CVS of `:`
 - **post-unlock-script**: script to execute once the device has been unlocked (e.g. to start services)
-
-- NOT YET **network-connections-allowed**: boolean indicating if the network stack (managed by NetworkManager) is enabled
+- **allow-network-connections**: boolean indicating if the network stack (managed by NetworkManager) is enabled (which allows the user to connect to wired or wireless networks) or disabled
 - NOT YET **network-allow-list**: if defined, the network access is denied by default and restricted only to the provided list of system names and/or IP address ranges.
diff --git a/components/inseca-live-server/config.json b/components/inseca-live-server/config.json
index 3e59751..918de93 100644
--- a/components/inseca-live-server/config.json
+++ b/components/inseca-live-server/config.json
@@ -13,7 +13,7 @@
     "descr": "CSV list of allowed virtualization execution environment, use 'all' to allow any",
     "type": "str"
   },
-  "disabled-net-services": {
+  "disable-inseca-services": {
     "descr": "List of INSECA's network services to disable",
     "type": "str"
   },
diff --git a/components/inseca-live-server/opt/inseca/manager b/components/inseca-live-server/opt/inseca/manager
index ed157b7..e775247 100755
--- a/components/inseca-live-server/opt/inseca/manager
+++ b/components/inseca-live-server/opt/inseca/manager
@@ -151,7 +151,8 @@ def _term_signal_ignore(signum, frame):
 def _term_signal_handle(signum, frame):
     syslog.syslog(syslog.LOG_INFO, "Received TERM signal, preparing shutdown")
     bp=Live.BootProcessWKS.get_instance()
-    bp.prepare_shutdown()
+    if bp:
+        bp.prepare_shutdown()
     sys.exit(0)
 
 # define default TERM signal handler tu properly umount partitions
@@ -233,8 +234,8 @@ class Remote(dbus.service.Object):
         # disable some INSECA services if specificed
         dservs=[]
         servs=["update"] # services which can be disabled
-        if conf and "disabled-net-services" in conf:
-            data=conf["disabled-net-services"]
+        if conf and "disable-inseca-services" in conf:
+            data=conf["disable-inseca-services"]
             if data is not None:
                 dservs=data.split(",")
                 if "all" in dservs:
@@ -246,6 +247,10 @@ class Remote(dbus.service.Object):
             if serv=="update":
                 self._updates_enabled=False
 
+        # enable network after authentication?
+        if conf and "allow-network-connections" in conf and conf["allow-network-connections"]==False:
+            self._net.force_always_disabled()
+
         # start shutdown timer and disable networking
         self._start_killer_counter()
         if cm.disable_network_before_unlock:
diff --git a/components/inseca-live-server/prepare.py b/components/inseca-live-server/prepare.py
index 066f718..9cff993 100755
--- a/components/inseca-live-server/prepare.py
+++ b/components/inseca-live-server/prepare.py
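Review bot: When `Live.BootProcessWKS.get_instance()` returns None, the new `if bp:` guard skips `prepare_shutdown()` silently, although the comment right after the hunk says this TERM handler exists to properly unmount the partitions; an investigation afterwards cannot tell a clean shutdown from one where nothing was cleaned up. Add an `else:` branch before `sys.exit(0)` with `syslog.syslog(syslog.LOG_WARNING, "No boot process instance, skipping prepare_shutdown()")`. Whether a None instance here is an expected state (TERM delivered before boot processing started) or a failure is not visible in the hunk.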
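Review bot: The new `allow-network-connections` check fails open: only a value that compares equal to `False` disables the network, so a value that reached `/etc/inseca-live.json` as the string `"false"`, `"no"` or `"0"` leaves NetworkManager enabled, and prepare.py in this same patch copies the build value through with no type check. For a setting whose purpose is to keep the device off the network, make anything but an explicit `True` disable it: `if conf and conf.get("allow-network-connections", True) is not True:` — the `True` default matches what prepare.py writes when the key is absent. The `# enable network after authentication?` comment should state the decision rather than ask it, e.g. `# network policy from the protected build config: anything but an explicit True keeps NetworkManager disabled`. Whether `self._net` is always set at this point and whether `force_always_disabled()` takes effect before the unlock path re-enables networking is not visible here; the enclosing method starts and ends outside the hunk.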
@@ -64,8 +64,9 @@
 # other config. elements
 protected_conf={
     "allowed-virtualized": conf.get("allowed-virtualized", ""),
-    "disabled-net-services": conf.get("disabled-net-services", "")
+    "disable-inseca-services": conf.get("disable-inseca-services", ""),
+    "allow-network-connections": conf.get("allow-network-connections", True)
 }
 util.write_data_to_file(json.dumps(protected_conf), "%s/etc/inseca-live.json"%os.environ["LIVE_DIR"])
 util.write_data_to_file("Allowed virtual environments: %s\n"%protected_conf["allowed-virtualized"], os.environ["BUILD_DATA_FILE"], append=True)
-util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disabled-net-services"], os.environ["BUILD_DATA_FILE"], append=True)
\ No newline at end of file
+util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disable-inseca-services"], os.environ["BUILD_DATA_FILE"], append=True)
\ No newline at end of file
diff --git a/components/inseca-live-wks/README.md b/components/inseca-live-wks/README.md
index ac8c4b3..181463b 100644
--- a/components/inseca-live-wks/README.md
+++ b/components/inseca-live-wks/README.md
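Review bot: The `allow-network-connections` value is now persisted into the protected `inseca-live.json`, but unlike the other two protected settings it is not appended to `BUILD_DATA_FILE`, so the build record does not show whether an image was built with networking allowed. Add `util.write_data_to_file("Network connections allowed: %s\n"%protected_conf["allow-network-connections"], os.environ["BUILD_DATA_FILE"], append=True)` after the existing record lines. The value is also copied through with no type check, and this component's `config.json` in the same patch only renames `disabled-net-services` without declaring the new key (the wks `config.json` does), so it is unclear whether a mistyped value such as the string `"false"` is caught at build time; rejecting anything that is not a bool here, e.g. `if not isinstance(protected_conf["allow-network-connections"], bool): raise Exception("'allow-network-connections' must be a boolean")` (using whatever error type the script raises elsewhere), keeps such a value from reaching the manager, which compares it with `==False`.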
@@ -5,10 +5,10 @@ Main component to manage a running INSECA system with a GUI.
 - **userdata-skey-pub-file**: public key used to verify the signature of USERDATA resources, relative to the build's config file
 - **allowed-virtualized**: list of virtual environments in which the devices is allowed to be used as a CSV or "", refer to systemd-detect-virt's man page
-- **disabled-net-services**: list of INSECA's network services to disable, as a CSV of:
+- **disable-inseca-services**: list of INSECA's network services to disable, as a CSV of:
   - `all`: disable all services
   - `updates`: disable the live Linux updates service
-- NOT YET **network-connections-allowed**: boolean indicating if the network stack (managed by NetworkManager) is enabled
+- **allow-network-connections**: boolean indicating if the network stack (managed by NetworkManager) is enabled (which allows the user to connect to wired or wireless networks) or disabled
 - NOT YET **network-allow-list**: if defined, the network access is denied by default and restricted only to the provided list of system names and/or IP address ranges.
diff --git a/components/inseca-live-wks/config.json b/components/inseca-live-wks/config.json
index 06bb711..513c9c8 100644
--- a/components/inseca-live-wks/config.json
+++ b/components/inseca-live-wks/config.json
@@ -16,7 +16,11 @@
     "descr": "CSV list of allowed virtualization execution environment",
     "type": "str"
   },
-  "disabled-net-services": {
+  "allow-network-connections": {
+    "descr": "True if the network stack (managed by NetworkManager) is enabled",
+    "type": "boolean"
+  },
+  "disable-inseca-services": {
     "descr": "List of INSECA's network services to disable",
     "type": "str"
   }
diff --git a/components/inseca-live-wks/prepare.py b/components/inseca-live-wks/prepare.py
index a503a72..918e26a 100755
--- a/components/inseca-live-wks/prepare.py
+++ b/components/inseca-live-wks/prepare.py
@@ -45,8 +45,9 @@
 # other config. elements
 protected_conf={
     "allowed-virtualized": conf.get("allowed-virtualized", ""),
-    "disabled-net-services": conf.get("disabled-net-services", "")
+    "disable-inseca-services": conf.get("disable-inseca-services", ""),
+    "allow-network-connections": conf.get("allow-network-connections", True)
 }
 util.write_data_to_file(json.dumps(protected_conf), "%s/etc/inseca-live.json"%os.environ["LIVE_DIR"])
 util.write_data_to_file("Allowed virtual environments: %s\n"%protected_conf["allowed-virtualized"], os.environ["BUILD_DATA_FILE"], append=True)
-util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disabled-net-services"], os.environ["BUILD_DATA_FILE"], append=True)
\ No newline at end of file
+util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disable-inseca-services"], os.environ["BUILD_DATA_FILE"], append=True)
\ No newline at end of file
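Review bot: The new `allow-network-connections` entry is written to the protected `inseca-live.json` but not appended to `BUILD_DATA_FILE` like the other two protected settings, so the build record no longer describes the full network policy baked into the image. Add `util.write_data_to_file("Network connections allowed: %s\n"%protected_conf["allow-network-connections"], os.environ["BUILD_DATA_FILE"], append=True)` next to the existing record lines. The value is copied through as-is; this component's `config.json` now declares it as `"boolean"`, but whether that declaration is enforced before this script runs is not visible here, so a local `isinstance(protected_conf["allow-network-connections"], bool)` check that aborts the build on anything else would guarantee the manager only ever sees a real boolean rather than a string it would compare with `==False`. The `Disabled net services:` label in the build record could also be renamed to match the new `disable-inseca-services` key.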