authorTobias Brunner <tobias@strongswan.org>2016-11-09 16:27:01 +0100
committerTobias Brunner <tobias@strongswan.org>2017-02-16 19:21:13 +0100
commitcf57d9a98f1ecf757f8f6934e3d0303e2d2aa486 (patch)
tree920f9186e058e2c427d22134cec95e48404d6f4a
parentbafd851896bc64a452673a2b97ac978af5617871 (diff)
vici: Add possibility to remove shared keys by a unique identifier
This identifier can be set when adding/replacing a secret. The unique identifiers of all secrets may be enumerated.
-rw-r--r--src/libcharon/plugins/vici/README.md26
-rw-r--r--src/libcharon/plugins/vici/vici_cred.c55
2 files changed, 76 insertions, 5 deletions
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index a46c35a28..edcc7eae5 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -493,7 +493,8 @@ including keys found in other backends.
Load a shared IKE PSK, EAP or XAuth secret into the daemon.
{
- type = <private key type, IKE|EAP|XAUTH>
+ id = <optional unique identifier of this shared key>
+ type = <shared key type, IKE|EAP|XAUTH>
data = <raw shared key data>
owners = [
<list of shared key owner identities>
@@ -503,6 +504,29 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
errmsg = <error string on failure>
}
+### unload-shared() ###
+
+Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique
+identifier.
+
+ {
+ id = <unique identifier of the shared key to unload>
+ } => {
+ success = <yes or no>
+ errmsg = <error string on failure>
+ }
+
+### get-shared() ###
+
+Return a list of unique identifiers of shared keys loaded exclusively over vici,
+not including keys found in other backends.
+
+ {} => {
+ keys = [
+ <list of unique identifiers>
+ ]
+ }
+
### flush-certs() ###
Flushes the certificate cache. The optional type argument allows to flush
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 03649acfe..04a13b4fa 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -320,11 +320,12 @@ CALLBACK(load_shared, vici_message_t*,
shared_key_type_t type;
linked_list_t *owners;
chunk_t data;
- char *str, buf[512] = "";
+ char *unique, *str, buf[512] = "";
enumerator_t *enumerator;
identification_t *owner;
int len;
+ unique = message->get_str(message, NULL, "id");
str = message->get_str(message, NULL, "type");
if (!str)
{
@@ -371,15 +372,59 @@ CALLBACK(load_shared, vici_message_t*,
}
enumerator->destroy(enumerator);
- DBG1(DBG_CFG, "loaded %N shared key for: %s",
- shared_key_type_names, type, buf);
+ if (unique)
+ {
+ DBG1(DBG_CFG, "loaded %N shared key with id '%s' for: %s",
+ shared_key_type_names, type, unique, buf);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "loaded %N shared key for: %s",
+ shared_key_type_names, type, buf);
+ }
- this->creds->add_shared_list(this->creds,
+ this->creds->add_shared_unique(this->creds, unique,
shared_key_create(type, chunk_clone(data)), owners);
return create_reply(NULL);
}
+CALLBACK(unload_shared, vici_message_t*,
+ private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+ char *unique;
+
+ unique = message->get_str(message, NULL, "id");
+ if (!unique)
+ {
+ return create_reply("unique identifier missing");
+ }
+ DBG1(DBG_CFG, "unloaded shared key with id '%s'", unique);
+ this->creds->remove_shared_unique(this->creds, unique);
+ return create_reply(NULL);
+}
+
+CALLBACK(get_shared, vici_message_t*,
+ private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+ vici_builder_t *builder;
+ enumerator_t *enumerator;
+ char *unique;
+
+ builder = vici_builder_create();
+ builder->begin_list(builder, "keys");
+
+ enumerator = this->creds->create_unique_shared_enumerator(this->creds);
+ while (enumerator->enumerate(enumerator, &unique))
+ {
+ builder->add_li(builder, "%s", unique);
+ }
+ enumerator->destroy(enumerator);
+
+ builder->end_list(builder);
+ return builder->finalize(builder);
+}
+
CALLBACK(clear_creds, vici_message_t*,
private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
{
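Review bot: `unload_shared` always replies with success and emits "unloaded shared key with id '%s'" before `remove_shared_unique` has actually run, so a request naming an id that was never loaded (or mistyped) is indistinguishable from a real removal, both to the vici client and in the daemon log. If `remove_shared_unique` reports whether it found and removed a key (its signature is not in this hunk, so this is inferred), check it first and make the log and the reply conditional, e.g. `if (!this->creds->remove_shared_unique(this->creds, unique)) { return create_reply("shared key with id '%s' not found", unique); }` — confirm that `create_reply` accepts format arguments, since the hunk only calls it with a plain string. The same log-before-act ordering is in `load_shared`, whose body begins above this hunk: the "loaded ... with id" message is written before `add_shared_unique` is called and gives no indication when an existing key with that id was replaced rather than added, which is exactly the event an operator reviewing the log would want to see.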
@@ -426,6 +471,8 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
manage_command(this, "unload-key", unload_key, reg);
manage_command(this, "get-keys", get_keys, reg);
manage_command(this, "load-shared", load_shared, reg);
+ manage_command(this, "unload-shared", unload_shared, reg);
+ manage_command(this, "get-shared", get_shared, reg);
}
METHOD(vici_cred_t, add_cert, certificate_t*,