tools: virsh: Add --interactive flag for secret-set-value command

Simplify human usage of secret-set-value by adding --interactive which will read the value of the secret from the terminal. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2024-10-02 04:15:46 +00:00 · 2020-01-24 16:37:27 +01:00 · 2020-01-24 16:37:27 +01:00 · 70c7453895
commit 70c7453895
parent ff5f75f561
2 changed files with 26 additions and 3 deletions
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@ -6563,14 +6563,17 @@ secret-set-value

 .. code-block::

-   secret-set-value secret (--file filename [--plain] | base64)
+   secret-set-value secret (--file filename [--plain] | --interactive | base64)

 Set the value associated with *secret* (specified by its UUID) to the value
 Base64-encoded value *base64* or Base-64-encoded contents of file named
 *filename*. Using the *--plain* flag is together with *--file* allows to use
 the file contents directly as the secret value.

-Note that *--file* and *base64* options are mutually exclusive.
+If *--interactive* flag is used the secret value is read as a password from the
+terminal.
+
+Note that *--file*, *--interactive* and *base64* options are mutually exclusive.

 Passing secrets via the *base64* option on command line is INSECURE and
 deprecated. Use the *--file* option instead.
--- a/tools/virsh-secret.c
+++ b/tools/virsh-secret.c
@ -186,6 +186,10 @@ static const vshCmdOptDef opts_secret_set_value[] = {
     .type = VSH_OT_BOOL,
     .help = N_("read the secret from file without converting from base64")
    },
+    {.name = "interactive",
+     .type = VSH_OT_BOOL,
+     .help = N_("read the secret from the terminal")
+    },
    {.name = "base64",
     .type = VSH_OT_STRING,
     .help = N_("base64-encoded secret value")
@ -204,10 +208,14 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
    unsigned char *value;
    size_t value_size;
    bool plain = vshCommandOptBool(cmd, "plain");
+    bool interactive = vshCommandOptBool(cmd, "interactive");
    int res;

    VSH_EXCLUSIVE_OPTIONS("file", "base64");
    VSH_EXCLUSIVE_OPTIONS("plain", "base64");
+    VSH_EXCLUSIVE_OPTIONS("interactive", "base64");
+    VSH_EXCLUSIVE_OPTIONS("interactive", "plain");
+    VSH_EXCLUSIVE_OPTIONS("interactive", "file");

    if (!(secret = virshCommandOptSecret(ctl, cmd, NULL)))
        return false;
@ -218,7 +226,7 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
    if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0)
        return false;

-    if (!base64 && !filename) {
+    if (!base64 && !filename && !interactive) {
        vshError(ctl, _("Input secret value is missing"));
        return false;
    }
@ -238,6 +246,18 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
        base64 = file_buf;
    }

+    if (interactive) {
+        vshPrint(ctl, "%s", _("Enter new value for secret:"));
+        fflush(stdout);
+
+        if (!(file_buf = getpass(""))) {
+            vshError(ctl, "%s", _("Failed to read secret"));
+            return false;
+        }
+        file_len = strlen(file_buf);
+        plain = true;
+    }
+
    if (plain) {
        value = g_steal_pointer(&file_buf);
        value_size = file_len;