From c84380106fe69f86842dc7e8c032af6740bef77e Mon Sep 17 00:00:00 2001 From: John Ferlan Date: Wed, 1 Jun 2016 15:00:57 -0400 Subject: [PATCH] conf: Add new secret type "passphrase" Add a new secret type known as "passphrase" - it will handle adding the secret objects that need a passphrase without a specific username. The format is: ... ... mumblyfratz Signed-off-by: John Ferlan --- docs/aclpolkit.html.in | 4 ++ docs/formatsecret.html.in | 57 +++++++++++++++++++++- docs/schemas/secret.rng | 10 ++++ include/libvirt/libvirt-secret.h | 3 +- src/access/viraccessdriverpolkit.c | 13 +++++ src/conf/secret_conf.c | 22 ++++++++- src/conf/secret_conf.h | 1 + src/conf/virsecretobj.c | 5 ++ tests/secretxml2xmlin/usage-passphrase.xml | 7 +++ tests/secretxml2xmltest.c | 1 + 10 files changed, 119 insertions(+), 4 deletions(-) create mode 100644 tests/secretxml2xmlin/usage-passphrase.xml diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in index dae0814a82..4d0307d0d7 100644 --- a/docs/aclpolkit.html.in +++ b/docs/aclpolkit.html.in @@ -224,6 +224,10 @@ secret_usage_target Name of the associated iSCSI target, if any + + secret_usage_name + Name of be associated passphrase secret, if any + diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in index c39d2a73d4..f03d90ca69 100644 --- a/docs/formatsecret.html.in +++ b/docs/formatsecret.html.in @@ -41,8 +41,9 @@
Specifies what this secret is used for. A mandatory type attribute specifies the usage category, currently - only volume, ceph and iscsi - are defined. Specific usage categories are described below. + only volume, ceph, iscsi, + and passphrase are defined. Specific usage categories + are described below.
@@ -241,5 +242,57 @@ <secret usage='libvirtiscsi'/> </auth> + +

Usage type "passphrase"

+ +

+ This secret is a general purpose secret to be used by various libvirt + objects to provide a single passphrase as required by the object in + order to perform its authentication. + Since 2.1.0. The following is an example + of a secret.xml file: +

+ +
+      # cat secret.xml
+      <secret ephemeral='no' private='yes'>
+         <description>sample passphrase secret</description>
+         <usage type='passphrase'>
+            <name>name_example</name>
+         </usage>
+      </secret>
+
+      # virsh secret-define secret.xml
+      Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
+
+      # virsh secret-list
+       UUID                                 Usage
+      -----------------------------------------------------------
+       718c71bd-67b5-4a2b-87ec-a24e8ca200dc  passphrase  name_example
+      #
+
+    
+ +

+ A secret may also be defined via the + + virSecretDefineXML API. + + Once the secret is defined, a secret value will need to be set. This + value would be the same used to create and use the volume. + The following is a simple example of using + virsh secret-set-value to set the secret value. The + + virSecretSetValue API may also be used to set + a more secure secret without using printable/readable characters. +

+ +
+      # MYSECRET=`printf %s "letmein" | base64`
+      # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+      Secret value set
+
+    
+ diff --git a/docs/schemas/secret.rng b/docs/schemas/secret.rng index e21e700325..cac8560fe8 100644 --- a/docs/schemas/secret.rng +++ b/docs/schemas/secret.rng @@ -36,6 +36,7 @@ + @@ -71,4 +72,13 @@ + + + passphrase + + + + + + diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h index 3e5cdf621c..55b11e05f0 100644 --- a/include/libvirt/libvirt-secret.h +++ b/include/libvirt/libvirt-secret.h @@ -4,7 +4,7 @@ * Description: Provides APIs for the management of secrets * Author: Daniel Veillard * - * Copyright (C) 2006-2014 Red Hat, Inc. + * Copyright (C) 2006-2014, 2016 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -43,6 +43,7 @@ typedef enum { VIR_SECRET_USAGE_TYPE_VOLUME = 1, VIR_SECRET_USAGE_TYPE_CEPH = 2, VIR_SECRET_USAGE_TYPE_ISCSI = 3, + VIR_SECRET_USAGE_TYPE_PASSPHRASE = 4, # ifdef VIR_ENUM_SENTINELS VIR_SECRET_USAGE_TYPE_LAST diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c index 89bc8908f2..99b867f9e8 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c @@ -338,6 +338,19 @@ virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager, virAccessPermSecretTypeToString(perm), attrs); } break; + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: { + const char *attrs[] = { + "connect_driver", driverName, + "secret_uuid", uuidstr, + "secret_usage_name", secret->usage.name, + NULL, + }; + + return virAccessDriverPolkitCheck(manager, + "secret", + virAccessPermSecretTypeToString(perm), + attrs); + } break; } } diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c index d510645496..a973aa9199 100644 --- a/src/conf/secret_conf.c +++ b/src/conf/secret_conf.c @@ -29,6 +29,7 @@ #include "viralloc.h" #include "secret_conf.h" #include "virsecretobj.h" +#include "virstring.h" #include "virerror.h" #include "virxml.h" #include "viruuid.h" 
@@ -38,7 +39,7 @@ VIR_LOG_INIT("conf.secret_conf"); VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST, - "none", "volume", "ceph", "iscsi") + "none", "volume", "ceph", "iscsi", "passphrase") const char * virSecretUsageIDForDef(virSecretDefPtr def) @@ -56,6 +57,9 @@ virSecretUsageIDForDef(virSecretDefPtr def) case VIR_SECRET_USAGE_TYPE_ISCSI: return def->usage.target; + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + return def->usage.name; + default: return NULL; } @@ -85,6 +89,10 @@ virSecretDefFree(virSecretDefPtr def) VIR_FREE(def->usage.target); break; + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + VIR_FREE(def->usage.name); + break; + default: VIR_ERROR(_("unexpected secret usage type %d"), def->usage_type); break; @@ -145,6 +153,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt, } break; + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + if (!(def->usage.name = virXPathString("string(./usage/name)", ctxt))) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("passphrase usage specified, but name is missing")); + return -1; + } + break; + default: virReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected secret usage type %d"), @@ -297,6 +313,10 @@ virSecretDefFormatUsage(virBufferPtr buf, virBufferEscapeString(buf, "%s\n", def->usage.target); break; + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + virBufferEscapeString(buf, "%s\n", def->usage.name); + break; + default: virReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected secret usage type %d"), diff --git a/src/conf/secret_conf.h b/src/conf/secret_conf.h index 4584403dcb..c34880fb09 100644 --- a/src/conf/secret_conf.h +++ b/src/conf/secret_conf.h @@ -40,6 +40,7 @@ struct _virSecretDef { char *volume; /* May be NULL */ char *ceph; char *target; + char *name; } usage; }; diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c index 30a5e80f6e..6714a0075c 100644 --- a/src/conf/virsecretobj.c +++ b/src/conf/virsecretobj.c 
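Review bot: The missing-`<name>` error in the new VIR_SECRET_USAGE_TYPE_PASSPHRASE case of virSecretDefParseUsage is reported as VIR_ERR_INTERNAL_ERROR, but the condition is caused by malformed user-supplied XML rather than by a libvirt bug, so a client would be better served by `virReportError(VIR_ERR_XML_ERROR, "%s", _("passphrase usage specified, but name is missing"));`. The neighbouring iscsi case is not visible here but appears to follow the same convention, so this may be worth fixing for all usage types in one follow-up rather than only in the new case. The check itself is sound only because virXPathString returns NULL for an empty `string(./usage/name)` result; a one-line comment saying so, `/* virXPathString returns NULL for a missing or empty <name> */`, would stop a later reader from assuming the NULL test also rejects whitespace-only names. virSecretDefParseUsage begins before and ends after this hunk.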
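Review bot: The `char *name;` member added to struct _virSecretDef in secret_conf.h carries no comment, while the sibling `volume` member documents its nullability; since `name` is mandatory for passphrase usage and doubles as the value virSecretUsageIDForDef returns for that type, the contract deserves a line such as `char *name; /* passphrase usage: mandatory, also the usage ID */`. Documenting that it is never NULL after a successful parse is what justifies the unguarded STREQ and polkit attribute uses elsewhere in this patch. The struct definition starts before and ends after the hunk.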
@@ -237,6 +237,11 @@ virSecretObjSearchName(const void *payload, if (STREQ(secret->def->usage.target, data->usageID)) found = 1; break; + + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + if (STREQ(secret->def->usage.name, data->usageID)) + found = 1; + break; } cleanup: diff --git a/tests/secretxml2xmlin/usage-passphrase.xml b/tests/secretxml2xmlin/usage-passphrase.xml new file mode 100644 index 0000000000..2b94b80400 --- /dev/null +++ b/tests/secretxml2xmlin/usage-passphrase.xml @@ -0,0 +1,7 @@ + + f52a81b2-424e-490c-823d-6bd4235bc572 + Sample Passphrase Secret + + mumblyfratz + + diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c index 8dcbb40080..c444e4d29b 100644 --- a/tests/secretxml2xmltest.c +++ b/tests/secretxml2xmltest.c @@ -80,6 +80,7 @@ mymain(void) DO_TEST("usage-volume"); DO_TEST("usage-ceph"); DO_TEST("usage-iscsi"); + DO_TEST("usage-passphrase"); return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; }
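Review bot: The new passphrase case in virSecretObjSearchName passes secret->def->usage.name straight to STREQ, which is safe only because virSecretDefParseUsage refuses a passphrase usage without a `<name>`; any other code path that builds a virSecretDef by hand would dereference NULL here, and `STREQ_NULLABLE(secret->def->usage.name, data->usageID)` costs nothing. Lookup by usage also presumes the name is unique among passphrase secrets; whether the list-add path enforces that for the new usage type is not visible in this patch and is worth confirming, because a duplicate name would make lookup-by-usage return whichever object the hash walk reaches first. virSecretObjSearchName begins before the hunk and its `cleanup:` label runs past it.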