virsh: secret: Add --file 'filename' support for secret-set-value
Having to pass the secret value as a command argument is insecure. Allow reading the secret from a file instead. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
5611795b2b
commit
dbbc74e4ce
@ -6563,10 +6563,13 @@ secret-set-value
|
|||||||
|
|
||||||
.. code-block::
|
.. code-block::
|
||||||
|
|
||||||
secret-set-value secret base64
|
secret-set-value secret (--file filename | base64)
|
||||||
|
|
||||||
Set the value associated with *secret* (specified by its UUID) to the value
|
Set the value associated with *secret* (specified by its UUID) to the value
|
||||||
Base64-encoded value *base64*.
|
Base64-encoded value *base64* or Base-64-encoded contents of file named
|
||||||
|
*filename*.
|
||||||
|
|
||||||
|
Note that *--file* and *base64* options are mutually exclusive.
|
||||||
|
|
||||||
|
|
||||||
secret-get-value
|
secret-get-value
|
||||||
|
@ -177,9 +177,13 @@ static const vshCmdOptDef opts_secret_set_value[] = {
|
|||||||
.help = N_("secret UUID"),
|
.help = N_("secret UUID"),
|
||||||
.completer = virshSecretUUIDCompleter,
|
.completer = virshSecretUUIDCompleter,
|
||||||
},
|
},
|
||||||
|
{.name = "file",
|
||||||
|
.type = VSH_OT_STRING,
|
||||||
|
.flags = VSH_OFLAG_REQ_OPT,
|
||||||
|
.help = N_("read secret from file"),
|
||||||
|
},
|
||||||
{.name = "base64",
|
{.name = "base64",
|
||||||
.type = VSH_OT_DATA,
|
.type = VSH_OT_STRING,
|
||||||
.flags = VSH_OFLAG_REQ,
|
|
||||||
.help = N_("base64-encoded secret value")
|
.help = N_("base64-encoded secret value")
|
||||||
},
|
},
|
||||||
{.name = NULL}
|
{.name = NULL}
|
||||||
@ -189,22 +193,46 @@ static bool
|
|||||||
cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
|
cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
|
||||||
{
|
{
|
||||||
g_autoptr(virshSecret) secret = NULL;
|
g_autoptr(virshSecret) secret = NULL;
|
||||||
size_t value_size;
|
|
||||||
const char *base64 = NULL;
|
const char *base64 = NULL;
|
||||||
|
const char *filename = NULL;
|
||||||
|
char *file_buf = NULL;
|
||||||
|
size_t file_len = 0;
|
||||||
unsigned char *value;
|
unsigned char *value;
|
||||||
|
size_t value_size;
|
||||||
int res;
|
int res;
|
||||||
|
|
||||||
|
VSH_EXCLUSIVE_OPTIONS("file", "base64");
|
||||||
|
|
||||||
if (!(secret = virshCommandOptSecret(ctl, cmd, NULL)))
|
if (!(secret = virshCommandOptSecret(ctl, cmd, NULL)))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (vshCommandOptStringReq(ctl, cmd, "base64", &base64) < 0)
|
if (vshCommandOptStringReq(ctl, cmd, "base64", &base64) < 0)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (!base64 && !filename) {
|
||||||
|
vshError(ctl, _("Input secret value is missing"));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (filename) {
|
||||||
|
ssize_t read_ret;
|
||||||
|
if ((read_ret = virFileReadAll(filename, 1024, &file_buf)) < 0) {
|
||||||
|
vshSaveLibvirtError();
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
file_len = read_ret;
|
||||||
|
base64 = file_buf;
|
||||||
|
}
|
||||||
|
|
||||||
value = g_base64_decode(base64, &value_size);
|
value = g_base64_decode(base64, &value_size);
|
||||||
|
|
||||||
res = virSecretSetValue(secret, value, value_size, 0);
|
res = virSecretSetValue(secret, value, value_size, 0);
|
||||||
memset(value, 0, value_size);
|
VIR_DISPOSE_N(value, value_size);
|
||||||
VIR_FREE(value);
|
VIR_DISPOSE_N(file_buf, file_len);
|
||||||
|
|
||||||
if (res != 0) {
|
if (res != 0) {
|
||||||
vshError(ctl, "%s", _("Failed to set secret value"));
|
vshError(ctl, "%s", _("Failed to set secret value"));
|
||||||
|
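Review bot: `vshError(ctl, _("Input secret value is missing"));` passes the translated message directly as the format string, while the existing call at the end of the same hunk, `vshError(ctl, "%s", _("Failed to set secret value"));`, routes it through `"%s"`; the literal-format form keeps a stray `%` in a translation catalog from being read as a conversion, so the new line should be `vshError(ctl, "%s", _("Input secret value is missing"));`. The bare `1024` in `virFileReadAll(filename, 1024, &file_buf)` presumably caps the size of the base64 text, and so of the secret, without the limit being visible anywhere; a named constant with a comment such as `/* upper bound on the size of the base64-encoded secret file */` would document it, and the manpage text in this commit does not mention the cap either. cmdSecretSetValue's body continues past the end of the hunk.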