[libvirt] [PATCH v4 3/7] Repurpose the 'passphrase' secret to 'tls'

John Ferlan jferlan at redhat.com
Mon Jul 11 18:07:54 UTC 2016


Commit id 'c84380106' added support for a secret usage type 'passphrase'
that was designed to be used for both LUKS encryption and TLS credentials
since both used a 'simple' passphrase in order to handle the authentication.
However, a post commit review deemed that usage model to be invalid.

This patch repurposes the 'passphrase' usage type for 'tls' specific usage.
A previous patch has already adjusted the various LUKS usages to utilize
a 'volume' secret.

Signed-off-by: John Ferlan <jferlan at redhat.com>
---
 docs/aclpolkit.html.in                     |  2 +-
 docs/formatsecret.html.in                  | 59 +++++++++++++++++++++++++++++-
 docs/schemas/secret.rng                    |  6 +--
 include/libvirt/libvirt-secret.h           |  2 +-
 src/access/viraccessdriverpolkit.c         |  2 +-
 src/conf/secret_conf.c                     | 12 +++---
 src/conf/virsecretobj.c                    |  2 +-
 tests/secretxml2xmlin/usage-passphrase.xml |  7 ----
 tests/secretxml2xmlin/usage-tls.xml        |  7 ++++
 tests/secretxml2xmltest.c                  |  2 +-
 10 files changed, 78 insertions(+), 23 deletions(-)
 delete mode 100644 tests/secretxml2xmlin/usage-passphrase.xml
 create mode 100644 tests/secretxml2xmlin/usage-tls.xml

diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index 4d0307d..7a1e302 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -226,7 +226,7 @@
         </tr>
         <tr>
           <td>secret_usage_name</td>
-          <td>Name of be associated passphrase secret, if any</td>
+          <td>Name of the associated tls secret, if any</td>
         </tr>
       </tbody>
     </table>
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 216a83c..de1af20 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -41,8 +41,9 @@
       <dd>
         Specifies what this secret is used for.  A mandatory
         <code>type</code> attribute specifies the usage category, currently
-        only <code>volume</code>, <code>ceph</code>, and <code>iscsi</code>
-        are defined. Specific usage categories are described below.
+        only <code>volume</code>, <code>ceph</code>, <code>iscsi</code>,
+        and <code>tls</code> are defined. Specific usage categories
+        are described below.
       </dd>
     </dl>
 
@@ -271,5 +272,59 @@
       </auth>
     </pre>
 
+    <h3><a name="tlsUsageType">Usage type "tls"</a></h3>
+
+    <p>
+      This secret may be used in order to provide the passphrase for the
+      private key used to provide TLS credentials.
+      The <code><usage type='tls'></code> element must contain a
+      single <code>name</code> element that specifies a usage name
+      for the secret.
+      <span class="since">Since 2.1.0</span>.
+      The following is an example of the expected XML and processing to
+      define the secret:
+    </p>
+
+    <pre>
+      # cat tls-secret.xml
+      <secret ephemeral='no' private='yes'>
+         <description>sample tls secret</description>
+         <usage type='tls'>
+            <name>TLS_example</name>
+         </usage>
+      </secret>
+
+      # virsh secret-define tls-secret.xml
+      Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
+
+      # virsh secret-list
+       UUID                                 Usage
+      -----------------------------------------------------------
+       718c71bd-67b5-4a2b-87ec-a24e8ca200dc  tls TLS_example
+      #
+
+    </pre>
+
+    <p>
+      A secret may also be defined via the
+      <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
+       <code>virSecretDefineXML</code></a> API.
+
+      Once the secret is defined, a secret value will need to be set. The
+      secret would be the passphrase used to access the TLS credentials.
+      The following is a simple example of using
+      <code>virsh secret-set-value</code> to set the secret value. The
+      <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
+      <code>virSecretSetValue</code></a> API may also be used to set
+      a more secure secret without using printable/readable characters.
+    </p>
+
+    <pre>
+      # MYSECRET=`printf %s "letmein" | base64`
+      # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+      Secret value set
+
+    </pre>
+
   </body>
 </html>
diff --git a/docs/schemas/secret.rng b/docs/schemas/secret.rng
index cac8560..1e94d66 100644
--- a/docs/schemas/secret.rng
+++ b/docs/schemas/secret.rng
@@ -36,7 +36,7 @@
               <ref name='usagevolume'/>
               <ref name='usageceph'/>
               <ref name='usageiscsi'/>
-              <ref name='usagepassphrase'/>
+              <ref name='usagetls'/>
               <!-- More choices later -->
             </choice>
           </element>
@@ -72,9 +72,9 @@
     </element>
   </define>
 
-  <define name='usagepassphrase'>
+  <define name='usagetls'>
     <attribute name='type'>
-      <value>passphrase</value>
+      <value>tls</value>
     </attribute>
     <element name='name'>
       <ref name='genericName'/>
diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h
index 55b11e0..2ae36f6 100644
--- a/include/libvirt/libvirt-secret.h
+++ b/include/libvirt/libvirt-secret.h
@@ -43,7 +43,7 @@ typedef enum {
     VIR_SECRET_USAGE_TYPE_VOLUME = 1,
     VIR_SECRET_USAGE_TYPE_CEPH = 2,
     VIR_SECRET_USAGE_TYPE_ISCSI = 3,
-    VIR_SECRET_USAGE_TYPE_PASSPHRASE = 4,
+    VIR_SECRET_USAGE_TYPE_TLS = 4,
 
 # ifdef VIR_ENUM_SENTINELS
     VIR_SECRET_USAGE_TYPE_LAST
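Review bot: Renaming VIR_SECRET_USAGE_TYPE_PASSPHRASE in the public header include/libvirt/libvirt-secret.h keeps the numeric value 4, so the ABI is unchanged, but any out-of-tree code that spelled the old name stops compiling, and the matching string-table change in src/conf/secret_conf.c (`"passphrase"` to `"tls"`) means a secret definition already saved with `<usage type='passphrase'>` would no longer parse after an upgrade. If the 'passphrase' usage never appeared in a tagged release — the docs hunk marks the tls usage "Since 2.1.0", which suggests the same cycle — this is fine and the commit message could say so explicitly; otherwise the usual route is to keep the old name as an alias, `VIR_SECRET_USAGE_TYPE_PASSPHRASE = VIR_SECRET_USAGE_TYPE_TLS, /* deprecated */`, and accept the old string on parse. The enclosing typedef enum starts outside the hunk.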
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 99b867f..67f2a57 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -338,7 +338,7 @@ virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
                                           virAccessPermSecretTypeToString(perm),
                                           attrs);
     }   break;
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE: {
+    case VIR_SECRET_USAGE_TYPE_TLS: {
         const char *attrs[] = {
             "connect_driver", driverName,
             "secret_uuid", uuidstr,
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c
index a973aa9..ce1ad92 100644
--- a/src/conf/secret_conf.c
+++ b/src/conf/secret_conf.c
@@ -39,7 +39,7 @@
 VIR_LOG_INIT("conf.secret_conf");
 
 VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST,
-              "none", "volume", "ceph", "iscsi", "passphrase")
+              "none", "volume", "ceph", "iscsi", "tls")
 
 const char *
 virSecretUsageIDForDef(virSecretDefPtr def)
@@ -57,7 +57,7 @@ virSecretUsageIDForDef(virSecretDefPtr def)
     case VIR_SECRET_USAGE_TYPE_ISCSI:
         return def->usage.target;
 
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+    case VIR_SECRET_USAGE_TYPE_TLS:
         return def->usage.name;
 
     default:
@@ -89,7 +89,7 @@ virSecretDefFree(virSecretDefPtr def)
         VIR_FREE(def->usage.target);
         break;
 
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+    case VIR_SECRET_USAGE_TYPE_TLS:
         VIR_FREE(def->usage.name);
         break;
 
@@ -153,10 +153,10 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt,
         }
         break;
 
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+    case VIR_SECRET_USAGE_TYPE_TLS:
         if (!(def->usage.name = virXPathString("string(./usage/name)", ctxt))) {
             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                           _("passphrase usage specified, but name is missing"));
+                           _("tls usage specified, but name is missing"));
             return -1;
         }
         break;
@@ -313,7 +313,7 @@ virSecretDefFormatUsage(virBufferPtr buf,
         virBufferEscapeString(buf, "<target>%s</target>\n", def->usage.target);
         break;
 
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+    case VIR_SECRET_USAGE_TYPE_TLS:
         virBufferEscapeString(buf, "<name>%s</name>\n", def->usage.name);
         break;
 
diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c
index 6714a00..2bdfe08 100644
--- a/src/conf/virsecretobj.c
+++ b/src/conf/virsecretobj.c
@@ -238,7 +238,7 @@ virSecretObjSearchName(const void *payload,
             found = 1;
         break;
 
-    case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+    case VIR_SECRET_USAGE_TYPE_TLS:
         if (STREQ(secret->def->usage.name, data->usageID))
             found = 1;
         break;
diff --git a/tests/secretxml2xmlin/usage-passphrase.xml b/tests/secretxml2xmlin/usage-passphrase.xml
deleted file mode 100644
index 2b94b80..0000000
--- a/tests/secretxml2xmlin/usage-passphrase.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<secret ephemeral='no' private='no'>
-  <uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
-  <description>Sample Passphrase Secret</description>
-  <usage type='passphrase'>
-    <name>mumblyfratz</name>
-  </usage>
-</secret>
diff --git a/tests/secretxml2xmlin/usage-tls.xml b/tests/secretxml2xmlin/usage-tls.xml
new file mode 100644
index 0000000..8203681
--- /dev/null
+++ b/tests/secretxml2xmlin/usage-tls.xml
@@ -0,0 +1,7 @@
+<secret ephemeral='no' private='no'>
+  <uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
+  <description>Sample TLS Secret</description>
+  <usage type='tls'>
+    <name>TLS-Example</name>
+  </usage>
+</secret>
diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c
index c444e4d..714c709 100644
--- a/tests/secretxml2xmltest.c
+++ b/tests/secretxml2xmltest.c
@@ -80,7 +80,7 @@ mymain(void)
     DO_TEST("usage-volume");
     DO_TEST("usage-ceph");
     DO_TEST("usage-iscsi");
-    DO_TEST("usage-passphrase");
+    DO_TEST("usage-tls");
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
-- 
2.5.5



