[libvirt] [PATCH v2 03/15] conf: Add new secret type "passphrase"
John Ferlan
jferlan at redhat.com
Thu Jun 23 17:28:59 UTC 2016
Add a new secret type known as "passphrase" - it will handle adding the
secret objects that need a passphrase without a specific username.
The format is:
<secret ...>
<uuid>...</uuid>
...
<usage type='passphrase'>
<id>mumblyfratz</id>
</usage>
</secret>
Signed-off-by: John Ferlan <jferlan at redhat.com>
---
docs/aclpolkit.html.in | 4 +++
docs/formatsecret.html.in | 57 ++++++++++++++++++++++++++++--
docs/schemas/secret.rng | 10 ++++++
include/libvirt/libvirt-secret.h | 3 +-
src/access/viraccessdriverpolkit.c | 13 +++++++
src/conf/secret_conf.c | 26 +++++++++++++-
src/conf/secret_conf.h | 1 +
src/conf/virsecretobj.c | 5 +++
tests/secretxml2xmlin/usage-passphrase.xml | 7 ++++
tests/secretxml2xmltest.c | 1 +
10 files changed, 123 insertions(+), 4 deletions(-)
create mode 100644 tests/secretxml2xmlin/usage-passphrase.xml
diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index dae0814..1d31b6d 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -224,6 +224,10 @@
<td>secret_usage_target</td>
<td>Name of the associated iSCSI target, if any</td>
</tr>
+ <tr>
+ <td>secret_usage_id</td>
+ <td>Name of be associated passphrase secret, if any</td>
+ </tr>
</tbody>
</table>
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in
index 599cb38..79c4082 100644
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@@ -41,8 +41,9 @@
<dd>
Specifies what this secret is used for. A mandatory
<code>type</code> attribute specifies the usage category, currently
- only <code>volume</code>, <code>ceph</code> and <code>iscsi</code>
- are defined. Specific usage categories are described below.
+ only <code>volume</code>, <code>ceph</code>, <code>iscsi</code>,
+ and <code>passphrase</code> are defined. Specific usage categories
+ are described below.
</dd>
</dl>
@@ -241,5 +242,57 @@
<secret usage='libvirtiscsi'/>
</auth>
</pre>
+
+ <h3><a name="passphraseUsageType">Usage type "passphrase"</a></h3>
+
+ <p>
+ This secret is a general purpose secret to be used by various libvirt
+ objects to provide a single passphrase as required by the object in
+ order to perform its authentication.
+ <span class="since">Since 2.0.0</span>. The following is an example
+ of a secret.xml file:
+ </p>
+
+ <pre>
+ # cat secret.xml
+ <secret ephemeral='no' private='yes'>
+ <description>sample passphrase secret</description>
+ <usage type='passphrase'>
+ <id>id_example</id>
+ </usage>
+ </secret>
+
+ # virsh secret-define secret.xml
+ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
+
+ # virsh secret-list
+ UUID Usage
+ -----------------------------------------------------------
+ 718c71bd-67b5-4a2b-87ec-a24e8ca200dc passphrase id_example
+ #
+
+ </pre>
+
+ <p>
+ A secret may also be defined via the
+ <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML">
+ <code>virSecretDefineXML</code></a> API.
+
+ Once the secret is defined, a secret value will need to be set. This
+ value would be the same used to create and use the volume.
+ The following is a simple example of using
+ <code>virsh secret-set-value</code> to set the secret value. The
+ <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
+ <code>virSecretSetValue</code></a> API may also be used to set
+ a more secure secret without using printable/readable characters.
+ </p>
+
+ <pre>
+ # MYSECRET=`printf %s "letmein" | base64`
+ # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
+ Secret value set
+
+ </pre>
+
</body>
</html>
diff --git a/docs/schemas/secret.rng b/docs/schemas/secret.rng
index e21e700..fc188ba 100644
--- a/docs/schemas/secret.rng
+++ b/docs/schemas/secret.rng
@@ -36,6 +36,7 @@
<ref name='usagevolume'/>
<ref name='usageceph'/>
<ref name='usageiscsi'/>
+ <ref name='usagepassphrase'/>
<!-- More choices later -->
</choice>
</element>
@@ -71,4 +72,13 @@
</element>
</define>
+ <define name='usagepassphrase'>
+ <attribute name='type'>
+ <value>passphrase</value>
+ </attribute>
+ <element name='id'>
+ <ref name='genericName'/>
+ </element>
+ </define>
+
</grammar>
diff --git a/include/libvirt/libvirt-secret.h b/include/libvirt/libvirt-secret.h
index 3e5cdf6..55b11e0 100644
--- a/include/libvirt/libvirt-secret.h
+++ b/include/libvirt/libvirt-secret.h
@@ -4,7 +4,7 @@
* Description: Provides APIs for the management of secrets
* Author: Daniel Veillard <veillard at redhat.com>
*
- * Copyright (C) 2006-2014 Red Hat, Inc.
+ * Copyright (C) 2006-2014, 2016 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -43,6 +43,7 @@ typedef enum {
VIR_SECRET_USAGE_TYPE_VOLUME = 1,
VIR_SECRET_USAGE_TYPE_CEPH = 2,
VIR_SECRET_USAGE_TYPE_ISCSI = 3,
+ VIR_SECRET_USAGE_TYPE_PASSPHRASE = 4,
# ifdef VIR_ENUM_SENTINELS
VIR_SECRET_USAGE_TYPE_LAST
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 89bc890..1f955f0 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -338,6 +338,19 @@ virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
virAccessPermSecretTypeToString(perm),
attrs);
} break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE: {
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "secret_uuid", uuidstr,
+ "secret_usage_id", secret->usage.id,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
}
}
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c
index de9e6cf..77477b6 100644
--- a/src/conf/secret_conf.c
+++ b/src/conf/secret_conf.c
@@ -29,6 +29,7 @@
#include "viralloc.h"
#include "secret_conf.h"
#include "virsecretobj.h"
+#include "virstring.h"
#include "virerror.h"
#include "virxml.h"
#include "viruuid.h"
@@ -38,7 +39,7 @@
VIR_LOG_INIT("conf.secret_conf");
VIR_ENUM_IMPL(virSecretUsage, VIR_SECRET_USAGE_TYPE_LAST,
- "none", "volume", "ceph", "iscsi")
+ "none", "volume", "ceph", "iscsi", "passphrase")
const char *
virSecretUsageIDForDef(virSecretDefPtr def)
@@ -56,6 +57,9 @@ virSecretUsageIDForDef(virSecretDefPtr def)
case VIR_SECRET_USAGE_TYPE_ISCSI:
return def->usage.target;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+ return def->usage.id;
+
default:
return NULL;
}
@@ -85,6 +89,10 @@ virSecretDefFree(virSecretDefPtr def)
VIR_FREE(def->usage.target);
break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+ VIR_FREE(def->usage.id);
+ break;
+
default:
VIR_ERROR(_("unexpected secret usage type %d"), def->usage_type);
break;
@@ -92,6 +100,7 @@ virSecretDefFree(virSecretDefPtr def)
VIR_FREE(def);
}
+
static int
virSecretDefParseUsage(xmlXPathContextPtr ctxt,
virSecretDefPtr def)
@@ -145,6 +154,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt,
}
break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+ if (!(def->usage.id = virXPathString("string(./usage/id)", ctxt))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("passphrase usage specified, but id is missing"));
+ return -1;
+ }
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
@@ -305,6 +322,13 @@ virSecretDefFormatUsage(virBufferPtr buf,
}
break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+ if (def->usage.id != NULL) {
+ virBufferEscapeString(buf, "<id>%s</id>\n",
+ def->usage.id);
+ }
+ break;
+
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected secret usage type %d"),
diff --git a/src/conf/secret_conf.h b/src/conf/secret_conf.h
index 4584403..768e6e9 100644
--- a/src/conf/secret_conf.h
+++ b/src/conf/secret_conf.h
@@ -40,6 +40,7 @@ struct _virSecretDef {
char *volume; /* May be NULL */
char *ceph;
char *target;
+ char *id;
} usage;
};
diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c
index c46d22c..a2b4801 100644
--- a/src/conf/virsecretobj.c
+++ b/src/conf/virsecretobj.c
@@ -237,6 +237,11 @@ virSecretObjSearchName(const void *payload,
if (STREQ(secret->def->usage.target, data->usageID))
found = 1;
break;
+
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE:
+ if (STREQ(secret->def->usage.id, data->usageID))
+ found = 1;
+ break;
}
cleanup:
diff --git a/tests/secretxml2xmlin/usage-passphrase.xml b/tests/secretxml2xmlin/usage-passphrase.xml
new file mode 100644
index 0000000..7ebe0a4
--- /dev/null
+++ b/tests/secretxml2xmlin/usage-passphrase.xml
@@ -0,0 +1,7 @@
+<secret ephemeral='no' private='no'>
+ <uuid>f52a81b2-424e-490c-823d-6bd4235bc572</uuid>
+ <description>Sample Passphrase Secret</description>
+ <usage type='passphrase'>
+ <id>mumblyfratz</id>
+ </usage>
+</secret>
diff --git a/tests/secretxml2xmltest.c b/tests/secretxml2xmltest.c
index 8dcbb40..c444e4d 100644
--- a/tests/secretxml2xmltest.c
+++ b/tests/secretxml2xmltest.c
@@ -80,6 +80,7 @@ mymain(void)
DO_TEST("usage-volume");
DO_TEST("usage-ceph");
DO_TEST("usage-iscsi");
+ DO_TEST("usage-passphrase");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
2.5.5
More information about the libvir-list
mailing list