[PATCH 19/30] qemu: domain: Store data for 'secret' object representing http cookies
Peter Krempa
pkrempa at redhat.com
Mon Mar 9 16:22:59 UTC 2020
The http cookies can have potentially sensitive values and thus should
not be leaked into the command line. This means that we'll need to
instantiate a 'secret' object in qemu to pass the value encrypted.
This patch adds infrastructure for storing of the alias in the status
XML.t
Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
src/qemu/qemu_domain.c | 8 +++++++-
src/qemu/qemu_domain.h | 3 +++
tests/qemustatusxml2xmldata/modern-in.xml | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index e7aaded4d5..b36ff434f3 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -2314,6 +2314,7 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
qemuDomainStorageSourcePrivatePtr priv;
g_autofree char *authalias = NULL;
g_autofree char *encalias = NULL;
+ g_autofree char *httpcookiealias = NULL;
src->nodestorage = virXPathString("string(./nodenames/nodename[@type='storage']/@name)", ctxt);
src->nodeformat = virXPathString("string(./nodenames/nodename[@type='format']/@name)", ctxt);
@@ -2327,8 +2328,9 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
authalias = virXPathString("string(./objects/secret[@type='auth']/@alias)", ctxt);
encalias = virXPathString("string(./objects/secret[@type='encryption']/@alias)", ctxt);
+ httpcookiealias = virXPathString("string(./objects/secret[@type='httpcookie']/@alias)", ctxt);
- if (authalias || encalias) {
+ if (authalias || encalias || httpcookiealias) {
if (!src->privateData &&
!(src->privateData = qemuDomainStorageSourcePrivateNew()))
return -1;
@@ -2340,6 +2342,9 @@ qemuStorageSourcePrivateDataParse(xmlXPathContextPtr ctxt,
if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->encinfo, &encalias) < 0)
return -1;
+
+ if (qemuStorageSourcePrivateDataAssignSecinfo(&priv->httpcookie, &httpcookiealias) < 0)
+ return -1;
}
if (virStorageSourcePrivateDataParseRelPath(ctxt, src) < 0)
@@ -2390,6 +2395,7 @@ qemuStorageSourcePrivateDataFormat(virStorageSourcePtr src,
if (srcPriv) {
qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->secinfo, "auth");
qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->encinfo, "encryption");
+ qemuStorageSourcePrivateDataFormatSecinfo(&tmp, srcPriv->httpcookie, "httpcookie");
}
if (src->tlsAlias)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 202b85e39a..4e59f316fa 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -460,6 +460,9 @@ struct _qemuDomainStorageSourcePrivate {
/* data required for decryption of encrypted storage source */
qemuDomainSecretInfoPtr encinfo;
+
+ /* secure passthrough of the http cookie */
+ qemuDomainSecretInfoPtr httpcookie;
};
virObjectPtr qemuDomainStorageSourcePrivateNew(void);
diff --git a/tests/qemustatusxml2xmldata/modern-in.xml b/tests/qemustatusxml2xmldata/modern-in.xml
index c8d21ceada..cb56cdcef9 100644
--- a/tests/qemustatusxml2xmldata/modern-in.xml
+++ b/tests/qemustatusxml2xmldata/modern-in.xml
@@ -332,6 +332,7 @@
<objects>
<secret type='auth' alias='test-auth-alias'/>
<secret type='encryption' alias='test-encryption-alias'/>
+ <secret type='httpcookie' alias='http-cookie-alias'/>
<TLSx509 alias='transport-alias'/>
</objects>
</privateData>
--
2.24.1
More information about the libvir-list
mailing list