Re: [libvirt] [PATCH v2 03/15] conf: Add new secret type "passphrase"

On Thu, Jun 23, 2016 at 13:28:59 -0400, John Ferlan wrote: > Add a new secret type known as "passphrase" - it will handle adding the > secret objects that need a passphrase without a specific username. > > The format is: > > <secret ...> > <uuid>...</uuid> > ... > <usage type='passphrase'> > <id>mumblyfratz</id> > </usage> > </secret> > > Signed-off-by: John Ferlan <jferlan(a)redhat.com&gt; > --- > docs/aclpolkit.html.in | 4 +++ > docs/formatsecret.html.in | 57 ++++++++++++++++++++++++++++-- > docs/schemas/secret.rng | 10 ++++++ > include/libvirt/libvirt-secret.h | 3 +- > src/access/viraccessdriverpolkit.c | 13 +++++++ > src/conf/secret_conf.c | 26 +++++++++++++- > src/conf/secret_conf.h | 1 + > src/conf/virsecretobj.c | 5 +++ > tests/secretxml2xmlin/usage-passphrase.xml | 7 ++++ > tests/secretxml2xmltest.c | 1 + > 10 files changed, 123 insertions(+), 4 deletions(-) > create mode 100644 tests/secretxml2xmlin/usage-passphrase.xml > > diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in > index 599cb38..79c4082 100644 > --- a/docs/formatsecret.html.in > +++ b/docs/formatsecret.html.in [..] > @@ -241,5 +242,57 @@ > &lt;secret usage='libvirtiscsi'/&gt; > &lt;/auth&gt; > </pre> > + > + <h3><a name="passphraseUsageType">Usage type "passphrase"</a></h3> > + > + <p> > + This secret is a general purpose secret to be used by various libvirt > + objects to provide a single passphrase as required by the object in > + order to perform its authentication. > + <span class="since">Since 2.0.0</span>. The following is an example > + of a secret.xml file: > + </p> > + > + <pre> > + # cat secret.xml > + &lt;secret ephemeral='no' private='yes'&gt; > + &lt;description&gt;sample passphrase secret&lt;/description&gt; > + &lt;usage type='passphrase'&gt; > + &lt;id&gt;id_example&lt;/id&gt; 'id' implies a number. Any reason for not using 'name'?

> + &lt;/usage&gt; > + &lt;/secret&gt; > + > + # virsh secret-define secret.xml > + Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created > + > + # virsh secret-list > + UUID Usage > + ----------------------------------------------------------- > + 718c71bd-67b5-4a2b-87ec-a24e8ca200dc passphrase id_example Header is misaligned.

> + # > + > + </pre> > + > + <p> > + A secret may also be defined via the > + <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML"> > + <code>virSecretDefineXML</code></a> API. > + > + Once the secret is defined, a secret value will need to be set. This > + value would be the same used to create and use the volume. > + The following is a simple example of using > + <code>virsh secret-set-value</code> to set the secret value. The > + <a href="html/libvirt-libvirt-secret.html#virSecretSetValue"> > + <code>virSecretSetValue</code></a> API may also be used to set > + a more secure secret without using printable/readable characters. > + </p> > + > + <pre> > + # MYSECRET=`printf %s "letmein" | base64` > + # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET > + Secret value set > + > + </pre> > + > </body> > </html> [...] > diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c > index de9e6cf..77477b6 100644 > --- a/src/conf/secret_conf.c > +++ b/src/conf/secret_conf.c > @@ -92,6 +100,7 @@ virSecretDefFree(virSecretDefPtr def) > VIR_FREE(def); > } > > + Spurious whitespace change. > static int > virSecretDefParseUsage(xmlXPathContextPtr ctxt, > virSecretDefPtr def) > @@ -145,6 +154,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt, > } > break; > > + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: > + if (!(def->usage.id = virXPathString("string(./usage/id)", ctxt))) { > + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", > + _("passphrase usage specified, but id is missing")); > + return -1; This diallows missing ID. > + } > + break; > + > default: > virReportError(VIR_ERR_INTERNAL_ERROR, > _("unexpected secret usage type %d"), > @@ -305,6 +322,13 @@ virSecretDefFormatUsage(virBufferPtr buf, > } > break; > > + case VIR_SECRET_USAGE_TYPE_PASSPHRASE: > + if (def->usage.id != NULL) { This allows missing id.

> + virBufferEscapeString(buf, "<id>%s</id>\n", > + def->usage.id); > + } > + break; > + > default: > virReportError(VIR_ERR_INTERNAL_ERROR, > _("unexpected secret usage type %d"),