
On Thu, Jun 23, 2016 at 13:28:59 -0400, John Ferlan wrote:
Add a new secret type known as "passphrase" - it will handle adding the secret objects that need a passphrase without a specific username.
The format is:
<secret ...>
  <uuid>...</uuid>
  ...
  <usage type='passphrase'>
    <id>mumblyfratz</id>
  </usage>
</secret>

Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 docs/aclpolkit.html.in                     |  4 +++
 docs/formatsecret.html.in                  | 57 ++++++++++++++++++++++++++++--
 docs/schemas/secret.rng                    | 10 ++++++
 include/libvirt/libvirt-secret.h           |  3 +-
 src/access/viraccessdriverpolkit.c         | 13 +++++++
 src/conf/secret_conf.c                     | 26 +++++++++++++-
 src/conf/secret_conf.h                     |  1 +
 src/conf/virsecretobj.c                    |  5 +++
 tests/secretxml2xmlin/usage-passphrase.xml |  7 ++++
 tests/secretxml2xmltest.c                  |  1 +
 10 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 tests/secretxml2xmlin/usage-passphrase.xml
diff --git a/docs/formatsecret.html.in b/docs/formatsecret.html.in index 599cb38..79c4082 100644 --- a/docs/formatsecret.html.in +++ b/docs/formatsecret.html.in
[..]
@@ -241,5 +242,57 @@ <secret usage='libvirtiscsi'/> </auth> </pre> + + <h3><a name="passphraseUsageType">Usage type "passphrase"</a></h3> + + <p> + This secret is a general purpose secret to be used by various libvirt + objects to provide a single passphrase as required by the object in + order to perform its authentication. + <span class="since">Since 2.0.0</span>. The following is an example + of a secret.xml file: + </p> + + <pre> + # cat secret.xml + <secret ephemeral='no' private='yes'> + <description>sample passphrase secret</description> + <usage type='passphrase'> + <id>id_example</id>
'id' implies a number. Any reason for not using 'name'?
+ </usage> + </secret> + + # virsh secret-define secret.xml + Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created + + # virsh secret-list + UUID Usage + ----------------------------------------------------------- + 718c71bd-67b5-4a2b-87ec-a24e8ca200dc passphrase id_example
Header is misaligned.
+ # + + </pre> + + <p> + A secret may also be defined via the + <a href="html/libvirt-libvirt-secret.html#virSecretDefineXML"> + <code>virSecretDefineXML</code></a> API. + + Once the secret is defined, a secret value will need to be set. This + value would be the same used to create and use the volume. + The following is a simple example of using + <code>virsh secret-set-value</code> to set the secret value. The + <a href="html/libvirt-libvirt-secret.html#virSecretSetValue"> + <code>virSecretSetValue</code></a> API may also be used to set + a more secure secret without using printable/readable characters. + </p> + + <pre> + # MYSECRET=`printf %s "letmein" | base64` + # virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET + Secret value set + + </pre> + </body> </html>
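Review bot: the added paragraph's sentence "This value would be the same used to create and use the volume" refers to a volume, which fits the volume usage type but not a general-purpose passphrase secret; suggest "This value is the passphrase the consuming object presents when it authenticates." In the same paragraph, "a more secure secret without using printable/readable characters" conflates the base64 encoding that virsh requires with security; the real difference is that virSecretSetValue accepts the raw bytes, so suggest "a binary (non-printable) value, without base64 encoding it first". Since the example sets `MYSECRET` on the command line, where it lands in shell history and is visible to other users via the process list, a sentence saying so would give readers a concrete reason to prefer the API path the paragraph already points at.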
[...]
diff --git a/src/conf/secret_conf.c b/src/conf/secret_conf.c index de9e6cf..77477b6 100644 --- a/src/conf/secret_conf.c +++ b/src/conf/secret_conf.c
@@ -92,6 +100,7 @@ virSecretDefFree(virSecretDefPtr def) VIR_FREE(def); }
+
Spurious whitespace change.
static int virSecretDefParseUsage(xmlXPathContextPtr ctxt, virSecretDefPtr def) @@ -145,6 +154,14 @@ virSecretDefParseUsage(xmlXPathContextPtr ctxt, } break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + if (!(def->usage.id = virXPathString("string(./usage/id)", ctxt))) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("passphrase usage specified, but id is missing")); + return -1;
This disallows missing ID.
+ } + break; + default: virReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected secret usage type %d"), @@ -305,6 +322,13 @@ virSecretDefFormatUsage(virBufferPtr buf, } break;
+ case VIR_SECRET_USAGE_TYPE_PASSPHRASE: + if (def->usage.id != NULL) {
This allows missing id.
+ virBufferEscapeString(buf, "<id>%s</id>\n", + def->usage.id); + } + break; + default: virReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected secret usage type %d"),
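Review bot: the parser and the formatter disagree on whether <id> is optional: virSecretDefParseUsage returns -1 when `string(./usage/id)` is empty, while virSecretDefFormatUsage guards on `def->usage.id != NULL` and would emit an empty <usage type='passphrase'/> that the parser then rejects on re-read, so the two sides do not round-trip. Pick one contract: if <id> is required, drop the NULL check in the formatter (the parse guarantees it is set) so the xml2xml test exercises the same path; if it is optional, relax the parser instead. Separately, a missing element in user-supplied XML is input validation, not an internal inconsistency, so the parser's `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("passphrase usage specified, but id is missing"))` should use VIR_ERR_XML_ERROR, matching how libvirt reports other malformed-input cases.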