From 6d661329dd1c426c5a46c678cf2e71b4ef2647e8 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Fri, 9 Dec 2022 16:49:12 +0100
Subject: [PATCH] virStorageBackendRBDOpenRADOSConn: Don't log the RBD key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'virStorageBackendRBDRADOSConfSet' logs its arguments but it's also used to set the RBD secret/key. All the security theatre with securely erasing the string we do to fetch the secret would be quite pointless if we log it thus introduce virStorageBackendRBDRADOSConfSetQuiet and use it to avoid logging the password.

Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 src/storage/storage_backend_rbd.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backend_rbd.c
index 52407f8e6f..05b2c43f79 100644
--- a/src/storage/storage_backend_rbd.c
+++ b/src/storage/storage_backend_rbd.c
@@ -161,12 +161,10 @@ virStoragePoolDefRBDNamespaceFormatXML(virBuffer *buf,
 static int
-virStorageBackendRBDRADOSConfSet(rados_t cluster,
- const char *option,
- const char *value)
+virStorageBackendRBDRADOSConfSetQuiet(rados_t cluster,
+ const char *option,
+ const char *value)
 {
- VIR_DEBUG("Setting RADOS option '%s' to '%s'",
- option, value);
 if (rados_conf_set(cluster, option, value) < 0) {
 virReportError(VIR_ERR_INTERNAL_ERROR,
 _("failed to set RADOS option: %s"),
@@ -177,6 +175,19 @@ virStorageBackendRBDRADOSConfSet(rados_t cluster,
 return 0;
 }
+
+static int
+virStorageBackendRBDRADOSConfSet(rados_t cluster,
+ const char *option,
+ const char *value)
+{
+ VIR_DEBUG("Setting RADOS option '%s' to '%s'",
+ option, value);
+
+ return virStorageBackendRBDRADOSConfSetQuiet(cluster, option, value);
+}
+
+
 static int
 virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
 virStoragePoolDef *def)
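Review bot: Neither helper documents the logging contract this split depends on: `virStorageBackendRBDRADOSConfSetQuiet` (first hunk) has no comment saying it exists to keep secret values out of the debug log, and the wrapper added in the second hunk still formats `value` into `VIR_DEBUG` for whatever option it is given. I would add `/* Does not log @value; use this for secrets such as the RBD "key". */` above the Quiet variant and `/* Logs @value at debug level; never pass secret material through this helper. */` above `virStorageBackendRBDRADOSConfSet`. The `virReportError` call kept in the Quiet variant has a single `%s` whose argument is on a line outside the hunk; it is presumably `option`, but it is worth confirming that the error path cannot report `value`. The body of the Quiet variant continues past the end of the first hunk.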
@@ -222,7 +233,8 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDState *ptr,
 rados_key = g_base64_encode(secret_value, secret_value_size);
 virSecureErase(secret_value, secret_value_size);
- rc = virStorageBackendRBDRADOSConfSet(ptr->cluster, "key", rados_key);
+ VIR_DEBUG("Setting RADOS option 'key'");
+ rc = virStorageBackendRBDRADOSConfSetQuiet(ptr->cluster, "key", rados_key);
 virSecureEraseString(rados_key);
 if (rc < 0)
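Review bot: The new call to `virStorageBackendRBDRADOSConfSetQuiet` has no comment explaining why the non-logging variant is required at this call site, so a later cleanup could switch it back to the logging helper without noticing that `rados_key` is the base64-encoded secret. I would add `/* rados_key is secret material: use the variant that does not log @value */` above the new `VIR_DEBUG` line. The removed line shows the key previously went through the helper that logs its arguments, so debug logs captured from builds without this change may contain the encoded key and should be handled as sensitive. virStorageBackendRBDOpenRADOSConn starts and ends outside the hunk.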