tools: virsh: Add --interactive flag for secret-set-value command

Simplify human usage of secret-set-value by adding --interactive which
will read the value of the secret from the terminal.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa 2020-01-24 16:37:27 +01:00
parent ff5f75f561
commit 70c7453895
2 changed files with 26 additions and 3 deletions


@ -6563,14 +6563,17 @@ secret-set-value
.. code-block:: .. code-block::
secret-set-value secret (--file filename [--plain] | base64) secret-set-value secret (--file filename [--plain] | --interactive | base64)
Set the value associated with *secret* (specified by its UUID) to the value Set the value associated with *secret* (specified by its UUID) to the value
Base64-encoded value *base64* or Base-64-encoded contents of file named Base64-encoded value *base64* or Base-64-encoded contents of file named
*filename*. Using the *--plain* flag is together with *--file* allows to use *filename*. Using the *--plain* flag is together with *--file* allows to use
the file contents directly as the secret value. the file contents directly as the secret value.
Note that *--file* and *base64* options are mutually exclusive. If *--interactive* flag is used the secret value is read as a password from the
terminal.
Note that *--file*, *--interactive* and *base64* options are mutually exclusive.
Passing secrets via the *base64* option on command line is INSECURE and Passing secrets via the *base64* option on command line is INSECURE and
deprecated. Use the *--file* option instead. deprecated. Use the *--file* option instead.


@ -186,6 +186,10 @@ static const vshCmdOptDef opts_secret_set_value[] = {
.type = VSH_OT_BOOL, .type = VSH_OT_BOOL,
.help = N_("read the secret from file without converting from base64") .help = N_("read the secret from file without converting from base64")
}, },
{.name = "interactive",
.type = VSH_OT_BOOL,
.help = N_("read the secret from the terminal")
},
{.name = "base64", {.name = "base64",
.type = VSH_OT_STRING, .type = VSH_OT_STRING,
.help = N_("base64-encoded secret value") .help = N_("base64-encoded secret value")
@ -204,10 +208,14 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
unsigned char *value; unsigned char *value;
size_t value_size; size_t value_size;
bool plain = vshCommandOptBool(cmd, "plain"); bool plain = vshCommandOptBool(cmd, "plain");
bool interactive = vshCommandOptBool(cmd, "interactive");
int res; int res;
VSH_EXCLUSIVE_OPTIONS("file", "base64"); VSH_EXCLUSIVE_OPTIONS("file", "base64");
VSH_EXCLUSIVE_OPTIONS("plain", "base64"); VSH_EXCLUSIVE_OPTIONS("plain", "base64");
VSH_EXCLUSIVE_OPTIONS("interactive", "base64");
VSH_EXCLUSIVE_OPTIONS("interactive", "plain");
VSH_EXCLUSIVE_OPTIONS("interactive", "file");
if (!(secret = virshCommandOptSecret(ctl, cmd, NULL))) if (!(secret = virshCommandOptSecret(ctl, cmd, NULL)))
return false; return false;
@ -218,7 +226,7 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0) if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0)
return false; return false;
if (!base64 && !filename) { if (!base64 && !filename && !interactive) {
vshError(ctl, _("Input secret value is missing")); vshError(ctl, _("Input secret value is missing"));
return false; return false;
} }
@ -238,6 +246,18 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd)
base64 = file_buf; base64 = file_buf;
} }
if (interactive) {
vshPrint(ctl, "%s", _("Enter new value for secret:"));
fflush(stdout);
if (!(file_buf = getpass(""))) {
vshError(ctl, "%s", _("Failed to read secret"));
return false;
}
file_len = strlen(file_buf);
plain = true;
}
if (plain) { if (plain) {
value = g_steal_pointer(&file_buf); value = g_steal_pointer(&file_buf);
value_size = file_len; value_size = file_len;
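Review bot: In the new `if (interactive)` block, `file_buf = getpass("")` stores a pointer to libc's static buffer, but the `if (plain)` branch right after it passes that pointer on with `g_steal_pointer(&file_buf)` as if it were heap-owned. The declaration of `file_buf` and the cleanup of `value` are outside the hunk, so this needs confirming, but if either is freed or disposed on exit, the function would free memory it never allocated. Taking a copy gives the rest of the function the owned buffer it expects: `if (!(file_buf = g_strdup(getpass("")))) {`. The secret also stays in libc's static buffer after the copy, so it should be wiped there once it has been duplicated. Separately, getpass() is marked obsolete, so a small wrapper around it would keep a later replacement in one place.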