Commit 1bff9606 authored by Daniel P. Berrangé's avatar Daniel P. Berrangé Committed by Jeff Cody
Browse files

curl: add support for HTTP authentication parameters 

If connecting to a web server which has authentication
turned on, QEMU gets a 401 as curl has not been configured
with any authentication credentials.

This adds 4 new parameters to the curl block driver
options 'username', 'password-secret', 'proxy-username'
and 'proxy-password-secret'. Passwords are provided using
the recently added 'secret' object type

 $QEMU \
     -object secret,id=sec0,filename=/home/berrange/example.pw \
     -object secret,id=sec1,filename=/home/berrange/proxy.pw \
     -drive driver=http,url=http://example.com/some.img,\


            username=dan,password-secret=sec0,\
            proxy-username=dan,proxy-password-secret=sec1

Of course it is possible to use the same secret for both the
proxy & server passwords if desired, or omit the proxy auth
details, or the server auth details as required.

Signed-off-by: default avatarDaniel P. Berrange <berrange@redhat.com>
Message-id: 1453385961-10718-3-git-send-email-berrange@redhat.com
Signed-off-by: default avatarJeff Cody <jcody@redhat.com>
parent 60390a21

block/curl.c

+66 −0
Original line number Diff line number Diff line
@@ -27,6 +27,7 @@ 
#include "block/block_int.h"

#include "qapi/qmp/qbool.h"

#include "qapi/qmp/qstring.h"

#include "crypto/secret.h"

#include <curl/curl.h>



// #define DEBUG_CURL
@@ -78,6 +79,10 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, 
#define CURL_BLOCK_OPT_SSLVERIFY "sslverify"

#define CURL_BLOCK_OPT_TIMEOUT "timeout"

#define CURL_BLOCK_OPT_COOKIE    "cookie"

#define CURL_BLOCK_OPT_USERNAME "username"

#define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"

#define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"

#define CURL_BLOCK_OPT_PROXY_PASSWORD_SECRET "proxy-password-secret"



struct BDRVCURLState;
@@ -120,6 +125,10 @@ typedef struct BDRVCURLState { 
    char *cookie;

    bool accept_range;

    AioContext *aio_context;

    char *username;

    char *password;

    char *proxyusername;

    char *proxypassword;

} BDRVCURLState;



static void curl_clean_state(CURLState *s);
@@ -419,6 +428,21 @@ static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s) 
        curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errmsg);

        curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1);



        if (s->username) {

            curl_easy_setopt(state->curl, CURLOPT_USERNAME, s->username);

        }

        if (s->password) {

            curl_easy_setopt(state->curl, CURLOPT_PASSWORD, s->password);

        }

        if (s->proxyusername) {

            curl_easy_setopt(state->curl,

                             CURLOPT_PROXYUSERNAME, s->proxyusername);

        }

        if (s->proxypassword) {

            curl_easy_setopt(state->curl,

                             CURLOPT_PROXYPASSWORD, s->proxypassword);

        }



        /* Restrict supported protocols to avoid security issues in the more

         * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see

         * CVE-2013-0249.
@@ -525,10 +549,31 @@ static QemuOptsList runtime_opts = { 
            .type = QEMU_OPT_STRING,

            .help = "Pass the cookie or list of cookies with each request"

        },

        {

            .name = CURL_BLOCK_OPT_USERNAME,

            .type = QEMU_OPT_STRING,

            .help = "Username for HTTP auth"

        },

        {

            .name = CURL_BLOCK_OPT_PASSWORD_SECRET,

            .type = QEMU_OPT_STRING,

            .help = "ID of secret used as password for HTTP auth",

        },

        {

            .name = CURL_BLOCK_OPT_PROXY_USERNAME,

            .type = QEMU_OPT_STRING,

            .help = "Username for HTTP proxy auth"

        },

        {

            .name = CURL_BLOCK_OPT_PROXY_PASSWORD_SECRET,

            .type = QEMU_OPT_STRING,

            .help = "ID of secret used as password for HTTP proxy auth",

        },

        { /* end of list */ }

    },

};





static int curl_open(BlockDriverState *bs, QDict *options, int flags,

                     Error **errp)

{
@@ -539,6 +584,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, 
    const char *file;

    const char *cookie;

    double d;

    const char *secretid;



    static int inited = 0;
@@ -580,6 +626,26 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, 
        goto out_noclean;

    }



    s->username = g_strdup(qemu_opt_get(opts, CURL_BLOCK_OPT_USERNAME));

    secretid = qemu_opt_get(opts, CURL_BLOCK_OPT_PASSWORD_SECRET);



    if (secretid) {

        s->password = qcrypto_secret_lookup_as_utf8(secretid, errp);

        if (!s->password) {

            goto out_noclean;

        }

    }



    s->proxyusername = g_strdup(

        qemu_opt_get(opts, CURL_BLOCK_OPT_PROXY_USERNAME));

    secretid = qemu_opt_get(opts, CURL_BLOCK_OPT_PROXY_PASSWORD_SECRET);

    if (secretid) {

        s->proxypassword = qcrypto_secret_lookup_as_utf8(secretid, errp);

        if (!s->proxypassword) {

            goto out_noclean;

        }

    }



    if (!inited) {

        curl_global_init(CURL_GLOBAL_ALL);

        inited = 1;