Commit 327c8ebd authored by Peter Krempa's avatar Peter Krempa Committed by Jeff Cody
Browse files

block: curl: Allow passing cookies via QCryptoSecret 

Since cookies can contain sensitive data (session ID, etc ...) it is
desired to hide them from the prying eyes of users. Add a possibility to
pass them via the secret infrastructure.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413



Signed-off-by: default avatarPeter Krempa <pkrempa@redhat.com>
Reviewed-by: default avatarEric Blake <eblake@redhat.com>
Reviewed-by: default avatarJeff Cody <jcody@redhat.com>
Message-id: f4a22cdebdd0bca6a13a43a2a6deead7f2ec4bb3.1493906281.git.pkrempa@redhat.com
Signed-off-by: default avatarJeff Cody <jcody@redhat.com>
parent 3a876066

block/curl.c

+23 −1
Original line number Diff line number Diff line
@@ -85,6 +85,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, 
#define CURL_BLOCK_OPT_SSLVERIFY "sslverify"

#define CURL_BLOCK_OPT_TIMEOUT "timeout"

#define CURL_BLOCK_OPT_COOKIE    "cookie"

#define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"

#define CURL_BLOCK_OPT_USERNAME "username"

#define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"

#define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -623,6 +624,11 @@ static QemuOptsList runtime_opts = { 
            .type = QEMU_OPT_STRING,

            .help = "Pass the cookie or list of cookies with each request"

        },

        {

            .name = CURL_BLOCK_OPT_COOKIE_SECRET,

            .type = QEMU_OPT_STRING,

            .help = "ID of secret used as cookie passed with each request"

        },

        {

            .name = CURL_BLOCK_OPT_USERNAME,

            .type = QEMU_OPT_STRING,
@@ -657,6 +663,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, 
    Error *local_err = NULL;

    const char *file;

    const char *cookie;

    const char *cookie_secret;

    double d;

    const char *secretid;

    const char *protocol_delimiter;
@@ -693,7 +700,22 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, 
    s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);



    cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE);

    cookie_secret = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE_SECRET);



    if (cookie && cookie_secret) {

        error_setg(errp,

                   "curl driver cannot handle both cookie and cookie secret");

        goto out_noclean;

    }



    if (cookie_secret) {

        s->cookie = qcrypto_secret_lookup_as_utf8(cookie_secret, errp);

        if (!s->cookie) {

            goto out_noclean;

        }

    } else {

        s->cookie = g_strdup(cookie);

    }



    file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);

    if (file == NULL) {

qapi/block-core.json

+10 −2
Original line number Diff line number Diff line
@@ -2813,11 +2813,15 @@ 
#               "name1=content1; name2=content2;" as explained by

#               CURLOPT_COOKIE(3). Defaults to no cookies.

#

# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a

#                 secure way. See @cookie for the format. (since 2.10)

#

# Since: 2.9

##

{ 'struct': 'BlockdevOptionsCurlHttp',

  'base': 'BlockdevOptionsCurlBase',

  'data': { '*cookie': 'str' } }

  'data': { '*cookie': 'str',

            '*cookie-secret': 'str'} }



##

# @BlockdevOptionsCurlHttps:
@@ -2832,12 +2836,16 @@ 
# @sslverify:   Whether to verify the SSL certificate's validity (defaults to

#               true)

#

# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a

#                 secure way. See @cookie for the format. (since 2.10)

#

# Since: 2.9

##

{ 'struct': 'BlockdevOptionsCurlHttps',

  'base': 'BlockdevOptionsCurlBase',

  'data': { '*cookie': 'str',

            '*sslverify': 'bool' } }

            '*sslverify': 'bool',

            '*cookie-secret': 'str'} }



##

# @BlockdevOptionsCurlFtp: