[Qemu-devel] [PULL 1/8] block: curl: Allow passing cookies via QCryptoSe

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL 1/8] block: curl: Allow passing cookies via QCryptoSe

From:	Jeff Cody
Subject:	[Qemu-devel] [PULL 1/8] block: curl: Allow passing cookies via QCryptoSecret
Date:	Tue, 16 May 2017 11:54:13 -0400

From: Peter Krempa <address@hidden>

Since cookies can contain sensitive data (session ID, etc ...) it is
desired to hide them from the prying eyes of users. Add a possibility to
pass them via the secret infrastructure.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1447413

Signed-off-by: Peter Krempa <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Jeff Cody <address@hidden>
Message-id: address@hidden
Signed-off-by: Jeff Cody <address@hidden>
---
 block/curl.c         | 24 +++++++++++++++++++++++-
 qapi/block-core.json | 12 ++++++++++--
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/block/curl.c b/block/curl.c
index aa6e8cc..4382234 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -85,6 +85,7 @@ static CURLMcode __curl_multi_socket_action(CURLM 
*multi_handle,
 #define CURL_BLOCK_OPT_SSLVERIFY "sslverify"
 #define CURL_BLOCK_OPT_TIMEOUT "timeout"
 #define CURL_BLOCK_OPT_COOKIE    "cookie"
+#define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
 #define CURL_BLOCK_OPT_USERNAME "username"
 #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
 #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -624,6 +625,11 @@ static QemuOptsList runtime_opts = {
             .help = "Pass the cookie or list of cookies with each request"
         },
         {
+            .name = CURL_BLOCK_OPT_COOKIE_SECRET,
+            .type = QEMU_OPT_STRING,
+            .help = "ID of secret used as cookie passed with each request"
+        },
+        {
             .name = CURL_BLOCK_OPT_USERNAME,
             .type = QEMU_OPT_STRING,
             .help = "Username for HTTP auth"
@@ -657,6 +663,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, 
int flags,
     Error *local_err = NULL;
     const char *file;
     const char *cookie;
+    const char *cookie_secret;
     double d;
     const char *secretid;
     const char *protocol_delimiter;
@@ -693,7 +700,22 @@ static int curl_open(BlockDriverState *bs, QDict *options, 
int flags,
     s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true);
 
     cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE);
-    s->cookie = g_strdup(cookie);
+    cookie_secret = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE_SECRET);
+
+    if (cookie && cookie_secret) {
+        error_setg(errp,
+                   "curl driver cannot handle both cookie and cookie secret");
+        goto out_noclean;
+    }
+
+    if (cookie_secret) {
+        s->cookie = qcrypto_secret_lookup_as_utf8(cookie_secret, errp);
+        if (!s->cookie) {
+            goto out_noclean;
+        }
+    } else {
+        s->cookie = g_strdup(cookie);
+    }
 
     file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
     if (file == NULL) {
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 6b974b9..ea0b3e8 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -2813,11 +2813,15 @@
 #               "name1=content1; name2=content2;" as explained by
 #               CURLOPT_COOKIE(3). Defaults to no cookies.
 #
+# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a
+#                 secure way. See @cookie for the format. (since 2.10)
+#
 # Since: 2.9
 ##
 { 'struct': 'BlockdevOptionsCurlHttp',
   'base': 'BlockdevOptionsCurlBase',
-  'data': { '*cookie': 'str' } }
+  'data': { '*cookie': 'str',
+            '*cookie-secret': 'str'} }
 
 ##
 # @BlockdevOptionsCurlHttps:
@@ -2832,12 +2836,16 @@
 # @sslverify:   Whether to verify the SSL certificate's validity (defaults to
 #               true)
 #
+# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a
+#                 secure way. See @cookie for the format. (since 2.10)
+#
 # Since: 2.9
 ##
 { 'struct': 'BlockdevOptionsCurlHttps',
   'base': 'BlockdevOptionsCurlBase',
   'data': { '*cookie': 'str',
-            '*sslverify': 'bool' } }
+            '*sslverify': 'bool',
+            '*cookie-secret': 'str'} }
 
 ##
 # @BlockdevOptionsCurlFtp:
-- 
2.9.3

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL 0/8] Block patches for curl, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 2/8] curl: strengthen assertion in curl_clean_state, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 1/8] block: curl: Allow passing cookies via QCryptoSecret, Jeff Cody <=
- [Qemu-devel] [PULL 3/8] curl: never invoke callbacks with s->mutex held, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 4/8] curl: avoid recursive locking of BDRVCURLState mutex, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 5/8] curl: split curl_find_state/curl_init_state, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 7/8] curl: convert readv to coroutines, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 6/8] curl: convert CURLAIOCB to byte values, Jeff Cody, 2017/05/16
- [Qemu-devel] [PULL 8/8] curl: do not do aio_poll when waiting for a free CURLState, Jeff Cody, 2017/05/16
- Re: [Qemu-devel] [Qemu-block] [PULL 0/8] Block patches for curl, Stefan Hajnoczi, 2017/05/17

Prev by Date: [Qemu-devel] [PULL 2/8] curl: strengthen assertion in curl_clean_state
Next by Date: [Qemu-devel] [PULL 3/8] curl: never invoke callbacks with s->mutex held
Previous by thread: [Qemu-devel] [PULL 2/8] curl: strengthen assertion in curl_clean_state
Next by thread: [Qemu-devel] [PULL 3/8] curl: never invoke callbacks with s->mutex held
Index(es):
- Date
- Thread