If TLS is required (--tls=require), when either --run or --print-uri is used, include extra query parameters ?tls-certificates=... or ?tls-psk-key=... in the URI.
These are simply copied from the corresponding --tls-certificates or --tls-psk parameter on the nbdkit command line without any other modification (we don't make it an absolute path as it's not needed). This will probably only work for libnbd-based clients. This commit as it stands doesn't actually work well for PSK, unless the username in the PSK file happens to coincide with the local login name. Example: $ nbdkit null \ --tls=require --tls-certificates=tests/pki --tls-verify-peer \ --print-uri \ --run 'echo uri="$uri" ; nbdinfo "$uri"' nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki Shell-quoted URI: "nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki" Command to query the NBD endpoint: nbdinfo "nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki" uri=nbds+unix://?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki protocol: newstyle-fixed with TLS, using structured packets export="": export-size: 0 content: empty uri: nbds+unix:///?socket=/tmp/nbdkitIdKUcE/socket&tls-certificates=tests/pki contexts: base:allocation is_rotational: false is_read_only: false can_block_status_payload: false can_cache: true can_df: true can_fast_zero: true can_flush: true can_fua: true can_multi_conn: true can_trim: true can_zero: true --- server/uri.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/server/uri.c b/server/uri.c index 0810ee4c06..441034261a 100644 --- a/server/uri.c +++ b/server/uri.c @@ -52,6 +52,7 @@ make_uri (void) char *r = NULL; const bool tls_required = tls == 2; const char *scheme; + bool query_appended; switch (service_mode) { case SERVICE_MODE_SOCKET_ACTIVATION: @@ -97,6 +98,7 @@ make_uri (void) } fprintf (fp, "?socket="); uri_quote (unixsocket, fp); + query_appended = true; break; case SERVICE_MODE_VSOCK: /* 1 = VMADDR_CID_LOCAL */ 
@@ -109,6 +111,7 @@ make_uri (void) putc ('/', fp); uri_quote (export_name, fp); } + query_appended = false; break; case SERVICE_MODE_TCPIP: fputs ("localhost", fp); @@ -120,6 +123,7 @@ make_uri (void) putc ('/', fp); uri_quote (export_name, fp); } + query_appended = false; break; case SERVICE_MODE_SOCKET_ACTIVATION: @@ -130,6 +134,24 @@ make_uri (void) abort (); } + /* For TLS, append tls-certificates or tls-psk-file. Note that + * tls-certificates requires libnbd >= 1.10 (Sep 2021) and it fails + * strangely with older versions (RHEL 8 is too old). Hopefully + * this will resolve itself over time as people upgrade libnbd. + * qemu probably ignores these parameters. + */ + if (tls_required && (tls_certificates_dir || tls_psk)) { + putc (query_appended ? '&' : '?', fp); + if (tls_certificates_dir) { + fputs ("tls-certificates=", fp); + uri_quote (tls_certificates_dir, fp); + } + else if (tls_psk) { + fputs ("tls-psk-file=", fp); + uri_quote (tls_psk, fp); + } + } + if (close_memstream (fp) == EOF) { perror ("uri: close_memstream"); exit (EXIT_FAILURE); -- 2.44.0 _______________________________________________ Libguestfs mailing list -- guestfs@lists.libguestfs.org To unsubscribe send an email to guestfs-le...@lists.libguestfs.org
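Review bot: in the `@@ -52,6 +52,7 @@` hunk, `bool query_appended;` is declared without an initializer even though its only use (`putc (query_appended ? '&' : '?', fp)`) is about eighty lines later and depends on every reachable case of the second `switch (service_mode)` having assigned it; the three cases visible in the diff do, and the socket-activation case aborts, but that invariant is easy to break when a new service mode is added. Suggest `bool query_appended = false;` at the declaration, which also lets the explicit `query_appended = false;` lines added in the vsock (`@@ -109`) and TCP/IP (`@@ -120`) hunks be dropped, leaving only the unix-socket case to set it to true.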
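Review bot: in the `@@ -130,6 +134,24 @@` hunk the parameter name actually emitted, `tls-psk-file=`, does not match the `?tls-psk-key=...` named in the commit message, so one of the two should be corrected before this lands. The `else if (tls_psk)` also silently prefers `tls-certificates` when both `tls_certificates_dir` and `tls_psk` are set; either state that precedence in the comment or emit both parameters. Since the values are copied verbatim (a relative `tests/pki` only resolves from the same working directory as the server, and the commit message admits the PSK case only works when the username in the PSK file matches the local login), and the comment already records that `tls-certificates` fails strangely with libnbd older than 1.10 and is probably ignored by qemu, these limitations belong in the nbdkit manual next to `--print-uri` and `--run` rather than only in a code comment, so a user who passes the printed URI to another host or an older client knows why the TLS handshake fails.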