subject:"\[Qemu\-devel\] \[PATCH 2\/2\] block\: curl\: Allow Certificate Authority bundle to be passed in."

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

2018-03-01 Thread Richard W.M. Jones

On Thu, Mar 01, 2018 at 03:34:38PM +, Daniel P. Berrangé wrote:
> On Thu, Mar 01, 2018 at 01:58:56PM +, Richard W.M. Jones wrote:
> > This allows a Certificate Authority bundle to be passed to the curl
> > driver, allowing authentication against servers that check
> > certificates.  For example this allows you to access a disk on an
> > oVirt node:
> > 
> >   qemu-img create -f qcow2 \
> >   -b 'json:{ "file.driver": "https",
> >  "file.url": "https://ovirt-node:54322/images/",
> >   "file.header": ["Authorization: "] }' \
> >   "file.cainfo": "/tmp/ca.pem" }' \
> >   test.qcow2
> 
> I think we ought to be using the TLS creds object to provide this data
> 
>qemu-img create \
>--object 
> tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
>-b 'json:{ "file.driver": "https",
>   "file.url": "https://ovirt-node:54322/images/",
>"file.header": ["Authorization: "] }' \
>"file.tls-creds": "tls0" }' \
>test.qcow2
> 
> The /path/to/certs dir would contain ca-cert.pem, and optionally also a
> client-key.pem & client-cert.pem, which would let curl provide client
> certs to servers that mandate that. The 'verify-peer' option lets you
> control whether to ignore or enforce CA validation errors too.
> 
> Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.

Thanks, I'll have a look into this for the second revision.  It seems
like a better way to do it.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

2018-03-01 Thread Daniel P . Berrangé

On Thu, Mar 01, 2018 at 01:58:56PM +, Richard W.M. Jones wrote:
> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates.  For example this allows you to access a disk on an
> oVirt node:
> 
>   qemu-img create -f qcow2 \
>   -b 'json:{ "file.driver": "https",
>  "file.url": "https://ovirt-node:54322/images/",
>   "file.header": ["Authorization: "] }' \
>   "file.cainfo": "/tmp/ca.pem" }' \
>   test.qcow2

I think we ought to be using the TLS creds object to provide this data

   qemu-img create \
   --object 
tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \
   -b 'json:{ "file.driver": "https",
  "file.url": "https://ovirt-node:54322/images/",
   "file.header": ["Authorization: "] }' \
   "file.tls-creds": "tls0" }' \
   test.qcow2

The /path/to/certs dir would contain ca-cert.pem, and optionally also a
client-key.pem & client-cert.pem, which would let curl provide client
certs to servers that mandate that. The 'verify-peer' option lets you
control whether to ignore or enforce CA validation errors too.

Take a look at block/vxhs.c and its vxhs_get_tls_creds() method.


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

2018-03-01 Thread Nir Soffer

On Thu, Mar 1, 2018 at 4:02 PM Richard W.M. Jones  wrote:

> This allows a Certificate Authority bundle to be passed to the curl
> driver, allowing authentication against servers that check
> certificates.  For example this allows you to access a disk on an
> oVirt node:
>
>   qemu-img create -f qcow2 \
>   -b 'json:{ "file.driver": "https",
>  "file.url": "https://ovirt-node:54322/images/",
>

 is actually , a random id assigned for
every transfer operation.


>   "file.header": ["Authorization: "] }' \
>   "file.cainfo": "/tmp/ca.pem" }' \
>   test.qcow2
>
> ( and  have to be determined using some extra code.
> See
>
> https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py
> for some guidance).
>
> Signed-off-by: Richard W.M. Jones 
> ---
>  block/curl.c | 14 ++
>  qapi/block-core.json |  3 +++
>  2 files changed, 17 insertions(+)
>
> diff --git a/block/curl.c b/block/curl.c
> index 972673ba5c..2dc9035ff8 100644
> --- a/block/curl.c
> +++ b/block/curl.c
> @@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM
> *multi_handle,
>  #define CURL_BLOCK_OPT_COOKIE"cookie"
>  #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
>  #define CURL_BLOCK_OPT_HEADER_PATTERN "header."
> +#define CURL_BLOCK_OPT_CAINFO   "cainfo"
>  #define CURL_BLOCK_OPT_USERNAME "username"
>  #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
>  #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
> @@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
>  uint64_t timeout;
>  char *cookie;
>  struct curl_slist *headers;
> +char *cainfo;
>  bool accept_range;
>  AioContext *aio_context;
>  QemuMutex mutex;
> @@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState
> *state)
>  if (s->headers) {
>  curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
>  }
> +if (s->cainfo) {
> +curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
> +}
>  curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
>  curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
>   (void *)curl_read_cb);
> @@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = {
>  .help = "ID of secret used as cookie passed with each request"
>  },
>  {
> +.name = CURL_BLOCK_OPT_CAINFO,
> +.type = QEMU_OPT_STRING,
> +.help = "Pass the Certificate Authority bundle"
> +},
> +{
>  .name = CURL_BLOCK_OPT_USERNAME,
>  .type = QEMU_OPT_STRING,
>  .help = "Username for HTTP auth"
> @@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict
> *options, int flags,
>  qdict_del(options, key);
>  }
>
> +s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
> +
>  file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
>  if (file == NULL) {
>  error_setg(errp, "curl block driver requires an 'url' option");
> @@ -864,6 +876,7 @@ out:
>  state->curl = NULL;
>  out_noclean:
>  qemu_mutex_destroy(>mutex);
> +g_free(s->cainfo);
>  curl_slist_free_all(s->headers);
>  g_free(s->cookie);
>  g_free(s->url);
> @@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
>  curl_detach_aio_context(bs);
>  qemu_mutex_destroy(>mutex);
>
> +g_free(s->cainfo);
>  curl_slist_free_all(s->headers);
>  g_free(s->cookie);
>  g_free(s->url);
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index ca1ebdbef1..bf3066af08 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -3073,6 +3073,8 @@
>  # @cookie-secret: ID of a QCryptoSecret object providing the cookie data
> in a
>  # secure way. See @cookie for the format. (since 2.10)
>  #
> +# @cainfo:  Certificate Authority bundle.
> +#
>  # @header:  List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
>  #
>  # Since: 2.9
> @@ -3082,6 +3084,7 @@
>'data': { '*cookie': 'str',
>  '*sslverify': 'bool',
>  '*cookie-secret': 'str',
> +'*cainfo': 'str',
>  '*header': [ 'str' ] } }
>
>  ##
> --
> 2.13.2
>
>
>

[Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

2018-03-01 Thread Richard W.M. Jones

This allows a Certificate Authority bundle to be passed to the curl
driver, allowing authentication against servers that check
certificates.  For example this allows you to access a disk on an
oVirt node:

  qemu-img create -f qcow2 \
  -b 'json:{ "file.driver": "https",
 "file.url": "https://ovirt-node:54322/images/",
  "file.header": ["Authorization: "] }' \
  "file.cainfo": "/tmp/ca.pem" }' \
  test.qcow2

( and  have to be determined using some extra code.
See
https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py
for some guidance).

Signed-off-by: Richard W.M. Jones 
---
 block/curl.c | 14 ++
 qapi/block-core.json |  3 +++
 2 files changed, 17 insertions(+)

diff --git a/block/curl.c b/block/curl.c
index 972673ba5c..2dc9035ff8 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM 
*multi_handle,
 #define CURL_BLOCK_OPT_COOKIE"cookie"
 #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
 #define CURL_BLOCK_OPT_HEADER_PATTERN "header."
+#define CURL_BLOCK_OPT_CAINFO   "cainfo"
 #define CURL_BLOCK_OPT_USERNAME "username"
 #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
 #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
 uint64_t timeout;
 char *cookie;
 struct curl_slist *headers;
+char *cainfo;
 bool accept_range;
 AioContext *aio_context;
 QemuMutex mutex;
@@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState 
*state)
 if (s->headers) {
 curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
 }
+if (s->cainfo) {
+curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
+}
 curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
 curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
  (void *)curl_read_cb);
@@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = {
 .help = "ID of secret used as cookie passed with each request"
 },
 {
+.name = CURL_BLOCK_OPT_CAINFO,
+.type = QEMU_OPT_STRING,
+.help = "Pass the Certificate Authority bundle"
+},
+{
 .name = CURL_BLOCK_OPT_USERNAME,
 .type = QEMU_OPT_STRING,
 .help = "Username for HTTP auth"
@@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict *options, 
int flags,
 qdict_del(options, key);
 }
 
+s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
+
 file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
 if (file == NULL) {
 error_setg(errp, "curl block driver requires an 'url' option");
@@ -864,6 +876,7 @@ out:
 state->curl = NULL;
 out_noclean:
 qemu_mutex_destroy(>mutex);
+g_free(s->cainfo);
 curl_slist_free_all(s->headers);
 g_free(s->cookie);
 g_free(s->url);
@@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
 curl_detach_aio_context(bs);
 qemu_mutex_destroy(>mutex);
 
+g_free(s->cainfo);
 curl_slist_free_all(s->headers);
 g_free(s->cookie);
 g_free(s->url);
diff --git a/qapi/block-core.json b/qapi/block-core.json
index ca1ebdbef1..bf3066af08 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3073,6 +3073,8 @@
 # @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a
 # secure way. See @cookie for the format. (since 2.10)
 #
+# @cainfo:  Certificate Authority bundle.
+#
 # @header:  List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
 #
 # Since: 2.9
@@ -3082,6 +3084,7 @@
   'data': { '*cookie': 'str',
 '*sslverify': 'bool',
 '*cookie-secret': 'str',
+'*cainfo': 'str',
 '*header': [ 'str' ] } }
 
 ##
-- 
2.13.2

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

[Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.

4 matches

Site Navigation

Mail list logo

Footer information