Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
On Thu, Mar 01, 2018 at 03:34:38PM +, Daniel P. Berrangé wrote: > On Thu, Mar 01, 2018 at 01:58:56PM +, Richard W.M. Jones wrote: > > This allows a Certificate Authority bundle to be passed to the curl > > driver, allowing authentication against servers that check > > certificates. For example this allows you to access a disk on an > > oVirt node: > > > > qemu-img create -f qcow2 \ > > -b 'json:{ "file.driver": "https", > > "file.url": "https://ovirt-node:54322/images/", > > "file.header": ["Authorization: "] }' \ > > "file.cainfo": "/tmp/ca.pem" }' \ > > test.qcow2 > > I think we ought to be using the TLS creds object to provide this data > >qemu-img create \ >--object > tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \ >-b 'json:{ "file.driver": "https", > "file.url": "https://ovirt-node:54322/images/", >"file.header": ["Authorization: "] }' \ >"file.tls-creds": "tls0" }' \ >test.qcow2 > > The /path/to/certs dir would contain ca-cert.pem, and optionally also a > client-key.pem & client-cert.pem, which would let curl provide client > certs to servers that mandate that. The 'verify-peer' option lets you > control whether to ignore or enforce CA validation errors too. > > Take a look at block/vxhs.c and its vxhs_get_tls_creds() method. Thanks, I'll have a look into this for the second revision. It seems like a better way to do it. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
On Thu, Mar 01, 2018 at 01:58:56PM +, Richard W.M. Jones wrote: > This allows a Certificate Authority bundle to be passed to the curl > driver, allowing authentication against servers that check > certificates. For example this allows you to access a disk on an > oVirt node: > > qemu-img create -f qcow2 \ > -b 'json:{ "file.driver": "https", > "file.url": "https://ovirt-node:54322/images/", > "file.header": ["Authorization: "] }' \ > "file.cainfo": "/tmp/ca.pem" }' \ > test.qcow2 I think we ought to be using the TLS creds object to provide this data qemu-img create \ --object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes,endpoint=client \ -b 'json:{ "file.driver": "https", "file.url": "https://ovirt-node:54322/images/", "file.header": ["Authorization: "] }' \ "file.tls-creds": "tls0" }' \ test.qcow2 The /path/to/certs dir would contain ca-cert.pem, and optionally also a client-key.pem & client-cert.pem, which would let curl provide client certs to servers that mandate that. The 'verify-peer' option lets you control whether to ignore or enforce CA validation errors too. Take a look at block/vxhs.c and its vxhs_get_tls_creds() method. Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
Re: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
On Thu, Mar 1, 2018 at 4:02 PM Richard W.M. Joneswrote: > This allows a Certificate Authority bundle to be passed to the curl > driver, allowing authentication against servers that check > certificates. For example this allows you to access a disk on an > oVirt node: > > qemu-img create -f qcow2 \ > -b 'json:{ "file.driver": "https", > "file.url": "https://ovirt-node:54322/images/", > is actually , a random id assigned for every transfer operation. > "file.header": ["Authorization: "] }' \ > "file.cainfo": "/tmp/ca.pem" }' \ > test.qcow2 > > ( and have to be determined using some extra code. > See > > https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py > for some guidance). > > Signed-off-by: Richard W.M. Jones > --- > block/curl.c | 14 ++ > qapi/block-core.json | 3 +++ > 2 files changed, 17 insertions(+) > > diff --git a/block/curl.c b/block/curl.c > index 972673ba5c..2dc9035ff8 100644 > --- a/block/curl.c > +++ b/block/curl.c > @@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM > *multi_handle, > #define CURL_BLOCK_OPT_COOKIE"cookie" > #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret" > #define CURL_BLOCK_OPT_HEADER_PATTERN "header." > +#define CURL_BLOCK_OPT_CAINFO "cainfo" > #define CURL_BLOCK_OPT_USERNAME "username" > #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret" > #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username" > @@ -136,6 +137,7 @@ typedef struct BDRVCURLState { > uint64_t timeout; > char *cookie; > struct curl_slist *headers; > +char *cainfo; > bool accept_range; > AioContext *aio_context; > QemuMutex mutex; > @@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState > *state) > if (s->headers) { > curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers); > } > +if (s->cainfo) { > +curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo); > +} > curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout); > curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, > (void *)curl_read_cb); > @@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = { > .help = "ID of secret used as cookie passed with each request" > }, > { > +.name = CURL_BLOCK_OPT_CAINFO, > +.type = QEMU_OPT_STRING, > +.help = "Pass the Certificate Authority bundle" > +}, > +{ > .name = CURL_BLOCK_OPT_USERNAME, > .type = QEMU_OPT_STRING, > .help = "Username for HTTP auth" > @@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict > *options, int flags, > qdict_del(options, key); > } > > +s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO); > + > file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); > if (file == NULL) { > error_setg(errp, "curl block driver requires an 'url' option"); > @@ -864,6 +876,7 @@ out: > state->curl = NULL; > out_noclean: > qemu_mutex_destroy(>mutex); > +g_free(s->cainfo); > curl_slist_free_all(s->headers); > g_free(s->cookie); > g_free(s->url); > @@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs) > curl_detach_aio_context(bs); > qemu_mutex_destroy(>mutex); > > +g_free(s->cainfo); > curl_slist_free_all(s->headers); > g_free(s->cookie); > g_free(s->url); > diff --git a/qapi/block-core.json b/qapi/block-core.json > index ca1ebdbef1..bf3066af08 100644 > --- a/qapi/block-core.json > +++ b/qapi/block-core.json > @@ -3073,6 +3073,8 @@ > # @cookie-secret: ID of a QCryptoSecret object providing the cookie data > in a > # secure way. See @cookie for the format. (since 2.10) > # > +# @cainfo: Certificate Authority bundle. > +# > # @header: List of HTTP request headers, see CURLOPT_HTTPHEADER(3). > # > # Since: 2.9 > @@ -3082,6 +3084,7 @@ >'data': { '*cookie': 'str', > '*sslverify': 'bool', > '*cookie-secret': 'str', > +'*cainfo': 'str', > '*header': [ 'str' ] } } > > ## > -- > 2.13.2 > > >
[Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
This allows a Certificate Authority bundle to be passed to the curl driver, allowing authentication against servers that check certificates. For example this allows you to access a disk on an oVirt node: qemu-img create -f qcow2 \ -b 'json:{ "file.driver": "https", "file.url": "https://ovirt-node:54322/images/", "file.header": ["Authorization: "] }' \ "file.cainfo": "/tmp/ca.pem" }' \ test.qcow2 ( and have to be determined using some extra code. See https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py for some guidance). Signed-off-by: Richard W.M. Jones--- block/curl.c | 14 ++ qapi/block-core.json | 3 +++ 2 files changed, 17 insertions(+) diff --git a/block/curl.c b/block/curl.c index 972673ba5c..2dc9035ff8 100644 --- a/block/curl.c +++ b/block/curl.c @@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, #define CURL_BLOCK_OPT_COOKIE"cookie" #define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret" #define CURL_BLOCK_OPT_HEADER_PATTERN "header." +#define CURL_BLOCK_OPT_CAINFO "cainfo" #define CURL_BLOCK_OPT_USERNAME "username" #define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret" #define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username" @@ -136,6 +137,7 @@ typedef struct BDRVCURLState { uint64_t timeout; char *cookie; struct curl_slist *headers; +char *cainfo; bool accept_range; AioContext *aio_context; QemuMutex mutex; @@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state) if (s->headers) { curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers); } +if (s->cainfo) { +curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo); +} curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout); curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, (void *)curl_read_cb); @@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = { .help = "ID of secret used as cookie passed with each request" }, { +.name = CURL_BLOCK_OPT_CAINFO, +.type = QEMU_OPT_STRING, +.help = "Pass the Certificate Authority bundle" +}, +{ .name = CURL_BLOCK_OPT_USERNAME, .type = QEMU_OPT_STRING, .help = "Username for HTTP auth" @@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, qdict_del(options, key); } +s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO); + file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); if (file == NULL) { error_setg(errp, "curl block driver requires an 'url' option"); @@ -864,6 +876,7 @@ out: state->curl = NULL; out_noclean: qemu_mutex_destroy(>mutex); +g_free(s->cainfo); curl_slist_free_all(s->headers); g_free(s->cookie); g_free(s->url); @@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs) curl_detach_aio_context(bs); qemu_mutex_destroy(>mutex); +g_free(s->cainfo); curl_slist_free_all(s->headers); g_free(s->cookie); g_free(s->url); diff --git a/qapi/block-core.json b/qapi/block-core.json index ca1ebdbef1..bf3066af08 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3073,6 +3073,8 @@ # @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a # secure way. See @cookie for the format. (since 2.10) # +# @cainfo: Certificate Authority bundle. +# # @header: List of HTTP request headers, see CURLOPT_HTTPHEADER(3). # # Since: 2.9 @@ -3082,6 +3084,7 @@ 'data': { '*cookie': 'str', '*sslverify': 'bool', '*cookie-secret': 'str', +'*cainfo': 'str', '*header': [ 'str' ] } } ## -- 2.13.2