提交 c750e1c4 编写于 作者: P Peter Krempa

qemu: domain: Use qemuDomainSecretInfoNewPlain only for unencrypted secrets

Move the logic that determines which secret shall be used into the
caller and make this function work only for plain secrets.

This untangles the control flow by only checking relevant data.
Signed-off-by: NPeter Krempa <pkrempa@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
上级 56bb7bb3
......@@ -1308,94 +1308,33 @@ qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr priv)
}
/* qemuDomainSecretSetup:
* @priv: pointer to domain private object
* @secinfo: Pointer to secret info
* @srcalias: Alias of the disk/hostdev used to generate the secret alias
* @usageType: The virSecretUsageType
* @username: username to use for authentication (may be NULL)
* @seclookupdef: Pointer to seclookupdef data
* @isLuks: True when is luks (generates different alias)
*
* If we have the encryption API present and can support a secret object, then
* build the AES secret; otherwise, build the Plain secret. This is the magic
* decision point for utilizing the AES secrets for an RBD disk. For now iSCSI
* disks and hostdevs will not be able to utilize this mechanism.
*
* Returns 0 on success, -1 on failure
*/
static int
qemuDomainSecretSetup(qemuDomainObjPrivatePtr priv,
qemuDomainSecretInfoPtr secinfo,
const char *srcalias,
virSecretUsageType usageType,
const char *username,
virSecretLookupTypeDefPtr seclookupdef,
bool isLuks)
{
bool iscsiHasPS = virQEMUCapsGet(priv->qemuCaps,
QEMU_CAPS_ISCSI_PASSWORD_SECRET);
if (qemuDomainSupportsEncryptedSecret(priv) &&
(usageType == VIR_SECRET_USAGE_TYPE_CEPH ||
(usageType == VIR_SECRET_USAGE_TYPE_ISCSI && iscsiHasPS) ||
usageType == VIR_SECRET_USAGE_TYPE_VOLUME ||
usageType == VIR_SECRET_USAGE_TYPE_TLS)) {
if (qemuDomainSecretAESSetup(priv, secinfo, srcalias,
usageType, username,
seclookupdef, isLuks) < 0)
return -1;
} else {
if (qemuDomainSecretPlainSetup(secinfo, usageType,
username, seclookupdef) < 0)
return -1;
}
return 0;
}
/* qemuDomainSecretInfoNewPlain:
* @priv: pointer to domain private object
* @srcAlias: Alias base to use for TLS object
* @usageType: Secret usage type
* @username: username for plain secrets (only)
* @looupdef: lookup def describing secret
* @isLuks: boolean for luks lookup
* @username: username
* @lookupDef: lookup def describing secret
*
* Helper function to create a secinfo to be used for secinfo consumers. This
* possibly sets up a 'plain' (unencrypted) secret for legacy consumers.
* sets up a 'plain' (unencrypted) secret for legacy consumers.
*
* Returns @secinfo on success, NULL on failure. Caller is responsible
* to eventually free @secinfo.
*/
static qemuDomainSecretInfoPtr
qemuDomainSecretInfoNewPlain(qemuDomainObjPrivatePtr priv,
const char *srcAlias,
virSecretUsageType usageType,
qemuDomainSecretInfoNewPlain(virSecretUsageType usageType,
const char *username,
virSecretLookupTypeDefPtr lookupDef,
bool isLuks)
virSecretLookupTypeDefPtr lookupDef)
{
qemuDomainSecretInfoPtr secinfo = NULL;
if (VIR_ALLOC(secinfo) < 0)
return NULL;
if (qemuDomainSecretSetup(priv, secinfo, srcAlias, usageType,
username, lookupDef, isLuks) < 0)
goto error;
if (!username && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("encrypted secrets are not supported"));
goto error;
if (qemuDomainSecretPlainSetup(secinfo, usageType, username, lookupDef) < 0) {
qemuDomainSecretInfoFree(&secinfo);
return NULL;
}
return secinfo;
error:
qemuDomainSecretInfoFree(&secinfo);
return NULL;
}
......@@ -1549,6 +1488,7 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
const char *encalias)
{
qemuDomainStorageSourcePrivatePtr srcPriv;
bool iscsiHasPS = virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ISCSI_PASSWORD_SECRET);
bool hasAuth = qemuDomainStorageSourceHasAuth(src);
bool hasEnc = qemuDomainDiskHasEncryptionSecret(src);
......@@ -1566,10 +1506,20 @@ qemuDomainSecretStorageSourcePrepare(qemuDomainObjPrivatePtr priv,
if (src->protocol == VIR_STORAGE_NET_PROTOCOL_RBD)
usageType = VIR_SECRET_USAGE_TYPE_CEPH;
if (!(srcPriv->secinfo =
qemuDomainSecretInfoNewPlain(priv, authalias,
usageType, src->auth->username,
&src->auth->seclookupdef, false)))
if (!qemuDomainSupportsEncryptedSecret(priv) ||
(src->protocol == VIR_STORAGE_NET_PROTOCOL_ISCSI && !iscsiHasPS)) {
srcPriv->secinfo = qemuDomainSecretInfoNewPlain(usageType,
src->auth->username,
&src->auth->seclookupdef);
} else {
srcPriv->secinfo = qemuDomainSecretInfoNew(priv, authalias,
usageType,
src->auth->username,
&src->auth->seclookupdef,
false);
}
if (!srcPriv->secinfo)
return -1;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册