Simplify human usage of secret-set-value by adding --interactive which will read the value of the secret from the terminal. Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- docs/manpages/virsh.rst | 7 +++++-- tools/virsh-secret.c | 22 +++++++++++++++++++++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index dbeac9232f..8841ae1b31 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -6563,14 +6563,17 @@ secret-set-value .. code-block:: - secret-set-value secret (--file filename [--plain] | base64) + secret-set-value secret (--file filename [--plain] | --interactive | base64) Set the value associated with *secret* (specified by its UUID) to the value Base64-encoded value *base64* or Base-64-encoded contents of file named *filename*. Using the *--plain* flag is together with *--file* allows to use the file contents directly as the secret value. -Note that *--file* and *base64* options are mutually exclusive. +If *--interactive* flag is used the secret value is read as a password from the +terminal. + +Note that *--file*, *--interactive* and *base64* options are mutually exclusive. Passing secrets via the *base64* option on command line is INSECURE and deprecated. Use the *--file* option instead. diff --git a/tools/virsh-secret.c b/tools/virsh-secret.c index 87f3cfff16..00a434e997 100644 --- a/tools/virsh-secret.c +++ b/tools/virsh-secret.c @@ -186,6 +186,10 @@ static const vshCmdOptDef opts_secret_set_value[] = { .type = VSH_OT_BOOL, .help = N_("read the secret from file without converting from base64") }, + {.name = "interactive", + .type = VSH_OT_BOOL, + .help = N_("read the secret from the terminal") + }, {.name = "base64", .type = VSH_OT_STRING, .help = N_("base64-encoded secret value") @@ -204,10 +208,14 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd) unsigned char *value; size_t value_size; bool plain = vshCommandOptBool(cmd, "plain"); + bool interactive = vshCommandOptBool(cmd, "interactive"); int res; VSH_EXCLUSIVE_OPTIONS("file", "base64"); VSH_EXCLUSIVE_OPTIONS("plain", "base64"); + VSH_EXCLUSIVE_OPTIONS("interactive", "base64"); + VSH_EXCLUSIVE_OPTIONS("interactive", "plain"); + VSH_EXCLUSIVE_OPTIONS("interactive", "file"); if (!(secret = virshCommandOptSecret(ctl, cmd, NULL))) return false; @@ -218,7 +226,7 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd) if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0) return false; - if (!base64 && !filename) { + if (!base64 && !filename && !interactive) { vshError(ctl, _("Input secret value is missing")); return false; } @@ -238,6 +246,18 @@ cmdSecretSetValue(vshControl *ctl, const vshCmd *cmd) base64 = file_buf; } + if (interactive) { + vshPrint(ctl, "%s", _("Enter new value for secret:")); + fflush(stdout); + + if (!(file_buf = getpass(""))) { + vshError(ctl, "%s", _("Failed to read secret")); + return false; + } + file_len = strlen(file_buf); + plain = true; + } + if (plain) { value = g_steal_pointer(&file_buf); value_size = file_len; -- 2.24.1