From: "Richard W.M. Jones" <rjones@redhat.com>
To: jcody@redhat.com
Cc: kwolf@redhat.com, mreitz@redhat.com, armbru@redhat.com,
eblake@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in.
Date: Thu, 1 Mar 2018 13:58:56 +0000 [thread overview]
Message-ID: <20180301135856.22698-3-rjones@redhat.com> (raw)
In-Reply-To: <20180301135856.22698-1-rjones@redhat.com>
This allows a Certificate Authority bundle to be passed to the curl
driver, allowing authentication against servers that check
certificates. For example this allows you to access a disk on an
oVirt node:
qemu-img create -f qcow2 \
-b 'json:{ "file.driver": "https",
"file.url": "https://ovirt-node:54322/images/<disk-id>",
"file.header": ["Authorization: <ticket>"] }' \
"file.cainfo": "/tmp/ca.pem" }' \
test.qcow2
(<disk-id> and <ticket> have to be determined using some extra code.
See
https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_ova_as_vm.py
for some guidance).
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
block/curl.c | 14 ++++++++++++++
qapi/block-core.json | 3 +++
2 files changed, 17 insertions(+)
diff --git a/block/curl.c b/block/curl.c
index 972673ba5c..2dc9035ff8 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -84,6 +84,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
#define CURL_BLOCK_OPT_COOKIE "cookie"
#define CURL_BLOCK_OPT_COOKIE_SECRET "cookie-secret"
#define CURL_BLOCK_OPT_HEADER_PATTERN "header."
+#define CURL_BLOCK_OPT_CAINFO "cainfo"
#define CURL_BLOCK_OPT_USERNAME "username"
#define CURL_BLOCK_OPT_PASSWORD_SECRET "password-secret"
#define CURL_BLOCK_OPT_PROXY_USERNAME "proxy-username"
@@ -136,6 +137,7 @@ typedef struct BDRVCURLState {
uint64_t timeout;
char *cookie;
struct curl_slist *headers;
+ char *cainfo;
bool accept_range;
AioContext *aio_context;
QemuMutex mutex;
@@ -491,6 +493,9 @@ static int curl_init_state(BDRVCURLState *s, CURLState *state)
if (s->headers) {
curl_easy_setopt(state->curl, CURLOPT_HTTPHEADER, s->headers);
}
+ if (s->cainfo) {
+ curl_easy_setopt(state->curl, CURLOPT_CAINFO, s->cainfo);
+ }
curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);
curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION,
(void *)curl_read_cb);
@@ -648,6 +653,11 @@ static QemuOptsList runtime_opts = {
.help = "ID of secret used as cookie passed with each request"
},
{
+ .name = CURL_BLOCK_OPT_CAINFO,
+ .type = QEMU_OPT_STRING,
+ .help = "Pass the Certificate Authority bundle"
+ },
+ {
.name = CURL_BLOCK_OPT_USERNAME,
.type = QEMU_OPT_STRING,
.help = "Username for HTTP auth"
@@ -757,6 +767,8 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,
qdict_del(options, key);
}
+ s->cainfo = qemu_opt_get(opts, CURL_BLOCK_OPT_CAINFO);
+
file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
if (file == NULL) {
error_setg(errp, "curl block driver requires an 'url' option");
@@ -864,6 +876,7 @@ out:
state->curl = NULL;
out_noclean:
qemu_mutex_destroy(&s->mutex);
+ g_free(s->cainfo);
curl_slist_free_all(s->headers);
g_free(s->cookie);
g_free(s->url);
@@ -963,6 +976,7 @@ static void curl_close(BlockDriverState *bs)
curl_detach_aio_context(bs);
qemu_mutex_destroy(&s->mutex);
+ g_free(s->cainfo);
curl_slist_free_all(s->headers);
g_free(s->cookie);
g_free(s->url);
diff --git a/qapi/block-core.json b/qapi/block-core.json
index ca1ebdbef1..bf3066af08 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3073,6 +3073,8 @@
# @cookie-secret: ID of a QCryptoSecret object providing the cookie data in a
# secure way. See @cookie for the format. (since 2.10)
#
+# @cainfo: Certificate Authority bundle.
+#
# @header: List of HTTP request headers, see CURLOPT_HTTPHEADER(3).
#
# Since: 2.9
@@ -3082,6 +3084,7 @@
'data': { '*cookie': 'str',
'*sslverify': 'bool',
'*cookie-secret': 'str',
+ '*cainfo': 'str',
'*header': [ 'str' ] } }
##
--
2.13.2
next prev parent reply other threads:[~2018-03-01 13:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 13:58 [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt Richard W.M. Jones
2018-03-01 13:58 ` [Qemu-devel] [PATCH 1/2] block: curl: Allow arbitrary HTTP request headers to be set Richard W.M. Jones
2018-03-01 15:24 ` Nir Soffer
2018-03-01 15:46 ` Richard W.M. Jones
2018-03-01 16:11 ` Daniel P. Berrangé
2018-03-01 16:29 ` Richard W.M. Jones
2018-03-01 13:58 ` Richard W.M. Jones [this message]
2018-03-01 15:27 ` [Qemu-devel] [PATCH 2/2] block: curl: Allow Certificate Authority bundle to be passed in Nir Soffer
2018-03-01 15:34 ` Daniel P. Berrangé
2018-03-01 15:47 ` Richard W.M. Jones
2018-03-01 14:21 ` [Qemu-devel] [PATCH 0/2] block: curl: Proof of concept for connecting to oVirt no-reply
2018-03-01 14:31 ` Richard W.M. Jones
2018-03-01 14:49 ` no-reply
2018-03-01 15:38 ` no-reply
2018-03-01 16:54 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180301135856.22698-3-rjones@redhat.com \
--to=rjones@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).