From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Fabian Ebner <f.ebner@proxmox.com>
Cc: w.bumiller@proxmox.com, berrange@redhat.com,
qemu-devel@nongnu.org, armbru@redhat.com,
marcandre.lureau@gmail.com, kraxel@redhat.com,
pbonzini@redhat.com, marcandre.lureau@redhat.com,
eblake@redhat.com, t.lamprecht@proxmox.com
Subject: Re: [PATCH v9 3/3] qapi/monitor: allow VNC display id in set/expire_password
Date: Tue, 1 Mar 2022 11:29:33 +0000 [thread overview]
Message-ID: <Yh4DnamfMVzGQM8s@work-vm> (raw)
In-Reply-To: <20220225084949.35746-4-f.ebner@proxmox.com>
* Fabian Ebner (f.ebner@proxmox.com) wrote:
> From: Stefan Reiter <s.reiter@proxmox.com>
>
> It is possible to specify more than one VNC server on the command line,
> either with an explicit ID or the auto-generated ones à la "default",
> "vnc2", "vnc3", ...
>
> It is not possible to change the password on one of these extra VNC
> displays though. Fix this by adding a "display" parameter to the
> "set_password" and "expire_password" QMP and HMP commands.
>
> For HMP, the display is specified using the "-d" value flag.
>
> For QMP, the schema is updated to explicitly express the supported
> variants of the commands with protocol-discriminated unions.
>
> Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
> [FE: update "Since: " from 6.2 to 7.0
> make @connected a common member of @SetPasswordOptions]
> Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
>
> v8 -> v9:
> * Make @connected a common member of @SetPasswordOptions.
> * Use s rather than V to indicate that the flag takes a string value.
>
> hmp-commands.hx | 24 ++++++------
> monitor/hmp-cmds.c | 40 +++++++++++++------
> monitor/qmp-cmds.c | 34 +++++++---------
> qapi/ui.json | 96 +++++++++++++++++++++++++++++++++++-----------
> 4 files changed, 129 insertions(+), 65 deletions(-)
>
> diff --git a/hmp-commands.hx b/hmp-commands.hx
> index 70a9136ac2..8476277aa9 100644
> --- a/hmp-commands.hx
> +++ b/hmp-commands.hx
> @@ -1514,33 +1514,35 @@ ERST
>
> {
> .name = "set_password",
> - .args_type = "protocol:s,password:s,connected:s?",
> - .params = "protocol password action-if-connected",
> + .args_type = "protocol:s,password:s,display:-ds,connected:s?",
> + .params = "protocol password [-d display] [action-if-connected]",
> .help = "set spice/vnc password",
> .cmd = hmp_set_password,
> },
>
> SRST
> -``set_password [ vnc | spice ] password [ action-if-connected ]``
> - Change spice/vnc password. *action-if-connected* specifies what
> - should happen in case a connection is established: *fail* makes the
> - password change fail. *disconnect* changes the password and
> +``set_password [ vnc | spice ] password [ -d display ] [ action-if-connected ]``
> + Change spice/vnc password. *display* can be used with 'vnc' to specify
> + which display to set the password on. *action-if-connected* specifies
> + what should happen in case a connection is established: *fail* makes
> + the password change fail. *disconnect* changes the password and
> disconnects the client. *keep* changes the password and keeps the
> connection up. *keep* is the default.
> ERST
>
> {
> .name = "expire_password",
> - .args_type = "protocol:s,time:s",
> - .params = "protocol time",
> + .args_type = "protocol:s,time:s,display:-ds",
> + .params = "protocol time [-d display]",
> .help = "set spice/vnc password expire-time",
> .cmd = hmp_expire_password,
> },
>
> SRST
> -``expire_password [ vnc | spice ]`` *expire-time*
> - Specify when a password for spice/vnc becomes
> - invalid. *expire-time* accepts:
> +``expire_password [ vnc | spice ] expire-time [ -d display ]``
> + Specify when a password for spice/vnc becomes invalid.
> + *display* behaves the same as in ``set_password``.
> + *expire-time* accepts:
>
> ``now``
> Invalidate password instantly.
> diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
> index ff78741b75..634968498b 100644
> --- a/monitor/hmp-cmds.c
> +++ b/monitor/hmp-cmds.c
> @@ -1396,24 +1396,33 @@ void hmp_set_password(Monitor *mon, const QDict *qdict)
> {
> const char *protocol = qdict_get_str(qdict, "protocol");
> const char *password = qdict_get_str(qdict, "password");
> + const char *display = qdict_get_try_str(qdict, "display");
> const char *connected = qdict_get_try_str(qdict, "connected");
> Error *err = NULL;
> - DisplayProtocol proto;
> - SetPasswordAction conn;
>
> - proto = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
> - DISPLAY_PROTOCOL_VNC, &err);
> + SetPasswordOptions opts = {
> + .password = (char *)password,
> + .has_connected = !!connected,
> + };
> +
> + opts.connected = qapi_enum_parse(&SetPasswordAction_lookup, connected,
> + SET_PASSWORD_ACTION_KEEP, &err);
> if (err) {
> goto out;
> }
>
> - conn = qapi_enum_parse(&SetPasswordAction_lookup, connected,
> - SET_PASSWORD_ACTION_KEEP, &err);
> + opts.protocol = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
> + DISPLAY_PROTOCOL_VNC, &err);
> if (err) {
> goto out;
> }
>
> - qmp_set_password(proto, password, !!connected, conn, &err);
> + if (opts.protocol == DISPLAY_PROTOCOL_VNC) {
> + opts.u.vnc.has_display = !!display;
> + opts.u.vnc.display = (char *)display;
> + }
> +
> + qmp_set_password(&opts, &err);
>
> out:
> hmp_handle_error(mon, err);
> @@ -1423,16 +1432,25 @@ void hmp_expire_password(Monitor *mon, const QDict *qdict)
> {
> const char *protocol = qdict_get_str(qdict, "protocol");
> const char *whenstr = qdict_get_str(qdict, "time");
> + const char *display = qdict_get_try_str(qdict, "display");
> Error *err = NULL;
> - DisplayProtocol proto;
>
> - proto = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
> - DISPLAY_PROTOCOL_VNC, &err);
> + ExpirePasswordOptions opts = {
> + .time = (char *)whenstr,
> + };
> +
> + opts.protocol = qapi_enum_parse(&DisplayProtocol_lookup, protocol,
> + DISPLAY_PROTOCOL_VNC, &err);
> if (err) {
> goto out;
> }
>
> - qmp_expire_password(proto, whenstr, &err);
> + if (opts.protocol == DISPLAY_PROTOCOL_VNC) {
> + opts.u.vnc.has_display = !!display;
> + opts.u.vnc.display = (char *)display;
> + }
> +
> + qmp_expire_password(&opts, &err);
>
> out:
> hmp_handle_error(mon, err);
> diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
> index b6e8b57fcc..df97582dd4 100644
> --- a/monitor/qmp-cmds.c
> +++ b/monitor/qmp-cmds.c
> @@ -168,35 +168,27 @@ void qmp_system_wakeup(Error **errp)
> qemu_system_wakeup_request(QEMU_WAKEUP_REASON_OTHER, errp);
> }
>
> -void qmp_set_password(DisplayProtocol protocol, const char *password,
> - bool has_connected, SetPasswordAction connected,
> - Error **errp)
> +void qmp_set_password(SetPasswordOptions *opts, Error **errp)
> {
> - int disconnect_if_connected = 0;
> - int fail_if_connected = 0;
> int rc;
>
> - if (has_connected) {
> - fail_if_connected = connected == SET_PASSWORD_ACTION_FAIL;
> - disconnect_if_connected = connected == SET_PASSWORD_ACTION_DISCONNECT;
> - }
> -
> - if (protocol == DISPLAY_PROTOCOL_SPICE) {
> + if (opts->protocol == DISPLAY_PROTOCOL_SPICE) {
> if (!qemu_using_spice(errp)) {
> return;
> }
> - rc = qemu_spice.set_passwd(password, fail_if_connected,
> - disconnect_if_connected);
> + rc = qemu_spice.set_passwd(opts->password,
> + opts->connected == SET_PASSWORD_ACTION_FAIL,
> + opts->connected == SET_PASSWORD_ACTION_DISCONNECT);
> } else {
> - assert(protocol == DISPLAY_PROTOCOL_VNC);
> - if (fail_if_connected || disconnect_if_connected) {
> + assert(opts->protocol == DISPLAY_PROTOCOL_VNC);
> + if (opts->connected != SET_PASSWORD_ACTION_KEEP) {
> /* vnc supports "connected=keep" only */
> error_setg(errp, QERR_INVALID_PARAMETER, "connected");
> return;
> }
> /* Note that setting an empty password will not disable login through
> * this interface. */
> - rc = vnc_display_password(NULL, password);
> + rc = vnc_display_password(opts->u.vnc.display, opts->password);
> }
>
> if (rc != 0) {
> @@ -204,11 +196,11 @@ void qmp_set_password(DisplayProtocol protocol, const char *password,
> }
> }
>
> -void qmp_expire_password(DisplayProtocol protocol, const char *whenstr,
> - Error **errp)
> +void qmp_expire_password(ExpirePasswordOptions *opts, Error **errp)
> {
> time_t when;
> int rc;
> + const char *whenstr = opts->time;
>
> if (strcmp(whenstr, "now") == 0) {
> when = 0;
> @@ -220,14 +212,14 @@ void qmp_expire_password(DisplayProtocol protocol, const char *whenstr,
> when = strtoull(whenstr, NULL, 10);
> }
>
> - if (protocol == DISPLAY_PROTOCOL_SPICE) {
> + if (opts->protocol == DISPLAY_PROTOCOL_SPICE) {
> if (!qemu_using_spice(errp)) {
> return;
> }
> rc = qemu_spice.set_pw_expire(when);
> } else {
> - assert(protocol == DISPLAY_PROTOCOL_VNC);
> - rc = vnc_display_pw_expire(NULL, when);
> + assert(opts->protocol == DISPLAY_PROTOCOL_VNC);
> + rc = vnc_display_pw_expire(opts->u.vnc.display, when);
> }
>
> if (rc != 0) {
> diff --git a/qapi/ui.json b/qapi/ui.json
> index e112409211..4a13f883a3 100644
> --- a/qapi/ui.json
> +++ b/qapi/ui.json
> @@ -38,20 +38,47 @@
> 'data': [ 'keep', 'fail', 'disconnect' ] }
>
> ##
> -# @set_password:
> +# @SetPasswordOptions:
> #
> -# Sets the password of a remote display session.
> +# Options for set_password.
> #
> # @protocol: - 'vnc' to modify the VNC server password
> # - 'spice' to modify the Spice server password
> #
> # @password: the new password
> #
> -# @connected: how to handle existing clients when changing the
> -# password. If nothing is specified, defaults to 'keep'
> -# 'fail' to fail the command if clients are connected
> -# 'disconnect' to disconnect existing clients
> -# 'keep' to maintain existing clients
> +# @connected: How to handle existing clients when changing the
> +# password. If nothing is specified, defaults to 'keep'.
> +# For VNC, only 'keep' is currently implemented.
> +#
> +# Since: 7.0
> +#
> +##
> +{ 'union': 'SetPasswordOptions',
> + 'base': { 'protocol': 'DisplayProtocol',
> + 'password': 'str',
> + '*connected': 'SetPasswordAction' },
> + 'discriminator': 'protocol',
> + 'data': { 'vnc': 'SetPasswordOptionsVnc' } }
> +
> +##
> +# @SetPasswordOptionsVnc:
> +#
> +# Options for set_password specific to the VNC procotol.
> +#
> +# @display: The id of the display where the password should be changed.
> +# Defaults to the first.
> +#
> +# Since: 7.0
> +#
> +##
> +{ 'struct': 'SetPasswordOptionsVnc',
> + 'data': { '*display': 'str' } }
> +
> +##
> +# @set_password:
> +#
> +# Set the password of a remote display server.
> #
> # Returns: - Nothing on success
> # - If Spice is not enabled, DeviceNotFound
> @@ -65,17 +92,15 @@
> # <- { "return": {} }
> #
> ##
> -{ 'command': 'set_password',
> - 'data': { 'protocol': 'DisplayProtocol',
> - 'password': 'str',
> - '*connected': 'SetPasswordAction' } }
> +{ 'command': 'set_password', 'boxed': true, 'data': 'SetPasswordOptions' }
>
> ##
> -# @expire_password:
> +# @ExpirePasswordOptions:
> #
> -# Expire the password of a remote display server.
> +# General options for expire_password.
> #
> -# @protocol: the name of the remote display protocol 'vnc' or 'spice'
> +# @protocol: - 'vnc' to modify the VNC server expiration
> +# - 'spice' to modify the Spice server expiration
> #
> # @time: when to expire the password.
> #
> @@ -84,16 +109,45 @@
> # - '+INT' where INT is the number of seconds from now (integer)
> # - 'INT' where INT is the absolute time in seconds
> #
> -# Returns: - Nothing on success
> -# - If @protocol is 'spice' and Spice is not active, DeviceNotFound
> -#
> -# Since: 0.14
> -#
> # Notes: Time is relative to the server and currently there is no way to
> # coordinate server time with client time. It is not recommended to
> # use the absolute time version of the @time parameter unless you're
> # sure you are on the same machine as the QEMU instance.
> #
> +# Since: 7.0
> +#
> +##
> +{ 'union': 'ExpirePasswordOptions',
> + 'base': { 'protocol': 'DisplayProtocol',
> + 'time': 'str' },
> + 'discriminator': 'protocol',
> + 'data': { 'vnc': 'ExpirePasswordOptionsVnc' } }
> +
> +##
> +# @ExpirePasswordOptionsVnc:
> +#
> +# Options for expire_password specific to the VNC procotol.
> +#
> +# @display: The id of the display where the expiration should be changed.
> +# Defaults to the first.
> +#
> +# Since: 7.0
> +#
> +##
> +
> +{ 'struct': 'ExpirePasswordOptionsVnc',
> + 'data': { '*display': 'str' } }
> +
> +##
> +# @expire_password:
> +#
> +# Expire the password of a remote display server.
> +#
> +# Returns: - Nothing on success
> +# - If @protocol is 'spice' and Spice is not active, DeviceNotFound
> +#
> +# Since: 0.14
> +#
> # Example:
> #
> # -> { "execute": "expire_password", "arguments": { "protocol": "vnc",
> @@ -101,9 +155,7 @@
> # <- { "return": {} }
> #
> ##
> -{ 'command': 'expire_password',
> - 'data': { 'protocol': 'DisplayProtocol',
> - 'time': 'str' } }
> +{ 'command': 'expire_password', 'boxed': true, 'data': 'ExpirePasswordOptions' }
>
> ##
> # @screendump:
> --
> 2.30.2
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2022-03-01 11:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-25 8:49 [PATCH v9 0/3] VNC-related HMP/QMP fixes Fabian Ebner
2022-02-25 8:49 ` [PATCH v9 1/3] monitor/hmp: add support for flag argument with value Fabian Ebner
2022-02-25 8:49 ` [PATCH v9 2/3] qapi/monitor: refactor set/expire_password with enums Fabian Ebner
2022-02-25 8:49 ` [PATCH v9 3/3] qapi/monitor: allow VNC display id in set/expire_password Fabian Ebner
2022-02-25 11:34 ` Markus Armbruster
2022-02-25 12:23 ` Fabian Ebner
2022-02-25 12:44 ` Markus Armbruster
2022-03-01 11:29 ` Dr. David Alan Gilbert [this message]
2022-03-02 11:26 ` [PATCH v9 0/3] VNC-related HMP/QMP fixes Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yh4DnamfMVzGQM8s@work-vm \
--to=dgilbert@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=f.ebner@proxmox.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@gmail.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=t.lamprecht@proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).