diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-03-11 20:17:10 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-03-26 12:21:56 +0100 |
| commit | 8806bb4bc7fa15d6ca46e81b8d535730209a3b66 (patch) | |
| tree | 95412964dee1dca33817f5fa6bb2150436338bf2 /src/shared/ask-password-api.c | |
| parent | f6ab6199a2e8cbda64fe2574af572b8800da48bd (diff) | |
| download | systemd-8806bb4bc7fa15d6ca46e81b8d535730209a3b66.tar.gz | |
ask-password: when querying for a password, try to read from credential store first
This adds generic support for the SetCredential=/LoadCredential= logic
to our password querying infrastructure: if a password is requested by a
program that has a credential store configured via
$CREDENTIALS_DIRECTORY we'll look in it for a password.
The "systemd-ask-password" tool is updated with an option to specify the
credential to look for.
Diffstat (limited to 'src/shared/ask-password-api.c')
| -rw-r--r-- | src/shared/ask-password-api.c | 41 |
1 files changed, 35 insertions, 6 deletions
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index 729aa1fb00..04c6b5287e 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -20,6 +20,7 @@ #include "alloc-util.h" #include "ask-password-api.h" +#include "creds-util.h" #include "def.h" #include "fd-util.h" #include "fileio.h" @@ -971,11 +972,33 @@ finish: return r; } +static int ask_password_credential(const char *credential_name, AskPasswordFlags flags, char ***ret) { + _cleanup_(erase_and_freep) char *buffer = NULL; + size_t size; + char **l; + int r; + + assert(credential_name); + assert(ret); + + r = read_credential(credential_name, (void**) &buffer, &size); + if (IN_SET(r, -ENXIO, -ENOENT)) /* No credentials passed or this credential not defined? */ + return -ENOKEY; + + l = strv_parse_nulstr(buffer, size); + if (!l) + return -ENOMEM; + + *ret = l; + return 0; +} + int ask_password_auto( const char *message, const char *icon, - const char *id, - const char *keyname, + const char *id, /* id in "ask-password" protocol */ + const char *key_name, /* name in kernel keyring */ + const char *credential_name, /* name in $CREDENTIALS_DIRECTORY directory */ usec_t until, AskPasswordFlags flags, char ***ret) { @@ -984,20 +1007,26 @@ int ask_password_auto( assert(ret); + if (!(flags & ASK_PASSWORD_NO_CREDENTIAL) && credential_name) { + r = ask_password_credential(credential_name, flags, ret); + if (r != -ENOKEY) + return r; + } + if ((flags & ASK_PASSWORD_ACCEPT_CACHED) && - keyname && + key_name && ((flags & ASK_PASSWORD_NO_TTY) || !isatty(STDIN_FILENO)) && (flags & ASK_PASSWORD_NO_AGENT)) { - r = ask_password_keyring(keyname, flags, ret); + r = ask_password_keyring(key_name, flags, ret); if (r != -ENOKEY) return r; } if (!(flags & ASK_PASSWORD_NO_TTY) && isatty(STDIN_FILENO)) - return ask_password_tty(-1, message, keyname, until, flags, NULL, ret); + return ask_password_tty(-1, message, key_name, until, flags, NULL, ret); if (!(flags & ASK_PASSWORD_NO_AGENT)) - return ask_password_agent(message, icon, id, keyname, until, flags, ret); + return ask_password_agent(message, icon, id, key_name, until, flags, ret); return -EUNATCH; } |