From 560a3e5dd6ff12cfbe1cedfa8838dd8423a0dadd Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 29 Apr 2020 16:25:52 +0200
Subject: home: make sure whenever we touch the 'secret' part of a user record,
 we set the the sensitive flag on it

---
 src/home/user-record-util.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c
index c4a0d95081..430a952e6f 100644
--- a/src/home/user-record-util.c
+++ b/src/home/user-record-util.c
@@ -840,6 +840,8 @@ int user_record_set_password(UserRecord *h, char **password, bool prepend) {
         if (r < 0)
                 return r;
 
+        json_variant_sensitive(w);
+
         r = json_variant_set_field(&h->json, "secret", w);
         if (r < 0)
                 return r;
@@ -900,6 +902,8 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
         if (r < 0)
                 return r;
 
+        json_variant_sensitive(w);
+
         r = json_variant_set_field(&h->json, "secret", w);
         if (r < 0)
                 return r;
@@ -927,8 +931,11 @@ int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h
 
         if (json_variant_is_blank_object(w))
                 r = json_variant_filter(&h->json, STRV_MAKE("secret"));
-        else
+        else {
+                json_variant_sensitive(w);
+
                 r = json_variant_set_field(&h->json, "secret", w);
+        }
         if (r < 0)
                 return r;
 
-- 
cgit v1.2.1