.. code-block::
- secret-set-value secret (--file filename [--plain] | base64)
+ secret-set-value secret (--file filename [--plain] | --interactive | base64)
Set the value associated with *secret* (specified by its UUID) to the value
Base64-encoded value *base64* or Base-64-encoded contents of file named
*filename*. Using the *--plain* flag is together with *--file* allows to use
the file contents directly as the secret value.
-Note that *--file* and *base64* options are mutually exclusive.
+If *--interactive* flag is used the secret value is read as a password from the
+terminal.
+
+Note that *--file*, *--interactive* and *base64* options are mutually exclusive.
Passing secrets via the *base64* option on command line is INSECURE and
deprecated. Use the *--file* option instead.
.type = VSH_OT_BOOL,
.help = N_("read the secret from file without converting from base64")
},
+ {.name = "interactive",
+ .type = VSH_OT_BOOL,
+ .help = N_("read the secret from the terminal")
+ },
{.name = "base64",
.type = VSH_OT_STRING,
.help = N_("base64-encoded secret value")
unsigned char *value;
size_t value_size;
bool plain = vshCommandOptBool(cmd, "plain");
+ bool interactive = vshCommandOptBool(cmd, "interactive");
int res;
VSH_EXCLUSIVE_OPTIONS("file", "base64");
VSH_EXCLUSIVE_OPTIONS("plain", "base64");
+ VSH_EXCLUSIVE_OPTIONS("interactive", "base64");
+ VSH_EXCLUSIVE_OPTIONS("interactive", "plain");
+ VSH_EXCLUSIVE_OPTIONS("interactive", "file");
if (!(secret = virshCommandOptSecret(ctl, cmd, NULL)))
return false;
if (vshCommandOptStringReq(ctl, cmd, "file", &filename) < 0)
return false;
- if (!base64 && !filename) {
+ if (!base64 && !filename && !interactive) {
vshError(ctl, _("Input secret value is missing"));
return false;
}
base64 = file_buf;
}
+ if (interactive) {
+ vshPrint(ctl, "%s", _("Enter new value for secret:"));
+ fflush(stdout);
+
+ if (!(file_buf = getpass(""))) {
+ vshError(ctl, "%s", _("Failed to read secret"));
+ return false;
+ }
+ file_len = strlen(file_buf);
+ plain = true;
+ }
+
if (plain) {
value = g_steal_pointer(&file_buf);
value_size = file_len;
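Review bot: `getpass("")` returns a pointer to a buffer that the C library owns and reuses, yet the added block stores it in `file_buf`, and the `if (plain)` branch just below moves it into `value` with `g_steal_pointer()`, which reads as an ownership transfer. If `file_buf` or `value` is released when the function exits (their declarations and the cleanup path are outside this hunk), that frees memory this code never allocated, and the secret also stays behind in the library's buffer. Keep the returned pointer in a local, set `file_buf = g_strdup(pw);`, and wipe `pw` once the copy is made. Separately, the prompt goes to stdout through `vshPrint()` while `getpass()` normally talks to the controlling terminal, so with stdout redirected the user sees no prompt; passing the prompt text to `getpass()` itself would keep the two together.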