homed: set "secrets" section to 'sensitive' in more places

We already do this in all placed where we it *really* matters, i.e. for
passwords PINs. But let's do this also at any place where we add the
section at all, regardless whether it is for storing a pw or something
else.

With this we establish the rule that if it's in "secrets", then it
shall be marked "sensitive".

(cherry picked from commit 5933eb1a712ea533261811a4f9448a207672565a)

diff --git a/src/home/homectl-pkcs11.c b/src/home/homectl-pkcs11.c
index 9a75da74d304b268a8e72baa14f95abdb60c2cd4..8fe03f403609493acd96cc0f7027bfb9bf8c7fa5 100644 (file)
--- a/src/home/homectl-pkcs11.c
+++ b/src/home/homectl-pkcs11.c
@@ -48,6 +48,8 @@ int identity_add_token_pin(sd_json_variant **v, const char *pin) {
         if (r < 0)
                 return log_error_errno(r, "Failed to update PIN field: %m");
 
+        sd_json_variant_sensitive(w);
+
         r = sd_json_variant_set_field(v, "secret", w);
         if (r < 0)
                 return log_error_errno(r, "Failed to update secret object: %m");

diff --git a/src/home/homectl-recovery-key.c b/src/home/homectl-recovery-key.c
index 2b76303edd02e7c85b86b7622fdde105c669dad5..b9508d0940a75830ac17803fd8686d393fc034f2 100644 (file)
--- a/src/home/homectl-recovery-key.c
+++ b/src/home/homectl-recovery-key.c
@@ -95,6 +95,8 @@ static int add_secret(sd_json_variant **v, const char *password) {
         if (r < 0)
                 return log_error_errno(r, "Failed to update password field: %m");
 
+        sd_json_variant_sensitive(w);
+
         r = sd_json_variant_set_field(v, "secret", w);
         if (r < 0)
                 return log_error_errno(r, "Failed to update secret object: %m");

diff --git a/src/home/homed-home.c b/src/home/homed-home.c
index 9cefef610ec3d2bdf187006194083b5dfc7bfdbf..3e535068abb996aff96289a15b7dc859e4073f60 100644 (file)
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@@ -1226,6 +1226,8 @@ static int home_start_work(
                 if (!sub)
                         return -ENOKEY;
 
+                sd_json_variant_sensitive(sub);
+
                 r = sd_json_variant_set_field(&v, "secret", sub);
                 if (r < 0)
                         return r;

diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c
index 907dd435126d716e706997fa074d5856f308c0fd..15e0ffdf762511835d07f7706b2722f47cc4fe08 100644 (file)
--- a/src/home/user-record-util.c
+++ b/src/home/user-record-util.c
@@ -1053,8 +1053,11 @@ int user_record_set_fido2_user_presence_permitted(UserRecord *h, int b) {
 
         if (sd_json_variant_is_blank_object(w))
                 r = sd_json_variant_filter(&h->json, STRV_MAKE("secret"));
-        else
+        else {
+                sd_json_variant_sensitive(w);
+
                 r = sd_json_variant_set_field(&h->json, "secret", w);
+        }
         if (r < 0)
                 return r;
 
@@ -1081,8 +1084,11 @@ int user_record_set_fido2_user_verification_permitted(UserRecord *h, int b) {
 
         if (sd_json_variant_is_blank_object(w))
                 r = sd_json_variant_filter(&h->json, STRV_MAKE("secret"));
-        else
+        else {
+                sd_json_variant_sensitive(w);
+
                 r = sd_json_variant_set_field(&h->json, "secret", w);
+        }
         if (r < 0)
                 return r;