homed: set "secrets" section to 'sensitive' in more places
authorLennart Poettering <lennart@poettering.net>
Mon, 23 Jun 2025 12:37:58 +0000 (14:37 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 23 Jun 2025 12:48:37 +0000 (14:48 +0200)
We already do this in all places where it *really* matters, i.e. for
passwords and PINs. But let's do this also at any place where we add the
section at all, regardless of whether it is for storing a pw or something
else.

With this we establish the rule that if it's in "secrets", then it
shall be marked "sensitive".

src/home/homectl-pkcs11.c
src/home/homectl-recovery-key.c
src/home/homed-home.c
src/home/user-record-util.c

index 12037a667dee8aa57c45532904d92e1616273d38..38541c51ceb05f751822e30aae23ce14a621ffd9 100644 (file)
@@ -50,6 +50,8 @@ int identity_add_token_pin(sd_json_variant **v, const char *pin) {
         if (r < 0)
                 return log_error_errno(r, "Failed to update PIN field: %m");
 
+        sd_json_variant_sensitive(w);
+
         r = sd_json_variant_set_field(v, "secret", w);
         if (r < 0)
                 return log_error_errno(r, "Failed to update secret object: %m");
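Review bot: The rule stated in the commit message, that anything placed under "secret" is marked sensitive, is enforced only by repeating `sd_json_variant_sensitive(...)` by hand before each `sd_json_variant_set_field(..., "secret", ...)`. That applies here and in add_secret, home_start_work and the two user_record_set_fido2_*_permitted setters, so a later writer of the field can omit the mark without anything failing. A short comment at each site would record the invariant, for example `/* Invariant: whatever is stored under "secret" must be marked sensitive */`. Alternatively, the mark-and-set pair could move into one shared helper so the two steps cannot drift apart. The body of identity_add_token_pin starts and ends outside this hunk, so how `w` is built is not visible here.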
index ad1850d056469757cb381648bd4e23d918352e06..c8d6a9b2fa65f60e0a4f381287c02fbb6ad02a23 100644 (file)
@@ -94,6 +94,8 @@ static int add_secret(sd_json_variant **v, const char *password) {
         if (r < 0)
                 return log_error_errno(r, "Failed to update password field: %m");
 
+        sd_json_variant_sensitive(w);
+
         r = sd_json_variant_set_field(v, "secret", w);
         if (r < 0)
                 return log_error_errno(r, "Failed to update secret object: %m");
index be6a7bf515029de189a69466e448602035d6c8e3..4b5aed46bf0634853fad31e9052805fbbb6e3df4 100644 (file)
@@ -1256,6 +1256,8 @@ static int home_start_work(
                 if (!sub)
                         return -ENOKEY;
 
+                sd_json_variant_sensitive(sub);
+
                 r = sd_json_variant_set_field(&v, "secret", sub);
                 if (r < 0)
                         return r;
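Review bot: `sd_json_variant_sensitive(sub)` sets the flag on the object `sub` points at, so if `sub` is a borrowed pointer into another record's JSON (its assignment is outside this hunk), the mark lands on that record as well as on what is stored in `v`. That is likely harmless and probably intended, but it is a side effect on data this function does not own and deserves a comment, for example `/* Marks the section in place, i.e. also inside the record it was looked up from */`. Whatever later serializes `v` should also handle the resulting buffer as secret material. That code is not visible on this page.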
index fdc99e1c4f05f1ea28ca0bbe0348affbba5aa65a..3cc100ac94639d57d751941c2b04f4104078a083 100644 (file)
@@ -1022,8 +1022,11 @@ int user_record_set_fido2_user_presence_permitted(UserRecord *h, int b) {
 
         if (sd_json_variant_is_blank_object(w))
                 r = sd_json_variant_filter(&h->json, STRV_MAKE("secret"));
-        else
+        else {
+                sd_json_variant_sensitive(w);
+
                 r = sd_json_variant_set_field(&h->json, "secret", w);
+        }
         if (r < 0)
                 return r;
 
@@ -1050,8 +1053,11 @@ int user_record_set_fido2_user_verification_permitted(UserRecord *h, int b) {
 
         if (sd_json_variant_is_blank_object(w))
                 r = sd_json_variant_filter(&h->json, STRV_MAKE("secret"));
-        else
+        else {
+                sd_json_variant_sensitive(w);
+
                 r = sd_json_variant_set_field(&h->json, "secret", w);
+        }
         if (r < 0)
                 return r;