From: Daan De Meyer
Date: Tue, 17 Jan 2023 10:10:04 +0000 (+0100)
Subject: execute: Make credential_search_path() more flexible
X-Git-Tag: v254-rc1~244^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=96df2bd84b811c8a364755e3a2996918007f3c54;p=thirdparty%2Fsystemd.git

execute: Make credential_search_path() more flexible

Let's also allow looking up only the encrypted credential search path.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index 1802ae05b30..2d1538be857 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2757,19 +2757,26 @@ static int write_credential(
         return 0;
 }
 
-static char **credential_search_path(
-                const ExecParameters *params,
-                bool encrypted) {
+typedef enum CredentialSearchPath {
+        CREDENTIAL_SEARCH_PATH_TRUSTED,
+        CREDENTIAL_SEARCH_PATH_ENCRYPTED,
+        CREDENTIAL_SEARCH_PATH_ALL,
+        _CREDENTIAL_SEARCH_PATH_MAX,
+        _CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
+} CredentialSearchPath;
+
+static char **credential_search_path(const ExecParameters *params, CredentialSearchPath path) {
         _cleanup_strv_free_ char **l = NULL;
 
         assert(params);
+        assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
 
-        /* Assemble a search path to find credentials in. We'll look in /etc/credstore/ (and similar
-         * directories in /usr/lib/ + /run/) for all types of credentials. If we are looking for encrypted
-         * credentials, also look in /etc/credstore.encrypted/ (and similar dirs). */
+        /* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
+         * /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
+         * credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
 
-        if (encrypted) {
+        if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
                 if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0)
                         return NULL;
@@ -2777,12 +2784,14 @@ static char **credential_search_path(
                         return NULL;
         }
 
-        if (params->received_credentials_directory)
-                if (strv_extend(&l, params->received_credentials_directory) < 0)
-                        return NULL;
+        if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
+                if (params->received_credentials_directory)
+                        if (strv_extend(&l, params->received_credentials_directory) < 0)
+                                return NULL;
 
-        if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
-                return NULL;
+                if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
+                        return NULL;
+        }
 
         if (DEBUG_LOGGING) {
                 _cleanup_free_ char *t = strv_join(l, ":");
@@ -2858,7 +2867,7 @@ static int load_credential(
                  * directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
                  * are operating on a credential store, i.e. this is guaranteed to be regular files. */
 
-                search_path = credential_search_path(params, encrypted);
+                search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ALL);
                 if (!search_path)
                         return -ENOMEM;
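Review bot: The two directory-append branches now disagree on NULL handling: the trusted branch added here guards `params->received_credentials_directory` with its own `if` before calling `strv_extend()`, three levels deep, while the encrypted branch in the first hunk passes `params->received_encrypted_credentials_directory` to `strv_extend()` unguarded. If `strv_extend()` treats a NULL value as a no-op, as the encrypted branch appears to rely on, the guard can be dropped so the block reads `if (strv_extend(&l, params->received_credentials_directory) < 0) return NULL;`; if it does not, the encrypted branch is the one missing a guard. Either way both branches should take the same shape. credential_search_path() starts in the first hunk and its body continues past this one.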
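Review bot: Passing `CREDENTIAL_SEARCH_PATH_ALL` unconditionally widens the lookup for the `encrypted == false` case, which on the removed line consulted only the trusted directories; a plaintext credential lookup can now resolve to a file in a `credstore.encrypted` directory. Unless a later check in load_credential() detects that the hit came from the encrypted search path and decrypts it, the encrypted blob would be handed on as the credential's content, and if that follow-up is planned the commit message should say so. Otherwise keep the old behaviour with `search_path = credential_search_path(params, encrypted ? CREDENTIAL_SEARCH_PATH_ALL : CREDENTIAL_SEARCH_PATH_TRUSTED);`. load_credential() starts and ends outside this hunk, so whether such a check already exists there cannot be confirmed from the diff.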