
From ffe8028ca07eb049b12d5c152b3d66489378d731 Mon Sep 17 00:00:00 2001
Message-Id: <ffe8028ca07eb049b12d5c152b3d66489378d731@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 16 Mar 2020 22:11:56 +0100
Subject: [PATCH] conf: Add support for modifying ssl validation for https/ftps
 disks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow turning off verification of SSL certificates add a new element
<ssl> to the disk source XML which will allow configuring the validation
process using the 'verify' attribute.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 25481e25b14108373bf2e5e95c04fe30bff96bb4)
https://bugzilla.redhat.com/show_bug.cgi?id=1804750
Message-Id: <ede13179128fc9ef05036a5408f4115132a2c12d.1584391727.git.pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 docs/formatdomain.html.in                     |  9 ++++
 docs/schemas/domaincommon.rng                 | 51 ++++++++++++++++++-
 src/conf/domain_conf.c                        | 19 +++++++
 src/util/virstoragefile.c                     |  1 +
 src/util/virstoragefile.h                     |  1 +
 .../disk-network-http.xml                     |  9 ++++
 6 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
d76c62
index e9830ab231..2cce247958 100644
d76c62
--- a/docs/formatdomain.html.in
d76c62
+++ b/docs/formatdomain.html.in
d76c62
@@ -2847,6 +2847,7 @@
d76c62
     <driver name='qemu' type='raw'/>
d76c62
     <source protocol="https" name="url_path">
d76c62
       <host name="hostname" port="443"/>
d76c62
+      <ssl verify="no"/>
d76c62
     </source>
d76c62
     <target dev='hdf' bus='ide' tray='open'/>
d76c62
     <readonly/>
d76c62
@@ -3373,6 +3374,14 @@
d76c62
             The offset and size values are in bytes.
d76c62
             Since 6.1.0
d76c62
           
d76c62
+          
ssl
d76c62
+          
d76c62
+            For https and ftps accessed storage it's
d76c62
+            possible to tweak the SSL transport parameters with this element.
d76c62
+            The verify attribute allows to turn on or off SSL
d76c62
+            certificate validation. Supported values are yes and
d76c62
+            no. Since 6.2.0
d76c62
+          
d76c62
         
d76c62
 
d76c62
         

d76c62
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
d76c62
index aa70e340b9..548601b61c 100644
d76c62
--- a/docs/schemas/domaincommon.rng
d76c62
+++ b/docs/schemas/domaincommon.rng
d76c62
@@ -1808,12 +1808,39 @@
d76c62
     </element>
d76c62
   </define>
d76c62
 
d76c62
+  <define name="diskSourceNetworkProtocolSSLVerify">
d76c62
+    <element name="ssl">
d76c62
+      <attribute name="verify">
d76c62
+        <ref name="virYesNo"/>
d76c62
+      </attribute>
d76c62
+      <empty/>
d76c62
+    </element>
d76c62
+  </define>
d76c62
+
d76c62
+  <define name="diskSourceNetworkProtocolHTTPS">
d76c62
+    <element name="source">
d76c62
+      <attribute name="protocol">
d76c62
+        <choice>
d76c62
+          <value>https</value>
d76c62
+        </choice>
d76c62
+      </attribute>
d76c62
+      <attribute name="name"/>
d76c62
+      <ref name="diskSourceCommon"/>
d76c62
+      <ref name="diskSourceNetworkHost"/>
d76c62
+      <optional>
d76c62
+        <ref name="encryption"/>
d76c62
+      </optional>
d76c62
+      <optional>
d76c62
+        <ref name="diskSourceNetworkProtocolSSLVerify"/>
d76c62
+      </optional>
d76c62
+    </element>
d76c62
+  </define>
d76c62
+
d76c62
   <define name="diskSourceNetworkProtocolHTTP">
d76c62
     <element name="source">
d76c62
       <attribute name="protocol">
d76c62
         <choice>
d76c62
           <value>http</value>
d76c62
-          <value>https</value>
d76c62
         </choice>
d76c62
       </attribute>
d76c62
       <attribute name="name"/>
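Review bot: The new `diskSourceNetworkProtocolHTTPS` define and the `diskSourceNetworkProtocolFTPS` define added in the next hunk are identical apart from the single `<value>` inside the protocol `<choice>`, so every future TLS-related attribute has to be added twice and kept in sync by hand. A single define whose protocol `<choice>` lists both `<value>https</value>` and `<value>ftps</value>`, referenced once from the protocol list, would express the same schema with one copy. If the split is intentional, a short RNG comment above each define saying why would save the next reader the comparison.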
d76c62
@@ -1825,13 +1852,31 @@
d76c62
     </element>
d76c62
   </define>
d76c62
 
d76c62
+  <define name="diskSourceNetworkProtocolFTPS">
d76c62
+    <element name="source">
d76c62
+      <attribute name="protocol">
d76c62
+        <choice>
d76c62
+          <value>ftps</value>
d76c62
+        </choice>
d76c62
+      </attribute>
d76c62
+      <attribute name="name"/>
d76c62
+      <ref name="diskSourceCommon"/>
d76c62
+      <ref name="diskSourceNetworkHost"/>
d76c62
+      <optional>
d76c62
+        <ref name="encryption"/>
d76c62
+      </optional>
d76c62
+      <optional>
d76c62
+        <ref name="diskSourceNetworkProtocolSSLVerify"/>
d76c62
+      </optional>
d76c62
+    </element>
d76c62
+  </define>
d76c62
+
d76c62
   <define name="diskSourceNetworkProtocolSimple">
d76c62
     <element name="source">
d76c62
       <attribute name="protocol">
d76c62
         <choice>
d76c62
           <value>sheepdog</value>
d76c62
           <value>ftp</value>
d76c62
-          <value>ftps</value>
d76c62
           <value>tftp</value>
d76c62
         </choice>
d76c62
       </attribute>
d76c62
@@ -1909,6 +1954,8 @@
d76c62
       <ref name="diskSourceNetworkProtocolRBD"/>
d76c62
       <ref name="diskSourceNetworkProtocolISCSI"/>
d76c62
       <ref name="diskSourceNetworkProtocolHTTP"/>
d76c62
+      <ref name="diskSourceNetworkProtocolHTTPS"/>
d76c62
+      <ref name="diskSourceNetworkProtocolFTPS"/>
d76c62
       <ref name="diskSourceNetworkProtocolSimple"/>
d76c62
       <ref name="diskSourceNetworkProtocolVxHS"/>
d76c62
     </choice>
d76c62
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
d76c62
index b3c4084c38..70bbc35bb3 100644
d76c62
--- a/src/conf/domain_conf.c
d76c62
+++ b/src/conf/domain_conf.c
d76c62
@@ -9259,6 +9259,7 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
d76c62
     g_autofree char *protocol = NULL;
d76c62
     g_autofree char *haveTLS = NULL;
d76c62
     g_autofree char *tlsCfg = NULL;
d76c62
+    g_autofree char *sslverifystr = NULL;
d76c62
 
d76c62
     if (!(protocol = virXMLPropString(node, "protocol"))) {
d76c62
         virReportError(VIR_ERR_XML_ERROR, "%s",
d76c62
@@ -9331,6 +9332,19 @@ virDomainDiskSourceNetworkParse(xmlNodePtr node,
d76c62
 
d76c62
     virStorageSourceInitiatorParseXML(ctxt, &src->initiator);
d76c62
 
d76c62
+    if ((src->protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS ||
d76c62
+         src->protocol == VIR_STORAGE_NET_PROTOCOL_FTPS) &&
d76c62
+        (sslverifystr = virXPathString("string(./ssl/@verify)", ctxt))) {
d76c62
+        int verify;
d76c62
+        if ((verify = virTristateBoolTypeFromString(sslverifystr)) < 0) {
d76c62
+            virReportError(VIR_ERR_XML_ERROR,
d76c62
+                           _("invalid ssl verify mode '%s'"), sslverifystr);
d76c62
+            return -1;
d76c62
+        }
d76c62
+
d76c62
+        src->sslverify = verify;
d76c62
+    }
d76c62
+
d76c62
     return 0;
d76c62
 }
d76c62
 
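Review bot: The new block stores the parsed value into `src->sslverify` without saying what the setting does, and the only hint a reader gets is the error string; since `verify='no'` turns off server certificate validation for the https/ftps transport, a comment above the `if` would carry that: `/* <ssl verify='no'/> disables TLS server certificate validation for https/ftps sources; when the element is absent sslverify stays ABSENT and nothing is emitted (presumably leaving the hypervisor default in place - confirm) */`. Note also that an `<ssl>` element on any other protocol is silently dropped by the protocol check rather than reported; that matches the schema, which only allows it for https/ftps, but XML parsed without schema validation will lose the element on a round-trip, so a one-line comment on the gate stating that this is deliberate would help. virDomainDiskSourceNetworkParse begins outside the hunk.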
d76c62
@@ -24312,6 +24326,11 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
d76c62
 
d76c62
     virStorageSourceInitiatorFormatXML(&src->initiator, childBuf);
d76c62
 
d76c62
+    if (src->sslverify != VIR_TRISTATE_BOOL_ABSENT) {
d76c62
+        virBufferAsprintf(childBuf, "<ssl verify='%s'/>\n",
d76c62
+                          virTristateBoolTypeToString(src->sslverify));
d76c62
+    }
d76c62
+
d76c62
     return 0;
d76c62
 }
d76c62
 
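Review bot: The formatter emits `<ssl>` whenever `src->sslverify` is not ABSENT, without the https/ftps gate the parser applies, so any other code path that sets the field (a copy via virStorageSourceCopy, or a future driver) would produce XML the schema rejects for other protocols. If relying on the parser as the only writer is intentional, a one-line comment above the new `if` would make the asymmetry visible: `/* only the parser sets this, and only for https/ftps; the schema rejects <ssl> elsewhere */`. virDomainDiskSourceFormatNetwork begins outside the hunk.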
d76c62
diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c
d76c62
index b88763b267..cfa77fccf8 100644
d76c62
--- a/src/util/virstoragefile.c
d76c62
+++ b/src/util/virstoragefile.c
d76c62
@@ -2270,6 +2270,7 @@ virStorageSourceCopy(const virStorageSource *src,
d76c62
     def->cachemode = src->cachemode;
d76c62
     def->discard = src->discard;
d76c62
     def->detect_zeroes = src->detect_zeroes;
d76c62
+    def->sslverify = src->sslverify;
d76c62
 
d76c62
     /* storage driver metadata are not copied */
d76c62
     def->drv = NULL;
d76c62
diff --git a/src/util/virstoragefile.h b/src/util/virstoragefile.h
d76c62
index 5b995d54ab..fab4248c3d 100644
d76c62
--- a/src/util/virstoragefile.h
d76c62
+++ b/src/util/virstoragefile.h
d76c62
@@ -282,6 +282,7 @@ struct _virStorageSource {
d76c62
     virStorageEncryptionPtr encryption;
d76c62
     bool encryptionInherited;
d76c62
     virStoragePRDefPtr pr;
d76c62
+    virTristateBool sslverify;
d76c62
 
d76c62
     virStorageSourceNVMeDefPtr nvme; /* type == VIR_STORAGE_TYPE_NVME */
d76c62
 
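Review bot: The new `sslverify` member has no comment, while the neighbouring `nvme` member documents the case it applies to; the parser in this series only fills `sslverify` for https and ftps sources, so the same style fits: `virTristateBool sslverify; /* protocol == VIR_STORAGE_NET_PROTOCOL_HTTPS or _FTPS; 'no' disables server certificate validation */`. The `_virStorageSource` definition starts outside the hunk.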
d76c62
diff --git a/tests/genericxml2xmlindata/disk-network-http.xml b/tests/genericxml2xmlindata/disk-network-http.xml
d76c62
index fde1222fd0..bdcc1977f2 100644
d76c62
--- a/tests/genericxml2xmlindata/disk-network-http.xml
d76c62
+++ b/tests/genericxml2xmlindata/disk-network-http.xml
d76c62
@@ -25,6 +25,7 @@
d76c62
       <driver name='qemu' type='raw'/>
d76c62
       <source protocol='https' name='test2.img'>
d76c62
         <host name='example.org' port='443'/>
d76c62
+        <ssl verify='no'/>
d76c62
       </source>
d76c62
       <target dev='vdb' bus='virtio'/>
d76c62
     </disk>
d76c62
@@ -35,6 +36,14 @@
d76c62
       </source>
d76c62
       <target dev='vdc' bus='virtio'/>
d76c62
     </disk>
d76c62
+    <disk type='network' device='disk'>
d76c62
+      <driver name='qemu' type='raw'/>
d76c62
+      <source protocol='https' name='test4.img'>
d76c62
+        <host name='example.org' port='1234'/>
d76c62
+        <ssl verify='yes'/>
d76c62
+      </source>
d76c62
+      <target dev='vdd' bus='virtio'/>
d76c62
+    </disk>
d76c62
     <controller type='usb' index='0'/>
d76c62
     <controller type='pci' index='0' model='pci-root'/>
d76c62
     <input type='mouse' bus='ps2'/>
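Review bot: The added disk only exercises `<ssl verify='yes'/>` on `protocol='https'`, so together with the `verify='no'` disk above, the https branch is covered twice and the `ftps` branch that the parser change also enables gets no round-trip coverage. A further disk with `<source protocol='ftps' name='...'>` carrying `<ssl verify='no'/>` would exercise the second half of the protocol check, and an invalid-input case with an unsupported `verify` value would pin the `invalid ssl verify mode` error path.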
d76c62
-- 
2.25.1