node-libvirt

set/get secret value do not work properly

Open oferb1 opened this issue 8 years ago • 4 comments

I have found the following issues when testing secrets (for Ceph storage pools)

  • setValue will clip the passed key
  • virsh retrieves the data base64 transposed

// Reproduces the report: define a Ceph secret, set a value, then read it
// back through node-libvirt and through virsh before cleaning up.
const Promise = require('bluebird'),
      exec = Promise.promisify(require('child_process').exec),
      virt = require('libvirt'),
      uuid = require('uuid');

let secretUUID = uuid.v4(),
    secretXml =  `<secret ephemeral="no" private="no"><uuid>${secretUUID}</uuid><usage type="ceph">` +
                 '<name>client.test secret</name></usage></secret>',
    key = 'do not tell anyone',
    secret;

let hv = virt.createHypervisor('qemu:///system');

hv.connectAsync()
  .then(() => hv.defineSecretAsync(secretXml))
  .then(_secret => {
    secret = _secret;
    // Return the promise so getValueAsync() runs only after the value is set.
    return secret.setValueAsync(key);
  })
  .then(() => secret.getValueAsync())
  .then(value => console.log(`setValue('${key}'), while getValue() returns '${value}'`))
  .then(() => exec(`virsh secret-get-value ${secretUUID}`))
  .then(stdout => console.log(`virsh reads the secret value as '${stdout.trim()}', which is base64 transposed of the cropped key`))
  .then(() => secret.undefineAsync())
  .then(() => hv.disconnectAsync());

oferb1 Mar 15 '17 17:03

@oferb1 okay the SetValue bug is fixed in fcb1637a250e456a9d91aac615117136a6f44076. I'm not sure what you mean in the second part of your question: that virsh returns the value base64 encoded? The test I added here shows that setValue will have the same getValue, so I might make the argument that base64 encoding/decoding is up to the end user in this case (and a weird implementation detail of virsh).

mbroadst Mar 18 '17 20:03

Thanks - I confirmed that it works, and was able to set a secret, and define a Ceph pool using it.

Still when I use virsh to read the value, I get it base64 transposed - weird...

oferb1 Mar 19 '17 03:03

Still not sure what you mean about "transposed" in this case. Can you use node-libvirt to check if virsh is converting to base64 on the way in or out? Like store it with virsh and read with node-libvirt and vice versa.

mbroadst Mar 19 '17 12:03

virsh set value

# virsh secret-set-value a14408e2-e147-4ce9-b081-fd56ffab8e48 AQAGE8hYGi8fFxAAS7c7XdFda/ZblwlF9Z5p/A==
Secret value set

node-libvirt get value

hv.lookupSecretByUUIDAsync('a14408e2-e147-4ce9-b081-fd56ffab8e48').then(secret => secret.getValueAsync()).then(console.log)
Promise {
  _bitField: 0,
  _fulfillmentHandler0: undefined,
  _rejectionHandler0: undefined,
  _promise0: undefined,
  _receiver0: undefined }
> �X/K�;]�]k�[�	E��i�

node libvirt set-value

hv.lookupSecretByUUIDAsync('a14408e2-e147-4ce9-b081-fd56ffab8e48').then(secret => secret.setValueAsync('AQAGE8hYGi8fFxAAS7c7XdFda/ZblwlF9Z5p/A=='))

virsh get value

# virsh secret-get-value a14408e2-e147-4ce9-b081-fd56ffab8e48
QVFBR0U4aFlHaThmRnhBQVM3YzdYZEZkYS9aYmx3bEY5WjVwL0E9PQ==
# virsh secret-get-value a14408e2-e147-4ce9-b081-fd56ffab8e48 | base64 -d
AQAGE8hYGi8fFxAAS7c7XdFda/ZblwlF9Z5p/A==

oferb1 Mar 19 '17 17:03
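
The two experiments in the last comment can be replayed offline. The following is an added example, not code from the thread or from node-libvirt: it models virsh as base64-decoding on set and base64-encoding on get, and node-libvirt as storing and returning the value verbatim, which is what the posted outputs show. All function names are hypothetical, and the double-encoding check is a heuristic.

```javascript
// Added example: a model of the encoding seen in the thread, not libvirt code.
// All function names are hypothetical; nothing here talks to libvirt.

// Ceph key exactly as posted in the thread (it is already base64 text).
const CEPH_KEY_B64 = 'AQAGE8hYGi8fFxAAS7c7XdFda/ZblwlF9Z5p/A==';

// virsh secret-set-value: takes base64 text, stores the decoded bytes.
const virshSet = (base64Arg) => Buffer.from(base64Arg, 'base64');
// virsh secret-get-value: prints the stored bytes base64-encoded.
const virshGet = (stored) => stored.toString('base64');
// node-libvirt as observed in the thread: value stored and returned verbatim.
const nodeSet = (value) => Buffer.from(value, 'latin1');
const nodeGet = (stored) => stored.toString('latin1');

// Heuristic: do the stored bytes read as canonical base64 text? If so, the
// secret was probably stored without being decoded first. A raw secret made
// only of base64 characters would be flagged too.
function looksLikeBase64Text(buf) {
  const text = buf.toString('latin1');
  return text.length > 0 && text.length % 4 === 0 &&
    /^[A-Za-z0-9+/]+={0,2}$/.test(text) &&
    Buffer.from(text, 'base64').toString('base64') === text;
}

// Takes the output of `virsh secret-get-value` and reports what is stored.
function diagnose(virshOutput) {
  const stored = Buffer.from(virshOutput.trim(), 'base64');
  const doubleEncoded = looksLikeBase64Text(stored);
  return {
    doubleEncoded,
    storedLength: stored.length,
    // Size the secret would have had if the text had been decoded before storing.
    intendedLength: doubleEncoded
      ? Buffer.from(stored.toString('latin1'), 'base64').length
      : stored.length,
  };
}

// Replays both experiments from the last comment.
function replay() {
  return {
    virshThenNode: nodeGet(virshSet(CEPH_KEY_B64)), // raw bytes, unprintable
    nodeThenVirsh: virshGet(nodeSet(CEPH_KEY_B64)), // base64 of the base64 text
  };
}

console.log(diagnose(replay().nodeThenVirsh));
```

In this model the secret set through virsh holds 28 raw bytes, while the one set through node-libvirt holds the 40-character base64 text, so a consumer of the secret sees two different values.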