return true;
}
+bool AuthTicketsManager::has_key(uint32_t service_id)
+{
+ map<uint32_t, AuthTicketHandler>::iterator iter = tickets_map.find(service_id);
+ if (iter == tickets_map.end())
+ return false;
+ return iter->second.has_key();
+}
+
/*
* PRINCIPAL: verify our attempt to authenticate succeeded. fill out
* this ServiceTicket with the result.
*/
bool AuthTicketHandler::verify_reply_authorizer(AuthContext& ctx, AuthAuthorizeReply& reply)
{
- if (ctx.timestamp == reply.timestamp) {
+ if (ctx.timestamp + 1 == reply.timestamp) {
return true;
}
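Review bot: The new condition `if (ctx.timestamp + 1 == reply.timestamp)` encodes a protocol rule that nothing in the block states, and the PRINCIPAL comment above still only says "verify our attempt to authenticate succeeded", so the next reader will wonder whether the +1 is an off-by-one. A one-line comment such as `// the peer must echo our timestamp incremented by one; an unmodified echo is rejected` would pin the intent. The body of verify_reply_authorizer continues outside the hunk, so the mismatch path is not visible here.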
ret = 0;
break;
- case CEPHX_OPEN_SESSION:
- {
- AuthTicketHandler& ticket_handler = client->tickets.get_handler(CEPHX_PRINCIPAL_AUTH);
- AuthAuthorizeReply reply;
- if (!ticket_handler.decode_reply_authorizer(indata, reply)) {
- ret = -EINVAL;
- break;
- }
- AuthContext *ctx = client->context_map.get(reply.trans_id);
- if (!ctx) {
- ret = -EINVAL;
- break;
- }
- bool result = ticket_handler.verify_reply_authorizer(*ctx, reply);
- if (result)
- ctx->status = 0;
- else
- ctx->status = -EPERM;
-
- ctx->cond->Signal();
- ret = 0;
- break;
- }
- break;
default:
dout(0) << "header.request_type = " << hex << header.request_type << dec << dendl;
ret = -EINVAL;
int AuthClientAuthorizeHandler::_build_request()
{
CephXRequestHeader header;
- if (!(client->have & service_id)) {
+ if (!client->tickets.has_key(service_id)) {
dout(0) << "can't authorize: missing service key" << dendl;
return -EPERM;
}
::encode(header, bl);
utime_t now;
-#if 0
+
if (!client->tickets.build_authorizer(service_id, bl, ctx))
return -EINVAL;
-#endif
+
return 0;
}
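Review bot: `utime_t now;` after `::encode(header, bl);` is declared but never used in the visible body, and with the `#if 0` around the `build_authorizer` call removed nothing else in the function touches it; drop it unless a later part of the function reads it. The header is encoded into `bl` before `build_authorizer` runs, so on the `-EINVAL` path `bl` already holds a partial request — fine if the caller discards it on error, but worth a comment like `// on error bl holds a partial request; caller must discard it`. The `has_key` guard replacing the `have` bitmask only checks that a key exists, not that the ticket it belongs to is still valid; if AuthTicketHandler tracks expiry that check belongs here too (cannot confirm from this hunk).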
int AuthClientAuthorizeHandler::_handle_response(int ret, bufferlist::iterator& iter)
{
- /* FIXME: implement */
+ struct CephXResponseHeader header;
+ ::decode(header, iter);
- return 0;
-}
+ dout(0) << "AuthClientAuthorizeHandler::_handle_response() ret=" << ret << dendl;
-#if 0
-int AuthClientAuthenticateHandler::_do_request()
-{
- Message *msg = build_authenticate_request();
- if (!msg)
- return -EIO;
+ if (ret) {
+ return ret;
+ }
- int ret = _do_request_generic(timeout, msg);
+ switch (header.request_type & CEPHX_REQUEST_TYPE_MASK) {
+ case CEPHX_OPEN_SESSION:
+ {
+ AuthTicketHandler& ticket_handler = client->tickets.get_handler(service_id);
+ AuthAuthorizeReply reply;
+ if (!ticket_handler.decode_reply_authorizer(iter, reply)) {
+ ret = -EINVAL;
+ break;
+ }
+ ret = 0;
+ bool result = ticket_handler.verify_reply_authorizer(ctx, reply);
+ if (!result) {
+ ret = -EPERM;
+ }
+
+ break;
+ }
+ break;
+ default:
+ dout(0) << "header.request_type = " << hex << header.request_type << dec << dendl;
+ ret = -EINVAL;
+ break;
+ }
return ret;
}
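Review bot: In the `CEPHX_OPEN_SESSION` case the `break;` right after the closing `}` is unreachable — every path inside the block already breaks — and the same dead `break;` follows the new `CEPHX_OPEN_SESSION` block on the server side; delete both. The `dout(0) << "AuthClientAuthorizeHandler::_handle_response() ret=" ...` trace fires at level 0 on every response including successful ones, while the failure at `if (!ticket_handler.decode_reply_authorizer(iter, reply))` returns `-EINVAL` with no log line; move the trace to a higher debug level and log the decode failure instead. Unlike `_build_request`, this path calls `client->tickets.get_handler(service_id)` without a `has_key` check; if `get_handler` default-constructs a missing entry, a reply for an unknown service would be verified against an empty handler — confirm what `get_handler` does on a miss.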
-#endif
AuthClientProtocolHandler *AuthClientHandler::_get_proto_handler(uint32_t id)
{
int AuthClientHandler::authorize(uint32_t service_id, double timeout)
{
+ Mutex::Locker l(lock);
AuthClientAuthorizeHandler handler(this, service_id);
int ret = handler.build_request();
ret = handler.do_request(timeout);
+ dout(0) << "authorize returned " << ret << dendl;
+
return ret;
}
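Review bot: `int ret = handler.build_request();` is overwritten on the next line by `ret = handler.do_request(timeout);`, so the `-EPERM` that `_build_request` now returns when `has_key` fails is discarded and the request is sent anyway; insert `if (ret < 0) return ret;` between the two calls. The added `Mutex::Locker l(lock);` now holds the handler lock for the whole of `do_request(timeout)`; if the reply that drives `_handle_response` is dispatched on a path that also takes `lock`, this blocks until the timeout — not visible in this hunk, but worth checking. The added `dout(0) << "authorize returned " << ret << dendl;` also runs on every call and belongs at a higher debug level than 0.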
}
-AuthContext& AuthContextMap::create()
-{
- Mutex::Locker l(lock);
- AuthContext& ctx = m[max_id];
- ctx.id = max_id;
- ctx.cond = NULL;
- ++max_id;
-
- return ctx;
-}
-
-void AuthContextMap::remove(int id)
-{
- Mutex::Locker l(lock);
- std::map<int, AuthContext>::iterator iter = m.find(id);
- if (iter != m.end()) {
- m.erase(iter);
- }
-}
-
-AuthContext *AuthContextMap::get(int id)
-{
- Mutex::Locker l(lock);
- std::map<int, AuthContext>::iterator iter = m.find(id);
- if (iter != m.end())
- return &iter->second;
-
- return NULL;
-}
-
-
class Message;
class AuthClient;
-class AuthContextMap {
- map<int, AuthContext> m;
-
- Mutex lock;
- int max_id;
-
-public:
- AuthContextMap() : lock("AuthorizeMap") {}
- AuthContext& create();
- void remove(int id);
- AuthContext *get(int id);
-};
-
class AuthClientHandler;
class AuthClientProtocolHandler {
class AuthClientAuthorizeHandler : public AuthClientProtocolHandler {
uint32_t service_id;
+ AuthContext ctx;
protected:
int _build_request();
int _handle_response(int ret, bufferlist::iterator& iter);
uint32_t have;
CryptoKey secret;
- AuthContextMap context_map;
AuthTicketsManager tickets;
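Review bot: `AuthContext ctx;` replaces map entries that the removed `AuthContextMap::create()` initialised explicitly (`ctx.id = max_id; ctx.cond = NULL;`), but nothing in the hunk shows AuthContext or the AuthClientAuthorizeHandler constructor doing the same, so `ctx.cond`, `ctx.status` and `ctx.timestamp` may start uninitialised; give AuthContext in-class initialisers or set them in the handler constructor. `uint32_t have;` is still declared on AuthClientHandler although `_build_request` no longer reads `client->have`; if no other reader remains it should go with `context_map`. Both class declarations are cut by the hunk, so other members are not visible.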
AuthClientHandler() : lock("AuthClientHandler::lock"),
ret = 0;
}
break;
+ case CEPHX_OPEN_SESSION:
+ {
+ CryptoKey service_secret;
+
+ auth_server.get_service_secret(service_secret, CEPHX_PRINCIPAL_MON);
+
+ ret = 0;
+ bufferlist tmp_bl;
+ if (!verify_authorizer(service_secret, indata, tmp_bl)) {
+ ret = -EPERM;
+ }
+ build_cephx_response_header(request_type, ret, result_bl);
+ result_bl.claim_append(tmp_bl);
+
+ break;
+ }
+ break;
default:
ret = -EINVAL;
build_cephx_response_header(request_type, -EINVAL, result_bl);
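Review bot: The result of `auth_server.get_service_secret(service_secret, CEPHX_PRINCIPAL_MON);` is ignored, so if the lookup fails `verify_authorizer` runs against a default-constructed `service_secret` and the outcome is whatever that verification yields; the lookup should gate the check, e.g. `if (!auth_server.get_service_secret(service_secret, CEPHX_PRINCIPAL_MON) || !verify_authorizer(service_secret, indata, tmp_bl)) ret = -EPERM;` (adjust to get_service_secret's actual return convention, which is not visible here). `result_bl.claim_append(tmp_bl);` runs even when verification failed; if `verify_authorizer` leaves partial output in `tmp_bl` on failure that data goes back to an unverified peer — confirm it only fills `tmp_bl` on success, or append only when `ret == 0`. The `break;` after the block's closing `}` is unreachable and can be dropped. The enclosing switch continues past the hunk.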