#define CEPH_AUTHTYPES_H
#include "Crypto.h"
+#include "common/CanHasPrint.h"
#include "common/ceph_json.h"
#include "common/entity_name.h"
#include "common/Formatter.h"
std::map<std::string, ceph::buffer::list> caps;
CryptoKey pending_key; ///< new but uncommitted key
+ void print(std::ostream& out) const {
+ out << "auth(key=" << key;
+ if (!pending_key.empty()) {
+ out << " pending_key=" << pending_key;
+ }
+ out << ")";
+ }
void encode(ceph::buffer::list& bl) const {
__u8 struct_v = 3;
using ceph::encode;
};
WRITE_CLASS_ENCODER(EntityAuth)
-inline std::ostream& operator<<(std::ostream& out, const EntityAuth& a)
-{
- out << "auth(key=" << a.key;
- if (!a.pending_key.empty()) {
- out << " pending_key=" << a.pending_key;
- }
- out << ")";
- return out;
-}
-
struct AuthCapsInfo {
bool allow_all;
ceph::buffer::list caps;
CryptoKey key;
utime_t expiration;
+ void print(std::ostream& out) const {
+ out << key << " expires " << expiration;
+ }
void encode(ceph::buffer::list& bl) const {
using ceph::encode;
__u8 struct_v = 1;
};
WRITE_CLASS_ENCODER(ExpiringCryptoKey)
-inline std::ostream& operator<<(std::ostream& out, const ExpiringCryptoKey& c)
-{
- return out << c.key << " expires " << c.expiration;
-}
-
struct RotatingSecrets {
std::map<uint64_t, ExpiringCryptoKey> secrets;
version_t max_ver;
};
WRITE_CLASS_ENCODER(CryptoKey)
-inline std::ostream& operator<<(std::ostream& out, const CryptoKey& k)
-{
- k.print(out);
- return out;
-}
-
/*
* Driver for a particular algorithm
bool RotatingKeyRing::get_service_secret(uint32_t service_id_, uint64_t secret_id,
CryptoKey& secret) const
{
+ ldout(cct, 30) << __func__ << ": service_id=" << service_id_ << " secret_id=" << secret_id << dendl;
+
std::lock_guard l{lock};
if (service_id_ != this->service_id) {
CryptoKey& secret, uint64_t& secret_id,
double& ttl) const
{
+ ldout(cct,30) << __func__ << ": " << service_id << dendl;
auto iter = rotating_secrets.find(service_id);
if (iter == rotating_secrets.end()) {
ldout(cct, 10) << "get_service_secret service " << ceph_entity_type_name(service_id) << " not found " << dendl;
return true;
}
-bool KeyServerData::get_auth(const EntityName& name, EntityAuth& auth) const {
+bool KeyServerData::get_auth(CephContext *cct, const EntityName& name, EntityAuth& auth) const {
+ ldout(cct, 20) << __func__ << ": " << name << dendl;
auto iter = secrets.find(name);
if (iter != secrets.end()) {
auth = iter->second;
+ ldout(cct, 30) << __func__ << ": found " << auth << dendl;
return true;
}
+ ldout(cct, 30) << __func__ << ": searching extra secrets" << dendl;
return extra_secrets->get_auth(name, auth);
}
-bool KeyServerData::get_secret(const EntityName& name, CryptoKey& secret) const {
+bool KeyServerData::get_secret(CephContext *cct, const EntityName& name, CryptoKey& secret) const {
+ ldout(cct, 20) << __func__ << ": " << name << dendl;
auto iter = secrets.find(name);
if (iter != secrets.end()) {
secret = iter->second.key;
+ ldout(cct, 30) << __func__ << ": found " << secret << dendl;
return true;
}
+
+ ldout(cct, 30) << __func__ << ": searching extra secrets" << dendl;
return extra_secrets->get_secret(name, secret);
}
bool KeyServer::get_secret(const EntityName& name, CryptoKey& secret) const
{
std::scoped_lock l{lock};
- return data.get_secret(name, secret);
+ return data.get_secret(cct, name, secret);
}
bool KeyServer::get_auth(const EntityName& name, EntityAuth& auth) const
{
std::scoped_lock l{lock};
- return data.get_auth(name, auth);
+ return data.get_auth(cct, name, auth);
}
bool KeyServer::get_caps(const EntityName& name, const string& type,
double& ttl) const;
bool get_service_secret(CephContext *cct, uint32_t service_id,
uint64_t secret_id, CryptoKey& secret) const;
- bool get_auth(const EntityName& name, EntityAuth& auth) const;
- bool get_secret(const EntityName& name, CryptoKey& secret) const;
+ bool get_auth(CephContext *cct, const EntityName& name, EntityAuth& auth) const;
+ bool get_secret(CephContext *cct, const EntityName& name, CryptoKey& secret) const;
bool get_caps(CephContext *cct, const EntityName& name,
const std::string& type, AuthCapsInfo& caps) const;
*key = k;
}
+void CephXSessionAuthInfo::print(std::ostream& os) const
+{
+ os << "session_auth_info("
+ << ceph_entity_type_name(service_id)
+ << " id=" << secret_id
+ << " session_key=" << session_key
+ << " service_secret=" << service_secret
+ << " ticket.name=" << ticket.name
+ << " ticket.global_id=" << ticket.global_id
+ << ")";
+}
/*
* Authentication
ticket_info.ticket = info.ticket;
ticket_info.ticket.caps = info.ticket.caps;
- ldout(cct, 10) << "build_service_ticket service "
- << ceph_entity_type_name(info.service_id)
- << " secret_id " << info.secret_id
- << " ticket_info.ticket.name="
- << ticket_info.ticket.name.to_str()
- << " ticket.global_id " << info.ticket.global_id << dendl;
+ ldout(cct, 10) << "build_service_ticket service " << info << dendl;
blob.secret_id = info.secret_id;
std::string error;
if (!info.service_secret.get_secret().length())
// Unable to decode!
return false;
}
- ldout(cct, 10) << "verify_authorizer decrypted service "
+
+ ldout(cct, 10) << __func__ << ": decoded service "
<< ceph_entity_type_name(service_id)
<< " secret_id=" << ticket.secret_id << dendl;
if (ticket.secret_id == (uint64_t)-1) {
EntityName name;
name.set_type(service_id);
+ ldout(cct, 20) << __func__ << ": looking up secret for " << ceph_entity_type_name(service_id) << dendl;
if (!keys.get_secret(name, service_secret)) {
ldout(cct, 0) << "verify_authorizer could not get general service secret for service "
<< ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
return false;
}
} else {
+ ldout(cct, 20) << __func__ << ": looking up service secret for " << ceph_entity_type_name(service_id) << dendl;
if (!keys.get_service_secret(service_id, ticket.secret_id, service_secret)) {
ldout(cct, 0) << "verify_authorizer could not get service secret for service "
<< ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
return false;
}
}
+ ldout(cct, 30) << __func__ << ": got secret " << service_secret << dendl;
+
std::string error;
if (!service_secret.get_secret().length())
error = "invalid key"; // Bad key?
else
decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
if (!error.empty()) {
- ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: "
- << error << dendl;
+ ldout(cct, 0) << __func__ << ": could not decrypt ticket info: " << error << dendl;
return false;
}
if (ticket_info.ticket.global_id != global_id) {
- ldout(cct, 0) << "verify_authorizer global_id mismatch: declared id=" << global_id
+ ldout(cct, 0) << __func__ << ": global_id mismatch: declared id=" << global_id
<< " ticket_id=" << ticket_info.ticket.global_id << dendl;
return false;
}
- ldout(cct, 10) << "verify_authorizer global_id=" << global_id << dendl;
+ ldout(cct, 10) << __func__ << ": global_id=" << global_id << dendl;
+ ldout(cct, 30) << __func__ << ": session key=" << ticket_info.session_key << dendl;
// CephXAuthorize
CephXAuthorize auth_msg;
c = new CephXAuthorizeChallenge;
challenge->reset(c);
cct->random()->get_bytes((char*)&c->server_challenge, sizeof(c->server_challenge));
- ldout(cct,10) << __func__ << " adding server_challenge " << c->server_challenge
+ ldout(cct,10) << __func__ << ": adding server_challenge " << c->server_challenge
<< dendl;
encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, *reply_bl, error);
if (!error.empty()) {
- ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
+ ldout(cct, 0) << __func__ << ": encode_encrypt error: " << error << dendl;
return false;
}
return false;
}
- ldout(cct, 10) << __func__ << " got server_challenge+1 "
+ ldout(cct, 10) << __func__ << ": got server_challenge+1 "
<< auth_msg.server_challenge_plus_one
<< " expecting " << c->server_challenge + 1 << dendl;
if (c->server_challenge + 1 != auth_msg.server_challenge_plus_one) {
CryptoKey session_key;
CryptoKey service_secret;
utime_t validity;
+
+ void print(std::ostream& os) const;
};
projects / ceph-ci.git / commitdiff