}
if (!indata.end())
return false;
-
+
+ has_key_flag = true;
+
return true;
}
::encode(nonce, info);
session_key.encrypt(info, enc_info);
::encode(enc_info, bl);
- return now;
+ return now;
}
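Review bot: `session_key.encrypt(info, enc_info)` just above the reworked `return now;` still ignores its return value, while the same call on the reply path (`session_key.encrypt(reply, enc_reply)`) now fails closed on `< 0`. If encryption fails here, whatever `enc_info` holds is encoded into `bl` and sent as the authenticator. The function returns a `utime_t`, so it cannot return false; one option is to leave `bl` untouched and hand back a zero time the caller can test, e.g. `if (session_key.encrypt(info, enc_info) < 0) return utime_t();`, assuming `utime_t` default-constructs to zero. build_authenticator starts outside the hunk, so the caller's use of the returned time is not visible.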
/*
CryptoKey session_key;
{
bufferlist bl;
- service_secret.decrypt(enc_ticket, bl);
+ if (service_secret.decrypt(enc_ticket, bl) < 0)
+ return false;
bufferlist::iterator p = bl.begin();
::decode(ticket, p);
::decode(session_key, p);
string nonce;
{
bufferlist info;
- session_key.decrypt(enc_info, info);
+ if (session_key.decrypt(enc_info, info) < 0)
+ return false;
bufferlist::iterator p = info.begin();
::decode(timestamp, p);
::decode(nonce, p);
bufferlist reply;
timestamp += 1;
::encode(timestamp, reply);
- session_key.encrypt(reply, enc_reply);
+ if (session_key.encrypt(reply, enc_reply) < 0)
+ return false;
return true;
}
bool ServiceTicket::verify_reply_authenticator(utime_t then, bufferlist& enc_reply)
{
bufferlist reply;
- session_key.decrypt(enc_reply, reply);
+ if (session_key.decrypt(enc_reply, reply) < 0)
+ return false;
bufferlist::iterator p = reply.begin();
utime_t later;
::decode(later, p);
- if (then + 1 == later)
+ dout(0) << "later=" << later << " then=" << then << dendl;
+ if (then + 1 == later) {
return true;
+ }
+
return false;
}
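Review bot: The new `decrypt(...) < 0` guards in the service-side verify and in verify_reply_authenticator only reject ciphertexts the cipher refuses to process; if the key is plain AES as `CEPH_SECRET_AES` in the client hunk suggests, a modified ciphertext decrypts to garbage with a zero return and is caught, if at all, only later by `::decode` or by the `then + 1 == later` comparison. On the service side nothing compares the decrypted ticket's expiry or the decoded `timestamp` with the current time, so a captured authenticator can be replayed until the session key changes; a freshness check before `timestamp += 1` (reject timestamps outside an acceptance window, and tickets past their expiry) would close that. The `dout(0) << "later=" ... << dendl` trace prints both timestamps on every verification at the lowest debug level; raise it to a debug-only level or drop it before merge. The service-side function's signature is outside the hunk, so its name and return contract are taken from the visible `return false` paths.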
bufferlist enc_ticket; // opaque to us
string nonce;
utime_t renew_after, expires;
+ bool has_key_flag;
+
+ ServiceTicket() : has_key_flag(false) {}
// to build our ServiceTicket
bool verify_authenticate_reply(CryptoKey& client_secret,
// to access the service
utime_t build_authenticator(bufferlist& bl);
bool verify_reply_authenticator(utime_t then, bufferlist& enc_reply);
+
+ bool has_key() { return has_key_flag; }
};
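Review bot: `has_key_flag` is only ever set to true (at the end of verify_authenticate_reply in the first hunk) and nothing in the class resets it, so a ticket that verified once keeps reporting `has_key()` even if a later re-verification fails part way through decoding; clear it at the start of verify_authenticate_reply with `has_key_flag = false;` before the decrypt. `has_key()` does not modify state and should be `bool has_key() const { return has_key_flag; }` so it is callable through a const reference. A one-line comment on the flag, `// set only after verify_authenticate_reply succeeded; guards use of session_key`, would record the invariant. The class header is outside the hunk.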
int AuthClientHandler::generate_request(bufferlist& bl)
{
+ dout(0) << "status=" << status << dendl;
if (status < 0) {
return status;
}
{
CephXRequestHeader header;
- if (!auth_session_key.length()) {
+ if (!auth_ticket.has_key()) {
+ dout(0) << "auth ticket: doesn't have key" << dendl;
/* we first need to get the principle/auth session key */
header.request_type = CEPHX_GET_AUTH_SESSION_KEY;
return 0;
}
- if (!cur_cap) {
- uint32_t left_caps = (want_caps ^ have_caps) & want_caps;
+ dout(0) << "want_keys=" << hex << want_keys << " have_keys=" << have_keys << dec << dendl;
- for (uint32_t i=0; i<sizeof(left_caps)*8; i++) {
- cur_cap = (left_caps & (1 << i));
- if (cur_cap)
- break;
- }
- if (!cur_cap) /* done */
- return 0;
- }
+ if (want_keys == have_keys)
+ return 0;
- ::encode(cur_cap, bl);
+ header.request_type = CEPHX_GET_PRINCIPAL_SESSION_KEY | want_keys;
+
+ ::encode(header, bl);
+
+ auth_ts = auth_ticket.build_authenticator(bl);
return 0;
}
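Review bot: As far as the hunk shows, the `CEPHX_GET_AUTH_SESSION_KEY` branch sets `header.request_type` and returns 0 without encoding `header` into `bl`; the added `::encode(header, bl)` only runs on the principal-session-key path, so unless the encode happens on lines outside the hunk the first request goes out empty. `header.request_type = CEPHX_GET_PRINCIPAL_SESSION_KEY | want_keys;` packs the service bitmask into the request type, which only round-trips if the opcode and the `CEPHX_PRINCIPAL_*` bits are disjoint — the hunk cannot confirm that, and a separate field in `CephXRequestHeader` would avoid the ambiguity. The request also asks for all of `want_keys` rather than the missing ones the removed `left_caps` logic computed (`want_keys & ~have_keys`). The three `dout(0)` lines are development traces at the lowest debug level and should be raised before merge.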
bufferptr p(PRINCIPAL_SECRET, sizeof(PRINCIPAL_SECRET) - 1);
secret.set_secret(CEPH_SECRET_AES, p);
- auth_ticket.verify_authenticate_reply(secret, indata);
+ if (!auth_ticket.verify_authenticate_reply(secret, indata)) {
+ dout(0) << "could not verify authenticate reply" << dendl;
+ return -EPERM;
+ }
+
+ if (want_keys)
+ ret = -EAGAIN;
}
break;
case CEPHX_GET_PRINCIPAL_SESSION_KEY:
- dout(0) << "FIXME: CEPHX_GET_PRINCIPAL_SESSION_KEY" << dendl;
+ dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY" << dendl;
+ {
+ }
break;
case CEPHX_OPEN_SESSION:
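Review bot: The secret used to verify the auth reply comes from `PRINCIPAL_SECRET` with `sizeof(PRINCIPAL_SECRET) - 1`, which reads as a string literal compiled into the client; a secret baked into the binary is shared by every deployment and recoverable from it, so it should be loaded from a keyring or config at runtime and the `bufferptr` zeroed once `secret` is set. The `CEPHX_GET_PRINCIPAL_SESSION_KEY` case now logs without "FIXME" but its body is an empty `{ }`, so the service-key reply is accepted without verification and, as far as the hunk shows, `have_keys` is never updated, leaving generate_request re-requesting while `want_keys != have_keys`; keep a marker such as `// TODO: verify the principal session key reply and update have_keys` until it is implemented. `ret = -EAGAIN` is set whenever `want_keys` is non-zero even if nothing is still missing; `if (want_keys != have_keys)` would match the check in generate_request, assuming `have_keys` is reachable here. The enclosing switch starts outside the hunk.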
#include "messages/MClientMount.h"
#include "messages/MClientMountAck.h"
+#include "auth/AuthProtocol.h"
+
#include "include/librados.h"
#define RADOS_LIST_MAX_ENTRIES 1024
monclient.mount(g_conf.client_mount_timeout);
dout(0) << "librados: before monclient.authorize()" << dendl;
- monclient.authorize(g_conf.client_mount_timeout);
+ monclient.authorize(CEPHX_PRINCIPAL_MON | CEPHX_PRINCIPAL_OSD,
+ g_conf.client_mount_timeout);
lock.Lock();
return unmount_handler.do_op(timeout);
}
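Review bot: The return value of `monclient.authorize(CEPHX_PRINCIPAL_MON | CEPHX_PRINCIPAL_OSD, ...)` is discarded, so a failed or timed-out authorization (it returns an `int` per the MonClient hunk) does not stop the mount and the client continues to `lock.Lock()` as if it held the keys. Check it and propagate the error, e.g. `int r = monclient.authorize(CEPHX_PRINCIPAL_MON | CEPHX_PRINCIPAL_OSD, g_conf.client_mount_timeout); if (r < 0) return r;`, adjusted to whatever the enclosing function returns; that function starts outside the hunk, and the preceding `monclient.mount(...)` result is likewise unchecked. The `dout(0) << "librados: before monclient.authorize()"` trace should move to a debug-only level.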
-int MonClient::authorize(double mount_timeout)
+int MonClient::authorize(uint32_t want_keys, double mount_timeout)
{
Mutex::Locker l(auth_lock);
int ret;
+ auth_client_handler.set_request_keys(want_keys);
+
do {
MonClientAuthHandler h(this);
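Review bot: `want_keys` is passed straight to `auth_client_handler.set_request_keys(want_keys)` with no documentation of which bits it accepts; a comment on the parameter, `// want_keys: bitmask of CEPHX_PRINCIPAL_* services whose session keys to obtain`, would make the contract visible, and rejecting unknown bits before the loop (`want_keys & ~(CEPHX_PRINCIPAL_MON | CEPHX_PRINCIPAL_OSD)`, if those are the only defined services) would keep a bad caller from producing a malformed request type. `int ret;` is declared without an initializer just above the loop; whether every path assigns it before the return is outside the hunk. The rest of authorize's body is outside the hunk.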
int mount(double mount_timeout);
int unmount(double timeout);
- int authorize(double timeout);
+ int authorize(uint32_t want_keys, double timeout);
void send_mon_message(Message *m, bool new_mon=false);
void note_mon_leader(int m) {