From: Marcus Watts <mwatts@redhat.com>
Date: Tue, 4 Nov 2025 01:50:24 +0000 (-0500)
Subject: auth: CryptoKey, use secret in CryptoKeyHandler
X-Git-Tag: testing/wip-pdonnell-testing-20260126.152838~13
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8b13bd05d5b31d831eda6813bbc7939e0529dc01;p=ceph-ci.git

auth: CryptoKey, use secret in CryptoKeyHandler

Keep only one copy of secret in CryptoKeyHandler.  This will reduce
the number of copies made in memory.  Also introduce bool() and ==
opeartors so we can hide implementation details.

Signed-off-by: Marcus Watts <mwatts@redhat.com>
---

diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc
index 053dc31afa8..8b25040c920 100644
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -1069,10 +1069,10 @@ CryptoKeyHandler *CryptoAES256KRB5::get_key_handler_ext(const bufferptr& secret,
 
 // ---------------------------------------------------
 
-
 void CryptoKey::encode(bufferlist& bl) const
 {
   using ceph::encode;
+  const bufferptr &secret = get_secret();
   encode(type, bl);
   encode(created, bl);
   __u16 len = secret.length();
@@ -1124,7 +1124,7 @@ int CryptoKey::set_secret(int type, const bufferptr& s, utime_t c)
 int CryptoKey::_set_secret(int t, const bufferptr& s)
 {
   if (s.length() == 0) {
-    secret = s;
+//    secret = s;
     ckh.reset();
     return 0;
   }
@@ -1146,7 +1146,7 @@ int CryptoKey::_set_secret(int t, const bufferptr& s)
       return -EOPNOTSUPP;
   }
   type = t;
-  secret = s;
+//  secret = s;
   return 0;
 }
 
@@ -1178,6 +1178,7 @@ void CryptoKey::print(std::ostream &out) const
 
 void CryptoKey::to_str(std::string& s) const
 {
+  const bufferptr &secret = get_secret();
   int len = secret.length() * 4;
   char buf[len];
   hex2str(secret.c_str(), secret.length(), buf, len);
@@ -1197,6 +1198,14 @@ void CryptoKey::encode_plaintext(bufferlist &bl)
   bl.append(encode_base64());
 }
 
+static bufferptr z;
+
+const bufferptr& CryptoKey::get_secret() const
+{
+  const bufferptr &secret = ckh ? ckh->secret : z;
+  return secret;
+}
+
 
 // ------------------
 
diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h
index ef31ac5a09b..a8839c34c69 100644
--- a/src/auth/Crypto.h
+++ b/src/auth/Crypto.h
@@ -75,6 +75,14 @@ public:
 
   virtual ~CryptoKeyHandler() {}
 
+  operator bool()const {
+    return secret.length() > 0;
+  }
+
+  bool operator==(const CryptoKeyHandler &rhs) const {
+    return 0 == secret.cmp(rhs.secret);
+  }
+
   virtual int encrypt(CephContext *cct,
                       const ceph::buffer::list& in,
 		      ceph::buffer::list& out, std::string *error) const {
@@ -164,7 +172,7 @@ class CryptoKey {
 protected:
   __u16 type;
   utime_t created;
-  ceph::buffer::ptr secret;   // must set this via set_secret()!
+//  ceph::buffer::ptr secret;   // must set this via set_secret()!
 
   // cache a pointer to the implementation-specific key handler, so we
   // don't have to create it for every crypto operation.
@@ -181,6 +189,13 @@ public:
   ~CryptoKey() {
   }
 
+  operator bool()const {
+    return ckh && *ckh;
+  }
+  bool operator==(const CryptoKey &rhs) const {
+    return !ckh ? !rhs.ckh
+                : rhs.ckh && *ckh == *rhs.ckh;
+  }
   void encode(ceph::buffer::list& bl) const;
   void decode(ceph::buffer::list::const_iterator& bl);
   void dump(ceph::Formatter *f) const;
@@ -195,8 +210,8 @@ public:
   void print(std::ostream& out) const;
 
   int set_secret(int type, const ceph::buffer::ptr& s, utime_t created);
-  const ceph::buffer::ptr& get_secret() { return secret; }
-  const ceph::buffer::ptr& get_secret() const { return secret; }
+//  const ceph::buffer::ptr& get_secret() { return secret; }
+//  const ceph::buffer::ptr& get_secret() const { return secret; }
 
   bool empty() const { return ckh.get() == nullptr; }
 
@@ -270,6 +285,8 @@ public:
   }
 
   void to_str(std::string& s) const;
+private:
+  const ceph::bufferptr& get_secret() const;
 };
 WRITE_CLASS_ENCODER(CryptoKey)
 
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index 42153fd04e6..451fdb4fc28 100644
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -73,7 +73,7 @@ int CephxClientHandler::build_request(bufferlist& bl) const
     }
 
     // is the key OK?
-    if (!secret.get_secret().length()) {
+    if (!secret) {
       ldout(cct, 20) << "secret for entity " << cct->_conf->name << " is invalid" << dendl;
       return -EINVAL;
     }
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 20c0e0205e9..1c4db822dc2 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -1180,7 +1180,7 @@ int AuthMonitor::exists_and_matches_entity(
   if (mon.get_auth(name, existing_auth)) {
     // key match?
     if (has_secret) {
-      if (existing_auth.key.get_secret().cmp(auth.key.get_secret())) {
+      if (!(existing_auth.key == auth.key)) {
         ss << "entity " << name << " exists but key does not match";
         return -EEXIST;
       }