From: Radoslaw Zarzynski
Date: Tue, 22 Jan 2019 21:46:36 +0000 (+0100)
Subject: auth, msg: dissect AuthStreamHandler from AuthSessionHandler.
X-Git-Tag: v14.1.1~157^2~59
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9d07d699d0fb74fce0e1b3ebf9e7cb26b1106bed;p=ceph.git
auth, msg: dissect AuthStreamHandler from AuthSessionHandler.
Signed-off-by: Radoslaw Zarzynski
---
diff --git a/src/auth/AuthSessionHandler.cc b/src/auth/AuthSessionHandler.cc
index 1be86fb0950f..528b4ac698a5 100644
--- a/src/auth/AuthSessionHandler.cc
+++ b/src/auth/AuthSessionHandler.cc
@@ -27,7 +27,6 @@ AuthSessionHandler *get_auth_session_handler(
CephContext *cct,
int protocol,
const CryptoKey& key,
- const std::string& connection_secret,
uint64_t features)
{
@@ -41,7 +40,7 @@ AuthSessionHandler *get_auth_session_handler(
if (key.get_type() == CEPH_CRYPTO_NONE) {
return nullptr;
}
- return new CephxSessionHandler(cct, key, connection_secret, features);
+ return new CephxSessionHandler(cct, key, features);
case CEPH_AUTH_NONE:
return new AuthNoneSessionHandler();
case CEPH_AUTH_UNKNOWN:
@@ -54,3 +53,10 @@ AuthSessionHandler *get_auth_session_handler(
return nullptr;
}
}
+
+std::unique_ptr AuthStreamHandler::create_stream_handler(
+ CephContext* ctx,
+ const class AuthConnectionMeta& auth_meta)
+{
+ return std::make_unique();
+}
diff --git a/src/auth/AuthSessionHandler.h b/src/auth/AuthSessionHandler.h
index abc733cace11..b291e9e067d9 100644
--- a/src/auth/AuthSessionHandler.h
+++ b/src/auth/AuthSessionHandler.h
@@ -30,13 +30,6 @@ struct AuthSessionHandler {
virtual ~AuthSessionHandler() = default;
virtual int sign_message(Message *message) = 0;
virtual int check_message_signature(Message *message) = 0;
-
- virtual int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
- return 0;
- }
- virtual int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
- return 0;
- }
};
struct DummyAuthSessionHandler : AuthSessionHandler {
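Review bot: `AuthStreamHandler::create_stream_handler` in the last AuthSessionHandler.cc hunk never reads `ctx` or `auth_meta` and always returns a plain `AuthStreamHandler`, whose `encrypt_bufferlist`/`decrypt_bufferlist` (AuthSessionHandler.h, second hunk) return 0 and leave `out` untouched. Because ProtocolV2::handle_auth_done installs that object as `session_security`, a msgr2 connection ends up with a handler that reports success while applying no confidentiality or integrity, and a caller that only tests the return code cannot tell the placeholder from a working handler. If the placeholder has to ship, make it self-describing at the factory: `// FIXME: placeholder — ignores auth_meta and returns the no-op handler; msgr2 payloads are not protected until a real stream handler exists.` and consider having the dummies return an error instead of 0 so an unexpected use fails closed. The `std::unique_ptr`/`std::make_unique` template arguments appear stripped in this rendering, so I assume they name `AuthStreamHandler`.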
@@ -48,10 +41,29 @@ struct DummyAuthSessionHandler : AuthSessionHandler {
}
};
+// TODO: make this a static member of AuthSessionHandler.
extern AuthSessionHandler *get_auth_session_handler(
CephContext *cct,
int protocol,
const CryptoKey& key,
- const std::string& connection_secret,
uint64_t features);
+
+struct AuthStreamHandler {
+ virtual ~AuthStreamHandler() = default;
+ //virtual ceph::bufferlist authenticated_encrypt(ceph::bufferlist& in) = 0;
+ //virtual ceph::bufferlist authenticated_decrypt(ceph::bufferlist& in) = 0;
+
+ // TODO: kill the dummies
+ int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
+ return 0;
+ }
+ int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
+ return 0;
+ }
+
+ static std::unique_ptr create_stream_handler(
+ CephContext* ctx,
+ const class AuthConnectionMeta& auth_meta);
+};
+
#endif
diff --git a/src/auth/cephx/CephxSessionHandler.cc b/src/auth/cephx/CephxSessionHandler.cc
index 4b0c1cfd0d5b..bf5ffe1a48ed 100644
--- a/src/auth/cephx/CephxSessionHandler.cc
+++ b/src/auth/cephx/CephxSessionHandler.cc
@@ -184,7 +184,6 @@ int CephxSessionHandler::check_message_signature(Message *m)
int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
std::string error;
try {
-#warning fixme key
key.encrypt(cct, in, out, &error);
} catch (std::exception &e) {
lderr(cct) << __func__ << " failed to encrypt buffer: " << error << dendl;
@@ -196,7 +195,6 @@ int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
int CephxSessionHandler::decrypt_bufferlist(bufferlist &in, bufferlist &out) {
std::string error;
try {
-#warning fixme key
key.decrypt(cct, in, out, &error);
} catch (std::exception &e) {
lderr(cct) << __func__ << " failed to decrypt buffer: " << error << dendl;
diff --git a/src/auth/cephx/CephxSessionHandler.h b/src/auth/cephx/CephxSessionHandler.h
index 2829ba14b702..32a143a818b8 100644
--- a/src/auth/cephx/CephxSessionHandler.h
+++ b/src/auth/cephx/CephxSessionHandler.h
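Review bot: The two dummies in the new `AuthStreamHandler` are non-virtual while the real interface (`authenticated_encrypt`/`authenticated_decrypt`) exists only as comments, so a future cephx stream handler held through the base pointer in `ProtocolV2::session_security` could not replace them — calls would bind statically to the `return 0` bodies. If they are kept for now, give them a dispatch point: `virtual int encrypt_bufferlist(bufferlist &in, bufferlist &out) { return 0; }` and the same for `decrypt_bufferlist`, which also lets the `// TODO: kill the dummies` be honoured one override at a time. `const class AuthConnectionMeta& auth_meta` introduces the type with an elaborated-type-specifier inside the parameter list; a `class AuthConnectionMeta;` forward declaration near the top of the header is the conventional form and keeps the definition in AuthSessionHandler.cc unchanged. The include block is outside the hunk, so I cannot confirm `<memory>` is available for `std::unique_ptr` in this header.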
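Review bot: Removing `#warning fixme key` in both CephxSessionHandler.cc hunks drops the only marker that `encrypt_bufferlist`/`decrypt_bufferlist` still key off `key`, which CephxSessionHandler.h annotates as `// per mon authentication`, now that the per-connection `connection_secret` is gone from the class. If per-connection keying is meant to move to `AuthStreamHandler`, record that where the warning was, e.g. `// NOTE: keyed with the cephx session key; per-connection keying is to live in AuthStreamHandler.`, so the next reader does not assume the question is settled. Both functions continue beyond their hunks.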
@@ -22,8 +22,7 @@ class Message;
class CephxSessionHandler : public AuthSessionHandler {
CephContext *cct;
int protocol;
- CryptoKey key; // per mon authentication
- std::string connection_secret; // per connection
+ CryptoKey key; // per mon authentication
uint64_t features;
int _calc_signature(Message *m, uint64_t *psig);
@@ -31,12 +30,10 @@ class CephxSessionHandler : public AuthSessionHandler {
public:
CephxSessionHandler(CephContext *cct,
const CryptoKey& session_key,
- const std::string& connection_secret,
const uint64_t features)
: cct(cct),
protocol(CEPH_AUTH_CEPHX),
key(session_key),
- connection_secret(connection_secret),
features(features) {
}
~CephxSessionHandler() override = default;
@@ -44,7 +41,7 @@ public:
int sign_message(Message *m) override;
int check_message_signature(Message *m) override ;
- int encrypt_bufferlist(bufferlist &in, bufferlist &out) override;
- int decrypt_bufferlist(bufferlist &in, bufferlist &out) override;
+ int encrypt_bufferlist(bufferlist &in, bufferlist &out);
+ int decrypt_bufferlist(bufferlist &in, bufferlist &out);
};
diff --git a/src/crimson/net/SocketConnection.cc b/src/crimson/net/SocketConnection.cc
index b9a4fecb5eb3..2907c4868714 100644
--- a/src/crimson/net/SocketConnection.cc
+++ b/src/crimson/net/SocketConnection.cc
@@ -710,14 +710,10 @@ SocketConnection::handle_connect_reply(msgr_tag_t tag)
h.backoff = 0ms;
set_features(h.reply.features & h.connect.features);
if (h.authorizer) {
- std::string connection_secret; // this is not used here, we just need
- // to make get_auth_session_handler
- // call happy
session_security.reset(
get_auth_session_handler(nullptr,
h.authorizer->protocol,
h.authorizer->session_key,
- connection_secret,
features));
}
h.authorizer.reset();
diff --git a/src/msg/async/ProtocolV1.cc b/src/msg/async/ProtocolV1.cc
index 773eac11acd8..dac1bbd58401 100644
--- a/src/msg/async/ProtocolV1.cc
+++ b/src/msg/async/ProtocolV1.cc
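Review bot: With `override` removed in the last CephxSessionHandler.h hunk, `encrypt_bufferlist`/`decrypt_bufferlist` are no longer reachable through an `AuthSessionHandler*`, and since `AuthStreamHandler` is a separate root rather than a base of this class, nothing in this patch can still call them; they look like dead members unless a concrete-type caller exists elsewhere. Either drop them together with their base declarations, or say why they stay: `// No longer part of AuthSessionHandler; kept as the basis for the cephx AuthStreamHandler.` The class body continues past the hunk, so callers inside it would not be visible here.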
@@ -1683,7 +1683,6 @@ CtPtr ProtocolV1::client_ready() {
session_security.reset(get_auth_session_handler(
cct, authorizer->protocol, authorizer->session_key,
- string() /* connection_secret */,
connection->get_features()));
} else {
// We have no authorizer, so we shouldn't be applying security to messages
@@ -2355,7 +2354,6 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply,
session_security.reset(
get_auth_session_handler(cct, connect_msg.authorizer_protocol, session_key,
- string() /* connection secret */,
connection->get_features()));
bufferlist reply_bl;
diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc
index 62db34e5a2ad..19e0169d2fb5 100644
--- a/src/msg/async/ProtocolV2.cc
+++ b/src/msg/async/ProtocolV2.cc
@@ -2245,10 +2245,7 @@ CtPtr ProtocolV2::handle_auth_done(char *payload, uint32_t length) {
return _fault();
}
session_security.reset(
- get_auth_session_handler(
- cct, auth_meta->auth_method, auth_meta->session_key,
- auth_meta->connection_secret,
- CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2));
+ AuthStreamHandler::create_stream_handler(cct, auth_meta).release());
if (!server_cookie) {
ceph_assert(connect_seq == 0);
diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h
index 7970e0775203..2bb7dc4dce70 100644
--- a/src/msg/async/ProtocolV2.h
+++ b/src/msg/async/ProtocolV2.h
@@ -75,7 +75,7 @@ private:
char *temp_buffer;
State state;
uint64_t peer_required_features;
- std::shared_ptr session_security;
+ std::shared_ptr session_security;
uint64_t client_cookie;
uint64_t server_cookie;
diff --git a/src/msg/simple/Pipe.cc b/src/msg/simple/Pipe.cc
index 271dec8e13a9..1a06ab04d1dc 100644
--- a/src/msg/simple/Pipe.cc
+++ b/src/msg/simple/Pipe.cc
@@ -820,7 +820,6 @@ int Pipe::accept()
get_auth_session_handler(msgr->cct, connect.authorizer_protocol, session_key,
- string(), /* connection_secret */
connection_state->get_features()));
// notify
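Review bot: In the ProtocolV2::handle_auth_done hunk the new call passes `auth_meta` to `create_stream_handler`, whose parameter in AuthSessionHandler.h is `const AuthConnectionMeta&`, yet the removed lines dereference the same variable as `auth_meta->auth_method`; if `auth_meta` is a pointer or smart pointer the call needs `*auth_meta`, so please confirm this hunk builds. The `.release()` is also avoidable — `std::shared_ptr` accepts a `std::unique_ptr` rvalue, `session_security = AuthStreamHandler::create_stream_handler(cct, auth_meta);` — which keeps ownership inside RAII for the whole handoff (the member's template argument in the ProtocolV2.h hunk is not legible in this rendering, so I assume it is now `AuthStreamHandler`). The old call also forwarded the negotiated `auth_meta->auth_method`; the new factory has no such input, so a short comment at this call site noting that method-specific handling is deferred would help anyone reading the tree at this commit. `handle_auth_done` continues outside the hunk.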
@@ -1347,7 +1346,6 @@ int Pipe::connect()
msgr->cct, authorizer->protocol, authorizer->session_key,
- string() /* connection secret*/,
connection_state->get_features()));
} else {
// We have no authorizer, so we shouldn't be applying security to messages in this pipe. PLR