From 11bcda7a2ee35e19a25819e521192d6f09e8bbdb Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Fri, 7 Mar 2025 16:35:36 -0500
Subject: [PATCH] cephx: add configurable to set allowed ciphers

cephx allowed ciphers: a list of ciphers that sets what type of keys are allowed to be used to authenticate
Signed-off-by: Yehuda Sadeh
(cherry picked from commit 0d4c67f2fd03aea9f65ade736e60f807d9da832e)
Conflicts: src/auth/cephx/CephxServiceHandler.cc: header include movement
---
 src/auth/cephx/CephxServiceHandler.cc | 42 +++++++++++++++++++++++++++
 src/auth/cephx/CephxServiceHandler.h | 21 ++++++++++++--
 src/common/options/global.yaml.in | 11 +++++++
 3 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index 52a61a5518e..4b61df25bad 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -18,6 +18,7 @@
 #include "CephxKeyServer.h"
 #include
 #include
+#include
 #include "include/random.h"
 #include "common/config.h"
@@ -30,11 +31,46 @@
 using std::dec;
 using std::hex;
 using std::vector;
+using namespace std::literals;
 using ceph::bufferlist;
 using ceph::decode;
 using ceph::encode;
+CephxServiceHandler::CephxServiceHandler(CephContext *cct_, KeyServer *ks)
+ : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {
+ cct->_conf.add_observer(this);
+ init_conf(cct->_conf);
+}
+
+std::vector CephxServiceHandler::get_tracked_keys() const noexcept
+{
+ return {
+ "cephx_allowed_ciphers"s
+ };
+}
+
+void CephxServiceHandler::init_conf(const ConfigProxy& conf) {
+ std::unique_lock wl(lock);
+ auto s = conf.get_val("cephx_allowed_ciphers");
+
+ std::vector v;
+ get_str_vec(s, ", ", v);
+
+ for (auto& cipher : v) {
+ int cipher_type = CryptoManager::get_key_type(cipher);
+ if (cipher_type > 0) {
+ allowed_ciphers.insert(cipher_type);
+ }
+ }
+}
+
+bool CephxServiceHandler::cipher_is_allowed(int cipher)
+{
+ std::shared_lock rl(lock);
+ return (allowed_ciphers.find(cipher) != allowed_ciphers.end());
+}
+
 int CephxServiceHandler::do_start_session(
 bool is_new_global_id,
 bufferlist *result_bl,
@@ -177,6 +213,12 @@ int CephxServiceHandler::handle_request(
 break;
 }
+ if (!cipher_is_allowed(eauth.key.get_type())) {
+ ldout(cct, 20) << __func__ << " authentication failed due to unallowed cipher type: " << eauth.key.get_type() << dendl;
+ ret = -EACCES;
+ break;
+ }
+
 if (!server_challenge) {
 ret = -EACCES;
 break;
diff --git a/src/auth/cephx/CephxServiceHandler.h b/src/auth/cephx/CephxServiceHandler.h
index e6e093ee4c7..5638517ef96 100644
--- a/src/auth/cephx/CephxServiceHandler.h
+++ b/src/auth/cephx/CephxServiceHandler.h
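Review bot: `init_conf()` only ever inserts into `allowed_ciphers`, so when `handle_conf_change()` calls it again, a key type that was removed from `cephx_allowed_ciphers` stays allowed until the process restarts, even though the option is flagged `runtime`. Reset the set under the write lock before the loop, e.g. `allowed_ciphers.clear();` right after `std::unique_lock wl(lock);`, or fill a local set and swap it in. Names for which `CryptoManager::get_key_type()` returns a non-positive value are dropped without any log line, so a typo in the list is invisible to the operator; a log message naming the ignored token would make that diagnosable.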
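Review bot: In `handle_request()` the rejection of a disallowed key type is logged with `ldout(cct, 20)`, so the reason for the `-EACCES` is only visible when auth debugging is turned up to 20. A policy denial like this is something a defender wants in ordinary logs; consider a lower level, for example `ldout(cct, 1)`, and include the requesting entity in the message if it is available at this point (not visible in the hunk). The body of `handle_request()` starts and ends outside the hunk.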
@@ -18,17 +18,22 @@
 #include "auth/AuthServiceHandler.h"
 #include "auth/Auth.h"
+#include "common/ceph_mutex.h"
+#include "common/config_obs.h"
+
 class KeyServer;
 struct CephXAuthenticate;
 struct CephXServiceTicketInfo;
-class CephxServiceHandler : public AuthServiceHandler {
+class CephxServiceHandler : public AuthServiceHandler, md_config_obs_t {
 KeyServer *key_server;
 uint64_t server_challenge;
+ std::set allowed_ciphers;
+ ceph::shared_mutex lock = ceph::make_shared_mutex("CephxServiceHandler::lock");
+
 public:
- CephxServiceHandler(CephContext *cct_, KeyServer *ks)
- : AuthServiceHandler(cct_), key_server(ks), server_challenge(0) {}
+ CephxServiceHandler(CephContext *cct_, KeyServer *ks);
 ~CephxServiceHandler() override {}
 int handle_request(
@@ -49,6 +54,16 @@ private:
 bool& should_enc_ticket);
 void build_cephx_response_header(int request_type, int status, ceph::buffer::list& bl);
+
+ std::vector get_tracked_keys() const noexcept override;
+
+ void init_conf(const ConfigProxy& conf);
+ void handle_conf_change(const ConfigProxy& conf,
+ const std::set &changed) override {
+ init_conf(conf);
+ }
+
+ bool cipher_is_allowed(int type);
 };
 #endif
diff --git a/src/common/options/global.yaml.in b/src/common/options/global.yaml.in
index b69bbad5d36..7adfbbb8102 100644
--- a/src/common/options/global.yaml.in
+++ b/src/common/options/global.yaml.in
@@ -2266,6 +2266,17 @@ options:
 fmt_desc: If the Ceph version supports message signing, Ceph will sign all messages so they are more difficult to spoof.
 with_legacy: true
+- name: cephx_allowed_ciphers
+ type: str
+ level: advanced
+ desc: list of allowed ciphers in cephx authentication
+ fmt_desc: This can be used to enable/disable specific key types
+ that are being used for connecting different entities to the
+ cluster.
+ default: aes, aes256k
+ with_legacy: false
+ flags:
+ - runtime
 - name: auth_mon_ticket_ttl
 type: float
 level: advanced
-- 
2.39.5
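Review bot: The constructor now registers the handler with `cct->_conf.add_observer(this)` (in CephxServiceHandler.cc), but the destructor kept as context in this class is still `~CephxServiceHandler() override {}`, so nothing in the patch unregisters it. If a handler is destroyed while the config proxy lives on, the observer list is left holding a dangling pointer and a later config change would call `handle_conf_change()` on a freed object. Unregister in the destructor, e.g. `~CephxServiceHandler() override { cct->_conf.remove_observer(this); }`. Separately, `md_config_obs_t` is inherited privately because the access specifier is omitted; writing `public` or `private` explicitly would make the intent clear.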
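Review bot: The `desc` and `fmt_desc` of `cephx_allowed_ciphers` state neither the list syntax nor the accepted names, while `init_conf()` in this patch silently ignores any name it does not recognise. Extend `fmt_desc` to say that the value is a comma- or space-separated list of key type names (the default lists `aes` and `aes256k`) and that a key whose type is not listed is refused during cephx authentication. It is also worth stating that a list in which no name is recognised leaves no key type allowed when the handler is constructed.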