From 1dbb0ac80bb106fc2fc3f7d6b5d01282c5c8e1da Mon Sep 17 00:00:00 2001 From: Colin Patrick McCabe Date: Tue, 14 Jun 2011 11:48:52 -0700 Subject: [PATCH] auth: de-globalize TicketManager, TicketHandler de-globalize CephXTicketManager and CephXTicketHandler. Also de-globalize two static functions. Signed-off-by: Colin McCabe --- src/auth/cephx/CephxAuthorizeHandler.cc | 2 +- src/auth/cephx/CephxClientHandler.h | 1 + src/auth/cephx/CephxProtocol.cc | 49 ++++++++++++++----------- src/auth/cephx/CephxProtocol.h | 33 ++++++++++++----- src/auth/cephx/CephxServiceHandler.cc | 5 ++- src/mon/Monitor.cc | 6 +-- 6 files changed, 59 insertions(+), 37 deletions(-) diff --git a/src/auth/cephx/CephxAuthorizeHandler.cc b/src/auth/cephx/CephxAuthorizeHandler.cc index 55272ecc65268..a86af9ac19f08 100644 --- a/src/auth/cephx/CephxAuthorizeHandler.cc +++ b/src/auth/cephx/CephxAuthorizeHandler.cc @@ -18,7 +18,7 @@ bool CephxAuthorizeHandler::verify_authorizer(KeyStore *keys, CephXServiceTicketInfo auth_ticket_info; - bool isvalid = cephx_verify_authorizer(keys, iter, auth_ticket_info, authorizer_reply); + bool isvalid = cephx_verify_authorizer(&g_ceph_context, keys, iter, auth_ticket_info, authorizer_reply); dout(1) << "CephxAuthorizeHandler::verify_authorizer isvalid=" << isvalid << dendl; if (isvalid) { diff --git a/src/auth/cephx/CephxClientHandler.h b/src/auth/cephx/CephxClientHandler.h index b3ddc2b901455..ee331c4dfea32 100644 --- a/src/auth/cephx/CephxClientHandler.h +++ b/src/auth/cephx/CephxClientHandler.h @@ -33,6 +33,7 @@ class CephxClientHandler : public AuthClientHandler { public: CephxClientHandler(RotatingKeyRing *rsecrets) : authorizer(0), + tickets(&g_ceph_context), rotating_secrets(rsecrets), keyring(rsecrets->get_keyring()) { diff --git a/src/auth/cephx/CephxProtocol.cc b/src/auth/cephx/CephxProtocol.cc index babd6f52e4629..1285d79826559 100644 --- a/src/auth/cephx/CephxProtocol.cc +++ b/src/auth/cephx/CephxProtocol.cc 
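Review bot: The new `tickets(&g_ceph_context)` initializer in the CephxClientHandler constructor hard-wires the very global this series is retiring, so the client handler itself stays bound to g_ceph_context; consider `CephxClientHandler(CephContext *cct, RotatingKeyRing *rsecrets)` with `tickets(cct)`, or at least `// TODO: take a CephContext* instead of g_ceph_context` on that line. `tickets` is also initialized between `authorizer` and `rotating_secrets`; the member declarations are outside this hunk, so confirm that order matches the declaration order, otherwise the compiler warns (-Wreorder) and initializes in declaration order regardless. The constructor body continues past the end of the hunk.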
@@ -213,11 +213,13 @@ void CephXTicketManager::set_have_need_key(uint32_t service_id, uint32_t& have, if (iter == tickets_map.end()) { have &= ~service_id; need |= service_id; - dout(10) << "set_have_need_key no handler for service " << ceph_entity_type_name(service_id) << dendl; + ldout(cct, 10) << "set_have_need_key no handler for service " + << ceph_entity_type_name(service_id) << dendl; return; } - //dout(10) << "set_have_need_key service " << ceph_entity_type_name(service_id) << " (" << service_id << ")" + //ldout(cct, 10) << "set_have_need_key service " << ceph_entity_type_name(service_id) + //<< " (" << service_id << ")" //<< " need=" << iter->second.need_key() << " have=" << iter->second.have_key() << dendl; if (iter->second.need_key()) need |= service_id; @@ -249,14 +251,13 @@ bool CephXTicketManager::verify_service_ticket_reply(CryptoKey& secret, uint32_t num; ::decode(num, indata); - dout(10) << "verify_service_ticket_reply got " << num << " keys" << dendl; + ldout(cct, 10) << "verify_service_ticket_reply got " << num << " keys" << dendl; for (int i=0; i<(int)num; i++) { uint32_t type; ::decode(type, indata); - dout(10) << "got key for service_id " << ceph_entity_type_name(type) << dendl; - CephXTicketHandler& handler = tickets_map[type]; - handler.service_id = type; + ldout(cct, 10) << "got key for service_id " << ceph_entity_type_name(type) << dendl; + CephXTicketHandler& handler = get_handler(type); if (!handler.verify_service_ticket_reply(secret, indata)) { return false; } @@ -292,7 +293,7 @@ CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) msg.nonce = a->nonce; if (encode_encrypt(msg, session_key, a->bl) < 0) { - dout(0) << "failed to encrypt authorizer" << dendl; + ldout(cct, 0) << "failed to encrypt authorizer" << dendl; delete a; return 0; } 
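Review bot: The hunk keeps a commented-out trace alive by rewriting it as `//ldout(cct, 10) << ...` across three lines; dead code that has to be updated for an API change is code that should be deleted. Either remove the three commented lines or reinstate the statement as a real `ldout(cct, 20)` if that trace is still useful. set_have_need_key begins before this hunk.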
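Review bot: `get_handler(type)` inserts a CephXTicketHandler keyed by the wire-supplied `type` before `handler.verify_service_ticket_reply(secret, indata)` has accepted the reply, and on the `return false` path that entry remains in `tickets_map` even though its ticket was never accepted; the old `tickets_map[type]` behaved the same way, so this is pre-existing, but the refactor is the moment to decide whether a failed entry should be erased. Since `num` and every `type` come straight off the wire, a comment such as `// types come from the peer; get_handler() creates an entry for any value` makes the trust boundary explicit, and `for (uint32_t i = 0; i < num; ++i)` avoids the `(int)num` cast that turns counts above INT_MAX into a silent empty loop. The function starts and ends outside the hunk.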
@@ -308,7 +309,8 @@ CephXAuthorizer *CephXTicketManager::build_authorizer(uint32_t service_id) { map::iterator iter = tickets_map.find(service_id); if (iter == tickets_map.end()) { - dout(0) << "no TicketHandler for service " << ceph_entity_type_name(service_id) << dendl; + ldout(cct, 0) << "no TicketHandler for service " + << ceph_entity_type_name(service_id) << dendl; return NULL; } @@ -325,10 +327,12 @@ void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_ set_have_need_key(i, have, need); } } - dout(10) << "validate_tickets want " << mask << " have " << have << " need " << need << dendl; + ldout(cct, 10) << "validate_tickets want " << mask << " have " << have + << " need " << need << dendl; } -bool cephx_decode_ticket(KeyStore *keys, uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info) +bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, uint32_t service_id, + CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info) { uint64_t secret_id = ticket_blob.secret_id; CryptoKey service_secret; 
@@ -339,20 +343,20 @@ bool cephx_decode_ticket(KeyStore *keys, uint32_t service_id, CephXTicketBlob& t if (secret_id == (uint64_t)-1) { if (!keys->get_secret(g_conf->name, service_secret)) { - dout(0) << "ceph_decode_ticket could not get general service secret for service_id=" + ldout(cct, 0) << "ceph_decode_ticket could not get general service secret for service_id=" << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl; return false; } } else { if (!keys->get_service_secret(service_id, secret_id, service_secret)) { - dout(0) << "ceph_decode_ticket could not get service secret for service_id=" + ldout(cct, 0) << "ceph_decode_ticket could not get service secret for service_id=" << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl; return false; } } if (decode_decrypt_enc_bl(ticket_info, service_secret, ticket_blob.blob) < 0) { - dout(0) << "ceph_decode_ticket could not decrypt ticket info" << dendl; + ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info" << dendl; return false; } @@ -364,7 +368,7 @@ bool cephx_decode_ticket(KeyStore *keys, uint32_t service_id, CephXTicketBlob& t * * {timestamp + 1}^session_key */ -bool cephx_verify_authorizer(KeyStore *keys, +bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, bufferlist::iterator& indata, CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl) { 
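Review bot: cephx_decode_ticket now receives `cct`, but the `secret_id == (uint64_t)-1` branch still reaches for the global through `keys->get_secret(g_conf->name, service_secret)`, so the function is not actually de-globalized. If the context exposes the configuration at this point in the series, `keys->get_secret(cct->_conf->name, service_secret)` finishes the job; otherwise mark the line `// TODO: still reads g_conf->name; take the entity name from cct or a parameter`. The function's signature is in the previous hunk and its body continues after this one.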
@@ -385,41 +389,42 @@ bool cephx_verify_authorizer(KeyStore *keys, // Unable to decode! return false; } - dout(10) << "verify_authorizer decrypted service " << ceph_entity_type_name(service_id) + ldout(cct, 10) << "verify_authorizer decrypted service " + << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; if (ticket.secret_id == (uint64_t)-1) { EntityName name; name.set_type(service_id); if (!keys->get_secret(name, service_secret)) { - dout(0) << "verify_authorizer could not get general service secret for service " + ldout(cct, 0) << "verify_authorizer could not get general service secret for service " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; return false; } } else { if (!keys->get_service_secret(service_id, ticket.secret_id, service_secret)) { - dout(0) << "verify_authorizer could not get service secret for service " + ldout(cct, 0) << "verify_authorizer could not get service secret for service " << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl; return false; } } if (decode_decrypt_enc_bl(ticket_info, service_secret, ticket.blob) < 0) { - dout(0) << "verify_authorizer could not decrypt ticket info" << dendl; + ldout(cct, 0) << "verify_authorizer could not decrypt ticket info" << dendl; return false; } if (ticket_info.ticket.global_id != global_id) { - dout(0) << "verify_authorizer global_id mismatch: declared id=" << global_id + ldout(cct, 0) << "verify_authorizer global_id mismatch: declared id=" << global_id << " ticket_id=" << ticket_info.ticket.global_id << dendl; return false; } - dout(10) << "verify_authorizer global_id=" << global_id << dendl; + ldout(cct, 10) << "verify_authorizer global_id=" << global_id << dendl; // CephXAuthorize CephXAuthorize auth_msg; if (decode_decrypt(auth_msg, ticket_info.session_key, indata) < 0) { - dout(0) << "verify_authorizercould not decrypt authorize request" << dendl; + ldout(cct, 0) << "verify_authorizercould not 
decrypt authorize request" << dendl; return false; } @@ -433,7 +438,7 @@ bool cephx_verify_authorizer(KeyStore *keys, if (encode_encrypt(reply, ticket_info.session_key, reply_bl) < 0) return false; - dout(10) << "verify_authorizer ok nonce " << hex << auth_msg.nonce << dec + ldout(cct, 10) << "verify_authorizer ok nonce " << hex << auth_msg.nonce << dec << " reply_bl.length()=" << reply_bl.length() << dendl; return true; } diff --git a/src/auth/cephx/CephxProtocol.h b/src/auth/cephx/CephxProtocol.h index 82eca98d2ace3..903839c941607 100644 --- a/src/auth/cephx/CephxProtocol.h +++ b/src/auth/cephx/CephxProtocol.h @@ -88,6 +88,8 @@ #include +class CephContext; + /* * Authentication */ @@ -285,7 +287,8 @@ struct CephXTicketHandler { utime_t renew_after, expires; bool have_key_flag; - CephXTicketHandler() : service_id(0), have_key_flag(false) {} + CephXTicketHandler(CephContext *cct_, uint32_t service_id_) + : service_id(service_id_), have_key_flag(false), cct(cct_) { } // to build our ServiceTicket bool verify_service_ticket_reply(CryptoKey& principal_secret, 
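Review bot: The message on the `decode_decrypt(auth_msg, ...)` failure path is carried over with its missing space, `"verify_authorizercould not decrypt authorize request"`; since the line is being rewritten anyway, make it `ldout(cct, 0) << "verify_authorizer could not decrypt authorize request" << dendl;`. More generally, every rejection in this hunk (unknown service secret, undecryptable ticket, global_id mismatch, undecryptable authorizer) logs at level 0, and each is reachable by a peer that has proven nothing yet, so a stream of malformed authorizers fills the log at the default level; consider level 10 for the peer-triggerable ones, or at least `// reachable from unauthenticated peers; keep terse` to record the trade-off. cephx_verify_authorizer starts before this hunk and continues after it.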
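Review bot: The new `CephXTicketHandler(CephContext *cct_, uint32_t service_id_)` constructor documents neither argument, and `cct_` is dereferenced unconditionally by the `ldout(cct, ...)` calls in CephxProtocol.cc, so a NULL context is a crash rather than a silent no-log. Add `// cct_ must be non-NULL; it is used only for ldout() logging` above the constructor, plus a line noting that the default constructor was dropped deliberately so handlers can no longer be materialized by `tickets_map[type]` (which is why get_handler changed). Note that `service_id_` is `uint32_t` while Monitor::ms_get_authorizer passes an `int service_id`. The struct continues past the hunk.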
@@ -299,21 +302,29 @@ struct CephXTicketHandler { void invalidate_ticket() { have_key_flag = 0; } +private: + CephContext *cct; }; struct CephXTicketManager { - map tickets_map; + typedef map tickets_map_t; + tickets_map_t tickets_map; uint64_t global_id; - CephXTicketManager() : global_id(0) {} + CephXTicketManager(CephContext *cct_) : global_id(0), cct(cct_) {} bool verify_service_ticket_reply(CryptoKey& principal_secret, bufferlist::iterator& indata); CephXTicketHandler& get_handler(uint32_t type) { - CephXTicketHandler& handler = tickets_map[type]; - handler.service_id = type; - return handler; + tickets_map_t::iterator i = tickets_map.find(type); + if (i != tickets_map.end()) + return i->second; + CephXTicketHandler newTicketHandler(cct, type); + std::pair < tickets_map_t::iterator, bool > res = + tickets_map.insert(std::make_pair(type, newTicketHandler)); + assert(res.second); + return res.first->second; } CephXAuthorizer *build_authorizer(uint32_t service_id); bool have_key(uint32_t service_id); @@ -321,6 +332,9 @@ struct CephXTicketManager { void set_have_need_key(uint32_t service_id, uint32_t& have, uint32_t& need); void validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need); void invalidate_ticket(uint32_t service_id); + +private: + CephContext *cct; }; @@ -382,13 +396,14 @@ WRITE_CLASS_ENCODER(CephXAuthorize); /* * Decode an extract ticket */ -bool cephx_decode_ticket(KeyStore *keys, - uint32_t service_id, CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info); +bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, + uint32_t service_id, CephXTicketBlob& ticket_blob, + CephXServiceTicketInfo& ticket_info); /* * Verify authorizer and generate reply authorizer */ -extern bool cephx_verify_authorizer(KeyStore *keys, +extern bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys, bufferlist::iterator& indata, CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl); 
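Review bot: `CephXTicketManager(CephContext *cct_)` is a single-argument constructor without `explicit`, so any `CephContext*` now converts implicitly to a CephXTicketManager; write `explicit CephXTicketManager(CephContext *cct_) : global_id(0), cct(cct_) {}`. In get_handler the `assert(res.second)` is the first use of assert in this header as far as the hunk shows, so make sure `<cassert>` (or the project's assert header) is included rather than relying on a transitive include; the find-miss followed by insert also does two lookups where `lower_bound` plus a hinted insert would do one, though that is a minor point on this path. The CephXTicketManager struct continues past the hunk.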
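Review bot: The two declarations gain a `CephContext *cct` parameter, but the comments above them (`Decode an extract ticket`, `Verify authorizer and generate reply authorizer`) say nothing about it or about the other inputs. Extend each header comment with a line such as `cct: logging context, must be non-NULL; keys: store consulted for the service secret named by the ticket's secret_id`, and for cephx_verify_authorizer state that on success `reply_bl` holds the encrypted reply and that the return is a `bool` callers must test as such, not as an int. `cephx_decode_ticket` also lacks the `extern` its sibling declaration carries; harmless, but inconsistent.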
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index 0add266432851..a58bc04d5bfc1 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc @@ -95,7 +95,8 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist } CephXServiceTicketInfo old_ticket_info; - if (cephx_decode_ticket(key_server, CEPH_ENTITY_TYPE_AUTH, req.old_ticket, old_ticket_info)) { + if (cephx_decode_ticket(&g_ceph_context, key_server, CEPH_ENTITY_TYPE_AUTH, + req.old_ticket, old_ticket_info)) { global_id = old_ticket_info.ticket.global_id; dout(10) << "decoded old_ticket with global_id=" << global_id << dendl; should_enc_ticket = true; @@ -140,7 +141,7 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist bufferlist tmp_bl; CephXServiceTicketInfo auth_ticket_info; - if (!cephx_verify_authorizer(key_server, indata, auth_ticket_info, tmp_bl)) { + if (!cephx_verify_authorizer(&g_ceph_context, key_server, indata, auth_ticket_info, tmp_bl)) { ret = -EPERM; break; } diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index c5fdf422282f7..92e29a35b0379 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -1168,10 +1168,9 @@ bool Monitor::ms_get_authorizer(int service_id, AuthAuthorizer **authorizer, boo ::encode(blob, ticket_data); bufferlist::iterator iter = ticket_data.begin(); - CephXTicketHandler handler; + CephXTicketHandler handler(&g_ceph_context, service_id); ::decode(handler.ticket, iter); - handler.service_id = service_id; handler.session_key = info.session_key; *authorizer = handler.build_authorizer(0); 
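Review bot: Both call sites in CephxServiceHandler::handle_request now pass `&g_ceph_context` literally, so the server side of cephx stays bound to the global while the client side at least routes the context through its ticket manager. If the handler's constructor is reachable in this series, store a `CephContext *cct` member set by the monitor that owns the handler and pass `cct` here; otherwise a `// TODO: pass the handler's own CephContext` on the `cephx_decode_ticket(&g_ceph_context, ...)` line keeps the loose end visible. handle_request starts before this hunk and continues after it.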
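Review bot: `*authorizer = handler.build_authorizer(0)` can store NULL — CephXTicketHandler::build_authorizer returns 0 when `encode_encrypt(msg, session_key, a->bl)` fails, as the CephxProtocol.cc hunk shows — and nothing in the visible lines checks it; if the rest of ms_get_authorizer (outside this hunk) returns true unconditionally, the caller receives a null authorizer. Guard it with `if (!*authorizer) return false;` immediately after the assignment, or confirm that a check already exists below the hunk. Separately, the `int service_id` parameter is now passed to a `uint32_t` constructor argument, so a negative value would wrap silently; a `// service_id is an entity type (>= 0); narrowed to uint32_t` comment or an explicit cast would document the intent.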
@@ -1196,7 +1195,8 @@ bool Monitor::ms_verify_authorizer(Connection *con, int peer_type, CephXServiceTicketInfo auth_ticket_info; if (authorizer_data.length()) { - int ret = cephx_verify_authorizer(&key_server, iter, auth_ticket_info, authorizer_reply); + int ret = cephx_verify_authorizer(&g_ceph_context, &key_server, iter, + auth_ticket_info, authorizer_reply); if (ret >= 0) isvalid = true; else -- 2.39.5
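Review bot: `int ret = cephx_verify_authorizer(...)` stores a `bool` (the header declares `extern bool cephx_verify_authorizer(...)`) and then tests `if (ret >= 0)`, which holds for both `true` (1) and `false` (0), so `isvalid` is set even when the authorizer was rejected and the `else` branch is unreachable; the commit rewrites this line and keeps the flaw. Change it to `bool ret = cephx_verify_authorizer(&g_ceph_context, &key_server, iter, auth_ticket_info, authorizer_reply);` followed by `if (ret)`. ms_verify_authorizer starts before this hunk and its `else` branch continues after it.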