From 4fe9f176c01c1f599ff01c1f5981455334eebbe8 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Fri, 17 Nov 2017 15:40:25 -0800
Subject: [PATCH] rgw: send totp check to the otp objclass

Signed-off-by: Yehuda Sadeh
---
 src/rgw/rgw_rados.cc   | 44 ++++++++++++++++++++++++++++++++++++++++++
 src/rgw/rgw_rados.h    |  2 ++
 src/rgw/rgw_rest_s3.cc |  9 ++++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/src/rgw/rgw_rados.cc b/src/rgw/rgw_rados.cc
index b5f5760e9de87..b0f9d858c69ec 100644
--- a/src/rgw/rgw_rados.cc
+++ b/src/rgw/rgw_rados.cc
@@ -14157,3 +14157,47 @@ bool RGWRados::call_erase(const std::string&) {
 void RGWRados::call_zap() {
   return;
 }
+
+int RGWRados::check_mfa(const rgw_user& user, const string& otp_id, const string& pin)
+{
+  string oid = string("user:") + user.to_str();
+  rgw_raw_obj obj(get_zone_params().otp_pool, oid);
+
+  rgw_rados_ref ref;
+  int r = get_system_obj_ref(obj, &ref);
+  if (r < 0) {
+    return r;
+  }
+
+  otp_check_t result;
+
+  librados::ObjectWriteOperation op;
+  rados::cls::otp::OTP::check(ref.io_ctx, obj.get_oid(), otp_id, pin, &result);
+  r = ref.ioctx.operate(ref.oid, &op);
+  if (r < 0) {
+    ldout(cct, 20) << "OTP remove, otp_id=" << id << " result=" << (int)r << dendl;
+    return r;
+  }
+
+  return 0;
+}
+
+int RGWRados::get_mfa(const rgw_user& user, const string& id, rados::cls::otp::otp_info_t *result)
+{
+  rgw_rados_ref ref;
+
+  int r = get_mfa_ref(user, &ref);
+  if (r < 0) {
+    return r;
+  }
+
+  r = rados::cls::otp::OTP::get(ref.ioctx, ref.oid, id, result);
+  if (r < 0) {
+    return r;
+  }
+
+  ldout(cct, 20) << "OTP check, otp_id=" << otp_id << " result=" << (int)result << dendl;
+
+  return (result.result == rados::cls::otp::OTP_CHECK ? 0 : -EACCES);
+}
+
diff --git a/src/rgw/rgw_rados.h b/src/rgw/rgw_rados.h
index 9d54ce69f3b30..ddcd3ef62d216 100644
--- a/src/rgw/rgw_rados.h
+++ b/src/rgw/rgw_rados.h
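Review bot: check_mfa never inspects `result`: once `ref.ioctx.operate(ref.oid, &op)` returns without error it returns 0 unconditionally, so any pin is accepted as long as the RADOS call itself completes, while the verdict test `result.result == rados::cls::otp::OTP_CHECK ? 0 : -EACCES` has landed in get_mfa instead, where `result` is an `otp_info_t *` (so `result.result` and `(int)result` are wrong) and `otp_id` is not a parameter. The `op` handed to operate() is also empty — nothing attaches the `OTP::check` call to it — and the same ref is spelled `ref.io_ctx` on one line and `ref.ioctx` on the next, so this hunk does not look like it compiles as written; the failure log says "OTP remove" and uses `id`, which is not in scope in check_mfa. The rewrite below moves the verdict into check_mfa and reuses `get_mfa_ref` the way get_mfa does; it assumes `OTP::check` reports a status like `OTP::get` does — if it instead queues onto the write op, keep the operate() call but still return based on `result.result`. get_mfa should then simply end with `ldout(cct, 20) << "OTP get, otp_id=" << id << " r=" << r << dendl; return 0;` after a successful get.
```cpp
int RGWRados::check_mfa(const rgw_user& user, const string& otp_id, const string& pin)
{
  rgw_rados_ref ref;
  int r = get_mfa_ref(user, &ref);
  if (r < 0) {
    return r;
  }

  otp_check_t result;
  r = rados::cls::otp::OTP::check(ref.ioctx, ref.oid, otp_id, pin, &result);
  if (r < 0) {
    // infrastructure failure (otp pool / objclass), distinct from a wrong pin
    ldout(cct, 20) << "OTP check failed, otp_id=" << otp_id << " r=" << r << dendl;
    return r;
  }

  ldout(cct, 20) << "OTP check, otp_id=" << otp_id << " result=" << (int)result.result << dendl;

  // a completed RADOS op only means the objclass ran; the verdict is in result
  return (result.result == rados::cls::otp::OTP_CHECK ? 0 : -EACCES);
}

// … unchanged: get_mfa, minus the verdict/-EACCES tail it should not carry …
```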
@@ -3706,6 +3706,8 @@ public: int delete_raw_obj_aio(const rgw_raw_obj& obj, list& handles); int delete_obj_aio(const rgw_obj& obj, RGWBucketInfo& info, RGWObjState *astate, list& handles, bool keep_index_consistent); + + int check_mfa(const rgw_user& user, const string& otp_id, const string& pin); private: /** * This is a helper method, it generates a list of bucket index objects with the given
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index c692cd6c9614f..0c6f418832278 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -3235,7 +3235,7 @@ static int verify_mfa(RGWRados *store, RGWUserInfo *user, const string& mfa_str,
   }
 
   string& serial = params[0];
-  string& otp = params[1];
+  string& pin = params[1];
 
   auto i = user->mfa_ids.find(serial);
   if (i == user->mfa_ids.end()) {
@@ -3243,6 +3243,13 @@ static int verify_mfa(RGWRados *store, RGWUserInfo *user, const string& mfa_str,
     return -EACCES;
   }
 
+  int ret = store->check_mfa(user->user_id, serial, pin);
+  if (ret < 0) {
+    ldout(store->ctx(), 20) << "NOTICE: failed to check MFA, serial=" << serial << dendl;
+    return -EACCES;
+  }
+
+#warning clean me up
 #if 0
   string& seed = i->second;
 
-- 
2.39.5
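Review bot: Only check_mfa is declared here, while the rgw_rados.cc hunk of this patch defines both `RGWRados::check_mfa` and `RGWRados::get_mfa`; unless get_mfa is already declared somewhere else in the class, its out-of-class definition will not compile, so add `int get_mfa(const rgw_user& user, const string& id, rados::cls::otp::otp_info_t *result);` next to it. A one-line contract comment would also help the rest_s3 caller, which treats any negative return as a failed second factor: `// 0 when pin is valid for otp_id, -EACCES on mismatch, other negative errno on lookup/RADOS failure`. The RGWRados class continues outside this hunk.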
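Review bot: The failed-MFA log line in the second hunk is emitted at debug level 20, which is off in normal operation, so a rejected second factor leaves no trace in the operator's logs even though it is exactly the event they want to see; also, `ret` is dropped, so a wrong pin and an unreachable otp pool are indistinguishable. Mapping both to -EACCES is the right fail-closed default, but log the distinction at a level that is on by default, e.g. `ldout(store->ctx(), 5) << "NOTICE: MFA check failed, serial=" << serial << " ret=" << ret << dendl;`. The `#warning clean me up` above the `#if 0` block ships a build-time warning plus dead code that still references `i->second`; either remove the disabled block in this commit or replace the warning with a `// TODO(yehuda): remove seed-based path, tracker #…` comment. verify_mfa's body continues outside the hunk.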