From 771682aad09139cb2f9ecae7b1402876031c2faa Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Fri, 1 Feb 2019 12:14:08 -0600
Subject: [PATCH] auth: future-proof AUTH_MODE_* a bit in case we need to change the encoding byte
Signed-off-by: Sage Weil
---
 src/auth/Auth.h | 10 ++++++++--
 src/mon/MonClient.cc | 3 ++-
 src/mon/Monitor.cc | 8 +++++---
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 5e8e375fdf3..59370e25dc7 100644
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -18,10 +18,16 @@
 #include "Crypto.h"
 #include "common/entity_name.h"
+// The _MAX values are a bit wonky here because we are overloading the first
+// byte of the auth payload to identify both the type of authentication to be
+// used *and* the encoding version for the authenticator. So, we define a
+// range.
 enum {
 AUTH_MODE_NONE = 0,
 AUTH_MODE_AUTHORIZER = 1,
- AUTH_MODE_MON = 100,
+ AUTH_MODE_AUTHORIZER_MAX = 9,
+ AUTH_MODE_MON = 10,
+ AUTH_MODE_MON_MAX = 19,
 };
 class Cond;
@@ -160,7 +166,7 @@ struct AuthConnectionMeta {
 /// client: initial empty, but populated if server said bad method
 std::vector allowed_methods;
- int auth_mode = 0; ///< AUTH_MODE_*
+ int auth_mode = AUTH_MODE_NONE; ///< AUTH_MODE_*
 int con_mode = 0; ///< negotiated mode
diff --git a/src/mon/MonClient.cc b/src/mon/MonClient.cc
index 74a1891b0b2..fd149192c8b 100644
--- a/src/mon/MonClient.cc
+++ b/src/mon/MonClient.cc
@@ -1402,7 +1402,8 @@ int MonClient::handle_auth_request(
 bufferlist *reply)
 {
 auth_meta->auth_mode = payload[0];
- if (auth_meta->auth_mode != AUTH_MODE_AUTHORIZER) {
+ if (auth_meta->auth_mode < AUTH_MODE_AUTHORIZER ||
+ auth_meta->auth_mode > AUTH_MODE_AUTHORIZER_MAX) {
 return -EACCES;
 }
 AuthAuthorizeHandler *ah = get_auth_authorize_handler(con->get_peer_type(),
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index c9e43305990..7f271e8e377 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
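Review bot: The new comment on the enum explains the range layout but not that these numbers are wire values, and the hunk renumbers AUTH_MODE_MON from 100 to 10, so a peer still sending the old value would now fall outside both the authorizer and the mon range and be refused. That may be acceptable while the protocol is unreleased, but it deserves a sentence in the comment so the next renumbering is done deliberately, e.g. `// These values travel as the first byte of the auth payload; renumbering an existing value breaks peers that still send the old one.`. The enum also says nothing about which value within each range a sender currently emits or how a receiver is expected to map a value to an encoding version; a short note naming the currently produced value would make the "range" contract usable by the decoders.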
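Review bot: The widened check in MonClient::handle_auth_request now admits any first byte from 1 to 9, but nothing in the hunk consumes the version part of that byte: the handler is chosen from auth_method on the next line and auth_mode is only stored, so a peer sending 2..9 passes this gate and, as far as the hunk shows, reaches an authorizer decoder that has no way to know a different encoding was announced. If the decoder is fixed to one encoding today, either pass auth_mode down to it or add a comment at the check stating that values above 1 are reserved and will be decoded as version 1 until the decoder is taught otherwise. Separately, `payload[0]` is read as the first statement of the body with no visible emptiness check before it; unless bufferlist's operator[] itself rejects an empty buffer, a guard such as `if (payload.length() < 1) { return -EACCES; }` ahead of the assignment would make the range check meaningful for an empty payload too. The rest of the function is outside the hunk.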
@@ -6053,7 +6053,8 @@ int Monitor::handle_auth_request(
 auth_meta->auth_mode = payload[0];
 }
- if (auth_meta->auth_mode == AUTH_MODE_AUTHORIZER) {
+ if (auth_meta->auth_mode >= AUTH_MODE_AUTHORIZER &&
+ auth_meta->auth_mode <= AUTH_MODE_AUTHORIZER_MAX) {
 AuthAuthorizeHandler *ah = get_auth_authorize_handler(con->get_peer_type(),
 auth_method);
 if (!ah) {
@@ -6083,7 +6084,8 @@ int Monitor::handle_auth_request(
 }
 dout(10) << __func__ << " bad authorizer on " << con << dendl;
 return -EACCES;
- } else if (auth_meta->auth_mode != AUTH_MODE_MON) {
+ } else if (auth_meta->auth_mode < AUTH_MODE_MON &&
+ auth_meta->auth_mode > AUTH_MODE_MON_MAX) {
 derr << __func__ << " unrecognized auth mode " << auth_meta->auth_mode
 << dendl;
 return -EACCES;
@@ -6118,7 +6120,7 @@ int Monitor::handle_auth_request(
 EntityName entity_name;
 decode(mode, p);
- assert(mode == AUTH_MODE_MON);
+ assert(mode >= AUTH_MODE_MON && mode <= AUTH_MODE_MON_MAX);
 decode(entity_name, p);
 decode(con->peer_global_id, p);
-- 
2.39.5
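Review bot: The rewritten condition in the second Monitor.cc hunk, `auth_meta->auth_mode < AUTH_MODE_MON && auth_meta->auth_mode > AUTH_MODE_MON_MAX`, can never be true, since no value is both below 10 and above 19, so the "unrecognized auth mode" branch is dead and every first byte outside the authorizer range (0, 20..255) now continues down the mon path as if it were a valid mon mode. The MonClient hunk and the first Monitor.cc hunk combine their bounds correctly; this one needs `||`: `} else if (auth_meta->auth_mode < AUTH_MODE_MON ||` followed by `auth_meta->auth_mode > AUTH_MODE_MON_MAX) {`. With the check dead, the first place an out-of-range byte is caught appears to be the assert in the third hunk, which turns what should be a logged -EACCES into an abort if that code is on the fall-through path; I cannot confirm the path from the hunk alone. The function continues outside all three hunks.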
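Review bot: The third hunk keeps an `assert` as the range check on `mode`, a value that `decode(mode, p)` has just read from the peer's payload, so the monitor's reaction to a byte outside 10..19 depends on whether assert is the aborting variant in this build rather than on the protocol logic. Since the same range is (intended to be) enforced earlier in the function, a second check that fails closed would be safer than one that can take the process down: `if (mode < AUTH_MODE_MON || mode > AUTH_MODE_MON_MAX) { return -EACCES; }`, optionally with a derr line matching the "unrecognized auth mode" message used above. Where the assert is deliberately kept as an invariant, a comment saying that the earlier check guarantees it would tell the reader the abort is unreachable by design.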