From a2ae9e77c65168424dbf1c78351d00c4bdaff39e Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Thu, 24 Sep 2009 10:21:41 -0700 Subject: [PATCH] auth: start integrate keys_server with authentication --- src/auth/AuthServiceManager.cc | 22 +++++++++++++------ src/auth/AuthServiceManager.h | 1 + src/auth/KeysServer.cc | 39 +++++++++++++++++++++++++++------- src/auth/KeysServer.h | 10 +++++---- 4 files changed, 54 insertions(+), 18 deletions(-) diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 2895f8f9a002c..084dc2d89705b 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc @@ -17,6 +17,8 @@ #include "AuthProtocol.h" #include "Auth.h" +#include "mon/Monitor.h" + #include #include @@ -197,7 +199,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe SessionAuthInfo info; CryptoKey principal_secret; - if (auth_server.lookup_entity(req.name, principal_secret, info.ticket.caps) < 0) { + if (mon->keys_server.get_secret(req.name, principal_secret, info.ticket.caps) < 0) { ret = -EPERM; break; } @@ -215,7 +217,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe info.session_key = session_key; info.service_id = CEPHX_PRINCIPAL_AUTH; - auth_server.get_service_secret(info.service_secret, CEPHX_PRINCIPAL_AUTH); + mon->keys_server.get_service_secret(CEPHX_PRINCIPAL_AUTH, info.service_secret); vector info_vec; info_vec.push_back(info); @@ -231,7 +233,10 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY " << cephx_header.request_type << dendl; { CryptoKey auth_secret; - auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH); + CryptoKey session_key; + if (mon->keys_server.get_service_secret(CEPHX_PRINCIPAL_AUTH, auth_secret) < 0) { + ret = -EPERM; + } // ... FIXME .. get entity name, session_key from Monitor::Session AuthServiceTicketRequest ticket_req; 
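Review bot: The new check `if (mon->keys_server.get_secret(req.name, principal_secret, info.ticket.caps) < 0)` can never fire, because KeysServer::get_secret is declared in this same patch (KeysServer.h hunk) as returning bool, so a failed lookup yields false, which is not less than 0, and the handler carries on with an unset principal_secret instead of returning -EPERM. The same `< 0` comparison is applied to every keys_server.get_service_secret call added in the -231, -246 and -275 hunks of this file, which also return bool, and in the -215 hunk the return value is not tested at all. Each should be written as a negation, e.g. `if (!mon->keys_server.get_secret(req.name, principal_secret, info.ticket.caps)) {`. handle_cephx_protocol starts and ends outside this hunk.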
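Review bot: In the CEPHX_GET_PRINCIPAL_SESSION_KEY case the added failure branch sets `ret = -EPERM;` but does not leave the case, unlike the equivalent checks added in the -246 and -275 hunks, so on a failed lookup the code goes on to build ticket_req with a default-constructed auth_secret. Make the branch `{ ret = -EPERM; break; }` to match the other two. The newly declared `session_key` is likewise still default-constructed here (the FIXME about taking it from Monitor::Session remains), which is worth a comment such as `// FIXME: session_key is not yet populated; tickets built from it are not usable until this is wired to Monitor::Session`. The enclosing case continues past the end of this hunk.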
@@ -246,14 +251,16 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe for (uint32_t service_id = 1; service_id != (CEPHX_PRINCIPAL_TYPE_MASK + 1); service_id <<= 1) { if (ticket_req.keys & service_id) { CryptoKey service_secret; - auth_server.get_service_secret(service_secret, service_id); + if (mon->keys_server.get_service_secret(service_id, service_secret) < 0) { + ret = -EPERM; + break; + } SessionAuthInfo info; AuthTicket service_ticket; /* FIXME: initialize service_ticket */ - auth_server.get_service_secret(service_secret, service_id); auth_server.get_service_session_key(session_key, service_id); info.service_id = service_id; @@ -275,7 +282,10 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe { CryptoKey service_secret; - auth_server.get_service_secret(service_secret, CEPHX_PRINCIPAL_MON); + if (mon->keys_server.get_service_secret(CEPHX_PRINCIPAL_MON, service_secret) < 0) { + ret = -EPERM; + break; + } ret = 0; bufferlist tmp_bl; diff --git a/src/auth/AuthServiceManager.h b/src/auth/AuthServiceManager.h index c5b1b23073445..1d12c1e67499f 100644 --- a/src/auth/AuthServiceManager.h +++ b/src/auth/AuthServiceManager.h @@ -21,6 +21,7 @@ class Monitor; class AuthServiceHandler { +protected: Monitor *mon; public: diff --git a/src/auth/KeysServer.cc b/src/auth/KeysServer.cc index 35353e3e858ce..6d7cba3be8d59 100644 --- a/src/auth/KeysServer.cc +++ b/src/auth/KeysServer.cc 
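Review bot: The `break;` added after `ret = -EPERM;` inside the `for (uint32_t service_id = 1; ...)` loop only leaves that loop, not the enclosing case, so unless the code after the loop (outside this hunk) tests ret, a response is still assembled from the partially filled info_vec. Either check ret immediately after the loop or make the intent explicit with a comment on the break line, `// leaves only the for loop; ret is checked below`. The per-service session key is still taken from `auth_server.get_service_session_key(session_key, service_id)` while the service secret now comes from mon->keys_server; if the two stores are meant to agree, a note on that line saying the session-key source is still to be migrated would help the next reader. The loop and function continue outside this hunk.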
@@ -48,20 +48,36 @@ void RotatingSecrets::add(ExpiringCryptoKey& key) } } -bool KeysServerData::get_service_secret(uint32_t service_id, RotatingSecrets& secret) +bool KeysServerData::get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret) { map::iterator iter = rotating_secrets.find(service_id); if (iter == rotating_secrets.end()) return false; - if (rotating_secrets.size() > 1) - ++iter; /* avoid giving the oldest rotating secret, as it'll expire soon */ + RotatingSecrets& secrets = iter->second; + map::iterator riter = secrets.secrets.lower_bound(0); + if (secrets.secrets.size() > 1) + ++riter; + + + secret = riter->second; - secret = iter->second; return true; } -bool KeysServerData::get_secret(EntityName& name, CryptoKey& secret) +bool KeysServerData::get_service_secret(uint32_t service_id, CryptoKey& secret) +{ + ExpiringCryptoKey e; + + if (!get_service_secret(service_id, e)) + return false; + + secret = e.key; + + return true; +} + +bool KeysServerData::get_secret(EntityName& name, CryptoKey& secret, map& caps) { map::iterator iter = secrets.find(name); if (iter == secrets.end()) @@ -142,14 +158,21 @@ void KeysServer::rotate_timeout(double timeout) timer.add_event_after(timeout, rotate_event); } -bool KeysServer::get_secret(EntityName& name, CryptoKey& secret) +bool KeysServer::get_secret(EntityName& name, CryptoKey& secret, map& caps) +{ + Mutex::Locker l(lock); + + return data.get_secret(name, secret, caps); +} + +bool KeysServer::get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret) { Mutex::Locker l(lock); - return data.get_secret(name, secret); + return data.get_service_secret(service_id, secret); } -bool KeysServer::get_service_secret(uint32_t service_id, RotatingSecrets& secret) +bool KeysServer::get_service_secret(uint32_t service_id, CryptoKey& secret) { Mutex::Locker l(lock); diff --git a/src/auth/KeysServer.h b/src/auth/KeysServer.h index afe4f76ce2a86..5b248c03d82b5 100644 --- a/src/auth/KeysServer.h 
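Review bot: KeysServerData::get_service_secret(uint32_t, ExpiringCryptoKey&) dereferences `riter->second` without checking that `secrets.secrets` is non-empty; `lower_bound(0)` on an empty map returns end(), so a service present in rotating_secrets but holding no keys yet makes the secret hand-out undefined behavior rather than a clean failure. Add `if (secrets.secrets.empty()) return false;` before the lookup. The rationale comment dropped with the old implementation, `/* avoid giving the oldest rotating secret, as it'll expire soon */`, should go back on the `++riter` line, since the skip-the-first logic is otherwise unexplained. The get_secret body at the end of this hunk continues outside it, so whether the new caps parameter is filled in is not visible here.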
+++ b/src/auth/KeysServer.h @@ -69,8 +69,9 @@ struct KeysServerData { rotating_secrets[service_id].add(key); } - bool get_service_secret(uint32_t service_id, RotatingSecrets& secret); - bool get_secret(EntityName& name, CryptoKey& secret); + bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& secret); + bool get_service_secret(uint32_t service_id, CryptoKey& secret); + bool get_secret(EntityName& name, CryptoKey& secret, map& caps); map::iterator secrets_begin() { return secrets.begin(); } map::iterator secrets_end() { return secrets.end(); } @@ -105,13 +106,14 @@ class KeysServer { public: KeysServer(); - bool get_secret(EntityName& name, CryptoKey& secret); + bool get_secret(EntityName& name, CryptoKey& secret, map& caps); bool get_active_rotating_secret(EntityName& name, CryptoKey& secret); int start_server(bool init); void rotate_timeout(double timeout); /* get current secret for specific service type */ - bool get_service_secret(uint32_t service_id, RotatingSecrets& service_key); + bool get_service_secret(uint32_t service_id, ExpiringCryptoKey& service_key); + bool get_service_secret(uint32_t service_id, CryptoKey& service_key); bool generate_secret(EntityName& name, CryptoKey& secret); -- 2.39.5
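Review bot: The comment `/* get current secret for specific service type */` now sits above two overloads that differ only in the type of their output parameter, and the new `get_secret` gains a caps out-parameter with no statement of what is written to it or what the bool return means; callers in AuthServiceManager.cc in this same patch test the return as if it were an int. Document each: `/* current secret for a service type; the ExpiringCryptoKey overload also yields its expiry, the CryptoKey overload only the key; returns false if none is known */` on the overload pair, and `/* look up an entity's secret and its capabilities; returns false if the entity is unknown */` on get_secret. `EntityName& name` appears only to serve as the lookup key in the .cc hunk, so `const EntityName&` would be the tighter signature, to be confirmed against the other callers.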