From c9ee83981bf779979a31a9f6b06b143b2b6cf76f Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Wed, 23 Sep 2009 12:13:15 -0700 Subject: [PATCH] auth: build an almost real mon ticket --- src/auth/Auth.cc | 13 +----------- src/auth/Auth.h | 14 ++++++------- src/auth/AuthServiceManager.cc | 36 +++++++++++++++++++++------------- src/auth/Crypto.cc | 20 ++++++++++++++++--- src/auth/Crypto.h | 2 ++ src/config.cc | 3 +++ src/config.h | 5 +++++ 7 files changed, 57 insertions(+), 36 deletions(-) diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc index bc30797bb0b90..a242f170dca45 100644 --- a/src/auth/Auth.cc +++ b/src/auth/Auth.cc @@ -34,7 +34,7 @@ static void hexdump(string msg, const char *s, int len) void build_authenticate_request(EntityName& principal_name, entity_addr_t& principal_addr, bufferlist& request) { - AuthAuthenticateRequest req(principal_name, principal_addr, g_clock.now()); + AuthAuthenticateRequest req(principal_name, principal_addr); ::encode(req, request); } @@ -97,17 +97,6 @@ bool build_service_ticket_reply( return true; } -bool verify_authenticate_request(CryptoKey& service_secret, - bufferlist::iterator& indata) -{ - AuthAuthenticateRequest msg; - ::decode(msg, indata); - dout(0) << "decoded timestamp=" << msg.timestamp << " addr=" << msg.addr << dendl; - - /* FIXME: validate that request makes sense */ - return true; -} - bool verify_service_ticket_request(CryptoKey& service_secret, CryptoKey& session_key, uint32_t& keys, diff --git a/src/auth/Auth.h b/src/auth/Auth.h index 607194491387f..fdb079f469e40 100644 --- a/src/auth/Auth.h +++ b/src/auth/Auth.h 
@@ -112,15 +112,19 @@ inline bool operator<(const EntityName& a, const EntityName& b) { * period. */ struct AuthTicket { + EntityName name; entity_addr_t addr; utime_t created, renew_after, expires; string nonce; map caps; __u32 flags; + AuthTicket() : flags(0) {} + void encode(bufferlist& bl) const { __u8 v = 1; ::encode(v, bl); + ::encode(name, bl); ::encode(addr, bl); ::encode(created, bl); ::encode(expires, bl); @@ -131,6 +135,7 @@ struct AuthTicket { void decode(bufferlist::iterator& bl) { __u8 v; ::decode(v, bl); + ::decode(name, bl); ::decode(addr, bl); ::decode(created, bl); ::decode(expires, bl); @@ -182,21 +187,18 @@ extern bool build_service_ticket_reply(CryptoKey& principal_secret, struct AuthAuthenticateRequest { EntityName name; entity_addr_t addr; - utime_t timestamp; AuthAuthenticateRequest() {} - AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr, utime_t t) : - name(principal_name), addr(principal_addr), timestamp(t) {} + AuthAuthenticateRequest(EntityName& principal_name, entity_addr_t principal_addr) : + name(principal_name), addr(principal_addr) {} void encode(bufferlist& bl) const { ::encode(name, bl); ::encode(addr, bl); - ::encode(timestamp, bl); } void decode(bufferlist::iterator& bl) { ::decode(name, bl); ::decode(addr, bl); - ::decode(timestamp, bl); } }; WRITE_CLASS_ENCODER(AuthAuthenticateRequest) @@ -392,8 +394,6 @@ int encode_encrypt(const T& t, CryptoKey& key, bufferlist& out) { /* * Verify authorizer and generate reply authorizer */ -extern bool verify_authenticate_request(CryptoKey& service_secret, - bufferlist::iterator& indata); extern bool verify_service_ticket_request(CryptoKey& service_secret, CryptoKey& session_key, uint32_t& keys, diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc index 9bd167271b092..cda0f43629a9e 100644 --- a/src/auth/AuthServiceManager.cc +++ b/src/auth/AuthServiceManager.cc 
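Review bot: AuthTicket's wire layout changes in this hunk (name is now written between the version byte and addr) but encode() still emits `__u8 v = 1;` and the decode hunk at -131 reads `v` without looking at it, so a ticket serialized with the previous layout would be decoded with the leading bytes of addr taken as name and nothing would flag the mismatch. If pre-commit tickets can still be in flight, bump the version and branch on it in decode(); if not, at least record what the number stands for next to it, e.g. `// v1: name, addr, created, expires, ... (name added 2009-09)`. The remaining members (renew_after, nonce, caps, flags) are encoded outside the visible lines, so I can't confirm they follow the same order on both sides.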
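Review bot: With timestamp gone from AuthAuthenticateRequest (hunk at -182), the request is just the client-supplied name and addr, carries no version byte, and the FIXME "validate that request makes sense" that lived in the deleted verify_authenticate_request is dropped without being carried anywhere else in this commit. Since the title calls this "almost real", the gap should be visible in the code rather than only in history; a comment on the struct such as `// TODO: unversioned and carries no nonce/timestamp; freshness/replay protection has to come from the ticket exchange, not from this message` would do. Whether the encrypted reply path compensates for it is decided in AuthServiceManager.cc outside the visible hunks.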
@@ -35,7 +35,7 @@ static inline void hexdump(string msg, const char *s, int len) int buf_len = len*4; char buf[buf_len]; int pos = 0; - for (unsigned int i=0; i& caps) { secret = client_secret; return 0; } @@ -178,25 +178,33 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe case CEPHX_GET_AUTH_SESSION_KEY: { dout(0) << "CEPHX_GET_AUTH_SESSION_KEY" << dendl; - EntityName name; /* FIXME should take it from the request */ - entity_addr_t addr; + + AuthAuthenticateRequest req; + ::decode(req, indata); + AuthTicket ticket; + CryptoKey principal_secret; - CryptoKey session_key; - CryptoKey auth_secret; + if (auth_server.lookup_entity(req.name, principal_secret, ticket.caps) < 0) { + ret = -EPERM; + break; + } - ticket.expires = g_clock.now(); + ticket.name = req.name; + ticket.addr = req.addr; + ticket.created = g_clock.now(); + ticket.expires = ticket.created; + ticket.expires += g_conf.auth_mon_ticket_ttl; + ticket.renew_after = ticket.created; + ticket.renew_after += g_conf.auth_mon_ticket_ttl / 2.0; + generate_random_string(ticket.nonce, g_conf.auth_nonce_len); - auth_server.get_client_secret(principal_secret); + + CryptoKey session_key; + CryptoKey auth_secret; auth_server.get_service_session_key(session_key, CEPHX_PRINCIPAL_AUTH); auth_server.get_service_secret(auth_secret, CEPHX_PRINCIPAL_AUTH); - if (!verify_authenticate_request(auth_secret, indata)) { - ret = -EPERM; - break; - } - - // checking password? build_cephx_response_header(request_type, 0, result_bl); vector info_vec; diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc index 07c7abb0a4d65..03d0ab201f2ca 100644 --- a/src/auth/Crypto.cc +++ b/src/auth/Crypto.cc @@ -21,9 +21,8 @@ #include -static int get_random_bytes(int len, bufferlist& out) +static int get_random_bytes(char *buf, int len) { - char buf[len]; char *t = buf; int fd = ::open("/dev/urandom", O_RDONLY); int l = len; 
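Review bot: `ticket.addr = req.addr;` in the CEPHX_GET_AUTH_SESSION_KEY case copies the address the client wrote into its own request into the ticket before anything has authenticated that client (lookup_entity only fetches the principal's secret and caps), so any later check against the ticket's addr is trusting a self-asserted value. If the connection's peer address is reachable from here it should be preferred; otherwise record the assumption on the line, `// addr is client-asserted, not checked against the transport`. `::decode(req, indata)` also has no handling for a short or malformed buffer in this hunk — if decode throws on truncated input as elsewhere in this codebase, that propagates out of handle_cephx_protocol instead of yielding `ret = -EPERM`. The TTL arithmetic (`ticket.expires += g_conf.auth_mon_ticket_ttl;`) relies on utime_t accepting a double operand, which I can't confirm from the hunk, and the rest of the function, including how ticket and session_key are returned, lies outside it.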
@@ -36,10 +35,25 @@ static int get_random_bytes(int len, bufferlist& out) t += r; l -= r; } - out.append(buf, len); return 0; } +static int get_random_bytes(int len, bufferlist& bl) +{ + char buf[len]; + get_random_bytes(buf, len); + bl.append(buf, len); + return 0; +} + +void generate_random_string(string& s, int len) +{ + char buf[len+1]; + get_random_bytes(buf, len); + buf[len] = 0; + s = buf; +} + // --------------------------------------------------- class CryptoNone : public CryptoHandler { diff --git a/src/auth/Crypto.h b/src/auth/Crypto.h index 8f606386cbc27..74596ce803151 100644 --- a/src/auth/Crypto.h +++ b/src/auth/Crypto.h @@ -75,5 +75,7 @@ public: extern CryptoManager ceph_crypto_mgr; +extern void generate_random_string(string& s, int len); + #endif diff --git a/src/config.cc b/src/config.cc index 7f2647d32c069..da554e1818c0d 100644 --- a/src/config.cc +++ b/src/config.cc @@ -363,6 +363,9 @@ static struct config_option config_optionsp[] = { OPTION(mon_clientid_prealloc, 0, OPT_INT, 100), // how many clientids to prealloc OPTION(paxos_propose_interval, 0, OPT_DOUBLE, 1.0), // gather updates for this long before proposing a map update OPTION(paxos_observer_timeout, 0, OPT_DOUBLE, 5*60), // gather updates for this long before proposing a map update + OPTION(auth_mon_ticket_ttl, 0, OPT_DOUBLE, 60*60*24), + OPTION(auth_service_ticket_ttl, 0, OPT_DOUBLE, 60*60), + OPTION(auth_nonce_len, 0, OPT_INT, 16), OPTION(client_cache_size, 0, OPT_INT, 1000), OPTION(client_cache_mid, 0, OPT_FLOAT, .5), OPTION(client_cache_stat_ttl, 0, OPT_INT, 0), // seconds until cached stat results become invalid diff --git a/src/config.h b/src/config.h index 3d408c7770fde..04979e9dc74fb 100644 --- a/src/config.h +++ b/src/config.h 
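Review bot: generate_random_string stores the random bytes with `s = buf;`, which stops at the first NUL byte, so the nonce only has the requested length when none of the len bytes read from /dev/urandom is 0 — for the default 16 bytes roughly 6% of nonces come out shorter (constructed estimate, 1-(255/256)^16); use `s.assign(buf, len);` and drop the `buf[len] = 0;` terminator and the `len+1` sizing. Both new wrappers also discard the int returned by `get_random_bytes(char *, int)`, so whatever failure path that function has (its body between `int l = len;` and `t += r;` is outside the hunks) silently leaves an uninitialized buffer that is then used as a ticket nonce; propagate it, e.g. `if (get_random_bytes(buf, len) < 0) return -1;` in the bufferlist wrapper. The `char buf[len]` VLAs take len from configuration rather than from the wire, so I'd only note that a non-positive auth_nonce_len is not rejected anywhere visible.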
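Review bot: The three OPTION lines added to config.cc carry no trailing comment, unlike their paxos_* neighbours, and the units are not obvious from the names; suggested: `OPTION(auth_mon_ticket_ttl, 0, OPT_DOUBLE, 60*60*24), // lifetime of a mon-issued ticket (presumably seconds, as it is added to utime_t)`, `OPTION(auth_service_ticket_ttl, 0, OPT_DOUBLE, 60*60), // lifetime of a service ticket`, `OPTION(auth_nonce_len, 0, OPT_INT, 16), // random bytes per ticket nonce`. auth_service_ticket_ttl is declared here and in config.h but nothing else in this commit reads it, so a comment saying it is reserved for the service-ticket path would stop it looking dead.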
@@ -145,6 +145,11 @@ struct md_config_t { double paxos_propose_interval; double paxos_observer_timeout; + // auth + double auth_mon_ticket_ttl; + double auth_service_ticket_ttl; + int auth_nonce_len; + // client int client_cache_size; float client_cache_mid; -- 2.39.5