From e92662b83e9aa4200de911688b198e7ff6d99be2 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Fri, 25 Sep 2009 14:24:35 -0700
Subject: [PATCH] auth: generate meaningful service ticket

Include caps from auth ticket, create a new session key, etc.
Make session_key _and_ ticket available to verify_authorizer caller.
---
 src/auth/Auth.cc | 4 +---
 src/auth/Auth.h | 10 +++++++++-
 src/auth/AuthServiceManager.cc | 33 +++++++++++++++------------------
 3 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/src/auth/Auth.cc b/src/auth/Auth.cc
index fd28ababa4823..cf8fa335dc065 100644
--- a/src/auth/Auth.cc
+++ b/src/auth/Auth.cc
@@ -178,12 +178,10 @@ bool AuthTicketsManager::build_authorizer(uint32_t service_id, bufferlist& bl, A
 * {timestamp + 1}^session_key
 */
 bool verify_authorizer(CryptoKey& service_secret, bufferlist::iterator& indata,
- CryptoKey& session_key, bufferlist& reply_bl)
+ AuthServiceTicketInfo& ticket_info, bufferlist& reply_bl)
 {
- AuthServiceTicketInfo ticket_info;
 if (decode_decrypt(ticket_info, service_secret, indata) < 0)
 return false;
- session_key = ticket_info.session_key;
 
 AuthAuthorize auth_msg;
 if (decode_decrypt(auth_msg, ticket_info.session_key, indata) < 0)
diff --git a/src/auth/Auth.h b/src/auth/Auth.h
index 23471c82b0112..47ae0d7f25c19 100644
--- a/src/auth/Auth.h
+++ b/src/auth/Auth.h
@@ -131,6 +131,14 @@ struct AuthTicket {
 
 AuthTicket() : flags(0) {}
 
+ void init_timestamps(utime_t now, double ttl) {
+ created = now;
+ expires = now;
+ expires += ttl;
+ renew_after = now;
+ renew_after += ttl / 2.0;
+ }
+
 void encode(bufferlist& bl) const {
 __u8 v = 1;
 ::encode(v, bl);
@@ -407,6 +415,6 @@ extern bool verify_service_ticket_request(AuthServiceTicketRequest& ticket_req,
 bufferlist::iterator& indata);
 extern bool verify_authorizer(CryptoKey& service_secret, bufferlist::iterator& bl,
- CryptoKey& session_key, bufferlist& enc_reply);
+ AuthServiceTicketInfo& ticket_info, bufferlist& enc_reply);
 
 #endif
 
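Review bot: verify_authorizer now writes into the caller's `ticket_info` before the authorizer itself is verified, so on either `return false` path it holds whatever decode_decrypt managed to fill in; neither this hunk nor the matching declaration change in the Auth.h hunk at -407 says so. A one-line contract on the declaration would prevent misuse: `// ticket_info is valid only when this returns true; on failure its contents are unspecified and must not be used.` The remainder of the function lies outside the hunk, so if it does not compare `ticket_info.ticket.expires` against the current time, a ticket stays accepted beyond the TTL that the new init_timestamps sets — worth confirming while the signature is being reworked.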
diff --git a/src/auth/AuthServiceManager.cc b/src/auth/AuthServiceManager.cc
index 6f546fc930ab0..679cf1694411a 100644
--- a/src/auth/AuthServiceManager.cc
+++ b/src/auth/AuthServiceManager.cc
@@ -183,11 +183,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
 
 info.ticket.name = req.name;
 info.ticket.addr = req.addr;
- info.ticket.created = g_clock.now();
- info.ticket.expires = info.ticket.created;
- info.ticket.expires += g_conf.auth_mon_ticket_ttl;
- info.ticket.renew_after = info.ticket.created;
- info.ticket.renew_after += g_conf.auth_mon_ticket_ttl / 2.0;
+ info.ticket.init_timestamps(g_clock.now(), g_conf.auth_mon_ticket_ttl);
 generate_random_string(info.ticket.nonce, g_conf.auth_nonce_len);
 
 mon->keys_server.generate_secret(session_key);
@@ -206,6 +202,7 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
 }
 }
 break;
+
 case CEPHX_GET_PRINCIPAL_SESSION_KEY:
 dout(0) << "CEPHX_GET_PRINCIPAL_SESSION_KEY " << cephx_header.request_type << dendl;
 {
@@ -218,8 +215,8 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
 AuthServiceTicketInfo ticket_info;
 EntityName name;
 bufferlist tmp_bl;
- CryptoKey auth_session_key;
- if (!verify_authorizer(auth_secret, indata, auth_session_key, tmp_bl)) {
+ AuthServiceTicketInfo auth_ticket_info;
+ if (!verify_authorizer(auth_secret, indata, auth_ticket_info, tmp_bl)) {
 ret = -EPERM;
 }
 
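Review bot: In the hunk at -218 a failed verify_authorizer only sets `ret = -EPERM;` and falls through, while the hunk at -238 then reads `auth_ticket_info.ticket.name`, `.ticket.caps` and `.session_key` to mint service tickets and to key `build_service_ticket_reply`. The lines between the two hunks are outside this patch, so unless they skip the ticket loop and the reply when `ret != 0`, tickets are derived from a ticket_info that never verified. Wrapping the loop and the `build_service_ticket_reply(...)` call in `if (ret == 0)` would make the failure path explicit. The unconditional `ret = 0;` after the reply in the -238 hunk predates this change but also discards the -EPERM, so the caller cannot see the failure either.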
@@ -238,25 +235,25 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
 }
 SessionAuthInfo info;
+ info.ticket.name = auth_ticket_info.ticket.name;
+ info.ticket.addr = auth_ticket_info.ticket.addr;
+ info.ticket.init_timestamps(g_clock.now(), g_conf.auth_service_ticket_ttl);
 
- AuthTicket service_ticket;
- /* FIXME: initialize service_ticket */
-
- CryptoKey session_key;
+ generate_random_string(info.ticket.nonce, g_conf.auth_nonce_len);
+ mon->keys_server.generate_secret(info.session_key);
 
- mon->keys_server.generate_secret(session_key);
+ auth_server.get_service_secret(info.service_secret, service_id);
 info.service_id = service_id;
- info.ticket = service_ticket;
- info.session_key = session_key;
- info.service_secret = service_secret;
+
+ info.ticket.caps = auth_ticket_info.ticket.caps;
 info_vec.push_back(info);
 }
 }
 build_cephx_response_header(request_type, ret, result_bl);
- build_service_ticket_reply(auth_session_key, info_vec, result_bl);
+ build_service_ticket_reply(auth_ticket_info.session_key, info_vec, result_bl);
 ret = 0;
 }
 break;
@@ -272,8 +269,8 @@ int CephAuthService_X::handle_cephx_protocol(bufferlist::iterator& indata, buffe
 ret = 0;
 bufferlist tmp_bl;
- CryptoKey session_key;
- if (!verify_authorizer(service_secret, indata, session_key, tmp_bl)) {
+ AuthServiceTicketInfo auth_ticket_info;
+ if (!verify_authorizer(service_secret, indata, auth_ticket_info, tmp_bl)) {
 ret = -EPERM;
 }
 build_cephx_response_header(request_type, ret, result_bl);
-- 
2.39.5
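Review bot: The result of `auth_server.get_service_secret(info.service_secret, service_id);` in the -238 hunk is dropped, so if the lookup fails the service ticket is encrypted under a default-constructed `info.service_secret` instead of the request being refused. The removed line `info.service_secret = service_secret;` took its value from a `service_secret` defined above the hunk, outside this view: either that earlier lookup already checks the result and this new call is redundant, or the result has to be checked here and the request failed (whatever the function returns on failure). Separately, `info.ticket.caps = auth_ticket_info.ticket.caps;` copies the auth ticket's caps unchanged into every service ticket produced by this loop, so the ticket for `service_id` carries whatever the principal holds across all services; if caps are scoped per service this should select the entry for `service_id`, and if they are intentionally global a comment such as `// caps are not per-service; the full set is carried on every service ticket` would settle the question for the next reader.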