From fbe53c249a3cd185fc764341cc4eb979ead437d9 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@newdream.net>
Date: Wed, 19 Aug 2009 16:55:58 -0700
Subject: [PATCH] auth: bits

---
 src/auth/AuthTypes.h    | 149 ++++++++++++++++++++++++++++++++++++----
 src/auth/ClientTicket.h |   9 ++-
 2 files changed, 142 insertions(+), 16 deletions(-)

diff --git a/src/auth/AuthTypes.h b/src/auth/AuthTypes.h
index de54a1a57a1c1..68043cce4f3d4 100644
--- a/src/auth/AuthTypes.h
+++ b/src/auth/AuthTypes.h
@@ -16,40 +16,94 @@
 #define __AUTHTYPES_H
 
 #include "config.h"
+#include "ClientTicket.h"
 
-
+/*
+ * match encoding of struct ceph_secret
+ */
 class EntitySecret {
 protected:
+  __u16 type;
   bufferlist secret;
 
 public:
   EntitySecret(bufferlist& bl) { secret = bl; }
 
   void encode(bufferlist& bl) const {
-    ::encode(secret, bl);
+    ::encode(type, bl);
+    __u16 len = secret.length();
+    ::encode(len, bl);
+    bl.append(secret);
   }
   void decode(bufferlist::iterator& bl) {
-    ::decode(secret, bl);
+    ::decode(type, bl);
+    __u16 len;
+    ::decode(len, bl);
+    bl.copy(len, secret);
   }
 
   bufferlist& get_secret() { return secret; }
 };
 WRITE_CLASS_ENCODER(EntitySecret);
 
-class ServiceSecret : public EntitySecret {
-  utime_t created;
 
-public:
-  void encode(bufferlist& bl) const {
-    ::encode(secret, bl);
-    ::encode(created, bl);
+
+/*
+ * ServiceTicket gives a client access to some service
+ * (monitor, osd, mds).
+ */
+struct ServiceTicket {
+  EntitySecret session_key;
+  bufferlist enc_ticket;        // opaque to us
+  string nonce;
+  utime_t renew_after, expires;
+
+  utime_t build_authenticator(bufferlist& bl) {
+    ::encode(enc_ticket, bl);
+
+    bufferlist info;
+    utime_t now = g_clock.now();
+    ::encode(now, info);
+    ::encode(nonce, info);
+
+    //encrypt(info);....
+    ::encode(info, bl);
+
+    return now;
   }
-  void decode(bufferlist::iterator& bl) {
-    ::decode(secret, bl);
-    ::decode(created, bl);
+
+  bool verify_reply_authenticator(utime_t then, bufferlist& enc_reply) {
+    bufferlist reply;
+    //decrypt
+    bufferlist::iterator p = reply.begin();
+    utime_t later;
+    ::decode(later, p);
+    if (then + 1 == later)
+      return true;
+    return false;
   }
 };
-WRITE_CLASS_ENCODER(ServiceSecret);
+
+
+bool verify_authenticator(bufferlist& bl)
+{
+  bufferlist::iterator p = bl.begin();
+  bufferlist enc_ticket, enc_info;
+  ::decode(enc_ticket, p);
+  ::decode(info, p);
+
+  bufferlist ticket;
+  // decrypt with my key
+
+  // decrypt info with session key
+
+
+  if (info.nonce != ticket.nonce)
+    return false;
+  if (old)
+    return false;
+}
+
 
 struct EntityName {
   uint32_t entity_type;
@@ -66,6 +120,75 @@ struct EntityName {
 };
 WRITE_CLASS_ENCODER(EntityName);
 
+
+
+struct AuthReply {
+  bufferlist enc_info;      // with client's secret
+  bufferlist enc_ticket;    // with service's secret
+
+  void encode(bufferlist& bl) const {
+    ::encode(enc_info, bl);
+    ::encode(enc_ticket, bl);
+  }
+  void decode(bufferlist::iterator& bl) {
+    ::decode(enc_info, bl);
+    ::decode(enc_ticket, bl);
+  }
+};
+
+struct AuthRequest {
+  EntityName client_name;
+  entity_addr_t client_addr;
+
+  void encode(bufferlist& bl) const {
+    ::encode(client_name, bl);
+    ::encode(client_addr, bl);    
+  }
+  void decode(bufferlist::iterator& bl) {
+    ::decode(client_name, bl);
+    ::decode(client_addr, bl);    
+  }
+
+  bool validate_reply(AuthReply& reply, ServiceTicket& ticket) {
+    // validate info
+    bufferlist::iterator p = reply.enc_info.begin();
+    try {
+      ::decode(ticket.session_key, p);
+      ::decode(ticket.renew_after, p);
+      ::decode(ticket.expires, p);
+      ::decode(ticket.nonce, p);
+    }
+    catch (buffer::error *e) {
+      delete e;
+      return false;
+    }
+    if (!p.end())
+      return false;
+
+    // yay!
+    ticket.enc_ticket = reply.enc_ticket;
+    return true;
+  }
+};
+
+
+
+
+class ServiceSecret : public EntitySecret {
+  utime_t created;
+
+public:
+  void encode(bufferlist& bl) const {
+    ::encode(secret, bl);
+    ::encode(created, bl);
+  }
+  void decode(bufferlist::iterator& bl) {
+    ::decode(secret, bl);
+    ::decode(created, bl);
+  }
+};
+WRITE_CLASS_ENCODER(ServiceSecret);
+
 struct SessionKey {
   bufferlist key;
 
diff --git a/src/auth/ClientTicket.h b/src/auth/ClientTicket.h
index 2114e7163bc23..30be5577b894e 100644
--- a/src/auth/ClientTicket.h
+++ b/src/auth/ClientTicket.h
@@ -18,18 +18,20 @@
 #include "include/types.h"
 
 struct ClientTicket {
-  int client;
   entity_addr_t addr;
   utime_t created, expires;
+  string nonce;
+  map<string, bufferlist> caps;
   __u32 flags;
 
   void encode(bufferlist& bl) const {
     __u8 v = 1;
     ::encode(v, bl);
-    ::encode(client, bl);
     ::encode(addr, bl);
     ::encode(created, bl);
     ::encode(expires, bl);
+    ::encode(nonce, bl);
+    ::encode(caps, bl);
     ::encode(flags, bl);
   }
   void decode(bufferlist::iterator& bl) {
@@ -39,9 +41,10 @@ struct ClientTicket {
     ::decode(addr, bl);
     ::decode(created, bl);
     ::decode(expires, bl);
+    ::decode(nonce, bl);
+    ::decode(caps, bl);
     ::decode(flags, bl);
   }
-
 };
 WRITE_CLASS_ENCODER(ClientTicket)
 
-- 
2.39.5