+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation. See file COPYING.
+ *
+ */
+
+
+#include <errno.h>
+
+#include "CephxClientHandler.h"
+#include "CephxProtocol.h"
+
+#include "auth/KeyRing.h"
+#include "common/config.h"
+#include "common/dout.h"
+
+#define dout_subsys ceph_subsys_auth
+#undef dout_prefix
+#define dout_prefix *_dout << "cephx client: "
+
+
+int CephxClientHandler::build_request(bufferlist& bl) const
+{
+ ldout(cct, 10) << "build_request" << dendl;
+
+ RWLock::RLocker l(lock);
+
+ if (need & CEPH_ENTITY_TYPE_AUTH) {
+ /* authenticate */
+ CephXRequestHeader header;
+ header.request_type = CEPHX_GET_AUTH_SESSION_KEY;
+ ::encode(header, bl);
+
+ CryptoKey secret;
+ const bool got = keyring->get_secret(cct->_conf->name, secret);
+ if (!got) {
+ ldout(cct, 20) << "no secret found for entity: " << cct->_conf->name << dendl;
+ return -ENOENT;
+ }
+
+ // is the key OK?
+ if (!secret.get_secret().length()) {
+ ldout(cct, 20) << "secret for entity " << cct->_conf->name << " is invalid" << dendl;
+ return -EINVAL;
+ }
+
+ CephXAuthenticate req;
+ get_random_bytes((char *)&req.client_challenge, sizeof(req.client_challenge));
+ std::string error;
+ cephx_calc_client_server_challenge(cct, secret, server_challenge,
+ req.client_challenge, &req.key, error);
+ if (!error.empty()) {
+ ldout(cct, 20) << "cephx_calc_client_server_challenge error: " << error << dendl;
+ return -EIO;
+ }
+
+ req.old_ticket = ticket_handler->ticket;
+
+ if (req.old_ticket.blob.length()) {
+ ldout(cct, 20) << "old ticket len=" << req.old_ticket.blob.length() << dendl;
+ }
+
+ ::encode(req, bl);
+
+ ldout(cct, 10) << "get auth session key: client_challenge "
+ << hex << req.client_challenge << dendl;
+ return 0;
+ }
+
+ if (_need_tickets()) {
+ /* get service tickets */
+ ldout(cct, 10) << "get service keys: want=" << want << " need=" << need << " have=" << have << dendl;
+
+ CephXRequestHeader header;
+ header.request_type = CEPHX_GET_PRINCIPAL_SESSION_KEY;
+ ::encode(header, bl);
+
+ CephXAuthorizer *authorizer = ticket_handler->build_authorizer(global_id);
+ if (!authorizer)
+ return -EINVAL;
+ bl.claim_append(authorizer->bl);
+ delete authorizer;
+
+ CephXServiceTicketRequest req;
+ req.keys = need;
+ ::encode(req, bl);
+ }
+
+ return 0;
+}
+
+bool CephxClientHandler::_need_tickets() const
+{
+ // do not bother (re)requesting tickets if we *only* need the MGR
+ // ticket; that can happen during an upgrade and we want to avoid a
+ // loop. we'll end up re-requesting it later when the secrets
+ // rotating.
+ return need && need != CEPH_ENTITY_TYPE_MGR;
+}
+
+int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata)
+{
+ ldout(cct, 10) << "handle_response ret = " << ret << dendl;
+ RWLock::WLocker l(lock);
+
+ if (ret < 0)
+ return ret; // hrm!
+
+ if (starting) {
+ CephXServerChallenge ch;
+ ::decode(ch, indata);
+ server_challenge = ch.server_challenge;
+ ldout(cct, 10) << " got initial server challenge "
+ << hex << server_challenge << dendl;
+ starting = false;
+
+ tickets.invalidate_ticket(CEPH_ENTITY_TYPE_AUTH);
+ return -EAGAIN;
+ }
+
+ struct CephXResponseHeader header;
+ ::decode(header, indata);
+
+ switch (header.request_type) {
+ case CEPHX_GET_AUTH_SESSION_KEY:
+ {
+ ldout(cct, 10) << " get_auth_session_key" << dendl;
+ CryptoKey secret;
+ const bool got = keyring->get_secret(cct->_conf->name, secret);
+ if (!got) {
+ ldout(cct, 0) << "key not found for " << cct->_conf->name << dendl;
+ return -ENOENT;
+ }
+
+ if (!tickets.verify_service_ticket_reply(secret, indata)) {
+ ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
+ return -EPERM;
+ }
+ ldout(cct, 10) << " want=" << want << " need=" << need << " have=" << have << dendl;
+ validate_tickets();
+ if (_need_tickets())
+ ret = -EAGAIN;
+ else
+ ret = 0;
+ }
+ break;
+
+ case CEPHX_GET_PRINCIPAL_SESSION_KEY:
+ {
+ CephXTicketHandler& ticket_handler = tickets.get_handler(CEPH_ENTITY_TYPE_AUTH);
+ ldout(cct, 10) << " get_principal_session_key session_key " << ticket_handler.session_key << dendl;
+
+ if (!tickets.verify_service_ticket_reply(ticket_handler.session_key, indata)) {
+ ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
+ return -EPERM;
+ }
+ validate_tickets();
+ if (!_need_tickets()) {
+ ret = 0;
+ }
+ }
+ break;
+
+ case CEPHX_GET_ROTATING_KEY:
+ {
+ ldout(cct, 10) << " get_rotating_key" << dendl;
+ if (rotating_secrets) {
+ RotatingSecrets secrets;
+ CryptoKey secret_key;
+ const bool got = keyring->get_secret(cct->_conf->name, secret_key);
+ if (!got) {
+ ldout(cct, 0) << "key not found for " << cct->_conf->name << dendl;
+ return -ENOENT;
+ }
+ std::string error;
+ if (decode_decrypt(cct, secrets, secret_key, indata, error)) {
+ ldout(cct, 0) << "could not set rotating key: decode_decrypt failed. error:"
+ << error << dendl;
+ return -EINVAL;
+ } else {
+ rotating_secrets->set_secrets(std::move(secrets));
+ }
+ }
+ }
+ break;
+
+ default:
+ ldout(cct, 0) << " unknown request_type " << header.request_type << dendl;
+ ceph_abort();
+ }
+ return ret;
+}
+
+
+
+AuthAuthorizer *CephxClientHandler::build_authorizer(uint32_t service_id) const
+{
+ RWLock::RLocker l(lock);
+ ldout(cct, 10) << "build_authorizer for service " << ceph_entity_type_name(service_id) << dendl;
+ return tickets.build_authorizer(service_id);
+}
+
+
+bool CephxClientHandler::build_rotating_request(bufferlist& bl) const
+{
+ ldout(cct, 10) << "build_rotating_request" << dendl;
+ CephXRequestHeader header;
+ header.request_type = CEPHX_GET_ROTATING_KEY;
+ ::encode(header, bl);
+ return true;
+}
+
+void CephxClientHandler::prepare_build_request()
+{
+ RWLock::WLocker l(lock);
+ ldout(cct, 10) << "validate_tickets: want=" << want << " need=" << need
+ << " have=" << have << dendl;
+ validate_tickets();
+ ldout(cct, 10) << "want=" << want << " need=" << need << " have=" << have
+ << dendl;
+
+ ticket_handler = &(tickets.get_handler(CEPH_ENTITY_TYPE_AUTH));
+}
+
+void CephxClientHandler::validate_tickets()
+{
+ // lock should be held for write
+ tickets.validate_tickets(want, have, need);
+}
+
+bool CephxClientHandler::need_tickets()
+{
+ RWLock::WLocker l(lock);
+ validate_tickets();
+
+ ldout(cct, 20) << "need_tickets: want=" << want
+ << " have=" << have
+ << " need=" << need
+ << dendl;
+
+ return _need_tickets();
+}
+