Fix some bugs when testing opensds ansible

[stor4nfv.git] / src / ceph / src / auth / cephx / CephxProtocol.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
 * Ceph - scalable distributed file system
 *
 * Copyright (C) 2009-2011 New Dream Network
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License version 2.1, as published by the Free Software
 * Foundation.  See file COPYING.
 *
 */

#include "CephxProtocol.h"
#include "common/Clock.h"
#include "common/config.h"
#include "common/debug.h"
#include "include/buffer.h"

#define dout_subsys ceph_subsys_auth
#undef dout_prefix
#define dout_prefix *_dout << "cephx: "



void cephx_calc_client_server_challenge(CephContext *cct, CryptoKey& secret, uint64_t server_challenge, 
                  uint64_t client_challenge, uint64_t *key, std::string &error)
{
  CephXChallengeBlob b;
  b.server_challenge = server_challenge;
  b.client_challenge = client_challenge;

  bufferlist enc;
  if (encode_encrypt(cct, b, secret, enc, error))
    return;

  uint64_t k = 0;
  const uint64_t *p = (const uint64_t *)enc.c_str();
  for (int pos = 0; pos + sizeof(k) <= enc.length(); pos+=sizeof(k), p++)
    k ^= mswab(*p);
  *key = k;
}


/*
 * Authentication
 */

bool cephx_build_service_ticket_blob(CephContext *cct, CephXSessionAuthInfo& info,
                                     CephXTicketBlob& blob)
{
  CephXServiceTicketInfo ticket_info;
  ticket_info.session_key = info.session_key;
  ticket_info.ticket = info.ticket;
  ticket_info.ticket.caps = info.ticket.caps;

  ldout(cct, 10) << "build_service_ticket service " << ceph_entity_type_name(info.service_id)
           << " secret_id " << info.secret_id
           << " ticket_info.ticket.name=" << ticket_info.ticket.name.to_str() << dendl;
  blob.secret_id = info.secret_id;
  std::string error;
  if (!info.service_secret.get_secret().length())
    error = "invalid key";  // Bad key?
  else
    encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
  if (!error.empty()) {
    ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error "
          << error << dendl;
    return false;
  }
  return true;
}

/*
 * AUTH SERVER: authenticate
 *
 * Authenticate principal, respond with AuthServiceTicketInfo
 *
 * {session key, validity}^principal_secret
 * {principal_ticket, session key}^service_secret  ... "enc_ticket"
 */
bool cephx_build_service_ticket_reply(CephContext *cct,
                     CryptoKey& principal_secret,
                     vector<CephXSessionAuthInfo> ticket_info_vec,
                     bool should_encrypt_ticket,
                     CryptoKey& ticket_enc_key,
                     bufferlist& reply)
{
  __u8 service_ticket_reply_v = 1;
  ::encode(service_ticket_reply_v, reply);

  uint32_t num = ticket_info_vec.size();
  ::encode(num, reply);
  ldout(cct, 10) << "build_service_ticket_reply encoding " << num
           << " tickets with secret " << principal_secret << dendl;

  for (vector<CephXSessionAuthInfo>::iterator ticket_iter = ticket_info_vec.begin(); 
       ticket_iter != ticket_info_vec.end();
       ++ticket_iter) {
    CephXSessionAuthInfo& info = *ticket_iter;
    ::encode(info.service_id, reply);

    __u8 service_ticket_v = 1;
    ::encode(service_ticket_v, reply);

    CephXServiceTicket msg_a;
    msg_a.session_key = info.session_key;
    msg_a.validity = info.validity;
    std::string error;
    if (encode_encrypt(cct, msg_a, principal_secret, reply, error)) {
      ldout(cct, -1) << "error encoding encrypted: " << error << dendl;
      return false;
    }

    bufferlist service_ticket_bl;
    CephXTicketBlob blob;
    if (!cephx_build_service_ticket_blob(cct, info, blob)) {
      return false;
    }
    ::encode(blob, service_ticket_bl);

    ldout(cct, 30) << "service_ticket_blob is ";
    service_ticket_bl.hexdump(*_dout);
    *_dout << dendl;

    ::encode((__u8)should_encrypt_ticket, reply);
    if (should_encrypt_ticket) {
      if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, reply, error)) {
        ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl;
        return false;
      }
    } else {
      ::encode(service_ticket_bl, reply);
    }
  }
  return true;
}

/*
 * PRINCIPAL: verify our attempt to authenticate succeeded.  fill out
 * this ServiceTicket with the result.
 */
bool CephXTicketHandler::verify_service_ticket_reply(CryptoKey& secret,
                                                     bufferlist::iterator& indata)
{
  __u8 service_ticket_v;
  ::decode(service_ticket_v, indata);

  CephXServiceTicket msg_a;
  std::string error;
  if (decode_decrypt(cct, msg_a, secret, indata, error)) {
    ldout(cct, 0) << "verify_service_ticket_reply: failed decode_decrypt, error is: " << error << dendl;
    return false;
  }
  
  __u8 ticket_enc;
  ::decode(ticket_enc, indata);

  bufferlist service_ticket_bl;
  if (ticket_enc) {
    ldout(cct, 10) << " got encrypted ticket" << dendl;
    std::string error;
    if (decode_decrypt(cct, service_ticket_bl, session_key, indata, error)) {
      ldout(cct, 10) << "verify_service_ticket_reply: decode_decrypt failed "
            << "with " << error << dendl;
      return false;
    }
  } else {
    ::decode(service_ticket_bl, indata);
  }
  bufferlist::iterator iter = service_ticket_bl.begin();
  ::decode(ticket, iter);
  ldout(cct, 10) << " ticket.secret_id=" <<  ticket.secret_id << dendl;

  ldout(cct, 10) << "verify_service_ticket_reply service " << ceph_entity_type_name(service_id)
           << " secret_id " << ticket.secret_id
           << " session_key " << msg_a.session_key
           << " validity=" << msg_a.validity << dendl;
  session_key = msg_a.session_key;
  if (!msg_a.validity.is_zero()) {
    expires = ceph_clock_now();
    expires += msg_a.validity;
    renew_after = expires;
    renew_after -= ((double)msg_a.validity.sec() / 4);
    ldout(cct, 10) << "ticket expires=" << expires << " renew_after=" << renew_after << dendl;
  }
  
  have_key_flag = true;
  return true;
}

bool CephXTicketHandler::have_key()
{
  if (have_key_flag) {
    have_key_flag = ceph_clock_now() < expires;
  }

  return have_key_flag;
}

bool CephXTicketHandler::need_key() const
{
  if (have_key_flag) {
    return (!expires.is_zero()) && (ceph_clock_now() >= renew_after);
  }

  return true;
}

bool CephXTicketManager::have_key(uint32_t service_id)
{
  map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
  if (iter == tickets_map.end())
    return false;
  return iter->second.have_key();
}

bool CephXTicketManager::need_key(uint32_t service_id) const
{
  map<uint32_t, CephXTicketHandler>::const_iterator iter = tickets_map.find(service_id);
  if (iter == tickets_map.end())
    return true;
  return iter->second.need_key();
}

void CephXTicketManager::set_have_need_key(uint32_t service_id, uint32_t& have, uint32_t& need)
{
  map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
  if (iter == tickets_map.end()) {
    have &= ~service_id;
    need |= service_id;
    ldout(cct, 10) << "set_have_need_key no handler for service "
                   << ceph_entity_type_name(service_id) << dendl;
    return;
  }

  //ldout(cct, 10) << "set_have_need_key service " << ceph_entity_type_name(service_id)
  //<< " (" << service_id << ")"
  //<< " need=" << iter->second.need_key() << " have=" << iter->second.have_key() << dendl;
  if (iter->second.need_key())
    need |= service_id;
  else
    need &= ~service_id;

  if (iter->second.have_key())
    have |= service_id;
  else
    have &= ~service_id;
}

void CephXTicketManager::invalidate_ticket(uint32_t service_id)
{
  map<uint32_t, CephXTicketHandler>::iterator iter = tickets_map.find(service_id);
  if (iter != tickets_map.end())
    iter->second.invalidate_ticket();
}

/*
 * PRINCIPAL: verify our attempt to authenticate succeeded.  fill out
 * this ServiceTicket with the result.
 */
bool CephXTicketManager::verify_service_ticket_reply(CryptoKey& secret,
                                                     bufferlist::iterator& indata)
{
  __u8 service_ticket_reply_v;
  ::decode(service_ticket_reply_v, indata);

  uint32_t num;
  ::decode(num, indata);
  ldout(cct, 10) << "verify_service_ticket_reply got " << num << " keys" << dendl;

  for (int i=0; i<(int)num; i++) {
    uint32_t type;
    ::decode(type, indata);
    ldout(cct, 10) << "got key for service_id " << ceph_entity_type_name(type) << dendl;
    CephXTicketHandler& handler = get_handler(type);
    if (!handler.verify_service_ticket_reply(secret, indata)) {
      return false;
    }
    handler.service_id = type;
  }

  if (!indata.end())
    return false;

  return true;
}

/*
 * PRINCIPAL: build authorizer to access the service.
 *
 * ticket, {timestamp}^session_key
 */
CephXAuthorizer *CephXTicketHandler::build_authorizer(uint64_t global_id) const
{
  CephXAuthorizer *a = new CephXAuthorizer(cct);
  a->session_key = session_key;
  a->nonce = ((uint64_t)rand() << 32) + rand();

  __u8 authorizer_v = 1;
  ::encode(authorizer_v, a->bl);
  ::encode(global_id, a->bl);
  ::encode(service_id, a->bl);

  ::encode(ticket, a->bl);

  CephXAuthorize msg;
  msg.nonce = a->nonce;

  std::string error;
  if (encode_encrypt(cct, msg, session_key, a->bl, error)) {
    ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl;
    delete a;
    return 0;
  }
  return a;
}

/*
 * PRINCIPAL: build authorizer to access the service.
 *
 * ticket, {timestamp}^session_key
 */
CephXAuthorizer *CephXTicketManager::build_authorizer(uint32_t service_id) const
{
  map<uint32_t, CephXTicketHandler>::const_iterator iter = tickets_map.find(service_id);
  if (iter == tickets_map.end()) {
    ldout(cct, 0) << "no TicketHandler for service "
                  << ceph_entity_type_name(service_id) << dendl;
    return NULL;
  }

  const CephXTicketHandler& handler = iter->second;
  return handler.build_authorizer(global_id);
}

void CephXTicketManager::validate_tickets(uint32_t mask, uint32_t& have, uint32_t& need)
{
  uint32_t i;
  need = 0;
  for (i = 1; i<=mask; i<<=1) {
    if (mask & i) {
      set_have_need_key(i, have, need);
    }
  }
  ldout(cct, 10) << "validate_tickets want " << mask << " have " << have
                 << " need " << need << dendl;
}

bool cephx_decode_ticket(CephContext *cct, KeyStore *keys, uint32_t service_id,
              CephXTicketBlob& ticket_blob, CephXServiceTicketInfo& ticket_info)
{
  uint64_t secret_id = ticket_blob.secret_id;
  CryptoKey service_secret;

  if (!ticket_blob.blob.length()) {
    return false;
  }

  if (secret_id == (uint64_t)-1) {
    if (!keys->get_secret(cct->_conf->name, service_secret)) {
      ldout(cct, 0) << "ceph_decode_ticket could not get general service secret for service_id="
              << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
      return false;
    }
  } else {
    if (!keys->get_service_secret(service_id, secret_id, service_secret)) {
      ldout(cct, 0) << "ceph_decode_ticket could not get service secret for service_id=" 
              << ceph_entity_type_name(service_id) << " secret_id=" << secret_id << dendl;
      return false;
    }
  }

  std::string error;
  decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket_blob.blob, error);
  if (!error.empty()) {
    ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:" 
        << error << dendl;
    return false;
  }

  return true;
}

/*
 * SERVICE: verify authorizer and generate reply authorizer
 *
 * {timestamp + 1}^session_key
 */
bool cephx_verify_authorizer(CephContext *cct, KeyStore *keys,
                             bufferlist::iterator& indata,
                             CephXServiceTicketInfo& ticket_info, bufferlist& reply_bl)
{
  __u8 authorizer_v;
  uint32_t service_id;
  uint64_t global_id;
  CryptoKey service_secret;
  // ticket blob
  CephXTicketBlob ticket;


  try {
    ::decode(authorizer_v, indata);
    ::decode(global_id, indata);
    ::decode(service_id, indata);
    ::decode(ticket, indata);
  } catch (buffer::end_of_buffer &e) {
    // Unable to decode!
    return false;
  }
  ldout(cct, 10) << "verify_authorizer decrypted service "
           << ceph_entity_type_name(service_id)
           << " secret_id=" << ticket.secret_id << dendl;

  if (ticket.secret_id == (uint64_t)-1) {
    EntityName name;
    name.set_type(service_id);
    if (!keys->get_secret(name, service_secret)) {
      ldout(cct, 0) << "verify_authorizer could not get general service secret for service "
              << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
      return false;
    }
  } else {
    if (!keys->get_service_secret(service_id, ticket.secret_id, service_secret)) {
      ldout(cct, 0) << "verify_authorizer could not get service secret for service "
              << ceph_entity_type_name(service_id) << " secret_id=" << ticket.secret_id << dendl;
      if (cct->_conf->auth_debug && ticket.secret_id == 0)
        assert(0 == "got secret_id=0");
      return false;
    }
  }
  std::string error;
  if (!service_secret.get_secret().length())
    error = "invalid key";  // Bad key?
  else
    decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
  if (!error.empty()) {
    ldout(cct, 0) << "verify_authorizer could not decrypt ticket info: error: "
      << error << dendl;
    return false;
  }

  if (ticket_info.ticket.global_id != global_id) {
    ldout(cct, 0) << "verify_authorizer global_id mismatch: declared id=" << global_id
            << " ticket_id=" << ticket_info.ticket.global_id << dendl;
    return false;
  }

  ldout(cct, 10) << "verify_authorizer global_id=" << global_id << dendl;

  // CephXAuthorize
  CephXAuthorize auth_msg;
  if (decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
    ldout(cct, 0) << "verify_authorizercould not decrypt authorize request with error: "
      << error << dendl;
    return false;
  }

  /*
   * Reply authorizer:
   *  {timestamp + 1}^session_key
   */
  CephXAuthorizeReply reply;
  // reply.trans_id = auth_msg.trans_id;
  reply.nonce_plus_one = auth_msg.nonce + 1;
  if (encode_encrypt(cct, reply, ticket_info.session_key, reply_bl, error)) {
    ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
    return false;
  }

  ldout(cct, 10) << "verify_authorizer ok nonce " << hex << auth_msg.nonce << dec
           << " reply_bl.length()=" << reply_bl.length() <<  dendl;
  return true;
}

bool CephXAuthorizer::verify_reply(bufferlist::iterator& indata)
{
  CephXAuthorizeReply reply;

  std::string error;
  if (decode_decrypt(cct, reply, session_key, indata, error)) {
      ldout(cct, 0) << "verify_reply couldn't decrypt with error: " << error << dendl;
      return false;
  }

  uint64_t expect = nonce + 1;
  if (expect != reply.nonce_plus_one) {
    ldout(cct, 0) << "verify_authorizer_reply bad nonce got " << reply.nonce_plus_one << " expected " << expect
            << " sent " << nonce << dendl;
    return false;
  }
  return true;
}