--- /dev/null
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation. See file COPYING.
+ *
+ */
+
+#ifndef CEPH_AUTHTYPES_H
+#define CEPH_AUTHTYPES_H
+
+#include "Crypto.h"
+#include "common/entity_name.h"
+
+class Cond;
+
+struct EntityAuth {
+ uint64_t auid;
+ CryptoKey key;
+ map<string, bufferlist> caps;
+
+ EntityAuth() : auid(CEPH_AUTH_UID_DEFAULT) {}
+
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 2;
+ ::encode(struct_v, bl);
+ ::encode(auid, bl);
+ ::encode(key, bl);
+ ::encode(caps, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ if (struct_v >= 2)
+ ::decode(auid, bl);
+ else auid = CEPH_AUTH_UID_DEFAULT;
+ ::decode(key, bl);
+ ::decode(caps, bl);
+ }
+};
+WRITE_CLASS_ENCODER(EntityAuth)
+
+static inline ostream& operator<<(ostream& out, const EntityAuth& a) {
+ return out << "auth(auid = " << a.auid << " key=" << a.key << " with " << a.caps.size() << " caps)";
+}
+
+struct AuthCapsInfo {
+ bool allow_all;
+ bufferlist caps;
+
+ AuthCapsInfo() : allow_all(false) {}
+
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 1;
+ ::encode(struct_v, bl);
+ __u8 a = (__u8)allow_all;
+ ::encode(a, bl);
+ ::encode(caps, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ __u8 a;
+ ::decode(a, bl);
+ allow_all = (bool)a;
+ ::decode(caps, bl);
+ }
+};
+WRITE_CLASS_ENCODER(AuthCapsInfo)
+
+/*
+ * The ticket (if properly validated) authorizes the principal use
+ * services as described by 'caps' during the specified validity
+ * period.
+ */
+struct AuthTicket {
+ EntityName name;
+ uint64_t global_id; /* global instance id */
+ uint64_t auid;
+ utime_t created, renew_after, expires;
+ AuthCapsInfo caps;
+ __u32 flags;
+
+ AuthTicket() : global_id(0), auid(CEPH_AUTH_UID_DEFAULT), flags(0){}
+
+ void init_timestamps(utime_t now, double ttl) {
+ created = now;
+ expires = now;
+ expires += ttl;
+ renew_after = now;
+ renew_after += ttl / 2.0;
+ }
+
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 2;
+ ::encode(struct_v, bl);
+ ::encode(name, bl);
+ ::encode(global_id, bl);
+ ::encode(auid, bl);
+ ::encode(created, bl);
+ ::encode(expires, bl);
+ ::encode(caps, bl);
+ ::encode(flags, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ ::decode(name, bl);
+ ::decode(global_id, bl);
+ if (struct_v >= 2)
+ ::decode(auid, bl);
+ else auid = CEPH_AUTH_UID_DEFAULT;
+ ::decode(created, bl);
+ ::decode(expires, bl);
+ ::decode(caps, bl);
+ ::decode(flags, bl);
+ }
+};
+WRITE_CLASS_ENCODER(AuthTicket)
+
+
+/*
+ * abstract authorizer class
+ */
+struct AuthAuthorizer {
+ __u32 protocol;
+ bufferlist bl;
+ CryptoKey session_key;
+
+ explicit AuthAuthorizer(__u32 p) : protocol(p) {}
+ virtual ~AuthAuthorizer() {}
+ virtual bool verify_reply(bufferlist::iterator& reply) = 0;
+};
+
+
+/*
+ * Key management
+ */
+#define KEY_ROTATE_NUM 3 /* prev, current, next */
+
+struct ExpiringCryptoKey {
+ CryptoKey key;
+ utime_t expiration;
+
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 1;
+ ::encode(struct_v, bl);
+ ::encode(key, bl);
+ ::encode(expiration, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ ::decode(key, bl);
+ ::decode(expiration, bl);
+ }
+};
+WRITE_CLASS_ENCODER(ExpiringCryptoKey)
+
+static inline ostream& operator<<(ostream& out, const ExpiringCryptoKey& c)
+{
+ return out << c.key << " expires " << c.expiration;
+}
+
+struct RotatingSecrets {
+ map<uint64_t, ExpiringCryptoKey> secrets;
+ version_t max_ver;
+
+ RotatingSecrets() : max_ver(0) {}
+
+ void encode(bufferlist& bl) const {
+ __u8 struct_v = 1;
+ ::encode(struct_v, bl);
+ ::encode(secrets, bl);
+ ::encode(max_ver, bl);
+ }
+ void decode(bufferlist::iterator& bl) {
+ __u8 struct_v;
+ ::decode(struct_v, bl);
+ ::decode(secrets, bl);
+ ::decode(max_ver, bl);
+ }
+
+ uint64_t add(ExpiringCryptoKey& key) {
+ secrets[++max_ver] = key;
+ while (secrets.size() > KEY_ROTATE_NUM)
+ secrets.erase(secrets.begin());
+ return max_ver;
+ }
+
+ bool need_new_secrets() const {
+ return secrets.size() < KEY_ROTATE_NUM;
+ }
+ bool need_new_secrets(utime_t now) const {
+ return secrets.size() < KEY_ROTATE_NUM || current().expiration <= now;
+ }
+
+ ExpiringCryptoKey& previous() {
+ return secrets.begin()->second;
+ }
+ ExpiringCryptoKey& current() {
+ map<uint64_t, ExpiringCryptoKey>::iterator p = secrets.begin();
+ ++p;
+ return p->second;
+ }
+ const ExpiringCryptoKey& current() const {
+ map<uint64_t, ExpiringCryptoKey>::const_iterator p = secrets.begin();
+ ++p;
+ return p->second;
+ }
+ ExpiringCryptoKey& next() {
+ return secrets.rbegin()->second;
+ }
+ bool empty() {
+ return secrets.empty();
+ }
+
+ void dump();
+};
+WRITE_CLASS_ENCODER(RotatingSecrets)
+
+
+
+class KeyStore {
+public:
+ virtual ~KeyStore() {}
+ virtual bool get_secret(const EntityName& name, CryptoKey& secret) const = 0;
+ virtual bool get_service_secret(uint32_t service_id, uint64_t secret_id,
+ CryptoKey& secret) const = 0;
+};
+
+static inline bool auth_principal_needs_rotating_keys(EntityName& name)
+{
+ uint32_t ty(name.get_type());
+ return ((ty == CEPH_ENTITY_TYPE_OSD)
+ || (ty == CEPH_ENTITY_TYPE_MDS)
+ || (ty == CEPH_ENTITY_TYPE_MGR));
+}
+
+#endif
Code Review / stor4nfv.git / blobdiff