auth, msg: dissect AuthStreamHandler from AuthSessionHandler.

Signed-off-by: Radoslaw Zarzynski <[email protected]>
allenk · Feb 21, 2019 · 9d07d69 · 9d07d69
1 parent 1291a8a
commit 9d07d69
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 31 deletions.
diff --git a/src/auth/AuthSessionHandler.cc b/src/auth/AuthSessionHandler.cc
@@ -27,7 +27,6 @@
 AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const std::string& connection_secret,
   uint64_t features)
 {
 
@@ -41,7 +40,7 @@ AuthSessionHandler *get_auth_session_handler(
     if (key.get_type() == CEPH_CRYPTO_NONE) {
       return nullptr;
     }
-    return new CephxSessionHandler(cct, key, connection_secret, features);
+    return new CephxSessionHandler(cct, key, features);
   case CEPH_AUTH_NONE:
     return new AuthNoneSessionHandler();
   case CEPH_AUTH_UNKNOWN:
@@ -54,3 +53,10 @@ AuthSessionHandler *get_auth_session_handler(
     return nullptr;
   }
 }
+
+std::unique_ptr<AuthStreamHandler> AuthStreamHandler::create_stream_handler(
+    CephContext* ctx,
+    const class AuthConnectionMeta& auth_meta)
+{
+  return std::make_unique<AuthStreamHandler>();
+}
diff --git a/src/auth/AuthSessionHandler.h b/src/auth/AuthSessionHandler.h
@@ -30,13 +30,6 @@ struct AuthSessionHandler {
   virtual ~AuthSessionHandler() = default;
   virtual int sign_message(Message *message) = 0;
   virtual int check_message_signature(Message *message) = 0;
-
-  virtual int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
-    return 0;
-  }
-  virtual int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
-    return 0;
-  }
 };
 
 struct DummyAuthSessionHandler : AuthSessionHandler {
@@ -48,10 +41,29 @@ struct DummyAuthSessionHandler : AuthSessionHandler {
   }
 };
 
+// TODO: make this a static member of AuthSessionHandler.
 extern AuthSessionHandler *get_auth_session_handler(
   CephContext *cct, int protocol,
   const CryptoKey& key,
-  const std::string& connection_secret,
   uint64_t features);
 
+
+struct AuthStreamHandler {
+  virtual ~AuthStreamHandler() = default;
+  //virtual ceph::bufferlist authenticated_encrypt(ceph::bufferlist& in) = 0;
+  //virtual ceph::bufferlist authenticated_decrypt(ceph::bufferlist& in) = 0;
+
+  // TODO: kill the dummies
+  int encrypt_bufferlist(bufferlist &in, bufferlist &out) {
+    return 0;
+  }
+  int decrypt_bufferlist(bufferlist &in, bufferlist &out) {
+    return 0;
+  }
+
+  static std::unique_ptr<AuthStreamHandler> create_stream_handler(
+    CephContext* ctx,
+    const class AuthConnectionMeta& auth_meta);
+};
+
 #endif
diff --git a/src/auth/cephx/CephxSessionHandler.cc b/src/auth/cephx/CephxSessionHandler.cc
@@ -184,7 +184,6 @@ int CephxSessionHandler::check_message_signature(Message *m)
 int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-#warning fixme key
     key.encrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to encrypt buffer: " << error << dendl;
@@ -196,7 +195,6 @@ int CephxSessionHandler::encrypt_bufferlist(bufferlist &in, bufferlist &out) {
 int CephxSessionHandler::decrypt_bufferlist(bufferlist &in, bufferlist &out) {
   std::string error;
   try {
-#warning fixme key
     key.decrypt(cct, in, out, &error);
   } catch (std::exception &e) {
     lderr(cct) << __func__ << " failed to decrypt buffer: " << error << dendl;

diff --git a/src/auth/cephx/CephxSessionHandler.h b/src/auth/cephx/CephxSessionHandler.h
@@ -22,29 +22,26 @@ class Message;
 class CephxSessionHandler  : public AuthSessionHandler {
   CephContext *cct;
   int protocol;
-  CryptoKey key;                  // per mon authentication
-  std::string connection_secret;  // per connection
+  CryptoKey key;                // per mon authentication
   uint64_t features;
 
   int _calc_signature(Message *m, uint64_t *psig);
 
 public:
   CephxSessionHandler(CephContext *cct,
 		      const CryptoKey& session_key,
-		      const std::string& connection_secret,
 		      const uint64_t features)
     : cct(cct),
       protocol(CEPH_AUTH_CEPHX),
       key(session_key),
-      connection_secret(connection_secret),
       features(features) {
   }
   ~CephxSessionHandler() override = default;
 
   int sign_message(Message *m) override;
   int check_message_signature(Message *m) override ;
 
-  int encrypt_bufferlist(bufferlist &in, bufferlist &out) override;
-  int decrypt_bufferlist(bufferlist &in, bufferlist &out) override;
+  int encrypt_bufferlist(bufferlist &in, bufferlist &out);
+  int decrypt_bufferlist(bufferlist &in, bufferlist &out);
 };
 
diff --git a/src/crimson/net/SocketConnection.cc b/src/crimson/net/SocketConnection.cc
@@ -710,14 +710,10 @@ SocketConnection::handle_connect_reply(msgr_tag_t tag)
         h.backoff = 0ms;
         set_features(h.reply.features & h.connect.features);
         if (h.authorizer) {
-          std::string connection_secret;  // this is not used here, we just need
-                                        // to make get_auth_session_handler
-                                        // call happy
           session_security.reset(
               get_auth_session_handler(nullptr,
                                        h.authorizer->protocol,
                                        h.authorizer->session_key,
-                                       connection_secret,
                                        features));
         }
         h.authorizer.reset();

diff --git a/src/msg/async/ProtocolV1.cc b/src/msg/async/ProtocolV1.cc
@@ -1683,7 +1683,6 @@ CtPtr ProtocolV1::client_ready() {
     session_security.reset(get_auth_session_handler(
         cct, authorizer->protocol,
 	authorizer->session_key,
-	string() /* connection_secret */,
         connection->get_features()));
   } else {
     // We have no authorizer, so we shouldn't be applying security to messages
@@ -2355,7 +2354,6 @@ CtPtr ProtocolV1::open(ceph_msg_connect_reply &reply,
   session_security.reset(
       get_auth_session_handler(cct, connect_msg.authorizer_protocol,
                                session_key,
-			       string() /* connection secret */,
 			       connection->get_features()));
 
   bufferlist reply_bl;

diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc
@@ -2245,10 +2245,7 @@ CtPtr ProtocolV2::handle_auth_done(char *payload, uint32_t length) {
     return _fault();
   }
   session_security.reset(
-    get_auth_session_handler(
-      cct, auth_meta->auth_method, auth_meta->session_key,
-      auth_meta->connection_secret,
-      CEPH_FEATURE_MSG_AUTH | CEPH_FEATURE_CEPHX_V2));
+    AuthStreamHandler::create_stream_handler(cct, auth_meta).release());
 
   if (!server_cookie) {
     ceph_assert(connect_seq == 0);

diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h
@@ -75,7 +75,7 @@ class ProtocolV2 : public Protocol {
   char *temp_buffer;
   State state;
   uint64_t peer_required_features;
-  std::shared_ptr<AuthSessionHandler> session_security;
+  std::shared_ptr<AuthStreamHandler> session_security;
 
   uint64_t client_cookie;
   uint64_t server_cookie;

diff --git a/src/msg/simple/Pipe.cc b/src/msg/simple/Pipe.cc
@@ -820,7 +820,6 @@ int Pipe::accept()
       get_auth_session_handler(msgr->cct,
 			       connect.authorizer_protocol,
 			       session_key,
-			       string(), /* connection_secret */
 			       connection_state->get_features()));
 
   // notify
@@ -1347,7 +1346,6 @@ int Pipe::connect()
 	      msgr->cct,
 	      authorizer->protocol,
 	      authorizer->session_key,
-	      string() /* connection secret*/,
 	      connection_state->get_features()));
       }  else {
         // We have no authorizer, so we shouldn't be applying security to messages in this pipe.  PLR