From d54c49d561fb4f6d14db91887c276e37880752de Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Fri, 22 Oct 2021 11:38:36 -0500
Subject: [PATCH] auth/cephx: authenticate with either key or pending_key
Signed-off-by: Sage Weil
---
 src/auth/cephx/CephxKeyServer.cc | 2 +-
 src/auth/cephx/CephxServiceHandler.cc | 29 ++++++++++++++++++---------
 2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 86ccc1ca2fbb7..b2e952781f8b9 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -122,7 +122,7 @@ bool KeyServerData::get_caps(CephContext *cct, const EntityName& name,
 ldout(cct, 10) << "get_caps: name=" << name.to_str() << dendl;
 auto iter = secrets.find(name);
 if (iter != secrets.end()) {
- ldout(cct, 10) << "get_secret: num of caps=" << iter->second.caps.size() << dendl;
+ ldout(cct, 10) << "get_caps: num of caps=" << iter->second.caps.size() << dendl;
 auto capsiter = iter->second.caps.find(type);
 if (capsiter != iter->second.caps.end()) {
 caps_info.caps = capsiter->second;
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index a7c67757c5825..2a41631f2a7f6 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -170,8 +170,8 @@ int CephxServiceHandler::handle_request(
 break;
 }
 
- CryptoKey secret;
- if (!key_server->get_secret(entity_name, secret)) {
+ EntityAuth eauth;
+ if (!key_server->get_auth(entity_name, eauth)) {
 ldout(cct, 0) << "couldn't find entity name: " << entity_name << dendl;
 ret = -EACCES;
 break;
@@ -183,9 +183,24 @@ int CephxServiceHandler::handle_request(
 }
 
 uint64_t expected_key;
+ CryptoKey *used_key = &eauth.key;
 std::string error;
- cephx_calc_client_server_challenge(cct, secret, server_challenge,
+ cephx_calc_client_server_challenge(cct, eauth.key, server_challenge,
 req.client_challenge, &expected_key, error);
+ if ((!error.empty() || req.key != expected_key) &&
+ !eauth.pending_key.empty()) {
+ ldout(cct, 10) << "normal key failed for " << entity_name
+ << ", trying pending_key" << dendl;
+ // try pending_key instead
+ error.clear();
+ cephx_calc_client_server_challenge(cct, eauth.pending_key,
+ server_challenge,
+ req.client_challenge, &expected_key,
+ error);
+ if (error.empty()) {
+ used_key = &eauth.pending_key;
+ }
+ }
 if (!error.empty()) {
 ldout(cct, 0) << " cephx_calc_client_server_challenge error: " << error << dendl;
 ret = -EACCES;
@@ -205,12 +220,6 @@ int CephxServiceHandler::handle_request(
 CephXSessionAuthInfo info;
 bool should_enc_ticket = false;
 
- EntityAuth eauth;
- if (! key_server->get_auth(entity_name, eauth)) {
- ret = -EACCES;
- break;
- }
-
 CephXServiceTicketInfo old_ticket_info;
 ret = verify_old_ticket(req, old_ticket_info, should_enc_ticket);
 if (ret) {
@@ -245,7 +254,7 @@ int CephxServiceHandler::handle_request(
 build_cephx_response_header(cephx_header.request_type, 0, *result_bl);
 
 if (!cephx_build_service_ticket_reply(
- cct, eauth.key, info_vec, should_enc_ticket,
+ cct, *used_key, info_vec, should_enc_ticket,
 old_ticket_info.session_key, *result_bl)) {
 ret = -EIO;
 break;
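Review bot: The fallback block in the `@@ -183` hunk logs that pending_key is being tried but never that it was the key that actually authenticated the client, so an operator cannot tell from the log which of the two keys a peer is still using — which is exactly what is needed to watch a rotation complete and to spot peers that have not picked up the new key. After the block, record the outcome, e.g. `if (used_key == &eauth.pending_key) ldout(cct, 10) << "authenticated " << entity_name << " with pending_key" << dendl;`, and replace `// try pending_key instead` with a why-comment such as `// Key rotation: the peer may already hold pending_key; accept either key and build the ticket reply with the one that verified.` Note that `used_key` is switched to `pending_key` as soon as the second challenge computation returns no error, before the `req.key != expected_key` comparison (presumably just past the hunk) runs, so the ticket reply in the `@@ -245` hunk being built with `*used_key` is only correct because the mismatch path breaks out first — worth confirming that ordering, since handle_request continues outside the hunk. If `cephx_build_service_ticket_reply` accepts the key by const reference, declaring `const CryptoKey *used_key` would document that this path never mutates the entity's keys.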