From: Simon Wilkinson Date: Fri, 4 Mar 2011 22:37:10 +0000 (+0000) Subject: afsconf: Rework security flags X-Git-Tag: openafs-devel-1_7_1~813 X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=7a0bbff4a61b1709cccc643ec8aa4440d2b4a936;hp=419fbfb4536242bbb6321d6e1c468ca939bf7009 afsconf: Rework security flags BuildServerSecurityObjects takes a set of flags, which makes it hard to use it as a callback function. Rework this so that the security flags are part of the afsconf directory structure, and so BuildServerSecurityObjects only takes a rock, and its return parameters. Update all of the callers for this new function, and add tests for it to the test suite. Change-Id: I48219ed199d128c6aec3765ca425bda9e464b937 Reviewed-on: http://gerrit.openafs.org/4201 Tested-by: BuildBot Reviewed-by: Derrick Brashear --- diff --git a/src/auth/authcon.c b/src/auth/authcon.c index a6cfff6..c5ff5d1 100644 --- a/src/auth/authcon.c +++ b/src/auth/authcon.c @@ -235,17 +235,28 @@ out: } /*! + * Set the security flags to be used for a particular configuration + */ +void +afsconf_SetSecurityFlags(struct afsconf_dir *dir, + afsconf_secflags flags) +{ + dir->securityFlags = flags; +} + +/*! * Build a set of security classes suitable for a server accepting * incoming connections */ #if !defined(UKERNEL) void -afsconf_BuildServerSecurityObjects(struct afsconf_dir *dir, - afs_uint32 flags, +afsconf_BuildServerSecurityObjects(void *rock, struct rx_securityClass ***classes, afs_int32 *numClasses) { - if (flags & AFSCONF_SEC_OBJS_RXKAD_CRYPT) + struct afsconf_dir *dir = rock; + + if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT) *numClasses = 4; else *numClasses = 3; @@ -256,7 +267,8 @@ afsconf_BuildServerSecurityObjects(struct afsconf_dir *dir, (*classes)[1] = NULL; (*classes)[2] = rxkad_NewServerSecurityObject(0, dir, afsconf_GetKey, NULL); - if (flags & AFSCONF_SEC_OBJS_RXKAD_CRYPT) + + if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT) (*classes)[3] = rxkad_NewServerSecurityObject(rxkad_crypt, dir, afsconf_GetKey, NULL); } diff --git a/src/auth/cellconfig.p.h b/src/auth/cellconfig.p.h index 0565c73..a32742a 100644 --- a/src/auth/cellconfig.p.h +++ b/src/auth/cellconfig.p.h @@ -79,6 +79,15 @@ struct afsconf_aliasentry { struct afsconf_cellalias aliasInfo; }; +/*! + * A set of bit flags to control the selection of a security object + */ +#define AFSCONF_SECOPTS_NOAUTH 0x1 +#define AFSCONF_SECOPTS_LOCALAUTH 0x2 +#define AFSCONF_SECOPTS_ALWAYSENCRYPT 0x4 +#define AFSCONF_SECOPTS_FALLBACK_NULL 0x8 +typedef afs_uint32 afsconf_secflags; + struct afsconf_dir { char *name; /* pointer to dir prefix */ char *cellName; /* cell name, if any, we're in */ @@ -86,6 +95,7 @@ struct afsconf_dir { struct opr_queue keyList; /* list of keys */ afs_int32 timeRead; /* time stamp of file last read */ struct afsconf_aliasentry *alias_entries; /* cell aliases */ + afsconf_secflags securityFlags; }; extern afs_int32 afsconf_FindService(const char *aname); @@ -190,14 +200,6 @@ extern afs_int32 afsconf_ClientAuthSecure(void *arock, struct rx_securityClass **astr, afs_int32 * aindex); -/*! - * A set of bit flags to control the selection of a security object - */ -#define AFSCONF_SECOPTS_NOAUTH 0x1 -#define AFSCONF_SECOPTS_LOCALAUTH 0x2 -#define AFSCONF_SECOPTS_ALWAYSENCRYPT 0x4 -#define AFSCONF_SECOPTS_FALLBACK_NULL 0x8 -typedef afs_uint32 afsconf_secflags; extern afs_int32 afsconf_ClientAuthToken(struct afsconf_cell *info, afsconf_secflags flags, @@ -214,10 +216,10 @@ extern afs_int32 afsconf_PickClientSecObj(struct afsconf_dir *dir, afs_int32 *scIndex, time_t *expires); -/* Flags for this function */ -#define AFSCONF_SEC_OBJS_RXKAD_CRYPT 1 -extern void afsconf_BuildServerSecurityObjects(struct afsconf_dir *, - afs_uint32, +extern void afsconf_SetSecurityFlags(struct afsconf_dir *dir, + afsconf_secflags flags); + +extern void afsconf_BuildServerSecurityObjects(void *, struct rx_securityClass ***, afs_int32 *); diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index 65185d9..a964c38 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -1045,7 +1045,7 @@ main(int argc, char **argv, char **envp) rx_SetRxStatUserOk(bozo_rxstat_userok); afsconf_SetNoAuthFlag(tdir, noAuth); - afsconf_BuildServerSecurityObjects(tdir, 0, &securityClasses, &numClasses); + afsconf_BuildServerSecurityObjects(tdir, &securityClasses, &numClasses); /* Disable jumbograms */ rx_SetNoJumbo(); diff --git a/src/budb/server.c b/src/budb/server.c index 06273b1..eb7cc76 100644 --- a/src/budb/server.c +++ b/src/budb/server.c @@ -560,8 +560,7 @@ main(int argc, char **argv) ERROR(code); } - afsconf_BuildServerSecurityObjects(BU_conf, 0, - &securityClasses, &numClasses); + afsconf_BuildServerSecurityObjects(BU_conf, &securityClasses, &numClasses); /* Disable jumbograms */ rx_SetNoJumbo(); diff --git a/src/libafsauthent/afsauthent.def b/src/libafsauthent/afsauthent.def index 1f6258d..c39f588 100644 --- a/src/libafsauthent/afsauthent.def +++ b/src/libafsauthent/afsauthent.def @@ -151,3 +151,4 @@ EXPORTS pr_SIdToName @150 afsconf_GetExtendedCellInfo @151 afsconf_UpToDate @152 + afsconf_SetSecurityFlags @153 diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c index e427019..997688b 100644 --- a/src/ptserver/ptserver.c +++ b/src/ptserver/ptserver.c @@ -505,8 +505,7 @@ main(int argc, char **argv) pt_hook_write(); #endif - afsconf_BuildServerSecurityObjects(prdir, 0, &securityClasses, - &numClasses); + afsconf_BuildServerSecurityObjects(prdir, &securityClasses, &numClasses); /* Disable jumbograms */ rx_SetNoJumbo(); diff --git a/src/shlibafsauthent/libafsauthent.map b/src/shlibafsauthent/libafsauthent.map index 7b1aaa0..76f5dfc 100644 --- a/src/shlibafsauthent/libafsauthent.map +++ b/src/shlibafsauthent/libafsauthent.map @@ -28,6 +28,7 @@ afsconf_SetCellInfo; afsconf_SetNoAuthFlag; afsconf_SuperUser; + afsconf_SetSecurityFlags; ka_AuthServerConn; ka_Authenticate; ka_CellConfig; diff --git a/src/update/server.c b/src/update/server.c index 11bddb7..b62dc87 100644 --- a/src/update/server.c +++ b/src/update/server.c @@ -299,7 +299,7 @@ main(int argc, char *argv[]) if (rx_InitHost(host, htons(AFSCONF_UPDATEPORT)) < 0) Quit("rx_init"); - afsconf_BuildServerSecurityObjects(cdir, 0, &securityClasses, &numClasses); + afsconf_BuildServerSecurityObjects(cdir, &securityClasses, &numClasses); if (securityClasses[2] == NULL) Quit("rxkad_NewServerSecurityObject"); diff --git a/src/viced/viced.c b/src/viced/viced.c index f2df45c..ce327e5 100644 --- a/src/viced/viced.c +++ b/src/viced/viced.c @@ -2173,8 +2173,8 @@ main(int argc, char *argv[]) } rx_GetIFInfo(); rx_SetRxDeadTime(30); - afsconf_BuildServerSecurityObjects(confDir, AFSCONF_SEC_OBJS_RXKAD_CRYPT, - &securityClasses, &numClasses); + afsconf_SetSecurityFlags(confDir, AFSCONF_SECOPTS_ALWAYSENCRYPT); + afsconf_BuildServerSecurityObjects(confDir, &securityClasses, &numClasses); tservice = rx_NewServiceHost(rx_bindhost, /* port */ 0, /* service id */ 1, /*service name */ diff --git a/src/vlserver/vlserver.c b/src/vlserver/vlserver.c index 33d130d..93fa6d1 100644 --- a/src/vlserver/vlserver.c +++ b/src/vlserver/vlserver.c @@ -370,7 +370,7 @@ main(int argc, char **argv) memset(wr_HostAddress, 0, sizeof(wr_HostAddress)); initialize_dstats(); - afsconf_BuildServerSecurityObjects(tdir, 0, &securityClasses, &numClasses); + afsconf_BuildServerSecurityObjects(tdir, &securityClasses, &numClasses); tservice = rx_NewServiceHost(host, 0, USER_SERVICE_ID, "Vldb server", diff --git a/src/volser/volmain.c b/src/volser/volmain.c index 00eea8e..f90b020 100644 --- a/src/volser/volmain.c +++ b/src/volser/volmain.c @@ -513,7 +513,7 @@ main(int argc, char **argv) VS_EXIT(1); } afsconf_GetKey(tdir, 999, &tkey); - afsconf_BuildServerSecurityObjects(tdir, 0, &securityClasses, &numClasses); + afsconf_BuildServerSecurityObjects(tdir, &securityClasses, &numClasses); if (securityClasses[0] == NULL) Abort("rxnull_NewServerSecurityObject"); service = diff --git a/tests/TESTS b/tests/TESTS index f1bab61..e1e621c 100644 --- a/tests/TESTS +++ b/tests/TESTS @@ -3,3 +3,4 @@ util/exec-alt util/queues auth/keys auth/superuser +auth/authcon diff --git a/tests/auth/.gitignore b/tests/auth/.gitignore index 3360f1d..3e2a46f 100644 --- a/tests/auth/.gitignore +++ b/tests/auth/.gitignore @@ -1,3 +1,4 @@ +/authcon-t /keys-t /superuser-t /test.h diff --git a/tests/auth/Makefile.in b/tests/auth/Makefile.in index 31d2a59..8afde8b 100644 --- a/tests/auth/Makefile.in +++ b/tests/auth/Makefile.in @@ -4,7 +4,7 @@ abs_top_builddir=@abs_top_builddir@ include @TOP_OBJDIR@/src/config/Makefile.config include @TOP_OBJDIR@/src/config/Makefile.pthread -TESTS = superuser-t keys-t +TESTS = authcon-t superuser-t keys-t MODULE_CFLAGS=-I$(srcdir)/.. @@ -12,11 +12,16 @@ all check test tests: $(TESTS) MODULE_LIBS = ../tap/libtap.a \ $(abs_top_builddir)/lib/libafsauthent.a \ + $(abs_top_builddir)/lib/librxgk.a \ $(abs_top_builddir)/lib/libafsrpc.a \ $(abs_top_builddir)/lib/libafshcrypto.a \ $(LIB_rfc3961) $(LIB_roken) -lafsutil\ $(XLIBS) +authcon-t: authcon-t.o common.o + $(AFS_LDRULE) authcon-t.o common.o \ + $(MODULE_LIBS) + superuser-t: superuser-t.o common.o test.cs.o test.ss.o test.xdr.o $(AFS_LDRULE) superuser-t.o common.o \ test.cs.o test.ss.o test.xdr.o \ @@ -44,4 +49,4 @@ superuser-t.o: test.h common.h clean: rm -f *.o *.cs.c *.ss.c *.xdr.c test.h \ - writekeyfile superuser-t keys-t + writekeyfile $(TESTS) diff --git a/tests/auth/authcon-t.c b/tests/auth/authcon-t.c new file mode 100644 index 0000000..4508d8d --- /dev/null +++ b/tests/auth/authcon-t.c @@ -0,0 +1,72 @@ +/* + * Copyright (c) 2010 Your File System Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/*! + * Test those bits of the authcon interface that we can test without involving + * the cache manager. + */ + +#include +#include + +#include + +#include +#include +#include + +#include +#include "common.h" + +int +main(int argc, char **argv) +{ + struct afsconf_dir *dir; + char *dirname; + struct rx_securityClass **classes; + int numClasses; + + plan(3); + dirname = buildTestConfig(); + + dir = afsconf_Open(dirname); + if (dir == NULL) { + fprintf(stderr, "Unable to configure directory.\n"); + exit(1); + } + + /* Server Security objects */ + + afsconf_BuildServerSecurityObjects(dir, &classes, &numClasses); + is_int(3, numClasses, "3 security classes are returned, as expected"); + ok(classes[1] == NULL, "The rxvab class is undefined, as requested"); + free(classes); + + afsconf_SetSecurityFlags(dir, AFSCONF_SECOPTS_ALWAYSENCRYPT); + + afsconf_BuildServerSecurityObjects(dir, &classes, &numClasses); + is_int(4, numClasses, "When encryption is enabled, 4 classes are returned"); + + return 0; +} diff --git a/tests/auth/superuser-t.c b/tests/auth/superuser-t.c index bc46fab..3d3bda0 100644 --- a/tests/auth/superuser-t.c +++ b/tests/auth/superuser-t.c @@ -410,7 +410,7 @@ startServer(char *configPath) exit(1); } - afsconf_BuildServerSecurityObjects(globalDir, 0, &classes, &numClasses); + afsconf_BuildServerSecurityObjects(globalDir, &classes, &numClasses); service = rx_NewService(0, TEST_SERVICE_ID, "test", classes, numClasses, TEST_ExecuteRequest); if (service == NULL) {