#define dout_prefix *_dout << "cephx keyserverdata: "
bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
- ExpiringCryptoKey& secret, uint64_t& secret_id) const
+ CryptoKey& secret, uint64_t& secret_id,
+ double& ttl) const
{
map<uint32_t, RotatingSecrets>::const_iterator iter =
rotating_secrets.find(service_id);
if (secrets.secrets.size() > 1)
++riter;
- if (riter->second.expiration < ceph_clock_now())
+ utime_t now = ceph_clock_now();
+ if (riter->second.expiration < now)
++riter; // "current" key has expired, use "next" key instead
secret_id = riter->first;
- secret = riter->second;
- ldout(cct, 30) << "get_service_secret service " << ceph_entity_type_name(service_id)
- << " id " << secret_id << " " << secret << dendl;
- return true;
-}
-
-bool KeyServerData::get_service_secret(CephContext *cct, uint32_t service_id,
- CryptoKey& secret, uint64_t& secret_id) const
-{
- ExpiringCryptoKey e;
-
- if (!get_service_secret(cct, service_id, e, secret_id))
- return false;
+ secret = riter->second.key;
- secret = e.key;
+ // ttl may have just been increased by the user
+ // cap it by expiration of "next" key to prevent handing out a ticket
+ // with a bogus, possibly way into the future, validity
+ ttl = service_id == CEPH_ENTITY_TYPE_AUTH ?
+ cct->_conf->auth_mon_ticket_ttl : cct->_conf->auth_service_ticket_ttl;
+ ttl = min(ttl, static_cast<double>(
+ secrets.secrets.rbegin()->second.expiration - now));
+
+ ldout(cct, 30) << __func__ << " service "
+ << ceph_entity_type_name(service_id) << " secret_id "
+ << secret_id << " " << riter->second << " ttl " << ttl
+ << dendl;
return true;
}
return data.get_caps(cct, name, type, caps_info);
}
-bool KeyServer::get_service_secret(uint32_t service_id,
- CryptoKey& secret, uint64_t& secret_id) const
+bool KeyServer::get_service_secret(uint32_t service_id, CryptoKey& secret,
+ uint64_t& secret_id, double& ttl) const
{
std::scoped_lock l{lock};
- return data.get_service_secret(cct, service_id, secret, secret_id);
+ return data.get_service_secret(cct, service_id, secret, secret_id, ttl);
}
bool KeyServer::get_service_secret(uint32_t service_id,
int KeyServer::_build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
- CephXSessionAuthInfo& info)
+ CephXSessionAuthInfo& info,
+ double ttl)
{
info.service_id = service_id;
info.ticket = parent_ticket;
- info.ticket.init_timestamps(ceph_clock_now(),
- cct->_conf->auth_service_ticket_ttl);
+ info.ticket.init_timestamps(ceph_clock_now(), ttl);
+ info.validity.set_from_double(ttl);
generate_secret(info.session_key);
const AuthTicket& parent_ticket,
CephXSessionAuthInfo& info)
{
- if (!get_service_secret(service_id, info.service_secret, info.secret_id)) {
+ double ttl;
+ if (!get_service_secret(service_id, info.service_secret, info.secret_id,
+ ttl)) {
return -EACCES;
}
std::scoped_lock l{lock};
-
- return _build_session_auth_info(service_id, parent_ticket, info);
+ return _build_session_auth_info(service_id, parent_ticket, info, ttl);
}
int KeyServer::build_session_auth_info(uint32_t service_id,
const AuthTicket& parent_ticket,
- CephXSessionAuthInfo& info,
- CryptoKey& service_secret,
- uint64_t secret_id)
+ const CryptoKey& service_secret,
+ uint64_t secret_id,
+ CephXSessionAuthInfo& info)
{
info.service_secret = service_secret;
info.secret_id = secret_id;
std::scoped_lock l{lock};
- return _build_session_auth_info(service_id, parent_ticket, info);
+ return _build_session_auth_info(service_id, parent_ticket, info,
+ cct->_conf->auth_service_ticket_ttl);
}