[PATCH 2/8] Remove hack using existance of an 'identity' string to disable auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

Currently the server determines whether authentication of clients
is complete, by checking whether an identity is set. This patch
removes that lame hack and replaces it with an explicit method
for changing the client auth code

* daemon/remote.c: Update for new APis
* src/libvirt_private.syms, src/rpc/virnetserverclient.c,
  src/rpc/virnetserverclient.h: Remove virNetServerClientGetIdentity
  and virNetServerClientSetIdentity, adding a new method
  virNetServerClientSetAuth.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 daemon/remote.c              | 14 +++++-------
 src/libvirt_private.syms     |  3 +--
 src/rpc/virnetserverclient.c | 52 +++++++-------------------------------------
 src/rpc/virnetserverclient.h |  5 +----
 4 files changed, 15 insertions(+), 59 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index c92223e..45c50f3 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2391,10 +2391,8 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED,
                 goto cleanup;
             }
             VIR_INFO("Bypass polkit auth for privileged client %s", ident);
-            if (virNetServerClientSetIdentity(client, ident) < 0)
-                virResetLastError();
-            else
-                auth = VIR_NET_SERVER_SERVICE_AUTH_NONE;
+            virNetServerClientSetAuth(client, 0);
+            auth = VIR_NET_SERVER_SERVICE_AUTH_NONE;
             VIR_FREE(ident);
         }
     }
@@ -2535,9 +2533,7 @@ remoteSASLFinish(virNetServerClientPtr client)
     if (!virNetSASLContextCheckIdentity(saslCtxt, identity))
         return -2;
 
-    if (virNetServerClientSetIdentity(client, identity) < 0)
-        goto error;
-
+    virNetServerClientSetAuth(client, 0);
     virNetServerClientSetSASLSession(client, priv->sasl);
 
     VIR_DEBUG("Authentication successful %d", virNetServerClientGetFD(client));
@@ -2869,7 +2865,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
              action, (long long) callerPid, callerUid);
     ret->complete = 1;
 
-    virNetServerClientSetIdentity(client, ident);
+    virNetServerClientSetAuth(client, 0);
     virMutexUnlock(&priv->lock);
     virCommandFree(cmd);
     VIR_FREE(pkout);
@@ -3024,8 +3020,8 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
              action, (long long) callerPid, callerUid,
              polkit_result_to_string_representation(pkresult));
     ret->complete = 1;
-    virNetServerClientSetIdentity(client, ident);
 
+    virNetServerClientSetAuth(client, 0);
     virMutexUnlock(&priv->lock);
     VIR_FREE(ident);
     return 0;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index acaa4d7..8604587 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -852,7 +852,6 @@ virNetServerClientClose;
 virNetServerClientDelayedClose;
 virNetServerClientGetAuth;
 virNetServerClientGetFD;
-virNetServerClientGetIdentity;
 virNetServerClientGetPrivateData;
 virNetServerClientGetReadonly;
 virNetServerClientGetTLSKeySize;
@@ -871,9 +870,9 @@ virNetServerClientPreExecRestart;
 virNetServerClientRemoteAddrString;
 virNetServerClientRemoveFilter;
 virNetServerClientSendMessage;
+virNetServerClientSetAuth;
 virNetServerClientSetCloseHook;
 virNetServerClientSetDispatcher;
-virNetServerClientSetIdentity;
 virNetServerClientStartKeepAlive;
 virNetServerClientWantClose;
 
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index 446e1e9..9e519e6 100644
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -64,7 +64,6 @@ struct _virNetServerClient
     virNetSocketPtr sock;
     int auth;
     bool readonly;
-    char *identity;
 #if WITH_GNUTLS
     virNetTLSContextPtr tlsCtxt;
     virNetTLSSessionPtr tls;
@@ -442,7 +441,6 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virJSONValuePtr objec
     virJSONValuePtr child;
     virNetServerClientPtr client = NULL;
     virNetSocketPtr sock;
-    const char *identity = NULL;
     int auth;
     bool readonly;
     unsigned int nrequests_max;
@@ -463,12 +461,6 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virJSONValuePtr objec
                        _("Missing nrequests_client_max field in JSON state document"));
         return NULL;
     }
-    if (virJSONValueObjectHasKey(object, "identity") &&
-        (!(identity = virJSONValueObjectGetString(object, "identity")))) {
-        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                       _("Missing identity field in JSON state document"));
-        return NULL;
-    }
 
     if (!(child = virJSONValueObjectGet(object, "sock"))) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -493,10 +485,6 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virJSONValuePtr objec
     }
     virObjectUnref(sock);
 
-    if (identity &&
-        virNetServerClientSetIdentity(client, identity) < 0)
-        goto error;
-
     if (privNew) {
         if (!(child = virJSONValueObjectGet(object, "privateData"))) {
             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -536,10 +524,6 @@ virJSONValuePtr virNetServerClientPreExecRestart(virNetServerClientPtr client)
     if (virJSONValueObjectAppendNumberUint(object, "nrequests_max", client->nrequests_max) < 0)
         goto error;
 
-    if (client->identity &&
-        virJSONValueObjectAppendString(object, "identity", client->identity) < 0)
-        goto error;
-
     if (!(child = virNetSocketPreExecRestart(client->sock)))
         goto error;
 
@@ -576,6 +560,13 @@ int virNetServerClientGetAuth(virNetServerClientPtr client)
     return auth;
 }
 
+void virNetServerClientSetAuth(virNetServerClientPtr client, int auth)
+{
+    virObjectLock(client);
+    client->auth = auth;
+    virObjectUnlock(client);
+}
+
 bool virNetServerClientGetReadonly(virNetServerClientPtr client)
 {
     bool readonly;
@@ -663,32 +654,6 @@ void virNetServerClientSetSASLSession(virNetServerClientPtr client,
 #endif
 
 
-int virNetServerClientSetIdentity(virNetServerClientPtr client,
-                                  const char *identity)
-{
-    int ret = -1;
-    virObjectLock(client);
-    if (!(client->identity = strdup(identity))) {
-        virReportOOMError();
-        goto error;
-    }
-    ret = 0;
-
-error:
-    virObjectUnlock(client);
-    return ret;
-}
-
-const char *virNetServerClientGetIdentity(virNetServerClientPtr client)
-{
-    const char *identity;
-    virObjectLock(client);
-    identity = client->identity;
-    virObjectUnlock(client);
-    return identity;
-}
-
-
 void *virNetServerClientGetPrivateData(virNetServerClientPtr client)
 {
     void *data;
@@ -743,7 +708,6 @@ void virNetServerClientDispose(void *obj)
         client->privateDataFreeFunc)
         client->privateDataFreeFunc(client->privateData);
 
-    VIR_FREE(client->identity);
 #if WITH_SASL
     virObjectUnref(client->sasl);
 #endif
@@ -1319,7 +1283,7 @@ bool virNetServerClientNeedAuth(virNetServerClientPtr client)
 {
     bool need = false;
     virObjectLock(client);
-    if (client->auth && !client->identity)
+    if (client->auth)
         need = true;
     virObjectUnlock(client);
     return need;
diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h
index 325f5d9..31414bc 100644
--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -76,6 +76,7 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client,
                                     int filterID);
 
 int virNetServerClientGetAuth(virNetServerClientPtr client);
+void virNetServerClientSetAuth(virNetServerClientPtr client, int auth);
 bool virNetServerClientGetReadonly(virNetServerClientPtr client);
 
 # ifdef WITH_GNUTLS
@@ -92,10 +93,6 @@ int virNetServerClientGetFD(virNetServerClientPtr client);
 
 bool virNetServerClientIsSecure(virNetServerClientPtr client);
 
-int virNetServerClientSetIdentity(virNetServerClientPtr client,
-                                  const char *identity);
-const char *virNetServerClientGetIdentity(virNetServerClientPtr client);
-
 int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
                                       uid_t *uid, gid_t *gid, pid_t *pid);
 
-- 
1.8.1.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]