tls: for sd-fd connection store the tls policy in the jcr

core/src/filed/dir_cmd.cc

@@ -47,6 +47,7 @@
 #include "lib/edit.h"
 #include "lib/path_list.h"
 #include "lib/qualified_resource_name_type_converter.h"
+#include "lib/tls_conf.h"
 
 #if defined(WIN32_VSS)
 #include "win32/findlib/win32.h"
@@ -123,7 +124,7 @@ static BareosSocket *connect_to_director(JobControlRecord *jcr, DirectorResource
 static bool response(JobControlRecord *jcr, BareosSocket *sd, char *resp, const char *cmd);
 static void FiledFreeJcr(JobControlRecord *jcr);
 static bool OpenSdReadSession(JobControlRecord *jcr);
-static void SetStorageAuthKey(JobControlRecord *jcr, char *key);
+static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy);
 
 /* Exported functions */
 
@@ -796,7 +797,7 @@ static bool SetauthorizationCmd(JobControlRecord *jcr)
       return false;
    }
 
-   SetStorageAuthKey(jcr, sd_auth_key.c_str());
+   SetStorageAuthKey(jcr, sd_auth_key.c_str(), jcr->sd_tls_policy);
    Dmsg2(120, "JobId=%d Auth=%s\n", jcr->JobId, jcr->sd_auth_key);
 
    return dir->fsend(OkAuthorization);
@@ -927,7 +928,7 @@ static bool job_cmd(JobControlRecord *jcr)
       dir->fsend(BADjob);
       return false;
    }
-   SetStorageAuthKey(jcr, sd_auth_key.c_str());
+   SetStorageAuthKey(jcr, sd_auth_key.c_str(), jcr->sd_tls_policy);
    Dmsg2(120, "JobId=%d Auth=%s\n", jcr->JobId, jcr->sd_auth_key);
    Mmsg(jcr->errmsg, "JobId=%d Job=%s", jcr->JobId, jcr->Job);
    NewPlugins(jcr);                  /* instantiate plugins for this jcr */
@@ -1494,7 +1495,7 @@ static bool SessionCmd(JobControlRecord *jcr)
    return dir->fsend(OKsession);
 }
 
-static void SetStorageAuthKey(JobControlRecord *jcr, char *key)
+static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy)
 {
    /* if no key don't update anything */
   if (!*key) { return; }
@@ -1523,6 +1524,10 @@ static void SetStorageAuthKey(JobControlRecord *jcr, char *key)
 
    jcr->sd_auth_key = bstrdup(key);
    Dmsg0(5, "set sd auth key\n");
+
+   jcr->sd_tls_policy = policy;
+   Dmsg1(5, "set sd ssl_policy to %d\n", policy);
+
 }
 
 /**
@@ -1531,7 +1536,7 @@ static void SetStorageAuthKey(JobControlRecord *jcr, char *key)
 static bool StorageCmd(JobControlRecord *jcr)
 {
    int stored_port;                /* storage daemon port */
-   int enable_ssl;                 /* enable ssl to sd */
+   TlsPolicy tls_policy;                 /* enable ssl to sd */
    char stored_addr[MAX_NAME_LENGTH];
    PoolMem sd_auth_key(PM_MESSAGE);
    BareosSocket *dir = jcr->dir_bsock;
@@ -1540,17 +1545,17 @@ static bool StorageCmd(JobControlRecord *jcr)
   if (me->nokeepalive) { storage_daemon_socket->ClearKeepalive(); }
    Dmsg1(100, "StorageCmd: %s", dir->msg);
    sd_auth_key.check_size(dir->message_length);
-  if (sscanf(dir->msg, storaddrv1cmd, stored_addr, &stored_port, &enable_ssl, sd_auth_key.c_str()) != 4) {
-    if (sscanf(dir->msg, storaddrv0cmd, stored_addr, &stored_port, &enable_ssl) != 3) {
+  if (sscanf(dir->msg, storaddrv1cmd, stored_addr, &stored_port, &tls_policy, sd_auth_key.c_str()) != 4) {
+    if (sscanf(dir->msg, storaddrv0cmd, stored_addr, &stored_port, &tls_policy) != 3) {
          PmStrcpy(jcr->errmsg, dir->msg);
          Jmsg(jcr, M_FATAL, 0, _("Bad storage command: %s"), jcr->errmsg);
          goto bail_out;
       }
    }
 
-   SetStorageAuthKey(jcr, sd_auth_key.c_str());
+   SetStorageAuthKey(jcr, sd_auth_key.c_str(), tls_policy);
 
-   Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, enable_ssl);
+   Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, tls_policy);
 
    storage_daemon_socket->SetSourceAddress(me->FDsrc_addr);
 
@@ -1581,7 +1586,7 @@ static bool StorageCmd(JobControlRecord *jcr)
 
    jcr->store_bsock = storage_daemon_socket;
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
+   if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) {
     std::string qualified_resource_name;
     if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
             jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {

core/src/include/jcr.h

@@ -35,6 +35,7 @@
 #define BAREOS_INCLUDE_JCR_H_ 1
 
 #include <include/bareos.h>
+#include "lib/tls_conf.h"
 
 #ifdef STORAGE_DAEMON
 #include "stored/read_ctx.h"
@@ -410,7 +411,8 @@ class JobControlRecord {
    POOLMEM *RestoreBootstrap;             /**< Bootstrap file to restore */
    POOLMEM *stime;                        /**< start time for incremental/differential */
    char *sd_auth_key;                     /**< SD auth key */
-   MessagesResource *jcr_msgs;                     /**< Copy of message resource -- actually used */
+   TlsPolicy sd_tls_policy;                  /**< SD Tls Policy */
+   MessagesResource *jcr_msgs;            /**< Copy of message resource -- actually used */
    uint32_t ClientId;                     /**< Client associated with Job */
    char *where;                           /**< Prefix to restore files to */
    char *RegexWhere;                      /**< File relocation in restore */
@@ -679,6 +681,7 @@ extern JobControlRecord *get_jcr_by_session(uint32_t SessionId, uint32_t Session
 extern JobControlRecord *get_jcr_by_partial_name(char *Job);
 extern JobControlRecord *get_jcr_by_full_name(char *Job);
 extern const char *JcrGetAuthenticateKey(uint32_t job_id, const char *unified_job_name);
+TlsPolicy JcrGetTlsPolicy(const char *unified_job_name);
 extern JobControlRecord *get_next_jcr(JobControlRecord *jcr);
 extern void SetJcrJobStatus(JobControlRecord *jcr, int JobStatus);
 extern int num_jobs_run;

core/src/lib/jcr.cc

@@ -46,6 +46,7 @@
 #include "include/bareos.h"
 #include "include/jcr.h"
 #include "lib/edit.h"
+#include "lib/tls_conf.h"
 
 const int debuglevel = 3400;
 
@@ -840,6 +841,25 @@ const char *JcrGetAuthenticateKey(uint32_t job_id, const char *unified_job_name)
   return auth_key;
 }
 
+TlsPolicy JcrGetTlsPolicy(const char *unified_job_name)
+{
+  if (!unified_job_name) { return kBnetTlsUnknown; }
+
+  TlsPolicy policy = kBnetTlsUnknown;
+  JobControlRecord *jcr;
+
+  foreach_jcr (jcr) {
+    if (bstrcmp(jcr->Job, unified_job_name)) {
+      policy = jcr->sd_tls_policy;
+      Dmsg4(debuglevel, "Inc get_jcr jid=%u UseCount=%d Job=%s TlsPolicy=%d\n", jcr->JobId, jcr->UseCount(), jcr->Job, policy);
+      break;
+    }
+  }
+  endeach_jcr(jcr);
+
+  return policy;
+}
+
 static void UpdateWaitTime(JobControlRecord *jcr, int newJobStatus)
 {
   bool enter_in_waittime;

core/src/lib/parse_conf.cc

@@ -51,6 +51,7 @@
  */
 
 #include "include/bareos.h"
+#include "include/jcr.h"
 #include "lib/edit.h"
 #include "lib/parse_conf.h"
 #include "lib/qualified_resource_name_type_converter.h"
@@ -1024,7 +1025,14 @@ bool ConfigurationParser::GetConfiguredTlsPolicy(const std::string &r_code_str,
       return false;
     }
     tls_policy = own_tls_resource->GetPolicy();
-  } else {
+  } else if(r_code_str == std::string("R_JOB")) {
+    TlsPolicy policy = JcrGetTlsPolicy(name.c_str());
+    if (policy == kBnetTlsUnknown) {
+      return false;
+    }
+    tls_policy = policy;
+  }
+  else {
     uint32_t r_code = qualified_resource_name_type_converter_->StringToResourceType(r_code_str);
     if (r_code < 0) { return false; }
 

core/src/lib/tls_conf.h

@@ -33,7 +33,8 @@ enum TlsPolicy : uint32_t
   kBnetTlsEnabled  = 1,   /*!< TLS with certificates is allowed but not required */
   kBnetTlsRequired = 2,   /*!< TLS with certificates is required */
   kBnetTlsAuto     = 4,   /*!< TLS mode will be negotiated by ssl handshake */
-  kBnetTlsDeny     = 0xFF /*!< TLS connection not allowed */
+  kBnetTlsDeny     = 0xFF,/*!< TLS connection not allowed */
+  kBnetTlsUnknown  = 0xFE /*!< TLS connection not allowed */
 };
 
 class TlsResource : public BareosResource {

core/src/stored/dir_cmd.cc

@@ -1542,25 +1542,19 @@ static void SendDirBusyMessage(BareosSocket *dir, Device *dev)
    }
 }
 
-static inline void SetStorageAuthKey(JobControlRecord *jcr, char *key)
+static void SetStorageAuthKey(JobControlRecord *jcr, char *key, TlsPolicy policy)
 {
-   /*
-    * If no key don't update anything
-    */
-   if (!*key) {
-      return;
-   }
+   if (!*key) { return; }
 
-   /*
-    * Clear any sd_auth_key which can be a key when we are acting as
-    * the endpoint for a backup session which we don't seem to be.
-    */
    if (jcr->sd_auth_key) {
       bfree(jcr->sd_auth_key);
    }
 
    jcr->sd_auth_key = bstrdup(key);
    Dmsg0(5, "set sd auth key\n");
+
+   jcr->sd_tls_policy = policy;
+   Dmsg1(5, "set sd ssl_policy to %d\n", policy);
 }
 
 /**
@@ -1579,7 +1573,7 @@ static bool ListenCmd(JobControlRecord *jcr)
 static bool ReplicateCmd(JobControlRecord *jcr)
 {
    int stored_port;                /* storage daemon port */
-   int enable_ssl;                 /* enable ssl to sd */
+   TlsPolicy tls_policy;                 /* enable ssl to sd */
    char JobName[MAX_NAME_LENGTH];
    char stored_addr[MAX_NAME_LENGTH];
    uint32_t JobId = 0;
@@ -1594,14 +1588,14 @@ static bool ReplicateCmd(JobControlRecord *jcr)
    sd_auth_key.check_size(dir->message_length);
 
    if (sscanf(dir->msg, replicatecmd, &JobId, JobName, stored_addr, &stored_port,
-              &enable_ssl, sd_auth_key.c_str()) != 6) {
+              &tls_policy, sd_auth_key.c_str()) != 6) {
       dir->fsend(BADcmd, "replicate", dir->msg);
       return false;
    }
 
-   SetStorageAuthKey(jcr, sd_auth_key.c_str());
+   SetStorageAuthKey(jcr, sd_auth_key.c_str(), tls_policy);
 
-   Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, enable_ssl);
+   Dmsg3(110, "Open storage: %s:%d ssl=%d\n", stored_addr, stored_port, tls_policy);
 
    storage_daemon_socket->SetSourceAddress(me->SDsrc_addr);
 
@@ -1631,7 +1625,7 @@ static bool ReplicateCmd(JobControlRecord *jcr)
    }
    Dmsg0(110, "Connection OK to SD.\n");
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
+   if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) {
      std::string qualified_resource_name;
      if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
              JobName, R_JOB, JobId, qualified_resource_name)) {
@@ -1685,19 +1679,19 @@ static bool RunCmd(JobControlRecord *jcr)
 static bool PassiveCmd(JobControlRecord *jcr)
 {
    int filed_port;                 /* file daemon port */
-   int enable_ssl;                 /* enable ssl to fd */
+   TlsPolicy tls_policy;                 /* enable ssl to fd */
    char filed_addr[MAX_NAME_LENGTH];
    BareosSocket *dir = jcr->dir_bsock;
    BareosSocket *fd;                      /* file daemon bsock */
 
    Dmsg1(100, "PassiveClientCmd: %s", dir->msg);
-   if (sscanf(dir->msg, passiveclientcmd, filed_addr, &filed_port, &enable_ssl) != 3) {
+   if (sscanf(dir->msg, passiveclientcmd, filed_addr, &filed_port, &tls_policy) != 3) {
       PmStrcpy(jcr->errmsg, dir->msg);
       Jmsg(jcr, M_FATAL, 0, _("Bad passiveclientcmd command: %s"), jcr->errmsg);
       goto bail_out;
    }
 
-   Dmsg3(110, "PassiveClientCmd: %s:%d ssl=%d\n", filed_addr, filed_port, enable_ssl);
+   Dmsg3(110, "PassiveClientCmd: %s:%d ssl=%d\n", filed_addr, filed_port, tls_policy);
 
    jcr->passive_client = true;
 
@@ -1725,7 +1719,7 @@ static bool PassiveCmd(JobControlRecord *jcr)
    }
    Dmsg0(110, "Connection OK to FD.\n");
 
-   if (me->IsTlsConfigured() || enable_ssl == TlsPolicy::kBnetTlsAuto) {
+   if (me->IsTlsConfigured() || tls_policy == TlsPolicy::kBnetTlsAuto) {
      std::string qualified_resource_name;
      if (!my_config->GetQualifiedResourceNameTypeConverter()->ResourceToString(
              jcr->Job, R_JOB, jcr->JobId, qualified_resource_name)) {