auth: (experimental) use custom uid and gid fields in client's certif…

…icate as uid/gid for file operations
eshard · Sep 5, 2017 · 768bf63 · piec · Sep 21, 2017 · 768bf63
1 parent a4a417e
commit 768bf63
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 2 deletions.
diff --git a/rpc/rpc-lib/src/Makefile.am b/rpc/rpc-lib/src/Makefile.am
@@ -6,7 +6,8 @@ libgfrpc_la_SOURCES = auth-unix.c rpcsvc-auth.c rpcsvc.c auth-null.c \
 
 libgfrpc_la_LIBADD = $(top_builddir)/libglusterfs/src/libglusterfs.la \
                      $(top_builddir)/rpc/xdr/src/libgfxdr.la
-libgfrpc_la_LDFLAGS = -version-info $(LIBGFRPC_LT_VERSION) $(GF_LDFLAGS)
+libgfrpc_la_LDFLAGS = -version-info $(LIBGFRPC_LT_VERSION) $(GF_LDFLAGS) \
+                      -lssl
 
 libgfrpc_la_HEADERS = rpcsvc.h rpc-transport.h xdr-common.h xdr-rpc.h xdr-rpcclnt.h \
 	rpc-clnt.h rpcsvc-common.h protocol-common.h rpc-drc.h rpc-clnt-ping.h \

diff --git a/rpc/rpc-lib/src/auth-glusterfs.c b/rpc/rpc-lib/src/auth-glusterfs.c
@@ -16,7 +16,9 @@
 #include "xdr-rpc.h"
 #include "xdr-common.h"
 #include "rpc-common-xdr.h"
+#include "rpc/rpc-transport/socket/src/socket.h"
 
+#include <openssl/x509v3.h>
 /* V1 */
 
 ssize_t
@@ -163,6 +165,88 @@ auth_glusterfs_v2_request_init (rpcsvc_request_t *req, void *priv)
         return 0;
 }
 
+int str_to_uid(const unsigned char *str, uid_t *uid)
+{
+        unsigned char *end = NULL;
+        long l = strtol((const char *)str, (char **)&end, 10);
+        if (str == end) {
+                return 1;
+        }
+        if (l == LONG_MAX || l == LONG_MIN) {
+                return 2;
+        }
+        if (l <= 0 || l > 65535) {
+                return 3;
+        }
+        if (uid == NULL) {
+                return 4;
+        }
+        *uid = (uid_t)l;
+        return 0;
+}
+
+int cert_get_uid_gid(X509 *peer, uid_t *uid, gid_t *gid)
+{
+        if (peer == NULL || uid == NULL || gid == NULL) {
+                return 1;
+        }
+
+        const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(peer);
+
+        if (sk_X509_EXTENSION_num(exts) <= 0) {
+                return 2;
+        }
+
+        int uid_ok = 0;
+        int gid_ok = 0;
+        uid_t uid_ = 0;
+        gid_t gid_ = 0;
+
+        for (int i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+                ASN1_OBJECT *obj;
+                X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);
+
+                obj = X509_EXTENSION_get_object(ex);
+
+                char buf[80];
+                int r = i2t_ASN1_OBJECT(buf, sizeof(buf), obj);
+                if (r > 0) {
+                        if (strcmp(buf, "1.2.3.4.5.6.7") == 0) {
+                                ASN1_OCTET_STRING *data_obj = X509_EXTENSION_get_data(ex);
+
+                                const unsigned char* data_bytes = data_obj->data;
+                                long xlen; int ptag; int pclass;
+                                int ret = ASN1_get_object(&data_bytes, &xlen, &ptag, &pclass, data_obj->length);
+                                if ((ret & 0x80) == 0) {
+                                        if (str_to_uid(data_bytes, &uid_) == 0) {
+                                                uid_ok = 1;
+                                        }
+                                }
+                        } else if (strcmp(buf, "1.2.3.4.5.6.8") == 0) {
+                                ASN1_OCTET_STRING *data_obj = X509_EXTENSION_get_data(ex);
+
+                                const unsigned char* data_bytes = data_obj->data;
+                                long xlen; int ptag; int pclass;
+                                int ret = ASN1_get_object(&data_bytes, &xlen, &ptag, &pclass, data_obj->length);
+                                if ((ret & 0x80) == 0) {
+                                        if (str_to_uid(data_bytes, &gid_) == 0) {
+                                                gid_ok = 1;
+                                        }
+                                }
+                        }
+                }
+        }
+
+        if (uid_ok == 0 || gid_ok == 0) {
+                return 3;
+        }
+
+        *uid = uid_;
+        *gid = gid_;
+
+        return 0;
+}
+
 int auth_glusterfs_v2_authenticate (rpcsvc_request_t *req, void *priv)
 {
         struct auth_glusterfs_parms_v2  au = {0,};
@@ -185,6 +269,33 @@ int auth_glusterfs_v2_authenticate (rpcsvc_request_t *req, void *priv)
         req->pid = au.pid;
         req->uid = au.uid;
         req->gid = au.gid;
+
+#if 1
+        if (req->trans->myinfo.sockaddr.ss_family != AF_UNIX) { /* AF_INET, AF_INET6 */
+                uid_t uid = 0;
+                gid_t gid = 0;
+                /* XXX dirty: accessing private structure */
+                socket_private_t *spriv = req->trans->private;
+                X509 *peer = SSL_get_peer_certificate(spriv->ssl_ssl);
+                if (peer == NULL) {
+                        gf_log ("", GF_LOG_ERROR,
+                                        "SSL_get_peer_certificate -> NULL");
+                        ret = RPCSVC_AUTH_REJECT;
+                        goto err;
+                }
+
+                if (cert_get_uid_gid(peer, &req->uid, &req->gid) == 0) {
+                        gf_log ("", GF_LOG_INFO,
+                                        "uid=%d gid=%d", req->uid, req->gid);
+                } else {
+                        gf_log ("", GF_LOG_ERROR,
+                                        "no uid/gid");
+                        ret = RPCSVC_AUTH_REJECT;
+                        goto err;
+                }
+        }
+#endif
+
         req->lk_owner.len = au.lk_owner.lk_owner_len;
         req->auxgidcount = au.groups.groups_len;
 

diff --git a/xlators/mount/fuse/utils/Makefile.am b/xlators/mount/fuse/utils/Makefile.am
@@ -1,7 +1,7 @@
 utildir = @mountutildir@
 
 if GF_LINUX_HOST_OS
-util_SCRIPTS = mount.glusterfs
+dist_bin_SCRIPTS = mount.glusterfs
 else
 util_SCRIPTS = mount_glusterfs
 endif