From patchwork Wed Jul 8 18:27:31 2015 X-Patchwork-Submitter: Chuck Lever III X-Patchwork-Id: 493087
From: Chuck Lever To: fedfs-utils-devel@oss.oracle.com Date: Wed, 08 Jul 2015 11:27:31 -0700 Message-ID: <20150708182731.24274.96633.stgit@seurat.1015granger.net> In-Reply-To: <20150708182053.24274.13851.stgit@seurat.1015granger.net> References: <20150708182053.24274.13851.stgit@seurat.1015granger.net> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-ServerName: mail-qg0-f54.google.com X-Proofpoint-Virus-Version: vendor=nai engine=5700 definitions=7856 signatures=670602 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=1 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1506180000 definitions=main-1507080276 Subject: [fedfs-utils] [PATCH 10/11] fedfsd: Use new rpc_gss server-side API X-BeenThere: fedfs-utils-devel@oss.oracle.com X-Mailman-Version: 2.1.9 Precedence: list Reply-To: fedfs-utils Developers List-Id: fedfs-utils Developers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: fedfs-utils-devel-bounces@oss.oracle.com Errors-To: fedfs-utils-devel-bounces@oss.oracle.com X-Source-IP: userv0022.oracle.com [156.151.31.74] With libtirpc-0.3, GSS is always loaded and available. Signed-off-by: Chuck Lever --- src/fedfsd/fedfsd.h | 1 src/fedfsd/gss.c | 117 +++++++-------------------------------------------- src/fedfsd/svc.c | 3 - 3 files changed, 16 insertions(+), 105 deletions(-) diff --git a/src/fedfsd/fedfsd.h b/src/fedfsd/fedfsd.h index 240524a..220e7e1 100644 --- a/src/fedfsd/fedfsd.h +++ b/src/fedfsd/fedfsd.h @@ -51,7 +51,6 @@ _Bool fedfsd_auth_rpc_gss(struct svc_req *rqstp); /* * gss.c */ -extern bool_t fedfsd_no_dispatch; _Bool fedfsd_set_up_authenticators(void); char * fedfsd_get_gss_cred(struct svc_req *rqstp); diff --git a/src/fedfsd/gss.c b/src/fedfsd/gss.c index c63f42f..639f204 100644 --- a/src/fedfsd/gss.c 
+++ b/src/fedfsd/gss.c @@ -1,12 +1,10 @@ /** * @file src/fedfsd/gss.c * @brief fedfsd support for RPCSEC GSSAPI - * - * Todo: Rework when Linux libtirpc gets a standard RPCSEC API */ /* - * Copyright 2013 Oracle. All rights reserved. + * Copyright 2013, 2015 Oracle. All rights reserved. * * This file is part of fedfs-utils. * @@ -38,9 +36,10 @@ #include #include +#include #include #include -#include +#include #include "fedfs.h" #include "nsdb.h" 
@@ -49,117 +48,33 @@ /** - * Internal TI-RPC API for unpacking a GSS credential - * (Not currently provided by any libtirpc header) - */ -enum auth_stat _svcauth_gss(struct svc_req *rqst, - struct rpc_msg *msg, - bool_t *no_dispatch); - -/** - * TI-RPC API for setting the server's principal name - * (Not currently provided by any libtirpc header) - */ -bool_t svcauth_gss_set_svc_name(gss_name_t name); - -/** * TI-RPC API for retrieving the caller's principal * (Not currently provided by any libtirpc header) */ char *svcauth_gss_get_principal(SVCAUTH *auth); - -/** - * Set to TRUE when the GSS authenticator has already sent an RPC reply - */ -bool_t fedfsd_no_dispatch = FALSE; - -/** - * Log a GSS error - * - * @param prefix NUL-terminated C string containing log entry prefix - * @param maj_stat major status to report - * @param min_stat minor status to report - */ -static void -fedfsd_log_gss_error(const char *prefix, OM_uint32 maj_stat, OM_uint32 min_stat) -{ - gss_buffer_desc maj_msg, min_msg; - OM_uint32 min, msg_ctx; - - msg_ctx = 0; - gss_display_status(&min, maj_stat, GSS_C_GSS_CODE, - GSS_C_NULL_OID, &msg_ctx, &maj_msg); - gss_display_status(&min, min_stat, GSS_C_MECH_CODE, - GSS_C_NULL_OID, &msg_ctx, &min_msg); - - xlog(D_GENERAL, "%s: %s - %s", - prefix, (char *)maj_msg.value, (char *)min_msg.value); - - (void)gss_release_buffer(&min, &min_msg); - (void)gss_release_buffer(&min, &maj_msg); -} - /** - * Unmarshal GSS credentials carried by a request + * Ensure GSS Kerberos authentication is enabled * - * @param rqst handle of an incoming request - * @param msg RPC header information - * @return status returned from authentication check + * @return true if all handlers were installed successfully. 
*/ -static enum auth_stat -fedfsd_authenticate_gss(struct svc_req *rqst, struct rpc_msg *msg) -{ - enum auth_stat stat; - - fedfsd_no_dispatch = FALSE; - stat = _svcauth_gss(rqst, msg, &fedfsd_no_dispatch); - xlog(D_GENERAL, "%s: stat = %d, no_dispatch = %d\n", - __func__, stat, fedfsd_no_dispatch); - return stat; -} - -static _Bool -fedfsd_set_svc_name(void) +_Bool +fedfsd_set_up_authenticators(void) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc namebuf; - gss_name_t name; - - namebuf.value = FEDFS_ADMIN_GSS_SERVICE_NAME; - namebuf.length = strlen(FEDFS_ADMIN_GSS_SERVICE_NAME); - - maj_stat = gss_import_name(&min_stat, &namebuf, - (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, - &name); - if (maj_stat != GSS_S_COMPLETE) { - fedfsd_log_gss_error("Failed to import service name", - maj_stat, min_stat); - return false; + if (!rpc_gss_is_installed("kerberos_v5")) { + xlog(D_GENERAL, "%s: kerberos_v5 mechanism not available", + __func__); + return true; } - if (svcauth_gss_set_svc_name(name) != TRUE) { - (void)gss_release_name(&min_stat, &name); + if (!rpc_gss_set_svc_name(FEDFS_ADMIN_GSS_SERVICE_NAME, + "kerberos_v5", 0, + FEDFS_PROG, FEDFS_V1)) { + xlog(D_GENERAL, "%s: Could not set service name", __func__); return false; } - return true; -} -/** - * Install call-outs to unmarshal each request's credentials - * - * @return true if all handlers were installed successfully. - * - * libtirpc already provides handlers for dealing with - * AUTH_NULL and AUTH_SYS. These cannot be removed. - * A handler for RPCSEC_GSS must be installed manually. - */ -_Bool -fedfsd_set_up_authenticators(void) -{ - if (svc_auth_reg(RPCSEC_GSS, fedfsd_authenticate_gss) < 0) - return false; - return fedfsd_set_svc_name(); + return true; } /** diff --git a/src/fedfsd/svc.c b/src/fedfsd/svc.c index 9198c69..ea057d4 100644 --- a/src/fedfsd/svc.c +++ b/src/fedfsd/svc.c 
@@ -1352,9 +1352,6 @@ fedfsd_dispatch_1(struct svc_req *rqstp, SVCXPRT *xprt) { char addrbuf[INET6_ADDRSTRLEN]; - if (fedfsd_no_dispatch) - return; - fedfsd_caller(rqstp, addrbuf, sizeof(addrbuf)); if (!fedfsd_is_authorized(rqstp)) {
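Review bot: in the gss.c hunk, the `rpc_gss_is_installed("kerberos_v5")` failure path in fedfsd_set_up_authenticators() logs at D_GENERAL and returns true, so fedfsd starts with no RPCSEC_GSS authenticator configured, while the new comment block still promises "@return true if all handlers were installed successfully." The previous code returned false when svc_auth_reg() or fedfsd_set_svc_name() failed, so this is a behaviour change that the commit message ("GSS is always loaded and available") does not explain. Either return false here so startup fails loudly when the mechanism is missing, or document that its absence is tolerated and confirm that fedfsd_is_authorized() in svc.c rejects requests that arrive without GSS credentials. The literal 0 passed as the third argument to rpc_gss_set_svc_name() also deserves a short comment saying what it selects.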
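Review bot: dropping the `if (fedfsd_no_dispatch) return;` guard in fedfsd_dispatch_1() is consistent with removing the variable from fedfsd.h and gss.c, but it relies on the libtirpc rpc_gss server API answering RPCSEC_GSS control messages (context setup and teardown) before the request reaches this dispatcher; the commit message should state that, since any such message that is not handled upstream now falls through to fedfsd_caller() and fedfsd_is_authorized().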