xref: /linux-6.15/include/linux/ceph/auth.h (revision e00a844a) 
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _FS_CEPH_AUTH_H
3 #define _FS_CEPH_AUTH_H
4 
5 #include <linux/ceph/types.h>
6 #include <linux/ceph/buffer.h>
7 
8 /*
9  * Abstract interface for communicating with the authenticate module.
10  * There is some handshake that takes place between us and the monitor
11  * to acquire the necessary keys.  These are used to generate an
12  * 'authorizer' that we use when connecting to a service (mds, osd).
13  */
14 
15 struct ceph_auth_client;
16 struct ceph_msg;
17 
18 struct ceph_authorizer {
19 	void (*destroy)(struct ceph_authorizer *);
20 };
21 
22 struct ceph_auth_handshake {
23 	struct ceph_authorizer *authorizer;
24 	void *authorizer_buf;
25 	size_t authorizer_buf_len;
26 	void *authorizer_reply_buf;
27 	size_t authorizer_reply_buf_len;
28 	int (*sign_message)(struct ceph_auth_handshake *auth,
29 			    struct ceph_msg *msg);
30 	int (*check_message_signature)(struct ceph_auth_handshake *auth,
31 				       struct ceph_msg *msg);
32 };
33 
34 struct ceph_auth_client_ops {
35 	const char *name;
36 
37 	/*
38 	 * true if we are authenticated and can connect to
39 	 * services.
40 	 */
41 	int (*is_authenticated)(struct ceph_auth_client *ac);
42 
43 	/*
44 	 * true if we should (re)authenticate, e.g., when our tickets
45 	 * are getting old and crusty.
46 	 */
47 	int (*should_authenticate)(struct ceph_auth_client *ac);
48 
49 	/*
50 	 * build requests and process replies during monitor
51 	 * handshake.  if handle_reply returns -EAGAIN, we build
52 	 * another request.
53 	 */
54 	int (*build_request)(struct ceph_auth_client *ac, void *buf, void *end);
55 	int (*handle_reply)(struct ceph_auth_client *ac, int result,
56 			    void *buf, void *end);
57 
58 	/*
59 	 * Create authorizer for connecting to a service, and verify
60 	 * the response to authenticate the service.
61 	 */
62 	int (*create_authorizer)(struct ceph_auth_client *ac, int peer_type,
63 				 struct ceph_auth_handshake *auth);
64 	/* ensure that an existing authorizer is up to date */
65 	int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
66 				 struct ceph_auth_handshake *auth);
67 	int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
68 				       struct ceph_authorizer *a);
69 	void (*invalidate_authorizer)(struct ceph_auth_client *ac,
70 				      int peer_type);
71 
72 	/* reset when we (re)connect to a monitor */
73 	void (*reset)(struct ceph_auth_client *ac);
74 
75 	void (*destroy)(struct ceph_auth_client *ac);
76 
77 	int (*sign_message)(struct ceph_auth_handshake *auth,
78 			    struct ceph_msg *msg);
79 	int (*check_message_signature)(struct ceph_auth_handshake *auth,
80 				       struct ceph_msg *msg);
81 };
82 
83 struct ceph_auth_client {
84 	u32 protocol;           /* CEPH_AUTH_* */
85 	void *private;          /* for use by protocol implementation */
86 	const struct ceph_auth_client_ops *ops;  /* null iff protocol==0 */
87 
88 	bool negotiating;       /* true if negotiating protocol */
89 	const char *name;       /* entity name */
90 	u64 global_id;          /* our unique id in system */
91 	const struct ceph_crypto_key *key;     /* our secret key */
92 	unsigned want_keys;     /* which services we want */
93 
94 	struct mutex mutex;
95 };
96 
97 extern struct ceph_auth_client *ceph_auth_init(const char *name,
98 					       const struct ceph_crypto_key *key);
99 extern void ceph_auth_destroy(struct ceph_auth_client *ac);
100 
101 extern void ceph_auth_reset(struct ceph_auth_client *ac);
102 
103 extern int ceph_auth_build_hello(struct ceph_auth_client *ac,
104 				 void *buf, size_t len);
105 extern int ceph_handle_auth_reply(struct ceph_auth_client *ac,
106 				  void *buf, size_t len,
107 				  void *reply_buf, size_t reply_len);
108 int ceph_auth_entity_name_encode(const char *name, void **p, void *end);
109 
110 extern int ceph_build_auth(struct ceph_auth_client *ac,
111 		    void *msg_buf, size_t msg_len);
112 
113 extern int ceph_auth_is_authenticated(struct ceph_auth_client *ac);
114 extern int ceph_auth_create_authorizer(struct ceph_auth_client *ac,
115 				       int peer_type,
116 				       struct ceph_auth_handshake *auth);
117 void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
118 extern int ceph_auth_update_authorizer(struct ceph_auth_client *ac,
119 				       int peer_type,
120 				       struct ceph_auth_handshake *a);
121 extern int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
122 					     struct ceph_authorizer *a);
123 extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
124 					    int peer_type);
125 
126 static inline int ceph_auth_sign_message(struct ceph_auth_handshake *auth,
127 					 struct ceph_msg *msg)
128 {
129 	if (auth->sign_message)
130 		return auth->sign_message(auth, msg);
131 	return 0;
132 }
133 
134 static inline
135 int ceph_auth_check_message_signature(struct ceph_auth_handshake *auth,
136 				      struct ceph_msg *msg)
137 {
138 	if (auth->check_message_signature)
139 		return auth->check_message_signature(auth, msg);
140 	return 0;
141 }
142 #endif
143