From 47c8dbe5432f49cdeb78b3bd1834f7d111679420 Mon Sep 17 00:00:00 2001
From: trasz
Date: Tue, 25 Mar 2014 12:12:37 +0000
Subject: [PATCH] MFC r261758: Add auth-type.

Sponsored by: The FreeBSD Foundation
---
 usr.sbin/ctld/ctl.conf.5 | 12 ++++++++
 usr.sbin/ctld/ctld.c | 52 +++++++++++++++++++++++++++++++++
 usr.sbin/ctld/ctld.h | 2 ++
 usr.sbin/ctld/parse.y | 63 +++++++++++++++++++++++++++++++++-------
 usr.sbin/ctld/token.l | 1 +
 5 files changed, 119 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/ctld/ctl.conf.5 b/usr.sbin/ctld/ctl.conf.5
index 187a3bdefe8..6d684aff5d5 100644
--- a/usr.sbin/ctld/ctl.conf.5
+++ b/usr.sbin/ctld/ctl.conf.5
@@ -101,6 +101,11 @@ Setting it to 0 disables the timeout.
 .Ss auth-group level
 The following statements are available at the auth-group level:
 .Bl -tag -width indent
+.It Ic auth-type Ao Ar type Ac
+Specifies authentication type.
+Type can be either "none", "chap", or "chap-mutual".
+In most cases it is not neccessary to set the type using this clause;
+it is usually used to disable authentication for a given auth-group.
 .It Ic chap Ao Ar user Ac Aq Ar secret
 Specifies CHAP authentication credentials.
 .It Ic chap-mutual Ao Ar user Ac Ao Ar secret Ac Ao Ar mutualuser Ac Aq Ar mutualsecret
@@ -147,6 +152,13 @@ There is no default; every target must use either auth-group, or chap, or
 chap-mutual statements.
 A special auth-group, "no-authentication", may be used to permit access
 without authentication.
+.It Ic auth-type Ao Ar type Ac
+Specifies authentication type.
+Type can be either "none", "chap", or "chap-mutual".
+In most cases it is not neccessary to set the type using this clause;
+it is usually used to disable authentication for a given target.
+This clause is mutually exclusive with auth-group; one cannot use
+both in a single target.
 .It Ic chap Ao Ar user Ac Aq Ar secret
 Specifies CHAP authentication credentials.
 Note that targets must use either auth-group, or chap,
diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c
index 720a1780765..35196951631 100644
--- a/usr.sbin/ctld/ctld.c
+++ b/usr.sbin/ctld/ctld.c
@@ -417,6 +417,58 @@ auth_group_find(struct conf *conf, const char *name)
 	return (NULL);
 }
 
+static int
+auth_group_set_type(struct auth_group *ag, int type)
+{
+
+	if (ag->ag_type == AG_TYPE_UNKNOWN) {
+		ag->ag_type = type;
+		return (0);
+	}
+
+	if (ag->ag_type == type)
+		return (0);
+
+	return (1);
+}
+
+int
+auth_group_set_type_str(struct auth_group *ag, const char *str)
+{
+	int error, type;
+
+	if (strcmp(str, "none") == 0) {
+		type = AG_TYPE_NO_AUTHENTICATION;
+	} else if (strcmp(str, "chap") == 0) {
+		type = AG_TYPE_CHAP;
+	} else if (strcmp(str, "chap-mutual") == 0) {
+		type = AG_TYPE_CHAP_MUTUAL;
+	} else {
+		if (ag->ag_name != NULL)
+			log_warnx("invalid auth-type \"%s\" for auth-group "
+			    "\"%s\"", str, ag->ag_name);
+		else
+			log_warnx("invalid auth-type \"%s\" for target "
+			    "\"%s\"", str, ag->ag_target->t_name);
+		return (1);
+	}
+
+	error = auth_group_set_type(ag, type);
+	if (error != 0) {
+		if (ag->ag_name != NULL)
+			log_warnx("cannot set auth-type to \"%s\" for "
+			    "auth-group \"%s\"; already has a different "
+			    "type", str, ag->ag_name);
+		else
+			log_warnx("cannot set auth-type to \"%s\" for target "
+			    "\"%s\"; already has a different type",
+			    str, ag->ag_target->t_name);
+		return (1);
+	}
+
+	return (error);
+}
+
 static struct portal *
 portal_new(struct portal_group *pg)
 {
diff --git a/usr.sbin/ctld/ctld.h b/usr.sbin/ctld/ctld.h
index 3ea999f7a6e..188645e3866 100644
--- a/usr.sbin/ctld/ctld.h
+++ b/usr.sbin/ctld/ctld.h
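Review bot: Both `else` branches in auth_group_set_type_str dereference `ag->ag_target->t_name` whenever `ag_name` is NULL, so an anonymous auth-group whose `ag_target` was never filled in turns a configuration mistake into a NULL dereference. The target_auth_type rule in this patch does set `ag_target`, but the other places that create anonymous groups are outside the hunk, so a cheap guard such as `assert(ag->ag_target != NULL);` at the top of the function would document and enforce that precondition. Because auth_group_set_type only rejects a type that has already been set to something different, `auth-type none` can only be prevented from coexisting with CHAP credentials if auth_new_chap and auth_new_chap_mutual also record AG_TYPE_CHAP / AG_TYPE_CHAP_MUTUAL on the group; those functions are not in this diff, and since "none" disables authentication outright this is worth confirming. Separately, the trailing `return (error);` is only reachable when `error` is 0, so `return (0);` states the intent more plainly.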
@@ -197,6 +197,8 @@ int conf_verify(struct conf *conf);
 struct auth_group *auth_group_new(struct conf *conf, const char *name);
 void auth_group_delete(struct auth_group *ag);
 struct auth_group *auth_group_find(struct conf *conf, const char *name);
+int auth_group_set_type_str(struct auth_group *ag,
+    const char *type);
 
 const struct auth *auth_new_chap(struct auth_group *ag, const char *user,
     const char *secret);
diff --git a/usr.sbin/ctld/parse.y b/usr.sbin/ctld/parse.y
index 662ae2b09c8..d3d8330a702 100644
--- a/usr.sbin/ctld/parse.y
+++ b/usr.sbin/ctld/parse.y
@@ -57,10 +57,10 @@ extern void yyrestart(FILE *);
 
 %}
 
-%token ALIAS AUTH_GROUP BACKEND BLOCKSIZE CHAP CHAP_MUTUAL CLOSING_BRACKET
-%token DEBUG DEVICE_ID DISCOVERY_AUTH_GROUP INITIATOR_NAME INITIATOR_PORTAL
-%token LISTEN LISTEN_ISER LUN MAXPROC NUM OPENING_BRACKET OPTION PATH PIDFILE
-%token PORTAL_GROUP SERIAL SIZE STR TARGET TIMEOUT
+%token ALIAS AUTH_GROUP AUTH_TYPE BACKEND BLOCKSIZE CHAP CHAP_MUTUAL
+%token CLOSING_BRACKET DEBUG DEVICE_ID DISCOVERY_AUTH_GROUP INITIATOR_NAME
+%token INITIATOR_PORTAL LISTEN LISTEN_ISER LUN MAXPROC NUM OPENING_BRACKET
+%token OPTION PATH PIDFILE PORTAL_GROUP SERIAL SIZE STR TARGET TIMEOUT
 
 %union {
 
@@ -145,6 +145,8 @@ auth_group_entries:
 	;
 
 auth_group_entry:
+	auth_group_auth_type
+	|
 	auth_group_chap
 	|
 	auth_group_chap_mutual
@@ -154,6 +156,17 @@ auth_group_entry:
 	auth_group_initiator_portal
 	;
 
+auth_group_auth_type:	AUTH_TYPE STR
+	{
+		int error;
+
+		error = auth_group_set_type_str(auth_group, $2);
+		free($2);
+		if (error != 0)
+			return (1);
+	}
+	;
+
 auth_group_chap:	CHAP STR STR
 	{
 		const struct auth *ca;
@@ -299,6 +312,8 @@ target_entry:
 	|
 	target_auth_group
 	|
+	target_auth_type
+	|
 	target_chap
 	|
 	target_chap_mutual
@@ -330,7 +345,7 @@ target_auth_group:	AUTH_GROUP STR
 				log_warnx("auth-group for target \"%s\" "
 				    "specified more than once", target->t_name);
 			else
-				log_warnx("cannot mix auth-group with explicit "
+				log_warnx("cannot use both auth-group and explicit "
 				    "authorisations for target \"%s\"",
 				    target->t_name);
 			return (1);
@@ -345,14 +360,40 @@ target_auth_group:	AUTH_GROUP STR
 	}
 	;
 
+target_auth_type:	AUTH_TYPE STR
+	{
+		int error;
+
+		if (target->t_auth_group != NULL) {
+			if (target->t_auth_group->ag_name != NULL) {
+				log_warnx("cannot use both auth-group and "
+				    "auth-type for target \"%s\"",
+				    target->t_name);
+				return (1);
+			}
+		} else {
+			target->t_auth_group = auth_group_new(conf, NULL);
+			if (target->t_auth_group == NULL) {
+				free($2);
+				return (1);
+			}
+			target->t_auth_group->ag_target = target;
+		}
+		error = auth_group_set_type_str(target->t_auth_group, $2);
+		free($2);
+		if (error != 0)
+			return (1);
+	}
+	;
+
 target_chap:	CHAP STR STR
 	{
 		const struct auth *ca;
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with explicit "
-				    "authorisations for target \"%s\"",
+				log_warnx("cannot use both auth-group and "
+				    "chap for target \"%s\"",
 				    target->t_name);
 				free($2);
 				free($3);
@@ -381,8 +422,8 @@ target_chap_mutual:	CHAP_MUTUAL STR STR STR STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with explicit "
-				    "authorisations for target \"%s\"",
+				log_warnx("cannot use both auth-group and "
+				    "chap-mutual for target \"%s\"",
 				    target->t_name);
 				free($2);
 				free($3);
@@ -418,7 +459,7 @@ target_initiator_name:	INITIATOR_NAME STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with "
+				log_warnx("cannot use both auth-group and "
 				    "initiator-name for target \"%s\"",
 				    target->t_name);
 				free($2);
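Review bot: In the new target_auth_type rule, the `ag_name != NULL` conflict branch returns without releasing the lexer string, whereas the sibling target_chap branch directly below frees its arguments before returning; add `free($2);` ahead of that `return (1);` so the two error paths agree. The `else` branch sets `ag_target` only when it creates the anonymous group, so calling auth_group_set_type_str on a pre-existing anonymous group relies on whichever rule created it (chap, chap-mutual, initiator-name or initiator-portal, whose bodies are mostly outside this hunk) having set `ag_target` as well, because the error messages in ctld.c dereference it when `ag_name` is NULL. Since "none" removes authentication from the target entirely, a short comment on the rule would help the next reader, e.g. `/* "none" leaves this target reachable without any authentication; see ctl.conf(5). */`.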
@@ -445,7 +486,7 @@ target_initiator_portal:	INITIATOR_PORTAL STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with "
+				log_warnx("cannot use both auth-group and "
 				    "initiator-portal for target \"%s\"",
 				    target->t_name);
 				free($2);
diff --git a/usr.sbin/ctld/token.l b/usr.sbin/ctld/token.l
index 899a8195986..2846097e3b7 100644
--- a/usr.sbin/ctld/token.l
+++ b/usr.sbin/ctld/token.l
@@ -50,6 +50,7 @@ extern int yylex(void);
 %%
 alias	{ return ALIAS; }
 auth-group	{ return AUTH_GROUP; }
+auth-type	{ return AUTH_TYPE; }
 backend	{ return BACKEND; }
 blocksize	{ return BLOCKSIZE; }
 chap	{ return CHAP; }
-- 
2.45.2