[libvirt] [PATCH 0/2] admin: sasl: Save the SASL username to client's identity

Erik Skultety (2):
  admin: Retrieve the SASL context for both local and remote connection
  daemon: sasl: Don't forget to save SASL username to client's identity

 daemon/admin_server.c | 14 +++++++-------
 daemon/remote.c       |  6 ++++++
 2 files changed, 13 insertions(+), 7 deletions(-)

--
2.5.5

When commit 4a0e9108 added a support for client information retrieval, it made the API return SASL identity info only for clients connected remotely, yet SASL can be happily used with UNIX sockets as well. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- daemon/admin_server.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/daemon/admin_server.c b/daemon/admin_server.c index 9f24f68..5bbf229 100644 --- a/daemon/admin_server.c +++ b/daemon/admin_server.c @@ -237,19 +237,19 @@ adminClientGetInfo(virNetServerClientPtr client, readonly) < 0) goto cleanup; + if (virIdentityGetSASLUserName(identity, &attr) < 0 || + (attr && + virTypedParamsAddString(&tmpparams, nparams, &maxparams, + VIR_CLIENT_INFO_SASL_USER_NAME, + attr) < 0)) + goto cleanup; + if (!virNetServerClientIsLocal(client)) { if (virTypedParamsAddString(&tmpparams, nparams, &maxparams, VIR_CLIENT_INFO_SOCKET_ADDR, sock_addr) < 0) goto cleanup; - if (virIdentityGetSASLUserName(identity, &attr) < 0 || - (attr && - virTypedParamsAddString(&tmpparams, nparams, &maxparams, - VIR_CLIENT_INFO_SASL_USER_NAME, - attr) < 0)) - goto cleanup; - if (virIdentityGetX509DName(identity, &attr) < 0 || (attr && virTypedParamsAddString(&tmpparams, nparams, &maxparams, -- 2.5.5
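Review bot: The SASL lookup that now sits above the `if (!virNetServerClientIsLocal(client))` block in adminClientGetInfo has no comment saying why it lives outside the remote-only branch while the `virIdentityGetX509DName` lookup stays inside it. A one-line comment stating that SASL can be used over UNIX sockets too, so the username is reported for local and remote clients alike, would keep a later cleanup from moving it back under the remote check. If the description of VIR_CLIENT_INFO_SASL_USER_NAME says it is set only for remote clients, it should be updated in this same patch.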

Once the SASL authentication process has successfully passed, we should also save the SASL username used to client's identity, so that when a client like virt-admin tries to obtain it, the server will actually format the username to the response data. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- daemon/remote.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/daemon/remote.c b/daemon/remote.c index 4aa43c2..6991a7e 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -3116,6 +3116,7 @@ static int remoteSASLFinish(virNetServerPtr server, virNetServerClientPtr client) { + virIdentityPtr clnt_identity = NULL; const char *identity; struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client); int ssf; @@ -3138,9 +3139,13 @@ remoteSASLFinish(virNetServerPtr server, if (!virNetSASLContextCheckIdentity(saslCtxt, identity)) return -2; + if (!(clnt_identity = virNetServerClientGetIdentity(client))) + goto error; + virNetServerClientSetAuth(client, 0); virNetServerTrackCompletedAuth(server); virNetServerClientSetSASLSession(client, priv->sasl); + virIdentitySetSASLUserName(clnt_identity, identity); VIR_DEBUG("Authentication successful %d", virNetServerClientGetFD(client)); @@ -3148,6 +3153,7 @@ remoteSASLFinish(virNetServerPtr server, "client=%p auth=%d identity=%s", client, REMOTE_AUTH_SASL, identity); + virObjectUnref(clnt_identity); virObjectUnref(priv->sasl); priv->sasl = NULL; -- 2.5.5
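Review bot: In the second hunk of remoteSASLFinish the return value of `virIdentitySetSASLUserName(clnt_identity, identity);` is ignored, and the call comes after `virNetServerClientSetAuth(client, 0);`. If the set fails, the client is already marked authenticated and its identity still has no SASL username, which is the situation this patch is meant to fix. Suggest checking the call with `< 0` and `goto error`, placing it before virNetServerClientSetAuth(), and making sure the error path drops the reference held in clnt_identity.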
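Review bot: The declaration `virIdentityPtr clnt_identity = NULL;` added in the first hunk sits directly above the existing `const char *identity;`, so remoteSASLFinish now has two similarly named variables, one an identity object and one the SASL username string. Both are then passed together in `virIdentitySetSASLUserName(clnt_identity, identity);`, which is easy to misread. A short comment on the declaration, or a name for the string that says it is the SASL username, would make the call self-explanatory.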

On 29.07.2016 09:54, Erik Skultety wrote:
Erik Skultety (2):
  admin: Retrieve the SASL context for both local and remote connection
  daemon: sasl: Don't forget to save SASL username to client's identity

 daemon/admin_server.c | 14 +++++++-------
 daemon/remote.c       |  6 ++++++
 2 files changed, 13 insertions(+), 7 deletions(-)

ACK and safe for the freeze.

Michal

participants (2)
- Erik Skultety
- Michal Privoznik