feat(security): handle SASL_LIST_MECHANISMS by server_negotiation

include/dsn/tool-api/network.h

@@ -234,6 +234,7 @@ class rpc_session : public ref_counter
 
     /// for negotiation
     void start_negotiation();
+    security::negotiation *get_negotiation() const;
 
 public:
     ///
@@ -300,6 +301,8 @@ class rpc_session : public ref_counter
 
     void clear_send_queue(bool resend_msgs);
     bool on_disconnected(bool is_write);
+    void on_failure(bool is_write = false);
+    void on_success();
 
 protected:
     // constant info

include/dsn/utility/strings.h

@@ -49,5 +49,5 @@ char *trim_string(char *s);
 
 // calculate the md5 checksum of buffer
 std::string string_md5(const char *buffer, unsigned int length);
-}
-}
+} // namespace utils
+} // namespace dsn

src/runtime/rpc/asio_rpc_session.cpp

@@ -167,13 +167,6 @@ asio_rpc_session::asio_rpc_session(asio_network_provider &net,
     set_options();
 }
 
-void asio_rpc_session::on_failure(bool is_write)
-{
-    if (on_disconnected(is_write)) {
-        close();
-    }
-}
-
 void asio_rpc_session::close()
 {
     utils::auto_write_lock socket_guard(_socket_lock);
@@ -202,9 +195,6 @@ void asio_rpc_session::connect()
 
                 // start auth negotiation when client is connecting to server
                 start_negotiation();
-
-                set_connected();
-                on_send_completed();
                 start_read_next();
             } else {
                 derror("client session connect to %s failed, error = %s",

src/runtime/rpc/asio_rpc_session.h

@@ -56,7 +56,6 @@ class asio_rpc_session : public rpc_session
 
 private:
     void do_read(int read_next) override;
-    void on_failure(bool is_write = false);
     void set_options();
     void on_message_read(message_ex *msg)
     {

src/runtime/rpc/network.cpp

@@ -391,6 +391,21 @@ bool rpc_session::on_disconnected(bool is_write)
     return ret;
 }
 
+void rpc_session::on_failure(bool is_write)
+{
+    if (on_disconnected(is_write)) {
+        close();
+    }
+}
+
+void rpc_session::on_success()
+{
+    if (is_client()) {
+        set_connected();
+        on_send_completed();
+    }
+}
+
 bool rpc_session::on_recv_message(message_ex *msg, int delay_ms)
 {
     if (msg->header->from_address.is_invalid())
@@ -442,6 +457,9 @@ void rpc_session::start_negotiation()
         }
 
         auth_negotiation();
+    } else {
+        // set negotiation success if auth is disabled
+        on_success();
     }
 }
 
@@ -451,6 +469,8 @@ void rpc_session::auth_negotiation()
     _negotiation->start();
 }
 
+security::negotiation *rpc_session::get_negotiation() const { return _negotiation.get(); }
+
 ////////////////////////////////////////////////////////////////////////////////////////////////
 network::network(rpc_engine *srv, network *inner_provider)
     : _engine(srv), _client_hdr_format(NET_HDR_DSN), _unknown_msg_header_format(NET_HDR_INVALID)

src/runtime/security/client_negotiation.cpp

@@ -19,6 +19,8 @@
 #include "negotiation_utils.h"
 
 #include <dsn/dist/fmt_logging.h>
+#include <dsn/tool-api/async_calls.h>
+#include <dsn/utility/smart_pointers.h>
 
 namespace dsn {
 namespace security {
@@ -34,18 +36,24 @@ void client_negotiation::start()
     list_mechanisms();
 }
 
+void client_negotiation::handle_response(error_code err, const negotiation_response &&response)
+{
+    // TBD(zlw)
+}
+
 void client_negotiation::list_mechanisms()
 {
-    negotiation_request request;
-    _status = request.status = negotiation_status::type::SASL_LIST_MECHANISMS;
-    send(request);
+    auto request = dsn::make_unique<negotiation_request>();
+    _status = request->status = negotiation_status::type::SASL_LIST_MECHANISMS;
+    send(std::move(request));
 }
 
-void client_negotiation::send(const negotiation_request &request)
+void client_negotiation::send(std::unique_ptr<negotiation_request> request)
 {
-    message_ptr req = message_ex::create_request(RPC_NEGOTIATION);
-    dsn::marshall(req, request);
-    _session->send_message(req);
+    negotiation_rpc rpc(std::move(request), RPC_NEGOTIATION);
+    rpc.call(_session->remote_address(), nullptr, [this, rpc](error_code err) mutable {
+        handle_response(err, std::move(rpc.response()));
+    });
 }
 
 } // namespace security

src/runtime/security/client_negotiation.h

@@ -30,8 +30,9 @@ class client_negotiation : public negotiation
     void start();
 
 private:
+    void handle_response(error_code err, const negotiation_response &&response);
     void list_mechanisms();
-    void send(const negotiation_request &request);
+    void send(std::unique_ptr<negotiation_request> request);
 };
 
 } // namespace security

src/runtime/security/negotiation.cpp

@@ -24,7 +24,9 @@
 
 namespace dsn {
 namespace security {
-
+/// TODO(zlw):we can't get string list from cflags now,
+/// so we should get supported mechanisms from config in the later
+const std::set<std::string> supported_mechanisms{"GSSAPI"};
 DSN_DEFINE_bool("security", enable_auth, false, "whether open auth or not");
 
 negotiation::~negotiation() {}

src/runtime/security/negotiation.h

@@ -18,12 +18,15 @@
 #pragma once
 
 #include "security_types.h"
+
 #include <memory>
+#include <dsn/cpp/rpc_holder.h>
 
 namespace dsn {
 class rpc_session;
 
 namespace security {
+typedef rpc_holder<negotiation_request, negotiation_response> negotiation_rpc;
 
 class negotiation
 {

src/runtime/security/negotiation_service.cpp

@@ -0,0 +1,51 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "negotiation_service.h"
+#include "negotiation_utils.h"
+#include "server_negotiation.h"
+
+namespace dsn {
+namespace security {
+extern bool FLAGS_enable_auth;
+
+negotiation_service::negotiation_service() : serverlet("negotiation_service") {}
+
+void negotiation_service::open_service()
+{
+    register_rpc_handler_with_rpc_holder(
+        RPC_NEGOTIATION, "Negotiation", &negotiation_service::on_negotiation_request);
+}
+
+void negotiation_service::on_negotiation_request(negotiation_rpc rpc)
+{
+    dassert(!rpc.dsn_request()->io_session->is_client(),
+            "only server session receive negotiation request");
+
+    // reply SASL_AUTH_DISABLE if auth is not enable
+    if (!security::FLAGS_enable_auth) {
+        rpc.response().status = negotiation_status::type::SASL_AUTH_DISABLE;
+        return;
+    }
+
+    server_negotiation *srv_negotiation =
+        static_cast<server_negotiation *>(rpc.dsn_request()->io_session->get_negotiation());
+    srv_negotiation->handle_request(rpc);
+}
+
+} // namespace security
+} // namespace dsn

src/runtime/security/negotiation_service.h

@@ -0,0 +1,40 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include "server_negotiation.h"
+
+#include <dsn/cpp/serverlet.h>
+
+namespace dsn {
+namespace security {
+
+class negotiation_service : public serverlet<negotiation_service>,
+                            public utils::singleton<negotiation_service>
+{
+public:
+    void open_service();
+
+private:
+    negotiation_service();
+    void on_negotiation_request(negotiation_rpc rpc);
+    friend class utils::singleton<negotiation_service>;
+};
+
+} // namespace security
+} // namespace dsn

src/runtime/security/negotiation_utils.h

@@ -17,10 +17,40 @@
 
 #pragma once
 
+#include "security_types.h"
+
 namespace dsn {
 namespace security {
+inline const char *enum_to_string(negotiation_status::type s)
+{
+    switch (s) {
+    case negotiation_status::type::SASL_LIST_MECHANISMS:
+        return "negotiation_list_mechanisms";
+    case negotiation_status::type::SASL_LIST_MECHANISMS_RESP:
+        return "negotiation_list_mechanisms_resp";
+    case negotiation_status::type::SASL_SELECT_MECHANISMS:
+        return "negotiation_select_mechanisms";
+    case negotiation_status::type::SASL_SELECT_MECHANISMS_OK:
+        return "negotiation_select_mechanisms_ok";
+    case negotiation_status::type::SASL_SUCC:
+        return "negotiation_succ";
+    case negotiation_status::type::SASL_AUTH_FAIL:
+        return "negotiation_auth_fail";
+    case negotiation_status::type::SASL_INITIATE:
+        return "negotiation_initiate";
+    case negotiation_status::type::SASL_CHALLENGE:
+        return "negotiation_challenge";
+    case negotiation_status::type::SASL_CHALLENGE_RESP:
+        return "negotiation_challenge_response";
+    case negotiation_status::type::SASL_AUTH_DISABLE:
+        return "negotiation_auth_disable";
+    case negotiation_status::type::INVALID:
+        return "negotiation_invalid";
+    default:
+        return "negotiation-unknown";
+    }
+}
 
 DEFINE_TASK_CODE_RPC(RPC_NEGOTIATION, TASK_PRIORITY_COMMON, dsn::THREAD_POOL_DEFAULT)
-
 } // namespace security
 } // namespace dsn

src/runtime/security/security.thrift

@@ -35,7 +35,7 @@ enum negotiation_status {
     SASL_SELECT_MECHANISMS_OK
     SASL_INITIATE
     SASL_CHALLENGE
-    SASL_CHANLLENGE_RESP
+    SASL_CHALLENGE_RESP
     SASL_SUCC
     SASL_AUTH_DISABLE
     SASL_AUTH_FAIL

src/runtime/security/server_negotiation.cpp

@@ -16,7 +16,10 @@
 // under the License.
 
 #include "server_negotiation.h"
+#include "negotiation_utils.h"
 
+#include <boost/algorithm/string/join.hpp>
+#include <dsn/utility/strings.h>
 #include <dsn/dist/fmt_logging.h>
 
 namespace dsn {
@@ -33,5 +36,37 @@ void server_negotiation::start()
     ddebug_f("{}: start negotiation", _name);
 }
 
+void server_negotiation::handle_request(negotiation_rpc rpc)
+{
+    if (_status == negotiation_status::type::SASL_LIST_MECHANISMS) {
+        on_list_mechanisms(rpc);
+        return;
+    }
+}
+
+void server_negotiation::on_list_mechanisms(negotiation_rpc rpc)
+{
+    if (rpc.request().status == negotiation_status::type::SASL_LIST_MECHANISMS) {
+        std::string mech_list = boost::join(supported_mechanisms, ",");
+        negotiation_response &response = rpc.response();
+        _status = response.status = negotiation_status::type::SASL_LIST_MECHANISMS_RESP;
+        response.msg = std::move(mech_list);
+    } else {
+        ddebug_f("{}: got message({}) while expect({})",
+                 _name,
+                 enum_to_string(rpc.request().status),
+                 enum_to_string(negotiation_status::type::SASL_LIST_MECHANISMS));
+        fail_negotiation(rpc, "invalid_client_message_status");
+    }
+    return;
+}
+
+void server_negotiation::fail_negotiation(negotiation_rpc rpc, const std::string &reason)
+{
+    negotiation_response &response = rpc.response();
+    _status = response.status = negotiation_status::type::SASL_AUTH_FAIL;
+    response.msg = reason;
+}
+
 } // namespace security
 } // namespace dsn