openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

rpc: remove use of the term 'whitelist' from RPC code 

The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2020-06-16 10:39:17 +01:00
parent d3475e71bc
commit 5f75ec90fe
9 changed files with 40 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/internals/rpc.html.in
View File

@ -447,7 +447,8 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
<dt><code>virNetSASLContextPtr</code> (virnetsaslcontext.h)</dt>
<dd>The virNetSASLContext APIs maintain SASL state for a network
service (server or client). This is primarily used on the server
to provide a whitelist of allowed SASL usernames for clients.
to provide an access control list of SASL usernames permitted as
clients.
</dd>
<dt><code>virNetSASLSessionPtr</code> (virnetsaslcontext.h)</dt>
@ -460,7 +461,7 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
<dt><code>virNetTLSContextPtr</code> (virnettlscontext.h)</dt>
<dd>The virNetTLSContext APIs maintain TLS state for a network
service (server or client). This is primarily used on the server
to provide a whitelist of allowed x509 distinguished names, as
to provide an access control list of x509 distinguished names, as
well as diffie-hellman keys. It can also do validation of
x509 certificates prior to initiating a connection, in order
to improve detection of configuration errors.
@ -760,8 +761,8 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
next step is to decode the RPC header. The header is validated to
ensure the request is sensible, ie the server should not receive a
method reply from a client. If the client has not yet authenticated,
a security check is also applied to make sure the procedure is on the
whitelist of those allowed prior to auth. If the packet is a method
an access control list check is also performed to make sure the procedure
is one of those allowed prior to auth. If the packet is a method
call, it will be placed on a global processing queue. The event loop
thread is now done with the packet for the time being.
</p>

6
src/remote/libvirtd.conf.in
View File

@ -253,11 +253,11 @@
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
# verification.
#tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names
# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -282,7 +282,7 @@
@END@
# A whitelist of allowed SASL usernames. The format for username
# An access control list of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#

4
src/remote/remote_daemon_dispatch.c
View File

@ -3861,7 +3861,7 @@ remoteDispatchAuthSaslStart(virNetServerPtr server,
if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0;
} else {
/* Check username whitelist ACL */
/* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2)
goto authdeny;
@ -3957,7 +3957,7 @@ remoteDispatchAuthSaslStep(virNetServerPtr server,
if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0;
} else {
/* Check username whitelist ACL */
/* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2)
goto authdeny;

10
src/rpc/virnetsaslcontext.c
View File

@ -36,7 +36,7 @@ VIR_LOG_INIT("rpc.netsaslcontext");
struct _virNetSASLContext {
virObjectLockable parent;
const char *const*usernameWhitelist;
const char *const *usernameACL;
};
struct _virNetSASLSession {
@ -121,7 +121,7 @@ virNetSASLContextPtr virNetSASLContextNewClient(void)
return ctxt;
}
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist)
virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL)
{
virNetSASLContextPtr ctxt;
@ -132,7 +132,7 @@ virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitel
if (!(ctxt = virObjectLockableNew(virNetSASLContextClass)))
return NULL;
ctxt->usernameWhitelist = usernameWhitelist;
ctxt->usernameACL = usernameACL;
return ctxt;
}
@ -146,7 +146,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
virObjectLock(ctxt);
/* If the list is not set, allow any DN. */
wildcards = ctxt->usernameWhitelist;
wildcards = ctxt->usernameACL;
if (!wildcards) {
ret = 1; /* No ACL, allow all */
goto cleanup;
@ -162,7 +162,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
}
/* Denied */
VIR_ERROR(_("SASL client identity '%s' not allowed in whitelist"), identity);
VIR_ERROR(_("SASL client identity '%s' not allowed by ACL"), identity);
/* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",

2
src/rpc/virnetsaslcontext.h
View File

@ -38,7 +38,7 @@ enum {
};
virNetSASLContextPtr virNetSASLContextNewClient(void);
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist);
virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL);
int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
const char *identity);

30
src/rpc/virnettlscontext.c
View File

@ -60,7 +60,7 @@ struct _virNetTLSContext {
bool isServer;
bool requireValidCert;
const char *const*x509dnWhitelist;
const char *const *x509dnACL;
char *priority;
};
@ -356,7 +356,7 @@ static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
virNetTLSContextCheckCertDNACL(const char *dname,
const char *const *wildcards)
{
while (*wildcards) {
@ -367,7 +367,7 @@ virNetTLSContextCheckCertDNWhitelist(const char *dname,
}
/* Log the client's DN for debugging */
VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);
VIR_DEBUG("Failed ACL check for client DN '%s'", dname);
/* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
@ -385,10 +385,10 @@ virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
const char *certFile,
const char *hostname,
const char *dname,
const char *const* whitelist)
const char *const *acl)
{
if (whitelist && dname &&
virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
if (acl && dname &&
virNetTLSContextCheckCertDNACL(dname, acl) <= 0)
return -1;
if (hostname &&
@ -675,7 +675,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
const char *cacrl,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
@ -740,7 +740,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
}
ctxt->requireValidCert = requireValidCert;
ctxt->x509dnWhitelist = x509dnWhitelist;
ctxt->x509dnACL = x509dnACL;
ctxt->isServer = isServer;
PROBE(RPC_TLS_CONTEXT_NEW,
@ -855,7 +855,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
@ -869,7 +869,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
return NULL;
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
x509dnWhitelist, priority, sanityCheckCert,
x509dnACL, priority, sanityCheckCert,
requireValidCert, isServer);
VIR_FREE(cacert);
@ -882,12 +882,12 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, priority,
sanityCheckCert, requireValidCert, true);
}
@ -906,12 +906,12 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cacrl,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priority,
sanityCheckCert, requireValidCert, true);
}
@ -1063,7 +1063,7 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
VIR_DEBUG("Peer DN is %s", dname);
if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
ctxt->x509dnWhitelist) < 0) {
ctxt->x509dnACL) < 0) {
gnutls_x509_crt_deinit(cert);
goto authdeny;
}

4
src/rpc/virnettlscontext.h
View File

@ -34,7 +34,7 @@ void virNetTLSInit(void);
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
@ -49,7 +49,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cacrl,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *const *x509dnACL,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);

6
tests/virconfdata/libvirtd.conf
View File

@ -174,11 +174,11 @@ crl_file = "/etc/pki/CA/crl.pem"
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
# verification.
tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names
# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -194,7 +194,7 @@ tls_no_verify_certificate = 1
tls_allowed_dn_list = ["DN1", "DN2"]
# A whitelist of allowed SASL usernames. The format for usernames
# An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#

6
tests/virconfdata/libvirtd.out
View File

@ -140,9 +140,9 @@ crl_file = "/etc/pki/CA/crl.pem"
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
# verification.
tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names
# An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -156,7 +156,7 @@ tls_no_verify_certificate = 1
#
# By default, no DN's are checked
tls_allowed_dn_list = [ "DN1", "DN2" ]
# A whitelist of allowed SASL usernames. The format for usernames
# An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#