2016-05-13 06:51:14 +03:00
|
|
|
// Copyright 2016 The etcd Authors
|
2016-04-13 07:44:53 +03:00
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package auth
|
|
|
|
|
|
|
|
|
|
// CAUTION: This randum number based token mechanism is only for testing purpose.
|
|
|
|
|
// JWT based mechanism will be added in the near future.
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
"math/big"
|
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem
This commit introduces revision of authStore. The revision number
represents a version of authStore that is incremented by updating auth
related information.
The revision is required for avoiding TOCTOU problems. Currently there
are two types of the TOCTOU problems in v3 auth.
The first one is in ordinal linearizable requests with a sequence like
below ():
1. Request from client CA is processed in follower FA. FA looks up the
username (let it U) for the request from a token of the request. At
this time, the request is authorized correctly.
2. Another request from client CB is processed in follower FB. CB
is for changing U's password.
3. FB forwards the request from CB to the leader before FA. Now U's
password is updated and the request from CA should be rejected.
4. However, the request from CA is processed by the leader because
authentication is already done in FA.
For avoiding the above sequence, this commit lets
etcdserverpb.RequestHeader have a member revision. The member is
initialized during authentication by followers and checked in a
leader. If the revision in RequestHeader is lower than the leader's
authStore revision, it means a sequence like above happened. In such a
case, the state machine returns auth.ErrAuthRevisionObsolete. The
error code lets nodes retry their requests.
The second one, a case of serializable range and txn, is more
subtle. Because these requests are processed in follower directly. The
TOCTOU problem can be caused by a sequence like below:
1. Serializable request from client CA is processed in follower FA. At
first, FA looks up the username (let it U) and its permission
before actual access to KV.
2. Another request from client CB is processed in follower FB and
forwarded to the leader. The cluster including FA now commits a log
entry of the request from CB. Assume the request changed the
permission or password of U.
3. Now the serializable request from CA is accessing to KV. Even if
the access is allowed at the point of 1, now it can be invalid
because of the change introduced in 2.
For avoiding the above sequence, this commit lets the functions of
serializable requests (EtcdServer.Range() and EtcdServer.Txn())
compare the revision in the request header with the latest revision of
authStore after the actual access. If the saved revision is lower than
the latest one, it means the permission can be changed. Although it
would introduce false positives (e.g. changing other user's password),
it prevents the TOCTOU problem. This idea is an implementation of
Anthony's comment:
https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
|
|
|
"strings"
|
2016-11-14 22:17:55 +03:00
|
|
|
"time"
|
2016-04-13 07:44:53 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
|
|
|
|
defaultSimpleTokenLength = 16
|
2016-11-14 22:17:55 +03:00
|
|
|
simpleTokenTTL = 5 * time.Minute
|
|
|
|
|
simpleTokenTTLResolution = 1 * time.Second
|
2016-04-13 07:44:53 +03:00
|
|
|
)
|
|
|
|
|
|
2016-11-14 22:17:55 +03:00
|
|
|
type simpleTokenTTLKeeper struct {
|
|
|
|
|
tokens map[string]time.Time
|
|
|
|
|
addSimpleTokenCh chan string
|
|
|
|
|
resetSimpleTokenCh chan string
|
|
|
|
|
deleteSimpleTokenCh chan string
|
|
|
|
|
stopCh chan chan struct{}
|
|
|
|
|
deleteTokenFunc func(string)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewSimpleTokenTTLKeeper(deletefunc func(string)) *simpleTokenTTLKeeper {
|
|
|
|
|
stk := &simpleTokenTTLKeeper{
|
|
|
|
|
tokens: make(map[string]time.Time),
|
|
|
|
|
addSimpleTokenCh: make(chan string, 1),
|
|
|
|
|
resetSimpleTokenCh: make(chan string, 1),
|
|
|
|
|
deleteSimpleTokenCh: make(chan string, 1),
|
|
|
|
|
stopCh: make(chan chan struct{}),
|
|
|
|
|
deleteTokenFunc: deletefunc,
|
|
|
|
|
}
|
|
|
|
|
go stk.run()
|
|
|
|
|
return stk
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (tm *simpleTokenTTLKeeper) stop() {
|
|
|
|
|
waitCh := make(chan struct{})
|
|
|
|
|
tm.stopCh <- waitCh
|
|
|
|
|
<-waitCh
|
|
|
|
|
close(tm.stopCh)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (tm *simpleTokenTTLKeeper) addSimpleToken(token string) {
|
|
|
|
|
tm.addSimpleTokenCh <- token
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (tm *simpleTokenTTLKeeper) resetSimpleToken(token string) {
|
|
|
|
|
tm.resetSimpleTokenCh <- token
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (tm *simpleTokenTTLKeeper) deleteSimpleToken(token string) {
|
|
|
|
|
tm.deleteSimpleTokenCh <- token
|
|
|
|
|
}
|
|
|
|
|
func (tm *simpleTokenTTLKeeper) run() {
|
|
|
|
|
tokenTicker := time.NewTicker(simpleTokenTTLResolution)
|
|
|
|
|
defer tokenTicker.Stop()
|
|
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case t := <-tm.addSimpleTokenCh:
|
|
|
|
|
tm.tokens[t] = time.Now().Add(simpleTokenTTL)
|
|
|
|
|
case t := <-tm.resetSimpleTokenCh:
|
|
|
|
|
if _, ok := tm.tokens[t]; ok {
|
|
|
|
|
tm.tokens[t] = time.Now().Add(simpleTokenTTL)
|
|
|
|
|
}
|
|
|
|
|
case t := <-tm.deleteSimpleTokenCh:
|
|
|
|
|
delete(tm.tokens, t)
|
|
|
|
|
case <-tokenTicker.C:
|
|
|
|
|
nowtime := time.Now()
|
|
|
|
|
for t, tokenendtime := range tm.tokens {
|
|
|
|
|
if nowtime.After(tokenendtime) {
|
|
|
|
|
tm.deleteTokenFunc(t)
|
|
|
|
|
delete(tm.tokens, t)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
case waitCh := <-tm.stopCh:
|
|
|
|
|
tm.tokens = make(map[string]time.Time)
|
|
|
|
|
waitCh <- struct{}{}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-09 03:11:26 +03:00
|
|
|
func (as *authStore) GenSimpleToken() (string, error) {
|
2016-04-13 07:44:53 +03:00
|
|
|
ret := make([]byte, defaultSimpleTokenLength)
|
|
|
|
|
|
|
|
|
|
for i := 0; i < defaultSimpleTokenLength; i++ {
|
|
|
|
|
bInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret[i] = letters[bInt.Int64()]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return string(ret), nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-09 03:11:26 +03:00
|
|
|
func (as *authStore) assignSimpleTokenToUser(username, token string) {
|
|
|
|
|
as.simpleTokensMu.Lock()
|
2016-04-13 07:44:53 +03:00
|
|
|
|
2016-06-09 03:11:26 +03:00
|
|
|
_, ok := as.simpleTokens[token]
|
|
|
|
|
if ok {
|
|
|
|
|
plog.Panicf("token %s is alredy used", token)
|
2016-04-13 07:44:53 +03:00
|
|
|
}
|
|
|
|
|
|
2016-06-09 03:11:26 +03:00
|
|
|
as.simpleTokens[token] = username
|
2016-11-14 22:17:55 +03:00
|
|
|
as.simpleTokenKeeper.addSimpleToken(token)
|
2016-06-09 03:11:26 +03:00
|
|
|
as.simpleTokensMu.Unlock()
|
2016-04-13 07:44:53 +03:00
|
|
|
}
|
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem
This commit introduces revision of authStore. The revision number
represents a version of authStore that is incremented by updating auth
related information.
The revision is required for avoiding TOCTOU problems. Currently there
are two types of the TOCTOU problems in v3 auth.
The first one is in ordinal linearizable requests with a sequence like
below ():
1. Request from client CA is processed in follower FA. FA looks up the
username (let it U) for the request from a token of the request. At
this time, the request is authorized correctly.
2. Another request from client CB is processed in follower FB. CB
is for changing U's password.
3. FB forwards the request from CB to the leader before FA. Now U's
password is updated and the request from CA should be rejected.
4. However, the request from CA is processed by the leader because
authentication is already done in FA.
For avoiding the above sequence, this commit lets
etcdserverpb.RequestHeader have a member revision. The member is
initialized during authentication by followers and checked in a
leader. If the revision in RequestHeader is lower than the leader's
authStore revision, it means a sequence like above happened. In such a
case, the state machine returns auth.ErrAuthRevisionObsolete. The
error code lets nodes retry their requests.
The second one, a case of serializable range and txn, is more
subtle. Because these requests are processed in follower directly. The
TOCTOU problem can be caused by a sequence like below:
1. Serializable request from client CA is processed in follower FA. At
first, FA looks up the username (let it U) and its permission
before actual access to KV.
2. Another request from client CB is processed in follower FB and
forwarded to the leader. The cluster including FA now commits a log
entry of the request from CB. Assume the request changed the
permission or password of U.
3. Now the serializable request from CA is accessing to KV. Even if
the access is allowed at the point of 1, now it can be invalid
because of the change introduced in 2.
For avoiding the above sequence, this commit lets the functions of
serializable requests (EtcdServer.Range() and EtcdServer.Txn())
compare the revision in the request header with the latest revision of
authStore after the actual access. If the saved revision is lower than
the latest one, it means the permission can be changed. Although it
would introduce false positives (e.g. changing other user's password),
it prevents the TOCTOU problem. This idea is an implementation of
Anthony's comment:
https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
|
|
|
|
|
|
|
|
func (as *authStore) invalidateUser(username string) {
|
|
|
|
|
as.simpleTokensMu.Lock()
|
|
|
|
|
defer as.simpleTokensMu.Unlock()
|
|
|
|
|
|
|
|
|
|
for token, name := range as.simpleTokens {
|
|
|
|
|
if strings.Compare(name, username) == 0 {
|
|
|
|
|
delete(as.simpleTokens, token)
|
2016-11-14 22:17:55 +03:00
|
|
|
as.simpleTokenKeeper.deleteSimpleToken(token)
|
auth, etcdserver: introduce revision of authStore for avoiding TOCTOU problem
This commit introduces revision of authStore. The revision number
represents a version of authStore that is incremented by updating auth
related information.
The revision is required for avoiding TOCTOU problems. Currently there
are two types of the TOCTOU problems in v3 auth.
The first one is in ordinal linearizable requests with a sequence like
below ():
1. Request from client CA is processed in follower FA. FA looks up the
username (let it U) for the request from a token of the request. At
this time, the request is authorized correctly.
2. Another request from client CB is processed in follower FB. CB
is for changing U's password.
3. FB forwards the request from CB to the leader before FA. Now U's
password is updated and the request from CA should be rejected.
4. However, the request from CA is processed by the leader because
authentication is already done in FA.
For avoiding the above sequence, this commit lets
etcdserverpb.RequestHeader have a member revision. The member is
initialized during authentication by followers and checked in a
leader. If the revision in RequestHeader is lower than the leader's
authStore revision, it means a sequence like above happened. In such a
case, the state machine returns auth.ErrAuthRevisionObsolete. The
error code lets nodes retry their requests.
The second one, a case of serializable range and txn, is more
subtle. Because these requests are processed in follower directly. The
TOCTOU problem can be caused by a sequence like below:
1. Serializable request from client CA is processed in follower FA. At
first, FA looks up the username (let it U) and its permission
before actual access to KV.
2. Another request from client CB is processed in follower FB and
forwarded to the leader. The cluster including FA now commits a log
entry of the request from CB. Assume the request changed the
permission or password of U.
3. Now the serializable request from CA is accessing to KV. Even if
the access is allowed at the point of 1, now it can be invalid
because of the change introduced in 2.
For avoiding the above sequence, this commit lets the functions of
serializable requests (EtcdServer.Range() and EtcdServer.Txn())
compare the revision in the request header with the latest revision of
authStore after the actual access. If the saved revision is lower than
the latest one, it means the permission can be changed. Although it
would introduce false positives (e.g. changing other user's password),
it prevents the TOCTOU problem. This idea is an implementation of
Anthony's comment:
https://github.com/coreos/etcd/pull/5739#issuecomment-228128254
2016-06-23 12:31:12 +03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|