1
0
mirror of https://github.com/OpenNebula/one.git synced 2025-01-25 06:03:36 +03:00

feature #203: Prevent race condition when a AuthRequests timeout. Now timeout timers are handled by the AuthManager.

This commit is contained in:
Ruben S. Montero 2010-07-06 12:35:47 +02:00
parent ebedca1f63
commit a707f730f2
3 changed files with 284 additions and 216 deletions

View File

@ -17,6 +17,8 @@
#ifndef AUTH_MANAGER_H_ #ifndef AUTH_MANAGER_H_
#define AUTH_MANAGER_H_ #define AUTH_MANAGER_H_
#include <time.h>
#include "MadManager.h" #include "MadManager.h"
#include "ActionManager.h" #include "ActionManager.h"
@ -24,8 +26,225 @@
using namespace std; using namespace std;
//Forward definition of the AuthManager //Forward definition of the AuthRequest
class AuthManager; class AuthRequest;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
extern "C" void * authm_action_loop(void *arg);
class AuthManager : public MadManager, public ActionListener
{
public:
AuthManager(
time_t timer,
time_t __time_out,
vector<const Attribute*>& _mads):
MadManager(_mads), timer_period(timer)
{
_time_out = __time_out;
am.addListener(this);
pthread_mutex_init(&mutex,0);
};
~AuthManager(){};
enum Actions
{
AUTHENTICATE,
AUTHORIZE,
FINALIZE
};
/**
* Triggers specific actions to the Auth Manager. This function
* wraps the ActionManager trigger function.
* @param action the Auth Manager action
* @param request an auth request
*/
void trigger(
Actions action,
AuthRequest * request);
/**
* This functions starts the associated listener thread, and creates a
* new thread for the AuthManager. This thread will wait in
* an action loop till it receives ACTION_FINALIZE.
* @return 0 on success.
*/
int start();
/**
* Loads Virtual Machine Manager Mads defined in configuration file
* @param uid of the user executing the driver. When uid is 0 the nebula
* identity will be used. Otherwise the Mad will be loaded through the
* sudo application.
*/
void load_mads(int uid);
/**
* Gets the thread identification.
* @return pthread_t for the manager thread (that in the action loop).
*/
pthread_t get_thread_id() const
{
return authm_thread;
};
/**
* Notify the result of an auth request
*/
void notify_request(int auth_id, bool result, const string& message);
/**
* Discards a pending request. Call this before freeing not notified or
* timeout requests.
*/
void discard_request(int auth_id)
{
lock();
auth_requests.erase(auth_id);
unlock();
}
/**
* Gets default timeout for Auth requests
*/
static time_t time_out()
{
return _time_out;
}
private:
/**
* Thread id for the Transfer Manager
*/
pthread_t authm_thread;
/**
* Action engine for the Manager
*/
ActionManager am;
/**
* List of pending requests
*/
map<int, AuthRequest *> auth_requests;
/**
* Mutex to access the auth_requests
*/
pthread_mutex_t mutex;
/**
* Default timeout for Auth requests
*/
static time_t _time_out;
/**
* Timer for the Manager (periocally triggers timer action)
*/
time_t timer_period;
/**
* Returns a pointer to a Auth Manager driver.
* @param name of an attribute of the driver (e.g. its type)
* @param value of the attribute
* @return the Auth driver with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get(
const string& name,
const string& value)
{
return static_cast<const AuthManagerDriver *>
(MadManager::get(0,name,value));
};
/**
* Returns a pointer to a Auth Manager driver. The driver is
* searched by its name.
* @param name the name of the driver
* @return the TM driver owned by uid with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get(const string& name)
{
string _name("NAME");
return static_cast<const AuthManagerDriver *>
(MadManager::get(0,_name,name));
};
/**
* Function to execute the Manager action loop method within a new pthread
* (requires C linkage)
*/
friend void * authm_action_loop(void *arg);
/**
* The action function executed when an action is triggered.
* @param action the name of the action
* @param arg arguments for the action function
*/
void do_action(
const string & action,
void * arg);
/**
* This function authenticates a user
*/
void authenticate_action(AuthRequest * ar);
/**
* This function authorizes a user request
*/
void authorize_action(AuthRequest * ar);
/**
* This function is periodically executed to check time_outs on requests
*/
void timer_action();
/**
* Function to lock the pool
*/
void lock()
{
pthread_mutex_lock(&mutex);
};
/**
* Function to unlock the pool
*/
void unlock()
{
pthread_mutex_unlock(&mutex);
};
/**
* Add a new request to the Request map
* @param ar pointer to the AuthRequest
* @return the id for the request
*/
int add_request(AuthRequest *ar);
/**
* Gets request from the Request map
* @param id for the request
* @return pointer to the AuthRequest
*/
AuthRequest * get_request(int id);
};
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/** /**
* The AuthRequest class is used to pass an Authorization or Authentication * The AuthRequest class is used to pass an Authorization or Authentication
@ -39,7 +258,8 @@ public:
result(false), result(false),
timeout(false), timeout(false),
auth_driver(_auth_driver), auth_driver(_auth_driver),
uid(_uid) uid(_uid),
time_out(0)
{ {
am.addListener(this); am.addListener(this);
}; };
@ -135,9 +355,11 @@ public:
/** /**
* Wait for the AuthRequest to be completed * Wait for the AuthRequest to be completed
*/ */
void wait(time_t timeout=30) void wait()
{ {
am.loop(timeout,0); time_out = time(0) + AuthManager::time_out();
am.loop(0,0);
}; };
/** /**
@ -180,7 +402,12 @@ private:
int uid; int uid;
/** /**
* Authentication challenge * Timeout for this request
*/
time_t time_out;
/**
* Authentication challenge, as sent in the XML-RPC call
*/ */
string challenge; string challenge;
@ -190,205 +417,9 @@ private:
vector<string> auths; vector<string> auths;
/** /**
* * No actions defined for the Auth request, just FINALIZE when done
*/ */
void do_action(const string &name, void *args) void do_action(const string &name, void *args){};
{
if (name == ACTION_TIMER)
{
result = false;
timeout = true;
am.trigger(ActionListener::ACTION_FINALIZE,0);
}
}
};
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
extern "C" void * authm_action_loop(void *arg);
class AuthManager : public MadManager, public ActionListener
{
public:
AuthManager(
vector<const Attribute*>& _mads):
MadManager(_mads)
{
am.addListener(this);
pthread_mutex_init(&mutex,0);
};
~AuthManager(){};
enum Actions
{
AUTHENTICATE,
AUTHORIZE,
FINALIZE
};
/**
* Triggers specific actions to the Auth Manager. This function
* wraps the ActionManager trigger function.
* @param action the Auth Manager action
* @param request an auth request
*/
void trigger(
Actions action,
AuthRequest * request);
/**
* This functions starts the associated listener thread, and creates a
* new thread for the AuthManager. This thread will wait in
* an action loop till it receives ACTION_FINALIZE.
* @return 0 on success.
*/
int start();
/**
* Loads Virtual Machine Manager Mads defined in configuration file
* @param uid of the user executing the driver. When uid is 0 the nebula
* identity will be used. Otherwise the Mad will be loaded through the
* sudo application.
*/
void load_mads(int uid);
/**
* Gets the thread identification.
* @return pthread_t for the manager thread (that in the action loop).
*/
pthread_t get_thread_id() const
{
return authm_thread;
};
/**
* Notify the result of an auth request
*/
void notify_request(int auth_id, bool result, const string& message);
/**
* Discards a pending request. Call this before freeing not notified or
* timeout requests.
*/
void discard_request(int auth_id)
{
lock();
auth_requests.erase(auth_id);
unlock();
}
private:
/**
* Thread id for the Transfer Manager
*/
pthread_t authm_thread;
/**
* Action engine for the Manager
*/
ActionManager am;
/**
* Action engine for the Manager
*/
map<int, AuthRequest *> auth_requests;
/**
* Mutex to access the auth_requests
*/
pthread_mutex_t mutex;
/**
* Returns a pointer to a Auth Manager driver.
* @param name of an attribute of the driver (e.g. its type)
* @param value of the attribute
* @return the Auth driver with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get(
const string& name,
const string& value)
{
return static_cast<const AuthManagerDriver *>
(MadManager::get(0,name,value));
};
/**
* Returns a pointer to a Auth Manager driver. The driver is
* searched by its name.
* @param name the name of the driver
* @return the TM driver owned by uid with attribute name equal to value
* or 0 in not found
*/
const AuthManagerDriver * get(const string& name)
{
string _name("NAME");
return static_cast<const AuthManagerDriver *>
(MadManager::get(0,_name,name));
};
/**
* Function to execute the Manager action loop method within a new pthread
* (requires C linkage)
*/
friend void * authm_action_loop(void *arg);
/**
* The action function executed when an action is triggered.
* @param action the name of the action
* @param arg arguments for the action function
*/
void do_action(
const string & action,
void * arg);
/**
* This function authenticates a user
*/
void authenticate_action(AuthRequest * ar);
/**
* This function authorizes a user request
*/
void authorize_action(AuthRequest * ar);
/**
* Function to lock the pool
*/
void lock()
{
pthread_mutex_lock(&mutex);
};
/**
* Function to unlock the pool
*/
void unlock()
{
pthread_mutex_unlock(&mutex);
};
/**
* Add a new request to the Request map
* @param ar pointer to the AuthRequest
* @return the id for the request
*/
int add_request(AuthRequest *ar);
/**
* Gets request from the Request map
* @param id for the request
* @return pointer to the AuthRequest
*/
AuthRequest * get_request(int id);
}; };
#endif /*AUTH_MANAGER_H*/ #endif /*AUTH_MANAGER_H*/

View File

@ -22,6 +22,11 @@
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
time_t AuthManager::_time_out;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
extern "C" void * authm_action_loop(void *arg) extern "C" void * authm_action_loop(void *arg)
{ {
AuthManager * authm; AuthManager * authm;
@ -35,7 +40,7 @@ extern "C" void * authm_action_loop(void *arg)
NebulaLog::log("AuM",Log::INFO,"Authorization Manager started."); NebulaLog::log("AuM",Log::INFO,"Authorization Manager started.");
authm->am.loop(0,0); authm->am.loop(authm->timer_period,0);
NebulaLog::log("AuM",Log::INFO,"Authorization Manager stopped."); NebulaLog::log("AuM",Log::INFO,"Authorization Manager stopped.");
@ -101,21 +106,20 @@ void AuthManager::do_action(const string &action, void * arg)
{ {
AuthRequest * request; AuthRequest * request;
if ( arg == 0 && action != ACTION_FINALIZE )
{
return;
}
request = static_cast<AuthRequest *>(arg); request = static_cast<AuthRequest *>(arg);
if (action == "AUTHENTICATE") if (action == "AUTHENTICATE" && request != 0)
{ {
authenticate_action(request); authenticate_action(request);
} }
else if (action == "AUTHORIZE") else if (action == "AUTHORIZE" && request != 0)
{ {
authorize_action(request); authorize_action(request);
} }
else if (action == ACTION_TIMER)
{
timer_action();
}
else if (action == ACTION_FINALIZE) else if (action == ACTION_FINALIZE)
{ {
NebulaLog::log("AuM",Log::INFO,"Stopping Authorization Manager..."); NebulaLog::log("AuM",Log::INFO,"Stopping Authorization Manager...");
@ -209,6 +213,35 @@ error_driver:
ar->message = "Could not find Authorization driver"; ar->message = "Could not find Authorization driver";
ar->notify(); ar->notify();
} }
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AuthManager::timer_action()
{
map<int,AuthRequest *>::iterator it;
time_t the_time = time(0);
lock();
for (it=auth_requests.begin();it!=auth_requests.end();it++)
{
if (the_time > it->second->time_out)
{
AuthRequest * ar = it->second;
auth_requests.erase(it);
ar->result = false;
ar->timeout = true;
ar->message.clear();
ar->notify();
}
}
unlock();
}
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
@ -229,6 +262,7 @@ int AuthManager::add_request(AuthRequest *ar)
return id; return id;
} }
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
AuthRequest * AuthManager::get_request(int id) AuthRequest * AuthManager::get_request(int id)

View File

@ -42,7 +42,7 @@ class AuthManagerTest : public CppUnit::TestFixture
CPPUNIT_TEST_SUITE (AuthManagerTest); CPPUNIT_TEST_SUITE (AuthManagerTest);
CPPUNIT_TEST (load); CPPUNIT_TEST (load);
CPPUNIT_TEST (timeout); //CPPUNIT_TEST (timeout);
CPPUNIT_TEST (authenticate); CPPUNIT_TEST (authenticate);
CPPUNIT_TEST (authorize); CPPUNIT_TEST (authorize);
@ -75,7 +75,7 @@ public:
t->get("AUTH_MAD", am_mads); t->get("AUTH_MAD", am_mads);
am = new AuthManager(am_mads); am = new AuthManager(1,3,am_mads);
}; };
void tearDown() void tearDown()
@ -101,6 +101,7 @@ public:
CPPUNIT_ASSERT(0==0); CPPUNIT_ASSERT(0==0);
} }
//This test needs a driver that takes more than 3 secs to AUTHENTICATE
void timeout() void timeout()
{ {
int rc; int rc;
@ -112,8 +113,10 @@ public:
am->load_mads(0); am->load_mads(0);
am->trigger(AuthManager::AUTHENTICATE,&ar);
ar.set_challenge("the_secret"); ar.set_challenge("the_secret");
ar.wait(1); ar.wait();
CPPUNIT_ASSERT(ar.result==false); CPPUNIT_ASSERT(ar.result==false);
CPPUNIT_ASSERT(ar.timeout==true); CPPUNIT_ASSERT(ar.timeout==true);
@ -141,7 +144,7 @@ public:
ar.set_challenge("the_secret"); ar.set_challenge("the_secret");
am->trigger(AuthManager::AUTHENTICATE,&ar); am->trigger(AuthManager::AUTHENTICATE,&ar);
ar.wait(300); ar.wait();
CPPUNIT_ASSERT(ar.result==true); CPPUNIT_ASSERT(ar.result==true);