virNetServer: Introduce unauth clients counter

The counter gets incremented on each unauthenticated client added to the server and decremented whenever the client authenticates. Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2025-03-07 17:28:15 +00:00 · 2014-03-04 15:37:27 +01:00 · 2014-03-04 15:37:27 +01:00 · 4015396b2c
commit 4015396b2c
parent 030cbd6302
3 changed files with 58 additions and 11 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -2619,7 +2619,7 @@ cleanup:
 /*-------------------------------------------------------------*/

 static int
-remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED,
+remoteDispatchAuthList(virNetServerPtr server,
                       virNetServerClientPtr client,
                       virNetMessagePtr msg ATTRIBUTE_UNUSED,
                       virNetMessageErrorPtr rerr,
@ -2649,6 +2649,7 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED,
                goto cleanup;
            VIR_INFO("Bypass polkit auth for privileged client %s", ident);
            virNetServerClientSetAuth(client, 0);
+            virNetServerTrackCompletedAuth(server);
            auth = VIR_NET_SERVER_SERVICE_AUTH_NONE;
            VIR_FREE(ident);
        }
@ -2764,7 +2765,8 @@ authfail:
 * Returns 0 if ok, -1 on error, -2 if rejected
 */
 static int
-remoteSASLFinish(virNetServerClientPtr client)
+remoteSASLFinish(virNetServerPtr server,
+                 virNetServerClientPtr client)
 {
    const char *identity;
    struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client);
@ -2789,6 +2791,7 @@ remoteSASLFinish(virNetServerClientPtr client)
        return -2;

    virNetServerClientSetAuth(client, 0);
+    virNetServerTrackCompletedAuth(server);
    virNetServerClientSetSASLSession(client, priv->sasl);

    VIR_DEBUG("Authentication successful %d", virNetServerClientGetFD(client));
@ -2810,7 +2813,7 @@ error:
 * This starts the SASL authentication negotiation.
 */
 static int
-remoteDispatchAuthSaslStart(virNetServerPtr server ATTRIBUTE_UNUSED,
+remoteDispatchAuthSaslStart(virNetServerPtr server,
                            virNetServerClientPtr client,
                            virNetMessagePtr msg ATTRIBUTE_UNUSED,
                            virNetMessageErrorPtr rerr,
@ -2868,7 +2871,7 @@ remoteDispatchAuthSaslStart(virNetServerPtr server ATTRIBUTE_UNUSED,
        ret->complete = 0;
    } else {
        /* Check username whitelist ACL */
-        if ((err = remoteSASLFinish(client)) < 0) {
+        if ((err = remoteSASLFinish(server, client)) < 0) {
            if (err == -2)
                goto authdeny;
            else
@ -2908,7 +2911,7 @@ error:


 static int
-remoteDispatchAuthSaslStep(virNetServerPtr server ATTRIBUTE_UNUSED,
+remoteDispatchAuthSaslStep(virNetServerPtr server,
                           virNetServerClientPtr client,
                           virNetMessagePtr msg ATTRIBUTE_UNUSED,
                           virNetMessageErrorPtr rerr,
@ -2966,7 +2969,7 @@ remoteDispatchAuthSaslStep(virNetServerPtr server ATTRIBUTE_UNUSED,
        ret->complete = 0;
    } else {
        /* Check username whitelist ACL */
-        if ((err = remoteSASLFinish(client)) < 0) {
+        if ((err = remoteSASLFinish(server, client)) < 0) {
            if (err == -2)
                goto authdeny;
            else
@ -3051,7 +3054,7 @@ remoteDispatchAuthSaslStep(virNetServerPtr server ATTRIBUTE_UNUSED,

 #if WITH_POLKIT1
 static int
-remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+remoteDispatchAuthPolkit(virNetServerPtr server,
                         virNetServerClientPtr client,
                         virNetMessagePtr msg ATTRIBUTE_UNUSED,
                         virNetMessageErrorPtr rerr,
@ -3142,6 +3145,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
    ret->complete = 1;

    virNetServerClientSetAuth(client, 0);
+    virNetServerTrackCompletedAuth(server);
    virMutexUnlock(&priv->lock);
    virCommandFree(cmd);
    VIR_FREE(pkout);
@ -3182,7 +3186,7 @@ authdeny:
 }
 #elif WITH_POLKIT0
 static int
-remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+remoteDispatchAuthPolkit(virNetServerPtr server,
                         virNetServerClientPtr client,
                         virNetMessagePtr msg ATTRIBUTE_UNUSED,
                         virNetMessageErrorPtr rerr,
@ -3297,6 +3301,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
    ret->complete = 1;

    virNetServerClientSetAuth(client, 0);
+    virNetServerTrackCompletedAuth(server);
    virMutexUnlock(&priv->lock);
    VIR_FREE(ident);
    return 0;
--- a/src/rpc/virnetserver.c
+++ b/src/rpc/virnetserver.c
@ -88,9 +88,10 @@ struct _virNetServer {
    size_t nprograms;
    virNetServerProgramPtr *programs;

-    size_t nclients;
-    size_t nclients_max;
-    virNetServerClientPtr *clients;
+    size_t nclients;                    /* Current clients count */
+    virNetServerClientPtr *clients;     /* Clients */
+    size_t nclients_max;                /* Max allowed clients count */
+    size_t nclients_unauth;             /* Unauthenticated clients count */

    int keepaliveInterval;
    unsigned int keepaliveCount;
@ -118,6 +119,8 @@ static virClassPtr virNetServerClass;
 static void virNetServerDispose(void *obj);
 static void virNetServerUpdateServicesLocked(virNetServerPtr srv,
                                             bool enabled);
+static inline size_t virNetServerTrackPendingAuthLocked(virNetServerPtr srv);
+static inline size_t virNetServerTrackCompletedAuthLocked(virNetServerPtr srv);

 static int virNetServerOnceInit(void)
 {
@ -273,6 +276,9 @@ static int virNetServerAddClient(virNetServerPtr srv,
    srv->clients[srv->nclients-1] = client;
    virObjectRef(client);

+    if (virNetServerClientNeedAuth(client))
+        virNetServerTrackPendingAuthLocked(srv);
+
    if (srv->nclients == srv->nclients_max) {
        /* Temporarily stop accepting new clients */
        VIR_DEBUG("Temporarily suspending services due to max_clients");
@ -1133,6 +1139,9 @@ void virNetServerRun(virNetServerPtr srv)

                VIR_DELETE_ELEMENT(srv->clients, i, srv->nclients);

+                if (virNetServerClientNeedAuth(client))
+                    virNetServerTrackCompletedAuthLocked(srv);
+
                /* Enable services if we can accept a new client.
                 * The new client can be accepted if we are at the limit. */
                if (srv->nclients == srv->nclients_max - 1) {
@ -1229,3 +1238,33 @@ bool virNetServerKeepAliveRequired(virNetServerPtr srv)
    virObjectUnlock(srv);
    return required;
 }
+
+static inline size_t
+virNetServerTrackPendingAuthLocked(virNetServerPtr srv)
+{
+    return ++srv->nclients_unauth;
+}
+
+static inline size_t
+virNetServerTrackCompletedAuthLocked(virNetServerPtr srv)
+{
+    return --srv->nclients_unauth;
+}
+
+size_t virNetServerTrackPendingAuth(virNetServerPtr srv)
+{
+    size_t ret;
+    virObjectLock(srv);
+    ret = virNetServerTrackPendingAuthLocked(srv);
+    virObjectUnlock(srv);
+    return ret;
+}
+
+size_t virNetServerTrackCompletedAuth(virNetServerPtr srv)
+{
+    size_t ret;
+    virObjectLock(srv);
+    ret = virNetServerTrackCompletedAuthLocked(srv);
+    virObjectUnlock(srv);
+    return ret;
+}
--- a/src/rpc/virnetserver.h
+++ b/src/rpc/virnetserver.h
@ -97,4 +97,7 @@ void virNetServerClose(virNetServerPtr srv);

 bool virNetServerKeepAliveRequired(virNetServerPtr srv);

+size_t virNetServerTrackPendingAuth(virNetServerPtr srv);
+size_t virNetServerTrackCompletedAuth(virNetServerPtr srv);
+
 #endif