External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-03 03:25:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

rpc: remove use of the term 'whitelist' from RPC code

Browse Source 
The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2020-06-16 10:39:17 +01:00
parent d3475e71bc
commit 5f75ec90fe
9 changed files with 40 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/internals/rpc.html.in
View File

@ -447,7 +447,8 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
<dt><code>virNetSASLContextPtr</code> (virnetsaslcontext.h)</dt> <dt><code>virNetSASLContextPtr</code> (virnetsaslcontext.h)</dt>
<dd>The virNetSASLContext APIs maintain SASL state for a network <dd>The virNetSASLContext APIs maintain SASL state for a network
service (server or client). This is primarily used on the server service (server or client). This is primarily used on the server
to provide a whitelist of allowed SASL usernames for clients. to provide an access control list of SASL usernames permitted as
clients.
</dd> </dd>
<dt><code>virNetSASLSessionPtr</code> (virnetsaslcontext.h)</dt> <dt><code>virNetSASLSessionPtr</code> (virnetsaslcontext.h)</dt>
@ -460,7 +461,7 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
<dt><code>virNetTLSContextPtr</code> (virnettlscontext.h)</dt> <dt><code>virNetTLSContextPtr</code> (virnettlscontext.h)</dt>
<dd>The virNetTLSContext APIs maintain TLS state for a network <dd>The virNetTLSContext APIs maintain TLS state for a network
service (server or client). This is primarily used on the server service (server or client). This is primarily used on the server
to provide a whitelist of allowed x509 distinguished names, as to provide an access control list of x509 distinguished names, as
well as diffie-hellman keys. It can also do validation of well as diffie-hellman keys. It can also do validation of
x509 certificates prior to initiating a connection, in order x509 certificates prior to initiating a connection, in order
to improve detection of configuration errors. to improve detection of configuration errors.
@ -760,8 +761,8 @@ C &lt;-- |32| 8 | 1 | 3 | 1 | 1 | 0 | .o.oOo | &lt;-- S (reply)
next step is to decode the RPC header. The header is validated to next step is to decode the RPC header. The header is validated to
ensure the request is sensible, ie the server should not receive a ensure the request is sensible, ie the server should not receive a
method reply from a client. If the client has not yet authenticated, method reply from a client. If the client has not yet authenticated,
a security check is also applied to make sure the procedure is on the an access control list check is also performed to make sure the procedure
whitelist of those allowed prior to auth. If the packet is a method is one of those allowed prior to auth. If the packet is a method
call, it will be placed on a global processing queue. The event loop call, it will be placed on a global processing queue. The event loop
thread is now done with the packet for the time being. thread is now done with the packet for the time being.
</p> </p>

6
src/remote/libvirtd.conf.in
View File

@ -253,11 +253,11 @@
# will be rejected. # will be rejected.
# #
# Default is to always verify. Uncommenting this will disable # Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set # verification.
#tls_no_verify_certificate = 1 #tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names # An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as # This list may contain wildcards such as
# #
# "C=GB,ST=London,L=London,O=Red Hat,CN=*" # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -282,7 +282,7 @@
@END@ @END@
# A whitelist of allowed SASL usernames. The format for username # An access control list of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames # depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM # look like username@REALM
# #

4
src/remote/remote_daemon_dispatch.c
View File

@ -3861,7 +3861,7 @@ remoteDispatchAuthSaslStart(virNetServerPtr server,
if (err == VIR_NET_SASL_CONTINUE) { if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0; ret->complete = 0;
} else { } else {
/* Check username whitelist ACL */ /* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) { if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2) if (err == -2)
goto authdeny; goto authdeny;
@ -3957,7 +3957,7 @@ remoteDispatchAuthSaslStep(virNetServerPtr server,
if (err == VIR_NET_SASL_CONTINUE) { if (err == VIR_NET_SASL_CONTINUE) {
ret->complete = 0; ret->complete = 0;
} else { } else {
/* Check username whitelist ACL */ /* Check username ACL */
if ((err = remoteSASLFinish(server, client)) < 0) { if ((err = remoteSASLFinish(server, client)) < 0) {
if (err == -2) if (err == -2)
goto authdeny; goto authdeny;

10
src/rpc/virnetsaslcontext.c
View File

@ -36,7 +36,7 @@ VIR_LOG_INIT("rpc.netsaslcontext");
struct _virNetSASLContext { struct _virNetSASLContext {
virObjectLockable parent; virObjectLockable parent;
const char *const*usernameWhitelist; const char *const *usernameACL;
}; };
struct _virNetSASLSession { struct _virNetSASLSession {
@ -121,7 +121,7 @@ virNetSASLContextPtr virNetSASLContextNewClient(void)
return ctxt; return ctxt;
} }
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist) virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL)
{ {
virNetSASLContextPtr ctxt; virNetSASLContextPtr ctxt;
@ -132,7 +132,7 @@ virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitel
if (!(ctxt = virObjectLockableNew(virNetSASLContextClass))) if (!(ctxt = virObjectLockableNew(virNetSASLContextClass)))
return NULL; return NULL;
ctxt->usernameWhitelist = usernameWhitelist; ctxt->usernameACL = usernameACL;
return ctxt; return ctxt;
} }
@ -146,7 +146,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
virObjectLock(ctxt); virObjectLock(ctxt);
/* If the list is not set, allow any DN. */ /* If the list is not set, allow any DN. */
wildcards = ctxt->usernameWhitelist; wildcards = ctxt->usernameACL;
if (!wildcards) { if (!wildcards) {
ret = 1; /* No ACL, allow all */ ret = 1; /* No ACL, allow all */
goto cleanup; goto cleanup;
@ -162,7 +162,7 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
} }
/* Denied */ /* Denied */
VIR_ERROR(_("SASL client identity '%s' not allowed in whitelist"), identity); VIR_ERROR(_("SASL client identity '%s' not allowed by ACL"), identity);
/* This is the most common error: make it informative. */ /* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s", virReportError(VIR_ERR_SYSTEM_ERROR, "%s",

2
src/rpc/virnetsaslcontext.h
View File

@ -38,7 +38,7 @@ enum {
}; };
virNetSASLContextPtr virNetSASLContextNewClient(void); virNetSASLContextPtr virNetSASLContextNewClient(void);
virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitelist); virNetSASLContextPtr virNetSASLContextNewServer(const char *const *usernameACL);
int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt, int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
const char *identity); const char *identity);

32
src/rpc/virnettlscontext.c
View File

@ -60,7 +60,7 @@ struct _virNetTLSContext {
bool isServer; bool isServer;
bool requireValidCert; bool requireValidCert;
const char *const*x509dnWhitelist; const char *const *x509dnACL;
char *priority; char *priority;
}; };
@ -356,8 +356,8 @@ static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
/* Check DN is on tls_allowed_dn_list. */ /* Check DN is on tls_allowed_dn_list. */
static int static int
virNetTLSContextCheckCertDNWhitelist(const char *dname, virNetTLSContextCheckCertDNACL(const char *dname,
const char *const*wildcards) const char *const *wildcards)
{ {
while (*wildcards) { while (*wildcards) {
if (g_pattern_match_simple(*wildcards, dname)) if (g_pattern_match_simple(*wildcards, dname))
@ -367,7 +367,7 @@ virNetTLSContextCheckCertDNWhitelist(const char *dname,
} }
/* Log the client's DN for debugging */ /* Log the client's DN for debugging */
VIR_DEBUG("Failed whitelist check for client DN '%s'", dname); VIR_DEBUG("Failed ACL check for client DN '%s'", dname);
/* This is the most common error: make it informative. */ /* This is the most common error: make it informative. */
virReportError(VIR_ERR_SYSTEM_ERROR, "%s", virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
@ -385,10 +385,10 @@ virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
const char *certFile, const char *certFile,
const char *hostname, const char *hostname,
const char *dname, const char *dname,
const char *const* whitelist) const char *const *acl)
{ {
if (whitelist && dname && if (acl && dname &&
virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0) virNetTLSContextCheckCertDNACL(dname, acl) <= 0)
return -1; return -1;
if (hostname && if (hostname &&
@ -675,7 +675,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
const char *cacrl, const char *cacrl,
const char *cert, const char *cert,
const char *key, const char *key,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert, bool requireValidCert,
@ -740,7 +740,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
} }
ctxt->requireValidCert = requireValidCert; ctxt->requireValidCert = requireValidCert;
ctxt->x509dnWhitelist = x509dnWhitelist; ctxt->x509dnACL = x509dnACL;
ctxt->isServer = isServer; ctxt->isServer = isServer;
PROBE(RPC_TLS_CONTEXT_NEW, PROBE(RPC_TLS_CONTEXT_NEW,
@ -855,7 +855,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
bool tryUserPkiPath, bool tryUserPkiPath,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert, bool requireValidCert,
@ -869,7 +869,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
return NULL; return NULL;
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key, ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
x509dnWhitelist, priority, sanityCheckCert, x509dnACL, priority, sanityCheckCert,
requireValidCert, isServer); requireValidCert, isServer);
VIR_FREE(cacert); VIR_FREE(cacert);
@ -882,12 +882,12 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath, bool tryUserPkiPath,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert) bool requireValidCert)
{ {
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority, return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, priority,
sanityCheckCert, requireValidCert, true); sanityCheckCert, requireValidCert, true);
} }
@ -906,12 +906,12 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cacrl, const char *cacrl,
const char *cert, const char *cert,
const char *key, const char *key,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert) bool requireValidCert)
{ {
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority, return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priority,
sanityCheckCert, requireValidCert, true); sanityCheckCert, requireValidCert, true);
} }
@ -1063,7 +1063,7 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
VIR_DEBUG("Peer DN is %s", dname); VIR_DEBUG("Peer DN is %s", dname);
if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname, if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
ctxt->x509dnWhitelist) < 0) { ctxt->x509dnACL) < 0) {
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
goto authdeny; goto authdeny;
} }

4
src/rpc/virnettlscontext.h
View File

@ -34,7 +34,7 @@ void virNetTLSInit(void);
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath, bool tryUserPkiPath,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert); bool requireValidCert);
@ -49,7 +49,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cacrl, const char *cacrl,
const char *cert, const char *cert,
const char *key, const char *key,
const char *const*x509dnWhitelist, const char *const *x509dnACL,
const char *priority, const char *priority,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert); bool requireValidCert);

6
tests/virconfdata/libvirtd.conf
View File

@ -174,11 +174,11 @@ crl_file = "/etc/pki/CA/crl.pem"
# will be rejected. # will be rejected.
# #
# Default is to always verify. Uncommenting this will disable # Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set # verification.
tls_no_verify_certificate = 1 tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names # An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as # This list may contain wildcards such as
# #
# "C=GB,ST=London,L=London,O=Red Hat,CN=*" # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -194,7 +194,7 @@ tls_no_verify_certificate = 1
tls_allowed_dn_list = ["DN1", "DN2"] tls_allowed_dn_list = ["DN1", "DN2"]
# A whitelist of allowed SASL usernames. The format for usernames # An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames # depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM # look like username@REALM
# #

6
tests/virconfdata/libvirtd.out
View File

@ -140,9 +140,9 @@ crl_file = "/etc/pki/CA/crl.pem"
# will be rejected. # will be rejected.
# #
# Default is to always verify. Uncommenting this will disable # Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set # verification.
tls_no_verify_certificate = 1 tls_no_verify_certificate = 1
# A whitelist of allowed x509 Distinguished Names # An access control list of allowed x509 Distinguished Names
# This list may contain wildcards such as # This list may contain wildcards such as
# #
# "C=GB,ST=London,L=London,O=Red Hat,CN=*" # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
@ -156,7 +156,7 @@ tls_no_verify_certificate = 1
# #
# By default, no DN's are checked # By default, no DN's are checked
tls_allowed_dn_list = [ "DN1", "DN2" ] tls_allowed_dn_list = [ "DN1", "DN2" ]
# A whitelist of allowed SASL usernames. The format for usernames # An access control list of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames # depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM # look like username@REALM
# #