From 9c7d9414051a9b6febdff80ae3f508b62ab10455 Mon Sep 17 00:00:00 2001
From: Dan Goodliffe <dan@randomdan.homeip.net>
Date: Mon, 20 Jul 2015 21:00:22 +0100
Subject: Implement authtoken security

---
 netfs/daemon/daemonConfig.ice    |  3 +++
 netfs/daemon/daemonService.cpp   |  5 ++++-
 netfs/fuse/fuseApp.cpp           |  5 ++++-
 netfs/fuse/fuseConfig.ice        |  3 +++
 netfs/unittests/Jamfile.jam      |  2 +-
 netfs/unittests/secureDaemon.xml | 12 ++++++++++++
 netfs/unittests/secureFuse.xml   | 16 ++++++++++++++++
 netfs/unittests/testCore.cpp     | 30 ++++++++++++++++++++++++++++++
 8 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100644 netfs/unittests/secureDaemon.xml
 create mode 100644 netfs/unittests/secureFuse.xml

diff --git a/netfs/daemon/daemonConfig.ice b/netfs/daemon/daemonConfig.ice
index bb77344..07fef60 100644
--- a/netfs/daemon/daemonConfig.ice
+++ b/netfs/daemon/daemonConfig.ice
@@ -11,6 +11,9 @@ module NetFS {
 		class Export {
 			["slicer:name:root"]
 			string RootPath;
+
+			["slicer:name:authtoken"]
+			string AuthToken;
 		};
 
 		["slicer:key:name","slicer:value:export","slicer:item:export"]
diff --git a/netfs/daemon/daemonService.cpp b/netfs/daemon/daemonService.cpp
index fe587f1..7a81e51 100644
--- a/netfs/daemon/daemonService.cpp
+++ b/netfs/daemon/daemonService.cpp
@@ -9,13 +9,16 @@ ServiceServer::ServiceServer(NetFS::Daemon::ConfigurationPtr c) :
 }
 
 NetFS::VolumePrx
-ServiceServer::connect(const std::string & share, const std::string &, const Ice::Current & ice)
+ServiceServer::connect(const std::string & share, const std::string & authtoken, const Ice::Current & ice)
 {
 	//boost::lock_guard<boost::mutex> lg(lock);
 	NetFS::Daemon::ExportMap::iterator e = config->Exports.find(share);
 	if (e == config->Exports.end()) {
 		throw NetFS::ConfigError();
 	}
+	if (!e->second->AuthToken.empty() && e->second->AuthToken != authtoken) {
+		throw NetFS::AuthError();
+	}
 	return NetFS::VolumePrx::checkedCast(ice.adapter->addWithUUID(new VolumeServer(e->second->RootPath)));
 }
 
diff --git a/netfs/fuse/fuseApp.cpp b/netfs/fuse/fuseApp.cpp
index ac0dab5..a752e47 100644
--- a/netfs/fuse/fuseApp.cpp
+++ b/netfs/fuse/fuseApp.cpp
@@ -118,7 +118,7 @@ void
 NetFS::FuseApp::connectToVolume()
 {
 	if (!volume) {
-		volume = service->connect(fcr->ExportName, "bar");
+		volume = service->connect(fcr->ExportName, fcr->AuthToken);
 		if (!volume) {
 			throw std::runtime_error("Invalid filesystem proxy");
 		}
@@ -188,6 +188,9 @@ NetFS::FuseApp::onError(const std::exception & e) throw()
 		connectHandles();
 		return 0;
 	}
+	if (dynamic_cast<const NetFS::AuthError *>(&e)) {
+		return -EPERM;
+	}
 	return FuseAppBase::onError(e);
 }
 
diff --git a/netfs/fuse/fuseConfig.ice b/netfs/fuse/fuseConfig.ice
index db37770..d4cee41 100644
--- a/netfs/fuse/fuseConfig.ice
+++ b/netfs/fuse/fuseConfig.ice
@@ -12,6 +12,9 @@ module NetFS {
 
 			["slicer:name:endpoints"]
 			EndpointList Endpoints;
+
+			["slicer:name:authtoken"]
+			string AuthToken;
 		};
 
 		["slicer:key:name","slicer:value:resource","slicer:item:resource"]
diff --git a/netfs/unittests/Jamfile.jam b/netfs/unittests/Jamfile.jam
index 316491e..f1a4663 100644
--- a/netfs/unittests/Jamfile.jam
+++ b/netfs/unittests/Jamfile.jam
@@ -27,7 +27,7 @@ lib testMocks :
 
 
 run testCore.cpp
-	: : defaultDaemon.xml defaultFuse.xml :
+	: : defaultDaemon.xml defaultFuse.xml secureDaemon.xml secureFuse.xml :
 	<define>BOOST_TEST_DYN_LINK
 	<library>boost_utf
 	<library>testMocks
diff --git a/netfs/unittests/secureDaemon.xml b/netfs/unittests/secureDaemon.xml
new file mode 100644
index 0000000..73e2f9d
--- /dev/null
+++ b/netfs/unittests/secureDaemon.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="ascii"?>
+<config>
+  <exports>
+    <export>
+      <name>testvol</name>
+      <export>
+				<authtoken>secure_key</authtoken>
+        <root>/overridden</root>
+      </export>
+    </export>
+  </exports>
+</config>
diff --git a/netfs/unittests/secureFuse.xml b/netfs/unittests/secureFuse.xml
new file mode 100644
index 0000000..e7e8418
--- /dev/null
+++ b/netfs/unittests/secureFuse.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="ascii"?>
+<config>
+	<resources>
+		<resource>
+			<name>testvol</name>
+			<resource>
+				<export>testvol</export>
+				<authtoken>secure_key</authtoken>
+				<endpoints>
+					<endpoint>overridden</endpoint>
+				</endpoints>
+			</resource>
+		</resource>
+	</resources>
+</config>
+
diff --git a/netfs/unittests/testCore.cpp b/netfs/unittests/testCore.cpp
index 10b04e2..927262b 100644
--- a/netfs/unittests/testCore.cpp
+++ b/netfs/unittests/testCore.cpp
@@ -33,6 +33,8 @@ class Core {
 		FuseMockHost fuseHost;
 
 		Ice::CommunicatorPtr ic;
+
+	public:
 		const fuse_operations * fuse;
 };
 
@@ -53,3 +55,31 @@ BOOST_AUTO_TEST_CASE ( clientInitialised )
 
 BOOST_AUTO_TEST_SUITE_END();
 
+BOOST_AUTO_TEST_CASE( testNoAuthNoPass )
+{
+	Core c("defaultDaemon.xml", "defaultFuse.xml");
+	struct statvfs s;
+	BOOST_REQUIRE_EQUAL(0, c.fuse->statfs("/",  &s));
+}
+
+BOOST_AUTO_TEST_CASE( testWithAuthNoPass )
+{
+	Core c("secureDaemon.xml", "defaultFuse.xml");
+	struct statvfs s;
+	BOOST_REQUIRE_EQUAL(-EPERM, c.fuse->statfs("/",  &s));
+}
+
+BOOST_AUTO_TEST_CASE( testWithAuthWithPass )
+{
+	Core c("secureDaemon.xml", "secureFuse.xml");
+	struct statvfs s;
+	BOOST_REQUIRE_EQUAL(0, c.fuse->statfs("/",  &s));
+}
+
+BOOST_AUTO_TEST_CASE( testNoAuthWithPass )
+{
+	Core c("defaultDaemon.xml", "secureFuse.xml");
+	struct statvfs s;
+	BOOST_REQUIRE_EQUAL(0, c.fuse->statfs("/",  &s));
+}
+
-- 
cgit v1.2.3