iscsi&scripts/rpc: Add add/delete_secret_to/from_iscsi_auth_group RPCs

Add RPCs to add/delete a secret to/from an existing authentication group
dynamically.

Use mutex to ensure exclusive access to CHAP secrets.

Tries to use descriptive message in RPCs when error occurs.

Change-Id: I59650ae11a2fe675d03b90bbd4d2dc5b9c0160ed
Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-on: https://review.gerrithub.io/421465
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Chandler-Test-Pool: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>

doc/jsonrpc.md

@@ -2006,6 +2006,86 @@ Example response:
 }
 ~~~
 
+## add_secret_to_iscsi_auth_group {#rpc_add_secret_to_iscsi_auth_group}
+
+Add a secret to an existing authentication group for CHAP authentication.
+
+### Parameters
+
+Name                        | Optional | Type    | Description
+--------------------------- | -------- | --------| -----------
+tag                         | Required | number  | Authentication group tag (unique, integer > 0)
+user                        | Required | string  | Unidirectional CHAP name
+secret                      | Required | string  | Unidirectional CHAP secret
+muser                       | Optional | string  | Bidirectional CHAP name
+msecret                     | Optional | string  | Bidirectional CHAP secret
+
+### Example
+
+Example request:
+
+~~~
+{
+  "params": {
+    "muser": "mu3",
+    "secret": "s3",
+    "tag": 2,
+    "user": "u3",
+    "msecret": "ms3"
+  },
+  "jsonrpc": "2.0",
+  "method": "add_secret_to_iscsi_auth_group",
+  "id": 1
+}
+~~~
+
+Example response:
+
+~~~
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "result": true
+}
+~~~
+
+## delete_secret_from_iscsi_auth_group {#rpc_delete_secret_from_iscsi_auth_group}
+
+Delete a secret from an existing authentication group for CHAP authentication.
+
+### Parameters
+
+Name                        | Optional | Type    | Description
+--------------------------- | -------- | --------| -----------
+tag                         | Required | number  | Authentication group tag (unique, integer > 0)
+user                        | Required | string  | Unidirectional CHAP name
+
+### Example
+
+Example request:
+
+~~~
+{
+  "params": {
+    "tag": 2,
+    "user": "u3"
+  },
+  "jsonrpc": "2.0",
+  "method": "delete_secret_from_iscsi_auth_group",
+  "id": 1
+}
+~~~
+
+Example response:
+
+~~~
+{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "result": true
+}
+~~~
+
 ## get_initiator_groups method {#rpc_get_initiator_groups}
 
 Show information about all available initiator groups.

lib/iscsi/iscsi.h

@@ -407,6 +407,8 @@ void spdk_iscsi_delete_auth_group(struct spdk_iscsi_auth_group *group);
 int spdk_iscsi_auth_group_add_secret(struct spdk_iscsi_auth_group *group,
 				     const char *user, const char *secret,
 				     const char *muser, const char *msecret);
+int spdk_iscsi_auth_group_delete_secret(struct spdk_iscsi_auth_group *group,
+					const char *user);
 
 void spdk_iscsi_send_nopin(struct spdk_iscsi_conn *conn);
 void spdk_iscsi_task_response(struct spdk_iscsi_conn *conn,

lib/iscsi/iscsi_rpc.c

@@ -1362,3 +1362,156 @@ spdk_rpc_delete_iscsi_auth_group(struct spdk_jsonrpc_request *request,
 	spdk_jsonrpc_end_result(request, w);
 }
 SPDK_RPC_REGISTER("delete_iscsi_auth_group", spdk_rpc_delete_iscsi_auth_group, SPDK_RPC_RUNTIME)
+
+struct rpc_add_auth_secret {
+	int32_t tag;
+	char *user;
+	char *secret;
+	char *muser;
+	char *msecret;
+};
+
+static void
+free_rpc_add_auth_secret(struct rpc_add_auth_secret *_secret)
+{
+	free(_secret->user);
+	free(_secret->secret);
+	free(_secret->muser);
+	free(_secret->msecret);
+}
+
+static const struct spdk_json_object_decoder rpc_add_auth_secret_decoders[] = {
+	{"tag", offsetof(struct rpc_add_auth_secret, tag), spdk_json_decode_int32},
+	{"user", offsetof(struct rpc_add_auth_secret, user), spdk_json_decode_string},
+	{"secret", offsetof(struct rpc_add_auth_secret, secret), spdk_json_decode_string},
+	{"muser", offsetof(struct rpc_add_auth_secret, muser), spdk_json_decode_string, true},
+	{"msecret", offsetof(struct rpc_add_auth_secret, msecret), spdk_json_decode_string, true},
+};
+
+static void
+spdk_rpc_add_secret_to_iscsi_auth_group(struct spdk_jsonrpc_request *request,
+					const struct spdk_json_val *params)
+{
+	struct rpc_add_auth_secret req = {};
+	struct spdk_json_write_ctx *w;
+	struct spdk_iscsi_auth_group *group;
+	int rc;
+
+	if (spdk_json_decode_object(params, rpc_add_auth_secret_decoders,
+				    SPDK_COUNTOF(rpc_add_auth_secret_decoders), &req)) {
+		SPDK_ERRLOG("spdk_json_decode_object failed\n");
+		spdk_jsonrpc_send_error_response(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						 "Invalid parameters");
+		free_rpc_add_auth_secret(&req);
+		return;
+	}
+
+	pthread_mutex_lock(&g_spdk_iscsi.mutex);
+
+	group = spdk_iscsi_find_auth_group_by_tag(req.tag);
+	if (group == NULL) {
+		pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+		spdk_jsonrpc_send_error_response_fmt(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						     "Could not find auth group (%d)", req.tag);
+		free_rpc_add_auth_secret(&req);
+		return;
+	}
+
+	rc = spdk_iscsi_auth_group_add_secret(group, req.user, req.secret, req.muser, req.msecret);
+	if (rc != 0) {
+		pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+		spdk_jsonrpc_send_error_response_fmt(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						     "Could not add secret to auth group (%d), %s",
+						     req.tag, spdk_strerror(-rc));
+		free_rpc_add_auth_secret(&req);
+		return;
+	}
+
+	pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+	free_rpc_add_auth_secret(&req);
+
+	w = spdk_jsonrpc_begin_result(request);
+	if (w == NULL) {
+		return;
+	}
+
+	spdk_json_write_bool(w, true);
+	spdk_jsonrpc_end_result(request, w);
+}
+SPDK_RPC_REGISTER("add_secret_to_iscsi_auth_group", spdk_rpc_add_secret_to_iscsi_auth_group,
+		  SPDK_RPC_RUNTIME)
+
+struct rpc_delete_auth_secret {
+	int32_t tag;
+	char *user;
+};
+
+static void
+free_rpc_delete_auth_secret(struct rpc_delete_auth_secret *_secret)
+{
+	free(_secret->user);
+}
+
+static const struct spdk_json_object_decoder rpc_delete_auth_secret_decoders[] = {
+	{"tag", offsetof(struct rpc_delete_auth_secret, tag), spdk_json_decode_int32},
+	{"user", offsetof(struct rpc_delete_auth_secret, user), spdk_json_decode_string},
+};
+
+static void
+spdk_rpc_delete_secret_from_iscsi_auth_group(struct spdk_jsonrpc_request *request,
+		const struct spdk_json_val *params)
+{
+	struct rpc_delete_auth_secret req = {};
+	struct spdk_json_write_ctx *w;
+	struct spdk_iscsi_auth_group *group;
+	int rc;
+
+	if (spdk_json_decode_object(params, rpc_delete_auth_secret_decoders,
+				    SPDK_COUNTOF(rpc_delete_auth_secret_decoders), &req)) {
+		SPDK_ERRLOG("spdk_json_decode_object failed\n");
+		spdk_jsonrpc_send_error_response(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						 "Invalid parameters");
+		free_rpc_delete_auth_secret(&req);
+		return;
+	}
+
+	pthread_mutex_lock(&g_spdk_iscsi.mutex);
+
+	group = spdk_iscsi_find_auth_group_by_tag(req.tag);
+	if (group == NULL) {
+		pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+		spdk_jsonrpc_send_error_response_fmt(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						     "Could not find auth group (%d)", req.tag);
+		free_rpc_delete_auth_secret(&req);
+		return;
+	}
+
+	rc = spdk_iscsi_auth_group_delete_secret(group, req.user);
+	if (rc != 0) {
+		pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+		spdk_jsonrpc_send_error_response_fmt(request, SPDK_JSONRPC_ERROR_INVALID_PARAMS,
+						     "Could not delete secret from CHAP group (%d), %s",
+						     req.tag, spdk_strerror(-rc));
+		free_rpc_delete_auth_secret(&req);
+		return;
+	}
+
+	pthread_mutex_unlock(&g_spdk_iscsi.mutex);
+
+	free_rpc_delete_auth_secret(&req);
+
+	w = spdk_jsonrpc_begin_result(request);
+	if (w == NULL) {
+		return;
+	}
+
+	spdk_json_write_bool(w, true);
+	spdk_jsonrpc_end_result(request, w);
+}
+SPDK_RPC_REGISTER("delete_secret_from_iscsi_auth_group",
+		  spdk_rpc_delete_secret_from_iscsi_auth_group, SPDK_RPC_RUNTIME)

lib/iscsi/iscsi_subsystem.c

@@ -874,6 +874,34 @@ spdk_iscsi_auth_group_add_secret(struct spdk_iscsi_auth_group *group,
 	return 0;
 }
 
+int
+spdk_iscsi_auth_group_delete_secret(struct spdk_iscsi_auth_group *group,
+				    const char *user)
+{
+	struct spdk_iscsi_auth_secret *_secret;
+
+	if (user == NULL) {
+		SPDK_ERRLOG("user must be specified\n");
+		return -EINVAL;
+	}
+
+	TAILQ_FOREACH(_secret, &group->secret_head, tailq) {
+		if (strcmp(_secret->user, user) == 0) {
+			break;
+		}
+	}
+
+	if (_secret == NULL) {
+		SPDK_ERRLOG("secret is not found\n");
+		return -ENODEV;
+	}
+
+	TAILQ_REMOVE(&group->secret_head, _secret, tailq);
+	free(_secret);
+
+	return 0;
+}
+
 int
 spdk_iscsi_add_auth_group(int32_t tag, struct spdk_iscsi_auth_group **_group)
 {

scripts/rpc.py

@@ -573,6 +573,33 @@ Format: 'user:u1 secret:s1 muser:mu1 msecret:ms1,user:u2 secret:s2 muser:mu2 mse
     p.add_argument('tag', help='Authentication group tag', type=int)
     p.set_defaults(func=delete_iscsi_auth_group)
 
+    @call_cmd
+    def add_secret_to_iscsi_auth_group(args):
+        rpc.iscsi.add_secret_to_iscsi_auth_group(
+            args.client,
+            tag=args.tag,
+            user=args.user,
+            secret=args.secret,
+            muser=args.muser,
+            msecret=args.msecret)
+
+    p = subparsers.add_parser('add_secret_to_iscsi_auth_group', help='Add a secret to an authentication group.')
+    p.add_argument('tag', help='Authentication group tag', type=int)
+    p.add_argument('-u', '--user', help='User name for one-way CHAP authentication', required=True)
+    p.add_argument('-s', '--secret', help='Secret for one-way CHAP authentication', required=True)
+    p.add_argument('-m', '--muser', help='User name for mutual CHAP authentication')
+    p.add_argument('-r', '--msecret', help='Secret for mutual CHAP authentication')
+    p.set_defaults(func=add_secret_to_iscsi_auth_group)
+
+    @call_cmd
+    def delete_secret_from_iscsi_auth_group(args):
+        rpc.iscsi.delete_secret_from_iscsi_auth_group(args.client, tag=args.tag, user=args.user)
+
+    p = subparsers.add_parser('delete_secret_from_iscsi_auth_group', help='Delete a secret from an authentication group.')
+    p.add_argument('tag', help='Authentication group tag', type=int)
+    p.add_argument('-u', '--user', help='User name for one-way CHAP authentication', required=True)
+    p.set_defaults(func=delete_secret_from_iscsi_auth_group)
+
     @call_cmd
     def get_portal_groups(args):
         print_dict(rpc.iscsi.get_portal_groups(args.client))

scripts/rpc/iscsi.py

@@ -283,6 +283,42 @@ def delete_iscsi_auth_group(client, tag):
     return client.call('delete_iscsi_auth_group', params)
 
 
+def add_secret_to_iscsi_auth_group(client, tag, user, secret, muser=None, msecret=None):
+    """Add a secret to an authentication group.
+
+    Args:
+        tag: Authentication group tag (unique, integer > 0)
+        user: User name for one-way CHAP authentication
+        secret: Secret for one-way CHAP authentication
+        muser: User name for mutual CHAP authentication (optional)
+        msecret: Secret for mutual CHAP authentication (optional)
+
+    Returns:
+        True or False
+    """
+    params = {'tag': tag, 'user': user, 'secret': secret}
+
+    if muser:
+        params['muser'] = muser
+    if msecret:
+        params['msecret'] = msecret
+    return client.call('add_secret_to_iscsi_auth_group', params)
+
+
+def delete_secret_from_iscsi_auth_group(client, tag, user):
+    """Delete a secret from an authentication group.
+
+    Args:
+        tag: Authentication group tag (unique, integer > 0)
+        user: User name for one-way CHAP authentication
+
+    Returns:
+        True or False
+    """
+    params = {'tag': tag, 'user': user}
+    return client.call('delete_secret_from_iscsi_auth_group', params)
+
+
 def delete_pg_ig_maps(client, pg_ig_maps, name):
     """Delete PG-IG maps from the target node.