Add auth-type.

Sponsored by:	The FreeBSD Foundation

usr.sbin/ctld/ctl.conf.5

@@ -101,6 +101,11 @@ Setting it to 0 disables the timeout.
 .Ss auth-group level
 The following statements are available at the auth-group level:
 .Bl -tag -width indent
+.It Ic auth-type Ao Ar type Ac
+Specifies authentication type.
+Type can be either "none", "chap", or "chap-mutual".
+In most cases it is not neccessary to set the type using this clause;
+it is usually used to disable authentication for a given auth-group.
 .It Ic chap Ao Ar user Ac Aq Ar secret
 Specifies CHAP authentication credentials.
 .It Ic chap-mutual Ao Ar user Ac Ao Ar secret Ac Ao Ar mutualuser Ac Aq Ar mutualsecret
@@ -147,6 +152,13 @@ There is no default; every target must use either auth-group,
 or chap, or chap-mutual statements.
 A special auth-group, "no-authentication", may be used to permit access
 without authentication.
+.It Ic auth-type Ao Ar type Ac
+Specifies authentication type.
+Type can be either "none", "chap", or "chap-mutual".
+In most cases it is not neccessary to set the type using this clause;
+it is usually used to disable authentication for a given target.
+This clause is mutually exclusive with auth-group; one cannot use
+both in a single target.
 .It Ic chap Ao Ar user Ac Aq Ar secret
 Specifies CHAP authentication credentials.
 Note that targets must use either auth-group, or chap,

usr.sbin/ctld/ctld.c

@@ -417,6 +417,58 @@ auth_group_find(struct conf *conf, const char *name)
 	return (NULL);
 }
 
+static int
+auth_group_set_type(struct auth_group *ag, int type)
+{
+
+	if (ag->ag_type == AG_TYPE_UNKNOWN) {
+		ag->ag_type = type;
+		return (0);
+	}
+
+	if (ag->ag_type == type)
+		return (0);
+
+	return (1);
+}
+
+int
+auth_group_set_type_str(struct auth_group *ag, const char *str)
+{
+	int error, type;
+
+	if (strcmp(str, "none") == 0) {
+		type = AG_TYPE_NO_AUTHENTICATION;
+	} else if (strcmp(str, "chap") == 0) {
+		type = AG_TYPE_CHAP;
+	} else if (strcmp(str, "chap-mutual") == 0) {
+		type = AG_TYPE_CHAP_MUTUAL;
+	} else {
+		if (ag->ag_name != NULL)
+			log_warnx("invalid auth-type \"%s\" for auth-group "
+			    "\"%s\"", str, ag->ag_name);
+		else
+			log_warnx("invalid auth-type \"%s\" for target "
+			    "\"%s\"", str, ag->ag_target->t_name);
+		return (1);
+	}
+
+	error = auth_group_set_type(ag, type);
+	if (error != 0) {
+		if (ag->ag_name != NULL)
+			log_warnx("cannot set auth-type to \"%s\" for "
+			    "auth-group \"%s\"; already has a different "
+			    "type", str, ag->ag_name);
+		else
+			log_warnx("cannot set auth-type to \"%s\" for target "
+			    "\"%s\"; already has a different type",
+			    str, ag->ag_target->t_name);
+		return (1);
+	}
+
+	return (error);
+}
+
 static struct portal *
 portal_new(struct portal_group *pg)
 {

usr.sbin/ctld/ctld.h

@@ -197,6 +197,8 @@ int			conf_verify(struct conf *conf);
 struct auth_group	*auth_group_new(struct conf *conf, const char *name);
 void			auth_group_delete(struct auth_group *ag);
 struct auth_group	*auth_group_find(struct conf *conf, const char *name);
+int			auth_group_set_type_str(struct auth_group *ag,
+			    const char *type);
 
 const struct auth	*auth_new_chap(struct auth_group *ag,
 			    const char *user, const char *secret);

usr.sbin/ctld/parse.y

@@ -57,10 +57,10 @@ extern void	yyrestart(FILE *);
 
 %}
 
-%token ALIAS AUTH_GROUP BACKEND BLOCKSIZE CHAP CHAP_MUTUAL CLOSING_BRACKET
-%token DEBUG DEVICE_ID DISCOVERY_AUTH_GROUP INITIATOR_NAME INITIATOR_PORTAL
-%token LISTEN LISTEN_ISER LUN MAXPROC NUM OPENING_BRACKET OPTION PATH PIDFILE
-%token PORTAL_GROUP SERIAL SIZE STR TARGET TIMEOUT
+%token ALIAS AUTH_GROUP AUTH_TYPE BACKEND BLOCKSIZE CHAP CHAP_MUTUAL
+%token CLOSING_BRACKET DEBUG DEVICE_ID DISCOVERY_AUTH_GROUP INITIATOR_NAME
+%token INITIATOR_PORTAL LISTEN LISTEN_ISER LUN MAXPROC NUM OPENING_BRACKET
+%token OPTION PATH PIDFILE PORTAL_GROUP SERIAL SIZE STR TARGET TIMEOUT
 
 %union
 {
@@ -145,6 +145,8 @@ auth_group_entries:
 	;
 
 auth_group_entry:
+	auth_group_auth_type
+	|
 	auth_group_chap
 	|
 	auth_group_chap_mutual
@@ -154,6 +156,17 @@ auth_group_entry:
 	auth_group_initiator_portal
 	;
 
+auth_group_auth_type:	AUTH_TYPE STR
+	{
+		int error;
+
+		error = auth_group_set_type_str(auth_group, $2);
+		free($2);
+		if (error != 0)
+			return (1);
+	}
+	;
+
 auth_group_chap:	CHAP STR STR
 	{
 		const struct auth *ca;
@@ -299,6 +312,8 @@ target_entry:
 	|
 	target_auth_group
 	|
+	target_auth_type
+	|
 	target_chap
 	|
 	target_chap_mutual
@@ -330,7 +345,7 @@ target_auth_group:	AUTH_GROUP STR
 				log_warnx("auth-group for target \"%s\" "
 				    "specified more than once", target->t_name);
 			else
-				log_warnx("cannot mix auth-group with explicit "
+				log_warnx("cannot use both auth-group and explicit "
 				    "authorisations for target \"%s\"",
 				    target->t_name);
 			return (1);
@@ -345,14 +360,40 @@ target_auth_group:	AUTH_GROUP STR
 	}
 	;
 
+target_auth_type:	AUTH_TYPE STR
+	{
+		int error;
+
+		if (target->t_auth_group != NULL) {
+			if (target->t_auth_group->ag_name != NULL) {
+				log_warnx("cannot use both auth-group and "
+				    "auth-type for target \"%s\"",
+				    target->t_name);
+				return (1);
+			}
+		} else {
+			target->t_auth_group = auth_group_new(conf, NULL);
+			if (target->t_auth_group == NULL) {
+				free($2);
+				return (1);
+			}
+			target->t_auth_group->ag_target = target;
+		}
+		error = auth_group_set_type_str(target->t_auth_group, $2);
+		free($2);
+		if (error != 0)
+			return (1);
+	}
+	;
+
 target_chap:	CHAP STR STR
 	{
 		const struct auth *ca;
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with explicit "
-				    "authorisations for target \"%s\"",
+				log_warnx("cannot use both auth-group and "
+				    "chap for target \"%s\"",
 				    target->t_name);
 				free($2);
 				free($3);
@@ -381,8 +422,8 @@ target_chap_mutual:	CHAP_MUTUAL STR STR STR STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with explicit "
-				    "authorisations for target \"%s\"",
+				log_warnx("cannot use both auth-group and "
+				    "chap-mutual for target \"%s\"",
 				    target->t_name);
 				free($2);
 				free($3);
@@ -418,7 +459,7 @@ target_initiator_name:	INITIATOR_NAME STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with "
+				log_warnx("cannot use both auth-group and "
 				    "initiator-name for target \"%s\"",
 				    target->t_name);
 				free($2);
@@ -445,7 +486,7 @@ target_initiator_portal:	INITIATOR_PORTAL STR
 
 		if (target->t_auth_group != NULL) {
 			if (target->t_auth_group->ag_name != NULL) {
-				log_warnx("cannot mix auth-group with "
+				log_warnx("cannot use both auth-group and "
 				    "initiator-portal for target \"%s\"",
 				    target->t_name);
 				free($2);

usr.sbin/ctld/token.l

@@ -50,6 +50,7 @@ extern int	yylex(void);
 %%
 alias			{ return ALIAS; }
 auth-group		{ return AUTH_GROUP; }
+auth-type		{ return AUTH_TYPE; }
 backend			{ return BACKEND; }
 blocksize		{ return BLOCKSIZE; }
 chap			{ return CHAP; }