From ad323b8064478834e9aca6776478c8a210dabf23 Mon Sep 17 00:00:00 2001 From: Shuhei Matsumoto Date: Tue, 28 Aug 2018 08:37:35 +0900 Subject: [PATCH] iscsi&scrpts/rpc: Require to specify CHAP secret file explicitly to load it Previous patches enabled users to configure CHAP secrets dynamically by RPCs. Subsequent patches will enable users to load CHAP secrets from JSON config file. Loading CHAP secret file is done by default and this will conflict to JSON config file. Hence the path to CHAP secret file is required to specify in the config file or JSON RPC set_iscsi_options explicitly after this patch. Users who have used CHAP secret file are expected to specify it explicitly and this will be no harm for them. Besides, CHAP secret file is not oly for discovery sessions but also for login to iSCSI targets. However there were wrong description to make user misunderstand. Hence remove these wrong description in this patch too. Change-Id: Ic4093cabc0c14b87e26baef4bba6b0d292e40c06 Signed-off-by: Shuhei Matsumoto Reviewed-on: https://review.gerrithub.io/421467 Tested-by: SPDK CI Jenkins Chandler-Test-Pool: SPDK Automated Test System Reviewed-by: Jim Harris Reviewed-by: Ben Walker --- CHANGELOG.md | 10 ++++---- doc/jsonrpc.md | 4 +++- lib/iscsi/iscsi.h | 1 - lib/iscsi/iscsi_subsystem.c | 47 +++++++++++++++++++------------------ scripts/rpc.py | 2 +- scripts/rpc/iscsi.py | 2 +- 6 files changed, 35 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 125d3103a9..0ed302fe9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -33,10 +33,12 @@ but will be removed in future release. been added to set CHAP authentication for discovery sessions and existing target nodes, respectively. -CHAP shared secret file is now loaded only once at startup. During run time -CHAP shared secrets can be configured by new JSON RPCs `add_iscsi_auth_group`, -`delete_iscsi_auth_group`, `add_secret_to_iscsi_auth_group`, and -`delete_secret_from_iscsi_auth_group` instead. +The SPDK iSCSI target supports an AuthFile which can be used to load CHAP +shared secrets when the iSCSI target starts. SPDK previously provided a +default location for this file (`/usr/local/etc/spdk/auth.conf`) if none was +specified. This default has been removed. Users must now explicitly specify +the location of this file to load CHAP shared secrets from a file, or use +the related iSCSI RPC methods to add them at runtime. ## v18.07: diff --git a/doc/jsonrpc.md b/doc/jsonrpc.md index deaaf2e673..7892f502e7 100644 --- a/doc/jsonrpc.md +++ b/doc/jsonrpc.md @@ -1771,7 +1771,7 @@ This RPC may only be called before SPDK subsystems have been initialized. This R Name | Type | Description --------------------------- | --------| ----------- -auth_file | string | Path to CHAP shared secret file for discovery session (default: "/usr/local/etc/spdk/auth.conf") +auth_file | string | Path to CHAP shared secret file (default: "") node_base | string | Prefix of the name of iSCSI target node (default: "iqn.2016-06.io.spdk") nop_timeout | number | Timeout in seconds to nop-in request to the initiator (default: 60) nop_in_interval | number | Time interval in secs between nop-in requests by the target (default: 30) 
@@ -1790,6 +1790,8 @@ error_recovery_level | number | Session specific parameter, ErrorRecover allow_duplicated_isid | boolean | Allow duplicated initiator session ID (default: `false`) min_connections_per_core | number | Allocation unit of connections per core (default: 4) +To load CHAP shared secret file, its path is required to specify explicitly in the parameter `auth_file`. + Parameters `disable_chap` and `require_chap` are mutually exclusive. Parameters `no_discovery_auth`, `req_discovery_auth`, `req_discovery_auth_mutual`, and `discovery_auth_group` are still available instead of `disable_chap`, `require_chap`, `mutual_chap`, and `chap_group`, respectivey but will be removed in future releases. ### Example diff --git a/lib/iscsi/iscsi.h b/lib/iscsi/iscsi.h index 169da79fe2..e987a44066 100644 --- a/lib/iscsi/iscsi.h +++ b/lib/iscsi/iscsi.h @@ -50,7 +50,6 @@ #define SPDK_ISCSI_BUILD_ETC "/usr/local/etc/spdk" #define SPDK_ISCSI_DEFAULT_CONFIG SPDK_ISCSI_BUILD_ETC "/iscsi.conf" -#define SPDK_ISCSI_DEFAULT_AUTHFILE SPDK_ISCSI_BUILD_ETC "/auth.conf" #define SPDK_ISCSI_DEFAULT_NODEBASE "iqn.2016-06.io.spdk" #define DEFAULT_MAXR2T 4 diff --git a/lib/iscsi/iscsi_subsystem.c b/lib/iscsi/iscsi_subsystem.c index e4ca017c3b..f63fc32e80 100644 --- a/lib/iscsi/iscsi_subsystem.c +++ b/lib/iscsi/iscsi_subsystem.c @@ -62,7 +62,7 @@ static void *g_fini_cb_arg; " NodeBase \"%s\"\n" \ "\n" \ " # files\n" \ -" AuthFile %s\n" \ +" %s %s\n" \ "\n" \ " # socket I/O timeout sec. (polling is infinity)\n" \ " Timeout %d\n" \ @@ -109,7 +109,9 @@ spdk_iscsi_globals_config_text(FILE *fp) } fprintf(fp, ISCSI_CONFIG_TMPL, - g_spdk_iscsi.nodebase, g_spdk_iscsi.authfile, + g_spdk_iscsi.nodebase, + g_spdk_iscsi.authfile ? "AuthFile" : "", + g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "", g_spdk_iscsi.timeout, authmethod, authgroup, g_spdk_iscsi.MaxSessions, g_spdk_iscsi.MaxConnectionsPerSession, g_spdk_iscsi.MaxConnections, 
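Review bot: In lib/iscsi/iscsi_subsystem.c the changed `ISCSI_CONFIG_TMPL` line `" %s %s\n"` prints a whitespace-only line under `# files` whenever `g_spdk_iscsi.authfile` is NULL, and the paired empty-string arguments in `spdk_iscsi_globals_config_text` are hard to match to the template at a glance. A short comment above the macro, such as `/* AuthFile keyword and path are both printed as "" when no secret file is configured */`, would make the intent clear. The path is also still written unquoted while `NodeBase` directly above it is quoted; whether a path containing whitespace survives being read back depends on the config parser, which is not shown. Both the macro and the `fprintf` call extend beyond their hunks.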
@@ -334,7 +336,8 @@ struct spdk_iscsi_pdu *spdk_get_pdu(void) static void spdk_iscsi_log_globals(void) { - SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", g_spdk_iscsi.authfile); + SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "AuthFile %s\n", + g_spdk_iscsi.authfile ? g_spdk_iscsi.authfile : "(none)"); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "NodeBase %s\n", g_spdk_iscsi.nodebase); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxSessions %d\n", g_spdk_iscsi.MaxSessions); SPDK_DEBUGLOG(SPDK_LOG_ISCSI, "MaxConnectionsPerSession %d\n", @@ -622,14 +625,6 @@ spdk_iscsi_read_config_file_params(struct spdk_conf_section *sp, static int spdk_iscsi_opts_verify(struct spdk_iscsi_opts *opts) { - if (!opts->authfile) { - opts->authfile = strdup(SPDK_ISCSI_DEFAULT_AUTHFILE); - if (opts->authfile == NULL) { - SPDK_ERRLOG("strdup() failed for default authfile\n"); - return -ENOMEM; - } - } - if (!opts->nodebase) { opts->nodebase = strdup(SPDK_ISCSI_DEFAULT_NODEBASE); if (opts->nodebase == NULL) { @@ -746,10 +741,12 @@ spdk_iscsi_set_global_params(struct spdk_iscsi_opts *opts) return rc; } - g_spdk_iscsi.authfile = strdup(opts->authfile); - if (!g_spdk_iscsi.authfile) { - SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile); - return -ENOMEM; + if (opts->authfile != NULL) { + g_spdk_iscsi.authfile = strdup(opts->authfile); + if (!g_spdk_iscsi.authfile) { + SPDK_ERRLOG("failed to strdup for auth file %s\n", opts->authfile); + return -ENOMEM; + } } g_spdk_iscsi.nodebase = strdup(opts->nodebase); 
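Review bot: In spdk_iscsi_set_global_params (hunk at -746), `g_spdk_iscsi.authfile` is now left untouched when `opts->authfile` is NULL, so every later `!= NULL` check depends on the global already being NULL. If the iSCSI subsystem can be initialised more than once in a process (not visible here), a stale pointer from the previous run would be treated as a configured secret file; an `else { g_spdk_iscsi.authfile = NULL; }` makes the state explicit. An empty string passed as `auth_file` also counts as configured here, while doc/jsonrpc.md in this commit lists the default as `""`; treating `opts->authfile[0] == '\0'` as unset would keep the code and the documentation consistent. The function body continues outside the hunk.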
@@ -1260,14 +1257,16 @@ spdk_iscsi_parse_configuration(void *ctx) SPDK_ERRLOG("spdk_iscsi_parse_tgt_nodes() failed\n"); } - if (access(g_spdk_iscsi.authfile, R_OK) == 0) { - rc = spdk_iscsi_parse_auth_info(); - if (rc < 0) { - SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n"); + if (g_spdk_iscsi.authfile != NULL) { + if (access(g_spdk_iscsi.authfile, R_OK) == 0) { + rc = spdk_iscsi_parse_auth_info(); + if (rc < 0) { + SPDK_ERRLOG("spdk_iscsi_parse_auth_info() failed\n"); + } + } else { + SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n", + g_spdk_iscsi.authfile); } - } else { - SPDK_INFOLOG(SPDK_LOG_ISCSI, "CHAP secret file is not found in the path %s\n", - g_spdk_iscsi.authfile); } end: @@ -1389,7 +1388,9 @@ spdk_iscsi_opts_info_json(struct spdk_json_write_ctx *w) { spdk_json_write_object_begin(w); - spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile); + if (g_spdk_iscsi.authfile != NULL) { + spdk_json_write_named_string(w, "auth_file", g_spdk_iscsi.authfile); + } spdk_json_write_named_string(w, "node_base", g_spdk_iscsi.nodebase); spdk_json_write_named_uint32(w, "max_sessions", g_spdk_iscsi.MaxSessions); diff --git a/scripts/rpc.py b/scripts/rpc.py index 230a082f17..41d49eb75f 100755 --- a/scripts/rpc.py +++ b/scripts/rpc.py @@ -509,7 +509,7 @@ if __name__ == "__main__": min_connections_per_core=args.min_connections_per_core) p = subparsers.add_parser('set_iscsi_options', help="""Set options of iSCSI subsystem""") - p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file for discovery session') + p.add_argument('-f', '--auth-file', help='Path to CHAP shared secret file') p.add_argument('-b', '--node-base', help='Prefix of the name of iSCSI target node') p.add_argument('-o', '--nop-timeout', help='Timeout in seconds to nop-in request to the initiator', type=int) p.add_argument('-n', '--nop-in-interval', help='Time interval in secs between nop-in requests by the target', type=int) 
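Review bot: In spdk_iscsi_parse_configuration (lib/iscsi/iscsi_subsystem.c, hunk at -1260), an AuthFile that the operator named explicitly but that cannot be read is still reported only through `SPDK_INFOLOG` and startup continues. A mistyped path or a permissions problem therefore leaves the target running without the CHAP secrets that were asked for, and nothing appears in the error log. Since the path is no longer a guessed default, this branch should be `SPDK_ERRLOG("CHAP secret file %s is not readable\n", g_spdk_iscsi.authfile);`, ideally with errno included, because `access()` also fails for reasons other than "not found". The `access()` check only shows that the file was readable just before `spdk_iscsi_parse_auth_info()` opens it (that function is not in the diff), so the parser's own open error is the more reliable thing to report. Whether `rc` from a failed parse is returned after `end:` is outside the hunk and worth confirming.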
diff --git a/scripts/rpc/iscsi.py b/scripts/rpc/iscsi.py index 1755129e07..341e746f13 100755 --- a/scripts/rpc/iscsi.py +++ b/scripts/rpc/iscsi.py @@ -23,7 +23,7 @@ def set_iscsi_options( """Set iSCSI target options. Args: - auth_file: Path to CHAP shared secret file for discovery session (optional) + auth_file: Path to CHAP shared secret file (optional) node_base: Prefix of the name of iSCSI target node (optional) nop_timeout: Timeout in seconds to nop-in request to the initiator (optional) nop_in_interval: Time interval in secs between nop-in requests by the target (optional)