MINOR: anon: store the anonymizing key in the global structure

Add a uint32_t key in global to hash words with it. A new CLI command
'set global-key <key>' was added to change the global anonymizing key.
The global may also be set in the configuration using the global
"anonkey" directive. For now this key is not used.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index f1fc0bbff561438cd1d4bcf4eaf6d1e4003c248d..bc4c622da47bcaefb4d902d747f9a1c6b3b4f6bd 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1156,6 +1156,7 @@ The following keywords are supported in the "global" section :
    - tune.zlib.windowsize
 
  * Debugging
+   - anonkey
    - quiet
    - zero-warning
 
@@ -3221,6 +3222,12 @@ tune.zlib.windowsize <number>
 3.3. Debugging
 --------------
 
+anonkey <key>
+  This sets the global anonymizing key to <key>, which must be a 32-bit number
+  between 0 and 4294967295. This is the key that will be used by default by CLI
+  commands when anonymized mode is enabled. This key may also be set at runtime
+  from the CLI command "set global-key".
+
 quiet
   Do not display any message during startup. It is equivalent to the command-
   line argument "-q".

diff --git a/doc/management.txt b/doc/management.txt
index d335d536526e30890ce30774d063ce429ddc65ab..28165352c67b5fe992a0836e58f365fde4788949 100644 (file)
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -2195,6 +2195,11 @@ set dynamic-cookie-key backend <backend> <value>
   Modify the secret key used to generate the dynamic persistent cookies.
   This will break the existing sessions.
 
+set global-key <key>
+  This sets the global anonymizing key to <key>, which must be a 32-bit
+  integer between 0 and 4294967295 (0 disables the global key). This command
+  requires admin privilege.
+
 set map <map> [<key>|#<ref>] <value>
   Modify the value corresponding to each key <key> in a map <map>. <map> is the
   #<id> or <file> returned by "show map". If the <ref> is used in place of

diff --git a/include/haproxy/global-t.h b/include/haproxy/global-t.h
index dc18fa987509417472cc5f1bff4e81bd7e02e27c..99b6acc74990b30e54a0a191ae4dc4eb3e9b2016 100644 (file)
--- a/include/haproxy/global-t.h
+++ b/include/haproxy/global-t.h
@@ -203,6 +203,7 @@ struct global {
        unsigned int shctx_lookups, shctx_misses;
        unsigned int req_count; /* request counter (HTTP or TCP session) for logs and unique_id */
        int last_checks;
+       uint32_t anon_key;
 
        /* leave this at the end to make sure we don't share this cache line by accident */
        ALWAYS_ALIGN(64);

diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c
index 18226bb82065384837d8d278e874d63b21c4d71d..cd96fb676d62d26e5c66b3b68079bbd0e9005a93 100644 (file)
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@@ -1257,6 +1257,28 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
        else if (strcmp(args[0], "numa-cpu-mapping") == 0) {
                global.numa_cpu_mapping = (kwm == KWM_NO) ? 0 : 1;
        }
+       else if (strcmp(args[0], "anonkey") == 0) {
+               long long tmp = 0;
+
+               if (*args[1] == 0) {
+                       ha_alert("parsing [%s:%d]: a key is expected after '%s'.\n",
+                                file, linenum, args[0]);
+                       err_code |= ERR_ALERT | ERR_FATAL;
+                       goto out;
+               }
+
+               if (HA_ATOMIC_LOAD(&global.anon_key) == 0) {
+                       tmp = atoll(args[1]);
+                       if (tmp < 0 || tmp > UINT_MAX) {
+                               ha_alert("parsing [%s:%d]: '%s' value must be within range %u-%u (was '%s').\n",
+                                        file, linenum, args[0], 0, UINT_MAX, args[1]);
+                               err_code |= ERR_ALERT | ERR_FATAL;
+                               goto out;
+                       }
+
+                       HA_ATOMIC_STORE(&global.anon_key, tmp);
+               }
+       }
        else {
                struct cfg_kw_list *kwl;
                const char *best;

diff --git a/src/cli.c b/src/cli.c
index 320bab4c7dc24091a7ecd0a46098ecc8b50c1b4f..aaf0677ac35496ac0f778507d8d86770a23a611e 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -1874,6 +1874,24 @@ int cli_parse_default(char **args, char *payload, struct appctx *appctx, void *p
        return 0;
 }
 
+/* This function set the global anonyzing key, restricted to level 'admin' */
+static int cli_parse_set_global_key(char **args, char *payload, struct appctx *appctx, void *private)
+{
+       long long key;
+
+       if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+               return cli_err(appctx, "Permission denied\n");
+       if (!*args[2])
+                return cli_err(appctx, "Expects an integer value.\n");
+
+       key = atoll(args[2]);
+       if (key < 0 || key > UINT_MAX)
+               return cli_err(appctx, "Value out of range (0 to 4294967295 expected).\n");
+
+       HA_ATOMIC_STORE(&global.anon_key, key);
+       return 1;
+}
+
 /* parse a "set rate-limit" command. It always returns 1. */
 static int cli_parse_set_ratelimit(char **args, char *payload, struct appctx *appctx, void *private)
 {
@@ -3182,6 +3200,7 @@ static struct cli_kw_list cli_kws = {{ },{
        { { "expert-mode", NULL },               NULL,                                                                                                cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
        { { "experimental-mode", NULL },         NULL,                                                                                                cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
        { { "mcli-debug-mode", NULL },         NULL,                                                                                                  cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER_ONLY }, // not listed
+       { { "set", "global-key", NULL },         "set global-key <value>                  : change the global anonymizing key",                       cli_parse_set_global_key, NULL, NULL },
        { { "set", "maxconn", "global",  NULL }, "set maxconn global <value>              : change the per-process maxconn setting",                  cli_parse_set_maxconn_global, NULL },
        { { "set", "rate-limit", NULL },         "set rate-limit <setting> <value>        : change a rate limiting value",                            cli_parse_set_ratelimit, NULL },
        { { "set", "severity-output",  NULL },   "set severity-output [none|number|string]: set presence of severity level in feedback information",  cli_parse_set_severity_output, NULL, NULL },