MINOR: anon: store the anonymizing key in the global structure
Add a uint32_t key in global to hash words with it. A new CLI command
'set global-key <key>' was added to change the global anonymizing key.
The global key may also be set in the configuration using the global
"anonkey" directive. For now this key is not used.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index f1fc0bb..bc4c622 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1156,6 +1156,7 @@
- tune.zlib.windowsize
* Debugging
+ - anonkey
- quiet
- zero-warning
@@ -3221,6 +3222,12 @@
3.3. Debugging
--------------
+anonkey <key>
+ This sets the global anonymizing key to <key>, which must be a 32-bit number
+ between 0 and 4294967295. This is the key that will be used by default by CLI
+ commands when anonymized mode is enabled. This key may also be set at runtime
+ from the CLI command "set global-key".
+
quiet
Do not display any message during startup. It is equivalent to the command-
line argument "-q".
diff --git a/doc/management.txt b/doc/management.txt
index d335d53..2816535 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -2195,6 +2195,11 @@
Modify the secret key used to generate the dynamic persistent cookies.
This will break the existing sessions.
+set global-key <key>
+ This sets the global anonymizing key to <key>, which must be a 32-bit
+ integer between 0 and 4294967295 (0 disables the global key). This command
+ requires admin privilege.
+
set map <map> [<key>|#<ref>] <value>
Modify the value corresponding to each key <key> in a map <map>. <map> is the
#<id> or <file> returned by "show map". If the <ref> is used in place of
diff --git a/include/haproxy/global-t.h b/include/haproxy/global-t.h
index dc18fa9..99b6acc 100644
--- a/include/haproxy/global-t.h
+++ b/include/haproxy/global-t.h
@@ -203,6 +203,7 @@
unsigned int shctx_lookups, shctx_misses;
unsigned int req_count; /* request counter (HTTP or TCP session) for logs and unique_id */
int last_checks;
+ uint32_t anon_key;
/* leave this at the end to make sure we don't share this cache line by accident */
ALWAYS_ALIGN(64);
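Review bot: The new `anon_key` field has no comment, although its zero value has a special meaning and every access in this commit goes through HA_ATOMIC_LOAD/HA_ATOMIC_STORE. I would document that on the declaration, for example `uint32_t anon_key; /* global anonymizing key, 0 = disabled; read/written atomically */`. The "0 = disabled" wording is taken from the doc/management.txt hunk of this commit. The enclosing struct starts and ends outside the hunk.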
diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c
index 18226bb..cd96fb6 100644
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@@ -1257,6 +1257,28 @@
else if (strcmp(args[0], "numa-cpu-mapping") == 0) {
global.numa_cpu_mapping = (kwm == KWM_NO) ? 0 : 1;
}
+ else if (strcmp(args[0], "anonkey") == 0) {
+ long long tmp = 0;
+
+ if (*args[1] == 0) {
+ ha_alert("parsing [%s:%d]: a key is expected after '%s'.\n",
+ file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ if (HA_ATOMIC_LOAD(&global.anon_key) == 0) {
+ tmp = atoll(args[1]);
+ if (tmp < 0 || tmp > UINT_MAX) {
+ ha_alert("parsing [%s:%d]: '%s' value must be within range %u-%u (was '%s').\n",
+ file, linenum, args[0], 0, UINT_MAX, args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ HA_ATOMIC_STORE(&global.anon_key, tmp);
+ }
+ }
else {
struct cfg_kw_list *kwl;
const char *best;
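Review bot: `atoll(args[1])` in the new `anonkey` branch cannot report a parse failure, so a non-numeric value yields 0 and digits followed by garbage are accepted as the leading number. Since doc/management.txt describes 0 as disabling the global key, a mistyped directive would turn the key off without any alert, and atoll's behaviour is undefined when the value does not fit in a long long. Parsing with `strtoll()` and checking the end pointer and `errno` lets the existing range alert cover these cases, assuming `<errno.h>` is in scope in this file. The same applies to `key = atoll(args[2])` in `cli_parse_set_global_key()` in src/cli.c. Separately, the `HA_ATOMIC_LOAD(&global.anon_key) == 0` guard skips a later `anonkey` line without validating it or warning. The enclosing parser function starts and ends outside the hunk.

```c
else if (strcmp(args[0], "anonkey") == 0) {
	long long tmp = 0;
	char *end;

	/* ... unchanged: missing-argument check ... */

	if (HA_ATOMIC_LOAD(&global.anon_key) == 0) {
		errno = 0;
		tmp = strtoll(args[1], &end, 10);
		if (end == args[1] || *end != '\0' || errno == ERANGE ||
		    tmp < 0 || tmp > UINT_MAX) {
			/* ... unchanged: ha_alert range message, err_code, goto out ... */
		}

		/* ... unchanged: HA_ATOMIC_STORE of tmp ... */
	}
}
```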
diff --git a/src/cli.c b/src/cli.c
index 320bab4..aaf0677 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1874,6 +1874,24 @@
return 0;
}
+/* This function set the global anonyzing key, restricted to level 'admin' */
+static int cli_parse_set_global_key(char **args, char *payload, struct appctx *appctx, void *private)
+{
+ long long key;
+
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return cli_err(appctx, "Permission denied\n");
+ if (!*args[2])
+ return cli_err(appctx, "Expects an integer value.\n");
+
+ key = atoll(args[2]);
+ if (key < 0 || key > UINT_MAX)
+ return cli_err(appctx, "Value out of range (0 to 4294967295 expected).\n");
+
+ HA_ATOMIC_STORE(&global.anon_key, key);
+ return 1;
+}
+
/* parse a "set rate-limit" command. It always returns 1. */
static int cli_parse_set_ratelimit(char **args, char *payload, struct appctx *appctx, void *private)
{
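Review bot: The comment above `cli_parse_set_global_key()` misspells "anonymizing" and says neither what the handler returns nor that 0 is an accepted value, which doc/management.txt describes as disabling the global key. I would align it with the neighbouring "set rate-limit" comment, for example `/* parse a "set global-key" command: sets the global anonymizing key (0 disables it), restricted to level 'admin'. Returns 1 on success. */`. The return value of `cli_err()` is not visible in this hunk, so the comment should only state the error-path result after checking it.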
@@ -3182,6 +3200,7 @@
{ { "expert-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
{ { "experimental-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
{ { "mcli-debug-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER_ONLY }, // not listed
+ { { "set", "global-key", NULL }, "set global-key <value> : change the global anonymizing key", cli_parse_set_global_key, NULL, NULL },
{ { "set", "maxconn", "global", NULL }, "set maxconn global <value> : change the per-process maxconn setting", cli_parse_set_maxconn_global, NULL },
{ { "set", "rate-limit", NULL }, "set rate-limit <setting> <value> : change a rate limiting value", cli_parse_set_ratelimit, NULL },
{ { "set", "severity-output", NULL }, "set severity-output [none|number|string]: set presence of severity level in feedback information", cli_parse_set_severity_output, NULL, NULL },