MINOR: anon: store the anonymizing key in the global structure

Add a uint32_t key in global to hash words with it. A new CLI command
'set global-key <key>' was added to change the global anonymizing key.
The key may also be set in the configuration using the global
"anonkey" directive. For now this key is not used.
Erwan Le Goas 2022-09-14 17:24:22 +02:00 committed by Willy Tarreau
parent 9c76637fff
commit fad9da83da
5 changed files with 54 additions and 0 deletions


@ -1156,6 +1156,7 @@ The following keywords are supported in the "global" section :
- tune.zlib.windowsize
* Debugging
- anonkey
- quiet
- zero-warning
@ -3221,6 +3222,12 @@ tune.zlib.windowsize <number>
3.3. Debugging
--------------
anonkey <key>
This sets the global anonymizing key to <key>, which must be a 32-bit number
between 0 and 4294967295. This is the key that will be used by default by CLI
commands when anonymized mode is enabled. This key may also be set at runtime
from the CLI command "set global-key".
quiet
Do not display any message during startup. It is equivalent to the command-
line argument "-q".


@ -2195,6 +2195,11 @@ set dynamic-cookie-key backend <backend> <value>
Modify the secret key used to generate the dynamic persistent cookies.
This will break the existing sessions.
set global-key <key>
This sets the global anonymizing key to <key>, which must be a 32-bit
integer between 0 and 4294967295 (0 disables the global key). This command
requires admin privilege.
set map <map> [<key>|#<ref>] <value>
Modify the value corresponding to each key <key> in a map <map>. <map> is the
#<id> or <file> returned by "show map". If the <ref> is used in place of


@ -203,6 +203,7 @@ struct global {
unsigned int shctx_lookups, shctx_misses;
unsigned int req_count; /* request counter (HTTP or TCP session) for logs and unique_id */
int last_checks;
uint32_t anon_key;
/* leave this at the end to make sure we don't share this cache line by accident */
ALWAYS_ALIGN(64);
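Review bot: `uint32_t anon_key;` is the only field in this part of `struct global` with no trailing comment, while `req_count` just above documents what it holds and who reads it. Suggest `uint32_t anon_key; /* global anonymizing key, 0 = disabled; read and written with HA_ATOMIC_* */`, since the config parser and the CLI handler in this commit both access it through HA_ATOMIC_LOAD/HA_ATOMIC_STORE. `struct global` begins and ends outside the hunk.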


@ -1257,6 +1257,28 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
else if (strcmp(args[0], "numa-cpu-mapping") == 0) {
global.numa_cpu_mapping = (kwm == KWM_NO) ? 0 : 1;
}
else if (strcmp(args[0], "anonkey") == 0) {
long long tmp = 0;
if (*args[1] == 0) {
ha_alert("parsing [%s:%d]: a key is expected after '%s'.\n",
file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
if (HA_ATOMIC_LOAD(&global.anon_key) == 0) {
tmp = atoll(args[1]);
if (tmp < 0 || tmp > UINT_MAX) {
ha_alert("parsing [%s:%d]: '%s' value must be within range %u-%u (was '%s').\n",
file, linenum, args[0], 0, UINT_MAX, args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
HA_ATOMIC_STORE(&global.anon_key, tmp);
}
}
else {
struct cfg_kw_list *kwl;
const char *best;
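Review bot: `tmp = atoll(args[1]);` inside the `HA_ATOMIC_LOAD` branch accepts non-numeric input silently: `anonkey abc` converts to 0 and passes the range check, so a typo leaves the key unset with no diagnostic, and `anonkey 12abc` stores 12 without complaint. The same conversion appears in the `cli_parse_set_global_key` hunk of src/cli.c, where a bad `set global-key` value disables the key while reporting success; both should use `strtoll` and reject trailing characters: `char *end;`, `tmp = strtoll(args[1], &end, 10);`, `if (end == args[1] || *end != '\0' || tmp < 0 || tmp > UINT_MAX) {` (an overflowing value comes back as LLONG_MAX or LLONG_MIN and is already caught by the range test). A second `anonkey` directive is also dropped without a word because the store only happens when the current key is 0 — presumably so that an earlier setting takes precedence, but an `ha_warning` in that case would make the ignored line visible to the operator. cfg_parse_global starts and ends outside the hunk.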


@ -1874,6 +1874,24 @@ int cli_parse_default(char **args, char *payload, struct appctx *appctx, void *p
return 0;
}
/* This function set the global anonyzing key, restricted to level 'admin' */
static int cli_parse_set_global_key(char **args, char *payload, struct appctx *appctx, void *private)
{
long long key;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return cli_err(appctx, "Permission denied\n");
if (!*args[2])
return cli_err(appctx, "Expects an integer value.\n");
key = atoll(args[2]);
if (key < 0 || key > UINT_MAX)
return cli_err(appctx, "Value out of range (0 to 4294967295 expected).\n");
HA_ATOMIC_STORE(&global.anon_key, key);
return 1;
}
/* parse a "set rate-limit" command. It always returns 1. */
static int cli_parse_set_ratelimit(char **args, char *payload, struct appctx *appctx, void *private)
{
@ -3182,6 +3200,7 @@ static struct cli_kw_list cli_kws = {{ },{
{ { "expert-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
{ { "experimental-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER }, // not listed
{ { "mcli-debug-mode", NULL }, NULL, cli_parse_expert_experimental_mode, NULL, NULL, NULL, ACCESS_MASTER_ONLY }, // not listed
{ { "set", "global-key", NULL }, "set global-key <value> : change the global anonymizing key", cli_parse_set_global_key, NULL, NULL },
{ { "set", "maxconn", "global", NULL }, "set maxconn global <value> : change the per-process maxconn setting", cli_parse_set_maxconn_global, NULL },
{ { "set", "rate-limit", NULL }, "set rate-limit <setting> <value> : change a rate limiting value", cli_parse_set_ratelimit, NULL },
{ { "set", "severity-output", NULL }, "set severity-output [none|number|string]: set presence of severity level in feedback information", cli_parse_set_severity_output, NULL, NULL },
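Review bot: The header comment on `cli_parse_set_global_key` has a typo ('anonyzing') and, unlike the neighbouring `cli_parse_set_ratelimit` comment, does not state the return convention; suggest `/* parse a "set global-key" command, restricted to level 'admin'. It always returns 1. */`. The new `cli_kws` entry omits the trailing level field like the other "set" entries around it, which is consistent as long as the admin check stays inside the parser — a short comment on the table line saying that the privilege check is done in `cli_parse_set_global_key` would keep the next maintainer from adding a redundant or conflicting level there.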