don't allow users to use the 'permissions' field.
Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
string str_val;
ESQueryNodeLeafVal *val{nullptr};
ESEntityTypeMap::EntityType entity_type{ESEntityTypeMap::ES_ENTITY_NONE};
+ bool allow_restricted{false};
bool val_from_str(string *perr) {
switch (entity_type) {
}
bool handle_nested(ESQueryNode **pnode, string *perr);
+ void set_allow_restricted(bool allow) {
+ allow_restricted = allow;
+ }
+
virtual void dump(Formatter *f) const = 0;
};
*pnode = this;
auto m = compiler->get_generic_type_map();
if (m) {
- bool found = m->find(field_name, &entity_type);
+ bool found = m->find(field_name, &entity_type) &&
+ (allow_restricted || !compiler->is_restricted(field_name));
if (!found) {
*perr = string("unexpected generic field '") + field_name + "'";
}
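Review bot: The access decision is folded into `found`, so a restricted field and a misspelled one take the same path and produce the same "unexpected generic field" message. If hiding the field's existence from callers is intended, a comment saying so would keep a later cleanup from separating the two cases. Either way, a named local such as `const bool restricted = !allow_restricted && compiler->is_restricted(field_name);` would be easier to audit than a lookup variable that also carries policy. The enclosing function starts and ends outside this hunk, so what follows the `if (!found)` block is not visible here.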
for (auto& c : eq_conds) {
ESQueryNode_Op_Equal *eq_node = new ESQueryNode_Op_Equal(this, c.first, c.second);
+ eq_node->set_allow_restricted(true); /* can access restricted fields */
ESQueryNode *effective_node;
if (!eq_node->init(nullptr, &effective_node, perr)) {
delete eq_node;
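Review bot: `set_allow_restricted(true)` lifts the restriction for every entry in `eq_conds`, and the inline comment says what it does but not why that is safe. The safety presumably rests on `eq_conds` being filled only from the caller-supplied prepend conditions and never from the parsed user query. That assumption should be stated where the exemption is granted, e.g. `/* eq_conds come from the caller, not from the user query, so restricted fields are allowed */`. The loop body continues past the end of this hunk.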
ESEntityTypeMap *custom_type_map{nullptr};
map<string, string> *field_aliases;
+ set<string> *restricted_fields;
public:
ESQueryCompiler(const string& query, list<pair<string, string> > *prepend_eq_conds, const string& _custom_prefix) : parser(query), custom_prefix(_custom_prefix) {
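Review bot: The new `restricted_fields` member is declared without an initializer, while `is_restricted()` (added further down in this class) tests it for null before dereferencing. The constructor's initializer list visible here sets only `parser` and `custom_prefix`. Unless the constructor body outside this hunk assigns the member, a compiler on which `set_restricted_fields()` was never called reads an indeterminate pointer in the check that gates restricted fields. Declaring it as `set<string> *restricted_fields{nullptr};`, matching `custom_type_map` two lines above, makes the unset case well defined. `is_restricted()` could also be marked `const`, since it only reads the member.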
return i->second;
}
+
+ void set_restricted_fields(set<string> *rf) {
+ restricted_fields = rf;
+ }
+
+ bool is_restricted(const string& f) {
+ return (restricted_fields && restricted_fields->find(f) != restricted_fields->end());
+ }
};
{ "contenttype", "meta.contenttype" },
};
es_query.set_field_aliases(&aliases);
-#warning permissions need to be restricted value
+
static map<string, ESEntityTypeMap::EntityType> generic_map = { {"bucket", ESEntityTypeMap::ES_ENTITY_STR},
{"name", ESEntityTypeMap::ES_ENTITY_STR},
{"instance", ESEntityTypeMap::ES_ENTITY_STR},
ESEntityTypeMap gm(generic_map);
es_query.set_generic_type_map(&gm);
+ static set<string> restricted_fields = { {"permissions"} };
+ es_query.set_restricted_fields(&restricted_fields);
+
static map<string, ESEntityTypeMap::EntityType> custom_map = { };
ESEntityTypeMap em(custom_map);
es_query.set_custom_type_map(&em);