#include "OSDCap.h"
#include "common/config.h"
#include "common/debug.h"
+#include "include/ipaddr.h"
using std::ostream;
using std::vector;
return out;
}
+void OSDCapGrant::set_network(const string& n)
+{
+ network = n;
+ network_valid = ::parse_network(n.c_str(), &network_parsed, &network_prefix);
+}
+
bool OSDCapGrant::allow_all() const
{
if (profile.is_valid()) {
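Review bot: allow_all(), shown here only as unchanged context, takes no peer address, so a grant written with a network restriction may still be reported as allow-all wherever the client connects from. If any caller uses allow_all() as a shortcut instead of is_capable(), the restriction added in this commit would not apply on that path. This is inferred, because the body of allow_all() and its callers are outside the hunk. Consider returning false for restricted grants, for example `if (!network.empty()) return false;` at the top of allow_all(), or add a comment explaining why callers cannot reach it with a restricted grant.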
std::vector<bool>* class_allowed) const
{
osd_rwxa_t allow = 0;
+
+ if (network.size() &&
+ (!network_valid ||
+ !network_contains(network_parsed,
+ network_prefix,
+ addr))) {
+ return false;
+ }
+
if (profile.is_valid()) {
return std::any_of(profile_grants.cbegin(), profile_grants.cend(),
[&](const OSDCapGrant& grant) {
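Review bot: A network string that failed to parse makes this grant deny every request without any trace, because `!network_valid` returns false here and set_network() records the failure without reporting it. Failing closed is the right default, but an operator with a typo in a cap will see only unexplained denials. State the intent above the check, for example `// fail closed: a grant whose network restriction did not parse, or does not contain addr, never matches`. Also consider writing the guard as `!network.empty()` rather than `network.size()`. is_capable() starts before and continues after this hunk, so any logging the rest of the function already does is not visible here.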
OSDCapSpec spec;
OSDCapProfile profile;
string network;
+ entity_addr_t network_parsed;
+ unsigned network_prefix = 0;
+ bool network_valid = true;
// explicit grants that a profile grant expands to; populated as
// needed by expand_profile() and cached here.
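Review bot: `network_valid` defaults to true, so the cached fields are only trustworthy when `network` was assigned through set_network(). If these members can be assigned directly (the enclosing type's declaration is outside the hunk), code that sets `network` itself leaves a restriction string paired with a default `network_parsed` and prefix 0. Whether that pair matches every address depends on network_contains(), which is not visible here. Defaulting to `bool network_valid = false;` leaves unrestricted grants unchanged, because the check in is_capable() is gated on a non-empty `network`, and makes the bypassed-setter case fail closed. A comment such as `// network_parsed, network_prefix and network_valid are derived from network by set_network()` would record the invariant.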
boost::optional<string> n = {})
: match(m), spec(s) {
if (n) {
- network = *n;
+ set_network(*n);
}
}
explicit OSDCapGrant(const OSDCapProfile& profile,
boost::optional<string> n = {})
: profile(profile) {
if (n) {
- network = *n;
+ set_network(*n);
}
expand_profile();
}
+ void set_network(const string& n);
+
bool allow_all() const;
bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid,
const OSDCapPoolTag::app_map_t& application_metadata,
{{"rbd", "other function", true, true, true}}, addr));
}
+TEST(OSDCap, network) {
+ entity_addr_t a, b, c;
+ a.parse("10.1.2.3");
+ b.parse("192.168.2.3");
+ c.parse("192.167.2.3");
+
+ OSDCap cap;
+ ASSERT_TRUE(cap.parse("allow * network 192.168.0.0/16, allow * network 10.0.0.0/8", NULL));
+
+ ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, a));
+ ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, b));
+ ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, c));
+}
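Review bot: The test covers only well-formed IPv4 networks, so the deny path for a restriction that fails to parse (`!network_valid` in is_capable()) is never exercised. Add a case whose network string is accepted by the cap grammar but rejected by parse_network, and assert is_capable() is false for a, b and c. Which strings qualify depends on the grammar, which is not visible here. The results of the three `parse` calls are also discarded; `ASSERT_TRUE(a.parse("10.1.2.3"));` would stop a mistyped test address from making an assertion pass vacuously. An IPv6 network and address pair would be a useful further case.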