mds/MDSAuthCap: verify the caller_gid is valid

Verify both the caller uid and gid are a match for the given rule.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 483e0a18774d27503bb59c5f303c03e041241046..9f1709f8715a643c294558e53746890a2c0091e2 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -107,10 +107,13 @@ void MDSCapMatch::normalize_path()
 }
 
 bool MDSCapMatch::match(const std::string &target_path,
-                       const int target_uid) const
+                       const int caller_uid,
+                       const int caller_gid) const
 {
   if (uid != MDS_AUTH_UID_ANY) {
-    if (uid != target_uid)
+    if (uid != caller_uid)
+      return false;
+    if (std::find(gids.begin(), gids.end(), caller_gid) == gids.end())
       return false;
   }
   if (path.length()) {
@@ -153,7 +156,7 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
        i != grants.end();
        ++i) {
 
-    if (i->match.match(inode_path, caller_uid) &&
+    if (i->match.match(inode_path, caller_uid, caller_gid) &&
        i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
 
       // check unix permissions?

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 7f361ecaefdde25a23121d4024588e36848bf40d..68034ecc82fcaf4203d099241c21b181c4ee7553 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -80,7 +80,11 @@ struct MDSCapMatch {
   {
     return uid == MDS_AUTH_UID_ANY && path == "";
   }
-  bool match(const std::string &target_path, const int target_uid) const;
+
+  // check whether this grant matches against a given file and caller uid:gid
+  bool match(const std::string &target_path,
+            const int caller_uid,
+            const int caller_gid) const;
 };
 
 struct MDSCapGrant {

diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc
index 49d91f21c03f05555f06d1c3dfa2490dbfeb9cf1..b7d3c0b0877abfbb00dd9b782cb7a74130a95263 100644 (file)
--- a/src/test/mds/TestMDSAuthCaps.cc
+++ b/src/test/mds/TestMDSAuthCaps.cc
@@ -16,6 +16,9 @@
 
 #include "include/stringify.h"
 #include "mds/MDSAuthCaps.h"
+#include "common/ceph_argparse.h"
+#include "common/common_init.h"
+#include "global/global_init.h"
 
 #include "gtest/gtest.h"
 
@@ -114,10 +117,11 @@ TEST(MDSAuthCaps, AllowAll) {
 }
 
 TEST(MDSAuthCaps, AllowUid) {
-  MDSAuthCaps cap;
-  ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10", NULL));
+  MDSAuthCaps cap(g_ceph_context);
+  ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10 gids=10,11", NULL));
   ASSERT_FALSE(cap.allow_all());
-  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 0, MAY_READ | MAY_WRITE, 0, 0));
+  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 10, MAY_READ | MAY_WRITE, 0, 0));
+  ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 10, 0, MAY_READ | MAY_WRITE, 0, 0));
   ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, -1, 0, MAY_READ | MAY_WRITE, 0, 0));
   ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 0, 0, MAY_READ | MAY_WRITE, 0, 0));
   ASSERT_TRUE(cap.is_capable("foo", 0, 10, 0775, 10, 10, MAY_READ, 0, 0));
@@ -129,7 +133,7 @@ TEST(MDSAuthCaps, AllowUid) {
   ASSERT_FALSE(cap.is_capable("foo", 0, 10, 0777, 10, 10, MAY_READ|MAY_CREATE, 0, 0));
   ASSERT_TRUE(cap.is_capable("foo", 0, 10, 0557, 10, 10, MAY_READ, 0, 0));
   ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_READ, 0, 0));
-  ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_CREATE, 0, 0));
+  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_WRITE, 0, 0));
   ASSERT_FALSE(cap.is_capable("foo", 10, 10, 0577, 10, 10, MAY_WRITE, 0, 0));
 }
 
@@ -182,3 +186,17 @@ TEST(MDSAuthCaps, OutputParsed) {
     ASSERT_EQ(test_values[i].output, stringify(cap));
   }
 }
+
+int main(int argc, char **argv)
+{
+  ::testing::InitGoogleTest(&argc, argv);
+
+  vector<const char*> args;
+  argv_to_vec(argc, (const char **)argv, args);
+  env_to_vec(args, NULL);
+
+  global_init(NULL, args, CEPH_ENTITY_TYPE_CLIENT, CODE_ENVIRONMENT_UTILITY, 0);
+  common_init_finish(g_ceph_context);
+
+  return RUN_ALL_TESTS();
+}