mds: add MDSAuthCaps.maybe_capable(path)

To allow us to query whether a client is
potentially capable of accessing a particular
path, ignoring uids/gids (used to validate
the client's claims about its mounted root)

Signed-off-by: John Spray <john.spray@redhat.com>

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index ccabe0017a898d8615e7818c6d95049bf630bfe0..c8887800bcc52400ca7e4cc0e8382c6fa80a4c5a 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -118,6 +118,16 @@ bool MDSCapMatch::match(const std::string &target_path,
     if (std::find(gids.begin(), gids.end(), caller_gid) == gids.end())
       return false;
   }
+
+  if (!match_path(target_path)) {
+    return false;
+  }
+
+  return true;
+}
+
+bool MDSCapMatch::match_path(const std::string &target_path) const
+{
   if (path.length()) {
     if (target_path.find(path) != 0)
       return false;
@@ -128,9 +138,25 @@ bool MDSCapMatch::match(const std::string &target_path,
        target_path[path.length()] != '/')
       return false;
   }
+
   return true;
 }
 
+/**
+ * Is the client *potentially* able to access this path?  Actual
+ * permission will depend on uids/modes in the full is_capable.
+ */
+bool MDSAuthCaps::path_capable(const std::string &inode_path) const
+{
+  for (const auto &i : grants) {
+    if (i.match.match_path(inode_path)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /**
  * For a given filesystem path, query whether this capability carries`
  * authorization to read or write.

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index e75e7e7f6912f4741c9318cbd724f746f0a09f0d..0ecf8ac4a0a693a00371009971713f69023af37b 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -94,6 +94,8 @@ struct MDSCapMatch {
   bool match(const std::string &target_path,
             const int caller_uid,
             const int caller_gid) const;
+
+  bool match_path(const std::string &target_path) const;
 };
 
 struct MDSCapGrant {
@@ -126,6 +128,7 @@ public:
                  uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
                  uid_t uid, gid_t gid, unsigned mask,
                  uid_t new_uid, gid_t new_gid) const;
+  bool path_capable(const std::string &inode_path) const;
 
   friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
 };