* This is true if any of the 'grant' clauses in the capability match the
* requested path + op.
*/
-bool MDSAuthCaps::is_capable(const std::string &path, int uid,
- bool may_read, bool may_write) const
+bool MDSAuthCaps::is_capable(const std::string &path, int uid, unsigned mask) const
{
for (std::vector<MDSCapGrant>::const_iterator i = grants.begin();
i != grants.end();
++i) {
if (i->match.match(path, uid) &&
- i->spec.allows(may_read, may_write)) {
+ i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
return true;
}
}
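Review bot: The conversion in `i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)` silently drops every bit of `mask` that is not one of the three defined flags, so a request carrying an unknown permission bit is authorised as if that bit were absent. A capability check should fail closed, for example `if (mask & ~(MAY_READ|MAY_WRITE|MAY_EXECUTE)) return false;` ahead of the loop. A `mask` of 0 likewise reaches `allows(false, false)`, which presumably succeeds for any matching grant (`allows()` is not shown here), so it is worth deciding whether an empty request should be granted. The same line lets a read grant authorise MAY_EXECUTE; if that is intended, the doc comment above should say so, e.g. `MAY_EXECUTE is authorised by a read grant; there is no separate execute capability`. The function's closing lines lie outside the hunk.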
#include <string>
#include <sstream>
+// unix-style capabilities
+enum {
+ MAY_READ = 1,
+ MAY_WRITE = 2,
+ MAY_EXECUTE = 4,
+};
+
// what we can do
struct MDSCapSpec {
bool read;
class MDSAuthCaps
{
-protected:
std::vector<MDSCapGrant> grants;
public:
bool parse(const std::string &str, std::ostream *err);
bool allow_all() const;
- bool is_capable(const std::string &path, int uid,
- bool may_read, bool may_write) const;
+ bool is_capable(const std::string &path, int uid, unsigned mask) const;
friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
};
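Review bot: The new enum is commented as "unix-style capabilities", but `MAY_READ = 1` and `MAY_EXECUTE = 4` are the reverse of the POSIX `R_OK`/`X_OK` values (4 and 1) and of the rwx mode-bit order. Because `is_capable` now takes a plain `unsigned mask`, a caller that passes mode bits or access() flags compiles cleanly and has read and execute swapped. That looks harmless only while the definition checks both bits against the read grant, and would become an authorization bug once execute is checked separately. I would add `// NOTE: not the POSIX R_OK/W_OK/X_OK values (4/2/1); never pass mode bits or access() flags as a mask` above the enum. The enum also appears to be unnamed at file scope in a header, so giving it a name or a project prefix would keep the three constants out of every includer's global namespace.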
ASSERT_TRUE(cap.parse("allow *", NULL));
ASSERT_TRUE(cap.allow_all());
- ASSERT_TRUE(cap.is_capable("/foo/bar", 0, true, true));
+ ASSERT_TRUE(cap.is_capable("/foo/bar", 0, MAY_READ | MAY_WRITE));
}
TEST(MDSAuthCaps, AllowUid) {
MDSAuthCaps cap;
ASSERT_TRUE(cap.parse("allow * uid=10", NULL));
ASSERT_FALSE(cap.allow_all());
- ASSERT_TRUE(cap.is_capable("/foo", 10, true, true));
- ASSERT_FALSE(cap.is_capable("/foo", -1, true, true));
- ASSERT_FALSE(cap.is_capable("/foo", 0, true, true));
+ ASSERT_TRUE(cap.is_capable("/foo", 10, MAY_READ | MAY_WRITE));
+ ASSERT_FALSE(cap.is_capable("/foo", -1, MAY_READ | MAY_WRITE));
+ ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE));
}
TEST(MDSAuthCaps, AllowPath) {
MDSAuthCaps cap;
ASSERT_TRUE(cap.parse("allow * path=/sandbox", NULL));
ASSERT_FALSE(cap.allow_all());
- ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, true, true));
- ASSERT_TRUE(cap.is_capable("/sandbox", 0, true, true));
- ASSERT_FALSE(cap.is_capable("/sandboxed", 0, true, true));
- ASSERT_FALSE(cap.is_capable("/foo", 0, true, true));
+ ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, MAY_READ | MAY_WRITE));
+ ASSERT_TRUE(cap.is_capable("/sandbox", 0, MAY_READ | MAY_WRITE));
+ ASSERT_FALSE(cap.is_capable("/sandboxed", 0, MAY_READ | MAY_WRITE));
+ ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE));
}
TEST(MDSAuthCaps, OutputParsed) {
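Review bot: Every updated assertion passes `MAY_READ | MAY_WRITE`, so the new mask-to-bool mapping in `is_capable` is never exercised with a single bit or with `MAY_EXECUTE`. A mistake in the `mask & (MAY_READ|MAY_EXECUTE)` expression would leave all of these tests green. I would add at least `ASSERT_TRUE(cap.is_capable("/foo/bar", 0, MAY_EXECUTE));` under the `allow *` case and `ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ));` under `AllowUid`. A case where a grant without write permission denies `MAY_WRITE` would also help, if the grant grammar (not visible here) can express one. The first test's header and the body of `OutputParsed` lie outside this section.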