mon/AuthMonitor: check caps validity for all cap-related commands

Add a validity check for 'auth add' and 'fs authorize'.  'auth caps' and
'auth get-or-create[-key]' already had the check.

Fixes: http://tracker.ceph.com/issues/22525
Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index b7d7c0bd5a8be7d94bc64188007683786832f383..f318fe5e4dcdc85e87cc9c697e90d396d3098eee 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -1147,6 +1147,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
       }
     }
 
+    if (!valid_caps(caps_vec, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
     // are we about to have it?
     if (entity_is_pending(entity)) {
       wait_for_finished_proposal(op,
@@ -1215,7 +1220,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
                                                   get_last_committed() + 1));
     return true;
   } else if ((prefix == "auth get-or-create-key" ||
-            prefix == "auth get-or-create") &&
+             prefix == "auth get-or-create") &&
             !entity_name.empty()) {
     // auth get-or-create <name> [mon osdcapa osd osdcapb ...]
 
@@ -1322,6 +1327,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     string mds_cap_string, osd_cap_string;
     string osd_cap_wanted = "r";
 
+    if (!valid_caps(caps_vec, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
     for (auto it = caps_vec.begin();
         it != caps_vec.end() && (it + 1) != caps_vec.end();
         it += 2) {