From: Sage Weil
Date: Thu, 28 May 2015 20:48:36 +0000 (-0400)
Subject: mds/MDSAuthCap: fix path match
X-Git-Tag: v10.0.0~123^2~99
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1b0a82ba951eaef86a1a43f161e02eb500b6782a;p=ceph.git

mds/MDSAuthCap: fix path match

Signed-off-by: Sage Weil
---
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 4f78db7ac08..73df5e2cc8d 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -88,6 +88,25 @@ struct MDSCapParser : qi::grammar
 qi::rule mdscaps;
 };
+bool MDSCapMatch::match(const std::string &target_path,
+ const int target_uid) const
+{
+ if (uid != MDS_AUTH_UID_ANY) {
+ if (uid != target_uid)
+ return false;
+ }
+ if (path.length()) {
+ if (target_path.find(path) != 0)
+ return false;
+ // if path doesn't already have a trailing /, make sure the target
+ // does so that path=/foo doesn't match target_path=/food
+ if (target_path.length() > path.length() &&
+ path[path.length()-1] != '/' &&
+ target_path[path.length()] != '/')
+ return false;
+ }
+ return true;
+}
 /**
 * For a given filesystem path, query whether this capability carries`
@@ -95,18 +114,18 @@ struct MDSCapParser : qi::grammar
 *
 * This is true if any of the 'grant' clauses in the capability match the
 * requested path + op.
- *
 */
 bool MDSAuthCaps::is_capable(const std::string &path, int uid, bool may_read, bool may_write) const
 {
- for (std::vector::const_iterator i = grants.begin(); i != grants.end(); ++i) {
+ for (std::vector::const_iterator i = grants.begin();
+ i != grants.end();
+ ++i) {
 if (i->match.match(path, uid) && i->spec.allows(may_read, may_write)) {
 return true;
 }
 }
-
 return false;
 }
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 13cdc29e358..f76a12f20ff 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
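Review bot: The prefix test added in `MDSCapMatch::match` (src/mds/MDSAuthCaps.cc) is purely lexical, so it is a sound authorization check only if `target_path` arrives already canonical; nothing in this hunk collapses `.`, `..` or repeated `/` components, and a target like `/sandbox/../foo` would satisfy a grant on `/sandbox`. Whether the callers normalise is not visible here, so I would state the precondition above the function, e.g. `// target_path must be canonical (no ".", ".." or "//" components); the match is lexical`, and pin it with an assertion in the AllowPath test. As a smaller point, `target_path.find(path) != 0` keeps searching the rest of the string after the prefix fails; `target_path.compare(0, path.length(), path) != 0` checks only the prefix.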
@@ -63,12 +63,7 @@ struct MDSCapMatch {
 {
 return uid == MDS_AUTH_UID_ANY && path == "/";
 }
-
- bool match(const std::string &target_path, const int target_uid) const {
- return
- (target_path.find(path) == 0 &&
- (target_uid == uid || uid == MDS_AUTH_UID_ANY));
- }
+ bool match(const std::string &target_path, const int target_uid) const;
 };
 struct MDSCapGrant {
diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc
index aa463ebf5b1..fde3cc5b333 100644
--- a/src/test/mds/TestMDSAuthCaps.cc
+++ b/src/test/mds/TestMDSAuthCaps.cc
@@ -121,6 +121,7 @@ TEST(MDSAuthCaps, AllowPath) {
 ASSERT_FALSE(cap.allow_all());
 ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, true, true));
 ASSERT_TRUE(cap.is_capable("/sandbox", 0, true, true));
+ ASSERT_FALSE(cap.is_capable("/sandboxed", 0, true, true));
 ASSERT_FALSE(cap.is_capable("/foo", 0, true, true));
 }
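Review bot: The new `/sandboxed` assertion in `TEST(MDSAuthCaps, AllowPath)` exercises only the case where the grant path has no trailing slash, so the `path[path.length()-1] != '/'` condition added in MDSAuthCaps.cc is never tested with a grant that ends in `/`. The cap string parsed at the top of this test lies outside the hunk, so I am assuming it is a grant on `/sandbox`. I would add a sibling case with a trailing-slash grant that asserts `/sandbox/foo` is allowed and pins what `/sandbox` itself should return, since `target_path.find(path) != 0` rejects a target shorter than the grant path.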