From: Yehuda Sadeh Date: Wed, 29 Mar 2017 21:44:03 +0000 (-0700) Subject: rgw: guard restricted fields in es query X-Git-Tag: ses5-milestone6~9^2~3^2~46 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3f62f17f94121ec3400d1ae591672155ba51460a;p=ceph.git rgw: guard restricted fields in es query don't allow users to use the 'permissions' field. Signed-off-by: Yehuda Sadeh --- diff --git a/src/rgw/rgw_es_query.cc b/src/rgw/rgw_es_query.cc index 426994f56e62..4f673fb3297d 100644 --- a/src/rgw/rgw_es_query.cc +++ b/src/rgw/rgw_es_query.cc @@ -225,6 +225,7 @@ protected: string str_val; ESQueryNodeLeafVal *val{nullptr}; ESEntityTypeMap::EntityType entity_type{ESEntityTypeMap::ES_ENTITY_NONE}; + bool allow_restricted{false}; bool val_from_str(string *perr) { switch (entity_type) { @@ -269,6 +270,10 @@ public: } bool handle_nested(ESQueryNode **pnode, string *perr); + void set_allow_restricted(bool allow) { + allow_restricted = allow; + } + virtual void dump(Formatter *f) const = 0; }; @@ -376,7 +381,8 @@ bool ESQueryNode_Op::handle_nested(ESQueryNode **pnode, string *perr) *pnode = this; auto m = compiler->get_generic_type_map(); if (m) { - bool found = m->find(field_name, &entity_type); + bool found = m->find(field_name, &entity_type) && + (allow_restricted || !compiler->is_restricted(field_name)); if (!found) { *perr = string("unexpected generic field '") + field_name + "'"; } @@ -635,6 +641,7 @@ bool ESQueryCompiler::compile(string *perr) { for (auto& c : eq_conds) { ESQueryNode_Op_Equal *eq_node = new ESQueryNode_Op_Equal(this, c.first, c.second); + eq_node->set_allow_restricted(true); /* can access restricted fields */ ESQueryNode *effective_node; if (!eq_node->init(nullptr, &effective_node, perr)) { delete eq_node; diff --git a/src/rgw/rgw_es_query.h b/src/rgw/rgw_es_query.h index f60ecd85fcb1..834eb38e6875 100644 --- a/src/rgw/rgw_es_query.h +++ b/src/rgw/rgw_es_query.h @@ -101,6 +101,7 @@ class ESQueryCompiler { ESEntityTypeMap *custom_type_map{nullptr}; map *field_aliases; + set *restricted_fields; public: ESQueryCompiler(const string& query, list > *prepend_eq_conds, const string& _custom_prefix) : parser(query), custom_prefix(_custom_prefix) { @@ -145,6 +146,14 @@ public: return i->second; } + + void set_restricted_fields(set *rf) { + restricted_fields = rf; + } + + bool is_restricted(const string& f) { + return (restricted_fields && restricted_fields->find(f) != restricted_fields->end()); + } }; diff --git a/src/rgw/rgw_sync_module_es_rest.cc b/src/rgw/rgw_sync_module_es_rest.cc index b8b3e98ace5a..cc41c85f7ae4 100644 --- a/src/rgw/rgw_sync_module_es_rest.cc +++ b/src/rgw/rgw_sync_module_es_rest.cc @@ -158,7 +158,7 @@ void RGWMetadataSearchOp::execute() { "contenttype", "meta.contenttype" }, }; es_query.set_field_aliases(&aliases); -#warning permissions need to be restricted value + static map generic_map = { {"bucket", ESEntityTypeMap::ES_ENTITY_STR}, {"name", ESEntityTypeMap::ES_ENTITY_STR}, {"instance", ESEntityTypeMap::ES_ENTITY_STR}, @@ -170,6 +170,9 @@ void RGWMetadataSearchOp::execute() ESEntityTypeMap gm(generic_map); es_query.set_generic_type_map(&gm); + static set restricted_fields = { {"permissions"} }; + es_query.set_restricted_fields(&restricted_fields); + static map custom_map = { }; ESEntityTypeMap em(custom_map); es_query.set_custom_type_map(&em);