From 43f812d15d9a76e546eed84174ad5d44368e2761 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Fri, 3 Aug 2018 13:59:40 -0500 Subject: [PATCH] osd/OSDCap: enforce network restriction Signed-off-by: Sage Weil --- src/osd/OSDCap.cc | 16 ++++++++++++++++ src/osd/OSDCap.h | 9 +++++++-- src/test/osd/osdcap.cc | 13 +++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/src/osd/OSDCap.cc b/src/osd/OSDCap.cc index 98fb9eb2779..bbbe4c54e3b 100644 --- a/src/osd/OSDCap.cc +++ b/src/osd/OSDCap.cc @@ -21,6 +21,7 @@ #include "OSDCap.h" #include "common/config.h" #include "common/debug.h" +#include "include/ipaddr.h" using std::ostream; using std::vector; @@ -233,6 +234,12 @@ ostream& operator<<(ostream& out, const OSDCapGrant& g) return out; } +void OSDCapGrant::set_network(const string& n) +{ + network = n; + network_valid = ::parse_network(n.c_str(), &network_parsed, &network_prefix); +} + bool OSDCapGrant::allow_all() const { if (profile.is_valid()) { @@ -258,6 +265,15 @@ bool OSDCapGrant::is_capable( std::vector* class_allowed) const { osd_rwxa_t allow = 0; + + if (network.size() && + (!network_valid || + !network_contains(network_parsed, + network_prefix, + addr))) { + return false; + } + if (profile.is_valid()) { return std::any_of(profile_grants.cbegin(), profile_grants.cend(), [&](const OSDCapGrant& grant) { diff --git a/src/osd/OSDCap.h b/src/osd/OSDCap.h index 988af154f6a..a5726999ddb 100644 --- a/src/osd/OSDCap.h +++ b/src/osd/OSDCap.h @@ -186,6 +186,9 @@ struct OSDCapGrant { OSDCapSpec spec; OSDCapProfile profile; string network; + entity_addr_t network_parsed; + unsigned network_prefix = 0; + bool network_valid = true; // explicit grants that a profile grant expands to; populated as // needed by expand_profile() and cached here. 
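Review bot: `OSDCapGrant::set_network` discards the result of `::parse_network`, so a cap string whose `network` token does not parse (a typo in the CIDR, say) is accepted silently and only shows up later as an unconditional deny in `is_capable`; the operator gets no error when the cap is set. Consider returning the outcome, `bool OSDCapGrant::set_network(const string& n) { network = n; network_valid = ::parse_network(n.c_str(), &network_parsed, &network_prefix); return network_valid; }`, so the cap grammar can reject the grant at parse time. Failing closed at check time is the right default and should stay regardless. Whether the grammar code that calls the constructors can propagate such a failure is not visible in this hunk.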
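Review bot: The network gate added at the top of `is_capable` delegates entirely to `network_contains(network_parsed, network_prefix, addr)` for two edge cases the hunk does not handle explicitly: a peer `addr` that is unset, and a peer whose address family differs from the parsed network (IPv6 client against an IPv4 range). If any caller can reach this path with a default-constructed `entity_addr_t`, the result depends on how `network_contains` treats a zero address, which is not visible here; it is worth confirming it returns false rather than matching. A why-comment above the check would help the next reader: `// a grant with a network clause fails closed: an unparseable network or a non-matching peer address never grants anything`. The signature of `is_capable`, including the `addr` parameter, starts before this hunk.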
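Review bot: The three new `OSDCapGrant` members in the header hunk carry no comment, and the `network_valid = true` default is only safe because `is_capable` guards the check with `network.size()`; a grant with no network clause is "valid" by construction, which the next reader has to reconstruct from the .cc side. Suggest documenting the dependency inline: `bool network_valid = true;  // false when 'network' was set but failed to parse; such a grant never matches` and `unsigned network_prefix = 0;  // CIDR prefix length that goes with network_parsed`. The struct definition starts before this hunk.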
@@ -196,18 +199,20 @@ struct OSDCapGrant { boost::optional n = {}) : match(m), spec(s) { if (n) { - network = *n; + set_network(*n); } } explicit OSDCapGrant(const OSDCapProfile& profile, boost::optional n = {}) : profile(profile) { if (n) { - network = *n; + set_network(*n); } expand_profile(); } + void set_network(const string& n); + bool allow_all() const; bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid, const OSDCapPoolTag::app_map_t& application_metadata, diff --git a/src/test/osd/osdcap.cc b/src/test/osd/osdcap.cc index 75c847cd513..854a5aaaf60 100644 --- a/src/test/osd/osdcap.cc +++ b/src/test/osd/osdcap.cc @@ -1338,3 +1338,16 @@ TEST(OSDCap, AllowProfile) { {{"rbd", "other function", true, true, true}}, addr)); } +TEST(OSDCap, network) { + entity_addr_t a, b, c; + a.parse("10.1.2.3"); + b.parse("192.168.2.3"); + c.parse("192.167.2.3"); + + OSDCap cap; + ASSERT_TRUE(cap.parse("allow * network 192.168.0.0/16, allow * network 10.0.0.0/8", NULL)); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, a)); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, b)); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", "", true, true, true}}, c)); +} -- 2.39.5
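Review bot: The new `TEST(OSDCap, network)` covers only a matching and a non-matching IPv4 peer; the fail-closed branch that `is_capable` gained for an unparseable network (`!network_valid`) has no coverage, so a regression that made a parse failure match every peer would pass this test. Add a case that builds a grant with a network string `parse_network` rejects and asserts `is_capable` is false for any address, plus a case pairing an IPv6 peer with an IPv4 network, so the address-family behaviour is pinned rather than assumed. Also, a grant without a network clause alongside one with a clause would confirm the gate is per-grant. The `NULL` in `cap.parse(..., NULL)` could be `nullptr` if that is the file's convention; the rest of the test file is not visible here.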