From 59c9104c54d64e449062d350346b33ad0b3371c9 Mon Sep 17 00:00:00 2001 From: Xiubo Li Date: Wed, 2 Nov 2022 09:12:16 +0800 Subject: [PATCH] qa: add test for checking access in client side of root_squash Test the 'chown' and 'truncate', which will call the setattr and 'cat' will open the files. Before each testing will open the file by non-root user and keep it to make sure the Fxw caps are issued, and then user the 'sudo' do to the tests, which will set the uid/gid to 0/0. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li (cherry picked from commit 28023f84d714488a5dfd17b2191790ed15909fb3) Conflicts: qa/tasks/cephfs/caps_helper.py: missed dependency commit f0ffade0525("qa/cephfs/cap_tester: simplify CapTester and its instantiation") --- qa/tasks/cephfs/caps_helper.py | 33 +++++++++++++++++++++++++++++++-- qa/tasks/cephfs/test_admin.py | 3 +++ 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/qa/tasks/cephfs/caps_helper.py b/qa/tasks/cephfs/caps_helper.py index ac9bc4401d9..1ead57b7156 100644 --- a/qa/tasks/cephfs/caps_helper.py +++ b/qa/tasks/cephfs/caps_helper.py @@ -160,11 +160,11 @@ class CapTester(CephFSTestCase): else: raise RuntimeError(f'perm = {perm}\nIt should be "r" or "rw".') - def conduct_pos_test_for_read_caps(self): + def conduct_pos_test_for_read_caps(self, sudo_read=False): for mount, path, data in self.test_set: log.info(f'test read perm: read file {path} and expect data ' f'"{data}"') - contents = mount.read_file(path) + contents = mount.read_file(path, sudo_read) self.assertEqual(data, contents) log.info(f'read perm was tested successfully: "{data}" was ' f'successfully read from path {path}') 
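Review bot: `sudo_read` is forwarded as a bare positional boolean in `mount.read_file(path, sudo_read)`, and the method has no docstring, so the call site does not show that the flag switches the read to uid/gid 0 for the root_squash case. A docstring such as `"""Read each file in test_set and compare it with the expected data; with sudo_read the read is done through sudo."""` would record that. Passing the flag by keyword, using whatever name `read_file` declares (its signature is not visible in this patch), would also keep the call correct if `read_file` gains another positional parameter. The end of the method may lie outside the hunk.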
@@ -193,3 +193,32 @@ class CapTester(CephFSTestCase): cmdargs.pop(-1) log.info('absence of write perm was tested successfully: ' f'failed to be write data to file {path}.') + + def _conduct_neg_test_for_root_squash_caps(self, _cmdargs, sudo_write=False): + possible_errmsgs = ('permission denied', 'operation not permitted') + cmdargs = ['sudo'] if sudo_write else [''] + cmdargs += _cmdargs + + for mount, path, data in self.test_set: + log.info(f'test absence of {_cmdargs[0]} perm: expect failure {path}.') + + # open the file and hold it. The MDS will issue CEPH_CAP_EXCL_* + # to mount + proc = mount.open_background(path) + cmdargs.append(path) + mount.negtestcmd(args=cmdargs, retval=1, errmsgs=possible_errmsgs) + cmdargs.pop(-1) + mount._kill_background(proc) + log.info(f'absence of {_cmdargs[0]} perm was tested successfully') + + def conduct_neg_test_for_chown_caps(self, sudo_write=True): + # flip ownership to nobody. assumption: nobody's id is 65534 + cmdargs = ['chown', '-h', '65534:65534'] + self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write) + + def conduct_neg_test_for_truncate_caps(self, sudo_write=True): + cmdargs = ['truncate', '-s', '10GB'] + self._conduct_neg_test_for_root_squash_caps(cmdargs, sudo_write) + + def conduct_pos_test_for_open_caps(self, sudo_read=True): + self.conduct_pos_test_for_read_caps(sudo_read) diff --git a/qa/tasks/cephfs/test_admin.py b/qa/tasks/cephfs/test_admin.py index 866df4082de..8c4abf44fbd 100644 --- a/qa/tasks/cephfs/test_admin.py +++ b/qa/tasks/cephfs/test_admin.py 
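Review bot: In `_conduct_neg_test_for_root_squash_caps` the background opener is reaped only on the success path: if `mount.negtestcmd(...)` raises, `mount._kill_background(proc)` is skipped and the process keeps the file open for whatever runs next on that mount. Wrapping the command in `try`/`finally` fixes that, and building the argument list per iteration removes the append/pop pair. Separately, `['']` for the non-sudo case puts an empty string in front of the command; how `negtestcmd` joins its args is not visible here, but `[]` is the value that cannot change what gets executed. The test checks only the exit status and message, so a follow-up `stat` confirming that owner and size are unchanged would make the negative result harder to satisfy by accident.

```python
    def _conduct_neg_test_for_root_squash_caps(self, _cmdargs, sudo_write=False):
        # … unchanged: possible_errmsgs …
        cmdargs = (['sudo'] if sudo_write else []) + list(_cmdargs)

        for mount, path, data in self.test_set:
            # … unchanged: log.info announcing the test …
            proc = mount.open_background(path)
            try:
                mount.negtestcmd(args=cmdargs + [path], retval=1,
                                 errmsgs=possible_errmsgs)
            finally:
                # always release the held file, even when the check fails
                mount._kill_background(proc)
            # … unchanged: log.info reporting success …
```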
@@ -1312,7 +1312,10 @@ class TestFsAuthorize(CephFSTestCase): # Since root_squash is set in client caps, client can read but not # write even thought access level is set to "rw". self.captester.conduct_pos_test_for_read_caps() + self.captester.conduct_pos_test_for_open_caps() self.captester.conduct_neg_test_for_write_caps(sudo_write=True) + self.captester.conduct_neg_test_for_chown_caps() + self.captester.conduct_neg_test_for_truncate_caps() def test_single_path_authorize_on_nonalphanumeric_fsname(self): """ -- 2.39.5
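Review bot: The three added calls rely on the helpers' defaults (`sudo_read=True` / `sudo_write=True`), while the neighbouring `conduct_neg_test_for_write_caps(sudo_write=True)` spells the flag out, so it is not obvious at the call site that they run as uid 0. Writing `self.captester.conduct_neg_test_for_chown_caps(sudo_write=True)`, and likewise for truncate and `conduct_pos_test_for_open_caps(sudo_read=True)`, keeps the root_squash intent visible here. The comment above the calls still speaks only of read and write; something like `# root_squash: root on the client may open/read, but write, chown and truncate must be refused` would cover the new cases. The enclosing test method starts above the hunk.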