From a327dd8327acd5055ae5ec2d760cd9a0d0cf94da Mon Sep 17 00:00:00 2001
From: John Spray <john.spray@redhat.com>
Date: Fri, 2 Oct 2015 11:16:45 +0100
Subject: [PATCH] mds: add MDSAuthCaps.maybe_capable(path)

To allow us to query whether a client is
potentially capable of accessing a particular
path, ignoring uids/gids (used to validate
the client's claims about its mounted root)

Signed-off-by: John Spray <john.spray@redhat.com>
---
 src/mds/MDSAuthCaps.cc | 26 ++++++++++++++++++++++++++
 src/mds/MDSAuthCaps.h  |  3 +++
 2 files changed, 29 insertions(+)

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index ccabe0017a898..c8887800bcc52 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -118,6 +118,16 @@ bool MDSCapMatch::match(const std::string &target_path,
     if (std::find(gids.begin(), gids.end(), caller_gid) == gids.end())
       return false;
   }
+
+  if (!match_path(target_path)) {
+    return false;
+  }
+
+  return true;
+}
+
+bool MDSCapMatch::match_path(const std::string &target_path) const
+{
   if (path.length()) {
     if (target_path.find(path) != 0)
       return false;
@@ -128,9 +138,25 @@ bool MDSCapMatch::match(const std::string &target_path,
 	target_path[path.length()] != '/')
       return false;
   }
+
   return true;
 }
 
+/**
+ * Is the client *potentially* able to access this path?  Actual
+ * permission will depend on uids/modes in the full is_capable.
+ */
+bool MDSAuthCaps::path_capable(const std::string &inode_path) const
+{
+  for (const auto &i : grants) {
+    if (i.match.match_path(inode_path)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 /**
  * For a given filesystem path, query whether this capability carries`
  * authorization to read or write.
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index e75e7e7f6912f..0ecf8ac4a0a69 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -94,6 +94,8 @@ struct MDSCapMatch {
   bool match(const std::string &target_path,
 	     const int caller_uid,
 	     const int caller_gid) const;
+
+  bool match_path(const std::string &target_path) const;
 };
 
 struct MDSCapGrant {
@@ -126,6 +128,7 @@ public:
 		  uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
 		  uid_t uid, gid_t gid, unsigned mask,
 		  uid_t new_uid, gid_t new_gid) const;
+  bool path_capable(const std::string &inode_path) const;
 
   friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
 };
-- 
2.39.5