]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | /* | |
4 | * Ceph - scalable distributed file system | |
5 | * | |
6 | * Copyright (C) 2013 Inktank | |
7 | * | |
8 | * This is free software; you can redistribute it and/or | |
9 | * modify it under the terms of the GNU Lesser General Public | |
10 | * License version 2.1, as published by the Free Software | |
11 | * Foundation. See file COPYING. | |
12 | * | |
13 | */ | |
14 | ||
15 | #include <boost/config/warning_disable.hpp> | |
16 | #include <boost/spirit/include/qi_uint.hpp> | |
17 | #include <boost/spirit/include/qi.hpp> | |
18 | #include <boost/fusion/include/std_pair.hpp> | |
19 | #include <boost/spirit/include/phoenix.hpp> | |
20 | #include <boost/fusion/adapted/struct/adapt_struct.hpp> | |
21 | #include <boost/fusion/include/adapt_struct.hpp> | |
22 | ||
23 | #include "MonCap.h" | |
24 | #include "include/stringify.h" | |
11fdf7f2 | 25 | #include "include/ipaddr.h" |
7c673cae FG |
26 | #include "common/debug.h" |
27 | #include "common/Formatter.h" | |
28 | ||
29 | #include <algorithm> | |
11fdf7f2 | 30 | #include <regex> |
7c673cae | 31 | |
11fdf7f2 | 32 | #include "include/ceph_assert.h" |
c07f9fc5 | 33 | |
7c673cae FG |
34 | static inline bool is_not_alnum_space(char c) |
35 | { | |
36 | return !(isalpha(c) || isdigit(c) || (c == '-') || (c == '_')); | |
37 | } | |
38 | ||
39 | static string maybe_quote_string(const std::string& str) | |
40 | { | |
41 | if (find_if(str.begin(), str.end(), is_not_alnum_space) == str.end()) | |
42 | return str; | |
43 | return string("\"") + str + string("\""); | |
44 | } | |
45 | ||
46 | using std::ostream; | |
47 | using std::vector; | |
48 | ||
49 | #define dout_subsys ceph_subsys_mon | |
50 | ||
31f18b77 | 51 | ostream& operator<<(ostream& out, const mon_rwxa_t& p) |
7c673cae FG |
52 | { |
53 | if (p == MON_CAP_ANY) | |
54 | return out << "*"; | |
55 | ||
56 | if (p & MON_CAP_R) | |
57 | out << "r"; | |
58 | if (p & MON_CAP_W) | |
59 | out << "w"; | |
60 | if (p & MON_CAP_X) | |
61 | out << "x"; | |
62 | return out; | |
63 | } | |
64 | ||
65 | ostream& operator<<(ostream& out, const StringConstraint& c) | |
66 | { | |
c07f9fc5 FG |
67 | switch (c.match_type) { |
68 | case StringConstraint::MATCH_TYPE_EQUAL: | |
7c673cae | 69 | return out << "value " << c.value; |
c07f9fc5 FG |
70 | case StringConstraint::MATCH_TYPE_PREFIX: |
71 | return out << "prefix " << c.value; | |
72 | case StringConstraint::MATCH_TYPE_REGEX: | |
73 | return out << "regex " << c.value; | |
74 | default: | |
75 | break; | |
76 | } | |
77 | return out; | |
7c673cae FG |
78 | } |
79 | ||
80 | ostream& operator<<(ostream& out, const MonCapGrant& m) | |
81 | { | |
82 | out << "allow"; | |
83 | if (m.service.length()) { | |
84 | out << " service " << maybe_quote_string(m.service); | |
85 | } | |
86 | if (m.command.length()) { | |
87 | out << " command " << maybe_quote_string(m.command); | |
88 | if (!m.command_args.empty()) { | |
89 | out << " with"; | |
90 | for (map<string,StringConstraint>::const_iterator p = m.command_args.begin(); | |
91 | p != m.command_args.end(); | |
92 | ++p) { | |
c07f9fc5 FG |
93 | switch (p->second.match_type) { |
94 | case StringConstraint::MATCH_TYPE_EQUAL: | |
95 | out << " " << maybe_quote_string(p->first) << "=" | |
96 | << maybe_quote_string(p->second.value); | |
97 | break; | |
98 | case StringConstraint::MATCH_TYPE_PREFIX: | |
99 | out << " " << maybe_quote_string(p->first) << " prefix " | |
100 | << maybe_quote_string(p->second.value); | |
101 | break; | |
102 | case StringConstraint::MATCH_TYPE_REGEX: | |
103 | out << " " << maybe_quote_string(p->first) << " regex " | |
104 | << maybe_quote_string(p->second.value); | |
105 | break; | |
106 | default: | |
107 | break; | |
108 | } | |
7c673cae FG |
109 | } |
110 | } | |
111 | } | |
112 | if (m.profile.length()) { | |
113 | out << " profile " << maybe_quote_string(m.profile); | |
114 | } | |
115 | if (m.allow != 0) | |
116 | out << " " << m.allow; | |
11fdf7f2 TL |
117 | if (m.network.size()) |
118 | out << " network " << m.network; | |
7c673cae FG |
119 | return out; |
120 | } | |
121 | ||
122 | ||
123 | // <magic> | |
124 | // fusion lets us easily populate structs via the qi parser. | |
125 | ||
126 | typedef map<string,StringConstraint> kvmap; | |
127 | ||
128 | BOOST_FUSION_ADAPT_STRUCT(MonCapGrant, | |
129 | (std::string, service) | |
130 | (std::string, profile) | |
131 | (std::string, command) | |
132 | (kvmap, command_args) | |
11fdf7f2 TL |
133 | (mon_rwxa_t, allow) |
134 | (std::string, network)) | |
7c673cae FG |
135 | |
136 | BOOST_FUSION_ADAPT_STRUCT(StringConstraint, | |
c07f9fc5 FG |
137 | (StringConstraint::MatchType, match_type) |
138 | (std::string, value)) | |
7c673cae FG |
139 | |
140 | // </magic> | |
141 | ||
11fdf7f2 TL |
142 | void MonCapGrant::parse_network() |
143 | { | |
144 | network_valid = ::parse_network(network.c_str(), &network_parsed, | |
145 | &network_prefix); | |
146 | } | |
147 | ||
7c673cae FG |
148 | void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const |
149 | { | |
150 | // only generate this list once | |
151 | if (!profile_grants.empty()) | |
152 | return; | |
153 | ||
154 | if (profile == "read-only") { | |
155 | // grants READ-ONLY caps monitor-wide | |
156 | // 'auth' requires MON_CAP_X even for RO, which we do not grant here. | |
157 | profile_grants.push_back(mon_rwxa_t(MON_CAP_R)); | |
158 | return; | |
159 | } | |
160 | ||
161 | if (profile == "read-write") { | |
162 | // grants READ-WRITE caps monitor-wide | |
163 | // 'auth' requires MON_CAP_X for all operations, which we do not grant. | |
164 | profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W)); | |
165 | return; | |
166 | } | |
167 | ||
168 | switch (daemon_type) { | |
169 | case CEPH_ENTITY_TYPE_MON: | |
170 | expand_profile_mon(name); | |
171 | return; | |
172 | case CEPH_ENTITY_TYPE_MGR: | |
173 | expand_profile_mgr(name); | |
174 | return; | |
175 | } | |
176 | } | |
177 | ||
178 | void MonCapGrant::expand_profile_mgr(const EntityName& name) const | |
179 | { | |
180 | } | |
181 | ||
182 | void MonCapGrant::expand_profile_mon(const EntityName& name) const | |
183 | { | |
184 | if (profile == "mon") { | |
185 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL)); | |
186 | profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL)); | |
187 | } | |
188 | if (profile == "osd") { | |
189 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL)); | |
190 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); | |
191 | profile_grants.push_back(MonCapGrant("pg", MON_CAP_R | MON_CAP_W)); | |
192 | profile_grants.push_back(MonCapGrant("log", MON_CAP_W)); | |
193 | } | |
194 | if (profile == "mds") { | |
195 | profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL)); | |
196 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); | |
197 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); | |
198 | // This command grant is checked explicitly in MRemoveSnaps handling | |
199 | profile_grants.push_back(MonCapGrant("osd pool rmsnap")); | |
31f18b77 | 200 | profile_grants.push_back(MonCapGrant("osd blacklist")); |
7c673cae FG |
201 | profile_grants.push_back(MonCapGrant("log", MON_CAP_W)); |
202 | } | |
203 | if (profile == "mgr") { | |
204 | profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL)); | |
31f18b77 FG |
205 | profile_grants.push_back(MonCapGrant("log", MON_CAP_R | MON_CAP_W)); |
206 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R | MON_CAP_W)); | |
207 | profile_grants.push_back(MonCapGrant("mds", MON_CAP_R | MON_CAP_W)); | |
11fdf7f2 | 208 | profile_grants.push_back(MonCapGrant("fs", MON_CAP_R | MON_CAP_W)); |
7c673cae | 209 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R | MON_CAP_W)); |
31f18b77 FG |
210 | profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_X)); |
211 | profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R | MON_CAP_W)); | |
11fdf7f2 | 212 | profile_grants.push_back(MonCapGrant("config", MON_CAP_R | MON_CAP_W)); |
7c673cae FG |
213 | } |
214 | if (profile == "osd" || profile == "mds" || profile == "mon" || | |
215 | profile == "mgr") { | |
c07f9fc5 FG |
216 | StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX, |
217 | string("daemon-private/") + stringify(name) + | |
218 | string("/")); | |
7c673cae | 219 | string prefix = string("daemon-private/") + stringify(name) + string("/"); |
c07f9fc5 FG |
220 | profile_grants.push_back(MonCapGrant("config-key get", "key", constraint)); |
221 | profile_grants.push_back(MonCapGrant("config-key put", "key", constraint)); | |
222 | profile_grants.push_back(MonCapGrant("config-key set", "key", constraint)); | |
223 | profile_grants.push_back(MonCapGrant("config-key exists", "key", constraint)); | |
224 | profile_grants.push_back(MonCapGrant("config-key delete", "key", constraint)); | |
7c673cae FG |
225 | } |
226 | if (profile == "bootstrap-osd") { | |
7c673cae FG |
227 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap |
228 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap | |
229 | profile_grants.push_back(MonCapGrant("mon getmap")); | |
c07f9fc5 | 230 | profile_grants.push_back(MonCapGrant("osd new")); |
11fdf7f2 | 231 | profile_grants.push_back(MonCapGrant("osd purge-new")); |
7c673cae FG |
232 | } |
233 | if (profile == "bootstrap-mds") { | |
234 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap | |
235 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap | |
236 | profile_grants.push_back(MonCapGrant("mon getmap")); | |
237 | profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys | |
c07f9fc5 FG |
238 | profile_grants.back().command_args["entity"] = StringConstraint( |
239 | StringConstraint::MATCH_TYPE_PREFIX, "mds."); | |
240 | profile_grants.back().command_args["caps_mon"] = StringConstraint( | |
241 | StringConstraint::MATCH_TYPE_EQUAL, "allow profile mds"); | |
242 | profile_grants.back().command_args["caps_osd"] = StringConstraint( | |
243 | StringConstraint::MATCH_TYPE_EQUAL, "allow rwx"); | |
244 | profile_grants.back().command_args["caps_mds"] = StringConstraint( | |
245 | StringConstraint::MATCH_TYPE_EQUAL, "allow"); | |
7c673cae FG |
246 | } |
247 | if (profile == "bootstrap-mgr") { | |
248 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap | |
249 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap | |
250 | profile_grants.push_back(MonCapGrant("mon getmap")); | |
251 | profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mgr keys | |
c07f9fc5 FG |
252 | profile_grants.back().command_args["entity"] = StringConstraint( |
253 | StringConstraint::MATCH_TYPE_PREFIX, "mgr."); | |
254 | profile_grants.back().command_args["caps_mon"] = StringConstraint( | |
255 | StringConstraint::MATCH_TYPE_EQUAL, "allow profile mgr"); | |
7c673cae FG |
256 | } |
257 | if (profile == "bootstrap-rgw") { | |
258 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap | |
259 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap | |
260 | profile_grants.push_back(MonCapGrant("mon getmap")); | |
261 | profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys | |
c07f9fc5 FG |
262 | profile_grants.back().command_args["entity"] = StringConstraint( |
263 | StringConstraint::MATCH_TYPE_PREFIX, "client.rgw."); | |
264 | profile_grants.back().command_args["caps_mon"] = StringConstraint( | |
265 | StringConstraint::MATCH_TYPE_EQUAL, "allow rw"); | |
266 | profile_grants.back().command_args["caps_osd"] = StringConstraint( | |
267 | StringConstraint::MATCH_TYPE_EQUAL, "allow rwx"); | |
7c673cae | 268 | } |
11fdf7f2 | 269 | if (profile == "bootstrap-rbd" || profile == "bootstrap-rbd-mirror") { |
d2e6a577 | 270 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap |
11fdf7f2 | 271 | profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other rbd keys |
d2e6a577 FG |
272 | profile_grants.back().command_args["entity"] = StringConstraint( |
273 | StringConstraint::MATCH_TYPE_PREFIX, "client."); | |
274 | profile_grants.back().command_args["caps_mon"] = StringConstraint( | |
11fdf7f2 TL |
275 | StringConstraint::MATCH_TYPE_EQUAL, |
276 | (profile == "bootstrap-rbd-mirror" ? "profile rbd-mirror" : | |
277 | "profile rbd")); | |
d2e6a577 FG |
278 | profile_grants.back().command_args["caps_osd"] = StringConstraint( |
279 | StringConstraint::MATCH_TYPE_REGEX, | |
280 | "^([ ,]*profile(=|[ ]+)['\"]?rbd[^ ,'\"]*['\"]?([ ]+pool(=|[ ]+)['\"]?[^,'\"]+['\"]?)?)+$"); | |
281 | } | |
7c673cae FG |
282 | if (profile == "fs-client") { |
283 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); | |
284 | profile_grants.push_back(MonCapGrant("mds", MON_CAP_R)); | |
285 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); | |
286 | profile_grants.push_back(MonCapGrant("pg", MON_CAP_R)); | |
287 | } | |
288 | if (profile == "simple-rados-client") { | |
289 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); | |
290 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); | |
291 | profile_grants.push_back(MonCapGrant("pg", MON_CAP_R)); | |
292 | } | |
11fdf7f2 | 293 | if (profile == "rbd" || profile == "rbd-mirror") { |
c07f9fc5 FG |
294 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); |
295 | profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); | |
296 | profile_grants.push_back(MonCapGrant("pg", MON_CAP_R)); | |
297 | ||
298 | // exclusive lock dead-client blacklisting (IP+nonce required) | |
299 | profile_grants.push_back(MonCapGrant("osd blacklist")); | |
300 | profile_grants.back().command_args["blacklistop"] = StringConstraint( | |
301 | StringConstraint::MATCH_TYPE_EQUAL, "add"); | |
302 | profile_grants.back().command_args["addr"] = StringConstraint( | |
d2e6a577 | 303 | StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$"); |
11fdf7f2 TL |
304 | |
305 | } | |
306 | if (profile == "rbd-mirror") { | |
307 | StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX, | |
308 | "rbd/mirror/"); | |
309 | profile_grants.push_back(MonCapGrant("config-key get", "key", constraint)); | |
c07f9fc5 | 310 | } |
7c673cae FG |
311 | |
312 | if (profile == "role-definer") { | |
313 | // grants ALL caps to the auth subsystem, read-only on the | |
314 | // monitor subsystem and nothing else. | |
315 | profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); | |
316 | profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL)); | |
317 | } | |
318 | } | |
319 | ||
320 | mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct, | |
321 | int daemon_type, | |
322 | EntityName name, | |
323 | const std::string& s, const std::string& c, | |
324 | const map<string,string>& c_args) const | |
325 | { | |
326 | if (profile.length()) { | |
327 | expand_profile(daemon_type, name); | |
328 | mon_rwxa_t a; | |
329 | for (list<MonCapGrant>::const_iterator p = profile_grants.begin(); | |
330 | p != profile_grants.end(); ++p) | |
331 | a = a | p->get_allowed(cct, daemon_type, name, s, c, c_args); | |
332 | return a; | |
333 | } | |
334 | if (service.length()) { | |
335 | if (service != s) | |
336 | return 0; | |
337 | return allow; | |
338 | } | |
339 | if (command.length()) { | |
340 | if (command != c) | |
341 | return 0; | |
342 | for (map<string,StringConstraint>::const_iterator p = command_args.begin(); p != command_args.end(); ++p) { | |
343 | map<string,string>::const_iterator q = c_args.find(p->first); | |
344 | // argument must be present if a constraint exists | |
345 | if (q == c_args.end()) | |
346 | return 0; | |
c07f9fc5 FG |
347 | switch (p->second.match_type) { |
348 | case StringConstraint::MATCH_TYPE_EQUAL: | |
7c673cae FG |
349 | if (p->second.value != q->second) |
350 | return 0; | |
c07f9fc5 FG |
351 | break; |
352 | case StringConstraint::MATCH_TYPE_PREFIX: | |
353 | if (q->second.find(p->second.value) != 0) | |
7c673cae | 354 | return 0; |
c07f9fc5 FG |
355 | break; |
356 | case StringConstraint::MATCH_TYPE_REGEX: | |
11fdf7f2 TL |
357 | try { |
358 | std::regex pattern( | |
359 | p->second.value, std::regex::extended); | |
360 | if (!std::regex_match(q->second, pattern)) | |
c07f9fc5 | 361 | return 0; |
11fdf7f2 TL |
362 | } catch(const std::regex_error&) { |
363 | return 0; | |
364 | } | |
c07f9fc5 FG |
365 | break; |
366 | default: | |
367 | break; | |
7c673cae FG |
368 | } |
369 | } | |
370 | return MON_CAP_ALL; | |
371 | } | |
f64942e4 AA |
372 | // we don't allow config-key service to be accessed with blanket caps other |
373 | // than '*' (i.e., 'any'), and that should have been checked by the caller | |
374 | // via 'is_allow_all()'. | |
375 | if (s == "config-key") { | |
376 | return 0; | |
377 | } | |
7c673cae FG |
378 | return allow; |
379 | } | |
380 | ||
381 | ostream& operator<<(ostream&out, const MonCap& m) | |
382 | { | |
383 | for (vector<MonCapGrant>::const_iterator p = m.grants.begin(); p != m.grants.end(); ++p) { | |
384 | if (p != m.grants.begin()) | |
385 | out << ", "; | |
386 | out << *p; | |
387 | } | |
388 | return out; | |
389 | } | |
390 | ||
391 | bool MonCap::is_allow_all() const | |
392 | { | |
393 | for (vector<MonCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p) | |
394 | if (p->is_allow_all()) | |
395 | return true; | |
396 | return false; | |
397 | } | |
398 | ||
399 | void MonCap::set_allow_all() | |
400 | { | |
401 | grants.clear(); | |
402 | grants.push_back(MonCapGrant(MON_CAP_ANY)); | |
403 | text = "allow *"; | |
404 | } | |
405 | ||
11fdf7f2 TL |
406 | bool MonCap::is_capable( |
407 | CephContext *cct, | |
408 | int daemon_type, | |
409 | EntityName name, | |
410 | const string& service, | |
411 | const string& command, const map<string,string>& command_args, | |
412 | bool op_may_read, bool op_may_write, bool op_may_exec, | |
413 | const entity_addr_t& addr) const | |
7c673cae FG |
414 | { |
415 | if (cct) | |
416 | ldout(cct, 20) << "is_capable service=" << service << " command=" << command | |
417 | << (op_may_read ? " read":"") | |
418 | << (op_may_write ? " write":"") | |
419 | << (op_may_exec ? " exec":"") | |
11fdf7f2 | 420 | << " addr " << addr |
7c673cae FG |
421 | << " on cap " << *this |
422 | << dendl; | |
11fdf7f2 | 423 | |
7c673cae FG |
424 | mon_rwxa_t allow = 0; |
425 | for (vector<MonCapGrant>::const_iterator p = grants.begin(); | |
426 | p != grants.end(); ++p) { | |
427 | if (cct) | |
11fdf7f2 TL |
428 | ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p |
429 | << dendl; | |
430 | ||
431 | if (p->network.size() && | |
432 | (!p->network_valid || | |
433 | !network_contains(p->network_parsed, | |
434 | p->network_prefix, | |
435 | addr))) { | |
436 | continue; | |
437 | } | |
7c673cae FG |
438 | |
439 | if (p->is_allow_all()) { | |
440 | if (cct) | |
441 | ldout(cct, 20) << " allow all" << dendl; | |
442 | return true; | |
443 | } | |
444 | ||
445 | // check enumerated caps | |
446 | allow = allow | p->get_allowed(cct, daemon_type, name, service, command, | |
447 | command_args); | |
448 | if ((!op_may_read || (allow & MON_CAP_R)) && | |
449 | (!op_may_write || (allow & MON_CAP_W)) && | |
450 | (!op_may_exec || (allow & MON_CAP_X))) { | |
451 | if (cct) | |
452 | ldout(cct, 20) << " match" << dendl; | |
453 | return true; | |
454 | } | |
455 | } | |
456 | return false; | |
457 | } | |
458 | ||
459 | void MonCap::encode(bufferlist& bl) const | |
460 | { | |
461 | ENCODE_START(4, 4, bl); // legacy MonCaps was 3, 3 | |
11fdf7f2 | 462 | encode(text, bl); |
7c673cae FG |
463 | ENCODE_FINISH(bl); |
464 | } | |
465 | ||
11fdf7f2 | 466 | void MonCap::decode(bufferlist::const_iterator& bl) |
7c673cae FG |
467 | { |
468 | string s; | |
469 | DECODE_START(4, bl); | |
11fdf7f2 | 470 | decode(s, bl); |
7c673cae FG |
471 | DECODE_FINISH(bl); |
472 | parse(s, NULL); | |
473 | } | |
474 | ||
475 | void MonCap::dump(Formatter *f) const | |
476 | { | |
477 | f->dump_string("text", text); | |
478 | } | |
479 | ||
480 | void MonCap::generate_test_instances(list<MonCap*>& ls) | |
481 | { | |
482 | ls.push_back(new MonCap); | |
483 | ls.push_back(new MonCap); | |
484 | ls.back()->parse("allow *"); | |
485 | ls.push_back(new MonCap); | |
486 | ls.back()->parse("allow rwx"); | |
487 | ls.push_back(new MonCap); | |
488 | ls.back()->parse("allow service foo x"); | |
489 | ls.push_back(new MonCap); | |
490 | ls.back()->parse("allow command bar x"); | |
491 | ls.push_back(new MonCap); | |
492 | ls.back()->parse("allow service foo r, allow command bar x"); | |
493 | ls.push_back(new MonCap); | |
494 | ls.back()->parse("allow command bar with k1=v1 x"); | |
495 | ls.push_back(new MonCap); | |
496 | ls.back()->parse("allow command bar with k1=v1 k2=v2 x"); | |
497 | } | |
498 | ||
499 | // grammar | |
500 | namespace qi = boost::spirit::qi; | |
501 | namespace ascii = boost::spirit::ascii; | |
502 | namespace phoenix = boost::phoenix; | |
503 | ||
504 | ||
505 | template <typename Iterator> | |
506 | struct MonCapParser : qi::grammar<Iterator, MonCap()> | |
507 | { | |
508 | MonCapParser() : MonCapParser::base_type(moncap) | |
509 | { | |
510 | using qi::char_; | |
511 | using qi::int_; | |
512 | using qi::ulong_long; | |
513 | using qi::lexeme; | |
514 | using qi::alnum; | |
515 | using qi::_val; | |
516 | using qi::_1; | |
517 | using qi::_2; | |
518 | using qi::_3; | |
519 | using qi::eps; | |
520 | using qi::lit; | |
521 | ||
522 | quoted_string %= | |
523 | lexeme['"' >> +(char_ - '"') >> '"'] | | |
524 | lexeme['\'' >> +(char_ - '\'') >> '\'']; | |
f64942e4 | 525 | unquoted_word %= +char_("a-zA-Z0-9_./-"); |
7c673cae | 526 | str %= quoted_string | unquoted_word; |
11fdf7f2 | 527 | network_str %= +char_("/.:a-fA-F0-9]["); |
7c673cae FG |
528 | |
529 | spaces = +(lit(' ') | lit('\n') | lit('\t')); | |
530 | ||
531 | // command := command[=]cmd [k1=v1 k2=v2 ...] | |
c07f9fc5 FG |
532 | str_match = '=' >> qi::attr(StringConstraint::MATCH_TYPE_EQUAL) >> str; |
533 | str_prefix = spaces >> lit("prefix") >> spaces >> | |
534 | qi::attr(StringConstraint::MATCH_TYPE_PREFIX) >> str; | |
535 | str_regex = spaces >> lit("regex") >> spaces >> | |
536 | qi::attr(StringConstraint::MATCH_TYPE_REGEX) >> str; | |
537 | kv_pair = str >> (str_match | str_prefix | str_regex); | |
7c673cae FG |
538 | kv_map %= kv_pair >> *(spaces >> kv_pair); |
539 | command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') | spaces) | |
540 | >> qi::attr(string()) >> qi::attr(string()) | |
541 | >> str | |
542 | >> -(spaces >> lit("with") >> spaces >> kv_map) | |
11fdf7f2 TL |
543 | >> qi::attr(0) |
544 | >> -(spaces >> lit("network") >> spaces >> network_str); | |
7c673cae FG |
545 | |
546 | // service foo rwxa | |
547 | service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces) | |
548 | >> str >> qi::attr(string()) >> qi::attr(string()) | |
549 | >> qi::attr(map<string,StringConstraint>()) | |
11fdf7f2 TL |
550 | >> spaces >> rwxa |
551 | >> -(spaces >> lit("network") >> spaces >> network_str); | |
7c673cae FG |
552 | |
553 | // profile foo | |
c07f9fc5 FG |
554 | profile_match %= -spaces >> -(lit("allow") >> spaces) |
555 | >> lit("profile") >> (lit('=') | spaces) | |
7c673cae FG |
556 | >> qi::attr(string()) |
557 | >> str | |
558 | >> qi::attr(string()) | |
559 | >> qi::attr(map<string,StringConstraint>()) | |
11fdf7f2 TL |
560 | >> qi::attr(0) |
561 | >> -(spaces >> lit("network") >> spaces >> network_str); | |
7c673cae FG |
562 | |
563 | // rwxa | |
564 | rwxa_match %= -spaces >> lit("allow") >> spaces | |
565 | >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string()) | |
566 | >> qi::attr(map<string,StringConstraint>()) | |
11fdf7f2 TL |
567 | >> rwxa |
568 | >> -(spaces >> lit("network") >> spaces >> network_str); | |
7c673cae FG |
569 | |
570 | // rwxa := * | [r][w][x] | |
571 | rwxa = | |
572 | (lit("*")[_val = MON_CAP_ANY]) | | |
11fdf7f2 | 573 | (lit("all")[_val = MON_CAP_ANY]) | |
7c673cae FG |
574 | ( eps[_val = 0] >> |
575 | ( lit('r')[_val |= MON_CAP_R] || | |
576 | lit('w')[_val |= MON_CAP_W] || | |
577 | lit('x')[_val |= MON_CAP_X] | |
578 | ) | |
579 | ); | |
580 | ||
581 | // grant := allow ... | |
582 | grant = -spaces >> (rwxa_match | profile_match | service_match | command_match) >> -spaces; | |
583 | ||
584 | // moncap := grant [grant ...] | |
585 | grants %= (grant % (*lit(' ') >> (lit(';') | lit(',')) >> *lit(' '))); | |
586 | moncap = grants [_val = phoenix::construct<MonCap>(_1)]; | |
587 | ||
588 | } | |
589 | qi::rule<Iterator> spaces; | |
590 | qi::rule<Iterator, unsigned()> rwxa; | |
591 | qi::rule<Iterator, string()> quoted_string; | |
592 | qi::rule<Iterator, string()> unquoted_word; | |
11fdf7f2 | 593 | qi::rule<Iterator, string()> str, network_str; |
7c673cae | 594 | |
c07f9fc5 | 595 | qi::rule<Iterator, StringConstraint()> str_match, str_prefix, str_regex; |
7c673cae FG |
596 | qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair; |
597 | qi::rule<Iterator, map<string, StringConstraint>()> kv_map; | |
598 | ||
599 | qi::rule<Iterator, MonCapGrant()> rwxa_match; | |
600 | qi::rule<Iterator, MonCapGrant()> command_match; | |
601 | qi::rule<Iterator, MonCapGrant()> service_match; | |
602 | qi::rule<Iterator, MonCapGrant()> profile_match; | |
603 | qi::rule<Iterator, MonCapGrant()> grant; | |
604 | qi::rule<Iterator, std::vector<MonCapGrant>()> grants; | |
605 | qi::rule<Iterator, MonCap()> moncap; | |
606 | }; | |
607 | ||
608 | bool MonCap::parse(const string& str, ostream *err) | |
609 | { | |
11fdf7f2 TL |
610 | auto iter = str.begin(); |
611 | auto end = str.end(); | |
612 | ||
613 | MonCapParser<string::const_iterator> exp; | |
614 | bool r = qi::parse(iter, end, exp, *this); | |
7c673cae FG |
615 | if (r && iter == end) { |
616 | text = str; | |
11fdf7f2 TL |
617 | for (auto& g : grants) { |
618 | g.parse_network(); | |
619 | } | |
7c673cae FG |
620 | return true; |
621 | } | |
622 | ||
623 | // Make sure no grants are kept after parsing failed! | |
624 | grants.clear(); | |
625 | ||
626 | if (err) { | |
627 | if (iter != end) | |
11fdf7f2 TL |
628 | *err << "mon capability parse failed, stopped at '" |
629 | << std::string(iter, end) | |
630 | << "' of '" << str << "'"; | |
7c673cae | 631 | else |
11fdf7f2 | 632 | *err << "mon capability parse failed, stopped at end of '" << str << "'"; |
7c673cae FG |
633 | } |
634 | ||
635 | return false; | |
636 | } | |
637 |