]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | /* | |
4 | * Ceph - scalable distributed file system | |
5 | * | |
6 | * Copyright (C) 2009-2011 New Dream Network | |
7 | * | |
8 | * This is free software; you can redistribute it and/or | |
9 | * modify it under the terms of the GNU Lesser General Public | |
10 | * License version 2.1, as published by the Free Software | |
11 | * Foundation. See file COPYING. | |
12 | * | |
13 | */ | |
14 | ||
15 | #include <boost/config/warning_disable.hpp> | |
16 | #include <boost/spirit/include/qi.hpp> | |
17 | #include <boost/spirit/include/phoenix_operator.hpp> | |
18 | #include <boost/spirit/include/phoenix.hpp> | |
19 | ||
20 | #include "OSDCap.h" | |
21 | #include "common/config.h" | |
22 | #include "common/debug.h" | |
23 | ||
24 | using std::ostream; | |
25 | using std::vector; | |
26 | ||
31f18b77 | 27 | ostream& operator<<(ostream& out, const osd_rwxa_t& p) |
7c673cae FG |
28 | { |
29 | if (p == OSD_CAP_ANY) | |
30 | return out << "*"; | |
31 | ||
32 | if (p & OSD_CAP_R) | |
33 | out << "r"; | |
34 | if (p & OSD_CAP_W) | |
35 | out << "w"; | |
36 | if ((p & OSD_CAP_X) == OSD_CAP_X) { | |
37 | out << "x"; | |
38 | } else { | |
39 | if (p & OSD_CAP_CLS_R) | |
40 | out << " class-read"; | |
41 | if (p & OSD_CAP_CLS_W) | |
42 | out << " class-write"; | |
43 | } | |
44 | return out; | |
45 | } | |
46 | ||
47 | ostream& operator<<(ostream& out, const OSDCapSpec& s) | |
48 | { | |
49 | if (s.allow) | |
50 | return out << s.allow; | |
51 | if (s.class_name.length()) | |
52 | return out << "class '" << s.class_name << "' '" << s.class_allow << "'"; | |
53 | return out; | |
54 | } | |
55 | ||
56 | ostream& operator<<(ostream& out, const OSDCapMatch& m) | |
57 | { | |
58 | if (m.auid != -1LL) { | |
59 | out << "auid " << m.auid << " "; | |
60 | } | |
61 | if (m.object_prefix.length()) { | |
62 | out << "object_prefix " << m.object_prefix << " "; | |
63 | } | |
64 | if (m.pool_name.length()) { | |
65 | out << "pool " << m.pool_name << " "; | |
66 | } | |
67 | if (m.is_nspace) { | |
68 | out << "namespace "; | |
69 | if (m.nspace.length() == 0) | |
70 | out << "\"\""; | |
71 | else | |
72 | out << m.nspace; | |
73 | out << " "; | |
74 | } | |
75 | return out; | |
76 | } | |
77 | ||
78 | bool OSDCapMatch::is_match(const string& pn, const string& ns, int64_t pool_auid, const string& object) const | |
79 | { | |
80 | if (auid >= 0) { | |
81 | if (auid != pool_auid) | |
82 | return false; | |
83 | } | |
84 | if (pool_name.length()) { | |
85 | if (pool_name != pn) | |
86 | return false; | |
87 | } | |
88 | if (is_nspace) { | |
89 | if (nspace != ns) | |
90 | return false; | |
91 | } | |
92 | if (object_prefix.length()) { | |
93 | if (object.find(object_prefix) != 0) | |
94 | return false; | |
95 | } | |
96 | return true; | |
97 | } | |
98 | ||
99 | bool OSDCapMatch::is_match_all() const | |
100 | { | |
101 | if (auid >= 0) | |
102 | return false; | |
103 | if (pool_name.length()) | |
104 | return false; | |
105 | if (is_nspace) | |
106 | return false; | |
107 | if (object_prefix.length()) | |
108 | return false; | |
109 | return true; | |
110 | } | |
111 | ||
112 | ostream& operator<<(ostream& out, const OSDCapGrant& g) | |
113 | { | |
114 | return out << "grant(" << g.match << g.spec << ")"; | |
115 | } | |
116 | ||
117 | ||
118 | bool OSDCap::allow_all() const | |
119 | { | |
120 | for (vector<OSDCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p) | |
121 | if (p->match.is_match_all() && p->spec.allow_all()) | |
122 | return true; | |
123 | return false; | |
124 | } | |
125 | ||
126 | void OSDCap::set_allow_all() | |
127 | { | |
128 | grants.clear(); | |
129 | grants.push_back(OSDCapGrant(OSDCapMatch(), OSDCapSpec(OSD_CAP_ANY))); | |
130 | } | |
131 | ||
132 | bool OSDCap::is_capable(const string& pool_name, const string& ns, int64_t pool_auid, | |
133 | const string& object, bool op_may_read, bool op_may_write, | |
134 | const std::vector<OpRequest::ClassInfo>& classes) const | |
135 | { | |
136 | const size_t num_classes = classes.size(); | |
137 | std::vector<bool> class_allowed(num_classes, false); | |
138 | osd_rwxa_t allow = 0; | |
139 | for (vector<OSDCapGrant>::const_iterator p = grants.begin(); | |
140 | p != grants.end(); ++p) { | |
141 | if (p->match.is_match(pool_name, ns, pool_auid, object)) { | |
142 | allow = allow | p->spec.allow; | |
143 | if ((op_may_read && !(allow & OSD_CAP_R)) || | |
144 | (op_may_write && !(allow & OSD_CAP_W))) | |
145 | continue; | |
146 | if (num_classes) { | |
147 | // check 'allow *' | |
148 | if (p->spec.allow_all()) | |
149 | return true; | |
150 | // compare this grant to each class in the operation | |
151 | for (size_t i = 0; i < num_classes; i++) { | |
152 | // check 'allow class foo' | |
153 | if (classes[i].name == p->spec.class_name && | |
154 | !p->spec.class_name.empty()) { | |
155 | class_allowed[i] = true; | |
156 | continue; | |
157 | } | |
158 | // check 'allow x | class-{rw}': must be on whitelist | |
159 | if (!classes[i].whitelisted) | |
160 | continue; | |
161 | if ((classes[i].read && !(allow & OSD_CAP_CLS_R)) || | |
162 | (classes[i].write && !(allow & OSD_CAP_CLS_W))) { | |
163 | continue; | |
164 | } | |
165 | class_allowed[i] = true; | |
166 | } | |
167 | if (std::all_of(class_allowed.cbegin(), class_allowed.cend(), | |
168 | [](bool v) { return v; })) | |
169 | return true; | |
170 | else | |
171 | continue; | |
172 | } | |
173 | return true; | |
174 | } | |
175 | } | |
176 | return false; | |
177 | } | |
178 | ||
179 | ||
180 | // grammar | |
181 | namespace qi = boost::spirit::qi; | |
182 | namespace ascii = boost::spirit::ascii; | |
183 | namespace phoenix = boost::phoenix; | |
184 | ||
185 | template <typename Iterator> | |
186 | struct OSDCapParser : qi::grammar<Iterator, OSDCap()> | |
187 | { | |
188 | OSDCapParser() : OSDCapParser::base_type(osdcap) | |
189 | { | |
190 | using qi::char_; | |
191 | using qi::int_; | |
192 | using qi::lexeme; | |
193 | using qi::alnum; | |
194 | using qi::_val; | |
195 | using qi::_1; | |
196 | using qi::_2; | |
197 | using qi::_3; | |
198 | using qi::eps; | |
199 | using qi::lit; | |
200 | ||
201 | quoted_string %= | |
202 | lexeme['"' >> +(char_ - '"') >> '"'] | | |
203 | lexeme['\'' >> +(char_ - '\'') >> '\'']; | |
204 | equoted_string %= | |
205 | lexeme['"' >> *(char_ - '"') >> '"'] | | |
206 | lexeme['\'' >> *(char_ - '\'') >> '\'']; | |
207 | unquoted_word %= +char_("a-zA-Z0-9_.-"); | |
208 | str %= quoted_string | unquoted_word; | |
209 | estr %= equoted_string | unquoted_word; | |
210 | ||
211 | spaces = +ascii::space; | |
212 | ||
213 | ||
214 | // match := [pool[=]<poolname> [namespace[=]<namespace>] | auid <123>] [object_prefix <prefix>] | |
215 | pool_name %= -(spaces >> lit("pool") >> (lit('=') | spaces) >> str); | |
216 | nspace %= (spaces >> lit("namespace") >> (lit('=') | spaces) >> estr); | |
217 | auid %= (spaces >> lit("auid") >> spaces >> int_); | |
218 | object_prefix %= -(spaces >> lit("object_prefix") >> spaces >> str); | |
219 | ||
220 | match = ( (auid >> object_prefix) [_val = phoenix::construct<OSDCapMatch>(_1, _2)] | | |
221 | (pool_name >> nspace >> object_prefix) [_val = phoenix::construct<OSDCapMatch>(_1, _2, _3)] | | |
222 | (pool_name >> object_prefix) [_val = phoenix::construct<OSDCapMatch>(_1, _2)]); | |
223 | ||
224 | // rwxa := * | [r][w][x] [class-read] [class-write] | |
225 | rwxa = | |
226 | (spaces >> lit("*")[_val = OSD_CAP_ANY]) | | |
227 | ( eps[_val = 0] >> | |
228 | ( | |
229 | spaces >> | |
230 | ( lit('r')[_val |= OSD_CAP_R] || | |
231 | lit('w')[_val |= OSD_CAP_W] || | |
232 | lit('x')[_val |= OSD_CAP_X] )) || | |
233 | ( (spaces >> lit("class-read")[_val |= OSD_CAP_CLS_R]) || | |
234 | (spaces >> lit("class-write")[_val |= OSD_CAP_CLS_W]) )); | |
235 | ||
236 | // capspec := * | rwx | class <name> [classcap] | |
237 | capspec = | |
238 | rwxa [_val = phoenix::construct<OSDCapSpec>(_1)] | | |
239 | ( spaces >> lit("class") >> spaces >> ((str >> spaces >> str) [_val = phoenix::construct<OSDCapSpec>(_1, _2)] | | |
240 | str [_val = phoenix::construct<OSDCapSpec>(_1, string())] )); | |
241 | ||
242 | // grant := allow match capspec | |
243 | grant = (*ascii::blank >> lit("allow") >> | |
244 | ((capspec >> match) [_val = phoenix::construct<OSDCapGrant>(_2, _1)] | | |
245 | (match >> capspec) [_val = phoenix::construct<OSDCapGrant>(_1, _2)]) >> | |
246 | *ascii::blank); | |
247 | // osdcap := grant [grant ...] | |
248 | grants %= (grant % (lit(';') | lit(','))); | |
249 | osdcap = grants [_val = phoenix::construct<OSDCap>(_1)]; | |
250 | } | |
251 | qi::rule<Iterator> spaces; | |
252 | qi::rule<Iterator, unsigned()> rwxa; | |
253 | qi::rule<Iterator, string()> quoted_string, equoted_string; | |
254 | qi::rule<Iterator, string()> unquoted_word; | |
255 | qi::rule<Iterator, string()> str, estr; | |
256 | qi::rule<Iterator, int()> auid; | |
257 | qi::rule<Iterator, OSDCapSpec()> capspec; | |
258 | qi::rule<Iterator, string()> pool_name; | |
259 | qi::rule<Iterator, string()> nspace; | |
260 | qi::rule<Iterator, string()> object_prefix; | |
261 | qi::rule<Iterator, OSDCapMatch()> match; | |
262 | qi::rule<Iterator, OSDCapGrant()> grant; | |
263 | qi::rule<Iterator, std::vector<OSDCapGrant>()> grants; | |
264 | qi::rule<Iterator, OSDCap()> osdcap; | |
265 | }; | |
266 | ||
267 | bool OSDCap::parse(const string& str, ostream *err) | |
268 | { | |
269 | OSDCapParser<string::const_iterator> g; | |
270 | string::const_iterator iter = str.begin(); | |
271 | string::const_iterator end = str.end(); | |
272 | ||
273 | bool r = qi::phrase_parse(iter, end, g, ascii::space, *this); | |
274 | if (r && iter == end) | |
275 | return true; | |
276 | ||
277 | // Make sure no grants are kept after parsing failed! | |
278 | grants.clear(); | |
279 | ||
280 | if (err) | |
281 | *err << "osdcap parse failed, stopped at '" << std::string(iter, end) | |
282 | << "' of '" << str << "'\n"; | |
283 | ||
284 | return false; | |
285 | } | |
286 |