1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2012 Inktank
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
17 #include "include/stringify.h"
18 #include "mgr/MgrCap.h"
20 #include "gtest/gtest.h"
// Capability grant strings that MgrCap::parse() must accept; the ParseGood
// test walks this array and asserts parse() succeeds for each entry.
// NOTE(review): the gutter numbers skip, so this listing omits some source
// lines -- further entries and the array terminator are not visible here.
24 const char *parse_good
[] = {
// service / profile / command grants, quoted and unquoted.
36 "allow service=foo x",
37 "allow service=\"froo\" x",
38 "allow profile read-only",
39 "allow profile read-write",
40 "allow profile \"rbd-read-only\", allow *",
41 "allow command \"a b c\"",
// command grants constrained by argument matchers: '=', 'prefix' and 'regex'.
43 "allow command abc with arg=foo",
44 "allow command abc with arg=foo arg2=bar",
45 "allow command abc with arg=foo arg2=bar",
46 "allow command abc with arg=foo arg2 prefix bar arg3 prefix baz",
47 "allow command abc with arg=foo arg2 prefix \"bar bingo\" arg3 prefix baz",
48 "allow command abc with arg regex \"^[0-9a-z.]*$\"",
// A malformed regex is listed as *accepted* input: parse() is expected to
// succeed even though the pattern cannot compile. The CommandRegEx test
// asserts that a grant with a malformed pattern ("[*") does not authorize
// the request, so acceptance at parse time must not widen access.
49 "allow command abc with arg regex \"\(invaluid regex\"",
// multiple grants separated by ';' or ',' with varying whitespace.
50 "allow service foo x",
51 "allow service foo x; allow service bar x",
52 "allow service foo w ;allow service bar x",
53 "allow service foo w , allow service bar x",
54 "allow service foo r , allow service bar x",
55 "allow service foo_foo r, allow service bar r",
56 "allow service foo-foo r, allow service bar r",
57 "allow service \" foo \" w, allow service bar r",
60 "allow module foo_foo r",
61 "allow module \" foo \" w",
62 "allow module foo with arg1=value1 x",
63 "allow command abc with arg=foo arg2=bar, allow service foo r",
64 "allow command abc.def with arg=foo arg2=bar, allow service foo r",
65 "allow command \"foo bar\" with arg=\"baz\"",
66 "allow command \"foo bar\" with arg=\"baz.xx\"",
67 "allow command \"foo bar\" with arg = \"baz.xx\"",
71 "profile rbd pool=ABC namespace=NS",
72 "profile \"rbd-read-only\", profile crash",
// grants restricted to a client network: IPv4 CIDR, bare IPv6 and bracketed
// IPv6, attached to wildcard, service, command and profile grants.
73 "allow * network 1.2.3.4/24",
74 "allow * network ::1/128",
75 "allow * network [aa:bb::1]/128",
76 "allow service=foo x network 1.2.3.4/16",
77 "allow command abc network 1.2.3.4/8",
78 "profile crash network 1.2.3.4/32",
79 "allow profile crash network 1.2.3.4/32",
// Every parse_good entry must be accepted by the parser. The loop condition
// `parse_good[i]` ends the walk at the first null pointer in the array.
// NOTE(review): the declaration of `cap` and the end of the test body are on
// lines this listing does not show.
83 TEST(MgrCap
, ParseGood
) {
84 for (int i
=0; parse_good
[i
]; ++i
) {
85 string str
= parse_good
[i
];
87 std::cout
<< "Testing good input: '" << str
<< "'" << std::endl
;
// parse() is handed &cout as its second argument -- presumably the sink for
// parser diagnostics; confirm against MgrCap.h.
88 ASSERT_TRUE(cap
.parse(str
, &cout
));
89 std::cout
<< " -> " << cap
94 // these should stringify to the input value
// Used by the ParseIdentity test, which parses each entry and renders the
// result back with stringify(). Entries are therefore already in the form
// the serializer is expected to emit (", " between grants, quotes only where
// the name contains spaces).
// NOTE(review): some source lines, including the array terminator, are not
// visible in this listing.
95 const char *parse_identity
[] = {
99 "allow service foo x",
101 "profile rbd-read-only, allow *",
102 "profile rbd namespace=NS pool=ABC",
104 "allow command \"a b c\"",
105 "allow command abc with arg=foo",
106 "allow command abc with arg=foo arg2=bar",
107 "allow command abc with arg=foo arg2=bar",
108 "allow command abc with arg=foo arg2 prefix bar arg3 prefix baz",
109 "allow command abc with arg=foo arg2 prefix \"bar bingo\" arg3 prefix baz",
110 "allow service foo x",
111 "allow service foo x, allow service bar x",
112 "allow service foo w, allow service bar x",
113 "allow service foo r, allow service bar x",
114 "allow service foo_foo r, allow service bar r",
115 "allow service foo-foo r, allow service bar r",
116 "allow service \" foo \" w, allow service bar r",
117 "allow module foo x",
118 "allow module \" foo_foo \" r",
119 "allow module foo with arg1=value1 x",
120 "allow command abc with arg=foo arg2=bar, allow service foo r",
// Round-trip check: parse each parse_identity entry, then render the parsed
// capability back to text with stringify().
// NOTE(review): the declaration of `cap` and the assertion that compares
// `out` with the input are on lines this listing does not show -- confirm
// against the full file.
124 TEST(MgrCap
, ParseIdentity
)
126 for (int i
=0; parse_identity
[i
]; ++i
) {
127 string str
= parse_identity
[i
];
129 std::cout
<< "Testing good input: '" << str
<< "'" << std::endl
;
// The input must parse before its serialized form can be examined.
130 ASSERT_TRUE(cap
.parse(str
, &cout
));
131 string out
= stringify(cap
);
// Grant strings that MgrCap::parse() must reject; the ParseBad test asserts
// parse() returns false for each. Rejecting malformed grants matters because
// a parser that guesses at intent could hand out a broader capability than
// the operator wrote.
// NOTE(review): some source lines, including the array terminator, are not
// visible in this listing.
136 const char *parse_bad
[] = {
// profile / command grants followed by stray tokens or permission bits.
142 "profile foo bar rwx",
143 "allow profile foo rwx",
145 "allow profile foo bar rwx",
147 "allow command baz x",
// pool / object_prefix / auid qualifiers -- presumably syntax from other
// daemons' cap grammars that the mgr grammar does not define; verify.
152 "allow r pool foo r",
153 "allow wwx pool taco",
154 "allow wwx pool taco^funny&chars",
155 "allow rwx pool 'weird name''",
156 "allow rwx object_prefix \"beforepool\" pool weird",
157 "allow rwx auid 123 pool asdf",
// malformed argument constraints: missing 'with', fused 'prefixb', '=' mixed
// with 'prefix', and a trailing extra token.
158 "allow command foo a prefix b",
159 "allow command foo with a prefixb",
160 "allow command foo with a = prefix b",
161 "allow command foo with a prefix b c",
// Every parse_bad entry must be refused by the parser. The loop condition
// `parse_bad[i]` ends the walk at the first null pointer in the array.
// NOTE(review): the declaration of `cap` and the closing braces are on lines
// this listing does not show.
165 TEST(MgrCap
, ParseBad
) {
166 for (int i
=0; parse_bad
[i
]; ++i
) {
167 string str
= parse_bad
[i
];
169 std::cout
<< "Testing bad input: '" << str
<< "'" << std::endl
;
// A false return is the only outcome asserted here; the test does not look
// at the state of `cap` after a failed parse.
170 ASSERT_FALSE(cap
.parse(str
, &cout
));
// Pins down what counts as an unrestricted capability: every r/w/x
// combination below, including "allow rwx", parses successfully but is
// asserted NOT to be allow-all. Only the wildcard grant "allow *" (or an
// explicit set_allow_all()) makes is_allow_all() return true.
// NOTE(review): the declarations of `cap` / `cap2` and any statements
// between the assertions are on lines this listing does not show.
174 TEST(MgrCap
, AllowAll
) {
176 ASSERT_FALSE(cap
.is_allow_all());
178 ASSERT_TRUE(cap
.parse("allow r", nullptr));
179 ASSERT_FALSE(cap
.is_allow_all());
182 ASSERT_TRUE(cap
.parse("allow w", nullptr));
183 ASSERT_FALSE(cap
.is_allow_all());
186 ASSERT_TRUE(cap
.parse("allow x", nullptr));
187 ASSERT_FALSE(cap
.is_allow_all());
// Full rwx is still not the same thing as the wildcard.
190 ASSERT_TRUE(cap
.parse("allow rwx", nullptr));
191 ASSERT_FALSE(cap
.is_allow_all());
194 ASSERT_TRUE(cap
.parse("allow rw", nullptr));
195 ASSERT_FALSE(cap
.is_allow_all());
198 ASSERT_TRUE(cap
.parse("allow rx", nullptr));
199 ASSERT_FALSE(cap
.is_allow_all());
202 ASSERT_TRUE(cap
.parse("allow wx", nullptr));
203 ASSERT_FALSE(cap
.is_allow_all());
// The wildcard grant is the one parsed form that yields allow-all.
206 ASSERT_TRUE(cap
.parse("allow *", nullptr));
207 ASSERT_TRUE(cap
.is_allow_all());
// The remaining arguments of this is_capable() call continue on a line not
// shown in this listing.
208 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "foo", "", "asdf", {}, true, true,
// cap2 starts out not allow-all and becomes allow-all only after the
// explicit set_allow_all() call.
212 ASSERT_FALSE(cap2
.is_allow_all());
213 cap2
.set_allow_all();
214 ASSERT_TRUE(cap2
.is_allow_all());
// Checks that a `network` qualifier limits a grant to peers inside the
// listed CIDR ranges (192.168.0.0/16 and 10.0.0.0/8 here).
// NOTE(review): the declaration of `cap`, the line that sets address `a`,
// and the trailing arguments of each is_capable() call (including the peer
// address) are on lines this listing does not show.
217 TEST(MgrCap
, Network
) {
219 bool r
= cap
.parse("allow * network 192.168.0.0/16, allow * network 10.0.0.0/8", nullptr);
222 entity_addr_t a
, b
, c
;
// b lies inside 192.168.0.0/16; c differs in the second octet and lies in
// neither allowed range.
224 b
.parse("192.168.2.3");
225 c
.parse("192.167.2.3");
// Presumably these three calls pass a, b and c in that order, so the
// out-of-range address c is the one asserted to be denied -- confirm
// against the full file.
227 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "foo", "", "asdf", {}, true, true,
229 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "foo", "", "asdf", {}, true, true,
231 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "foo", "", "asdf", {}, true, true,
// Exercises command grants whose argument is constrained by a regex, and
// pins the behaviour for a pattern that cannot compile.
// NOTE(review): the declarations of `cap` and `name`, and the tails of two
// calls, are on lines this listing does not show.
235 TEST(MgrCap
, CommandRegEx
) {
237 ASSERT_FALSE(cap
.is_allow_all());
// The pattern is anchored with ^ and $, so it constrains the whole value.
238 ASSERT_TRUE(cap
.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"",
242 name
.from_str("osd.123");
// A value made only of the permitted characters is authorized ...
243 ASSERT_TRUE(cap
.is_capable(nullptr, name
, "", "", "abc",
244 {{"arg", "12345abcde"}}, true, true, true, {}));
// ... and a value outside the character class is refused.
245 ASSERT_FALSE(cap
.is_capable(nullptr, name
, "", "", "abc", {{"arg", "~!@#$"}},
246 true, true, true, {}));
// "[*" is not a valid regex. parse() is still asserted to accept the grant,
// and the following check is asserted to deny: an unusable pattern must
// match nothing rather than everything.
248 ASSERT_TRUE(cap
.parse("allow command abc with arg regex \"[*\"", nullptr));
249 ASSERT_FALSE(cap
.is_capable(nullptr, name
, "", "", "abc", {{"arg", ""}}, true,
// Per-module grants: module abc is granted r and module bcd is granted w.
// NOTE(review): the three booleans passed to is_capable() presumably request
// r, w and x in that order -- the asserted outcomes are consistent with that
// reading, but confirm against MgrCap.h. The declaration of `cap` and the
// final argument of each call are on lines this listing does not show.
253 TEST(MgrCap
, Module
) {
255 ASSERT_FALSE(cap
.is_allow_all());
256 ASSERT_TRUE(cap
.parse("allow module abc r, allow module bcd w", nullptr));
// abc: a request with the first two flags set exceeds the 'r' grant and is
// denied.
258 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "abc", "", {}, true, true, false,
// abc: a request with only the first flag set is allowed.
260 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "abc", "", {}, true, false, false,
// bcd: a request with the first two flags set exceeds the 'w' grant and is
// denied.
262 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "bcd", "", {}, true, true, false,
// bcd: a request with only the second flag set is allowed.
264 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "bcd", "", {}, false, true, false,
268 TEST(MgrCap
, Profile
) {
270 ASSERT_FALSE(cap
.is_allow_all());
272 ASSERT_FALSE(cap
.parse("profile unknown"));
273 ASSERT_FALSE(cap
.parse("profile rbd invalid-key=value"));
275 ASSERT_TRUE(cap
.parse("profile rbd", nullptr));
276 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "abc", "", {}, true, false,
278 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "rbd_support", "", {}, true,
280 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "rbd_support", "", {}, true,
283 ASSERT_TRUE(cap
.parse("profile rbd pool=abc namespace prefix def", nullptr));
284 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "rbd_support", "", {},
285 true, true, false, {}));
286 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "rbd_support", "",
288 true, true, false, {}));
289 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "rbd_support", "",
290 {{"pool", "abc"}, {"namespace", "defghi"}},
291 true, true, false, {}));
293 ASSERT_TRUE(cap
.parse("profile rbd-read-only", nullptr));
294 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "abc", "", {}, true, false,
296 ASSERT_FALSE(cap
.is_capable(nullptr, {}, "", "rbd_support", "", {}, true,
298 ASSERT_TRUE(cap
.is_capable(nullptr, {}, "", "rbd_support", "", {}, true,