X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Ftest%2Fmon%2Fmoncap.cc;fp=src%2Fceph%2Fsrc%2Ftest%2Fmon%2Fmoncap.cc;h=38ecfca7f37814fe4098b00f5916924d8fae3874;hb=812ff6ca9fcd3e629e49d4328905f33eee8ca3f5;hp=0000000000000000000000000000000000000000;hpb=15280273faafb77777eab341909a3f495cf248d9;p=stor4nfv.git diff --git a/src/ceph/src/test/mon/moncap.cc b/src/ceph/src/test/mon/moncap.cc new file mode 100644 index 0000000..38ecfca --- /dev/null +++ b/src/ceph/src/test/mon/moncap.cc @@ -0,0 +1,289 @@ +// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- +// vim: ts=8 sw=2 smarttab +/* + * Ceph - scalable distributed file system + * + * Copyright (C) 2012 Inktank + * + * This is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License version 2.1, as published by the Free Software + * Foundation. See file COPYING. + * + */ + +#include + +#include "include/stringify.h" +#include "mon/MonCap.h" + +#include "gtest/gtest.h" + +const char *parse_good[] = { + + // MonCapMatch + "allow *", + "allow r", + "allow rwx", + "allow r", + " allow rwx", + "allow rwx ", + " allow rwx ", + " allow\t rwx ", + "\tallow\nrwx\t", + "allow service=foo x", + "allow service=\"froo\" x", + "allow profile osd", + "allow profile osd-bootstrap", + "allow profile \"mds-bootstrap\", allow *", + "allow command \"a b c\"", + "allow command abc", + "allow command abc with arg=foo", + "allow command abc with arg=foo arg2=bar", + "allow command abc with arg=foo arg2=bar", + "allow command abc with arg=foo arg2 prefix bar arg3 prefix baz", + "allow command abc with arg=foo arg2 prefix \"bar bingo\" arg3 prefix baz", + "allow command abc with arg regex \"^[0-9a-z.]*$\"", + "allow command abc with arg regex \"\(invaluid regex\"", + "allow service foo x", + "allow service foo x; allow service bar x", + "allow service foo w ;allow service bar x", + "allow service foo w , allow service bar x", + "allow service foo r , allow service bar x", + "allow service foo_foo r, allow service bar r", + "allow service foo-foo r, allow service bar r", + "allow service \" foo \" w, allow service bar r", + "allow command abc with arg=foo arg2=bar, allow service foo r", + "allow command abc.def with arg=foo arg2=bar, allow service foo r", + "allow command \"foo bar\" with arg=\"baz\"", + "allow command \"foo bar\" with arg=\"baz.xx\"", + "profile osd", + "profile \"mds-bootstrap\", profile foo", + 0 +}; + +TEST(MonCap, ParseGood) { + for (int i=0; parse_good[i]; ++i) { + string str = parse_good[i]; + MonCap cap; + std::cout << "Testing good input: '" << str << "'" << std::endl; + ASSERT_TRUE(cap.parse(str, &cout)); + std::cout << " -> " << cap << std::endl; + } +} + +// these should stringify to the input value +const char *parse_identity[] = { + "allow *", + "allow r", + "allow rwx", + "allow service foo x", + "allow profile osd", + "allow profile osd-bootstrap", + "allow profile mds-bootstrap, allow *", + "allow profile \"foo bar\", allow *", + "allow command abc", + "allow command \"a b c\"", + "allow command abc with arg=foo", + "allow command abc with arg=foo arg2=bar", + "allow command abc with arg=foo arg2=bar", + "allow command abc with arg=foo arg2 prefix bar arg3 prefix baz", + "allow command abc with arg=foo arg2 prefix \"bar bingo\" arg3 prefix baz", + "allow service foo x", + "allow service foo x, allow service bar x", + "allow service foo w, allow service bar x", + "allow service foo r, allow service bar x", + "allow service foo_foo r, allow service bar r", + "allow service foo-foo r, allow service bar r", + "allow service \" foo \" w, allow service bar r", + "allow command abc with arg=foo arg2=bar, allow service foo r", + 0 +}; + +TEST(MonCap, ParseIdentity) +{ + for (int i=0; parse_identity[i]; ++i) { + string str = parse_identity[i]; + MonCap cap; + std::cout << "Testing good input: '" << str << "'" << std::endl; + ASSERT_TRUE(cap.parse(str, &cout)); + string out = stringify(cap); + ASSERT_EQ(out, str); + } +} + +const char *parse_bad[] = { + "allow r foo", + "allow*", + "foo allow *", + "allow profile foo rwx", + "allow profile", + "allow profile foo bar rwx", + "allow service bar", + "allow command baz x", + "allow r w", + "ALLOW r", + "allow rwx,", + "allow rwx x", + "allow r pool foo r", + "allow wwx pool taco", + "allow wwx pool taco^funny&chars", + "allow rwx pool 'weird name''", + "allow rwx object_prefix \"beforepool\" pool weird", + "allow rwx auid 123 pool asdf", + "allow command foo a prefix b", + "allow command foo with a prefixb", + "allow command foo with a = prefix b", + "allow command foo with a prefix b c", + 0 +}; + +TEST(MonCap, ParseBad) { + for (int i=0; parse_bad[i]; ++i) { + string str = parse_bad[i]; + MonCap cap; + std::cout << "Testing bad input: '" << str << "'" << std::endl; + ASSERT_FALSE(cap.parse(str, &cout)); + } +} + +TEST(MonCap, AllowAll) { + MonCap cap; + ASSERT_FALSE(cap.is_allow_all()); + + ASSERT_TRUE(cap.parse("allow r", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow w", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow x", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow rwx", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow rw", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow rx", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow wx", NULL)); + ASSERT_FALSE(cap.is_allow_all()); + cap.grants.clear(); + + ASSERT_TRUE(cap.parse("allow *", NULL)); + ASSERT_TRUE(cap.is_allow_all()); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(), + "foo", "asdf", map(), true, true, true)); + + MonCap cap2; + ASSERT_FALSE(cap2.is_allow_all()); + cap2.set_allow_all(); + ASSERT_TRUE(cap2.is_allow_all()); +} + +TEST(MonCap, ProfileOSD) { + MonCap cap; + bool r = cap.parse("allow profile osd", NULL); + ASSERT_TRUE(r); + + EntityName name; + name.from_str("osd.123"); + map ca; + + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "osd", "", ca, true, false, false)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "osd", "", ca, true, true, false)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "osd", "", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "osd", "", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "mon", "", ca, true, false,false)); + + ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "mds", "", ca, true, true, true)); + ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "mon", "", ca, true, true, true)); + + ca.clear(); + ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ca["key"] = "daemon-private/osd.123"; + ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ca["key"] = "daemon-private/osd.12/asdf"; + ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ca["key"] = "daemon-private/osd.123/"; + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ca["key"] = "daemon-private/osd.123/foo"; + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key get", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key put", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key set", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key exists", ca, true, true, true)); + ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, + name, "", "config-key delete", ca, true, true, true)); +} + +TEST(MonCap, CommandRegEx) { + MonCap cap; + ASSERT_FALSE(cap.is_allow_all()); + ASSERT_TRUE(cap.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"", NULL)); + + EntityName name; + name.from_str("osd.123"); + ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", + "abc", {{"arg", "12345abcde"}}, true, true, true)); + ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", + "abc", {{"arg", "~!@#$"}}, true, true, true)); + + ASSERT_TRUE(cap.parse("allow command abc with arg regex \"[*\"", NULL)); + ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", + "abc", {{"arg", ""}}, true, true, true)); +} + +TEST(MonCap, ProfileBootstrapRBD) { + MonCap cap; + ASSERT_FALSE(cap.is_allow_all()); + ASSERT_TRUE(cap.parse("profile bootstrap-rbd", NULL)); + + EntityName name; + name.from_str("mon.a"); + ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + "auth get-or-create", { + {"entity", "client.rbd"}, + {"caps_mon", "profile rbd"}, + {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"}, + }, true, true, true)); + ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + "auth get-or-create", { + {"entity", "client.rbd"}, + {"caps_mon", "allow *"}, + {"caps_osd", "profile rbd"}, + }, true, true, true)); + ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + "auth get-or-create", { + {"entity", "client.rbd"}, + {"caps_mon", "profile rbd"}, + {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"}, + }, true, true, true)); +}