summaryrefslogtreecommitdiffstats
path: root/libglusterfs
diff options
context:
space:
mode:
authorSantosh Kumar Pradhan <spradhan@redhat.com>2014-04-09 10:19:43 +0530
committerVijay Bellur <vbellur@redhat.com>2014-04-22 23:40:26 -0700
commit00e247ee44067f2b3e7ca5f7e6dc2f7934c97181 (patch)
tree43868ec642fae37fcb013e8c2f66659bf9d7b3cc /libglusterfs
parentb6cc23204f1941184cb08ec3d84beecd2d06fd91 (diff)
gNFS: Support wildcard in RPC auth allow/reject
RFE: Support wildcard in "nfs.rpc-auth-allow" and "nfs.rpc-auth-reject". e.g. *.redhat.com 192.168.1[1-5].* 192.168.1[1-5].*, *.redhat.com, 192.168.21.9 Along with wildcard, support for subnetwork or IP range e.g. 192.168.10.23/24 The option will be validated for following categories: 1) Anonymous i.e. "*" 2) Wildcard pattern i.e. string containing any ('*', '?', '[') 3) IPv4 address 4) IPv6 address 5) FQDN 6) subnetwork or IPv4 range Currently this does not support IPv6 subnetwork. Change-Id: Iac8caf5e490c8174d61111dad47fd547d4f67bf4 BUG: 1086097 Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com> Reviewed-on: http://review.gluster.org/7485 Reviewed-by: Poornima G <pgurusid@redhat.com> Reviewed-by: Harshavardhana <harsha@harshavardhana.net> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'libglusterfs')
-rw-r--r--libglusterfs/src/common-utils.c123
-rw-r--r--libglusterfs/src/common-utils.h5
-rw-r--r--libglusterfs/src/options.c40
-rw-r--r--libglusterfs/src/options.h1
4 files changed, 166 insertions, 3 deletions
diff --git a/libglusterfs/src/common-utils.c b/libglusterfs/src/common-utils.c
index 80d9d294053..b7d06d9251e 100644
--- a/libglusterfs/src/common-utils.c
+++ b/libglusterfs/src/common-utils.c
@@ -1858,6 +1858,70 @@ out:
return ret;
}
+/**
+ * valid_ipv4_subnetwork() takes the pattern and checks if it contains
+ * a valid ipv4 subnetwork pattern i.e. xx.xx.xx.xx/n. IPv4 address
+ * part (xx.xx.xx.xx) and mask bits lengh part (n). The mask bits lengh
+ * must be in 0-32 range (ipv4 addr is 32 bit). The pattern must be
+ * in this format.
+ *
+ * Returns _gf_true if both IP addr and mask bits len are valid
+ * _gf_false otherwise.
+ */
+gf_boolean_t
+valid_ipv4_subnetwork (const char *address)
+{
+ char *slash = NULL;
+ char *paddr = NULL;
+ char *endptr = NULL;
+ long prefixlen = -1;
+ gf_boolean_t retv = _gf_true;
+
+ if (address == NULL) {
+ gf_log_callingfn (THIS->name, GF_LOG_WARNING,
+ "argument invalid");
+ return _gf_false;
+ }
+
+ paddr = gf_strdup (address);
+ if (paddr == NULL) /* ENOMEM */
+ return _gf_false;
+
+ /*
+ * INVALID: If '/' is not present OR
+ * Nothing specified after '/'
+ */
+ slash = strchr(paddr, '/');
+ if ((slash == NULL) || (slash[1] == '\0')) {
+ gf_log_callingfn (THIS->name, GF_LOG_WARNING,
+ "Invalid IPv4 subnetwork format");
+ retv = _gf_false;
+ goto out;
+ }
+
+ *slash = '\0';
+ retv = valid_ipv4_address (paddr, strlen(paddr), _gf_false);
+ if (retv == _gf_false) {
+ gf_log_callingfn (THIS->name, GF_LOG_WARNING,
+ "Invalid IPv4 subnetwork address");
+ goto out;
+ }
+
+ prefixlen = strtol (slash + 1, &endptr, 10);
+ if ((errno != 0) || (*endptr != '\0') ||
+ (prefixlen < 0) || (prefixlen > 32)) {
+ gf_log_callingfn (THIS->name, GF_LOG_WARNING,
+ "Invalid IPv4 subnetwork mask");
+ retv = _gf_false;
+ goto out;
+ }
+
+ retv = _gf_true;
+out:
+ GF_FREE (paddr);
+ return retv;
+}
+
char
valid_ipv6_address (char *address, int length, gf_boolean_t wildcard_acc)
{
@@ -1939,6 +2003,65 @@ out:
}
/**
+ * valid_mount_auth_address - Validate the rpc-auth.addr.allow/reject pattern
+ *
+ * @param address - Pattern to be validated
+ *
+ * @return _gf_true if "address" is "*" (anonymous) 'OR'
+ * if "address" is valid FQDN or valid IPv4/6 address 'OR'
+ * if "address" contains wildcard chars e.g. "'*' or '?' or '['"
+ * if "address" is valid ipv4 subnet pattern (xx.xx.xx.xx/n)
+ * _gf_false otherwise
+ *
+ *
+ * NB: If the user/admin set for wildcard pattern, then it does not have
+ * to be validated. Make it similar to the way exportfs (kNFS) works.
+ */
+gf_boolean_t
+valid_mount_auth_address (char *address)
+{
+ int length = 0;
+ char *cp = NULL;
+
+ /* 1. Check for "NULL and empty string */
+ if ((address == NULL) || (address[0] == '\0')){
+ gf_log_callingfn (THIS->name,
+ GF_LOG_WARNING, "argument invalid");
+ return _gf_false;
+ }
+
+ /* 2. Check for Anonymous */
+ if (strcmp(address, "*") == 0)
+ return _gf_true;
+
+ for (cp = address; *cp; cp++) {
+ /* 3. Check for wildcard pattern */
+ if (*cp == '*' || *cp == '?' || *cp == '[') {
+ return _gf_true;
+ }
+
+ /*
+ * 4. check for IPv4 subnetwork i.e. xx.xx.xx.xx/n
+ * TODO: check for IPv6 subnetwork
+ * NB: Wildcard must not be mixed with subnetwork.
+ */
+ if (*cp == '/') {
+ return valid_ipv4_subnetwork (address);
+ }
+ }
+
+ /* 5. Check for v4/v6 IP addr and FQDN/hostname */
+ length = strlen (address);
+ if ((valid_ipv4_address (address, length, _gf_false)) ||
+ (valid_ipv6_address (address, length, _gf_false)) ||
+ (valid_host_name (address, length))) {
+ return _gf_true;
+ }
+
+ return _gf_false;
+}
+
+/**
* gf_sock_union_equal_addr - check if two given gf_sock_unions have same addr
*
* @param a - first sock union
diff --git a/libglusterfs/src/common-utils.h b/libglusterfs/src/common-utils.h
index e17029dbaf9..3a58a933121 100644
--- a/libglusterfs/src/common-utils.h
+++ b/libglusterfs/src/common-utils.h
@@ -580,9 +580,8 @@ char valid_host_name (char *address, int length);
char valid_ipv4_address (char *address, int length, gf_boolean_t wildcard_acc);
char valid_ipv6_address (char *address, int length, gf_boolean_t wildcard_acc);
char valid_internet_address (char *address, gf_boolean_t wildcard_acc);
-char valid_ipv4_wildcard_check (char *address);
-char valid_ipv6_wildcard_check (char *address);
-char valid_wildcard_internet_address (char *address);
+gf_boolean_t valid_mount_auth_address (char *address);
+gf_boolean_t valid_ipv4_subnetwork (const char *address);
gf_boolean_t gf_sock_union_equal_addr (union gf_sock_union *a,
union gf_sock_union *b);
diff --git a/libglusterfs/src/options.c b/libglusterfs/src/options.c
index 31e5a681d11..a0881b4ad91 100644
--- a/libglusterfs/src/options.c
+++ b/libglusterfs/src/options.c
@@ -574,6 +574,45 @@ out:
return ret;
}
+static int
+xlator_option_validate_mntauth (xlator_t *xl, const char *key,
+ const char *value, volume_option_t *opt,
+ char **op_errstr)
+{
+ int ret = -1;
+ char *dup_val = NULL;
+ char *addr_tok = NULL;
+ char *save_ptr = NULL;
+ char errstr[4096] = {0,};
+
+ dup_val = gf_strdup (value);
+ if (!dup_val)
+ goto out;
+
+ addr_tok = strtok_r (dup_val, ",", &save_ptr);
+ if (addr_tok == NULL)
+ goto out;
+ while (addr_tok) {
+ if (!valid_mount_auth_address (addr_tok))
+ goto out;
+
+ addr_tok = strtok_r (NULL, ",", &save_ptr);
+ }
+ ret = 0;
+
+out:
+ if (ret) {
+ snprintf (errstr, sizeof (errstr), "option %s %s: '%s' is not "
+ "a valid mount-auth-address", key, value, value);
+ gf_log (xl->name, GF_LOG_ERROR, "%s", errstr);
+ if (op_errstr)
+ *op_errstr = gf_strdup (errstr);
+ }
+ GF_FREE (dup_val);
+
+ return ret;
+}
+
/*XXX: the rules to validate are as per block-size required for stripe xlator */
static int
gf_validate_size (const char *sizestr, volume_option_t *opt)
@@ -744,6 +783,7 @@ xlator_option_validate (xlator_t *xl, char *key, char *value,
xlator_option_validate_priority_list,
[GF_OPTION_TYPE_SIZE_LIST] = xlator_option_validate_size_list,
[GF_OPTION_TYPE_ANY] = xlator_option_validate_any,
+ [GF_OPTION_TYPE_CLIENT_AUTH_ADDR] = xlator_option_validate_mntauth,
[GF_OPTION_TYPE_MAX] = NULL,
};
diff --git a/libglusterfs/src/options.h b/libglusterfs/src/options.h
index 62f4ee92e91..134cc360293 100644
--- a/libglusterfs/src/options.h
+++ b/libglusterfs/src/options.h
@@ -38,6 +38,7 @@ typedef enum {
GF_OPTION_TYPE_INTERNET_ADDRESS_LIST,
GF_OPTION_TYPE_PRIORITY_LIST,
GF_OPTION_TYPE_SIZE_LIST,
+ GF_OPTION_TYPE_CLIENT_AUTH_ADDR,
GF_OPTION_TYPE_MAX,
} volume_option_type_t;