-rw-r--r--tests/bugs/protocol/bug-1321578.t37
-rw-r--r--xlators/protocol/auth/addr/src/addr.c39
2 files changed, 68 insertions, 8 deletions
diff --git a/tests/bugs/protocol/bug-1321578.t b/tests/bugs/protocol/bug-1321578.t
new file mode 100644
index 00000000000..160fc408fba
--- /dev/null
+++ b/tests/bugs/protocol/bug-1321578.t
@@ -0,0 +1,37 @@
+#!/bin/bash
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+
+check_mounted () {
+ df | grep $1 | wc -l
+}
+
+
+TEST glusterd
+TEST $CLI volume create $V0 $H0:$B0/$V0
+
+# Set auth.allow to dummy hostname so it *doesn't* include ourselves.
+TEST $CLI volume set $V0 auth.allow example.org
+TEST $CLI volume start $V0
+
+# "System getspec" will include the username and password if the request comes
+# from a server (which we are). Unfortunately, this will cause authentication
+# to succeed in auth.login regardless of whether auth.addr is working properly
+# or not, which is useless to us. To get a proper test, strip out those lines.
+$CLI system getspec $V0 | sed -e /username/d -e /password/d > fubar.vol
+
+# This mount should fail because auth.allow doesn't include us.
+TEST $GFS -f fubar.vol $M0
+
+# If we had DONT_EXPECT_WITHIN we could use that, but we don't.
+sleep 10
+EXPECT 0 check_mounted $M0
+
+# Set auth.allow to include us. This mount should therefore succeed.
+TEST $CLI volume set $V0 auth.allow $H0
+
+TEST $GFS -f fubar.vol $M0
+sleep 10
+EXPECT 1 check_mounted $M0
+
+cleanup
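Review bot: The test only drives the accept loop with a plain hostname in auth.allow, so the reject loop and `!`-prefixed entries that the addr.c change also rewrites are never exercised. I would add a third stage that sets `TEST $CLI volume set $V0 auth.reject $H0`, remounts, and checks `EXPECT 0 check_mounted $M0`, plus a negated-entry case if the option syntax allows it. Separately, `check_mounted` greps with an unquoted `$1` and `fubar.vol` is written to the current directory and never removed; quoting the argument and writing the volfile somewhere that `cleanup` removes would make the result less dependent on the environment.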
diff --git a/xlators/protocol/auth/addr/src/addr.c b/xlators/protocol/auth/addr/src/addr.c
index 7ccbb577f48..cafcf28f1e9 100644
--- a/xlators/protocol/auth/addr/src/addr.c
+++ b/xlators/protocol/auth/addr/src/addr.c
@@ -44,6 +44,7 @@ gf_auth (dict_t *input_params, dict_t *config_params)
char peer_addr[UNIX_PATH_MAX] = {0,};
char *type = NULL;
gf_boolean_t allow_insecure = _gf_false;
+ int length = 0;
name = data_to_str (dict_get (input_params, "remote-subvolume"));
if (!name) {
@@ -158,11 +159,22 @@ gf_auth (dict_t *input_params, dict_t *config_params)
addr_str++;
}
- match = fnmatch (addr_str, peer_addr, 0);
- if (negate ? match : !match) {
- result = AUTH_REJECT;
- goto out;
+ length = strlen(addr_str);
+ if ((addr_str[0] != '*') &&
+ valid_host_name (addr_str, length)) {
+ match = gf_is_same_address(addr_str, peer_addr);
+ if (match) {
+ result = AUTH_REJECT;
+ goto out;
+ }
+ } else {
+ match = fnmatch (addr_str, peer_addr, 0);
+ if (negate ? match : !match) {
+ result = AUTH_REJECT;
+ goto out;
+ }
}
+
addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp);
}
GF_FREE (addr_cpy);
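Review bot: The new hostname branch drops the `negate` flag: `if (match)` after `gf_is_same_address` decides on the raw result, while the `fnmatch` branch below it still uses `negate ? match : !match`. Assuming `negate` is set for `!`-prefixed entries (the `addr_str++` just above suggests so, but the assignment is outside the hunk), a negated hostname entry in the reject list now rejects the very host it was meant to exempt. The accept loop in the next hunk (`@@ -185,11 +197,22 @@`) has the same condition, where a negated entry would admit the host it names. Since the helper's result is used as true-on-match here, the condition should read `if (negate ? !match : match) {` in both places. gf_auth begins and ends outside the hunk.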
@@ -185,11 +197,22 @@ gf_auth (dict_t *input_params, dict_t *config_params)
addr_str++;
}
- match = fnmatch (addr_str, peer_addr, 0);
- if (negate ? match : !match) {
- result = AUTH_ACCEPT;
- goto out;
+ length = strlen(addr_str);
+ if ((addr_str[0] != '*') &&
+ valid_host_name (addr_str, length)) {
+ match = gf_is_same_address(addr_str, peer_addr);
+ if (match) {
+ result = AUTH_ACCEPT;
+ goto out;
+ }
+ } else {
+ match = fnmatch (addr_str, peer_addr, 0);
+ if (negate ? match : !match) {
+ result = AUTH_ACCEPT;
+ goto out;
+ }
}
+
addr_str = strtok_r (NULL, ADDR_DELIMITER, &tmp);
}
}
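Review bot: The accept decision at `match = gf_is_same_address(addr_str, peer_addr)` now rests on a helper whose body is not in this diff, and nothing here documents what it trusts. If it resolves `addr_str` through the system resolver, the allow list becomes only as reliable as the DNS answers the server receives, and each connection pays a lookup per hostname entry. In the reject loop of the previous hunk, a failed lookup would presumably leave `match` false and silently skip the reject entry. I would add a comment above the branch such as `/* hostname entries are resolved at connect time; the result depends on resolver integrity */` and emit a debug log line naming the entry when this path decides the outcome. gf_auth begins and ends outside the hunk.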