From ea4249b5686e1971c2f25a5ce2a7330b12caf716 Mon Sep 17 00:00:00 2001 From: Douglas Fuller Date: Wed, 23 Aug 2017 16:35:04 -0400 Subject: [PATCH] OSD/auth caps: Add OSD auth caps based on pool tag Extend the OSD auth caps syntax to include RADOS pool tags. New syntax: allow rw tag = Access is granted if the pool contains the : in its application metadata. Feature: http://tracker.ceph.com/issues/21084 Signed-off-by: Douglas Fuller --- doc/man/8/ceph-authtool.rst | 3 +- doc/rados/operations/user-management.rst | 15 +- src/osd/OSDCap.cc | 80 +- src/osd/OSDCap.h | 33 +- src/osd/PG.cc | 5 +- src/test/osd/osdcap.cc | 1248 ++++++++++++---------- src/vstart.sh | 8 +- 7 files changed, 833 insertions(+), 559 deletions(-) diff --git a/doc/man/8/ceph-authtool.rst b/doc/man/8/ceph-authtool.rst index f1ac1521ef9..f3e406b1ec2 100644 --- a/doc/man/8/ceph-authtool.rst +++ b/doc/man/8/ceph-authtool.rst @@ -139,7 +139,8 @@ In general, an osd capability follows the grammar:: osdcap := grant[,grant...] grant := allow (match capspec | capspec match) - match := [pool[=] | object_prefix ] + match := [pool[=] | object_prefix + | tag = ] capspec := * | [r][w][x] [class-read] [class-write] The capspec determines what kind of operations the entity can perform:: diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 8a35a501ab1..aac6ef0c714 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -92,9 +92,10 @@ Authorization (Capabilities) Ceph uses the term "capabilities" (caps) to describe authorizing an authenticated user to exercise the functionality of the monitors, OSDs and -metadata servers. Capabilities can also restrict access to data within a pool or -a namespace within a pool. A Ceph administrative user sets a user's -capabilities when creating or updating a user. +metadata servers. Capabilities can also restrict access to data within a pool, +a namespace within a pool, or a set of pools based on their application tags. +A Ceph administrative user sets a user's capabilities when creating or updating +a user. Capability syntax follows the form:: @@ -110,7 +111,7 @@ Capability syntax follows the form:: ``class-write`` access settings or ``profile {name}``. Additionally, OSD capabilities also allow for pool and namespace settings. :: - osd 'allow {access} [pool={pool-name} [namespace={namespace-name}]]' + osd 'allow {access} [pool={pool-name} [namespace={namespace-name}]] [tag {application} {key}={value}]' osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]]' - **Metadata Server Caps:** For administrators, use ``allow *``. For all @@ -216,6 +217,12 @@ OpenStack, a typical deployment would have pools for volumes, images, backups and virtual machines, and users such as ``client.glance``, ``client.cinder``, etc. +Application Tags +---------------- + +Access may be restricted to specific pools as defined by their application +metadata. The ``*`` wildcard may be used for the ``key`` argument, the +``value`` argument, or both. Namespace --------- diff --git a/src/osd/OSDCap.cc b/src/osd/OSDCap.cc index c3aa6b6caa3..fd0857336b1 100644 --- a/src/osd/OSDCap.cc +++ b/src/osd/OSDCap.cc @@ -70,12 +70,21 @@ ostream& operator<<(ostream& out, const OSDCapPoolNamespace& pns) return out; } +ostream& operator<<(ostream &out, const OSDCapPoolTag &pt) +{ + out << "app " << pt.application << " key " << pt.key << " val " << pt.value + << " "; + return out; +} + ostream& operator<<(ostream& out, const OSDCapMatch& m) { if (m.auid != -1LL) { out << "auid " << m.auid << " "; - } else { + } else if (!m.pool_namespace.pool_name.empty() || m.pool_namespace.nspace) { out << m.pool_namespace; + } else if (!m.pool_tag.application.empty()) { + out << m.pool_tag; } if (m.object_prefix.length()) { @@ -116,14 +125,52 @@ bool OSDCapPoolNamespace::is_match_all() const return true; } +bool OSDCapPoolTag::is_match(const app_map_t& app_map) const +{ + if (application.empty()) { + return true; + } + auto kv_map = app_map.find(application); + if (kv_map == app_map.end()) { + return false; + } + if (!key.compare("*") && !value.compare("*")) { + return true; + } + if (!key.compare("*")) { + for (auto it : kv_map->second) { + if (it.second == value) { + return true; + } + } + return false; + } + auto kv_val = kv_map->second.find(key); + if (kv_val == kv_map->second.end()) { + return false; + } + if (!value.compare("*")) { + return true; + } + return kv_val->second == value; +} + +bool OSDCapPoolTag::is_match_all() const { + return application.empty(); +} + bool OSDCapMatch::is_match(const string& pn, const string& ns, - int64_t pool_auid, const string& object) const + int64_t pool_auid, + const OSDCapPoolTag::app_map_t& app_map, + const string& object) const { if (auid >= 0) { if (auid != pool_auid) return false; } else if (!pool_namespace.is_match(pn, ns)) { return false; + } else if (!pool_tag.is_match(app_map)) { + return false; } if (object_prefix.length()) { @@ -139,6 +186,8 @@ bool OSDCapMatch::is_match_all() const return false; } else if (!pool_namespace.is_match_all()) { return false; + } else if (!pool_tag.is_match_all()) { + return false; } if (object_prefix.length()) { @@ -180,7 +229,9 @@ bool OSDCapGrant::allow_all() const } bool OSDCapGrant::is_capable(const string& pool_name, const string& ns, - int64_t pool_auid, const string& object, + int64_t pool_auid, + const OSDCapPoolTag::app_map_t& application_metadata, + const string& object, bool op_may_read, bool op_may_write, const std::vector& classes, std::vector* class_allowed) const @@ -189,11 +240,14 @@ bool OSDCapGrant::is_capable(const string& pool_name, const string& ns, if (profile.is_valid()) { return std::any_of(profile_grants.cbegin(), profile_grants.cend(), [&](const OSDCapGrant& grant) { - return grant.is_capable(pool_name, ns, pool_auid, object, op_may_read, - op_may_write, classes, class_allowed); - }); + return grant.is_capable(pool_name, ns, pool_auid, + application_metadata, + object, op_may_read, + op_may_write, classes, + class_allowed); + }); } else { - if (match.is_match(pool_name, ns, pool_auid, object)) { + if (match.is_match(pool_name, ns, pool_auid, application_metadata, object)) { allow = allow | spec.allow; if ((op_may_read && !(allow & OSD_CAP_R)) || (op_may_write && !(allow & OSD_CAP_W))) { @@ -283,13 +337,15 @@ void OSDCap::set_allow_all() } bool OSDCap::is_capable(const string& pool_name, const string& ns, - int64_t pool_auid, const string& object, + int64_t pool_auid, + const OSDCapPoolTag::app_map_t& application_metadata, + const string& object, bool op_may_read, bool op_may_write, const std::vector& classes) const { std::vector class_allowed(classes.size(), false); for (auto &grant : grants) { - if (grant.is_capable(pool_name, ns, pool_auid, object, op_may_read, + if (grant.is_capable(pool_name, ns, pool_auid, application_metadata, object, op_may_read, op_may_write, classes, &class_allowed)) { return true; } @@ -337,8 +393,13 @@ struct OSDCapParser : qi::grammar // match := [pool[=] [namespace[=]] | auid <123>] [object_prefix ] auid %= (spaces >> lit("auid") >> spaces >> int_); object_prefix %= -(spaces >> lit("object_prefix") >> spaces >> str); + pooltag %= (spaces >> lit("tag") + >> spaces >> str // application + >> spaces >> (str | char_('*')) // key + >> -spaces >> lit('=') >> -spaces >> (str | char_('*'))); // value match = ( + pooltag [_val = phoenix::construct(_1)] | (auid >> object_prefix) [_val = phoenix::construct(_1, _2)] | (pool_name >> nspace >> object_prefix) [_val = phoenix::construct(_1, _2, _3)] | (pool_name >> object_prefix) [_val = phoenix::construct(_1, _2)]); @@ -390,6 +451,7 @@ struct OSDCapParser : qi::grammar qi::rule pool_name; qi::rule nspace; qi::rule object_prefix; + qi::rule pooltag; qi::rule match; qi::rule profile_name; qi::rule profile; diff --git a/src/osd/OSDCap.h b/src/osd/OSDCap.h index 4030d4572c4..2a37a28d35f 100644 --- a/src/osd/OSDCap.h +++ b/src/osd/OSDCap.h @@ -36,6 +36,7 @@ using std::ostream; #include #include #include +#include static const __u8 OSD_CAP_R = (1 << 1); // read static const __u8 OSD_CAP_W = (1 << 2); // write @@ -95,14 +96,38 @@ struct OSDCapPoolNamespace { ostream& operator<<(ostream& out, const OSDCapPoolNamespace& pns); +struct OSDCapPoolTag { + typedef std::map > app_map_t; + std::string application; + std::string key; + std::string value; + + OSDCapPoolTag () {} + OSDCapPoolTag(const std::string& application, const std::string& key, + const std::string& value) : + application(application), key(key), value(value) {} + + bool is_match(const app_map_t& app_map) const; + bool is_match_all() const; +}; +// adapt for parsing with boost::spirit::qi in OSDCapParser +BOOST_FUSION_ADAPT_STRUCT(OSDCapPoolTag, + (std::string, application) + (std::string, key) + (std::string, value)) + +ostream& operator<<(ostream& out, const OSDCapPoolTag& pt); struct OSDCapMatch { + typedef std::map > app_map_t; // auid and pool_name/nspace are mutually exclusive int64_t auid = CEPH_AUTH_UID_DEFAULT; OSDCapPoolNamespace pool_namespace; + OSDCapPoolTag pool_tag; std::string object_prefix; OSDCapMatch() {} + OSDCapMatch(const OSDCapPoolTag& pt) : pool_tag(pt) {} OSDCapMatch(const OSDCapPoolNamespace& pns) : pool_namespace(pns) {} OSDCapMatch(const std::string& pl, const std::string& pre) : pool_namespace(pl), object_prefix(pre) {} @@ -111,6 +136,9 @@ struct OSDCapMatch { : pool_namespace(pl, ns), object_prefix(pre) {} OSDCapMatch(uint64_t auid, const std::string& pre) : auid(auid), object_prefix(pre) {} + OSDCapMatch(const std::string& dummy, const std::string& app, + const std::string& key, const std::string& val) + : pool_tag(app, key, val) {} /** * check if given request parameters match our constraints @@ -122,7 +150,8 @@ struct OSDCapMatch { * @return true if we match, false otherwise */ bool is_match(const std::string& pool_name, const std::string& nspace_name, - int64_t pool_auid, const std::string& object) const; + int64_t pool_auid, const app_map_t& app_map, + const std::string& object) const; bool is_match_all() const; }; @@ -165,6 +194,7 @@ struct OSDCapGrant { bool allow_all() const; bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid, + const OSDCapPoolTag::app_map_t& application_metadata, const string& object, bool op_may_read, bool op_may_write, const std::vector& classes, std::vector* class_allowed) const; @@ -202,6 +232,7 @@ struct OSDCap { * @return true if the operation is allowed, false otherwise */ bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid, + const OSDCapPoolTag::app_map_t& application_metadata, const string& object, bool op_may_read, bool op_may_write, const std::vector& classes) const; }; diff --git a/src/osd/PG.cc b/src/osd/PG.cc index e35a18c1524..70ad29f9f88 100644 --- a/src/osd/PG.cc +++ b/src/osd/PG.cc @@ -1881,7 +1881,9 @@ bool PG::op_has_sufficient_caps(OpRequestRef& op) req->get_hobj().get_key(); bool cap = caps.is_capable(pool.name, req->get_hobj().nspace, - pool.auid, key, + pool.auid, + pool.info.application_metadata, + key, op->need_read_cap(), op->need_write_cap(), op->classes()); @@ -1891,6 +1893,7 @@ bool PG::op_has_sufficient_caps(OpRequestRef& op) << " pool=" << pool.id << " (" << pool.name << " " << req->get_hobj().nspace << ") owner=" << pool.auid + << " pool_app_metadata=" << pool.info.application_metadata << " need_read_cap=" << op->need_read_cap() << " need_write_cap=" << op->need_write_cap() << " classes=" << op->classes() diff --git a/src/test/osd/osdcap.cc b/src/test/osd/osdcap.cc index 3a594e3b8a7..dd5ea7accbf 100644 --- a/src/test/osd/osdcap.cc +++ b/src/test/osd/osdcap.cc @@ -71,6 +71,11 @@ const char *parse_good[] = { "allow pool foo namespace=\"\" rwx; allow pool bar namespace='' object_prefix rbd r", "allow pool foo namespace \"\" rwx; allow pool bar namespace '' object_prefix rbd r", "profile abc, profile abc pool=bar, profile abc pool=bar namespace=foo", + "allow rwx tag application key=value", + "allow rwx tag application key = value", + "allow rwx tag application key =value", + "allow rwx tag application key= value", + "allow rwx tag application key = value", 0 }; @@ -105,6 +110,7 @@ const char *parse_bad[] = { "allow namespace=foo", "allow rwx auid 123 namespace asdf", "allow wwx pool ''", + "allow rwx tag application key value", 0 }; @@ -151,16 +157,23 @@ TEST(OSDCap, AllowAll) { ASSERT_TRUE(cap.parse("allow *", NULL)); ASSERT_TRUE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "asdf", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, "asdf", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "asdf", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, "asdf", true, true, {{"cls", true, true, true}})); - + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, {}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, {}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, true}})); // 'allow *' overrides whitelist - ASSERT_TRUE(cap.is_capable("foo", "", 0, "asdf", true, true, {{"cls", true, true, false}})); - ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, "asdf", true, true, {{"cls", true, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "asdf", true, true, {{"cls", true, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, {}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, {}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("foo", "anamespace", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "anamespace", 0, {{"application", {{"key", "value"}}}}, "asdf", true, true, {{"cls", true, true, false}})); } TEST(OSDCap, AllowPool) { @@ -168,14 +181,21 @@ TEST(OSDCap, AllowPool) { bool r = cap.parse("allow rwx pool foo", NULL); ASSERT_TRUE(r); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); // true->false for classes not on whitelist - ASSERT_FALSE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "", true, true, {{"cls", true, true, true}})); + + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, AllowPools) { @@ -183,20 +203,30 @@ TEST(OSDCap, AllowPools) { bool r = cap.parse("allow rwx pool foo, allow r pool bar", NULL); ASSERT_TRUE(r); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); // true-false for classes not on whitelist - ASSERT_FALSE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "ns", 0, "", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {}, "", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "", true, false, {})); - ASSERT_FALSE(cap.is_capable("baz", "ns", 0, "", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "ns", 0, {}, "", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {{"application", {{"key", "value"}}}}, "", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "ns", 0, {{"application", {{"key", "value"}}}}, "", true, false, {})); } TEST(OSDCap, AllowPools2) { @@ -204,12 +234,12 @@ TEST(OSDCap, AllowPools2) { bool r = cap.parse("allow r, allow rwx pool foo", NULL); ASSERT_TRUE(r); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, true}})); // true-false for classes not on whitelist - ASSERT_FALSE(cap.is_capable("foo", "", 0, "", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "", true, false, {})); } TEST(OSDCap, ObjectPrefix) { @@ -217,17 +247,17 @@ TEST(OSDCap, ObjectPrefix) { bool r = cap.parse("allow rwx object_prefix foo", NULL); ASSERT_TRUE(r); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "food", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo_bar", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "food", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo_bar", true, true, {{"cls", true, true, true}})); // true-false for classes not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "food", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo_bar", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "food", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo_bar", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "_foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, " foo ", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "fo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "_foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, " foo ", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "fo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, ObjectPoolAndPrefix) { @@ -235,412 +265,544 @@ TEST(OSDCap, ObjectPoolAndPrefix) { bool r = cap.parse("allow rwx pool bar object_prefix foo", NULL); ASSERT_TRUE(r); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "food", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo_bar", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "food", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo_bar", true, true, {{"cls", true, true, true}})); // true-false for classes not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "food", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo_bar", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "food", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo_bar", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "food", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "fo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "food", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "fo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, BasicR) { OSDCap cap; ASSERT_TRUE(cap.parse("allow r", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); } TEST(OSDCap, BasicW) { OSDCap cap; ASSERT_TRUE(cap.parse("allow w", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); } TEST(OSDCap, BasicX) { OSDCap cap; ASSERT_TRUE(cap.parse("allow x", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); // true->false when class not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); } TEST(OSDCap, BasicRW) { OSDCap cap; ASSERT_TRUE(cap.parse("allow rw", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, BasicRX) { OSDCap cap; ASSERT_TRUE(cap.parse("allow rx", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, true, true}})); // true->false for class not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); } TEST(OSDCap, BasicWX) { OSDCap cap; ASSERT_TRUE(cap.parse("allow wx", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); // true->false for class not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); } TEST(OSDCap, BasicRWX) { OSDCap cap; ASSERT_TRUE(cap.parse("allow rwx", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); // true->false for class not on whitelist - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, false}})); } TEST(OSDCap, BasicRWClassRClassW) { OSDCap cap; ASSERT_TRUE(cap.parse("allow rw class-read class-write", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, false}})); } TEST(OSDCap, ClassR) { OSDCap cap; ASSERT_TRUE(cap.parse("allow class-read", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, ClassW) { OSDCap cap; ASSERT_TRUE(cap.parse("allow class-write", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, ClassRW) { OSDCap cap; ASSERT_TRUE(cap.parse("allow class-read class-write", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); } TEST(OSDCap, BasicRClassR) { OSDCap cap; ASSERT_TRUE(cap.parse("allow r class-read", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_TRUE(cap.is_capable("bar", "any", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "any", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "any", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "any", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "any", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "any", 0, {}, "foo", true, false, {})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "any", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "any", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); } TEST(OSDCap, PoolClassR) { OSDCap cap; ASSERT_TRUE(cap.parse("allow pool bar r class-read, allow pool foo rwx", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_TRUE(cap.is_capable("bar", "ns", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "ns", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "ns", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, false}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, false, {})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); } TEST(OSDCap, PoolClassRNS) { OSDCap cap; ASSERT_TRUE(cap.parse("allow pool bar namespace='' r class-read, allow pool foo namespace=ns rwx", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "ns", 0, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("bar", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "other", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "other", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "other", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("bar", "other", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "other", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "other", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "other", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "other", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "other", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, false, {})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "ns", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, false}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, false, {})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("baz", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("baz", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); } TEST(OSDCap, NSClassR) { OSDCap cap; ASSERT_TRUE(cap.parse("allow namespace '' rw class-read class-write, allow namespace test r", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, false}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, false, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", false, true, {{"cls", true, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, false, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", false, true, true}})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, true}})); // true->false when class not whitelisted - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, false, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", false, true, {{"cls", true, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, false, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", false, true, false}})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", false, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {{"cls", true, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "test", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("bar", "test", 0, {}, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("bar", "test", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "test", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "test", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "test", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "test", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("bar", "test", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_TRUE(cap.is_capable("foo", "test", 0, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "test", 0, {}, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("foo", "test", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "test", 0, "foo", true, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("foo", "test", 0, "foo", true, true, {{"cls", true, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "test", 0, "foo", false, true, {{"cls", false, true, true}})); - ASSERT_FALSE(cap.is_capable("foo", "test", 0, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {}, "foo", true, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {}, "foo", true, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "test", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); - ASSERT_FALSE(cap.is_capable("foo", "bad", 0, "foo", true, false, {})); - ASSERT_FALSE(cap.is_capable("foo", "bad", 0, "foo", false, true, {})); - ASSERT_FALSE(cap.is_capable("foo", "bad", 0, "foo", false, false, {{"cls", true, false, true}})); - ASSERT_FALSE(cap.is_capable("foo", "bad", 0, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "bad", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("foo", "bad", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "bad", 0, {}, "foo", false, false, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("foo", "bad", 0, {}, "foo", false, false, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "bad", 0, {{"application", {{"key", "value"}}}}, "foo", false, false, {{"cls", false, true, true}})); +} + +TEST(OSDCap, PoolTagBasic) +{ + OSDCap cap; + ASSERT_TRUE(cap.parse("allow rwx tag application key=value", NULL)); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); + + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key2", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"app2", {{"key", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key2", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "ns", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, false, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, false, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "ns", 0, {}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", true, false, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", false, false, true}})); + // true->false when class not whitelisted + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", false, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", true, true, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", true, false, false}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", false, true, {{"cls", false, true, false}})); + + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", true, false, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", false, true, true}})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", false, true, {{"cls", false, false, true}})); +} + +TEST(OSDCap, PoolTagWildK) +{ + OSDCap cap; + ASSERT_TRUE(cap.parse("allow rwx tag application *=value", NULL)); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key2", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"app2", {{"key", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key2", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); +} + +TEST(OSDCap, PoolTagWildV) +{ + OSDCap cap; + ASSERT_TRUE(cap.parse("allow rwx tag application key=*", NULL)); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); + + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"key2", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"app2", {{"key", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key2", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); +} + +TEST(OSDCap, PoolTagWildKV) +{ + OSDCap cap; + ASSERT_TRUE(cap.parse("allow rwx tag application *=*", NULL)); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key", "value"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); + + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"key2", "value"}}}}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {{"app2", {{"key", "value"}}}}, "foo", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "foo", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {{"application", {{"foo", "bar"}, {"key2", "value"}}}, {"app2", {{"foo", "bar"}}}}, "foo", true, true, {})); } TEST(OSDCap, OutputParsed) @@ -689,7 +851,9 @@ TEST(OSDCap, OutputParsed) {"allow pool images r, allow pool rbd rwx", "osdcap[grant(pool images r),grant(pool rbd rwx)]"}, {"allow class-read object_prefix rbd_children, allow pool libvirt-pool-test rwx", - "osdcap[grant(object_prefix rbd_children class-read),grant(pool libvirt-pool-test rwx)]"} + "osdcap[grant(object_prefix rbd_children class-read),grant(pool libvirt-pool-test rwx)]"}, + {"allow rwx tag application key=value", + "osdcap[grant(app application key key val value rwx)]"} }; size_t num_tests = sizeof(test_values) / sizeof(*test_values); @@ -706,39 +870,39 @@ TEST(OSDCap, AllowClass) { ASSERT_TRUE(cap.parse("allow class foo", NULL)); // can call any method on class foo regardless of whitelist status - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}})); // does not permit invoking class bar - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, false}})); } TEST(OSDCap, AllowClass2) { OSDCap cap; ASSERT_TRUE(cap.parse("allow class foo, allow class bar", NULL)); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, false}})); } TEST(OSDCap, AllowClassRWX) { @@ -746,22 +910,22 @@ TEST(OSDCap, AllowClassRWX) { ASSERT_TRUE(cap.parse("allow rwx, allow class foo", NULL)); // can call any method on class foo regardless of whitelist status - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}})); // does not permit invoking class bar - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, false}})); // allows class bar if it is whitelisted - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"bar", true, true, true}})); } TEST(OSDCap, AllowClassMulti) { @@ -770,155 +934,155 @@ TEST(OSDCap, AllowClassMulti) { // can call any method on foo, but not bar, so the entire op is rejected // bar with whitelist is rejected because it still needs rwx/class-read,write - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); // these are OK because 'bar' is on the whitelist BUT the calls don't read or write - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); // can call any method on foo or bar regardless of whitelist status OSDCap cap2; ASSERT_TRUE(cap2.parse("allow class foo, allow class bar", NULL)); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); - ASSERT_TRUE(cap2.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap2.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); } TEST(OSDCap, AllowClassMultiRWX) { @@ -926,112 +1090,112 @@ TEST(OSDCap, AllowClassMultiRWX) { ASSERT_TRUE(cap.parse("allow rwx, allow class foo", NULL)); // can call anything on foo, but only whitelisted methods on bar - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, true}})); // fails because bar not whitelisted - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, true, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", true, false, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, true, false}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, true}, {"bar", false, false, false}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); - ASSERT_TRUE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, true}})); + ASSERT_TRUE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, true}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); - ASSERT_FALSE(cap.is_capable("bar", "", 0, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", true, false, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, true, false}})); + ASSERT_FALSE(cap.is_capable("bar", "", 0, {}, "foo", false, false, {{"foo", false, false, false}, {"bar", false, false, false}})); } TEST(OSDCap, AllowProfile) { OSDCap cap; ASSERT_TRUE(cap.parse("profile read-only, profile read-write pool abc", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "asdf", true, true, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "asdf", true, false, {})); - ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", false, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "asdf", true, false, {})); + ASSERT_TRUE(cap.is_capable("abc", "", 0, {}, "asdf", false, true, {})); // RBD cap.grants.clear(); ASSERT_TRUE(cap.parse("profile rbd pool abc", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "asdf", true, true, {})); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "rbd_children", true, false, {})); - ASSERT_TRUE(cap.is_capable("foo", "", 0, "rbd_children", false, false, + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "asdf", true, true, {})); + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "rbd_children", true, false, {})); + ASSERT_TRUE(cap.is_capable("foo", "", 0, {}, "rbd_children", false, false, {{"rbd", true, false, true}})); - ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", true, true, + ASSERT_TRUE(cap.is_capable("abc", "", 0, {}, "asdf", true, true, {{"rbd", true, true, true}})); cap.grants.clear(); ASSERT_TRUE(cap.parse("profile rbd-read-only pool abc", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_FALSE(cap.is_capable("foo", "", 0, "rbd_children", true, false, {})); - ASSERT_TRUE(cap.is_capable("abc", "", 0, "asdf", true, false, + ASSERT_FALSE(cap.is_capable("foo", "", 0, {}, "rbd_children", true, false, {})); + ASSERT_TRUE(cap.is_capable("abc", "", 0, {}, "asdf", true, false, {{"rbd", true, false, true}})); } diff --git a/src/vstart.sh b/src/vstart.sh index ac5f1907f85..19c9e74437e 100755 --- a/src/vstart.sh +++ b/src/vstart.sh @@ -584,6 +584,12 @@ start_mon() { --cap mgr 'allow *' \ "$keyring_fn" + prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.fs --set-uid=0 \ + --cap mon 'allow r' \ + --cap osd 'allow rw tag cephfs data=*' \ + --cap mds 'allow rwp' \ + "$keyring_fn" + prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.rgw \ --cap mon 'allow rw' \ --cap osd 'allow rwx' \ @@ -731,7 +737,7 @@ EOF EOF fi prun $SUDO "$CEPH_BIN/ceph-authtool" --create-keyring --gen-key --name="mds.$name" "$key_fn" - ceph_adm -i "$key_fn" auth add "mds.$name" mon 'allow profile mds' osd 'allow *' mds 'allow' mgr 'allow profile mds' + ceph_adm -i "$key_fn" auth add "mds.$name" mon 'allow profile mds' osd 'allow rw tag cephfs *=*' mds 'allow' mgr 'allow profile mds' if [ "$standby" -eq 1 ]; then prun $SUDO "$CEPH_BIN/ceph-authtool" --create-keyring --gen-key --name="mds.${name}s" \ "$CEPH_DEV_DIR/mds.${name}s/keyring"