mon/AuthMonitor: check caps validity for all cap-related commands

Add a validity check for 'auth add' and 'fs authorize'. 'auth caps' and 'auth get-or-create[-key]' already had the check. Fixes: http://tracker.ceph.com/issues/22525 Signed-off-by: Sage Weil <sage@redhat.com>
2025-01-19 17:41:39 +00:00 · 2018-04-09 16:40:37 -05:00 · 2018-04-09 16:40:37 -05:00 · fa588730bf
commit fa588730bf
parent 113fa941e3
1 changed files with 11 additions and 1 deletions
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@ -1147,6 +1147,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
      }
    }

+    if (!valid_caps(caps_vec, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
    // are we about to have it?
    if (entity_is_pending(entity)) {
      wait_for_finished_proposal(op,
@ -1215,7 +1220,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 						   get_last_committed() + 1));
    return true;
  } else if ((prefix == "auth get-or-create-key" ||
-	     prefix == "auth get-or-create") &&
+	      prefix == "auth get-or-create") &&
 	     !entity_name.empty()) {
    // auth get-or-create <name> [mon osdcapa osd osdcapb ...]

@ -1322,6 +1327,11 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
    string mds_cap_string, osd_cap_string;
    string osd_cap_wanted = "r";

+    if (!valid_caps(caps_vec, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
    for (auto it = caps_vec.begin();
 	 it != caps_vec.end() && (it + 1) != caps_vec.end();
 	 it += 2) {