Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch for v10.2.7 #190

Open
wants to merge 6 commits into
base: origin-v10.2.7-1733765573
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions qa/suites/rados/singleton/all/mon-config-key-caps.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
roles:
- - mon.a
- mgr.x
- osd.0
- osd.1
- osd.2
- client.0
tasks:
- install:
- ceph:
log-whitelist:
- overall HEALTH_
- \(AUTH_BAD_CAPS\)
- workunit:
clients:
all:
- mon/test_config_key_caps.sh
201 changes: 201 additions & 0 deletions qa/workunits/mon/test_config_key_caps.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
#!/usr/bin/env bash

set -x
set -e

tmp=$(mktemp -d -p /tmp test_mon_config_key_caps.XXXXX)
entities=()

function cleanup()
{
set +e
set +x
if [[ -e $tmp/keyring ]] && [[ -e $tmp/keyring.orig ]]; then
grep '\[.*\..*\]' $tmp/keyring.orig > $tmp/entities.orig
for e in $(grep '\[.*\..*\]' $tmp/keyring | \
diff $tmp/entities.orig - | \
sed -n 's/^.*\[\(.*\..*\)\]/\1/p');
do
ceph auth rm $e 2>&1 >& /dev/null
done
fi
#rm -fr $tmp
}

trap cleanup 0 # cleanup on exit

function expect_false()
{
set -x
if "$@"; then return 1; else return 0; fi
}

# for cleanup purposes
ceph auth export -o $tmp/keyring.orig

k=$tmp/keyring

# setup a few keys
ceph config-key ls
ceph config-key set daemon-private/osd.123/test-foo
ceph config-key set mgr/test-foo
ceph config-key set device/test-foo
ceph config-key set test/foo

allow_aa=client.allow_aa
allow_bb=client.allow_bb
allow_cc=client.allow_cc

mgr_a=mgr.a
mgr_b=mgr.b
osd_a=osd.100
osd_b=osd.200

prefix_aa=client.prefix_aa
prefix_bb=client.prefix_bb
prefix_cc=client.prefix_cc
match_aa=client.match_aa
match_bb=client.match_bb

fail_aa=client.fail_aa
fail_bb=client.fail_bb
fail_cc=client.fail_cc
fail_dd=client.fail_dd
fail_ee=client.fail_ee
fail_ff=client.fail_ff
fail_gg=client.fail_gg
fail_writes=client.fail_writes

ceph auth get-or-create $allow_aa mon 'allow *'
ceph auth get-or-create $allow_bb mon 'allow service config-key rwx'
ceph auth get-or-create $allow_cc mon 'allow command "config-key get"'

ceph auth get-or-create $mgr_a mon 'allow profile mgr'
ceph auth get-or-create $mgr_b mon 'allow profile mgr'
ceph auth get-or-create $osd_a mon 'allow profile osd'
ceph auth get-or-create $osd_b mon 'allow profile osd'

ceph auth get-or-create $prefix_aa mon \
"allow command \"config-key get\" with key prefix client/$prefix_aa"

cap="allow command \"config-key set\" with key prefix client/"
cap="$cap,allow command \"config-key get\" with key prefix client/$prefix_bb"
ceph auth get-or-create $prefix_bb mon "$cap"

cap="allow command \"config-key get\" with key prefix client/"
cap="$cap, allow command \"config-key set\" with key prefix client/"
cap="$cap, allow command \"config-key ls\""
ceph auth get-or-create $prefix_cc mon "$cap"

cap="allow command \"config-key get\" with key=client/$match_aa/foo"
ceph auth get-or-create $match_aa mon "$cap"
cap="allow command \"config-key get\" with key=client/$match_bb/foo"
cap="$cap,allow command \"config-key set\" with key=client/$match_bb/foo"
ceph auth get-or-create $match_bb mon "$cap"

ceph auth get-or-create $fail_aa mon 'allow rx'
ceph auth get-or-create $fail_bb mon 'allow r,allow w'
ceph auth get-or-create $fail_cc mon 'allow rw'
ceph auth get-or-create $fail_dd mon 'allow rwx'
ceph auth get-or-create $fail_ee mon 'allow profile bootstrap-rgw'
ceph auth get-or-create $fail_ff mon 'allow profile bootstrap-rbd'
# write commands will require rw; wx is not enough
ceph auth get-or-create $fail_gg mon 'allow service config-key wx'
# read commands will only require 'r'; 'rx' should be enough.
ceph auth get-or-create $fail_writes mon 'allow service config-key rx'

# grab keyring
ceph auth export -o $k

# keys will all the caps can do whatever
for c in $allow_aa $allow_bb $allow_cc $mgr_a $mgr_b; do
ceph -k $k --name $c config-key get daemon-private/osd.123/test-foo
ceph -k $k --name $c config-key get mgr/test-foo
ceph -k $k --name $c config-key get device/test-foo
ceph -k $k --name $c config-key get test/foo
done

for c in $osd_a $osd_b; do
ceph -k $k --name $c config-key put daemon-private/$c/test-foo
ceph -k $k --name $c config-key get daemon-private/$c/test-foo
expect_false ceph -k $k --name $c config-key ls
expect_false ceph -k $k --name $c config-key get mgr/test-foo
expect_false ceph -k $k --name $c config-key get device/test-foo
expect_false ceph -k $k --name $c config-key get test/foo
done

expect_false ceph -k $k --name $osd_a get daemon-private/$osd_b/test-foo
expect_false ceph -k $k --name $osd_b get daemon-private/$osd_a/test-foo

expect_false ceph -k $k --name $prefix_aa \
config-key ls
expect_false ceph -k $k --name $prefix_aa \
config-key get daemon-private/osd.123/test-foo
expect_false ceph -k $k --name $prefix_aa \
config-key set test/bar
expect_false ceph -k $k --name $prefix_aa \
config-key set client/$prefix_aa/foo

# write something so we can read, use a custom entity
ceph -k $k --name $allow_bb config-key set client/$prefix_aa/foo
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/foo
# check one writes to the other's prefix, the other is able to read
ceph -k $k --name $prefix_bb config-key set client/$prefix_aa/bar
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/bar

ceph -k $k --name $prefix_bb config-key set client/$prefix_bb/foo
ceph -k $k --name $prefix_bb config-key get client/$prefix_bb/foo

expect_false ceph -k $k --name $prefix_bb config-key get client/$prefix_aa/bar
expect_false ceph -k $k --name $prefix_bb config-key ls
expect_false ceph -k $k --name $prefix_bb \
config-key get daemon-private/osd.123/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get mgr/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get device/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get test/bar
expect_false ceph -k $k --name $prefix_bb config-key set test/bar

ceph -k $k --name $prefix_cc config-key set client/$match_aa/foo
ceph -k $k --name $prefix_cc config-key set client/$match_bb/foo
ceph -k $k --name $prefix_cc config-key get client/$match_aa/foo
ceph -k $k --name $prefix_cc config-key get client/$match_bb/foo
expect_false ceph -k $k --name $prefix_cc config-key set other/prefix
expect_false ceph -k $k --name $prefix_cc config-key get mgr/test-foo
ceph -k $k --name $prefix_cc config-key ls >& /dev/null

ceph -k $k --name $match_aa config-key get client/$match_aa/foo
expect_false ceph -k $k --name $match_aa config-key get client/$match_bb/foo
expect_false ceph -k $k --name $match_aa config-key set client/$match_aa/foo
ceph -k $k --name $match_bb config-key get client/$match_bb/foo
ceph -k $k --name $match_bb config-key set client/$match_bb/foo
expect_false ceph -k $k --name $match_bb config-key get client/$match_aa/foo
expect_false ceph -k $k --name $match_bb config-key set client/$match_aa/foo

keys=(daemon-private/osd.123/test-foo
mgr/test-foo
device/test-foo
test/foo
client/$prefix_aa/foo
client/$prefix_bb/foo
client/$match_aa/foo
client/$match_bb/foo
)
# expect these all to fail accessing config-key
for c in $fail_aa $fail_bb $fail_cc \
$fail_dd $fail_ee $fail_ff \
$fail_gg; do
for m in get set; do
for key in ${keys[*]} client/$prefix_aa/foo client/$prefix_bb/foo; do
expect_false ceph -k $k --name $c config-key $m $key
done
done
done

# fail writes but succeed on reads
expect_false ceph -k $k --name $fail_writes config-key set client/$match_aa/foo
expect_false ceph -k $k --name $fail_writes config-key set test/foo
ceph -k $k --name $fail_writes config-key ls
ceph -k $k --name $fail_writes config-key get client/$match_aa/foo
ceph -k $k --name $fail_writes config-key get daemon-private/osd.123/test-foo

echo "OK"
8 changes: 7 additions & 1 deletion src/mon/MonCap.cc
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,12 @@ mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
}
return MON_CAP_ALL;
}
// we don't allow config-key service to be accessed with blanket caps other
// than '*' (i.e., 'any'), and that should have been checked by the caller
// via 'is_allow_all()'.
if (s == "config-key") {
return 0;
}
return allow;
}

Expand Down Expand Up @@ -382,7 +388,7 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
quoted_string %=
lexeme['"' >> +(char_ - '"') >> '"'] |
lexeme['\'' >> +(char_ - '\'') >> '\''];
unquoted_word %= +char_("a-zA-Z0-9_.-");
unquoted_word %= +char_("a-zA-Z0-9_/.-");
str %= quoted_string | unquoted_word;

spaces = +(lit(' ') | lit('\n') | lit('\t'));
Expand Down
12 changes: 7 additions & 5 deletions src/rgw/rgw_cors.cc
Original file line number Diff line number Diff line change
Expand Up @@ -142,11 +142,13 @@ bool RGWCORSRule::is_header_allowed(const char *h, size_t len) {

void RGWCORSRule::format_exp_headers(string& s) {
s = "";
for(list<string>::iterator it = exposable_hdrs.begin();
it != exposable_hdrs.end(); ++it) {
if (s.length() > 0)
s.append(",");
s.append((*it));
for (const auto& header : exposable_hdrs) {
if (s.length() > 0)
s.append(",");
// these values are sent to clients in a 'Access-Control-Expose-Headers'
// response header, so we escape '\n' and '\r' to avoid header injection
std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
}
}

Expand Down
27 changes: 27 additions & 0 deletions src/rgw/rgw_rest_s3.cc
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,15 @@ int decode_attr_bl_single_value(map<string, bufferlist>& attrs, const char *attr
return 0;
}

inline bool str_has_cntrl(const std::string s) {
return std::any_of(s.begin(), s.end(), ::iscntrl);
}

inline bool str_has_cntrl(const char* s) {
std::string _s(s);
return str_has_cntrl(_s);
}

int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
off_t bl_len)
{
Expand Down Expand Up @@ -222,6 +231,24 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs,
bool exists;
string val = s->info.args.get(p->param, &exists);
if (exists) {
/* reject unauthenticated response header manipulation, see
* https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */
if (s->auth.identity->is_anonymous()) {
return -ERR_INVALID_REQUEST;
}
/* HTTP specification says no control characters should be present in
* header values: https://tools.ietf.org/html/rfc7230#section-3.2
* field-vchar = VCHAR / obs-text
*
* Failure to validate this permits a CRLF injection in HTTP headers,
* whereas S3 GetObject only permits specific headers.
*/
if(str_has_cntrl(val)) {
/* TODO: return a more distinct error in future;
* stating what the problem is */
return -ERR_INVALID_REQUEST;
}

if (strcmp(p->param, "response-content-type") != 0) {
response_attrs[p->http_attr] = val;
} else {
Expand Down