iscsi and ut/iscsi: deny initiator grp w/ empty netmask

spdk_iscsi_tgt_node_access() (in lib/iscsi/tgt_node.c) treats an
empty netmask of an IG as ALL (allow every initiator IP address).
However, a user cannot create an IG whose netmask is empty through
either JSON-RPC or the config file. Instead, the user can create an
IG whose netmask is ALL.

The code that treats an empty IG netmask as ALL never runs in production.
Hence delete the code and add a UT to confirm the fix.

Change-Id: Ib7206d0986db9093cfb6b36191be26293ff6c67a
Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
Reviewed-on: https://review.gerrithub.io/382920
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Ziye Yang <optimistyzy@gmail.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Shuhei Matsumoto 2017-10-24 10:20:09 +09:00 committed by Daniel Verkamp
parent e5c6b9c761
commit fed2667127
2 changed files with 178 additions and 4 deletions


@ -211,10 +211,6 @@ spdk_iscsi_tgt_node_access(struct spdk_iscsi_conn *conn,
if (strcasecmp(igp->initiators[j], "ALL") == 0
|| strcasecmp(igp->initiators[j], iqn) == 0) {
/* OK iqn, check netmask */
if (igp->nnetmasks == 0) {
/* OK, empty netmask as ALL */
return 1;
}
for (k = 0; k < igp->nnetmasks; k++) {
SPDK_DEBUGLOG(SPDK_TRACE_ISCSI,
"netmask=%s, addr=%s\n",
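Review bot: With the `nnetmasks == 0` shortcut removed, an initiator group with no netmasks is denied only implicitly, because the `for (k = 0; k < igp->nnetmasks; k++)` loop runs zero times and control falls through to whatever follows it. That fail-closed outcome is the safer default for an access check, but nothing in the code states it, so a later edit could reintroduce an allow-all path unnoticed. I would replace the remaining comment with `/* OK iqn, check netmask; an empty netmask list matches no address and denies access */`. spdk_iscsi_tgt_node_access() starts and ends outside this hunk, so the deny path after the loop is inferred rather than visible here.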


@ -108,6 +108,177 @@ config_file_fail_cases(void)
spdk_conf_free(config);
}
static void
allow_ipv6_allowed(void)
{
int rc;
char *netmask;
char *addr;
netmask = "[2001:ad6:1234::]/48";
addr = "2001:ad6:1234:5678:9abc::";
rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
CU_ASSERT(rc != 0);
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
CU_ASSERT(rc != 0);
}
static void
allow_ipv6_denied(void)
{
int rc;
char *netmask;
char *addr;
netmask = "[2001:ad6:1234::]/56";
addr = "2001:ad6:1234:5678:9abc::";
rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
CU_ASSERT(rc == 0);
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
CU_ASSERT(rc == 0);
}
static void
allow_ipv4_allowed(void)
{
int rc;
char *netmask;
char *addr;
netmask = "192.168.2.0/24";
addr = "192.168.2.1";
rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
CU_ASSERT(rc != 0);
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
CU_ASSERT(rc != 0);
}
static void
allow_ipv4_denied(void)
{
int rc;
char *netmask;
char *addr;
netmask = "192.168.2.0";
addr = "192.168.2.1";
rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
CU_ASSERT(rc == 0);
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
CU_ASSERT(rc == 0);
}
static void
node_access_allowed(void)
{
struct spdk_iscsi_tgt_node tgtnode;
struct spdk_iscsi_portal_grp pg;
struct spdk_iscsi_init_grp ig;
struct spdk_iscsi_conn conn;
struct spdk_iscsi_portal portal;
char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
char *netmasks[] = {"192.168.2.0/24"};
char *iqn, *addr;
int rc;
/* portal group initialization */
memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
pg.tag = 1;
/* initiator group initialization */
memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
ig.tag = 1;
ig.ninitiators = 1;
ig.initiators = &initiators[0];
ig.nnetmasks = 1;
ig.netmasks = &netmasks[0];
/* target initialization */
memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
tgtnode.maxmap = 1;
tgtnode.name = "iqn.2017-10.spdk.io:0001";
tgtnode.map[0].pg = &pg;
tgtnode.map[0].ig = &ig;
/* portal initialization */
memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
portal.group = &pg;
portal.host = "192.168.2.0";
portal.port = "3260";
/* input for UT */
memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
conn.portal = &portal;
iqn = "iqn.2017-10.spdk.io:0001";
addr = "192.168.2.1";
rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
CU_ASSERT(rc == 1);
}
static void
node_access_denied_by_empty_netmask(void)
{
struct spdk_iscsi_tgt_node tgtnode;
struct spdk_iscsi_portal_grp pg;
struct spdk_iscsi_init_grp ig;
struct spdk_iscsi_conn conn;
struct spdk_iscsi_portal portal;
char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
char *iqn, *addr;
int rc;
/* portal group initialization */
memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
pg.tag = 1;
/* initiator group initialization */
memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
ig.tag = 1;
ig.ninitiators = 1;
ig.initiators = &initiators[0];
ig.nnetmasks = 0;
ig.netmasks = NULL;
/* target initialization */
memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
tgtnode.maxmap = 1;
tgtnode.name = "iqn.2017-10.spdk.io:0001";
tgtnode.map[0].pg = &pg;
tgtnode.map[0].ig = &ig;
/* portal initialization */
memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
portal.group = &pg;
portal.host = "192.168.2.0";
portal.port = "3260";
/* input for UT */
memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
conn.portal = &portal;
iqn = "iqn.2017-10.spdk.io:0001";
addr = "192.168.3.1";
rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
CU_ASSERT(rc == 0);
}
int
main(int argc, char **argv)
{
@ -133,6 +304,13 @@ main(int argc, char **argv)
if (
CU_add_test(suite, "config file fail cases", config_file_fail_cases) == NULL
|| CU_add_test(suite, "allow ipv6 allowed case", allow_ipv6_allowed) == NULL
|| CU_add_test(suite, "allow ipv6 denied case", allow_ipv6_denied) == NULL
|| CU_add_test(suite, "allow ipv4 allowed case", allow_ipv4_allowed) == NULL
|| CU_add_test(suite, "allow ipv4 denied case", allow_ipv4_denied) == NULL
|| CU_add_test(suite, "node access allowed case", node_access_allowed) == NULL
|| CU_add_test(suite, "node access denied case (empty netmask)",
node_access_denied_by_empty_netmask) == NULL
) {
CU_cleanup_registry();
return CU_get_error();
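Review bot: node_access_denied_by_empty_netmask() changes two inputs relative to node_access_allowed(): the netmask list is empty and `addr` is `"192.168.3.1"` instead of `"192.168.2.1"`, so the test does not show on its own that the empty list is what causes the denial. Setting `addr = "192.168.2.1";` in the denied case would make the two tests differ only in `ig.nnetmasks` and `ig.netmasks`. The suite also has no spdk_iscsi_tgt_node_access() case where a non-empty netmask list fails to match (for example netmask `"192.168.2.0/24"` with `addr = "192.168.3.1"`), which is presumably the deny path that real configurations exercise. As a style point, the two node-access tests repeat the same pg/ig/tgtnode/portal setup and could share a static helper that takes the netmask array and count.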