iscsi and ut/iscsi: deny initiator grp w/ empty netmask
spdk_iscsi_tgt_node_access() (in lib/iscsi/tgt_node.c) treats an empty netmask of an IG as ALL (allow any initiator IP address). However, a user cannot create an IG whose netmask is empty through either JSON-RPC or the config file; instead, a user can create an IG whose netmask is ALL. The code that treats an empty IG netmask as ALL therefore never runs in production. Hence delete the code and add a UT to confirm the fix. Change-Id: Ib7206d0986db9093cfb6b36191be26293ff6c67a Signed-off-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com> Reviewed-on: https://review.gerrithub.io/382920 Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Tested-by: SPDK Automated Test System <sys_sgsw@intel.com> Reviewed-by: Ziye Yang <optimistyzy@gmail.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com>
parent
e5c6b9c761
commit
fed2667127
@ -211,10 +211,6 @@ spdk_iscsi_tgt_node_access(struct spdk_iscsi_conn *conn,
|
|||||||
if (strcasecmp(igp->initiators[j], "ALL") == 0
|
if (strcasecmp(igp->initiators[j], "ALL") == 0
|
||||||
|| strcasecmp(igp->initiators[j], iqn) == 0) {
|
|| strcasecmp(igp->initiators[j], iqn) == 0) {
|
||||||
/* OK iqn, check netmask */
|
/* OK iqn, check netmask */
|
||||||
if (igp->nnetmasks == 0) {
|
|
||||||
/* OK, empty netmask as ALL */
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
for (k = 0; k < igp->nnetmasks; k++) {
|
for (k = 0; k < igp->nnetmasks; k++) {
|
||||||
SPDK_DEBUGLOG(SPDK_TRACE_ISCSI,
|
SPDK_DEBUGLOG(SPDK_TRACE_ISCSI,
|
||||||
"netmask=%s, addr=%s\n",
|
"netmask=%s, addr=%s\n",
|
||||||
|
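Review bot: With the `nnetmasks == 0` shortcut removed, an initiator group that has no netmasks is denied only implicitly, because the `for (k = 0; k < igp->nnetmasks; k++)` loop simply runs zero times and nothing at this spot says that this is intended. I would add a comment above the loop such as `/* An IG with no netmasks matches no address: access is denied (fail closed). */` so the deny-by-default behaviour is not later mistaken for an oversight and the allow-all shortcut reintroduced. The rest of spdk_iscsi_tgt_node_access() lies outside the hunk, so the path taken after the loop (presumably a fall-through to the deny return) should be confirmed against the full function. A debug log on that path would also let an operator tell an IG with no netmasks apart from an ordinary address mismatch.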
@ -108,6 +108,177 @@ config_file_fail_cases(void)
|
|||||||
spdk_conf_free(config);
|
spdk_conf_free(config);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
allow_ipv6_allowed(void)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
char *netmask;
|
||||||
|
char *addr;
|
||||||
|
|
||||||
|
netmask = "[2001:ad6:1234::]/48";
|
||||||
|
addr = "2001:ad6:1234:5678:9abc::";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
|
||||||
|
CU_ASSERT(rc != 0);
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
|
||||||
|
CU_ASSERT(rc != 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
allow_ipv6_denied(void)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
char *netmask;
|
||||||
|
char *addr;
|
||||||
|
|
||||||
|
netmask = "[2001:ad6:1234::]/56";
|
||||||
|
addr = "2001:ad6:1234:5678:9abc::";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
|
||||||
|
CU_ASSERT(rc == 0);
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
|
||||||
|
CU_ASSERT(rc == 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
allow_ipv4_allowed(void)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
char *netmask;
|
||||||
|
char *addr;
|
||||||
|
|
||||||
|
netmask = "192.168.2.0/24";
|
||||||
|
addr = "192.168.2.1";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
|
||||||
|
CU_ASSERT(rc != 0);
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
|
||||||
|
CU_ASSERT(rc != 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
allow_ipv4_denied(void)
|
||||||
|
{
|
||||||
|
int rc;
|
||||||
|
char *netmask;
|
||||||
|
char *addr;
|
||||||
|
|
||||||
|
netmask = "192.168.2.0";
|
||||||
|
addr = "192.168.2.1";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
|
||||||
|
CU_ASSERT(rc == 0);
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
|
||||||
|
CU_ASSERT(rc == 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
node_access_allowed(void)
|
||||||
|
{
|
||||||
|
struct spdk_iscsi_tgt_node tgtnode;
|
||||||
|
struct spdk_iscsi_portal_grp pg;
|
||||||
|
struct spdk_iscsi_init_grp ig;
|
||||||
|
struct spdk_iscsi_conn conn;
|
||||||
|
struct spdk_iscsi_portal portal;
|
||||||
|
char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
|
||||||
|
char *netmasks[] = {"192.168.2.0/24"};
|
||||||
|
char *iqn, *addr;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
/* portal group initialization */
|
||||||
|
memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
|
||||||
|
pg.tag = 1;
|
||||||
|
|
||||||
|
/* initiator group initialization */
|
||||||
|
memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
|
||||||
|
ig.tag = 1;
|
||||||
|
|
||||||
|
ig.ninitiators = 1;
|
||||||
|
ig.initiators = &initiators[0];
|
||||||
|
|
||||||
|
ig.nnetmasks = 1;
|
||||||
|
ig.netmasks = &netmasks[0];
|
||||||
|
|
||||||
|
/* target initialization */
|
||||||
|
memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
|
||||||
|
tgtnode.maxmap = 1;
|
||||||
|
tgtnode.name = "iqn.2017-10.spdk.io:0001";
|
||||||
|
tgtnode.map[0].pg = &pg;
|
||||||
|
tgtnode.map[0].ig = &ig;
|
||||||
|
|
||||||
|
/* portal initialization */
|
||||||
|
memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
|
||||||
|
portal.group = &pg;
|
||||||
|
portal.host = "192.168.2.0";
|
||||||
|
portal.port = "3260";
|
||||||
|
|
||||||
|
/* input for UT */
|
||||||
|
memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
|
||||||
|
conn.portal = &portal;
|
||||||
|
|
||||||
|
iqn = "iqn.2017-10.spdk.io:0001";
|
||||||
|
addr = "192.168.2.1";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
|
||||||
|
CU_ASSERT(rc == 1);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
node_access_denied_by_empty_netmask(void)
|
||||||
|
{
|
||||||
|
struct spdk_iscsi_tgt_node tgtnode;
|
||||||
|
struct spdk_iscsi_portal_grp pg;
|
||||||
|
struct spdk_iscsi_init_grp ig;
|
||||||
|
struct spdk_iscsi_conn conn;
|
||||||
|
struct spdk_iscsi_portal portal;
|
||||||
|
char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
|
||||||
|
char *iqn, *addr;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
/* portal group initialization */
|
||||||
|
memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
|
||||||
|
pg.tag = 1;
|
||||||
|
|
||||||
|
/* initiator group initialization */
|
||||||
|
memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
|
||||||
|
ig.tag = 1;
|
||||||
|
|
||||||
|
ig.ninitiators = 1;
|
||||||
|
ig.initiators = &initiators[0];
|
||||||
|
|
||||||
|
ig.nnetmasks = 0;
|
||||||
|
ig.netmasks = NULL;
|
||||||
|
|
||||||
|
/* target initialization */
|
||||||
|
memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
|
||||||
|
tgtnode.maxmap = 1;
|
||||||
|
tgtnode.name = "iqn.2017-10.spdk.io:0001";
|
||||||
|
tgtnode.map[0].pg = &pg;
|
||||||
|
tgtnode.map[0].ig = &ig;
|
||||||
|
|
||||||
|
/* portal initialization */
|
||||||
|
memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
|
||||||
|
portal.group = &pg;
|
||||||
|
portal.host = "192.168.2.0";
|
||||||
|
portal.port = "3260";
|
||||||
|
|
||||||
|
/* input for UT */
|
||||||
|
memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
|
||||||
|
conn.portal = &portal;
|
||||||
|
|
||||||
|
iqn = "iqn.2017-10.spdk.io:0001";
|
||||||
|
addr = "192.168.3.1";
|
||||||
|
|
||||||
|
rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
|
||||||
|
CU_ASSERT(rc == 0);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
@ -133,6 +304,13 @@ main(int argc, char **argv)
|
|||||||
|
|
||||||
if (
|
if (
|
||||||
CU_add_test(suite, "config file fail cases", config_file_fail_cases) == NULL
|
CU_add_test(suite, "config file fail cases", config_file_fail_cases) == NULL
|
||||||
|
|| CU_add_test(suite, "allow ipv6 allowed case", allow_ipv6_allowed) == NULL
|
||||||
|
|| CU_add_test(suite, "allow ipv6 denied case", allow_ipv6_denied) == NULL
|
||||||
|
|| CU_add_test(suite, "allow ipv4 allowed case", allow_ipv4_allowed) == NULL
|
||||||
|
|| CU_add_test(suite, "allow ipv4 denied case", allow_ipv4_denied) == NULL
|
||||||
|
|| CU_add_test(suite, "node access allowed case", node_access_allowed) == NULL
|
||||||
|
|| CU_add_test(suite, "node access denied case (empty netmask)",
|
||||||
|
node_access_denied_by_empty_netmask) == NULL
|
||||||
) {
|
) {
|
||||||
CU_cleanup_registry();
|
CU_cleanup_registry();
|
||||||
return CU_get_error();
|
return CU_get_error();
|
||||||
|
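Review bot: node_access_denied_by_empty_netmask changes two inputs relative to node_access_allowed, since the netmask list is emptied and `addr` becomes `"192.168.3.1"`, so the test does not isolate the empty list as the reason for the denial. Using `addr = "192.168.2.1";` as in the allowed case would leave `ig.nnetmasks = 0` as the only difference between the two tests. The commit message names ALL as the supported way to admit every address, yet no case pins it; a third node-access test with `char *netmasks[] = {"ALL"};` and `CU_ASSERT(rc == 1);` would guard that path, assuming ALL is handled in spdk_iscsi_tgt_node_allow_netmask(), which is not shown here. allow_ipv4_denied also covers only a netmask without a prefix length, so an address outside a well-formed `/24` is never checked for IPv4.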