From fed266712755b47631bb4acab3f12f3dc116fe4d Mon Sep 17 00:00:00 2001
From: Shuhei Matsumoto
Date: Tue, 24 Oct 2017 10:20:09 +0900
Subject: [PATCH] iscsi and ut/iscsi: deny initiator grp w/ empty netmask

spdk_iscsi_tgt_node_access() (in lib/iscsi/tgt_node.c) regards empty netmask of IG as ALL (allow all initiator's IP address). However any user cannot create IG whose netmask is empty by both JSON-RPC and config file. Instead user can create IG whose netmask is ALL. The code to regard empty netmask of IG as ALL never run in production. Hence delete the code and add UT to confirm the fix.

Change-Id: Ib7206d0986db9093cfb6b36191be26293ff6c67a
Signed-off-by: Shuhei Matsumoto
Reviewed-on: https://review.gerrithub.io/382920
Reviewed-by: Daniel Verkamp
Reviewed-by: Jim Harris
Tested-by: SPDK Automated Test System
Reviewed-by: Ziye Yang
Reviewed-by: Ben Walker
---
 lib/iscsi/tgt_node.c | 4 -
 test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c | 178 +++++++++++++++++++
 2 files changed, 178 insertions(+), 4 deletions(-)

diff --git a/lib/iscsi/tgt_node.c b/lib/iscsi/tgt_node.c
index 30a093887..108539a00 100644
--- a/lib/iscsi/tgt_node.c
+++ b/lib/iscsi/tgt_node.c
@@ -211,10 +211,6 @@ spdk_iscsi_tgt_node_access(struct spdk_iscsi_conn *conn,
 if (strcasecmp(igp->initiators[j], "ALL") == 0
 || strcasecmp(igp->initiators[j], iqn) == 0) {
 /* OK iqn, check netmask */
- if (igp->nnetmasks == 0) {
- /* OK, empty netmask as ALL */
- return 1;
- }
 for (k = 0; k < igp->nnetmasks; k++) {
 SPDK_DEBUGLOG(SPDK_TRACE_ISCSI,
 "netmask=%s, addr=%s\n",
diff --git a/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c b/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c
index adb4c1356..674e8140c 100644
--- a/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c
+++ b/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c
@@ -108,6 +108,177 @@ config_file_fail_cases(void)
 spdk_conf_free(config);
 }
 
+static void
+allow_ipv6_allowed(void)
+{
+ int rc;
+ char *netmask;
+ char *addr;
+
+ netmask = "[2001:ad6:1234::]/48";
+ addr = "2001:ad6:1234:5678:9abc::";
+
+ rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
+ CU_ASSERT(rc != 0);
+
+ rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
+ CU_ASSERT(rc != 0);
+}
+
+static void
+allow_ipv6_denied(void)
+{
+ int rc;
+ char *netmask;
+ char *addr;
+
+ netmask = "[2001:ad6:1234::]/56";
+ addr = "2001:ad6:1234:5678:9abc::";
+
+ rc = spdk_iscsi_tgt_node_allow_ipv6(netmask, addr);
+ CU_ASSERT(rc == 0);
+
+ rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
+ CU_ASSERT(rc == 0);
+}
+
+static void
+allow_ipv4_allowed(void)
+{
+ int rc;
+ char *netmask;
+ char *addr;
+
+ netmask = "192.168.2.0/24";
+ addr = "192.168.2.1";
+
+ rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
+ CU_ASSERT(rc != 0);
+
+ rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
+ CU_ASSERT(rc != 0);
+}
+
+static void
+allow_ipv4_denied(void)
+{
+ int rc;
+ char *netmask;
+ char *addr;
+
+ netmask = "192.168.2.0";
+ addr = "192.168.2.1";
+
+ rc = spdk_iscsi_tgt_node_allow_ipv4(netmask, addr);
+ CU_ASSERT(rc == 0);
+
+ rc = spdk_iscsi_tgt_node_allow_netmask(netmask, addr);
+ CU_ASSERT(rc == 0);
+}
+
+static void
+node_access_allowed(void)
+{
+ struct spdk_iscsi_tgt_node tgtnode;
+ struct spdk_iscsi_portal_grp pg;
+ struct spdk_iscsi_init_grp ig;
+ struct spdk_iscsi_conn conn;
+ struct spdk_iscsi_portal portal;
+ char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
+ char *netmasks[] = {"192.168.2.0/24"};
+ char *iqn, *addr;
+ int rc;
+
+ /* portal group initialization */
+ memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
+ pg.tag = 1;
+
+ /* initiator group initialization */
+ memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
+ ig.tag = 1;
+
+ ig.ninitiators = 1;
+ ig.initiators = &initiators[0];
+
+ ig.nnetmasks = 1;
+ ig.netmasks = &netmasks[0];
+
+ /* target initialization */
+ memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
+ tgtnode.maxmap = 1;
+ tgtnode.name = "iqn.2017-10.spdk.io:0001";
+ tgtnode.map[0].pg = &pg;
+ tgtnode.map[0].ig = &ig;
+
+ /* portal initialization */
+ memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
+ portal.group = &pg;
+ portal.host = "192.168.2.0";
+ portal.port = "3260";
+
+ /* input for UT */
+ memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
+ conn.portal = &portal;
+
+ iqn = "iqn.2017-10.spdk.io:0001";
+ addr = "192.168.2.1";
+
+ rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
+ CU_ASSERT(rc == 1);
+
+}
+
+static void
+node_access_denied_by_empty_netmask(void)
+{
+ struct spdk_iscsi_tgt_node tgtnode;
+ struct spdk_iscsi_portal_grp pg;
+ struct spdk_iscsi_init_grp ig;
+ struct spdk_iscsi_conn conn;
+ struct spdk_iscsi_portal portal;
+ char *initiators[] = {"iqn.2017-10.spdk.io:0001"};
+ char *iqn, *addr;
+ int rc;
+
+ /* portal group initialization */
+ memset(&pg, 0, sizeof(struct spdk_iscsi_portal_grp));
+ pg.tag = 1;
+
+ /* initiator group initialization */
+ memset(&ig, 0, sizeof(struct spdk_iscsi_init_grp));
+ ig.tag = 1;
+
+ ig.ninitiators = 1;
+ ig.initiators = &initiators[0];
+
+ ig.nnetmasks = 0;
+ ig.netmasks = NULL;
+
+ /* target initialization */
+ memset(&tgtnode, 0, sizeof(struct spdk_iscsi_tgt_node));
+ tgtnode.maxmap = 1;
+ tgtnode.name = "iqn.2017-10.spdk.io:0001";
+ tgtnode.map[0].pg = &pg;
+ tgtnode.map[0].ig = &ig;
+
+ /* portal initialization */
+ memset(&portal, 0, sizeof(struct spdk_iscsi_portal));
+ portal.group = &pg;
+ portal.host = "192.168.2.0";
+ portal.port = "3260";
+
+ /* input for UT */
+ memset(&conn, 0, sizeof(struct spdk_iscsi_conn));
+ conn.portal = &portal;
+
+ iqn = "iqn.2017-10.spdk.io:0001";
+ addr = "192.168.3.1";
+
+ rc = spdk_iscsi_tgt_node_access(&conn, &tgtnode, iqn, addr);
+ CU_ASSERT(rc == 0);
+
+}
+
 int
 main(int argc, char **argv)
 {
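Review bot: node_access_denied_by_empty_netmask changes two inputs relative to node_access_allowed: the netmask list is emptied and addr moves from 192.168.2.1 to 192.168.3.1, so the test does not show on its face that the empty netmask alone is what denies access. Keeping `addr = "192.168.2.1";` in the deny case would make the two fixtures differ only in `ig.nnetmasks`/`ig.netmasks`, which pins the fail-closed behaviour this commit introduces. The access-control path would also benefit from a case through spdk_iscsi_tgt_node_access with a non-empty netmask and an address outside it, expected to return 0. Since the description names "ALL" as the supported way to admit every address, a case with `char *netmasks[] = {"ALL"};` expected to return 1 would cover that too, assuming the netmask matcher handles "ALL", which is not visible in this hunk.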
@@ -133,6 +304,13 @@ main(int argc, char **argv)
 
 if (
 CU_add_test(suite, "config file fail cases", config_file_fail_cases) == NULL
+ || CU_add_test(suite, "allow ipv6 allowed case", allow_ipv6_allowed) == NULL
+ || CU_add_test(suite, "allow ipv6 denied case", allow_ipv6_denied) == NULL
+ || CU_add_test(suite, "allow ipv4 allowed case", allow_ipv4_allowed) == NULL
+ || CU_add_test(suite, "allow ipv4 denied case", allow_ipv4_denied) == NULL
+ || CU_add_test(suite, "node access allowed case", node_access_allowed) == NULL
+ || CU_add_test(suite, "node access denied case (empty netmask)",
+ node_access_denied_by_empty_netmask) == NULL
 ) {
 CU_cleanup_registry();
 return CU_get_error();