Allow virtual filesystem to check user subject.

Signed-off-by: David Kocher <dkocher@iterate.ch>
dCache · Dec 14, 2021 · 3956d03 · 3956d03
1 parent 207eeb3
commit 3956d03
Show file tree

Hide file tree

Showing 7 changed files with 12 additions and 10 deletions.
diff --git a/core/src/main/java/org/dcache/nfs/v3/NfsServerV3.java b/core/src/main/java/org/dcache/nfs/v3/NfsServerV3.java
@@ -210,7 +210,7 @@ public ACCESS3res NFSPROC3_ACCESS_3(RpcCall call$, ACCESS3args arg1) {
 
             HimeraNfsUtils.fill_attributes(objStat, res.resok.obj_attributes.attributes);
 
-            int realAccess = fs.access(inode,  arg1.access.value);
+            int realAccess = fs.access(call$.getCredential().getSubject(), inode,  arg1.access.value);
 
             res.resok.access = new uint32(realAccess);
         } catch (ChimeraNFSException hne) {

diff --git a/core/src/main/java/org/dcache/nfs/v4/OperationACCESS.java b/core/src/main/java/org/dcache/nfs/v4/OperationACCESS.java
@@ -61,7 +61,7 @@ public void process(CompoundContext context, nfs_resop4 result)
             throw new InvalException("invalid access mask");
         }
 
-        final int realAccess = context.getFs().access(context.currentInode(), requestedAccess);
+        final int realAccess = context.getFs().access(context.getSubject(), context.currentInode(), requestedAccess);
 
         _log.debug("NFS Request ACCESS uid: {} {} {}",
                     context.getSubject(), requestedAccess, realAccess );

diff --git a/core/src/main/java/org/dcache/nfs/v4/OperationOPEN.java b/core/src/main/java/org/dcache/nfs/v4/OperationOPEN.java
@@ -183,7 +183,7 @@ public void process(CompoundContext context, nfs_resop4 result) throws ChimeraNF
                                     Integer.toOctalString(fileStat.getMode() & 0777));
                         }
 
-                        if (context.getFs().access(inode, nfs4_prot.ACCESS4_MODIFY) == 0) {
+                        if (context.getFs().access(context.getSubject(), inode, nfs4_prot.ACCESS4_MODIFY) == 0) {
                             throw new AccessException();
                         }
 
@@ -297,7 +297,7 @@ private void checkCanAccess(CompoundContext context, Inode inode, uint32_t share
                 throw new InvalException("Invalid share_access mode: " + share_access.value);
         }
 
-        if (context.getFs().access(inode, accessMode) != accessMode) {
+        if (context.getFs().access(context.getSubject(), inode, accessMode) != accessMode) {
             throw new AccessException();
         }
 

diff --git a/core/src/main/java/org/dcache/nfs/vfs/ForwardingFileSystem.java b/core/src/main/java/org/dcache/nfs/vfs/ForwardingFileSystem.java
@@ -42,8 +42,8 @@ public abstract class ForwardingFileSystem implements VirtualFileSystem {
     protected abstract VirtualFileSystem delegate();
 
     @Override
-    public int access(Inode inode, int mode) throws IOException {
-        return delegate().access(inode, mode);
+    public int access(Subject subject, Inode inode, int mode) throws IOException {
+        return delegate().access(subject, inode, mode);
     }
 
     @Override

diff --git a/core/src/main/java/org/dcache/nfs/vfs/PseudoFs.java b/core/src/main/java/org/dcache/nfs/vfs/PseudoFs.java
@@ -102,7 +102,7 @@ private boolean canAccess(Inode inode, Stat stat, int mode) {
     }
 
     @Override
-    public int access(Inode inode, int mode) throws IOException {
+    public int access(Subject subject, Inode inode, int mode) throws IOException {
         int accessmask = 0;
 
         if ((mode & ~ACCESS4_MASK) != 0) {
@@ -171,7 +171,7 @@ public int access(Inode inode, int mode) throws IOException {
             }
         }
 
-        return accessmask & _inner.access(inode, accessmask);
+        return accessmask & _inner.access(subject, inode, accessmask);
     }
 
     @Override

diff --git a/core/src/main/java/org/dcache/nfs/vfs/VirtualFileSystem.java b/core/src/main/java/org/dcache/nfs/vfs/VirtualFileSystem.java
@@ -50,12 +50,14 @@ public interface VirtualFileSystem {
     /**
      * Check access to file system object.
      *
+     *
+     * @param subject User
      * @param inode inode of the object to check.
      * @param mode a mask of permission bits to check.
      * @return an allowed subset of permissions from the given mask.
      * @throws IOException
      */
-    int access(Inode inode, int mode) throws IOException;
+    int access(Subject subject, Inode inode, int mode) throws IOException;
 
     /**
      * Create a new object in a given directory with a specific name.

diff --git a/core/src/test/java/org/dcache/nfs/vfs/DummyVFS.java b/core/src/test/java/org/dcache/nfs/vfs/DummyVFS.java
@@ -483,7 +483,7 @@ private Stat statPath(Path p, long inodeNumber) throws IOException {
     }
 
     @Override
-    public int access(Inode inode, int mode) throws IOException {
+    public int access(Subject subject, Inode inode, int mode) throws IOException {
         return mode;
     }