Reduce number of callbacks when checking access flags. (#89)

dkocher · web-flow · commit 15d38f2600c7 · 2020-05-21T22:24:47.000+02:00
* Reduce number of callbacks when checking access flags.

Signed-off-by: David Kocher &lt;dkocher@iterate.ch&gt;

* Fix test.

Signed-off-by: David Kocher &lt;dkocher@iterate.ch&gt;
diff --git a/core/src/main/java/org/dcache/nfs/vfs/PseudoFs.java b/core/src/main/java/org/dcache/nfs/vfs/PseudoFs.java
@@ -85,9 +85,9 @@ protected VirtualFileSystem delegate() {
         return _inner;
     }
 
-    private boolean canAccess(Inode inode, int mode) {
+    private boolean canAccess(Inode inode, Stat stat, int mode) {
         try {
-            checkAccess(inode, mode, false);
+            checkAccess(inode, stat, mode, false);
             return true;
         } catch (IOException e) {
         }
@@ -102,38 +102,39 @@ public int access(Inode inode, int mode) throws IOException {
             throw new InvalException("invalid access mask");
         }
 
+        Stat stat = _inner.getattr(inode);
         if ((mode & ACCESS4_READ) != 0) {
-            if (canAccess(inode, ACE4_READ_DATA)) {
+            if (canAccess(inode, stat, ACE4_READ_DATA)) {
                 accessmask |= ACCESS4_READ;
             }
         }
 
         if ((mode & ACCESS4_LOOKUP) != 0) {
-            if (canAccess(inode, ACE4_EXECUTE)) {
+            if (canAccess(inode, stat, ACE4_EXECUTE)) {
                 accessmask |= ACCESS4_LOOKUP;
             }
         }
 
         if ((mode & ACCESS4_MODIFY) != 0) {
-            if (canAccess(inode, ACE4_WRITE_DATA)) {
+            if (canAccess(inode, stat, ACE4_WRITE_DATA)) {
                 accessmask |= ACCESS4_MODIFY;
             }
         }
 
         if ((mode & ACCESS4_EXECUTE) != 0) {
-            if (canAccess(inode, ACE4_EXECUTE)) {
+            if (canAccess(inode, stat, ACE4_EXECUTE)) {
                 accessmask |= ACCESS4_EXECUTE;
             }
         }
 
         if ((mode & ACCESS4_EXTEND) != 0) {
-            if (canAccess(inode, ACE4_APPEND_DATA)) {
+            if (canAccess(inode, stat, ACE4_APPEND_DATA)) {
                 accessmask |= ACCESS4_EXTEND;
             }
         }
 
         if ((mode & ACCESS4_DELETE) != 0) {
-            if (canAccess(inode, ACE4_DELETE_CHILD)) {
+            if (canAccess(inode, stat, ACE4_DELETE_CHILD)) {
                 accessmask |= ACCESS4_DELETE;
             }
         }
@@ -146,19 +147,19 @@ public int access(Inode inode, int mode) throws IOException {
          */
 
         if ((mode & ACCESS4_XAREAD) != 0) {
-            if (canAccess(inode, ACE4_READ_DATA)) {
+            if (canAccess(inode, stat, ACE4_READ_DATA)) {
                 accessmask |= ACCESS4_XAREAD;
             }
         }
 
         if ((mode & ACCESS4_XALIST) != 0) {
-            if (canAccess(inode, ACE4_READ_DATA)) {
+            if (canAccess(inode, stat, ACE4_READ_DATA)) {
                 accessmask |= ACCESS4_XALIST;
             }
         }
 
         if ((mode & ACCESS4_XAWRITE) != 0) {
-            if (canAccess(inode, ACE4_WRITE_DATA)) {
+            if (canAccess(inode, stat, ACE4_WRITE_DATA)) {
                 accessmask |= ACCESS4_XAWRITE;
             }
         }
@@ -393,6 +394,10 @@ private Subject checkAccess(Inode inode, int requestedMask) throws IOException {
     }
 
     private Subject checkAccess(Inode inode, int requestedMask, boolean shouldLog) throws IOException {
+        return checkAccess(inode, _inner.getattr(inode), requestedMask, shouldLog);
+    }
+
+    private Subject checkAccess(Inode inode, Stat stat, int requestedMask, boolean shouldLog) throws IOException {
 
         Subject effectiveSubject = _subject;
         Access aclMatched = Access.UNDEFINED;
@@ -453,7 +458,6 @@ private Subject checkAccess(Inode inode, int requestedMask, boolean shouldLog) t
          * always allows it.
          */
         if ((aclMatched == Access.UNDEFINED) && (requestedMask != ACE4_READ_ATTRIBUTES)) {
-            Stat stat = _inner.getattr(inode);
             int unixAccessmask = unixToAccessmask(effectiveSubject, stat);
             if ((unixAccessmask & requestedMask) != requestedMask) {
                 if (shouldLog) {
diff --git a/core/src/test/java/org/dcache/nfs/vfs/PseudoFsTest.java b/core/src/test/java/org/dcache/nfs/vfs/PseudoFsTest.java
@@ -24,6 +24,8 @@
 import java.nio.charset.StandardCharsets;
 import java.util.stream.Stream;
 import javax.security.auth.Subject;
+
+import com.google.common.primitives.Longs;
 import org.dcache.auth.Subjects;
 import org.dcache.nfs.ExportFile;
 import org.dcache.nfs.FsExport;
@@ -383,7 +385,7 @@ public void testAccessDenyOnHighjackedInode() throws IOException {
         Inode inode = new Inode(
                 new FileHandle.FileHandleBuilder()
                     .setExportIdx(1)
-                    .build(new byte[] {0x1})
+                    .build(Longs.toByteArray(1L))
             );
 
         given(mockedExportFile.getExport(1, localAddress.getAddress())).willReturn(null);

Original file line number	Diff line number	Diff line change
`@@ -85,9 +85,9 @@ protected VirtualFileSystem delegate() {`
`85`	`85`	`return _inner;`
`86`	`86`	`}`
`87`	`87`
`88`		`- private boolean canAccess(Inode inode, int mode) {`
	`88`	`+ private boolean canAccess(Inode inode, Stat stat, int mode) {`
`89`	`89`	`try {`
`90`		`- checkAccess(inode, mode, false);`
	`90`	`+ checkAccess(inode, stat, mode, false);`
`91`	`91`	`return true;`
`92`	`92`	`} catch (IOException e) {`
`93`	`93`	`}`
`@@ -102,38 +102,39 @@ public int access(Inode inode, int mode) throws IOException {`
`102`	`102`	`throw new InvalException("invalid access mask");`
`103`	`103`	`}`
`104`	`104`
	`105`	`+ Stat stat = _inner.getattr(inode);`
`105`	`106`	`if ((mode & ACCESS4_READ) != 0) {`
`106`		`- if (canAccess(inode, ACE4_READ_DATA)) {`
	`107`	`+ if (canAccess(inode, stat, ACE4_READ_DATA)) {`
`107`	`108`	`accessmask \|= ACCESS4_READ;`
`108`	`109`	`}`
`109`	`110`	`}`
`110`	`111`
`111`	`112`	`if ((mode & ACCESS4_LOOKUP) != 0) {`
`112`		`- if (canAccess(inode, ACE4_EXECUTE)) {`
	`113`	`+ if (canAccess(inode, stat, ACE4_EXECUTE)) {`
`113`	`114`	`accessmask \|= ACCESS4_LOOKUP;`
`114`	`115`	`}`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`if ((mode & ACCESS4_MODIFY) != 0) {`
`118`		`- if (canAccess(inode, ACE4_WRITE_DATA)) {`
	`119`	`+ if (canAccess(inode, stat, ACE4_WRITE_DATA)) {`
`119`	`120`	`accessmask \|= ACCESS4_MODIFY;`
`120`	`121`	`}`
`121`	`122`	`}`
`122`	`123`
`123`	`124`	`if ((mode & ACCESS4_EXECUTE) != 0) {`
`124`		`- if (canAccess(inode, ACE4_EXECUTE)) {`
	`125`	`+ if (canAccess(inode, stat, ACE4_EXECUTE)) {`
`125`	`126`	`accessmask \|= ACCESS4_EXECUTE;`
`126`	`127`	`}`
`127`	`128`	`}`
`128`	`129`
`129`	`130`	`if ((mode & ACCESS4_EXTEND) != 0) {`
`130`		`- if (canAccess(inode, ACE4_APPEND_DATA)) {`
	`131`	`+ if (canAccess(inode, stat, ACE4_APPEND_DATA)) {`
`131`	`132`	`accessmask \|= ACCESS4_EXTEND;`
`132`	`133`	`}`
`133`	`134`	`}`
`134`	`135`
`135`	`136`	`if ((mode & ACCESS4_DELETE) != 0) {`
`136`		`- if (canAccess(inode, ACE4_DELETE_CHILD)) {`
	`137`	`+ if (canAccess(inode, stat, ACE4_DELETE_CHILD)) {`
`137`	`138`	`accessmask \|= ACCESS4_DELETE;`
`138`	`139`	`}`
`139`	`140`	`}`
`@@ -146,19 +147,19 @@ public int access(Inode inode, int mode) throws IOException {`
`146`	`147`	`*/`
`147`	`148`
`148`	`149`	`if ((mode & ACCESS4_XAREAD) != 0) {`
`149`		`- if (canAccess(inode, ACE4_READ_DATA)) {`
	`150`	`+ if (canAccess(inode, stat, ACE4_READ_DATA)) {`
`150`	`151`	`accessmask \|= ACCESS4_XAREAD;`
`151`	`152`	`}`
`152`	`153`	`}`
`153`	`154`
`154`	`155`	`if ((mode & ACCESS4_XALIST) != 0) {`
`155`		`- if (canAccess(inode, ACE4_READ_DATA)) {`
	`156`	`+ if (canAccess(inode, stat, ACE4_READ_DATA)) {`
`156`	`157`	`accessmask \|= ACCESS4_XALIST;`
`157`	`158`	`}`
`158`	`159`	`}`
`159`	`160`
`160`	`161`	`if ((mode & ACCESS4_XAWRITE) != 0) {`
`161`		`- if (canAccess(inode, ACE4_WRITE_DATA)) {`
	`162`	`+ if (canAccess(inode, stat, ACE4_WRITE_DATA)) {`
`162`	`163`	`accessmask \|= ACCESS4_XAWRITE;`
`163`	`164`	`}`
`164`	`165`	`}`
`@@ -393,6 +394,10 @@ private Subject checkAccess(Inode inode, int requestedMask) throws IOException {`
`393`	`394`	`}`
`394`	`395`
`395`	`396`	`private Subject checkAccess(Inode inode, int requestedMask, boolean shouldLog) throws IOException {`
	`397`	`+ return checkAccess(inode, _inner.getattr(inode), requestedMask, shouldLog);`
	`398`	`+ }`
	`399`	`+`
	`400`	`+ private Subject checkAccess(Inode inode, Stat stat, int requestedMask, boolean shouldLog) throws IOException {`
`396`	`401`
`397`	`402`	`Subject effectiveSubject = _subject;`
`398`	`403`	`Access aclMatched = Access.UNDEFINED;`
`@@ -453,7 +458,6 @@ private Subject checkAccess(Inode inode, int requestedMask, boolean shouldLog) t`
`453`	`458`	`* always allows it.`
`454`	`459`	`*/`
`455`	`460`	`if ((aclMatched == Access.UNDEFINED) && (requestedMask != ACE4_READ_ATTRIBUTES)) {`
`456`		`- Stat stat = _inner.getattr(inode);`
`457`	`461`	`int unixAccessmask = unixToAccessmask(effectiveSubject, stat);`
`458`	`462`	`if ((unixAccessmask & requestedMask) != requestedMask) {`
`459`	`463`	`if (shouldLog) {`