]>
Commit | Line | Data |
---|---|---|
7c673cae | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
7c673cae FG |
3 | |
4 | #include <string.h> | |
5 | ||
6 | #include <iostream> | |
7 | #include <map> | |
8 | ||
9 | #include "include/types.h" | |
10 | ||
11 | #include "rgw_acl_s3.h" | |
12 | #include "rgw_user.h" | |
20effc67 | 13 | #include "rgw_sal.h" |
7c673cae FG |
14 | |
15 | #define dout_subsys ceph_subsys_rgw | |
16 | ||
7c673cae FG |
17 | |
18 | ||
19 | #define RGW_URI_ALL_USERS "http://acs.amazonaws.com/groups/global/AllUsers" | |
20 | #define RGW_URI_AUTH_USERS "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" | |
21 | ||
20effc67 TL |
22 | using namespace std; |
23 | ||
7c673cae FG |
24 | static string rgw_uri_all_users = RGW_URI_ALL_USERS; |
25 | static string rgw_uri_auth_users = RGW_URI_AUTH_USERS; | |
26 | ||
27 | void ACLPermission_S3::to_xml(ostream& out) | |
28 | { | |
29 | if ((flags & RGW_PERM_FULL_CONTROL) == RGW_PERM_FULL_CONTROL) { | |
30 | out << "<Permission>FULL_CONTROL</Permission>"; | |
31 | } else { | |
32 | if (flags & RGW_PERM_READ) | |
33 | out << "<Permission>READ</Permission>"; | |
34 | if (flags & RGW_PERM_WRITE) | |
35 | out << "<Permission>WRITE</Permission>"; | |
36 | if (flags & RGW_PERM_READ_ACP) | |
37 | out << "<Permission>READ_ACP</Permission>"; | |
38 | if (flags & RGW_PERM_WRITE_ACP) | |
39 | out << "<Permission>WRITE_ACP</Permission>"; | |
40 | } | |
41 | } | |
42 | ||
43 | bool ACLPermission_S3:: | |
44 | xml_end(const char *el) | |
45 | { | |
46 | const char *s = data.c_str(); | |
47 | if (strcasecmp(s, "READ") == 0) { | |
48 | flags |= RGW_PERM_READ; | |
49 | return true; | |
50 | } else if (strcasecmp(s, "WRITE") == 0) { | |
51 | flags |= RGW_PERM_WRITE; | |
52 | return true; | |
53 | } else if (strcasecmp(s, "READ_ACP") == 0) { | |
54 | flags |= RGW_PERM_READ_ACP; | |
55 | return true; | |
56 | } else if (strcasecmp(s, "WRITE_ACP") == 0) { | |
57 | flags |= RGW_PERM_WRITE_ACP; | |
58 | return true; | |
59 | } else if (strcasecmp(s, "FULL_CONTROL") == 0) { | |
60 | flags |= RGW_PERM_FULL_CONTROL; | |
61 | return true; | |
62 | } | |
63 | return false; | |
64 | } | |
65 | ||
66 | ||
67 | class ACLGranteeType_S3 { | |
68 | public: | |
69 | static const char *to_string(ACLGranteeType& type) { | |
70 | switch (type.get_type()) { | |
71 | case ACL_TYPE_CANON_USER: | |
72 | return "CanonicalUser"; | |
73 | case ACL_TYPE_EMAIL_USER: | |
74 | return "AmazonCustomerByEmail"; | |
75 | case ACL_TYPE_GROUP: | |
76 | return "Group"; | |
77 | default: | |
78 | return "unknown"; | |
79 | } | |
80 | } | |
81 | ||
82 | static void set(const char *s, ACLGranteeType& type) { | |
83 | if (!s) { | |
84 | type.set(ACL_TYPE_UNKNOWN); | |
85 | return; | |
86 | } | |
87 | if (strcmp(s, "CanonicalUser") == 0) | |
88 | type.set(ACL_TYPE_CANON_USER); | |
89 | else if (strcmp(s, "AmazonCustomerByEmail") == 0) | |
90 | type.set(ACL_TYPE_EMAIL_USER); | |
91 | else if (strcmp(s, "Group") == 0) | |
92 | type.set(ACL_TYPE_GROUP); | |
93 | else | |
94 | type.set(ACL_TYPE_UNKNOWN); | |
95 | } | |
96 | }; | |
97 | ||
98 | class ACLID_S3 : public XMLObj | |
99 | { | |
100 | public: | |
101 | ACLID_S3() {} | |
102 | ~ACLID_S3() override {} | |
103 | string& to_str() { return data; } | |
104 | }; | |
105 | ||
106 | class ACLURI_S3 : public XMLObj | |
107 | { | |
108 | public: | |
109 | ACLURI_S3() {} | |
110 | ~ACLURI_S3() override {} | |
111 | }; | |
112 | ||
113 | class ACLEmail_S3 : public XMLObj | |
114 | { | |
115 | public: | |
116 | ACLEmail_S3() {} | |
117 | ~ACLEmail_S3() override {} | |
118 | }; | |
119 | ||
120 | class ACLDisplayName_S3 : public XMLObj | |
121 | { | |
122 | public: | |
123 | ACLDisplayName_S3() {} | |
124 | ~ACLDisplayName_S3() override {} | |
125 | }; | |
126 | ||
127 | bool ACLOwner_S3::xml_end(const char *el) { | |
128 | ACLID_S3 *acl_id = static_cast<ACLID_S3 *>(find_first("ID")); | |
129 | ACLID_S3 *acl_name = static_cast<ACLID_S3 *>(find_first("DisplayName")); | |
130 | ||
131 | // ID is mandatory | |
132 | if (!acl_id) | |
133 | return false; | |
134 | id = acl_id->get_data(); | |
135 | ||
136 | // DisplayName is optional | |
137 | if (acl_name) | |
138 | display_name = acl_name->get_data(); | |
139 | else | |
140 | display_name = ""; | |
141 | ||
142 | return true; | |
143 | } | |
144 | ||
145 | void ACLOwner_S3::to_xml(ostream& out) { | |
146 | string s; | |
147 | id.to_str(s); | |
148 | if (s.empty()) | |
149 | return; | |
150 | out << "<Owner>" << "<ID>" << s << "</ID>"; | |
151 | if (!display_name.empty()) | |
152 | out << "<DisplayName>" << display_name << "</DisplayName>"; | |
153 | out << "</Owner>"; | |
154 | } | |
155 | ||
156 | bool ACLGrant_S3::xml_end(const char *el) { | |
157 | ACLGrantee_S3 *acl_grantee; | |
158 | ACLID_S3 *acl_id; | |
159 | ACLURI_S3 *acl_uri; | |
160 | ACLEmail_S3 *acl_email; | |
161 | ACLPermission_S3 *acl_permission; | |
162 | ACLDisplayName_S3 *acl_name; | |
163 | string uri; | |
164 | ||
165 | acl_grantee = static_cast<ACLGrantee_S3 *>(find_first("Grantee")); | |
166 | if (!acl_grantee) | |
167 | return false; | |
168 | string type_str; | |
169 | if (!acl_grantee->get_attr("xsi:type", type_str)) | |
170 | return false; | |
171 | ACLGranteeType_S3::set(type_str.c_str(), type); | |
172 | ||
173 | acl_permission = static_cast<ACLPermission_S3 *>(find_first("Permission")); | |
174 | if (!acl_permission) | |
175 | return false; | |
176 | ||
177 | permission = *acl_permission; | |
178 | ||
179 | id.clear(); | |
180 | name.clear(); | |
181 | email.clear(); | |
182 | ||
183 | switch (type.get_type()) { | |
184 | case ACL_TYPE_CANON_USER: | |
185 | acl_id = static_cast<ACLID_S3 *>(acl_grantee->find_first("ID")); | |
186 | if (!acl_id) | |
187 | return false; | |
188 | id = acl_id->to_str(); | |
189 | acl_name = static_cast<ACLDisplayName_S3 *>(acl_grantee->find_first("DisplayName")); | |
190 | if (acl_name) | |
191 | name = acl_name->get_data(); | |
192 | break; | |
193 | case ACL_TYPE_GROUP: | |
194 | acl_uri = static_cast<ACLURI_S3 *>(acl_grantee->find_first("URI")); | |
195 | if (!acl_uri) | |
196 | return false; | |
197 | uri = acl_uri->get_data(); | |
198 | group = uri_to_group(uri); | |
199 | break; | |
200 | case ACL_TYPE_EMAIL_USER: | |
201 | acl_email = static_cast<ACLEmail_S3 *>(acl_grantee->find_first("EmailAddress")); | |
202 | if (!acl_email) | |
203 | return false; | |
204 | email = acl_email->get_data(); | |
205 | break; | |
206 | default: | |
207 | // unknown user type | |
208 | return false; | |
209 | }; | |
210 | return true; | |
211 | } | |
212 | ||
213 | void ACLGrant_S3::to_xml(CephContext *cct, ostream& out) { | |
214 | ACLPermission_S3& perm = static_cast<ACLPermission_S3 &>(permission); | |
215 | ||
216 | /* only show s3 compatible permissions */ | |
217 | if (!(perm.get_permissions() & RGW_PERM_ALL_S3)) | |
218 | return; | |
219 | ||
220 | string uri; | |
221 | ||
222 | out << "<Grant>" << | |
223 | "<Grantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"" << ACLGranteeType_S3::to_string(type) << "\">"; | |
224 | switch (type.get_type()) { | |
225 | case ACL_TYPE_CANON_USER: | |
226 | out << "<ID>" << id << "</ID>"; | |
227 | if (name.size()) { | |
228 | out << "<DisplayName>" << name << "</DisplayName>"; | |
229 | } | |
230 | break; | |
231 | case ACL_TYPE_EMAIL_USER: | |
232 | out << "<EmailAddress>" << email << "</EmailAddress>"; | |
233 | break; | |
234 | case ACL_TYPE_GROUP: | |
235 | if (!group_to_uri(group, uri)) { | |
236 | ldout(cct, 0) << "ERROR: group_to_uri failed with group=" << (int)group << dendl; | |
237 | break; | |
238 | } | |
239 | out << "<URI>" << uri << "</URI>"; | |
240 | break; | |
241 | default: | |
242 | break; | |
243 | } | |
244 | out << "</Grantee>"; | |
245 | perm.to_xml(out); | |
246 | out << "</Grant>"; | |
247 | } | |
248 | ||
249 | bool ACLGrant_S3::group_to_uri(ACLGroupTypeEnum group, string& uri) | |
250 | { | |
251 | switch (group) { | |
252 | case ACL_GROUP_ALL_USERS: | |
253 | uri = rgw_uri_all_users; | |
254 | return true; | |
255 | case ACL_GROUP_AUTHENTICATED_USERS: | |
256 | uri = rgw_uri_auth_users; | |
257 | return true; | |
258 | default: | |
259 | return false; | |
260 | } | |
261 | } | |
262 | ||
263 | bool RGWAccessControlList_S3::xml_end(const char *el) { | |
264 | XMLObjIter iter = find("Grant"); | |
265 | ACLGrant_S3 *grant = static_cast<ACLGrant_S3 *>(iter.get_next()); | |
266 | while (grant) { | |
267 | add_grant(grant); | |
268 | grant = static_cast<ACLGrant_S3 *>(iter.get_next()); | |
269 | } | |
270 | return true; | |
271 | } | |
272 | ||
273 | void RGWAccessControlList_S3::to_xml(ostream& out) { | |
274 | multimap<string, ACLGrant>::iterator iter; | |
275 | out << "<AccessControlList>"; | |
276 | for (iter = grant_map.begin(); iter != grant_map.end(); ++iter) { | |
277 | ACLGrant_S3& grant = static_cast<ACLGrant_S3 &>(iter->second); | |
278 | grant.to_xml(cct, out); | |
279 | } | |
280 | out << "</AccessControlList>"; | |
281 | } | |
282 | ||
283 | struct s3_acl_header { | |
284 | int rgw_perm; | |
285 | const char *http_header; | |
286 | }; | |
287 | ||
31f18b77 | 288 | static const char *get_acl_header(const RGWEnv *env, |
7c673cae FG |
289 | const struct s3_acl_header *perm) |
290 | { | |
291 | const char *header = perm->http_header; | |
292 | ||
293 | return env->get(header, NULL); | |
294 | } | |
295 | ||
20effc67 | 296 | static int parse_grantee_str(const DoutPrefixProvider *dpp, rgw::sal::Store* store, string& grantee_str, |
7c673cae FG |
297 | const struct s3_acl_header *perm, ACLGrant& grant) |
298 | { | |
299 | string id_type, id_val_quoted; | |
300 | int rgw_perm = perm->rgw_perm; | |
301 | int ret; | |
302 | ||
7c673cae FG |
303 | ret = parse_key_value(grantee_str, id_type, id_val_quoted); |
304 | if (ret < 0) | |
305 | return ret; | |
306 | ||
307 | string id_val = rgw_trim_quotes(id_val_quoted); | |
308 | ||
309 | if (strcasecmp(id_type.c_str(), "emailAddress") == 0) { | |
20effc67 TL |
310 | std::unique_ptr<rgw::sal::User> user; |
311 | ret = store->get_user_by_email(dpp, id_val, null_yield, &user); | |
7c673cae FG |
312 | if (ret < 0) |
313 | return ret; | |
314 | ||
20effc67 | 315 | grant.set_canon(user->get_id(), user->get_display_name(), rgw_perm); |
7c673cae | 316 | } else if (strcasecmp(id_type.c_str(), "id") == 0) { |
20effc67 TL |
317 | std::unique_ptr<rgw::sal::User> user = store->get_user(rgw_user(id_val)); |
318 | ret = user->load_user(dpp, null_yield); | |
7c673cae FG |
319 | if (ret < 0) |
320 | return ret; | |
321 | ||
20effc67 | 322 | grant.set_canon(user->get_id(), user->get_display_name(), rgw_perm); |
7c673cae FG |
323 | } else if (strcasecmp(id_type.c_str(), "uri") == 0) { |
324 | ACLGroupTypeEnum gid = grant.uri_to_group(id_val); | |
325 | if (gid == ACL_GROUP_NONE) | |
326 | return -EINVAL; | |
327 | ||
328 | grant.set_group(gid, rgw_perm); | |
329 | } else { | |
330 | return -EINVAL; | |
331 | } | |
332 | ||
333 | return 0; | |
334 | } | |
335 | ||
20effc67 TL |
336 | static int parse_acl_header(const DoutPrefixProvider *dpp, rgw::sal::Store* store, |
337 | const RGWEnv *env, const struct s3_acl_header *perm, | |
338 | std::list<ACLGrant>& _grants) | |
7c673cae FG |
339 | { |
340 | std::list<string> grantees; | |
341 | std::string hacl_str; | |
342 | ||
343 | const char *hacl = get_acl_header(env, perm); | |
344 | if (hacl == NULL) | |
345 | return 0; | |
346 | ||
347 | hacl_str = hacl; | |
348 | get_str_list(hacl_str, ",", grantees); | |
349 | ||
350 | for (list<string>::iterator it = grantees.begin(); it != grantees.end(); ++it) { | |
351 | ACLGrant grant; | |
20effc67 | 352 | int ret = parse_grantee_str(dpp, store, *it, perm, grant); |
7c673cae FG |
353 | if (ret < 0) |
354 | return ret; | |
355 | ||
356 | _grants.push_back(grant); | |
357 | } | |
358 | ||
359 | return 0; | |
360 | } | |
361 | ||
362 | int RGWAccessControlList_S3::create_canned(ACLOwner& owner, ACLOwner& bucket_owner, const string& canned_acl) | |
363 | { | |
364 | acl_user_map.clear(); | |
365 | grant_map.clear(); | |
366 | ||
367 | ACLGrant owner_grant; | |
368 | ||
369 | rgw_user bid = bucket_owner.get_id(); | |
370 | string bname = bucket_owner.get_display_name(); | |
371 | ||
372 | /* owner gets full control */ | |
373 | owner_grant.set_canon(owner.get_id(), owner.get_display_name(), RGW_PERM_FULL_CONTROL); | |
374 | add_grant(&owner_grant); | |
375 | ||
376 | if (canned_acl.size() == 0 || canned_acl.compare("private") == 0) { | |
377 | return 0; | |
378 | } | |
379 | ||
380 | ACLGrant bucket_owner_grant; | |
381 | ACLGrant group_grant; | |
382 | if (canned_acl.compare("public-read") == 0) { | |
383 | group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); | |
384 | add_grant(&group_grant); | |
385 | } else if (canned_acl.compare("public-read-write") == 0) { | |
386 | group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); | |
387 | add_grant(&group_grant); | |
388 | group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_WRITE); | |
389 | add_grant(&group_grant); | |
390 | } else if (canned_acl.compare("authenticated-read") == 0) { | |
391 | group_grant.set_group(ACL_GROUP_AUTHENTICATED_USERS, RGW_PERM_READ); | |
392 | add_grant(&group_grant); | |
393 | } else if (canned_acl.compare("bucket-owner-read") == 0) { | |
394 | bucket_owner_grant.set_canon(bid, bname, RGW_PERM_READ); | |
395 | if (bid.compare(owner.get_id()) != 0) | |
396 | add_grant(&bucket_owner_grant); | |
397 | } else if (canned_acl.compare("bucket-owner-full-control") == 0) { | |
398 | bucket_owner_grant.set_canon(bid, bname, RGW_PERM_FULL_CONTROL); | |
399 | if (bid.compare(owner.get_id()) != 0) | |
400 | add_grant(&bucket_owner_grant); | |
401 | } else { | |
402 | return -EINVAL; | |
403 | } | |
404 | ||
405 | return 0; | |
406 | } | |
407 | ||
408 | int RGWAccessControlList_S3::create_from_grants(std::list<ACLGrant>& grants) | |
409 | { | |
410 | if (grants.empty()) | |
411 | return -EINVAL; | |
412 | ||
413 | acl_user_map.clear(); | |
414 | grant_map.clear(); | |
415 | ||
416 | for (std::list<ACLGrant>::iterator it = grants.begin(); it != grants.end(); ++it) { | |
417 | ACLGrant g = *it; | |
418 | add_grant(&g); | |
419 | } | |
420 | ||
421 | return 0; | |
422 | } | |
423 | ||
424 | bool RGWAccessControlPolicy_S3::xml_end(const char *el) { | |
425 | RGWAccessControlList_S3 *s3acl = | |
426 | static_cast<RGWAccessControlList_S3 *>(find_first("AccessControlList")); | |
427 | if (!s3acl) | |
428 | return false; | |
429 | ||
430 | acl = *s3acl; | |
431 | ||
432 | ACLOwner *owner_p = static_cast<ACLOwner_S3 *>(find_first("Owner")); | |
433 | if (!owner_p) | |
434 | return false; | |
435 | owner = *owner_p; | |
436 | return true; | |
437 | } | |
438 | ||
439 | void RGWAccessControlPolicy_S3::to_xml(ostream& out) { | |
440 | out << "<AccessControlPolicy xmlns=\"" << XMLNS_AWS_S3 << "\">"; | |
441 | ACLOwner_S3& _owner = static_cast<ACLOwner_S3 &>(owner); | |
442 | RGWAccessControlList_S3& _acl = static_cast<RGWAccessControlList_S3 &>(acl); | |
443 | _owner.to_xml(out); | |
444 | _acl.to_xml(out); | |
445 | out << "</AccessControlPolicy>"; | |
446 | } | |
447 | ||
448 | static const s3_acl_header acl_header_perms[] = { | |
449 | {RGW_PERM_READ, "HTTP_X_AMZ_GRANT_READ"}, | |
450 | {RGW_PERM_WRITE, "HTTP_X_AMZ_GRANT_WRITE"}, | |
451 | {RGW_PERM_READ_ACP,"HTTP_X_AMZ_GRANT_READ_ACP"}, | |
452 | {RGW_PERM_WRITE_ACP, "HTTP_X_AMZ_GRANT_WRITE_ACP"}, | |
453 | {RGW_PERM_FULL_CONTROL, "HTTP_X_AMZ_GRANT_FULL_CONTROL"}, | |
454 | {0, NULL} | |
455 | }; | |
456 | ||
20effc67 TL |
457 | int RGWAccessControlPolicy_S3::create_from_headers(const DoutPrefixProvider *dpp, |
458 | rgw::sal::Store* store, | |
459 | const RGWEnv *env, ACLOwner& _owner) | |
7c673cae FG |
460 | { |
461 | std::list<ACLGrant> grants; | |
11fdf7f2 | 462 | int r = 0; |
7c673cae FG |
463 | |
464 | for (const struct s3_acl_header *p = acl_header_perms; p->rgw_perm; p++) { | |
20effc67 | 465 | r = parse_acl_header(dpp, store, env, p, grants); |
11fdf7f2 TL |
466 | if (r < 0) { |
467 | return r; | |
468 | } | |
7c673cae FG |
469 | } |
470 | ||
471 | RGWAccessControlList_S3& _acl = static_cast<RGWAccessControlList_S3 &>(acl); | |
11fdf7f2 | 472 | r = _acl.create_from_grants(grants); |
7c673cae FG |
473 | |
474 | owner = _owner; | |
475 | ||
476 | return r; | |
477 | } | |
478 | ||
479 | /* | |
480 | can only be called on object that was parsed | |
481 | */ | |
20effc67 TL |
482 | int RGWAccessControlPolicy_S3::rebuild(const DoutPrefixProvider *dpp, |
483 | rgw::sal::Store* store, ACLOwner *owner, | |
484 | RGWAccessControlPolicy& dest, std::string &err_msg) | |
7c673cae FG |
485 | { |
486 | if (!owner) | |
487 | return -EINVAL; | |
488 | ||
489 | ACLOwner *requested_owner = static_cast<ACLOwner_S3 *>(find_first("Owner")); | |
490 | if (requested_owner) { | |
491 | rgw_user& requested_id = requested_owner->get_id(); | |
492 | if (!requested_id.empty() && requested_id.compare(owner->get_id()) != 0) | |
493 | return -EPERM; | |
494 | } | |
495 | ||
20effc67 TL |
496 | std::unique_ptr<rgw::sal::User> user = store->get_user(owner->get_id()); |
497 | if (user->load_user(dpp, null_yield) < 0) { | |
b3b6e05e | 498 | ldpp_dout(dpp, 10) << "owner info does not exist" << dendl; |
9f95a23c | 499 | err_msg = "Invalid id"; |
7c673cae FG |
500 | return -EINVAL; |
501 | } | |
502 | ACLOwner& dest_owner = dest.get_owner(); | |
503 | dest_owner.set_id(owner->get_id()); | |
20effc67 | 504 | dest_owner.set_name(user->get_display_name()); |
7c673cae | 505 | |
b3b6e05e TL |
506 | ldpp_dout(dpp, 20) << "owner id=" << owner->get_id() << dendl; |
507 | ldpp_dout(dpp, 20) << "dest owner id=" << dest.get_owner().get_id() << dendl; | |
7c673cae FG |
508 | |
509 | RGWAccessControlList& dst_acl = dest.get_acl(); | |
510 | ||
511 | multimap<string, ACLGrant>& grant_map = acl.get_grant_map(); | |
512 | multimap<string, ACLGrant>::iterator iter; | |
513 | for (iter = grant_map.begin(); iter != grant_map.end(); ++iter) { | |
514 | ACLGrant& src_grant = iter->second; | |
515 | ACLGranteeType& type = src_grant.get_type(); | |
516 | ACLGrant new_grant; | |
517 | bool grant_ok = false; | |
518 | rgw_user uid; | |
519 | RGWUserInfo grant_user; | |
520 | switch (type.get_type()) { | |
521 | case ACL_TYPE_EMAIL_USER: | |
522 | { | |
523 | string email; | |
524 | rgw_user u; | |
525 | if (!src_grant.get_id(u)) { | |
b3b6e05e | 526 | ldpp_dout(dpp, 0) << "ERROR: src_grant.get_id() failed" << dendl; |
7c673cae FG |
527 | return -EINVAL; |
528 | } | |
529 | email = u.id; | |
b3b6e05e | 530 | ldpp_dout(dpp, 10) << "grant user email=" << email << dendl; |
20effc67 | 531 | if (store->get_user_by_email(dpp, email, null_yield, &user) < 0) { |
b3b6e05e | 532 | ldpp_dout(dpp, 10) << "grant user email not found or other error" << dendl; |
9f95a23c | 533 | err_msg = "The e-mail address you provided does not match any account on record."; |
7c673cae FG |
534 | return -ERR_UNRESOLVABLE_EMAIL; |
535 | } | |
20effc67 | 536 | grant_user = user->get_info(); |
7c673cae FG |
537 | uid = grant_user.user_id; |
538 | } | |
539 | case ACL_TYPE_CANON_USER: | |
540 | { | |
541 | if (type.get_type() == ACL_TYPE_CANON_USER) { | |
542 | if (!src_grant.get_id(uid)) { | |
b3b6e05e | 543 | ldpp_dout(dpp, 0) << "ERROR: src_grant.get_id() failed" << dendl; |
9f95a23c | 544 | err_msg = "Invalid id"; |
7c673cae FG |
545 | return -EINVAL; |
546 | } | |
547 | } | |
548 | ||
20effc67 TL |
549 | if (grant_user.user_id.empty()) { |
550 | user = store->get_user(uid); | |
551 | if (user->load_user(dpp, null_yield) < 0) { | |
552 | ldpp_dout(dpp, 10) << "grant user does not exist:" << uid << dendl; | |
553 | err_msg = "Invalid id"; | |
554 | return -EINVAL; | |
555 | } else { | |
556 | grant_user = user->get_info(); | |
557 | } | |
7c673cae | 558 | } |
20effc67 TL |
559 | ACLPermission& perm = src_grant.get_permission(); |
560 | new_grant.set_canon(uid, grant_user.display_name, perm.get_permissions()); | |
561 | grant_ok = true; | |
562 | rgw_user new_id; | |
563 | new_grant.get_id(new_id); | |
564 | ldpp_dout(dpp, 10) << "new grant: " << new_id << ":" << grant_user.display_name << dendl; | |
7c673cae FG |
565 | } |
566 | break; | |
567 | case ACL_TYPE_GROUP: | |
568 | { | |
569 | string uri; | |
570 | if (ACLGrant_S3::group_to_uri(src_grant.get_group(), uri)) { | |
571 | new_grant = src_grant; | |
572 | grant_ok = true; | |
b3b6e05e | 573 | ldpp_dout(dpp, 10) << "new grant: " << uri << dendl; |
7c673cae | 574 | } else { |
b3b6e05e | 575 | ldpp_dout(dpp, 10) << "bad grant group:" << (int)src_grant.get_group() << dendl; |
9f95a23c | 576 | err_msg = "Invalid group uri"; |
7c673cae FG |
577 | return -EINVAL; |
578 | } | |
579 | } | |
580 | default: | |
581 | break; | |
582 | } | |
583 | if (grant_ok) { | |
584 | dst_acl.add_grant(&new_grant); | |
585 | } | |
586 | } | |
587 | ||
588 | return 0; | |
589 | } | |
590 | ||
591 | bool RGWAccessControlPolicy_S3::compare_group_name(string& id, ACLGroupTypeEnum group) | |
592 | { | |
593 | switch (group) { | |
594 | case ACL_GROUP_ALL_USERS: | |
595 | return (id.compare(RGW_USER_ANON_ID) == 0); | |
596 | case ACL_GROUP_AUTHENTICATED_USERS: | |
597 | return (id.compare(rgw_uri_auth_users) == 0); | |
598 | default: | |
599 | return id.empty(); | |
600 | } | |
601 | ||
602 | // shouldn't get here | |
603 | return false; | |
604 | } | |
605 | ||
606 | XMLObj *RGWACLXMLParser_S3::alloc_obj(const char *el) | |
607 | { | |
608 | XMLObj * obj = NULL; | |
609 | if (strcmp(el, "AccessControlPolicy") == 0) { | |
610 | obj = new RGWAccessControlPolicy_S3(cct); | |
611 | } else if (strcmp(el, "Owner") == 0) { | |
612 | obj = new ACLOwner_S3(); | |
613 | } else if (strcmp(el, "AccessControlList") == 0) { | |
614 | obj = new RGWAccessControlList_S3(cct); | |
615 | } else if (strcmp(el, "ID") == 0) { | |
616 | obj = new ACLID_S3(); | |
617 | } else if (strcmp(el, "DisplayName") == 0) { | |
618 | obj = new ACLDisplayName_S3(); | |
619 | } else if (strcmp(el, "Grant") == 0) { | |
620 | obj = new ACLGrant_S3(); | |
621 | } else if (strcmp(el, "Grantee") == 0) { | |
622 | obj = new ACLGrantee_S3(); | |
623 | } else if (strcmp(el, "Permission") == 0) { | |
624 | obj = new ACLPermission_S3(); | |
625 | } else if (strcmp(el, "URI") == 0) { | |
626 | obj = new ACLURI_S3(); | |
627 | } else if (strcmp(el, "EmailAddress") == 0) { | |
628 | obj = new ACLEmail_S3(); | |
629 | } | |
630 | ||
631 | return obj; | |
632 | } | |
633 | ||
20effc67 TL |
634 | ACLGroupTypeEnum ACLGrant_S3::uri_to_group(string& uri) |
635 | { | |
636 | if (uri.compare(rgw_uri_all_users) == 0) | |
637 | return ACL_GROUP_ALL_USERS; | |
638 | else if (uri.compare(rgw_uri_auth_users) == 0) | |
639 | return ACL_GROUP_AUTHENTICATED_USERS; | |
640 | ||
641 | return ACL_GROUP_NONE; | |
642 | } | |
643 |