[ceph.git] / ceph / src / rgw / rgw_acl_swift.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#include <string.h>

#include <vector>

#include <boost/algorithm/string/predicate.hpp>

#include "common/ceph_json.h"
#include "rgw_common.h"
#include "rgw_user.h"
#include "rgw_acl_swift.h"
#include "rgw_sal.h"

#define dout_subsys ceph_subsys_rgw


#define SWIFT_PERM_READ  RGW_PERM_READ_OBJS
#define SWIFT_PERM_WRITE RGW_PERM_WRITE_OBJS
/* FIXME: do we really need separate RW? */
#define SWIFT_PERM_RWRT  (SWIFT_PERM_READ | SWIFT_PERM_WRITE)
#define SWIFT_PERM_ADMIN RGW_PERM_FULL_CONTROL

#define SWIFT_GROUP_ALL_USERS ".r:*"

using namespace std;

static int parse_list(const char* uid_list,
                      std::vector<std::string>& uids)           /* out */
{
  char *s = strdup(uid_list);
  if (!s) {
    return -ENOMEM;
  }

  char *tokctx;
  const char *p = strtok_r(s, " ,", &tokctx);
  while (p) {
    if (*p) {
      string acl = p;
      uids.push_back(acl);
    }
    p = strtok_r(NULL, " ,", &tokctx);
  }
  free(s);
  return 0;
}

static bool is_referrer(const std::string& designator)
{
  return designator.compare(".r") == 0 ||
         designator.compare(".ref") == 0 ||
         designator.compare(".referer") == 0 ||
         designator.compare(".referrer") == 0;
}

static bool uid_is_public(const string& uid)
{
  if (uid[0] != '.' || uid[1] != 'r')
    return false;

  int pos = uid.find(':');
  if (pos < 0 || pos == (int)uid.size())
    return false;

  string sub = uid.substr(0, pos);
  string after = uid.substr(pos + 1);

  if (after.compare("*") != 0)
    return false;

  return is_referrer(sub);
}

static boost::optional<ACLGrant> referrer_to_grant(std::string url_spec,
                                                   const uint32_t perm)
{
  /* This function takes url_spec as non-ref std::string because of the trim
   * operation that is essential to preserve compliance with Swift. It can't
   * be easily accomplished with std::string_view. */
  try {
    bool is_negative;
    ACLGrant grant;

    if ('-' == url_spec[0]) {
      url_spec = url_spec.substr(1);
      boost::algorithm::trim(url_spec);

      is_negative = true;
    } else {
      is_negative = false;
    }

    if (url_spec != RGW_REFERER_WILDCARD) {
      if ('*' == url_spec[0]) {
        url_spec = url_spec.substr(1);
        boost::algorithm::trim(url_spec);
      }

      if (url_spec.empty() || url_spec == ".") {
        return boost::none;
      }
    } else {
      /* Please be aware we're specially handling the .r:* in _add_grant()
       * of RGWAccessControlList as the S3 API has a similar concept, and
       * thus we can have a small portion of compatibility. */
    }

    grant.set_referer(url_spec, is_negative ? 0 : perm);
    return grant;
  } catch (const std::out_of_range&) {
    return boost::none;
  }
}

static ACLGrant user_to_grant(const DoutPrefixProvider *dpp,
			      CephContext* const cct,
                              rgw::sal::Driver* driver,
                              const std::string& uid,
                              const uint32_t perm)
{
  RGWUserInfo grant_user;
  ACLGrant grant;
  std::unique_ptr<rgw::sal::User> user;

  user = driver->get_user(rgw_user(uid));
  if (user->load_user(dpp, null_yield) < 0) {
    ldpp_dout(dpp, 10) << "grant user does not exist: " << uid << dendl;
    /* skipping silently */
    grant.set_canon(user->get_id(), std::string(), perm);
  } else {
    grant.set_canon(user->get_id(), user->get_display_name(), perm);
  }

  return grant;
}

int RGWAccessControlPolicy_SWIFT::add_grants(const DoutPrefixProvider *dpp,
					     rgw::sal::Driver* driver,
                                             const std::vector<std::string>& uids,
                                             const uint32_t perm)
{
  for (const auto& uid : uids) {
    boost::optional<ACLGrant> grant;
    ldpp_dout(dpp, 20) << "trying to add grant for ACL uid=" << uid << dendl;

    /* Let's check whether the item has a separator potentially indicating
     * a special meaning (like an HTTP referral-based grant). */
    const size_t pos = uid.find(':');
    if (std::string::npos == pos) {
      /* No, it don't have -- we've got just a regular user identifier. */
      grant = user_to_grant(dpp, cct, driver, uid, perm);
    } else {
      /* Yes, *potentially* an HTTP referral. */
      auto designator = uid.substr(0, pos);
      auto designatee = uid.substr(pos + 1);

      /* Swift strips whitespaces at both beginning and end. */
      boost::algorithm::trim(designator);
      boost::algorithm::trim(designatee);

      if (! boost::algorithm::starts_with(designator, ".")) {
        grant = user_to_grant(dpp, cct, driver, uid, perm);
      } else if ((perm & SWIFT_PERM_WRITE) == 0 && is_referrer(designator)) {
        /* HTTP referrer-based ACLs aren't acceptable for writes. */
        grant = referrer_to_grant(designatee, perm);
      }
    }

    if (grant) {
      acl.add_grant(&*grant);
    } else {
      return -EINVAL;
    }
  }

  return 0;
}


int RGWAccessControlPolicy_SWIFT::create(const DoutPrefixProvider *dpp,
					 rgw::sal::Driver* driver,
                                         const rgw_user& id,
                                         const std::string& name,
                                         const char* read_list,
                                         const char* write_list,
                                         uint32_t& rw_mask)
{
  acl.create_default(id, name);
  owner.set_id(id);
  owner.set_name(name);
  rw_mask = 0;

  if (read_list) {
    std::vector<std::string> uids;
    int r = parse_list(read_list, uids);
    if (r < 0) {
      ldpp_dout(dpp, 0) << "ERROR: parse_list for read returned r="
                    << r << dendl;
      return r;
    }

    r = add_grants(dpp, driver, uids, SWIFT_PERM_READ);
    if (r < 0) {
      ldpp_dout(dpp, 0) << "ERROR: add_grants for read returned r="
                    << r << dendl;
      return r;
    }
    rw_mask |= SWIFT_PERM_READ;
  }
  if (write_list) {
    std::vector<std::string> uids;
    int r = parse_list(write_list, uids);
    if (r < 0) {
      ldpp_dout(dpp, 0) << "ERROR: parse_list for write returned r="
                    << r << dendl;
      return r;
    }

    r = add_grants(dpp, driver, uids, SWIFT_PERM_WRITE);
    if (r < 0) {
      ldpp_dout(dpp, 0) << "ERROR: add_grants for write returned r="
                    << r << dendl;
      return r;
    }
    rw_mask |= SWIFT_PERM_WRITE;
  }
  return 0;
}

void RGWAccessControlPolicy_SWIFT::filter_merge(uint32_t rw_mask,
                                                RGWAccessControlPolicy_SWIFT *old)
{
  /* rw_mask&SWIFT_PERM_READ => setting read acl,
   * rw_mask&SWIFT_PERM_WRITE => setting write acl
   * when bit is cleared, copy matching elements from old.
   */
  if (rw_mask == (SWIFT_PERM_READ|SWIFT_PERM_WRITE)) {
    return;
  }
  rw_mask ^= (SWIFT_PERM_READ|SWIFT_PERM_WRITE);
  for (auto &iter: old->acl.get_grant_map()) {
    ACLGrant& grant = iter.second;
    uint32_t perm = grant.get_permission().get_permissions();
    rgw_user id;
    string url_spec;
    if (!grant.get_id(id)) {
      if (grant.get_group() != ACL_GROUP_ALL_USERS) {
        url_spec = grant.get_referer();
        if (url_spec.empty()) {
          continue;
        }
        if (perm == 0) {
          /* We need to carry also negative, HTTP referrer-based ACLs. */
          perm = SWIFT_PERM_READ;
        }
      }
    }
    if (perm & rw_mask) {
      acl.add_grant(&grant);
    }
  }
}

void RGWAccessControlPolicy_SWIFT::to_str(string& read, string& write)
{
  multimap<string, ACLGrant>& m = acl.get_grant_map();
  multimap<string, ACLGrant>::iterator iter;

  for (iter = m.begin(); iter != m.end(); ++iter) {
    ACLGrant& grant = iter->second;
    const uint32_t perm = grant.get_permission().get_permissions();
    rgw_user id;
    string url_spec;
    if (!grant.get_id(id)) {
      if (grant.get_group() == ACL_GROUP_ALL_USERS) {
        id = SWIFT_GROUP_ALL_USERS;
      } else {
        url_spec = grant.get_referer();
        if (url_spec.empty()) {
          continue;
        }
        id = (perm != 0) ? ".r:" + url_spec : ".r:-" + url_spec;
      }
    }
    if (perm & SWIFT_PERM_READ) {
      if (!read.empty()) {
        read.append(",");
      }
      read.append(id.to_str());
    } else if (perm & SWIFT_PERM_WRITE) {
      if (!write.empty()) {
        write.append(",");
      }
      write.append(id.to_str());
    } else if (perm == 0 && !url_spec.empty()) {
      /* only X-Container-Read headers support referers */
      if (!read.empty()) {
        read.append(",");
      }
      read.append(id.to_str());
    }
  }
}

void RGWAccessControlPolicy_SWIFTAcct::add_grants(const DoutPrefixProvider *dpp,
						  rgw::sal::Driver* driver,
                                                  const std::vector<std::string>& uids,
                                                  const uint32_t perm)
{
  for (const auto& uid : uids) {
    ACLGrant grant;

    if (uid_is_public(uid)) {
      grant.set_group(ACL_GROUP_ALL_USERS, perm);
      acl.add_grant(&grant);
    } else  {
      std::unique_ptr<rgw::sal::User> user = driver->get_user(rgw_user(uid));

      if (user->load_user(dpp, null_yield) < 0) {
        ldpp_dout(dpp, 10) << "grant user does not exist:" << uid << dendl;
        /* skipping silently */
        grant.set_canon(user->get_id(), std::string(), perm);
        acl.add_grant(&grant);
      } else {
        grant.set_canon(user->get_id(), user->get_display_name(), perm);
        acl.add_grant(&grant);
      }
    }
  }
}

bool RGWAccessControlPolicy_SWIFTAcct::create(const DoutPrefixProvider *dpp,
					      rgw::sal::Driver* driver,
                                              const rgw_user& id,
                                              const std::string& name,
                                              const std::string& acl_str)
{
  acl.create_default(id, name);
  owner.set_id(id);
  owner.set_name(name);

  JSONParser parser;

  if (!parser.parse(acl_str.c_str(), acl_str.length())) {
    ldpp_dout(dpp, 0) << "ERROR: JSONParser::parse returned error=" << dendl;
    return false;
  }

  JSONObjIter iter = parser.find_first("admin");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> admin;
    decode_json_obj(admin, *iter);
    ldpp_dout(dpp, 0) << "admins: " << admin << dendl;

    add_grants(dpp, driver, admin, SWIFT_PERM_ADMIN);
  }

  iter = parser.find_first("read-write");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> readwrite;
    decode_json_obj(readwrite, *iter);
    ldpp_dout(dpp, 0) << "read-write: " << readwrite << dendl;

    add_grants(dpp, driver, readwrite, SWIFT_PERM_RWRT);
  }

  iter = parser.find_first("read-only");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> readonly;
    decode_json_obj(readonly, *iter);
    ldpp_dout(dpp, 0) << "read-only: " << readonly << dendl;

    add_grants(dpp, driver, readonly, SWIFT_PERM_READ);
  }

  return true;
}

boost::optional<std::string> RGWAccessControlPolicy_SWIFTAcct::to_str() const
{
  std::vector<std::string> admin;
  std::vector<std::string> readwrite;
  std::vector<std::string> readonly;

  /* Parition the grant map into three not-overlapping groups. */
  for (const auto& item : get_acl().get_grant_map()) {
    const ACLGrant& grant = item.second;
    const uint32_t perm = grant.get_permission().get_permissions();

    rgw_user id;
    if (!grant.get_id(id)) {
      if (grant.get_group() != ACL_GROUP_ALL_USERS) {
        continue;
      }
      id = SWIFT_GROUP_ALL_USERS;
    } else if (owner.get_id() == id) {
      continue;
    }

    if (SWIFT_PERM_ADMIN == (perm & SWIFT_PERM_ADMIN)) {
      admin.insert(admin.end(), id.to_str());
    } else if (SWIFT_PERM_RWRT == (perm & SWIFT_PERM_RWRT)) {
      readwrite.insert(readwrite.end(), id.to_str());
    } else if (SWIFT_PERM_READ == (perm & SWIFT_PERM_READ)) {
      readonly.insert(readonly.end(), id.to_str());
    } else {
      // FIXME: print a warning
    }
  }

  /* If there is no grant to serialize, let's exit earlier to not return
   * an empty JSON object which brakes the functional tests of Swift. */
  if (admin.empty() && readwrite.empty() && readonly.empty()) {
    return boost::none;
  }

  /* Serialize the groups. */
  JSONFormatter formatter;

  formatter.open_object_section("acl");
  if (!readonly.empty()) {
    encode_json("read-only", readonly, &formatter);
  }
  if (!readwrite.empty()) {
    encode_json("read-write", readwrite, &formatter);
  }
  if (!admin.empty()) {
    encode_json("admin", admin, &formatter);
  }
  formatter.close_section();

  std::ostringstream oss;
  formatter.flush(oss);

  return oss.str();
}
Commit	Line	Data
7c673cae	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
7c673cae FG	3
	4	#include <string.h>
	5
	6	#include <vector>
	7
	8	#include <boost/algorithm/string/predicate.hpp>
	9
	10	#include "common/ceph_json.h"
	11	#include "rgw_common.h"
	12	#include "rgw_user.h"
	13	#include "rgw_acl_swift.h"
20effc67	14	#include "rgw_sal.h"
7c673cae FG	15
	16	#define dout_subsys ceph_subsys_rgw
	17
7c673cae FG	18
	19	#define SWIFT_PERM_READ RGW_PERM_READ_OBJS
	20	#define SWIFT_PERM_WRITE RGW_PERM_WRITE_OBJS
	21	/* FIXME: do we really need separate RW? */
	22	#define SWIFT_PERM_RWRT (SWIFT_PERM_READ \| SWIFT_PERM_WRITE)
	23	#define SWIFT_PERM_ADMIN RGW_PERM_FULL_CONTROL
	24
	25	#define SWIFT_GROUP_ALL_USERS ".r:*"
	26
20effc67 TL	27	using namespace std;
20effc67 TL	28
28e407b8	29	static int parse_list(const char* uid_list,
7c673cae FG	30	std::vector<std::string>& uids) /* out */
7c673cae FG	31	{
28e407b8	32	char *s = strdup(uid_list);
7c673cae FG	33	if (!s) {
	34	return -ENOMEM;
	35	}
	36
	37	char *tokctx;
	38	const char *p = strtok_r(s, " ,", &tokctx);
	39	while (p) {
	40	if (*p) {
	41	string acl = p;
	42	uids.push_back(acl);
	43	}
	44	p = strtok_r(NULL, " ,", &tokctx);
	45	}
	46	free(s);
	47	return 0;
	48	}
	49
	50	static bool is_referrer(const std::string& designator)
	51	{
	52	return designator.compare(".r") == 0 \|\|
	53	designator.compare(".ref") == 0 \|\|
	54	designator.compare(".referer") == 0 \|\|
	55	designator.compare(".referrer") == 0;
	56	}
	57
	58	static bool uid_is_public(const string& uid)
	59	{
	60	if (uid[0] != '.' \|\| uid[1] != 'r')
	61	return false;
	62
	63	int pos = uid.find(':');
	64	if (pos < 0 \|\| pos == (int)uid.size())
	65	return false;
	66
	67	string sub = uid.substr(0, pos);
	68	string after = uid.substr(pos + 1);
	69
	70	if (after.compare("*") != 0)
	71	return false;
	72
	73	return is_referrer(sub);
	74	}
	75
	76	static boost::optional<ACLGrant> referrer_to_grant(std::string url_spec,
	77	const uint32_t perm)
	78	{
	79	/* This function takes url_spec as non-ref std::string because of the trim
	80	* operation that is essential to preserve compliance with Swift. It can't
f67539c2	81	* be easily accomplished with std::string_view. */
7c673cae FG	82	try {
	83	bool is_negative;
	84	ACLGrant grant;
	85
	86	if ('-' == url_spec[0]) {
	87	url_spec = url_spec.substr(1);
	88	boost::algorithm::trim(url_spec);
	89
	90	is_negative = true;
	91	} else {
	92	is_negative = false;
	93	}
	94
31f18b77	95	if (url_spec != RGW_REFERER_WILDCARD) {
7c673cae FG	96	if ('*' == url_spec[0]) {
	97	url_spec = url_spec.substr(1);
	98	boost::algorithm::trim(url_spec);
	99	}
	100
	101	if (url_spec.empty() \|\| url_spec == ".") {
	102	return boost::none;
	103	}
31f18b77 FG	104	} else {
	105	/* Please be aware we're specially handling the .r:* in _add_grant()
	106	* of RGWAccessControlList as the S3 API has a similar concept, and
	107	* thus we can have a small portion of compatibility. */
7c673cae FG	108	}
7c673cae FG	109
31f18b77	110	grant.set_referer(url_spec, is_negative ? 0 : perm);
7c673cae	111	return grant;
11fdf7f2	112	} catch (const std::out_of_range&) {
7c673cae FG	113	return boost::none;
	114	}
	115	}
	116
20effc67 TL	117	static ACLGrant user_to_grant(const DoutPrefixProvider *dpp,
20effc67 TL	118	CephContext* const cct,
1e59de90	119	rgw::sal::Driver* driver,
7c673cae FG	120	const std::string& uid,
	121	const uint32_t perm)
	122	{
7c673cae FG	123	RGWUserInfo grant_user;
7c673cae FG	124	ACLGrant grant;
20effc67	125	std::unique_ptr<rgw::sal::User> user;
7c673cae	126
1e59de90	127	user = driver->get_user(rgw_user(uid));
20effc67 TL	128	if (user->load_user(dpp, null_yield) < 0) {
20effc67 TL	129	ldpp_dout(dpp, 10) << "grant user does not exist: " << uid << dendl;
7c673cae	130	/* skipping silently */
20effc67	131	grant.set_canon(user->get_id(), std::string(), perm);
7c673cae	132	} else {
20effc67	133	grant.set_canon(user->get_id(), user->get_display_name(), perm);
7c673cae FG	134	}
	135
	136	return grant;
	137	}
	138
20effc67	139	int RGWAccessControlPolicy_SWIFT::add_grants(const DoutPrefixProvider *dpp,
1e59de90	140	rgw::sal::Driver* driver,
7c673cae FG	141	const std::vector<std::string>& uids,
	142	const uint32_t perm)
	143	{
	144	for (const auto& uid : uids) {
	145	boost::optional<ACLGrant> grant;
b3b6e05e	146	ldpp_dout(dpp, 20) << "trying to add grant for ACL uid=" << uid << dendl;
7c673cae FG	147
	148	/* Let's check whether the item has a separator potentially indicating
	149	* a special meaning (like an HTTP referral-based grant). */
	150	const size_t pos = uid.find(':');
	151	if (std::string::npos == pos) {
	152	/* No, it don't have -- we've got just a regular user identifier. */
1e59de90	153	grant = user_to_grant(dpp, cct, driver, uid, perm);
7c673cae FG	154	} else {
	155	/* Yes, potentially an HTTP referral. */
	156	auto designator = uid.substr(0, pos);
	157	auto designatee = uid.substr(pos + 1);
	158
	159	/* Swift strips whitespaces at both beginning and end. */
	160	boost::algorithm::trim(designator);
	161	boost::algorithm::trim(designatee);
	162
	163	if (! boost::algorithm::starts_with(designator, ".")) {
1e59de90	164	grant = user_to_grant(dpp, cct, driver, uid, perm);
7c673cae FG	165	} else if ((perm & SWIFT_PERM_WRITE) == 0 && is_referrer(designator)) {
	166	/* HTTP referrer-based ACLs aren't acceptable for writes. */
	167	grant = referrer_to_grant(designatee, perm);
	168	}
	169	}
	170
	171	if (grant) {
	172	acl.add_grant(&*grant);
	173	} else {
	174	return -EINVAL;
	175	}
	176	}
	177
	178	return 0;
	179	}
	180
	181
20effc67	182	int RGWAccessControlPolicy_SWIFT::create(const DoutPrefixProvider *dpp,
1e59de90	183	rgw::sal::Driver* driver,
7c673cae FG	184	const rgw_user& id,
7c673cae FG	185	const std::string& name,
28e407b8 AA	186	const char* read_list,
28e407b8 AA	187	const char* write_list,
7c673cae FG	188	uint32_t& rw_mask)
	189	{
	190	acl.create_default(id, name);
	191	owner.set_id(id);
	192	owner.set_name(name);
	193	rw_mask = 0;
	194
28e407b8	195	if (read_list) {
7c673cae FG	196	std::vector<std::string> uids;
	197	int r = parse_list(read_list, uids);
	198	if (r < 0) {
b3b6e05e	199	ldpp_dout(dpp, 0) << "ERROR: parse_list for read returned r="
7c673cae FG	200	<< r << dendl;
	201	return r;
	202	}
	203
1e59de90	204	r = add_grants(dpp, driver, uids, SWIFT_PERM_READ);
7c673cae	205	if (r < 0) {
20effc67	206	ldpp_dout(dpp, 0) << "ERROR: add_grants for read returned r="
7c673cae FG	207	<< r << dendl;
	208	return r;
	209	}
	210	rw_mask \|= SWIFT_PERM_READ;
	211	}
28e407b8	212	if (write_list) {
7c673cae FG	213	std::vector<std::string> uids;
	214	int r = parse_list(write_list, uids);
	215	if (r < 0) {
b3b6e05e	216	ldpp_dout(dpp, 0) << "ERROR: parse_list for write returned r="
7c673cae FG	217	<< r << dendl;
	218	return r;
	219	}
	220
1e59de90	221	r = add_grants(dpp, driver, uids, SWIFT_PERM_WRITE);
7c673cae	222	if (r < 0) {
20effc67	223	ldpp_dout(dpp, 0) << "ERROR: add_grants for write returned r="
7c673cae FG	224	<< r << dendl;
	225	return r;
	226	}
	227	rw_mask \|= SWIFT_PERM_WRITE;
	228	}
	229	return 0;
	230	}
	231
	232	void RGWAccessControlPolicy_SWIFT::filter_merge(uint32_t rw_mask,
	233	RGWAccessControlPolicy_SWIFT *old)
	234	{
	235	/* rw_mask&SWIFT_PERM_READ => setting read acl,
	236	* rw_mask&SWIFT_PERM_WRITE => setting write acl
	237	* when bit is cleared, copy matching elements from old.
	238	*/
	239	if (rw_mask == (SWIFT_PERM_READ\|SWIFT_PERM_WRITE)) {
	240	return;
	241	}
	242	rw_mask ^= (SWIFT_PERM_READ\|SWIFT_PERM_WRITE);
	243	for (auto &iter: old->acl.get_grant_map()) {
	244	ACLGrant& grant = iter.second;
	245	uint32_t perm = grant.get_permission().get_permissions();
	246	rgw_user id;
	247	string url_spec;
	248	if (!grant.get_id(id)) {
	249	if (grant.get_group() != ACL_GROUP_ALL_USERS) {
	250	url_spec = grant.get_referer();
	251	if (url_spec.empty()) {
	252	continue;
	253	}
	254	if (perm == 0) {
	255	/* We need to carry also negative, HTTP referrer-based ACLs. */
	256	perm = SWIFT_PERM_READ;
	257	}
	258	}
	259	}
	260	if (perm & rw_mask) {
	261	acl.add_grant(&grant);
	262	}
	263	}
	264	}
	265
	266	void RGWAccessControlPolicy_SWIFT::to_str(string& read, string& write)
	267	{
	268	multimap<string, ACLGrant>& m = acl.get_grant_map();
	269	multimap<string, ACLGrant>::iterator iter;
	270
	271	for (iter = m.begin(); iter != m.end(); ++iter) {
	272	ACLGrant& grant = iter->second;
	273	const uint32_t perm = grant.get_permission().get_permissions();
	274	rgw_user id;
	275	string url_spec;
	276	if (!grant.get_id(id)) {
	277	if (grant.get_group() == ACL_GROUP_ALL_USERS) {
	278	id = SWIFT_GROUP_ALL_USERS;
	279	} else {
	280	url_spec = grant.get_referer();
	281	if (url_spec.empty()) {
	282	continue;
	283	}
	284	id = (perm != 0) ? ".r:" + url_spec : ".r:-" + url_spec;
	285	}
	286	}
	287	if (perm & SWIFT_PERM_READ) {
288	if (!read.empty()) {
289	read.append(",");
290	}
291	read.append(id.to_str());
292	} else if (perm & SWIFT_PERM_WRITE) {
293	if (!write.empty()) {
294	write.append(",");
295	}
296	write.append(id.to_str());
297	} else if (perm == 0 && !url_spec.empty()) {
298	/* only X-Container-Read headers support referers */
299	if (!read.empty()) {
300	read.append(",");
301	}
302	read.append(id.to_str());
303	}
304	}
305	}
306
20effc67	307	void RGWAccessControlPolicy_SWIFTAcct::add_grants(const DoutPrefixProvider *dpp,
1e59de90	308	rgw::sal::Driver* driver,
7c673cae FG	309	const std::vector<std::string>& uids,
	310	const uint32_t perm)
	311	{
	312	for (const auto& uid : uids) {
	313	ACLGrant grant;
7c673cae FG	314
	315	if (uid_is_public(uid)) {
	316	grant.set_group(ACL_GROUP_ALL_USERS, perm);
	317	acl.add_grant(&grant);
	318	} else {
1e59de90	319	std::unique_ptr<rgw::sal::User> user = driver->get_user(rgw_user(uid));
7c673cae	320
20effc67 TL	321	if (user->load_user(dpp, null_yield) < 0) {
20effc67 TL	322	ldpp_dout(dpp, 10) << "grant user does not exist:" << uid << dendl;
7c673cae	323	/* skipping silently */
20effc67	324	grant.set_canon(user->get_id(), std::string(), perm);
7c673cae FG	325	acl.add_grant(&grant);
7c673cae FG	326	} else {
20effc67	327	grant.set_canon(user->get_id(), user->get_display_name(), perm);
7c673cae FG	328	acl.add_grant(&grant);
	329	}
	330	}
	331	}
	332	}
	333
20effc67	334	bool RGWAccessControlPolicy_SWIFTAcct::create(const DoutPrefixProvider *dpp,
1e59de90	335	rgw::sal::Driver* driver,
7c673cae FG	336	const rgw_user& id,
	337	const std::string& name,
	338	const std::string& acl_str)
	339	{
	340	acl.create_default(id, name);
	341	owner.set_id(id);
	342	owner.set_name(name);
	343
	344	JSONParser parser;
	345
	346	if (!parser.parse(acl_str.c_str(), acl_str.length())) {
b3b6e05e	347	ldpp_dout(dpp, 0) << "ERROR: JSONParser::parse returned error=" << dendl;
7c673cae FG	348	return false;
	349	}
	350
	351	JSONObjIter iter = parser.find_first("admin");
	352	if (!iter.end() && (*iter)->is_array()) {
	353	std::vector<std::string> admin;
	354	decode_json_obj(admin, *iter);
20effc67	355	ldpp_dout(dpp, 0) << "admins: " << admin << dendl;
7c673cae	356
1e59de90	357	add_grants(dpp, driver, admin, SWIFT_PERM_ADMIN);
7c673cae FG	358	}
	359
	360	iter = parser.find_first("read-write");
	361	if (!iter.end() && (*iter)->is_array()) {
	362	std::vector<std::string> readwrite;
	363	decode_json_obj(readwrite, *iter);
20effc67	364	ldpp_dout(dpp, 0) << "read-write: " << readwrite << dendl;
7c673cae	365
1e59de90	366	add_grants(dpp, driver, readwrite, SWIFT_PERM_RWRT);
7c673cae FG	367	}
	368
	369	iter = parser.find_first("read-only");
	370	if (!iter.end() && (*iter)->is_array()) {
	371	std::vector<std::string> readonly;
	372	decode_json_obj(readonly, *iter);
20effc67	373	ldpp_dout(dpp, 0) << "read-only: " << readonly << dendl;
7c673cae	374
1e59de90	375	add_grants(dpp, driver, readonly, SWIFT_PERM_READ);
7c673cae FG	376	}
	377
	378	return true;
	379	}
	380
224ce89b	381	boost::optional<std::string> RGWAccessControlPolicy_SWIFTAcct::to_str() const
7c673cae FG	382	{
	383	std::vector<std::string> admin;
	384	std::vector<std::string> readwrite;
	385	std::vector<std::string> readonly;
	386
	387	/* Parition the grant map into three not-overlapping groups. */
	388	for (const auto& item : get_acl().get_grant_map()) {
	389	const ACLGrant& grant = item.second;
	390	const uint32_t perm = grant.get_permission().get_permissions();
	391
	392	rgw_user id;
	393	if (!grant.get_id(id)) {
	394	if (grant.get_group() != ACL_GROUP_ALL_USERS) {
	395	continue;
	396	}
	397	id = SWIFT_GROUP_ALL_USERS;
	398	} else if (owner.get_id() == id) {
	399	continue;
	400	}
	401
	402	if (SWIFT_PERM_ADMIN == (perm & SWIFT_PERM_ADMIN)) {
	403	admin.insert(admin.end(), id.to_str());
	404	} else if (SWIFT_PERM_RWRT == (perm & SWIFT_PERM_RWRT)) {
	405	readwrite.insert(readwrite.end(), id.to_str());
	406	} else if (SWIFT_PERM_READ == (perm & SWIFT_PERM_READ)) {
	407	readonly.insert(readonly.end(), id.to_str());
	408	} else {
	409	// FIXME: print a warning
	410	}
	411	}
	412
224ce89b WB	413	/* If there is no grant to serialize, let's exit earlier to not return
	414	* an empty JSON object which brakes the functional tests of Swift. */
	415	if (admin.empty() && readwrite.empty() && readonly.empty()) {
	416	return boost::none;
	417	}
	418
7c673cae FG	419	/* Serialize the groups. */
	420	JSONFormatter formatter;
	421
	422	formatter.open_object_section("acl");
	423	if (!readonly.empty()) {
	424	encode_json("read-only", readonly, &formatter);
	425	}
	426	if (!readwrite.empty()) {
	427	encode_json("read-write", readwrite, &formatter);
	428	}
	429	if (!admin.empty()) {
	430	encode_json("admin", admin, &formatter);
	431	}
	432	formatter.close_section();
	433
	434	std::ostringstream oss;
	435	formatter.flush(oss);
	436
224ce89b	437	return oss.str();
7c673cae	438	}