[ceph.git] / ceph / src / rgw / rgw_acl_swift.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#include <string.h>

#include <vector>

#include <boost/algorithm/string/predicate.hpp>

#include "common/ceph_json.h"
#include "rgw_common.h"
#include "rgw_user.h"
#include "rgw_acl_swift.h"

#define dout_subsys ceph_subsys_rgw


#define SWIFT_PERM_READ  RGW_PERM_READ_OBJS
#define SWIFT_PERM_WRITE RGW_PERM_WRITE_OBJS
/* FIXME: do we really need separate RW? */
#define SWIFT_PERM_RWRT  (SWIFT_PERM_READ | SWIFT_PERM_WRITE)
#define SWIFT_PERM_ADMIN RGW_PERM_FULL_CONTROL

#define SWIFT_GROUP_ALL_USERS ".r:*"

static int parse_list(const char* uid_list,
                      std::vector<std::string>& uids)           /* out */
{
  char *s = strdup(uid_list);
  if (!s) {
    return -ENOMEM;
  }

  char *tokctx;
  const char *p = strtok_r(s, " ,", &tokctx);
  while (p) {
    if (*p) {
      string acl = p;
      uids.push_back(acl);
    }
    p = strtok_r(NULL, " ,", &tokctx);
  }
  free(s);
  return 0;
}

static bool is_referrer(const std::string& designator)
{
  return designator.compare(".r") == 0 ||
         designator.compare(".ref") == 0 ||
         designator.compare(".referer") == 0 ||
         designator.compare(".referrer") == 0;
}

static bool uid_is_public(const string& uid)
{
  if (uid[0] != '.' || uid[1] != 'r')
    return false;

  int pos = uid.find(':');
  if (pos < 0 || pos == (int)uid.size())
    return false;

  string sub = uid.substr(0, pos);
  string after = uid.substr(pos + 1);

  if (after.compare("*") != 0)
    return false;

  return is_referrer(sub);
}

static boost::optional<ACLGrant> referrer_to_grant(std::string url_spec,
                                                   const uint32_t perm)
{
  /* This function takes url_spec as non-ref std::string because of the trim
   * operation that is essential to preserve compliance with Swift. It can't
   * be easily accomplished with boost::string_ref. */
  try {
    bool is_negative;
    ACLGrant grant;

    if ('-' == url_spec[0]) {
      url_spec = url_spec.substr(1);
      boost::algorithm::trim(url_spec);

      is_negative = true;
    } else {
      is_negative = false;
    }

    if (url_spec != RGW_REFERER_WILDCARD) {
      if ('*' == url_spec[0]) {
        url_spec = url_spec.substr(1);
        boost::algorithm::trim(url_spec);
      }

      if (url_spec.empty() || url_spec == ".") {
        return boost::none;
      }
    } else {
      /* Please be aware we're specially handling the .r:* in _add_grant()
       * of RGWAccessControlList as the S3 API has a similar concept, and
       * thus we can have a small portion of compatibility. */
    }

    grant.set_referer(url_spec, is_negative ? 0 : perm);
    return grant;
  } catch (const std::out_of_range&) {
    return boost::none;
  }
}

static ACLGrant user_to_grant(CephContext* const cct,
                              RGWUserCtl* const user_ctl,
                              const std::string& uid,
                              const uint32_t perm)
{
  rgw_user user(uid);
  RGWUserInfo grant_user;
  ACLGrant grant;

  if (user_ctl->get_info_by_uid(user, &grant_user, null_yield) < 0) {
    ldout(cct, 10) << "grant user does not exist: " << uid << dendl;
    /* skipping silently */
    grant.set_canon(user, std::string(), perm);
  } else {
    grant.set_canon(user, grant_user.display_name, perm);
  }

  return grant;
}

int RGWAccessControlPolicy_SWIFT::add_grants(RGWUserCtl* const user_ctl,
                                             const std::vector<std::string>& uids,
                                             const uint32_t perm)
{
  for (const auto& uid : uids) {
    boost::optional<ACLGrant> grant;
    ldout(cct, 20) << "trying to add grant for ACL uid=" << uid << dendl;

    /* Let's check whether the item has a separator potentially indicating
     * a special meaning (like an HTTP referral-based grant). */
    const size_t pos = uid.find(':');
    if (std::string::npos == pos) {
      /* No, it don't have -- we've got just a regular user identifier. */
      grant = user_to_grant(cct, user_ctl, uid, perm);
    } else {
      /* Yes, *potentially* an HTTP referral. */
      auto designator = uid.substr(0, pos);
      auto designatee = uid.substr(pos + 1);

      /* Swift strips whitespaces at both beginning and end. */
      boost::algorithm::trim(designator);
      boost::algorithm::trim(designatee);

      if (! boost::algorithm::starts_with(designator, ".")) {
        grant = user_to_grant(cct, user_ctl, uid, perm);
      } else if ((perm & SWIFT_PERM_WRITE) == 0 && is_referrer(designator)) {
        /* HTTP referrer-based ACLs aren't acceptable for writes. */
        grant = referrer_to_grant(designatee, perm);
      }
    }

    if (grant) {
      acl.add_grant(&*grant);
    } else {
      return -EINVAL;
    }
  }

  return 0;
}


int RGWAccessControlPolicy_SWIFT::create(RGWUserCtl* const user_ctl,
                                         const rgw_user& id,
                                         const std::string& name,
                                         const char* read_list,
                                         const char* write_list,
                                         uint32_t& rw_mask)
{
  acl.create_default(id, name);
  owner.set_id(id);
  owner.set_name(name);
  rw_mask = 0;

  if (read_list) {
    std::vector<std::string> uids;
    int r = parse_list(read_list, uids);
    if (r < 0) {
      ldout(cct, 0) << "ERROR: parse_list for read returned r="
                    << r << dendl;
      return r;
    }

    r = add_grants(user_ctl, uids, SWIFT_PERM_READ);
    if (r < 0) {
      ldout(cct, 0) << "ERROR: add_grants for read returned r="
                    << r << dendl;
      return r;
    }
    rw_mask |= SWIFT_PERM_READ;
  }
  if (write_list) {
    std::vector<std::string> uids;
    int r = parse_list(write_list, uids);
    if (r < 0) {
      ldout(cct, 0) << "ERROR: parse_list for write returned r="
                    << r << dendl;
      return r;
    }

    r = add_grants(user_ctl, uids, SWIFT_PERM_WRITE);
    if (r < 0) {
      ldout(cct, 0) << "ERROR: add_grants for write returned r="
                    << r << dendl;
      return r;
    }
    rw_mask |= SWIFT_PERM_WRITE;
  }
  return 0;
}

void RGWAccessControlPolicy_SWIFT::filter_merge(uint32_t rw_mask,
                                                RGWAccessControlPolicy_SWIFT *old)
{
  /* rw_mask&SWIFT_PERM_READ => setting read acl,
   * rw_mask&SWIFT_PERM_WRITE => setting write acl
   * when bit is cleared, copy matching elements from old.
   */
  if (rw_mask == (SWIFT_PERM_READ|SWIFT_PERM_WRITE)) {
    return;
  }
  rw_mask ^= (SWIFT_PERM_READ|SWIFT_PERM_WRITE);
  for (auto &iter: old->acl.get_grant_map()) {
    ACLGrant& grant = iter.second;
    uint32_t perm = grant.get_permission().get_permissions();
    rgw_user id;
    string url_spec;
    if (!grant.get_id(id)) {
      if (grant.get_group() != ACL_GROUP_ALL_USERS) {
        url_spec = grant.get_referer();
        if (url_spec.empty()) {
          continue;
        }
        if (perm == 0) {
          /* We need to carry also negative, HTTP referrer-based ACLs. */
          perm = SWIFT_PERM_READ;
        }
      }
    }
    if (perm & rw_mask) {
      acl.add_grant(&grant);
    }
  }
}

void RGWAccessControlPolicy_SWIFT::to_str(string& read, string& write)
{
  multimap<string, ACLGrant>& m = acl.get_grant_map();
  multimap<string, ACLGrant>::iterator iter;

  for (iter = m.begin(); iter != m.end(); ++iter) {
    ACLGrant& grant = iter->second;
    const uint32_t perm = grant.get_permission().get_permissions();
    rgw_user id;
    string url_spec;
    if (!grant.get_id(id)) {
      if (grant.get_group() == ACL_GROUP_ALL_USERS) {
        id = SWIFT_GROUP_ALL_USERS;
      } else {
        url_spec = grant.get_referer();
        if (url_spec.empty()) {
          continue;
        }
        id = (perm != 0) ? ".r:" + url_spec : ".r:-" + url_spec;
      }
    }
    if (perm & SWIFT_PERM_READ) {
      if (!read.empty()) {
        read.append(",");
      }
      read.append(id.to_str());
    } else if (perm & SWIFT_PERM_WRITE) {
      if (!write.empty()) {
        write.append(",");
      }
      write.append(id.to_str());
    } else if (perm == 0 && !url_spec.empty()) {
      /* only X-Container-Read headers support referers */
      if (!read.empty()) {
        read.append(",");
      }
      read.append(id.to_str());
    }
  }
}

void RGWAccessControlPolicy_SWIFTAcct::add_grants(RGWUserCtl * const user_ctl,
                                                  const std::vector<std::string>& uids,
                                                  const uint32_t perm)
{
  for (const auto& uid : uids) {
    ACLGrant grant;
    RGWUserInfo grant_user;

    if (uid_is_public(uid)) {
      grant.set_group(ACL_GROUP_ALL_USERS, perm);
      acl.add_grant(&grant);
    } else  {
      rgw_user user(uid);

      if (user_ctl->get_info_by_uid(user, &grant_user, null_yield) < 0) {
        ldout(cct, 10) << "grant user does not exist:" << uid << dendl;
        /* skipping silently */
        grant.set_canon(user, std::string(), perm);
        acl.add_grant(&grant);
      } else {
        grant.set_canon(user, grant_user.display_name, perm);
        acl.add_grant(&grant);
      }
    }
  }
}

bool RGWAccessControlPolicy_SWIFTAcct::create(RGWUserCtl * const user_ctl,
                                              const rgw_user& id,
                                              const std::string& name,
                                              const std::string& acl_str)
{
  acl.create_default(id, name);
  owner.set_id(id);
  owner.set_name(name);

  JSONParser parser;

  if (!parser.parse(acl_str.c_str(), acl_str.length())) {
    ldout(cct, 0) << "ERROR: JSONParser::parse returned error=" << dendl;
    return false;
  }

  JSONObjIter iter = parser.find_first("admin");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> admin;
    decode_json_obj(admin, *iter);
    ldout(cct, 0) << "admins: " << admin << dendl;

    add_grants(user_ctl, admin, SWIFT_PERM_ADMIN);
  }

  iter = parser.find_first("read-write");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> readwrite;
    decode_json_obj(readwrite, *iter);
    ldout(cct, 0) << "read-write: " << readwrite << dendl;

    add_grants(user_ctl, readwrite, SWIFT_PERM_RWRT);
  }

  iter = parser.find_first("read-only");
  if (!iter.end() && (*iter)->is_array()) {
    std::vector<std::string> readonly;
    decode_json_obj(readonly, *iter);
    ldout(cct, 0) << "read-only: " << readonly << dendl;

    add_grants(user_ctl, readonly, SWIFT_PERM_READ);
  }

  return true;
}

boost::optional<std::string> RGWAccessControlPolicy_SWIFTAcct::to_str() const
{
  std::vector<std::string> admin;
  std::vector<std::string> readwrite;
  std::vector<std::string> readonly;

  /* Parition the grant map into three not-overlapping groups. */
  for (const auto& item : get_acl().get_grant_map()) {
    const ACLGrant& grant = item.second;
    const uint32_t perm = grant.get_permission().get_permissions();

    rgw_user id;
    if (!grant.get_id(id)) {
      if (grant.get_group() != ACL_GROUP_ALL_USERS) {
        continue;
      }
      id = SWIFT_GROUP_ALL_USERS;
    } else if (owner.get_id() == id) {
      continue;
    }

    if (SWIFT_PERM_ADMIN == (perm & SWIFT_PERM_ADMIN)) {
      admin.insert(admin.end(), id.to_str());
    } else if (SWIFT_PERM_RWRT == (perm & SWIFT_PERM_RWRT)) {
      readwrite.insert(readwrite.end(), id.to_str());
    } else if (SWIFT_PERM_READ == (perm & SWIFT_PERM_READ)) {
      readonly.insert(readonly.end(), id.to_str());
    } else {
      // FIXME: print a warning
    }
  }

  /* If there is no grant to serialize, let's exit earlier to not return
   * an empty JSON object which brakes the functional tests of Swift. */
  if (admin.empty() && readwrite.empty() && readonly.empty()) {
    return boost::none;
  }

  /* Serialize the groups. */
  JSONFormatter formatter;

  formatter.open_object_section("acl");
  if (!readonly.empty()) {
    encode_json("read-only", readonly, &formatter);
  }
  if (!readwrite.empty()) {
    encode_json("read-write", readwrite, &formatter);
  }
  if (!admin.empty()) {
    encode_json("admin", admin, &formatter);
  }
  formatter.close_section();

  std::ostringstream oss;
  formatter.flush(oss);

  return oss.str();
}
Commit	Line	Data
7c673cae	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
7c673cae FG	3
	4	#include <string.h>
	5
	6	#include <vector>
	7
	8	#include <boost/algorithm/string/predicate.hpp>
	9
	10	#include "common/ceph_json.h"
	11	#include "rgw_common.h"
	12	#include "rgw_user.h"
	13	#include "rgw_acl_swift.h"
	14
	15	#define dout_subsys ceph_subsys_rgw
	16
7c673cae FG	17
	18	#define SWIFT_PERM_READ RGW_PERM_READ_OBJS
	19	#define SWIFT_PERM_WRITE RGW_PERM_WRITE_OBJS
	20	/* FIXME: do we really need separate RW? */
	21	#define SWIFT_PERM_RWRT (SWIFT_PERM_READ \| SWIFT_PERM_WRITE)
	22	#define SWIFT_PERM_ADMIN RGW_PERM_FULL_CONTROL
	23
	24	#define SWIFT_GROUP_ALL_USERS ".r:*"
	25
28e407b8	26	static int parse_list(const char* uid_list,
7c673cae FG	27	std::vector<std::string>& uids) /* out */
7c673cae FG	28	{
28e407b8	29	char *s = strdup(uid_list);
7c673cae FG	30	if (!s) {
	31	return -ENOMEM;
	32	}
	33
	34	char *tokctx;
	35	const char *p = strtok_r(s, " ,", &tokctx);
	36	while (p) {
	37	if (*p) {
	38	string acl = p;
	39	uids.push_back(acl);
	40	}
	41	p = strtok_r(NULL, " ,", &tokctx);
	42	}
	43	free(s);
	44	return 0;
	45	}
	46
	47	static bool is_referrer(const std::string& designator)
	48	{
	49	return designator.compare(".r") == 0 \|\|
	50	designator.compare(".ref") == 0 \|\|
	51	designator.compare(".referer") == 0 \|\|
	52	designator.compare(".referrer") == 0;
	53	}
	54
	55	static bool uid_is_public(const string& uid)
	56	{
	57	if (uid[0] != '.' \|\| uid[1] != 'r')
	58	return false;
	59
	60	int pos = uid.find(':');
	61	if (pos < 0 \|\| pos == (int)uid.size())
	62	return false;
	63
	64	string sub = uid.substr(0, pos);
	65	string after = uid.substr(pos + 1);
	66
	67	if (after.compare("*") != 0)
	68	return false;
	69
	70	return is_referrer(sub);
	71	}
	72
	73	static boost::optional<ACLGrant> referrer_to_grant(std::string url_spec,
	74	const uint32_t perm)
	75	{
	76	/* This function takes url_spec as non-ref std::string because of the trim
	77	* operation that is essential to preserve compliance with Swift. It can't
	78	* be easily accomplished with boost::string_ref. */
	79	try {
	80	bool is_negative;
	81	ACLGrant grant;
	82
	83	if ('-' == url_spec[0]) {
	84	url_spec = url_spec.substr(1);
	85	boost::algorithm::trim(url_spec);
	86
	87	is_negative = true;
	88	} else {
	89	is_negative = false;
	90	}
	91
31f18b77	92	if (url_spec != RGW_REFERER_WILDCARD) {
7c673cae FG	93	if ('*' == url_spec[0]) {
	94	url_spec = url_spec.substr(1);
	95	boost::algorithm::trim(url_spec);
	96	}
	97
	98	if (url_spec.empty() \|\| url_spec == ".") {
	99	return boost::none;
	100	}
31f18b77 FG	101	} else {
	102	/* Please be aware we're specially handling the .r:* in _add_grant()
	103	* of RGWAccessControlList as the S3 API has a similar concept, and
	104	* thus we can have a small portion of compatibility. */
7c673cae FG	105	}
7c673cae FG	106
31f18b77	107	grant.set_referer(url_spec, is_negative ? 0 : perm);
7c673cae	108	return grant;
11fdf7f2	109	} catch (const std::out_of_range&) {
7c673cae FG	110	return boost::none;
	111	}
	112	}
	113
	114	static ACLGrant user_to_grant(CephContext* const cct,
9f95a23c	115	RGWUserCtl* const user_ctl,
7c673cae FG	116	const std::string& uid,
	117	const uint32_t perm)
	118	{
	119	rgw_user user(uid);
	120	RGWUserInfo grant_user;
	121	ACLGrant grant;
	122
9f95a23c	123	if (user_ctl->get_info_by_uid(user, &grant_user, null_yield) < 0) {
7c673cae FG	124	ldout(cct, 10) << "grant user does not exist: " << uid << dendl;
	125	/* skipping silently */
	126	grant.set_canon(user, std::string(), perm);
	127	} else {
	128	grant.set_canon(user, grant_user.display_name, perm);
	129	}
	130
	131	return grant;
	132	}
	133
9f95a23c	134	int RGWAccessControlPolicy_SWIFT::add_grants(RGWUserCtl* const user_ctl,
7c673cae FG	135	const std::vector<std::string>& uids,
	136	const uint32_t perm)
	137	{
	138	for (const auto& uid : uids) {
	139	boost::optional<ACLGrant> grant;
	140	ldout(cct, 20) << "trying to add grant for ACL uid=" << uid << dendl;
	141
	142	/* Let's check whether the item has a separator potentially indicating
	143	* a special meaning (like an HTTP referral-based grant). */
	144	const size_t pos = uid.find(':');
	145	if (std::string::npos == pos) {
	146	/* No, it don't have -- we've got just a regular user identifier. */
9f95a23c	147	grant = user_to_grant(cct, user_ctl, uid, perm);
7c673cae FG	148	} else {
	149	/* Yes, potentially an HTTP referral. */
	150	auto designator = uid.substr(0, pos);
	151	auto designatee = uid.substr(pos + 1);
	152
	153	/* Swift strips whitespaces at both beginning and end. */
	154	boost::algorithm::trim(designator);
	155	boost::algorithm::trim(designatee);
	156
	157	if (! boost::algorithm::starts_with(designator, ".")) {
9f95a23c	158	grant = user_to_grant(cct, user_ctl, uid, perm);
7c673cae FG	159	} else if ((perm & SWIFT_PERM_WRITE) == 0 && is_referrer(designator)) {
	160	/* HTTP referrer-based ACLs aren't acceptable for writes. */
	161	grant = referrer_to_grant(designatee, perm);
	162	}
	163	}
	164
	165	if (grant) {
	166	acl.add_grant(&*grant);
	167	} else {
	168	return -EINVAL;
	169	}
	170	}
	171
	172	return 0;
	173	}
	174
	175
9f95a23c	176	int RGWAccessControlPolicy_SWIFT::create(RGWUserCtl* const user_ctl,
7c673cae FG	177	const rgw_user& id,
7c673cae FG	178	const std::string& name,
28e407b8 AA	179	const char* read_list,
28e407b8 AA	180	const char* write_list,
7c673cae FG	181	uint32_t& rw_mask)
	182	{
	183	acl.create_default(id, name);
	184	owner.set_id(id);
	185	owner.set_name(name);
	186	rw_mask = 0;
	187
28e407b8	188	if (read_list) {
7c673cae FG	189	std::vector<std::string> uids;
	190	int r = parse_list(read_list, uids);
	191	if (r < 0) {
	192	ldout(cct, 0) << "ERROR: parse_list for read returned r="
	193	<< r << dendl;
	194	return r;
	195	}
	196
9f95a23c	197	r = add_grants(user_ctl, uids, SWIFT_PERM_READ);
7c673cae FG	198	if (r < 0) {
	199	ldout(cct, 0) << "ERROR: add_grants for read returned r="
	200	<< r << dendl;
	201	return r;
	202	}
	203	rw_mask \|= SWIFT_PERM_READ;
	204	}
28e407b8	205	if (write_list) {
7c673cae FG	206	std::vector<std::string> uids;
	207	int r = parse_list(write_list, uids);
	208	if (r < 0) {
	209	ldout(cct, 0) << "ERROR: parse_list for write returned r="
	210	<< r << dendl;
	211	return r;
	212	}
	213
9f95a23c	214	r = add_grants(user_ctl, uids, SWIFT_PERM_WRITE);
7c673cae FG	215	if (r < 0) {
	216	ldout(cct, 0) << "ERROR: add_grants for write returned r="
	217	<< r << dendl;
	218	return r;
	219	}
	220	rw_mask \|= SWIFT_PERM_WRITE;
	221	}
	222	return 0;
	223	}
	224
	225	void RGWAccessControlPolicy_SWIFT::filter_merge(uint32_t rw_mask,
	226	RGWAccessControlPolicy_SWIFT *old)
	227	{
	228	/* rw_mask&SWIFT_PERM_READ => setting read acl,
	229	* rw_mask&SWIFT_PERM_WRITE => setting write acl
	230	* when bit is cleared, copy matching elements from old.
	231	*/
	232	if (rw_mask == (SWIFT_PERM_READ\|SWIFT_PERM_WRITE)) {
	233	return;
	234	}
	235	rw_mask ^= (SWIFT_PERM_READ\|SWIFT_PERM_WRITE);
	236	for (auto &iter: old->acl.get_grant_map()) {
	237	ACLGrant& grant = iter.second;
	238	uint32_t perm = grant.get_permission().get_permissions();
	239	rgw_user id;
	240	string url_spec;
	241	if (!grant.get_id(id)) {
	242	if (grant.get_group() != ACL_GROUP_ALL_USERS) {
	243	url_spec = grant.get_referer();
	244	if (url_spec.empty()) {
	245	continue;
	246	}
	247	if (perm == 0) {
	248	/* We need to carry also negative, HTTP referrer-based ACLs. */
	249	perm = SWIFT_PERM_READ;
	250	}
	251	}
	252	}
	253	if (perm & rw_mask) {
	254	acl.add_grant(&grant);
	255	}
	256	}
	257	}
	258
	259	void RGWAccessControlPolicy_SWIFT::to_str(string& read, string& write)
	260	{
	261	multimap<string, ACLGrant>& m = acl.get_grant_map();
	262	multimap<string, ACLGrant>::iterator iter;
	263
	264	for (iter = m.begin(); iter != m.end(); ++iter) {
	265	ACLGrant& grant = iter->second;
	266	const uint32_t perm = grant.get_permission().get_permissions();
	267	rgw_user id;
	268	string url_spec;
	269	if (!grant.get_id(id)) {
	270	if (grant.get_group() == ACL_GROUP_ALL_USERS) {
	271	id = SWIFT_GROUP_ALL_USERS;
	272	} else {
	273	url_spec = grant.get_referer();
	274	if (url_spec.empty()) {
	275	continue;
	276	}
	277	id = (perm != 0) ? ".r:" + url_spec : ".r:-" + url_spec;
	278	}
279	}
280	if (perm & SWIFT_PERM_READ) {
281	if (!read.empty()) {
282	read.append(",");
283	}
284	read.append(id.to_str());
285	} else if (perm & SWIFT_PERM_WRITE) {
286	if (!write.empty()) {
287	write.append(",");
288	}
289	write.append(id.to_str());
290	} else if (perm == 0 && !url_spec.empty()) {
291	/* only X-Container-Read headers support referers */
292	if (!read.empty()) {
293	read.append(",");
294	}
295	read.append(id.to_str());
296	}
297	}
298	}
299
9f95a23c	300	void RGWAccessControlPolicy_SWIFTAcct::add_grants(RGWUserCtl * const user_ctl,
7c673cae FG	301	const std::vector<std::string>& uids,
	302	const uint32_t perm)
	303	{
	304	for (const auto& uid : uids) {
	305	ACLGrant grant;
	306	RGWUserInfo grant_user;
	307
	308	if (uid_is_public(uid)) {
	309	grant.set_group(ACL_GROUP_ALL_USERS, perm);
	310	acl.add_grant(&grant);
	311	} else {
	312	rgw_user user(uid);
	313
9f95a23c	314	if (user_ctl->get_info_by_uid(user, &grant_user, null_yield) < 0) {
7c673cae FG	315	ldout(cct, 10) << "grant user does not exist:" << uid << dendl;
	316	/* skipping silently */
	317	grant.set_canon(user, std::string(), perm);
	318	acl.add_grant(&grant);
	319	} else {
	320	grant.set_canon(user, grant_user.display_name, perm);
	321	acl.add_grant(&grant);
	322	}
	323	}
	324	}
	325	}
	326
9f95a23c	327	bool RGWAccessControlPolicy_SWIFTAcct::create(RGWUserCtl * const user_ctl,
7c673cae FG	328	const rgw_user& id,
	329	const std::string& name,
	330	const std::string& acl_str)
	331	{
	332	acl.create_default(id, name);
	333	owner.set_id(id);
	334	owner.set_name(name);
	335
	336	JSONParser parser;
	337
	338	if (!parser.parse(acl_str.c_str(), acl_str.length())) {
	339	ldout(cct, 0) << "ERROR: JSONParser::parse returned error=" << dendl;
	340	return false;
	341	}
	342
	343	JSONObjIter iter = parser.find_first("admin");
	344	if (!iter.end() && (*iter)->is_array()) {
	345	std::vector<std::string> admin;
	346	decode_json_obj(admin, *iter);
	347	ldout(cct, 0) << "admins: " << admin << dendl;
	348
9f95a23c	349	add_grants(user_ctl, admin, SWIFT_PERM_ADMIN);
7c673cae FG	350	}
	351
	352	iter = parser.find_first("read-write");
	353	if (!iter.end() && (*iter)->is_array()) {
	354	std::vector<std::string> readwrite;
	355	decode_json_obj(readwrite, *iter);
	356	ldout(cct, 0) << "read-write: " << readwrite << dendl;
	357
9f95a23c	358	add_grants(user_ctl, readwrite, SWIFT_PERM_RWRT);
7c673cae FG	359	}
	360
	361	iter = parser.find_first("read-only");
	362	if (!iter.end() && (*iter)->is_array()) {
	363	std::vector<std::string> readonly;
	364	decode_json_obj(readonly, *iter);
	365	ldout(cct, 0) << "read-only: " << readonly << dendl;
	366
9f95a23c	367	add_grants(user_ctl, readonly, SWIFT_PERM_READ);
7c673cae FG	368	}
	369
	370	return true;
	371	}
	372
224ce89b	373	boost::optional<std::string> RGWAccessControlPolicy_SWIFTAcct::to_str() const
7c673cae FG	374	{
	375	std::vector<std::string> admin;
	376	std::vector<std::string> readwrite;
	377	std::vector<std::string> readonly;
	378
	379	/* Parition the grant map into three not-overlapping groups. */
	380	for (const auto& item : get_acl().get_grant_map()) {
	381	const ACLGrant& grant = item.second;
	382	const uint32_t perm = grant.get_permission().get_permissions();
	383
	384	rgw_user id;
	385	if (!grant.get_id(id)) {
	386	if (grant.get_group() != ACL_GROUP_ALL_USERS) {
	387	continue;
	388	}
	389	id = SWIFT_GROUP_ALL_USERS;
	390	} else if (owner.get_id() == id) {
	391	continue;
	392	}
	393
	394	if (SWIFT_PERM_ADMIN == (perm & SWIFT_PERM_ADMIN)) {
	395	admin.insert(admin.end(), id.to_str());
	396	} else if (SWIFT_PERM_RWRT == (perm & SWIFT_PERM_RWRT)) {
	397	readwrite.insert(readwrite.end(), id.to_str());
	398	} else if (SWIFT_PERM_READ == (perm & SWIFT_PERM_READ)) {
	399	readonly.insert(readonly.end(), id.to_str());
	400	} else {
	401	// FIXME: print a warning
	402	}
	403	}
	404
224ce89b WB	405	/* If there is no grant to serialize, let's exit earlier to not return
	406	* an empty JSON object which brakes the functional tests of Swift. */
	407	if (admin.empty() && readwrite.empty() && readonly.empty()) {
	408	return boost::none;
	409	}
	410
7c673cae FG	411	/* Serialize the groups. */
	412	JSONFormatter formatter;
	413
	414	formatter.open_object_section("acl");
	415	if (!readonly.empty()) {
	416	encode_json("read-only", readonly, &formatter);
	417	}
	418	if (!readwrite.empty()) {
	419	encode_json("read-write", readwrite, &formatter);
	420	}
	421	if (!admin.empty()) {
	422	encode_json("admin", admin, &formatter);
	423	}
	424	formatter.close_section();
	425
	426	std::ostringstream oss;
	427	formatter.flush(oss);
	428
224ce89b	429	return oss.str();
7c673cae	430	}