[ceph.git] / ceph / src / rgw / rgw_auth_filters.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#ifndef CEPH_RGW_AUTH_FILTERS_H
#define CEPH_RGW_AUTH_FILTERS_H

#include <type_traits>

#include <boost/logic/tribool.hpp>
#include <boost/optional.hpp>

#include "rgw_common.h"
#include "rgw_auth.h"

namespace rgw {
namespace auth {

/* Abstract decorator over any implementation of rgw::auth::IdentityApplier
 * which could be provided both as a pointer-to-object or the object itself. */
template <typename DecorateeT>
class DecoratedApplier : public rgw::auth::IdentityApplier {
  typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;

  static_assert(std::is_base_of<rgw::auth::IdentityApplier,
                                DerefedDecorateeT>::value,
                "DecorateeT must be a subclass of rgw::auth::IdentityApplier");

  DecorateeT decoratee;

  /* There is an indirection layer over accessing decoratee to share the same
   * code base between dynamic and static decorators. The difference is about
   * what we store internally: pointer to a decorated object versus the whole
   * object itself. Googling for "SFINAE" can help to understand the code. */
  template <typename T = void,
            typename std::enable_if<
    std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  DerefedDecorateeT& get_decoratee() {
    return *decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  DerefedDecorateeT& get_decoratee() {
    return decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  const DerefedDecorateeT& get_decoratee() const {
    return *decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  const DerefedDecorateeT& get_decoratee() const {
    return decoratee;
  }

public:
  DecoratedApplier(DecorateeT&& decoratee)
    : decoratee(std::forward<DecorateeT>(decoratee)) {
  }

  uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
    return get_decoratee().get_perms_from_aclspec(aclspec);
  }

  bool is_admin_of(const rgw_user& uid) const override {
    return get_decoratee().is_admin_of(uid);
  }

  bool is_owner_of(const rgw_user& uid) const override {
    return get_decoratee().is_owner_of(uid);
  }

  uint32_t get_perm_mask() const override {
    return get_decoratee().get_perm_mask();
  }

  bool is_identity(
    const boost::container::flat_set<Principal>& ids) const override {
    return get_decoratee().is_identity(ids);
  }

  void to_str(std::ostream& out) const override {
    get_decoratee().to_str(out);
  }

  void load_acct_info(RGWUserInfo& user_info) const override {  /* out */
    return get_decoratee().load_acct_info(user_info);
  }

  void modify_request_state(req_state * s) const override {     /* in/out */
    return get_decoratee().modify_request_state(s);
  }
};


template <typename T>
class ThirdPartyAccountApplier : public DecoratedApplier<T> {
  /* const */RGWRados* const store;
  const rgw_user acct_user_override;

public:
  /* A value representing situations where there is no requested account
   * override. In other words, acct_user_override will be equal to this
   * constant where the request isn't a cross-tenant one. */
  static const rgw_user UNKNOWN_ACCT;

  template <typename U>
  ThirdPartyAccountApplier(RGWRados* const store,
                           const rgw_user acct_user_override,
                           U&& decoratee)
    : DecoratedApplier<T>(std::move(decoratee)),
      store(store),
      acct_user_override(acct_user_override) {
  }

  void to_str(std::ostream& out) const override;
  void load_acct_info(RGWUserInfo& user_info) const override;   /* out */
};

/* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
 * of the default construction. */
template <typename T>
const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;

template <typename T>
void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
{
  out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
      <<   " -> ";
  DecoratedApplier<T>::to_str(out);
}

template <typename T>
void ThirdPartyAccountApplier<T>::load_acct_info(RGWUserInfo& user_info) const
{
  if (UNKNOWN_ACCT == acct_user_override) {
    /* There is no override specified by the upper layer. This means that we'll
     * load the account owned by the authenticated identity (aka auth_user). */
    DecoratedApplier<T>::load_acct_info(user_info);
  } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
    /* The override has been specified but the account belongs to the authenticated
     * identity. We may safely forward the call to a next stage. */
    DecoratedApplier<T>::load_acct_info(user_info);
  } else {
    /* Compatibility mechanism for multi-tenancy. For more details refer to
     * load_acct_info method of rgw::auth::RemoteApplier. */
    if (acct_user_override.tenant.empty()) {
      const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);

      if (rgw_get_user_info_by_uid(store, tenanted_uid, user_info) >= 0) {
        /* Succeeded. */
        return;
      }
    }

    const int ret = rgw_get_user_info_by_uid(store, acct_user_override, user_info);
    if (ret < 0) {
      /* We aren't trying to recover from ENOENT here. It's supposed that creating
       * someone else's account isn't a thing we want to support in this filter. */
      if (ret == -ENOENT) {
        throw -EACCES;
      } else {
        throw ret;
      }
    }

  }
}

template <typename T> static inline
ThirdPartyAccountApplier<T> add_3rdparty(RGWRados* const store,
                                         const rgw_user acct_user_override,
                                         T&& t) {
  return ThirdPartyAccountApplier<T>(store, acct_user_override,
                                     std::forward<T>(t));
}


template <typename T>
class SysReqApplier : public DecoratedApplier<T> {
  CephContext* const cct;
  /*const*/ RGWRados* const store;
  const RGWHTTPArgs& args;
  mutable boost::tribool is_system;

public:
  template <typename U>
  SysReqApplier(CephContext* const cct,
                /*const*/ RGWRados* const store,
                const req_state* const s,
                U&& decoratee)
    : DecoratedApplier<T>(std::forward<T>(decoratee)),
      cct(cct),
      store(store),
      args(s->info.args),
      is_system(boost::logic::indeterminate) {
  }

  void to_str(std::ostream& out) const override;
  void load_acct_info(RGWUserInfo& user_info) const override;   /* out */
  void modify_request_state(req_state* s) const override;       /* in/out */
};

template <typename T>
void SysReqApplier<T>::to_str(std::ostream& out) const
{
  out << "rgw::auth::SysReqApplier" << " -> ";
  DecoratedApplier<T>::to_str(out);
}

template <typename T>
void SysReqApplier<T>::load_acct_info(RGWUserInfo& user_info) const
{
  DecoratedApplier<T>::load_acct_info(user_info);
  is_system = user_info.system;

  if (is_system) {
    //dout(20) << "system request" << dendl;

    rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
    if (! effective_uid.empty()) {
      /* We aren't writing directly to user_info for consistency and security
       * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
       * calls ::decode instead. */
      RGWUserInfo euser_info;
      if (rgw_get_user_info_by_uid(store, effective_uid, euser_info) < 0) {
        //ldout(s->cct, 0) << "User lookup failed!" << dendl;
        throw -EACCES;
      }
      user_info = euser_info;
    }
  }
}

template <typename T>
void SysReqApplier<T>::modify_request_state(req_state* const s) const
{
  if (boost::logic::indeterminate(is_system)) {
    RGWUserInfo unused_info;
    load_acct_info(unused_info);
  }

  if (is_system) {
    s->info.args.set_system();
    s->system_request = true;
  }
}

template <typename T> static inline
SysReqApplier<T> add_sysreq(CephContext* const cct,
                            /* const */ RGWRados* const store,
                            const req_state* const s,
                            T&& t) {
  return SysReqApplier<T>(cct, store, s, std::forward<T>(t));
}

} /* namespace auth */
} /* namespace rgw */

#endif /* CEPH_RGW_AUTH_FILTERS_H */
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	#ifndef CEPH_RGW_AUTH_FILTERS_H
	5	#define CEPH_RGW_AUTH_FILTERS_H
	6
	7	#include <type_traits>
	8
	9	#include <boost/logic/tribool.hpp>
	10	#include <boost/optional.hpp>
	11
	12	#include "rgw_common.h"
	13	#include "rgw_auth.h"
	14
	15	namespace rgw {
	16	namespace auth {
	17
	18	/* Abstract decorator over any implementation of rgw::auth::IdentityApplier
	19	* which could be provided both as a pointer-to-object or the object itself. */
	20	template <typename DecorateeT>
	21	class DecoratedApplier : public rgw::auth::IdentityApplier {
	22	typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
	23
	24	static_assert(std::is_base_of<rgw::auth::IdentityApplier,
	25	DerefedDecorateeT>::value,
	26	"DecorateeT must be a subclass of rgw::auth::IdentityApplier");
	27
	28	DecorateeT decoratee;
	29
	30	/* There is an indirection layer over accessing decoratee to share the same
	31	* code base between dynamic and static decorators. The difference is about
	32	* what we store internally: pointer to a decorated object versus the whole
	33	* object itself. Googling for "SFINAE" can help to understand the code. */
	34	template <typename T = void,
	35	typename std::enable_if<
	36	std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	37	DerefedDecorateeT& get_decoratee() {
	38	return *decoratee;
	39	}
	40
	41	template <typename T = void,
	42	typename std::enable_if<
	43	! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	44	DerefedDecorateeT& get_decoratee() {
	45	return decoratee;
	46	}
	47
	48	template <typename T = void,
	49	typename std::enable_if<
	50	std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	51	const DerefedDecorateeT& get_decoratee() const {
	52	return *decoratee;
	53	}
	54
	55	template <typename T = void,
	56	typename std::enable_if<
	57	! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	58	const DerefedDecorateeT& get_decoratee() const {
	59	return decoratee;
	60	}
	61
	62	public:
	63	DecoratedApplier(DecorateeT&& decoratee)
	64	: decoratee(std::forward<DecorateeT>(decoratee)) {
65	}
66
67	uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
68	return get_decoratee().get_perms_from_aclspec(aclspec);
69	}
70
71	bool is_admin_of(const rgw_user& uid) const override {
72	return get_decoratee().is_admin_of(uid);
73	}
74
75	bool is_owner_of(const rgw_user& uid) const override {
76	return get_decoratee().is_owner_of(uid);
77	}
78
79	uint32_t get_perm_mask() const override {
80	return get_decoratee().get_perm_mask();
81	}
82
31f18b77 FG	83	bool is_identity(
	84	const boost::container::flat_set<Principal>& ids) const override {
	85	return get_decoratee().is_identity(ids);
	86	}
	87
7c673cae FG	88	void to_str(std::ostream& out) const override {
	89	get_decoratee().to_str(out);
	90	}
	91
	92	void load_acct_info(RGWUserInfo& user_info) const override { /* out */
	93	return get_decoratee().load_acct_info(user_info);
	94	}
	95
	96	void modify_request_state(req_state * s) const override { /* in/out */
	97	return get_decoratee().modify_request_state(s);
	98	}
	99	};
	100
	101
	102	template <typename T>
	103	class ThirdPartyAccountApplier : public DecoratedApplier<T> {
	104	/* const /RGWRados const store;
	105	const rgw_user acct_user_override;
	106
	107	public:
	108	/* A value representing situations where there is no requested account
	109	* override. In other words, acct_user_override will be equal to this
	110	* constant where the request isn't a cross-tenant one. */
	111	static const rgw_user UNKNOWN_ACCT;
	112
	113	template <typename U>
	114	ThirdPartyAccountApplier(RGWRados* const store,
	115	const rgw_user acct_user_override,
	116	U&& decoratee)
	117	: DecoratedApplier<T>(std::move(decoratee)),
	118	store(store),
	119	acct_user_override(acct_user_override) {
	120	}
	121
	122	void to_str(std::ostream& out) const override;
	123	void load_acct_info(RGWUserInfo& user_info) const override; /* out */
	124	};
	125
	126	/* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
	127	* of the default construction. */
	128	template <typename T>
	129	const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
	130
	131	template <typename T>
	132	void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
	133	{
	134	out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
	135	<< " -> ";
	136	DecoratedApplier<T>::to_str(out);
	137	}
	138
	139	template <typename T>
	140	void ThirdPartyAccountApplier<T>::load_acct_info(RGWUserInfo& user_info) const
	141	{
	142	if (UNKNOWN_ACCT == acct_user_override) {
	143	/* There is no override specified by the upper layer. This means that we'll
	144	* load the account owned by the authenticated identity (aka auth_user). */
	145	DecoratedApplier<T>::load_acct_info(user_info);
	146	} else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
	147	/* The override has been specified but the account belongs to the authenticated
	148	* identity. We may safely forward the call to a next stage. */
	149	DecoratedApplier<T>::load_acct_info(user_info);
	150	} else {
	151	/* Compatibility mechanism for multi-tenancy. For more details refer to
152	* load_acct_info method of rgw::auth::RemoteApplier. */
153	if (acct_user_override.tenant.empty()) {
154	const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
155
156	if (rgw_get_user_info_by_uid(store, tenanted_uid, user_info) >= 0) {
157	/* Succeeded. */
158	return;
159	}
160	}
161
162	const int ret = rgw_get_user_info_by_uid(store, acct_user_override, user_info);
163	if (ret < 0) {
164	/* We aren't trying to recover from ENOENT here. It's supposed that creating
165	* someone else's account isn't a thing we want to support in this filter. */
166	if (ret == -ENOENT) {
167	throw -EACCES;
168	} else {
169	throw ret;
170	}
171	}
172
173	}
174	}
175
176	template <typename T> static inline
177	ThirdPartyAccountApplier<T> add_3rdparty(RGWRados* const store,
178	const rgw_user acct_user_override,
179	T&& t) {
180	return ThirdPartyAccountApplier<T>(store, acct_user_override,
181	std::forward<T>(t));
182	}
183
184
185	template <typename T>
186	class SysReqApplier : public DecoratedApplier<T> {
187	CephContext* const cct;
188	/const/ RGWRados* const store;
189	const RGWHTTPArgs& args;
190	mutable boost::tribool is_system;
191
192	public:
193	template <typename U>
194	SysReqApplier(CephContext* const cct,
195	/const/ RGWRados* const store,
196	const req_state* const s,
197	U&& decoratee)
198	: DecoratedApplier<T>(std::forward<T>(decoratee)),
199	cct(cct),
200	store(store),
201	args(s->info.args),
202	is_system(boost::logic::indeterminate) {
203	}
204
205	void to_str(std::ostream& out) const override;
206	void load_acct_info(RGWUserInfo& user_info) const override; /* out */
207	void modify_request_state(req_state* s) const override; /* in/out */
208	};
209
210	template <typename T>
211	void SysReqApplier<T>::to_str(std::ostream& out) const
212	{
213	out << "rgw::auth::SysReqApplier" << " -> ";
214	DecoratedApplier<T>::to_str(out);
215	}
216
217	template <typename T>
218	void SysReqApplier<T>::load_acct_info(RGWUserInfo& user_info) const
219	{
220	DecoratedApplier<T>::load_acct_info(user_info);
221	is_system = user_info.system;
222
223	if (is_system) {
224	//dout(20) << "system request" << dendl;
225
226	rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
227	if (! effective_uid.empty()) {
228	/* We aren't writing directly to user_info for consistency and security
229	* reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
230	* calls ::decode instead. */
231	RGWUserInfo euser_info;
232	if (rgw_get_user_info_by_uid(store, effective_uid, euser_info) < 0) {
233	//ldout(s->cct, 0) << "User lookup failed!" << dendl;
234	throw -EACCES;
235	}
236	user_info = euser_info;
237	}
238	}
239	}
240
241	template <typename T>
242	void SysReqApplier<T>::modify_request_state(req_state* const s) const
243	{
244	if (boost::logic::indeterminate(is_system)) {
245	RGWUserInfo unused_info;
246	load_acct_info(unused_info);
247	}
248
249	if (is_system) {
250	s->info.args.set_system();
251	s->system_request = true;
252	}
253	}
254
255	template <typename T> static inline
256	SysReqApplier<T> add_sysreq(CephContext* const cct,
257	/* const / RGWRados const store,
258	const req_state* const s,
259	T&& t) {
260	return SysReqApplier<T>(cct, store, s, std::forward<T>(t));
261	}
262
263	} /* namespace auth */
264	} /* namespace rgw */
265
266	#endif /* CEPH_RGW_AUTH_FILTERS_H */