[ceph.git] / ceph / src / rgw / rgw_auth_filters.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#ifndef CEPH_RGW_AUTH_FILTERS_H
#define CEPH_RGW_AUTH_FILTERS_H

#include <type_traits>

#include <boost/logic/tribool.hpp>
#include <boost/optional.hpp>

#include "rgw_service.h"
#include "rgw_common.h"
#include "rgw_auth.h"
#include "rgw_user.h"

namespace rgw {
namespace auth {

/* Abstract decorator over any implementation of rgw::auth::IdentityApplier
 * which could be provided both as a pointer-to-object or the object itself. */
template <typename DecorateeT>
class DecoratedApplier : public rgw::auth::IdentityApplier {
  typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;

  static_assert(std::is_base_of<rgw::auth::IdentityApplier,
                                DerefedDecorateeT>::value,
                "DecorateeT must be a subclass of rgw::auth::IdentityApplier");

  DecorateeT decoratee;

  /* There is an indirection layer over accessing decoratee to share the same
   * code base between dynamic and static decorators. The difference is about
   * what we store internally: pointer to a decorated object versus the whole
   * object itself. Googling for "SFINAE" can help to understand the code. */
  template <typename T = void,
            typename std::enable_if<
    std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  DerefedDecorateeT& get_decoratee() {
    return *decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  DerefedDecorateeT& get_decoratee() {
    return decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  const DerefedDecorateeT& get_decoratee() const {
    return *decoratee;
  }

  template <typename T = void,
            typename std::enable_if<
    ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  const DerefedDecorateeT& get_decoratee() const {
    return decoratee;
  }

public:
  explicit DecoratedApplier(DecorateeT&& decoratee)
    : decoratee(std::forward<DecorateeT>(decoratee)) {
  }

  uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
    return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
  }

  bool is_admin_of(const rgw_user& uid) const override {
    return get_decoratee().is_admin_of(uid);
  }

  bool is_owner_of(const rgw_user& uid) const override {
    return get_decoratee().is_owner_of(uid);
  }

  bool is_anonymous() const override {
    return get_decoratee().is_anonymous();
  }

  uint32_t get_perm_mask() const override {
    return get_decoratee().get_perm_mask();
  }

  uint32_t get_identity_type() const override {
    return get_decoratee().get_identity_type();
  }

  string get_acct_name() const override {
    return get_decoratee().get_acct_name();
  }

  string get_subuser() const override {
    return get_decoratee().get_subuser();
  }

  bool is_identity(
    const boost::container::flat_set<Principal>& ids) const override {
    return get_decoratee().is_identity(ids);
  }

  void to_str(std::ostream& out) const override {
    get_decoratee().to_str(out);
  }

  string get_role_tenant() const override {     /* in/out */
    return get_decoratee().get_role_tenant();
  }

  void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override {  /* out */
    return get_decoratee().load_acct_info(dpp, user_info);
  }

  void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override {     /* in/out */
    return get_decoratee().modify_request_state(dpp, s);
  }
};


template <typename T>
class ThirdPartyAccountApplier : public DecoratedApplier<T> {
  /* const */RGWCtl* const ctl;
  const rgw_user acct_user_override;

public:
  /* A value representing situations where there is no requested account
   * override. In other words, acct_user_override will be equal to this
   * constant where the request isn't a cross-tenant one. */
  static const rgw_user UNKNOWN_ACCT;

  template <typename U>
  ThirdPartyAccountApplier(RGWCtl* const ctl,
                           const rgw_user &acct_user_override,
                           U&& decoratee)
    : DecoratedApplier<T>(std::move(decoratee)),
      ctl(ctl),
      acct_user_override(acct_user_override) {
  }

  void to_str(std::ostream& out) const override;
  void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override;   /* out */
};

/* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
 * of the default construction. */
template <typename T>
const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;

template <typename T>
void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
{
  out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
      <<   " -> ";
  DecoratedApplier<T>::to_str(out);
}

template <typename T>
void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
{
  if (UNKNOWN_ACCT == acct_user_override) {
    /* There is no override specified by the upper layer. This means that we'll
     * load the account owned by the authenticated identity (aka auth_user). */
    DecoratedApplier<T>::load_acct_info(dpp, user_info);
  } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
    /* The override has been specified but the account belongs to the authenticated
     * identity. We may safely forward the call to a next stage. */
    DecoratedApplier<T>::load_acct_info(dpp, user_info);
  } else if (this->is_anonymous()) {
    /* If the user was authed by the anonymous engine then scope the ANON user
     * to the correct tenant */
    if (acct_user_override.tenant.empty())
      user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
    else
      user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
  } else {
    /* Compatibility mechanism for multi-tenancy. For more details refer to
     * load_acct_info method of rgw::auth::RemoteApplier. */
    if (acct_user_override.tenant.empty()) {
      const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);

      if (ctl->user->get_info_by_uid(dpp, tenanted_uid, &user_info, null_yield) >= 0) {
        /* Succeeded. */
        return;
      }
    }

    const int ret = ctl->user->get_info_by_uid(dpp, acct_user_override, &user_info, null_yield);
    if (ret < 0) {
      /* We aren't trying to recover from ENOENT here. It's supposed that creating
       * someone else's account isn't a thing we want to support in this filter. */
      if (ret == -ENOENT) {
        throw -EACCES;
      } else {
        throw ret;
      }
    }

  }
}

template <typename T> static inline
ThirdPartyAccountApplier<T> add_3rdparty(RGWCtl* const ctl,
                                         const rgw_user &acct_user_override,
                                         T&& t) {
  return ThirdPartyAccountApplier<T>(ctl, acct_user_override,
                                     std::forward<T>(t));
}


template <typename T>
class SysReqApplier : public DecoratedApplier<T> {
  CephContext* const cct;
  /*const*/ RGWCtl* const ctl;
  const RGWHTTPArgs& args;
  mutable boost::tribool is_system;

public:
  template <typename U>
  SysReqApplier(CephContext* const cct,
                /*const*/ RGWCtl* const ctl,
                const req_state* const s,
                U&& decoratee)
    : DecoratedApplier<T>(std::forward<T>(decoratee)),
      cct(cct),
      ctl(ctl),
      args(s->info.args),
      is_system(boost::logic::indeterminate) {
  }

  void to_str(std::ostream& out) const override;
  void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override;   /* out */
  void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;       /* in/out */
};

template <typename T>
void SysReqApplier<T>::to_str(std::ostream& out) const
{
  out << "rgw::auth::SysReqApplier" << " -> ";
  DecoratedApplier<T>::to_str(out);
}

template <typename T>
void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
{
  DecoratedApplier<T>::load_acct_info(dpp, user_info);
  is_system = user_info.system;

  if (is_system) {
    //ldpp_dout(dpp, 20) << "system request" << dendl;

    rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
    if (! effective_uid.empty()) {
      /* We aren't writing directly to user_info for consistency and security
       * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
       * calls ::decode instead. */
      RGWUserInfo euser_info;
      if (ctl->user->get_info_by_uid(dpp, effective_uid, &euser_info, null_yield) < 0) {
        //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
        throw -EACCES;
      }
      user_info = euser_info;
    }
  }
}

template <typename T>
void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
{
  if (boost::logic::indeterminate(is_system)) {
    RGWUserInfo unused_info;
    load_acct_info(dpp, unused_info);
  }

  if (is_system) {
    s->info.args.set_system();
    s->system_request = true;
  }
  DecoratedApplier<T>::modify_request_state(dpp, s);
}

template <typename T> static inline
SysReqApplier<T> add_sysreq(CephContext* const cct,
                            /* const */ RGWCtl* const ctl,
                            const req_state* const s,
                            T&& t) {
  return SysReqApplier<T>(cct, ctl, s, std::forward<T>(t));
}

} /* namespace auth */
} /* namespace rgw */

#endif /* CEPH_RGW_AUTH_FILTERS_H */
Commit	Line	Data
7c673cae	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
7c673cae FG	3
	4	#ifndef CEPH_RGW_AUTH_FILTERS_H
	5	#define CEPH_RGW_AUTH_FILTERS_H
	6
	7	#include <type_traits>
	8
	9	#include <boost/logic/tribool.hpp>
	10	#include <boost/optional.hpp>
	11
f67539c2	12	#include "rgw_service.h"
7c673cae FG	13	#include "rgw_common.h"
7c673cae FG	14	#include "rgw_auth.h"
f67539c2	15	#include "rgw_user.h"
7c673cae FG	16
	17	namespace rgw {
	18	namespace auth {
	19
	20	/* Abstract decorator over any implementation of rgw::auth::IdentityApplier
	21	* which could be provided both as a pointer-to-object or the object itself. */
	22	template <typename DecorateeT>
	23	class DecoratedApplier : public rgw::auth::IdentityApplier {
	24	typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
	25
	26	static_assert(std::is_base_of<rgw::auth::IdentityApplier,
	27	DerefedDecorateeT>::value,
	28	"DecorateeT must be a subclass of rgw::auth::IdentityApplier");
	29
	30	DecorateeT decoratee;
	31
	32	/* There is an indirection layer over accessing decoratee to share the same
	33	* code base between dynamic and static decorators. The difference is about
	34	* what we store internally: pointer to a decorated object versus the whole
	35	* object itself. Googling for "SFINAE" can help to understand the code. */
	36	template <typename T = void,
	37	typename std::enable_if<
	38	std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	39	DerefedDecorateeT& get_decoratee() {
	40	return *decoratee;
	41	}
	42
	43	template <typename T = void,
	44	typename std::enable_if<
	45	! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	46	DerefedDecorateeT& get_decoratee() {
	47	return decoratee;
	48	}
	49
	50	template <typename T = void,
	51	typename std::enable_if<
	52	std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	53	const DerefedDecorateeT& get_decoratee() const {
	54	return *decoratee;
	55	}
	56
	57	template <typename T = void,
	58	typename std::enable_if<
	59	! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
	60	const DerefedDecorateeT& get_decoratee() const {
	61	return decoratee;
	62	}
	63
	64	public:
11fdf7f2	65	explicit DecoratedApplier(DecorateeT&& decoratee)
7c673cae FG	66	: decoratee(std::forward<DecorateeT>(decoratee)) {
	67	}
	68
11fdf7f2 TL	69	uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
11fdf7f2 TL	70	return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
7c673cae FG	71	}
	72
	73	bool is_admin_of(const rgw_user& uid) const override {
	74	return get_decoratee().is_admin_of(uid);
	75	}
	76
	77	bool is_owner_of(const rgw_user& uid) const override {
	78	return get_decoratee().is_owner_of(uid);
	79	}
	80
f91f0fd5 TL	81	bool is_anonymous() const override {
	82	return get_decoratee().is_anonymous();
	83	}
	84
7c673cae FG	85	uint32_t get_perm_mask() const override {
	86	return get_decoratee().get_perm_mask();
	87	}
	88
11fdf7f2 TL	89	uint32_t get_identity_type() const override {
	90	return get_decoratee().get_identity_type();
	91	}
	92
	93	string get_acct_name() const override {
	94	return get_decoratee().get_acct_name();
	95	}
	96
f6b5b4d7 TL	97	string get_subuser() const override {
	98	return get_decoratee().get_subuser();
	99	}
	100
31f18b77 FG	101	bool is_identity(
	102	const boost::container::flat_set<Principal>& ids) const override {
	103	return get_decoratee().is_identity(ids);
	104	}
	105
7c673cae FG	106	void to_str(std::ostream& out) const override {
	107	get_decoratee().to_str(out);
	108	}
	109
f67539c2 TL	110	string get_role_tenant() const override { /* in/out */
	111	return get_decoratee().get_role_tenant();
	112	}
	113
11fdf7f2 TL	114	void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */
11fdf7f2 TL	115	return get_decoratee().load_acct_info(dpp, user_info);
7c673cae FG	116	}
7c673cae FG	117
11fdf7f2 TL	118	void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
11fdf7f2 TL	119	return get_decoratee().modify_request_state(dpp, s);
7c673cae FG	120	}
	121	};
	122
	123
	124	template <typename T>
	125	class ThirdPartyAccountApplier : public DecoratedApplier<T> {
9f95a23c	126	/* const /RGWCtl const ctl;
7c673cae FG	127	const rgw_user acct_user_override;
	128
	129	public:
	130	/* A value representing situations where there is no requested account
	131	* override. In other words, acct_user_override will be equal to this
	132	* constant where the request isn't a cross-tenant one. */
	133	static const rgw_user UNKNOWN_ACCT;
	134
	135	template <typename U>
9f95a23c	136	ThirdPartyAccountApplier(RGWCtl* const ctl,
11fdf7f2	137	const rgw_user &acct_user_override,
7c673cae FG	138	U&& decoratee)
7c673cae FG	139	: DecoratedApplier<T>(std::move(decoratee)),
9f95a23c	140	ctl(ctl),
7c673cae FG	141	acct_user_override(acct_user_override) {
	142	}
	143
	144	void to_str(std::ostream& out) const override;
11fdf7f2	145	void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
7c673cae FG	146	};
	147
	148	/* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
	149	* of the default construction. */
	150	template <typename T>
	151	const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
	152
	153	template <typename T>
	154	void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
	155	{
	156	out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
	157	<< " -> ";
	158	DecoratedApplier<T>::to_str(out);
	159	}
	160
	161	template <typename T>
11fdf7f2	162	void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
7c673cae FG	163	{
	164	if (UNKNOWN_ACCT == acct_user_override) {
	165	/* There is no override specified by the upper layer. This means that we'll
	166	* load the account owned by the authenticated identity (aka auth_user). */
11fdf7f2	167	DecoratedApplier<T>::load_acct_info(dpp, user_info);
7c673cae FG	168	} else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
	169	/* The override has been specified but the account belongs to the authenticated
	170	* identity. We may safely forward the call to a next stage. */
11fdf7f2	171	DecoratedApplier<T>::load_acct_info(dpp, user_info);
f91f0fd5 TL	172	} else if (this->is_anonymous()) {
	173	/* If the user was authed by the anonymous engine then scope the ANON user
	174	* to the correct tenant */
	175	if (acct_user_override.tenant.empty())
	176	user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
	177	else
	178	user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
7c673cae FG	179	} else {
	180	/* Compatibility mechanism for multi-tenancy. For more details refer to
	181	* load_acct_info method of rgw::auth::RemoteApplier. */
	182	if (acct_user_override.tenant.empty()) {
	183	const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
	184
b3b6e05e	185	if (ctl->user->get_info_by_uid(dpp, tenanted_uid, &user_info, null_yield) >= 0) {
7c673cae FG	186	/* Succeeded. */
	187	return;
	188	}
	189	}
	190
b3b6e05e	191	const int ret = ctl->user->get_info_by_uid(dpp, acct_user_override, &user_info, null_yield);
7c673cae FG	192	if (ret < 0) {
	193	/* We aren't trying to recover from ENOENT here. It's supposed that creating
	194	* someone else's account isn't a thing we want to support in this filter. */
	195	if (ret == -ENOENT) {
	196	throw -EACCES;
	197	} else {
	198	throw ret;
	199	}
	200	}
	201
	202	}
	203	}
	204
	205	template <typename T> static inline
9f95a23c	206	ThirdPartyAccountApplier<T> add_3rdparty(RGWCtl* const ctl,
11fdf7f2	207	const rgw_user &acct_user_override,
7c673cae	208	T&& t) {
9f95a23c	209	return ThirdPartyAccountApplier<T>(ctl, acct_user_override,
7c673cae FG	210	std::forward<T>(t));
	211	}
	212
	213
	214	template <typename T>
	215	class SysReqApplier : public DecoratedApplier<T> {
	216	CephContext* const cct;
9f95a23c	217	/const/ RGWCtl* const ctl;
7c673cae FG	218	const RGWHTTPArgs& args;
	219	mutable boost::tribool is_system;
	220
	221	public:
	222	template <typename U>
	223	SysReqApplier(CephContext* const cct,
9f95a23c	224	/const/ RGWCtl* const ctl,
7c673cae FG	225	const req_state* const s,
	226	U&& decoratee)
	227	: DecoratedApplier<T>(std::forward<T>(decoratee)),
	228	cct(cct),
9f95a23c	229	ctl(ctl),
7c673cae FG	230	args(s->info.args),
	231	is_system(boost::logic::indeterminate) {
	232	}
	233
	234	void to_str(std::ostream& out) const override;
11fdf7f2 TL	235	void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
11fdf7f2 TL	236	void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */
7c673cae FG	237	};
	238
	239	template <typename T>
	240	void SysReqApplier<T>::to_str(std::ostream& out) const
	241	{
	242	out << "rgw::auth::SysReqApplier" << " -> ";
	243	DecoratedApplier<T>::to_str(out);
	244	}
	245
	246	template <typename T>
11fdf7f2	247	void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
7c673cae	248	{
11fdf7f2	249	DecoratedApplier<T>::load_acct_info(dpp, user_info);
7c673cae FG	250	is_system = user_info.system;
	251
	252	if (is_system) {
11fdf7f2	253	//ldpp_dout(dpp, 20) << "system request" << dendl;
7c673cae FG	254
	255	rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
	256	if (! effective_uid.empty()) {
	257	/* We aren't writing directly to user_info for consistency and security
	258	* reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
	259	* calls ::decode instead. */
	260	RGWUserInfo euser_info;
b3b6e05e	261	if (ctl->user->get_info_by_uid(dpp, effective_uid, &euser_info, null_yield) < 0) {
11fdf7f2	262	//ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
7c673cae FG	263	throw -EACCES;
	264	}
	265	user_info = euser_info;
	266	}
	267	}
	268	}
	269
	270	template <typename T>
11fdf7f2	271	void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
7c673cae FG	272	{
	273	if (boost::logic::indeterminate(is_system)) {
	274	RGWUserInfo unused_info;
11fdf7f2	275	load_acct_info(dpp, unused_info);
7c673cae FG	276	}
	277
	278	if (is_system) {
	279	s->info.args.set_system();
	280	s->system_request = true;
	281	}
11fdf7f2	282	DecoratedApplier<T>::modify_request_state(dpp, s);
7c673cae FG	283	}
	284
	285	template <typename T> static inline
	286	SysReqApplier<T> add_sysreq(CephContext* const cct,
9f95a23c	287	/* const / RGWCtl const ctl,
7c673cae FG	288	const req_state* const s,
7c673cae FG	289	T&& t) {
9f95a23c	290	return SysReqApplier<T>(cct, ctl, s, std::forward<T>(t));
7c673cae FG	291	}
	292
	293	} /* namespace auth */
	294	} /* namespace rgw */
	295
	296	#endif /* CEPH_RGW_AUTH_FILTERS_H */