[ceph.git] / ceph / src / rgw / rgw_auth_keystone.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab


#ifndef CEPH_RGW_AUTH_KEYSTONE_H
#define CEPH_RGW_AUTH_KEYSTONE_H

#include <utility>
#include <boost/optional.hpp>
#include <boost/utility/string_view.hpp>

#include "rgw_auth.h"
#include "rgw_rest_s3.h"
#include "rgw_common.h"
#include "rgw_keystone.h"

namespace rgw {
namespace auth {
namespace keystone {

/* Dedicated namespace for Keystone-related auth engines. We need it because
 * Keystone offers three different authentication mechanisms (token, EC2 and
 * regular user/pass). RadosGW actually does support the first two. */

class TokenEngine : public rgw::auth::Engine {
  CephContext* const cct;

  using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  using result_t = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  const rgw::auth::TokenExtractor* const extractor;
  const rgw::auth::RemoteApplier::Factory* const apl_factory;
  rgw::keystone::Config& config;
  rgw::keystone::TokenCache& token_cache;

  /* Helper methods. */
  bool is_applicable(const std::string& token) const noexcept;
  token_envelope_t decode_pki_token(const std::string& token) const;

  boost::optional<token_envelope_t>
  get_from_keystone(const std::string& token) const;

  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles
                            ) const noexcept;
  result_t authenticate(const std::string& token,
                        const req_state* s) const;

public:
  TokenEngine(CephContext* const cct,
              const rgw::auth::TokenExtractor* const extractor,
              const rgw::auth::RemoteApplier::Factory* const apl_factory,
              rgw::keystone::Config& config,
              rgw::keystone::TokenCache& token_cache)
    : cct(cct),
      extractor(extractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::TokenEngine";
  }

  result_t authenticate(const req_state* const s) const override {
    return authenticate(extractor->get_token(s), s);
  }
}; /* class TokenEngine */


class EC2Engine : public rgw::auth::s3::AWSEngine {
  using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  using result_t = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  const rgw::auth::RemoteApplier::Factory* const apl_factory;
  rgw::keystone::Config& config;
  rgw::keystone::TokenCache& token_cache;

  /* Helper methods. */
  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles
                            ) const noexcept;
  std::pair<boost::optional<token_envelope_t>, int>
  get_from_keystone(const boost::string_view& access_key_id,
                    const std::string& string_to_sign,
                    const boost::string_view& signature) const;
  result_t authenticate(const boost::string_view& access_key_id,
                        const boost::string_view& signature,
                        const string_to_sign_t& string_to_sign,
                        const signature_factory_t&,
                        const completer_factory_t& completer_factory,
                        const req_state* s) const override;
public:
  EC2Engine(CephContext* const cct,
            const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
            const rgw::auth::RemoteApplier::Factory* const apl_factory,
            rgw::keystone::Config& config,
            /* The token cache is used ONLY for the retrieving admin token.
             * Due to the architecture of AWS Auth S3 credentials cannot be
             * cached at all. */
            rgw::keystone::TokenCache& token_cache)
    : AWSEngine(cct, *ver_abstractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  using AWSEngine::authenticate;

  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::EC2Engine";
  }

}; /* class EC2Engine */

}; /* namespace keystone */
}; /* namespace auth */
}; /* namespace rgw */

#endif /* CEPH_RGW_AUTH_KEYSTONE_H */
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4
	5	#ifndef CEPH_RGW_AUTH_KEYSTONE_H
	6	#define CEPH_RGW_AUTH_KEYSTONE_H
	7
	8	#include <utility>
	9	#include <boost/optional.hpp>
31f18b77	10	#include <boost/utility/string_view.hpp>
7c673cae FG	11
	12	#include "rgw_auth.h"
	13	#include "rgw_rest_s3.h"
	14	#include "rgw_common.h"
	15	#include "rgw_keystone.h"
	16
	17	namespace rgw {
	18	namespace auth {
	19	namespace keystone {
	20
	21	/* Dedicated namespace for Keystone-related auth engines. We need it because
	22	* Keystone offers three different authentication mechanisms (token, EC2 and
	23	* regular user/pass). RadosGW actually does support the first two. */
	24
	25	class TokenEngine : public rgw::auth::Engine {
	26	CephContext* const cct;
	27
	28	using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
	29	using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
	30	using result_t = rgw::auth::Engine::result_t;
	31	using token_envelope_t = rgw::keystone::TokenEnvelope;
	32
	33	const rgw::auth::TokenExtractor* const extractor;
	34	const rgw::auth::RemoteApplier::Factory* const apl_factory;
	35	rgw::keystone::Config& config;
	36	rgw::keystone::TokenCache& token_cache;
	37
	38	/* Helper methods. */
	39	bool is_applicable(const std::string& token) const noexcept;
	40	token_envelope_t decode_pki_token(const std::string& token) const;
	41
	42	boost::optional<token_envelope_t>
	43	get_from_keystone(const std::string& token) const;
	44
	45	acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
	46	auth_info_t get_creds_info(const token_envelope_t& token,
	47	const std::vector<std::string>& admin_roles
	48	) const noexcept;
	49	result_t authenticate(const std::string& token,
	50	const req_state* s) const;
	51
	52	public:
	53	TokenEngine(CephContext* const cct,
	54	const rgw::auth::TokenExtractor* const extractor,
	55	const rgw::auth::RemoteApplier::Factory* const apl_factory,
	56	rgw::keystone::Config& config,
	57	rgw::keystone::TokenCache& token_cache)
	58	: cct(cct),
	59	extractor(extractor),
	60	apl_factory(apl_factory),
	61	config(config),
	62	token_cache(token_cache) {
	63	}
	64
	65	const char* get_name() const noexcept override {
	66	return "rgw::auth::keystone::TokenEngine";
	67	}
	68
	69	result_t authenticate(const req_state* const s) const override {
	70	return authenticate(extractor->get_token(s), s);
	71	}
	72	}; /* class TokenEngine */
	73
	74
31f18b77	75	class EC2Engine : public rgw::auth::s3::AWSEngine {
7c673cae FG	76	using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
	77	using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
	78	using result_t = rgw::auth::Engine::result_t;
	79	using token_envelope_t = rgw::keystone::TokenEnvelope;
	80
	81	const rgw::auth::RemoteApplier::Factory* const apl_factory;
	82	rgw::keystone::Config& config;
	83	rgw::keystone::TokenCache& token_cache;
	84
	85	/* Helper methods. */
	86	acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
	87	auth_info_t get_creds_info(const token_envelope_t& token,
	88	const std::vector<std::string>& admin_roles
	89	) const noexcept;
	90	std::pair<boost::optional<token_envelope_t>, int>
31f18b77	91	get_from_keystone(const boost::string_view& access_key_id,
7c673cae	92	const std::string& string_to_sign,
31f18b77 FG	93	const boost::string_view& signature) const;
	94	result_t authenticate(const boost::string_view& access_key_id,
	95	const boost::string_view& signature,
	96	const string_to_sign_t& string_to_sign,
	97	const signature_factory_t&,
	98	const completer_factory_t& completer_factory,
7c673cae FG	99	const req_state* s) const override;
	100	public:
	101	EC2Engine(CephContext* const cct,
31f18b77	102	const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
7c673cae FG	103	const rgw::auth::RemoteApplier::Factory* const apl_factory,
	104	rgw::keystone::Config& config,
	105	/* The token cache is used ONLY for the retrieving admin token.
	106	* Due to the architecture of AWS Auth S3 credentials cannot be
	107	* cached at all. */
	108	rgw::keystone::TokenCache& token_cache)
31f18b77	109	: AWSEngine(cct, *ver_abstractor),
7c673cae FG	110	apl_factory(apl_factory),
	111	config(config),
	112	token_cache(token_cache) {
	113	}
	114
31f18b77	115	using AWSEngine::authenticate;
7c673cae FG	116
	117	const char* get_name() const noexcept override {
	118	return "rgw::auth::keystone::EC2Engine";
	119	}
	120
	121	}; /* class EC2Engine */
	122
	123	}; /* namespace keystone */
	124	}; /* namespace auth */
	125	}; /* namespace rgw */
	126
	127	#endif /* CEPH_RGW_AUTH_KEYSTONE_H */