]>
Commit | Line | Data |
---|---|---|
31f18b77 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
31f18b77 FG |
3 | |
4 | ||
5 | #include <cstring> | |
11fdf7f2 TL |
6 | #include <iostream> |
7 | #include <regex> | |
31f18b77 FG |
8 | #include <sstream> |
9 | #include <stack> | |
10 | #include <utility> | |
11 | ||
1e59de90 TL |
12 | #include <arpa/inet.h> |
13 | ||
11fdf7f2 TL |
14 | #include <experimental/iterator> |
15 | ||
31f18b77 FG |
16 | #include "rapidjson/reader.h" |
17 | ||
1e59de90 TL |
18 | #include "include/expected.hpp" |
19 | ||
31f18b77 FG |
20 | #include "rgw_auth.h" |
21 | #include "rgw_iam_policy.h" | |
22 | ||
1e59de90 | 23 | |
31f18b77 FG |
24 | namespace { |
25 | constexpr int dout_subsys = ceph_subsys_rgw; | |
26 | } | |
27 | ||
20effc67 | 28 | using std::dec; |
20effc67 | 29 | using std::hex; |
31f18b77 | 30 | using std::int64_t; |
31f18b77 FG |
31 | using std::size_t; |
32 | using std::string; | |
33 | using std::stringstream; | |
34 | using std::ostream; | |
35 | using std::uint16_t; | |
36 | using std::uint64_t; | |
31f18b77 FG |
37 | |
38 | using boost::container::flat_set; | |
11fdf7f2 | 39 | using std::regex; |
11fdf7f2 TL |
40 | using std::regex_match; |
41 | using std::smatch; | |
31f18b77 FG |
42 | |
43 | using rapidjson::BaseReaderHandler; | |
44 | using rapidjson::UTF8; | |
45 | using rapidjson::SizeType; | |
46 | using rapidjson::Reader; | |
47 | using rapidjson::kParseCommentsFlag; | |
48 | using rapidjson::kParseNumbersAsStringsFlag; | |
49 | using rapidjson::StringStream; | |
31f18b77 FG |
50 | |
51 | using rgw::auth::Principal; | |
52 | ||
53 | namespace rgw { | |
54 | namespace IAM { | |
55 | #include "rgw_iam_policy_keywords.frag.cc" | |
56 | ||
57 | struct actpair { | |
58 | const char* name; | |
59 | const uint64_t bit; | |
60 | }; | |
61 | ||
31f18b77 | 62 | |
31f18b77 FG |
63 | |
64 | static const actpair actpairs[] = | |
65 | {{ "s3:AbortMultipartUpload", s3AbortMultipartUpload }, | |
66 | { "s3:CreateBucket", s3CreateBucket }, | |
67 | { "s3:DeleteBucketPolicy", s3DeleteBucketPolicy }, | |
68 | { "s3:DeleteBucket", s3DeleteBucket }, | |
69 | { "s3:DeleteBucketWebsite", s3DeleteBucketWebsite }, | |
70 | { "s3:DeleteObject", s3DeleteObject }, | |
71 | { "s3:DeleteObjectVersion", s3DeleteObjectVersion }, | |
224ce89b WB |
72 | { "s3:DeleteObjectTagging", s3DeleteObjectTagging }, |
73 | { "s3:DeleteObjectVersionTagging", s3DeleteObjectVersionTagging }, | |
9f95a23c TL |
74 | { "s3:DeleteBucketPublicAccessBlock", s3DeleteBucketPublicAccessBlock}, |
75 | { "s3:DeletePublicAccessBlock", s3DeletePublicAccessBlock}, | |
31f18b77 FG |
76 | { "s3:DeleteReplicationConfiguration", s3DeleteReplicationConfiguration }, |
77 | { "s3:GetAccelerateConfiguration", s3GetAccelerateConfiguration }, | |
78 | { "s3:GetBucketAcl", s3GetBucketAcl }, | |
79 | { "s3:GetBucketCORS", s3GetBucketCORS }, | |
20effc67 | 80 | { "s3:GetBucketEncryption", s3GetBucketEncryption }, |
31f18b77 FG |
81 | { "s3:GetBucketLocation", s3GetBucketLocation }, |
82 | { "s3:GetBucketLogging", s3GetBucketLogging }, | |
83 | { "s3:GetBucketNotification", s3GetBucketNotification }, | |
84 | { "s3:GetBucketPolicy", s3GetBucketPolicy }, | |
9f95a23c TL |
85 | { "s3:GetBucketPolicyStatus", s3GetBucketPolicyStatus }, |
86 | { "s3:GetBucketPublicAccessBlock", s3GetBucketPublicAccessBlock }, | |
31f18b77 FG |
87 | { "s3:GetBucketRequestPayment", s3GetBucketRequestPayment }, |
88 | { "s3:GetBucketTagging", s3GetBucketTagging }, | |
89 | { "s3:GetBucketVersioning", s3GetBucketVersioning }, | |
90 | { "s3:GetBucketWebsite", s3GetBucketWebsite }, | |
91 | { "s3:GetLifecycleConfiguration", s3GetLifecycleConfiguration }, | |
eafe8130 | 92 | { "s3:GetBucketObjectLockConfiguration", s3GetBucketObjectLockConfiguration }, |
9f95a23c | 93 | { "s3:GetPublicAccessBlock", s3GetPublicAccessBlock }, |
31f18b77 FG |
94 | { "s3:GetObjectAcl", s3GetObjectAcl }, |
95 | { "s3:GetObject", s3GetObject }, | |
96 | { "s3:GetObjectTorrent", s3GetObjectTorrent }, | |
97 | { "s3:GetObjectVersionAcl", s3GetObjectVersionAcl }, | |
98 | { "s3:GetObjectVersion", s3GetObjectVersion }, | |
99 | { "s3:GetObjectVersionTorrent", s3GetObjectVersionTorrent }, | |
224ce89b WB |
100 | { "s3:GetObjectTagging", s3GetObjectTagging }, |
101 | { "s3:GetObjectVersionTagging", s3GetObjectVersionTagging}, | |
eafe8130 TL |
102 | { "s3:GetObjectRetention", s3GetObjectRetention}, |
103 | { "s3:GetObjectLegalHold", s3GetObjectLegalHold}, | |
31f18b77 FG |
104 | { "s3:GetReplicationConfiguration", s3GetReplicationConfiguration }, |
105 | { "s3:ListAllMyBuckets", s3ListAllMyBuckets }, | |
28e407b8 | 106 | { "s3:ListBucketMultipartUploads", s3ListBucketMultipartUploads }, |
31f18b77 FG |
107 | { "s3:ListBucket", s3ListBucket }, |
108 | { "s3:ListBucketVersions", s3ListBucketVersions }, | |
109 | { "s3:ListMultipartUploadParts", s3ListMultipartUploadParts }, | |
110 | { "s3:PutAccelerateConfiguration", s3PutAccelerateConfiguration }, | |
111 | { "s3:PutBucketAcl", s3PutBucketAcl }, | |
112 | { "s3:PutBucketCORS", s3PutBucketCORS }, | |
20effc67 | 113 | { "s3:PutBucketEncryption", s3PutBucketEncryption }, |
31f18b77 FG |
114 | { "s3:PutBucketLogging", s3PutBucketLogging }, |
115 | { "s3:PutBucketNotification", s3PutBucketNotification }, | |
116 | { "s3:PutBucketPolicy", s3PutBucketPolicy }, | |
117 | { "s3:PutBucketRequestPayment", s3PutBucketRequestPayment }, | |
118 | { "s3:PutBucketTagging", s3PutBucketTagging }, | |
119 | { "s3:PutBucketVersioning", s3PutBucketVersioning }, | |
120 | { "s3:PutBucketWebsite", s3PutBucketWebsite }, | |
121 | { "s3:PutLifecycleConfiguration", s3PutLifecycleConfiguration }, | |
eafe8130 | 122 | { "s3:PutBucketObjectLockConfiguration", s3PutBucketObjectLockConfiguration }, |
31f18b77 FG |
123 | { "s3:PutObjectAcl", s3PutObjectAcl }, |
124 | { "s3:PutObject", s3PutObject }, | |
125 | { "s3:PutObjectVersionAcl", s3PutObjectVersionAcl }, | |
224ce89b WB |
126 | { "s3:PutObjectTagging", s3PutObjectTagging }, |
127 | { "s3:PutObjectVersionTagging", s3PutObjectVersionTagging }, | |
eafe8130 TL |
128 | { "s3:PutObjectRetention", s3PutObjectRetention }, |
129 | { "s3:PutObjectLegalHold", s3PutObjectLegalHold }, | |
130 | { "s3:BypassGovernanceRetention", s3BypassGovernanceRetention }, | |
9f95a23c TL |
131 | { "s3:PutBucketPublicAccessBlock", s3PutBucketPublicAccessBlock }, |
132 | { "s3:PutPublicAccessBlock", s3PutPublicAccessBlock }, | |
31f18b77 | 133 | { "s3:PutReplicationConfiguration", s3PutReplicationConfiguration }, |
11fdf7f2 TL |
134 | { "s3:RestoreObject", s3RestoreObject }, |
135 | { "iam:PutUserPolicy", iamPutUserPolicy }, | |
136 | { "iam:GetUserPolicy", iamGetUserPolicy }, | |
137 | { "iam:DeleteUserPolicy", iamDeleteUserPolicy }, | |
138 | { "iam:ListUserPolicies", iamListUserPolicies }, | |
139 | { "iam:CreateRole", iamCreateRole}, | |
140 | { "iam:DeleteRole", iamDeleteRole}, | |
141 | { "iam:GetRole", iamGetRole}, | |
1e59de90 | 142 | { "iam:ModifyRoleTrustPolicy", iamModifyRoleTrustPolicy}, |
11fdf7f2 TL |
143 | { "iam:ListRoles", iamListRoles}, |
144 | { "iam:PutRolePolicy", iamPutRolePolicy}, | |
145 | { "iam:GetRolePolicy", iamGetRolePolicy}, | |
146 | { "iam:ListRolePolicies", iamListRolePolicies}, | |
147 | { "iam:DeleteRolePolicy", iamDeleteRolePolicy}, | |
f91f0fd5 TL |
148 | { "iam:CreateOIDCProvider", iamCreateOIDCProvider}, |
149 | { "iam:DeleteOIDCProvider", iamDeleteOIDCProvider}, | |
150 | { "iam:GetOIDCProvider", iamGetOIDCProvider}, | |
151 | { "iam:ListOIDCProviders", iamListOIDCProviders}, | |
20effc67 TL |
152 | { "iam:TagRole", iamTagRole}, |
153 | { "iam:ListRoleTags", iamListRoleTags}, | |
154 | { "iam:UntagRole", iamUntagRole}, | |
1e59de90 | 155 | { "iam:UpdateRole", iamUpdateRole}, |
11fdf7f2 TL |
156 | { "sts:AssumeRole", stsAssumeRole}, |
157 | { "sts:AssumeRoleWithWebIdentity", stsAssumeRoleWithWebIdentity}, | |
158 | { "sts:GetSessionToken", stsGetSessionToken}, | |
20effc67 | 159 | { "sts:TagSession", stsTagSession}, |
11fdf7f2 | 160 | }; |
31f18b77 FG |
161 | |
162 | struct PolicyParser; | |
163 | ||
1e59de90 TL |
164 | const Keyword top[1]{{"<Top>", TokenKind::pseudo, TokenID::Top, 0, false, |
165 | false}}; | |
166 | const Keyword cond_key[1]{{"<Condition Key>", TokenKind::cond_key, | |
167 | TokenID::CondKey, 0, true, false}}; | |
31f18b77 FG |
168 | |
169 | struct ParseState { | |
170 | PolicyParser* pp; | |
171 | const Keyword* w; | |
172 | ||
173 | bool arraying = false; | |
174 | bool objecting = false; | |
c07f9fc5 | 175 | bool cond_ifexists = false; |
31f18b77 FG |
176 | |
177 | void reset(); | |
178 | ||
1e59de90 TL |
179 | void annotate(std::string&& a); |
180 | ||
181 | boost::optional<Principal> parse_principal(string&& s, string* errmsg); | |
182 | ||
31f18b77 FG |
183 | ParseState(PolicyParser* pp, const Keyword* w) |
184 | : pp(pp), w(w) {} | |
185 | ||
186 | bool obj_start(); | |
187 | ||
188 | bool obj_end(); | |
189 | ||
190 | bool array_start() { | |
191 | if (w->arrayable && !arraying) { | |
192 | arraying = true; | |
193 | return true; | |
194 | } | |
1e59de90 TL |
195 | annotate(fmt::format("`{}` does not take array.", |
196 | w->name)); | |
31f18b77 FG |
197 | return false; |
198 | } | |
199 | ||
200 | bool array_end(); | |
201 | ||
202 | bool key(const char* s, size_t l); | |
203 | bool do_string(CephContext* cct, const char* s, size_t l); | |
204 | bool number(const char* str, size_t l); | |
205 | }; | |
206 | ||
207 | // If this confuses you, look up the Curiously Recurring Template Pattern | |
208 | struct PolicyParser : public BaseReaderHandler<UTF8<>, PolicyParser> { | |
209 | keyword_hash tokens; | |
210 | std::vector<ParseState> s; | |
211 | CephContext* cct; | |
212 | const string& tenant; | |
213 | Policy& policy; | |
d2e6a577 | 214 | uint32_t v = 0; |
31f18b77 | 215 | |
1e59de90 TL |
216 | const bool reject_invalid_principals; |
217 | ||
31f18b77 FG |
218 | uint32_t seen = 0; |
219 | ||
1e59de90 TL |
220 | std::string annotation{"No error?"}; |
221 | ||
31f18b77 FG |
222 | uint32_t dex(TokenID in) const { |
223 | switch (in) { | |
224 | case TokenID::Version: | |
225 | return 0x1; | |
226 | case TokenID::Id: | |
227 | return 0x2; | |
228 | case TokenID::Statement: | |
229 | return 0x4; | |
230 | case TokenID::Sid: | |
231 | return 0x8; | |
232 | case TokenID::Effect: | |
233 | return 0x10; | |
234 | case TokenID::Principal: | |
235 | return 0x20; | |
236 | case TokenID::NotPrincipal: | |
237 | return 0x40; | |
238 | case TokenID::Action: | |
239 | return 0x80; | |
240 | case TokenID::NotAction: | |
241 | return 0x100; | |
242 | case TokenID::Resource: | |
243 | return 0x200; | |
244 | case TokenID::NotResource: | |
245 | return 0x400; | |
246 | case TokenID::Condition: | |
247 | return 0x800; | |
248 | case TokenID::AWS: | |
249 | return 0x1000; | |
250 | case TokenID::Federated: | |
251 | return 0x2000; | |
252 | case TokenID::Service: | |
253 | return 0x4000; | |
254 | case TokenID::CanonicalUser: | |
255 | return 0x8000; | |
256 | default: | |
257 | ceph_abort(); | |
258 | } | |
259 | } | |
260 | bool test(TokenID in) { | |
261 | return seen & dex(in); | |
262 | } | |
263 | void set(TokenID in) { | |
264 | seen |= dex(in); | |
d2e6a577 FG |
265 | if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) | |
266 | dex(TokenID::Principal) | dex(TokenID::NotPrincipal) | | |
267 | dex(TokenID::Action) | dex(TokenID::NotAction) | | |
268 | dex(TokenID::Resource) | dex(TokenID::NotResource) | | |
269 | dex(TokenID::Condition) | dex(TokenID::AWS) | | |
270 | dex(TokenID::Federated) | dex(TokenID::Service) | | |
271 | dex(TokenID::CanonicalUser))) { | |
272 | v |= dex(in); | |
c07f9fc5 | 273 | } |
31f18b77 FG |
274 | } |
275 | void set(std::initializer_list<TokenID> l) { | |
276 | for (auto in : l) { | |
277 | seen |= dex(in); | |
d2e6a577 FG |
278 | if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) | |
279 | dex(TokenID::Principal) | dex(TokenID::NotPrincipal) | | |
280 | dex(TokenID::Action) | dex(TokenID::NotAction) | | |
281 | dex(TokenID::Resource) | dex(TokenID::NotResource) | | |
282 | dex(TokenID::Condition) | dex(TokenID::AWS) | | |
283 | dex(TokenID::Federated) | dex(TokenID::Service) | | |
284 | dex(TokenID::CanonicalUser))) { | |
285 | v |= dex(in); | |
c07f9fc5 | 286 | } |
31f18b77 FG |
287 | } |
288 | } | |
289 | void reset(TokenID in) { | |
290 | seen &= ~dex(in); | |
d2e6a577 FG |
291 | if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) | |
292 | dex(TokenID::Principal) | dex(TokenID::NotPrincipal) | | |
293 | dex(TokenID::Action) | dex(TokenID::NotAction) | | |
294 | dex(TokenID::Resource) | dex(TokenID::NotResource) | | |
295 | dex(TokenID::Condition) | dex(TokenID::AWS) | | |
296 | dex(TokenID::Federated) | dex(TokenID::Service) | | |
297 | dex(TokenID::CanonicalUser))) { | |
298 | v &= ~dex(in); | |
c07f9fc5 | 299 | } |
31f18b77 FG |
300 | } |
301 | void reset(std::initializer_list<TokenID> l) { | |
302 | for (auto in : l) { | |
303 | seen &= ~dex(in); | |
d2e6a577 FG |
304 | if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) | |
305 | dex(TokenID::Principal) | dex(TokenID::NotPrincipal) | | |
306 | dex(TokenID::Action) | dex(TokenID::NotAction) | | |
307 | dex(TokenID::Resource) | dex(TokenID::NotResource) | | |
308 | dex(TokenID::Condition) | dex(TokenID::AWS) | | |
309 | dex(TokenID::Federated) | dex(TokenID::Service) | | |
310 | dex(TokenID::CanonicalUser))) { | |
311 | v &= ~dex(in); | |
c07f9fc5 FG |
312 | } |
313 | } | |
314 | } | |
d2e6a577 FG |
315 | void reset(uint32_t& v) { |
316 | seen &= ~v; | |
317 | v = 0; | |
31f18b77 FG |
318 | } |
319 | ||
1e59de90 TL |
320 | PolicyParser(CephContext* cct, const string& tenant, Policy& policy, |
321 | bool reject_invalid_principals) | |
322 | : cct(cct), tenant(tenant), policy(policy), | |
323 | reject_invalid_principals(reject_invalid_principals) {} | |
31f18b77 FG |
324 | PolicyParser(const PolicyParser& policy) = delete; |
325 | ||
326 | bool StartObject() { | |
327 | if (s.empty()) { | |
328 | s.push_back({this, top}); | |
329 | s.back().objecting = true; | |
330 | return true; | |
331 | } | |
332 | ||
333 | return s.back().obj_start(); | |
334 | } | |
335 | bool EndObject(SizeType memberCount) { | |
336 | if (s.empty()) { | |
1e59de90 | 337 | annotation = "Attempt to end unopened object at top level."; |
31f18b77 FG |
338 | return false; |
339 | } | |
31f18b77 FG |
340 | return s.back().obj_end(); |
341 | } | |
342 | bool Key(const char* str, SizeType length, bool copy) { | |
343 | if (s.empty()) { | |
1e59de90 | 344 | annotation = "Key not allowed at top level."; |
31f18b77 FG |
345 | return false; |
346 | } | |
31f18b77 FG |
347 | return s.back().key(str, length); |
348 | } | |
349 | ||
350 | bool String(const char* str, SizeType length, bool copy) { | |
351 | if (s.empty()) { | |
1e59de90 | 352 | annotation = "String not allowed at top level."; |
31f18b77 FG |
353 | return false; |
354 | } | |
31f18b77 FG |
355 | return s.back().do_string(cct, str, length); |
356 | } | |
357 | bool RawNumber(const char* str, SizeType length, bool copy) { | |
358 | if (s.empty()) { | |
1e59de90 | 359 | annotation = "Number not allowed at top level."; |
31f18b77 FG |
360 | return false; |
361 | } | |
362 | ||
363 | return s.back().number(str, length); | |
364 | } | |
365 | bool StartArray() { | |
366 | if (s.empty()) { | |
1e59de90 | 367 | annotation = "Array not allowed at top level."; |
31f18b77 FG |
368 | return false; |
369 | } | |
370 | ||
371 | return s.back().array_start(); | |
372 | } | |
373 | bool EndArray(SizeType) { | |
374 | if (s.empty()) { | |
375 | return false; | |
376 | } | |
377 | ||
378 | return s.back().array_end(); | |
379 | } | |
380 | ||
381 | bool Default() { | |
382 | return false; | |
383 | } | |
384 | }; | |
385 | ||
386 | ||
387 | // I really despise this misfeature of C++. | |
388 | // | |
1e59de90 TL |
389 | void ParseState::annotate(std::string&& a) { |
390 | pp->annotation = std::move(a); | |
391 | } | |
392 | ||
31f18b77 FG |
393 | bool ParseState::obj_end() { |
394 | if (objecting) { | |
395 | objecting = false; | |
396 | if (!arraying) { | |
397 | pp->s.pop_back(); | |
398 | } else { | |
399 | reset(); | |
400 | } | |
401 | return true; | |
402 | } | |
1e59de90 TL |
403 | annotate( |
404 | fmt::format("Attempt to end unopened object on keyword `{}`.", | |
405 | w->name)); | |
31f18b77 FG |
406 | return false; |
407 | } | |
408 | ||
409 | bool ParseState::key(const char* s, size_t l) { | |
c07f9fc5 FG |
410 | auto token_len = l; |
411 | bool ifexists = false; | |
412 | if (w->id == TokenID::Condition && w->kind == TokenKind::statement) { | |
413 | static constexpr char IfExists[] = "IfExists"; | |
f67539c2 | 414 | if (boost::algorithm::ends_with(std::string_view{s, l}, IfExists)) { |
c07f9fc5 FG |
415 | ifexists = true; |
416 | token_len -= sizeof(IfExists)-1; | |
417 | } | |
418 | } | |
419 | auto k = pp->tokens.lookup(s, token_len); | |
31f18b77 FG |
420 | |
421 | if (!k) { | |
422 | if (w->kind == TokenKind::cond_op) { | |
d2e6a577 | 423 | auto id = w->id; |
31f18b77 | 424 | auto& t = pp->policy.statements.back(); |
d2e6a577 | 425 | auto c_ife = cond_ifexists; |
31f18b77 | 426 | pp->s.emplace_back(pp, cond_key); |
d2e6a577 | 427 | t.conditions.emplace_back(id, s, l, c_ife); |
31f18b77 FG |
428 | return true; |
429 | } else { | |
1e59de90 | 430 | annotate(fmt::format("Unknown key `{}`.", std::string_view{s, token_len})); |
31f18b77 FG |
431 | return false; |
432 | } | |
433 | } | |
434 | ||
435 | // If the token we're going with belongs within the condition at the | |
436 | // top of the stack and we haven't already encountered it, push it | |
437 | // on the stack | |
31f18b77 FG |
438 | // Top |
439 | if ((((w->id == TokenID::Top) && (k->kind == TokenKind::top)) || | |
440 | // Statement | |
441 | ((w->id == TokenID::Statement) && (k->kind == TokenKind::statement)) || | |
442 | ||
443 | /// Principal | |
444 | ((w->id == TokenID::Principal || w->id == TokenID::NotPrincipal) && | |
445 | (k->kind == TokenKind::princ_type))) && | |
446 | ||
447 | // Check that it hasn't been encountered. Note that this | |
448 | // conjoins with the run of disjunctions above. | |
449 | !pp->test(k->id)) { | |
450 | pp->set(k->id); | |
451 | pp->s.emplace_back(pp, k); | |
452 | return true; | |
453 | } else if ((w->id == TokenID::Condition) && | |
454 | (k->kind == TokenKind::cond_op)) { | |
455 | pp->s.emplace_back(pp, k); | |
c07f9fc5 | 456 | pp->s.back().cond_ifexists = ifexists; |
31f18b77 FG |
457 | return true; |
458 | } | |
1e59de90 TL |
459 | annotate(fmt::format("Token `{}` is not allowed in the context of `{}`.", |
460 | k->name, w->name)); | |
31f18b77 FG |
461 | return false; |
462 | } | |
463 | ||
464 | // I should just rewrite a few helper functions to use iterators, | |
465 | // which will make all of this ever so much nicer. | |
1e59de90 TL |
466 | boost::optional<Principal> ParseState::parse_principal(string&& s, |
467 | string* errmsg) { | |
468 | if ((w->id == TokenID::AWS) && (s == "*")) { | |
469 | // Wildcard! | |
31f18b77 | 470 | return Principal::wildcard(); |
1e59de90 | 471 | } else if (w->id == TokenID::CanonicalUser) { |
31f18b77 | 472 | // Do nothing for now. |
1e59de90 TL |
473 | if (errmsg) |
474 | *errmsg = "RGW does not support canonical users."; | |
475 | return boost::none; | |
476 | } else if (w->id == TokenID::AWS || w->id == TokenID::Federated) { | |
477 | // AWS and Federated ARNs | |
b32b8144 FG |
478 | if (auto a = ARN::parse(s)) { |
479 | if (a->resource == "root") { | |
480 | return Principal::tenant(std::move(a->account)); | |
481 | } | |
482 | ||
483 | static const char rx_str[] = "([^/]*)/(.*)"; | |
484 | static const regex rx(rx_str, sizeof(rx_str) - 1, | |
11fdf7f2 TL |
485 | std::regex_constants::ECMAScript | |
486 | std::regex_constants::optimize); | |
b32b8144 FG |
487 | smatch match; |
488 | if (regex_match(a->resource, match, rx) && match.size() == 3) { | |
489 | if (match[1] == "user") { | |
490 | return Principal::user(std::move(a->account), | |
491 | match[2]); | |
492 | } | |
493 | ||
494 | if (match[1] == "role") { | |
495 | return Principal::role(std::move(a->account), | |
496 | match[2]); | |
497 | } | |
11fdf7f2 TL |
498 | |
499 | if (match[1] == "oidc-provider") { | |
500 | return Principal::oidc_provider(std::move(match[2])); | |
501 | } | |
1e59de90 TL |
502 | if (match[1] == "assumed-role") { |
503 | return Principal::assumed_role(std::move(a->account), match[2]); | |
504 | } | |
b32b8144 | 505 | } |
1e59de90 | 506 | } else if (std::none_of(s.begin(), s.end(), |
31f18b77 FG |
507 | [](const char& c) { |
508 | return (c == ':') || (c == '/'); | |
509 | })) { | |
1e59de90 TL |
510 | // Since tenants are simply prefixes, there's no really good |
511 | // way to see if one exists or not. So we return the thing and | |
512 | // let them try to match against it. | |
513 | return Principal::tenant(std::move(s)); | |
31f18b77 | 514 | } |
1e59de90 TL |
515 | if (errmsg) |
516 | *errmsg = | |
517 | fmt::format( | |
518 | "`{}` is not a supported AWS or Federated ARN. Supported ARNs are " | |
519 | "forms like: " | |
520 | "`arn:aws:iam::tenant:root` or a bare tenant name for a tenant, " | |
521 | "`arn:aws:iam::tenant:role/role-name` for a role, " | |
522 | "`arn:aws:sts::tenant:assumed-role/role-name/role-session-name` " | |
523 | "for an assumed role, " | |
524 | "`arn:aws:iam::tenant:user/user-name` for a user, " | |
525 | "`arn:aws:iam::tenant:oidc-provider/idp-url` for OIDC.", s); | |
31f18b77 FG |
526 | } |
527 | ||
1e59de90 TL |
528 | if (errmsg) |
529 | *errmsg = fmt::format("RGW does not support principals of type `{}`.", | |
530 | w->name); | |
31f18b77 FG |
531 | return boost::none; |
532 | } | |
533 | ||
534 | bool ParseState::do_string(CephContext* cct, const char* s, size_t l) { | |
535 | auto k = pp->tokens.lookup(s, l); | |
536 | Policy& p = pp->policy; | |
11fdf7f2 TL |
537 | bool is_action = false; |
538 | bool is_validaction = false; | |
31f18b77 FG |
539 | Statement* t = p.statements.empty() ? nullptr : &(p.statements.back()); |
540 | ||
541 | // Top level! | |
1e59de90 TL |
542 | if (w->id == TokenID::Version) { |
543 | if (k && k->kind == TokenKind::version_key) { | |
544 | p.version = static_cast<Version>(k->specific); | |
545 | } else { | |
546 | annotate( | |
547 | fmt::format("`{}` is not a valid version. Valid versions are " | |
548 | "`2008-10-17` and `2012-10-17`.", | |
549 | std::string_view{s, l})); | |
550 | ||
551 | return false; | |
552 | } | |
31f18b77 FG |
553 | } else if (w->id == TokenID::Id) { |
554 | p.id = string(s, l); | |
555 | ||
556 | // Statement | |
557 | ||
558 | } else if (w->id == TokenID::Sid) { | |
559 | t->sid.emplace(s, l); | |
1e59de90 TL |
560 | } else if (w->id == TokenID::Effect) { |
561 | if (k && k->kind == TokenKind::effect_key) { | |
562 | t->effect = static_cast<Effect>(k->specific); | |
563 | } else { | |
564 | annotate(fmt::format("`{}` is not a valid effect.", | |
565 | std::string_view{s, l})); | |
566 | return false; | |
567 | } | |
31f18b77 FG |
568 | } else if (w->id == TokenID::Principal && s && *s == '*') { |
569 | t->princ.emplace(Principal::wildcard()); | |
570 | } else if (w->id == TokenID::NotPrincipal && s && *s == '*') { | |
571 | t->noprinc.emplace(Principal::wildcard()); | |
572 | } else if ((w->id == TokenID::Action) || | |
573 | (w->id == TokenID::NotAction)) { | |
11fdf7f2 TL |
574 | is_action = true; |
575 | if (*s == '*') { | |
576 | is_validaction = true; | |
577 | (w->id == TokenID::Action ? | |
578 | t->action = allValue : t->notaction = allValue); | |
579 | } else { | |
580 | for (auto& p : actpairs) { | |
581 | if (match_policy({s, l}, p.name, MATCH_POLICY_ACTION)) { | |
582 | is_validaction = true; | |
583 | (w->id == TokenID::Action ? t->action[p.bit] = 1 : t->notaction[p.bit] = 1); | |
584 | } | |
585 | if ((t->action & s3AllValue) == s3AllValue) { | |
586 | t->action[s3All] = 1; | |
587 | } | |
588 | if ((t->notaction & s3AllValue) == s3AllValue) { | |
589 | t->notaction[s3All] = 1; | |
590 | } | |
591 | if ((t->action & iamAllValue) == iamAllValue) { | |
592 | t->action[iamAll] = 1; | |
593 | } | |
594 | if ((t->notaction & iamAllValue) == iamAllValue) { | |
595 | t->notaction[iamAll] = 1; | |
596 | } | |
597 | if ((t->action & stsAllValue) == stsAllValue) { | |
598 | t->action[stsAll] = 1; | |
599 | } | |
600 | if ((t->notaction & stsAllValue) == stsAllValue) { | |
601 | t->notaction[stsAll] = 1; | |
602 | } | |
31f18b77 FG |
603 | } |
604 | } | |
605 | } else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) { | |
606 | auto a = ARN::parse({s, l}, true); | |
1e59de90 TL |
607 | if (!a) { |
608 | annotate( | |
609 | fmt::format("`{}` is not a valid ARN. Resource ARNs should have a " | |
610 | "format like `arn:aws:s3::tenant:resource' or " | |
611 | "`arn:aws:s3:::resource`.", | |
612 | std::string_view{s, l})); | |
613 | return false; | |
614 | } | |
31f18b77 | 615 | // You can't specify resources for someone ELSE'S account. |
1e59de90 TL |
616 | if (a->account.empty() || a->account == pp->tenant || |
617 | a->account == "*") { | |
31f18b77 FG |
618 | if (a->account.empty() || a->account == "*") |
619 | a->account = pp->tenant; | |
620 | (w->id == TokenID::Resource ? t->resource : t->notresource) | |
621 | .emplace(std::move(*a)); | |
20effc67 | 622 | } else { |
1e59de90 TL |
623 | annotate(fmt::format("Policy owned by tenant `{}` cannot grant access to " |
624 | "resource owned by tenant `{}`.", | |
625 | pp->tenant, a->account)); | |
20effc67 TL |
626 | return false; |
627 | } | |
31f18b77 FG |
628 | } else if (w->kind == TokenKind::cond_key) { |
629 | auto& t = pp->policy.statements.back(); | |
20effc67 TL |
630 | if (l > 0 && *s == '$') { |
631 | if (l >= 2 && *(s+1) == '{') { | |
632 | if (l > 0 && *(s+l-1) == '}') { | |
633 | t.conditions.back().isruntime = true; | |
634 | } else { | |
1e59de90 TL |
635 | annotate(fmt::format("Invalid interpolation `{}`.", |
636 | std::string_view{s, l})); | |
20effc67 TL |
637 | return false; |
638 | } | |
639 | } else { | |
1e59de90 TL |
640 | annotate(fmt::format("Invalid interpolation `{}`.", |
641 | std::string_view{s, l})); | |
20effc67 TL |
642 | return false; |
643 | } | |
644 | } | |
31f18b77 FG |
645 | t.conditions.back().vals.emplace_back(s, l); |
646 | ||
647 | // Principals | |
648 | ||
649 | } else if (w->kind == TokenKind::princ_type) { | |
3efd9988 | 650 | if (pp->s.size() <= 1) { |
1e59de90 | 651 | annotate(fmt::format("Principle isn't allowed at top level.")); |
3efd9988 FG |
652 | return false; |
653 | } | |
31f18b77 FG |
654 | auto& pri = pp->s[pp->s.size() - 2].w->id == TokenID::Principal ? |
655 | t->princ : t->noprinc; | |
656 | ||
1e59de90 TL |
657 | string errmsg; |
658 | if (auto o = parse_principal({s, l}, &errmsg)) { | |
31f18b77 | 659 | pri.emplace(std::move(*o)); |
1e59de90 TL |
660 | } else if (pp->reject_invalid_principals) { |
661 | annotate(std::move(errmsg)); | |
662 | return false; | |
663 | } else { | |
664 | ldout(cct, 0) << "Ignored principle `" << std::string_view{s, l} << "`: " | |
665 | << errmsg << dendl; | |
b32b8144 | 666 | } |
31f18b77 | 667 | } else { |
1e59de90 TL |
668 | // Failure |
669 | annotate(fmt::format("`{}` is not valid in the context of `{}`.", | |
670 | std::string_view{s, l}, w->name)); | |
31f18b77 FG |
671 | return false; |
672 | } | |
673 | ||
674 | if (!arraying) { | |
675 | pp->s.pop_back(); | |
676 | } | |
677 | ||
1e59de90 TL |
678 | if (is_action && !is_validaction) { |
679 | annotate(fmt::format("`{}` is not a valid action.", | |
680 | std::string_view{s, l})); | |
11fdf7f2 TL |
681 | return false; |
682 | } | |
683 | ||
31f18b77 FG |
684 | return true; |
685 | } | |
686 | ||
687 | bool ParseState::number(const char* s, size_t l) { | |
688 | // Top level! | |
689 | if (w->kind == TokenKind::cond_key) { | |
690 | auto& t = pp->policy.statements.back(); | |
691 | t.conditions.back().vals.emplace_back(s, l); | |
31f18b77 | 692 | } else { |
1e59de90 TL |
693 | // Failure |
694 | annotate("Numbers are not allowed outside condition arguments."); | |
31f18b77 FG |
695 | return false; |
696 | } | |
697 | ||
698 | if (!arraying) { | |
699 | pp->s.pop_back(); | |
700 | } | |
701 | ||
702 | return true; | |
703 | } | |
704 | ||
705 | void ParseState::reset() { | |
c07f9fc5 | 706 | pp->reset(pp->v); |
31f18b77 FG |
707 | } |
708 | ||
709 | bool ParseState::obj_start() { | |
710 | if (w->objectable && !objecting) { | |
711 | objecting = true; | |
712 | if (w->id == TokenID::Statement) { | |
11fdf7f2 | 713 | pp->policy.statements.emplace_back(); |
31f18b77 FG |
714 | } |
715 | ||
716 | return true; | |
717 | } | |
718 | ||
1e59de90 TL |
719 | annotate(fmt::format("The {} keyword cannot introduce an object.", |
720 | w->name)); | |
721 | ||
31f18b77 FG |
722 | return false; |
723 | } | |
724 | ||
725 | ||
726 | bool ParseState::array_end() { | |
727 | if (arraying && !objecting) { | |
728 | pp->s.pop_back(); | |
729 | return true; | |
730 | } | |
731 | ||
1e59de90 | 732 | annotate("Attempt to close unopened array."); |
31f18b77 FG |
733 | return false; |
734 | } | |
735 | ||
736 | ostream& operator <<(ostream& m, const MaskedIP& ip) { | |
737 | // I have a theory about why std::bitset is the way it is. | |
738 | if (ip.v6) { | |
b32b8144 FG |
739 | for (int i = 7; i >= 0; --i) { |
740 | uint16_t hextet = 0; | |
741 | for (int j = 15; j >= 0; --j) { | |
742 | hextet |= (ip.addr[(i * 16) + j] << j); | |
31f18b77 | 743 | } |
b32b8144 | 744 | m << hex << (unsigned int) hextet; |
31f18b77 | 745 | if (i != 0) { |
b32b8144 | 746 | m << ":"; |
31f18b77 FG |
747 | } |
748 | } | |
749 | } else { | |
750 | // It involves Satan. | |
751 | for (int i = 3; i >= 0; --i) { | |
752 | uint8_t b = 0; | |
753 | for (int j = 7; j >= 0; --j) { | |
754 | b |= (ip.addr[(i * 8) + j] << j); | |
755 | } | |
b32b8144 | 756 | m << (unsigned int) b; |
31f18b77 FG |
757 | if (i != 0) { |
758 | m << "."; | |
759 | } | |
760 | } | |
761 | } | |
b32b8144 | 762 | m << "/" << dec << ip.prefix; |
31f18b77 FG |
763 | // It would explain a lot |
764 | return m; | |
765 | } | |
766 | ||
31f18b77 | 767 | bool Condition::eval(const Environment& env) const { |
20effc67 | 768 | std::vector<std::string> runtime_vals; |
31f18b77 FG |
769 | auto i = env.find(key); |
770 | if (op == TokenID::Null) { | |
771 | return i == env.end() ? true : false; | |
772 | } | |
773 | ||
774 | if (i == env.end()) { | |
20effc67 TL |
775 | if (op == TokenID::ForAllValuesStringEquals || |
776 | op == TokenID::ForAllValuesStringEqualsIgnoreCase || | |
777 | op == TokenID::ForAllValuesStringLike) { | |
778 | return true; | |
779 | } else { | |
780 | return ifexists; | |
781 | } | |
782 | } | |
783 | ||
784 | if (isruntime) { | |
785 | string k = vals.back(); | |
786 | k.erase(0,2); //erase $, { | |
787 | k.erase(k.length() - 1, 1); //erase } | |
788 | const auto& it = env.equal_range(k); | |
789 | for (auto itr = it.first; itr != it.second; itr++) { | |
790 | runtime_vals.emplace_back(itr->second); | |
791 | } | |
31f18b77 FG |
792 | } |
793 | const auto& s = i->second; | |
794 | ||
20effc67 TL |
795 | const auto& itr = env.equal_range(key); |
796 | ||
31f18b77 FG |
797 | switch (op) { |
798 | // String! | |
20effc67 | 799 | case TokenID::ForAnyValueStringEquals: |
31f18b77 | 800 | case TokenID::StringEquals: |
20effc67 | 801 | return orrible(std::equal_to<std::string>(), itr, isruntime? runtime_vals : vals); |
31f18b77 FG |
802 | |
803 | case TokenID::StringNotEquals: | |
11fdf7f2 | 804 | return orrible(std::not_fn(std::equal_to<std::string>()), |
20effc67 | 805 | itr, isruntime? runtime_vals : vals); |
31f18b77 | 806 | |
20effc67 | 807 | case TokenID::ForAnyValueStringEqualsIgnoreCase: |
31f18b77 | 808 | case TokenID::StringEqualsIgnoreCase: |
20effc67 | 809 | return orrible(ci_equal_to(), itr, isruntime? runtime_vals : vals); |
31f18b77 FG |
810 | |
811 | case TokenID::StringNotEqualsIgnoreCase: | |
20effc67 | 812 | return orrible(std::not_fn(ci_equal_to()), itr, isruntime? runtime_vals : vals); |
31f18b77 | 813 | |
20effc67 | 814 | case TokenID::ForAnyValueStringLike: |
31f18b77 | 815 | case TokenID::StringLike: |
20effc67 | 816 | return orrible(string_like(), itr, isruntime? runtime_vals : vals); |
d2e6a577 | 817 | |
31f18b77 | 818 | case TokenID::StringNotLike: |
20effc67 TL |
819 | return orrible(std::not_fn(string_like()), itr, isruntime? runtime_vals : vals); |
820 | ||
821 | case TokenID::ForAllValuesStringEquals: | |
822 | return andible(std::equal_to<std::string>(), itr, isruntime? runtime_vals : vals); | |
823 | ||
824 | case TokenID::ForAllValuesStringLike: | |
825 | return andible(string_like(), itr, isruntime? runtime_vals : vals); | |
826 | ||
827 | case TokenID::ForAllValuesStringEqualsIgnoreCase: | |
828 | return andible(ci_equal_to(), itr, isruntime? runtime_vals : vals); | |
31f18b77 FG |
829 | |
830 | // Numeric | |
831 | case TokenID::NumericEquals: | |
832 | return shortible(std::equal_to<double>(), as_number, s, vals); | |
833 | ||
834 | case TokenID::NumericNotEquals: | |
11fdf7f2 | 835 | return shortible(std::not_fn(std::equal_to<double>()), |
31f18b77 FG |
836 | as_number, s, vals); |
837 | ||
838 | ||
839 | case TokenID::NumericLessThan: | |
840 | return shortible(std::less<double>(), as_number, s, vals); | |
841 | ||
842 | ||
843 | case TokenID::NumericLessThanEquals: | |
844 | return shortible(std::less_equal<double>(), as_number, s, vals); | |
845 | ||
846 | case TokenID::NumericGreaterThan: | |
847 | return shortible(std::greater<double>(), as_number, s, vals); | |
848 | ||
849 | case TokenID::NumericGreaterThanEquals: | |
850 | return shortible(std::greater_equal<double>(), as_number, s, vals); | |
851 | ||
852 | // Date! | |
853 | case TokenID::DateEquals: | |
854 | return shortible(std::equal_to<ceph::real_time>(), as_date, s, vals); | |
855 | ||
856 | case TokenID::DateNotEquals: | |
11fdf7f2 | 857 | return shortible(std::not_fn(std::equal_to<ceph::real_time>()), |
31f18b77 FG |
858 | as_date, s, vals); |
859 | ||
860 | case TokenID::DateLessThan: | |
861 | return shortible(std::less<ceph::real_time>(), as_date, s, vals); | |
862 | ||
863 | ||
864 | case TokenID::DateLessThanEquals: | |
865 | return shortible(std::less_equal<ceph::real_time>(), as_date, s, vals); | |
866 | ||
867 | case TokenID::DateGreaterThan: | |
868 | return shortible(std::greater<ceph::real_time>(), as_date, s, vals); | |
869 | ||
870 | case TokenID::DateGreaterThanEquals: | |
871 | return shortible(std::greater_equal<ceph::real_time>(), as_date, s, | |
872 | vals); | |
873 | ||
874 | // Bool! | |
875 | case TokenID::Bool: | |
876 | return shortible(std::equal_to<bool>(), as_bool, s, vals); | |
877 | ||
878 | // Binary! | |
879 | case TokenID::BinaryEquals: | |
880 | return shortible(std::equal_to<ceph::bufferlist>(), as_binary, s, | |
881 | vals); | |
882 | ||
883 | // IP Address! | |
884 | case TokenID::IpAddress: | |
885 | return shortible(std::equal_to<MaskedIP>(), as_network, s, vals); | |
886 | ||
887 | case TokenID::NotIpAddress: | |
b32b8144 FG |
888 | { |
889 | auto xc = as_network(s); | |
890 | if (!xc) { | |
891 | return false; | |
892 | } | |
893 | ||
894 | for (const string& d : vals) { | |
895 | auto xd = as_network(d); | |
896 | if (!xd) { | |
897 | continue; | |
898 | } | |
899 | ||
900 | if (xc == xd) { | |
901 | return false; | |
902 | } | |
903 | } | |
904 | return true; | |
905 | } | |
31f18b77 FG |
906 | |
907 | #if 0 | |
908 | // Amazon Resource Names! (Does S3 need this?) | |
909 | TokenID::ArnEquals, TokenID::ArnNotEquals, TokenID::ArnLike, | |
910 | TokenID::ArnNotLike, | |
911 | #endif | |
912 | ||
913 | default: | |
914 | return false; | |
915 | } | |
916 | } | |
917 | ||
11fdf7f2 | 918 | boost::optional<MaskedIP> Condition::as_network(const string& s) { |
31f18b77 FG |
919 | MaskedIP m; |
920 | if (s.empty()) { | |
11fdf7f2 | 921 | return boost::none; |
31f18b77 FG |
922 | } |
923 | ||
b32b8144 | 924 | m.v6 = (s.find(':') == string::npos) ? false : true; |
11fdf7f2 | 925 | |
31f18b77 FG |
926 | auto slash = s.find('/'); |
927 | if (slash == string::npos) { | |
928 | m.prefix = m.v6 ? 128 : 32; | |
929 | } else { | |
930 | char* end = 0; | |
931 | m.prefix = strtoul(s.data() + slash + 1, &end, 10); | |
932 | if (*end != 0 || (m.v6 && m.prefix > 128) || | |
933 | (!m.v6 && m.prefix > 32)) { | |
11fdf7f2 | 934 | return boost::none; |
31f18b77 FG |
935 | } |
936 | } | |
937 | ||
938 | string t; | |
939 | auto p = &s; | |
940 | ||
941 | if (slash != string::npos) { | |
942 | t.assign(s, 0, slash); | |
943 | p = &t; | |
944 | } | |
945 | ||
946 | if (m.v6) { | |
b32b8144 | 947 | struct in6_addr a; |
31f18b77 | 948 | if (inet_pton(AF_INET6, p->c_str(), static_cast<void*>(&a)) != 1) { |
11fdf7f2 | 949 | return boost::none; |
31f18b77 FG |
950 | } |
951 | ||
b32b8144 FG |
952 | m.addr |= Address(a.s6_addr[15]) << 0; |
953 | m.addr |= Address(a.s6_addr[14]) << 8; | |
954 | m.addr |= Address(a.s6_addr[13]) << 16; | |
955 | m.addr |= Address(a.s6_addr[12]) << 24; | |
956 | m.addr |= Address(a.s6_addr[11]) << 32; | |
957 | m.addr |= Address(a.s6_addr[10]) << 40; | |
958 | m.addr |= Address(a.s6_addr[9]) << 48; | |
959 | m.addr |= Address(a.s6_addr[8]) << 56; | |
960 | m.addr |= Address(a.s6_addr[7]) << 64; | |
961 | m.addr |= Address(a.s6_addr[6]) << 72; | |
962 | m.addr |= Address(a.s6_addr[5]) << 80; | |
963 | m.addr |= Address(a.s6_addr[4]) << 88; | |
964 | m.addr |= Address(a.s6_addr[3]) << 96; | |
965 | m.addr |= Address(a.s6_addr[2]) << 104; | |
966 | m.addr |= Address(a.s6_addr[1]) << 112; | |
967 | m.addr |= Address(a.s6_addr[0]) << 120; | |
31f18b77 | 968 | } else { |
b32b8144 | 969 | struct in_addr a; |
31f18b77 | 970 | if (inet_pton(AF_INET, p->c_str(), static_cast<void*>(&a)) != 1) { |
11fdf7f2 | 971 | return boost::none; |
31f18b77 | 972 | } |
b32b8144 FG |
973 | |
974 | m.addr = ntohl(a.s_addr); | |
31f18b77 FG |
975 | } |
976 | ||
b32b8144 | 977 | return m; |
31f18b77 FG |
978 | } |
979 | ||
980 | namespace { | |
981 | const char* condop_string(const TokenID t) { | |
982 | switch (t) { | |
983 | case TokenID::StringEquals: | |
984 | return "StringEquals"; | |
985 | ||
986 | case TokenID::StringNotEquals: | |
987 | return "StringNotEquals"; | |
988 | ||
989 | case TokenID::StringEqualsIgnoreCase: | |
990 | return "StringEqualsIgnoreCase"; | |
991 | ||
992 | case TokenID::StringNotEqualsIgnoreCase: | |
993 | return "StringNotEqualsIgnoreCase"; | |
994 | ||
995 | case TokenID::StringLike: | |
996 | return "StringLike"; | |
997 | ||
998 | case TokenID::StringNotLike: | |
999 | return "StringNotLike"; | |
1000 | ||
1001 | // Numeric! | |
1002 | case TokenID::NumericEquals: | |
1003 | return "NumericEquals"; | |
1004 | ||
1005 | case TokenID::NumericNotEquals: | |
1006 | return "NumericNotEquals"; | |
1007 | ||
1008 | case TokenID::NumericLessThan: | |
1009 | return "NumericLessThan"; | |
1010 | ||
1011 | case TokenID::NumericLessThanEquals: | |
1012 | return "NumericLessThanEquals"; | |
1013 | ||
1014 | case TokenID::NumericGreaterThan: | |
1015 | return "NumericGreaterThan"; | |
1016 | ||
1017 | case TokenID::NumericGreaterThanEquals: | |
1018 | return "NumericGreaterThanEquals"; | |
1019 | ||
1020 | case TokenID::DateEquals: | |
1021 | return "DateEquals"; | |
1022 | ||
1023 | case TokenID::DateNotEquals: | |
1024 | return "DateNotEquals"; | |
1025 | ||
1026 | case TokenID::DateLessThan: | |
1027 | return "DateLessThan"; | |
1028 | ||
1029 | case TokenID::DateLessThanEquals: | |
1030 | return "DateLessThanEquals"; | |
1031 | ||
1032 | case TokenID::DateGreaterThan: | |
1033 | return "DateGreaterThan"; | |
1034 | ||
1035 | case TokenID::DateGreaterThanEquals: | |
1036 | return "DateGreaterThanEquals"; | |
1037 | ||
1038 | case TokenID::Bool: | |
1039 | return "Bool"; | |
1040 | ||
1041 | case TokenID::BinaryEquals: | |
1042 | return "BinaryEquals"; | |
1043 | ||
1044 | case TokenID::IpAddress: | |
1045 | return "case TokenID::IpAddress"; | |
1046 | ||
1047 | case TokenID::NotIpAddress: | |
1048 | return "NotIpAddress"; | |
1049 | ||
1050 | case TokenID::ArnEquals: | |
1051 | return "ArnEquals"; | |
1052 | ||
1053 | case TokenID::ArnNotEquals: | |
1054 | return "ArnNotEquals"; | |
1055 | ||
1056 | case TokenID::ArnLike: | |
1057 | return "ArnLike"; | |
1058 | ||
1059 | case TokenID::ArnNotLike: | |
1060 | return "ArnNotLike"; | |
1061 | ||
1062 | case TokenID::Null: | |
1063 | return "Null"; | |
1064 | ||
1065 | default: | |
1066 | return "InvalidConditionOperator"; | |
1067 | } | |
1068 | } | |
1069 | ||
1070 | template<typename Iterator> | |
1071 | ostream& print_array(ostream& m, Iterator begin, Iterator end) { | |
1072 | if (begin == end) { | |
11fdf7f2 | 1073 | m << "[]"; |
31f18b77 | 1074 | } else { |
31f18b77 | 1075 | m << "[ "; |
11fdf7f2 TL |
1076 | std::copy(begin, end, std::experimental::make_ostream_joiner(m, ", ")); |
1077 | m << " ]"; | |
31f18b77 | 1078 | } |
31f18b77 FG |
1079 | return m; |
1080 | } | |
11fdf7f2 TL |
1081 | |
1082 | template<typename Iterator> | |
1083 | ostream& print_dict(ostream& m, Iterator begin, Iterator end) { | |
1084 | m << "{ "; | |
1085 | std::copy(begin, end, std::experimental::make_ostream_joiner(m, ", ")); | |
1086 | m << " }"; | |
1087 | return m; | |
1088 | } | |
1089 | ||
31f18b77 FG |
1090 | } |
1091 | ||
1092 | ostream& operator <<(ostream& m, const Condition& c) { | |
11fdf7f2 | 1093 | m << condop_string(c.op); |
31f18b77 FG |
1094 | if (c.ifexists) { |
1095 | m << "IfExists"; | |
1096 | } | |
1097 | m << ": { " << c.key; | |
1098 | print_array(m, c.vals.cbegin(), c.vals.cend()); | |
11fdf7f2 | 1099 | return m << " }"; |
31f18b77 FG |
1100 | } |
1101 | ||
1102 | Effect Statement::eval(const Environment& e, | |
11fdf7f2 | 1103 | boost::optional<const rgw::auth::Identity&> ida, |
20effc67 | 1104 | uint64_t act, boost::optional<const ARN&> res, boost::optional<PolicyPrincipal&> princ_type) const { |
f6b5b4d7 | 1105 | |
522d829b | 1106 | if (eval_principal(e, ida, princ_type) == Effect::Deny) { |
f6b5b4d7 | 1107 | return Effect::Pass; |
31f18b77 FG |
1108 | } |
1109 | ||
20effc67 TL |
1110 | if (res && resource.empty() && notresource.empty()) { |
1111 | return Effect::Pass; | |
1112 | } | |
1113 | if (!res && (!resource.empty() || !notresource.empty())) { | |
1114 | return Effect::Pass; | |
1115 | } | |
1116 | if (!resource.empty() && res) { | |
11fdf7f2 TL |
1117 | if (!std::any_of(resource.begin(), resource.end(), |
1118 | [&res](const ARN& pattern) { | |
20effc67 | 1119 | return pattern.match(*res); |
11fdf7f2 TL |
1120 | })) { |
1121 | return Effect::Pass; | |
1122 | } | |
20effc67 | 1123 | } else if (!notresource.empty() && res) { |
11fdf7f2 TL |
1124 | if (std::any_of(notresource.begin(), notresource.end(), |
1125 | [&res](const ARN& pattern) { | |
20effc67 | 1126 | return pattern.match(*res); |
11fdf7f2 TL |
1127 | })) { |
1128 | return Effect::Pass; | |
1129 | } | |
31f18b77 FG |
1130 | } |
1131 | ||
11fdf7f2 | 1132 | if (!(action[act] == 1) || (notaction[act] == 1)) { |
31f18b77 FG |
1133 | return Effect::Pass; |
1134 | } | |
1135 | ||
1136 | if (std::all_of(conditions.begin(), | |
1137 | conditions.end(), | |
1138 | [&e](const Condition& c) { return c.eval(e);})) { | |
1139 | return effect; | |
1140 | } | |
1141 | ||
1142 | return Effect::Pass; | |
1143 | } | |
1144 | ||
11fdf7f2 | 1145 | Effect Statement::eval_principal(const Environment& e, |
522d829b TL |
1146 | boost::optional<const rgw::auth::Identity&> ida, boost::optional<PolicyPrincipal&> princ_type) const { |
1147 | if (princ_type) { | |
1148 | *princ_type = PolicyPrincipal::Other; | |
1149 | } | |
11fdf7f2 TL |
1150 | if (ida) { |
1151 | if (princ.empty() && noprinc.empty()) { | |
1152 | return Effect::Deny; | |
1153 | } | |
522d829b | 1154 | if (ida->get_identity_type() != TYPE_ROLE && !princ.empty() && !ida->is_identity(princ)) { |
11fdf7f2 | 1155 | return Effect::Deny; |
522d829b TL |
1156 | } |
1157 | if (ida->get_identity_type() == TYPE_ROLE && !princ.empty()) { | |
1158 | bool princ_matched = false; | |
1159 | for (auto p : princ) { // Check each principal to determine the type of the one that has matched | |
1160 | boost::container::flat_set<Principal> id; | |
1161 | id.insert(p); | |
1162 | if (ida->is_identity(id)) { | |
1163 | if (p.is_assumed_role() || p.is_user()) { | |
1164 | if (princ_type) *princ_type = PolicyPrincipal::Session; | |
1165 | } else { | |
1166 | if (princ_type) *princ_type = PolicyPrincipal::Role; | |
1167 | } | |
1168 | princ_matched = true; | |
1169 | } | |
1170 | } | |
1171 | if (!princ_matched) { | |
1172 | return Effect::Deny; | |
1173 | } | |
11fdf7f2 TL |
1174 | } else if (!noprinc.empty() && ida->is_identity(noprinc)) { |
1175 | return Effect::Deny; | |
1176 | } | |
1177 | } | |
1178 | return Effect::Allow; | |
1179 | } | |
1180 | ||
1181 | Effect Statement::eval_conditions(const Environment& e) const { | |
1182 | if (std::all_of(conditions.begin(), | |
1183 | conditions.end(), | |
1184 | [&e](const Condition& c) { return c.eval(e);})) { | |
1185 | return Effect::Allow; | |
1186 | } | |
1187 | return Effect::Deny; | |
1188 | } | |
1189 | ||
31f18b77 FG |
1190 | namespace { |
1191 | const char* action_bit_string(uint64_t action) { | |
1192 | switch (action) { | |
1193 | case s3GetObject: | |
1194 | return "s3:GetObject"; | |
1195 | ||
1196 | case s3GetObjectVersion: | |
1197 | return "s3:GetObjectVersion"; | |
1198 | ||
1199 | case s3PutObject: | |
1200 | return "s3:PutObject"; | |
1201 | ||
1202 | case s3GetObjectAcl: | |
1203 | return "s3:GetObjectAcl"; | |
1204 | ||
1205 | case s3GetObjectVersionAcl: | |
1206 | return "s3:GetObjectVersionAcl"; | |
1207 | ||
1208 | case s3PutObjectAcl: | |
1209 | return "s3:PutObjectAcl"; | |
1210 | ||
1211 | case s3PutObjectVersionAcl: | |
1212 | return "s3:PutObjectVersionAcl"; | |
1213 | ||
1214 | case s3DeleteObject: | |
1215 | return "s3:DeleteObject"; | |
1216 | ||
1217 | case s3DeleteObjectVersion: | |
1218 | return "s3:DeleteObjectVersion"; | |
1219 | ||
1220 | case s3ListMultipartUploadParts: | |
1221 | return "s3:ListMultipartUploadParts"; | |
1222 | ||
1223 | case s3AbortMultipartUpload: | |
1224 | return "s3:AbortMultipartUpload"; | |
1225 | ||
1226 | case s3GetObjectTorrent: | |
1227 | return "s3:GetObjectTorrent"; | |
1228 | ||
1229 | case s3GetObjectVersionTorrent: | |
1230 | return "s3:GetObjectVersionTorrent"; | |
1231 | ||
1232 | case s3RestoreObject: | |
1233 | return "s3:RestoreObject"; | |
1234 | ||
1235 | case s3CreateBucket: | |
1236 | return "s3:CreateBucket"; | |
1237 | ||
1238 | case s3DeleteBucket: | |
1239 | return "s3:DeleteBucket"; | |
1240 | ||
1241 | case s3ListBucket: | |
1242 | return "s3:ListBucket"; | |
1243 | ||
1244 | case s3ListBucketVersions: | |
1245 | return "s3:ListBucketVersions"; | |
1246 | case s3ListAllMyBuckets: | |
1247 | return "s3:ListAllMyBuckets"; | |
1248 | ||
28e407b8 AA |
1249 | case s3ListBucketMultipartUploads: |
1250 | return "s3:ListBucketMultipartUploads"; | |
31f18b77 FG |
1251 | |
1252 | case s3GetAccelerateConfiguration: | |
1253 | return "s3:GetAccelerateConfiguration"; | |
1254 | ||
1255 | case s3PutAccelerateConfiguration: | |
1256 | return "s3:PutAccelerateConfiguration"; | |
1257 | ||
1258 | case s3GetBucketAcl: | |
1259 | return "s3:GetBucketAcl"; | |
1260 | ||
1261 | case s3PutBucketAcl: | |
1262 | return "s3:PutBucketAcl"; | |
1263 | ||
1264 | case s3GetBucketCORS: | |
1265 | return "s3:GetBucketCORS"; | |
1266 | ||
1267 | case s3PutBucketCORS: | |
1268 | return "s3:PutBucketCORS"; | |
1269 | ||
20effc67 TL |
1270 | case s3GetBucketEncryption: |
1271 | return "s3:GetBucketEncryption"; | |
1272 | ||
1273 | case s3PutBucketEncryption: | |
1274 | return "s3:PutBucketEncryption"; | |
1275 | ||
31f18b77 FG |
1276 | case s3GetBucketVersioning: |
1277 | return "s3:GetBucketVersioning"; | |
1278 | ||
1279 | case s3PutBucketVersioning: | |
1280 | return "s3:PutBucketVersioning"; | |
1281 | ||
1282 | case s3GetBucketRequestPayment: | |
1283 | return "s3:GetBucketRequestPayment"; | |
1284 | ||
1285 | case s3PutBucketRequestPayment: | |
1286 | return "s3:PutBucketRequestPayment"; | |
1287 | ||
1288 | case s3GetBucketLocation: | |
1289 | return "s3:GetBucketLocation"; | |
1290 | ||
1291 | case s3GetBucketPolicy: | |
1292 | return "s3:GetBucketPolicy"; | |
1293 | ||
1294 | case s3DeleteBucketPolicy: | |
1295 | return "s3:DeleteBucketPolicy"; | |
1296 | ||
1297 | case s3PutBucketPolicy: | |
1298 | return "s3:PutBucketPolicy"; | |
1299 | ||
1300 | case s3GetBucketNotification: | |
1301 | return "s3:GetBucketNotification"; | |
1302 | ||
1303 | case s3PutBucketNotification: | |
1304 | return "s3:PutBucketNotification"; | |
1305 | ||
1306 | case s3GetBucketLogging: | |
1307 | return "s3:GetBucketLogging"; | |
1308 | ||
1309 | case s3PutBucketLogging: | |
1310 | return "s3:PutBucketLogging"; | |
1311 | ||
1312 | case s3GetBucketTagging: | |
1313 | return "s3:GetBucketTagging"; | |
1314 | ||
1315 | case s3PutBucketTagging: | |
1316 | return "s3:PutBucketTagging"; | |
1317 | ||
1318 | case s3GetBucketWebsite: | |
1319 | return "s3:GetBucketWebsite"; | |
1320 | ||
1321 | case s3PutBucketWebsite: | |
1322 | return "s3:PutBucketWebsite"; | |
1323 | ||
1324 | case s3DeleteBucketWebsite: | |
1325 | return "s3:DeleteBucketWebsite"; | |
1326 | ||
1327 | case s3GetLifecycleConfiguration: | |
1328 | return "s3:GetLifecycleConfiguration"; | |
1329 | ||
1330 | case s3PutLifecycleConfiguration: | |
1331 | return "s3:PutLifecycleConfiguration"; | |
1332 | ||
1333 | case s3PutReplicationConfiguration: | |
1334 | return "s3:PutReplicationConfiguration"; | |
1335 | ||
1336 | case s3GetReplicationConfiguration: | |
1337 | return "s3:GetReplicationConfiguration"; | |
1338 | ||
1339 | case s3DeleteReplicationConfiguration: | |
1340 | return "s3:DeleteReplicationConfiguration"; | |
224ce89b WB |
1341 | |
1342 | case s3PutObjectTagging: | |
1343 | return "s3:PutObjectTagging"; | |
1344 | ||
1345 | case s3PutObjectVersionTagging: | |
1346 | return "s3:PutObjectVersionTagging"; | |
1347 | ||
1348 | case s3GetObjectTagging: | |
1349 | return "s3:GetObjectTagging"; | |
1350 | ||
1351 | case s3GetObjectVersionTagging: | |
1352 | return "s3:GetObjectVersionTagging"; | |
1353 | ||
1354 | case s3DeleteObjectTagging: | |
1355 | return "s3:DeleteObjectTagging"; | |
1356 | ||
1357 | case s3DeleteObjectVersionTagging: | |
1358 | return "s3:DeleteObjectVersionTagging"; | |
11fdf7f2 | 1359 | |
eafe8130 TL |
1360 | case s3PutBucketObjectLockConfiguration: |
1361 | return "s3:PutBucketObjectLockConfiguration"; | |
1362 | ||
1363 | case s3GetBucketObjectLockConfiguration: | |
1364 | return "s3:GetBucketObjectLockConfiguration"; | |
1365 | ||
1366 | case s3PutObjectRetention: | |
1367 | return "s3:PutObjectRetention"; | |
1368 | ||
1369 | case s3GetObjectRetention: | |
1370 | return "s3:GetObjectRetention"; | |
1371 | ||
1372 | case s3PutObjectLegalHold: | |
1373 | return "s3:PutObjectLegalHold"; | |
1374 | ||
1375 | case s3GetObjectLegalHold: | |
1376 | return "s3:GetObjectLegalHold"; | |
1377 | ||
1378 | case s3BypassGovernanceRetention: | |
1379 | return "s3:BypassGovernanceRetention"; | |
1380 | ||
11fdf7f2 TL |
1381 | case iamPutUserPolicy: |
1382 | return "iam:PutUserPolicy"; | |
1383 | ||
1384 | case iamGetUserPolicy: | |
1385 | return "iam:GetUserPolicy"; | |
1386 | ||
1387 | case iamListUserPolicies: | |
1388 | return "iam:ListUserPolicies"; | |
1389 | ||
1390 | case iamDeleteUserPolicy: | |
1391 | return "iam:DeleteUserPolicy"; | |
1392 | ||
1393 | case iamCreateRole: | |
1394 | return "iam:CreateRole"; | |
1395 | ||
1396 | case iamDeleteRole: | |
1397 | return "iam:DeleteRole"; | |
1398 | ||
1399 | case iamGetRole: | |
1400 | return "iam:GetRole"; | |
1401 | ||
1e59de90 TL |
1402 | case iamModifyRoleTrustPolicy: |
1403 | return "iam:ModifyRoleTrustPolicy"; | |
11fdf7f2 TL |
1404 | |
1405 | case iamListRoles: | |
1406 | return "iam:ListRoles"; | |
1407 | ||
1408 | case iamPutRolePolicy: | |
1409 | return "iam:PutRolePolicy"; | |
1410 | ||
1411 | case iamGetRolePolicy: | |
1412 | return "iam:GetRolePolicy"; | |
1413 | ||
1414 | case iamListRolePolicies: | |
1415 | return "iam:ListRolePolicies"; | |
1416 | ||
1417 | case iamDeleteRolePolicy: | |
1418 | return "iam:DeleteRolePolicy"; | |
1419 | ||
f91f0fd5 TL |
1420 | case iamCreateOIDCProvider: |
1421 | return "iam:CreateOIDCProvider"; | |
1422 | ||
1423 | case iamDeleteOIDCProvider: | |
1424 | return "iam:DeleteOIDCProvider"; | |
1425 | ||
1426 | case iamGetOIDCProvider: | |
1427 | return "iam:GetOIDCProvider"; | |
1428 | ||
1429 | case iamListOIDCProviders: | |
1430 | return "iam:ListOIDCProviders"; | |
1431 | ||
20effc67 TL |
1432 | case iamTagRole: |
1433 | return "iam:TagRole"; | |
1434 | ||
1435 | case iamListRoleTags: | |
1436 | return "iam:ListRoleTags"; | |
1437 | ||
1438 | case iamUntagRole: | |
1439 | return "iam:UntagRole"; | |
1440 | ||
1e59de90 TL |
1441 | case iamUpdateRole: |
1442 | return "iam:UpdateRole"; | |
1443 | ||
11fdf7f2 TL |
1444 | case stsAssumeRole: |
1445 | return "sts:AssumeRole"; | |
1446 | ||
1447 | case stsAssumeRoleWithWebIdentity: | |
1448 | return "sts:AssumeRoleWithWebIdentity"; | |
1449 | ||
1450 | case stsGetSessionToken: | |
1451 | return "sts:GetSessionToken"; | |
20effc67 TL |
1452 | |
1453 | case stsTagSession: | |
1454 | return "sts:TagSession"; | |
31f18b77 FG |
1455 | } |
1456 | return "s3Invalid"; | |
1457 | } | |
1458 | ||
11fdf7f2 | 1459 | ostream& print_actions(ostream& m, const Action_t a) { |
31f18b77 FG |
1460 | bool begun = false; |
1461 | m << "[ "; | |
11fdf7f2 TL |
1462 | for (auto i = 0U; i < allCount; ++i) { |
1463 | if (a[i] == 1) { | |
31f18b77 | 1464 | if (begun) { |
11fdf7f2 | 1465 | m << ", "; |
31f18b77 | 1466 | } else { |
11fdf7f2 | 1467 | begun = true; |
31f18b77 | 1468 | } |
11fdf7f2 | 1469 | m << action_bit_string(i); |
31f18b77 FG |
1470 | } |
1471 | } | |
1472 | if (begun) { | |
1473 | m << " ]"; | |
1474 | } else { | |
1475 | m << "]"; | |
1476 | } | |
1477 | return m; | |
1478 | } | |
1479 | } | |
1480 | ||
1481 | ostream& operator <<(ostream& m, const Statement& s) { | |
1482 | m << "{ "; | |
1483 | if (s.sid) { | |
1484 | m << "Sid: " << *s.sid << ", "; | |
1485 | } | |
1486 | if (!s.princ.empty()) { | |
1487 | m << "Principal: "; | |
11fdf7f2 | 1488 | print_dict(m, s.princ.cbegin(), s.princ.cend()); |
31f18b77 FG |
1489 | m << ", "; |
1490 | } | |
1491 | if (!s.noprinc.empty()) { | |
1492 | m << "NotPrincipal: "; | |
11fdf7f2 | 1493 | print_dict(m, s.noprinc.cbegin(), s.noprinc.cend()); |
31f18b77 FG |
1494 | m << ", "; |
1495 | } | |
1496 | ||
1497 | m << "Effect: " << | |
1498 | (s.effect == Effect::Allow ? | |
1499 | (const char*) "Allow" : | |
1500 | (const char*) "Deny"); | |
1501 | ||
11fdf7f2 | 1502 | if (s.action.any() || s.notaction.any() || !s.resource.empty() || |
31f18b77 FG |
1503 | !s.notresource.empty() || !s.conditions.empty()) { |
1504 | m << ", "; | |
1505 | } | |
1506 | ||
11fdf7f2 | 1507 | if (s.action.any()) { |
31f18b77 FG |
1508 | m << "Action: "; |
1509 | print_actions(m, s.action); | |
1510 | ||
11fdf7f2 | 1511 | if (s.notaction.any() || !s.resource.empty() || |
31f18b77 FG |
1512 | !s.notresource.empty() || !s.conditions.empty()) { |
1513 | m << ", "; | |
1514 | } | |
1515 | } | |
1516 | ||
11fdf7f2 | 1517 | if (s.notaction.any()) { |
31f18b77 FG |
1518 | m << "NotAction: "; |
1519 | print_actions(m, s.notaction); | |
1520 | ||
1521 | if (!s.resource.empty() || !s.notresource.empty() || | |
1522 | !s.conditions.empty()) { | |
1523 | m << ", "; | |
1524 | } | |
1525 | } | |
1526 | ||
1527 | if (!s.resource.empty()) { | |
1528 | m << "Resource: "; | |
1529 | print_array(m, s.resource.cbegin(), s.resource.cend()); | |
1530 | ||
1531 | if (!s.notresource.empty() || !s.conditions.empty()) { | |
1532 | m << ", "; | |
1533 | } | |
1534 | } | |
1535 | ||
1536 | if (!s.notresource.empty()) { | |
1537 | m << "NotResource: "; | |
1538 | print_array(m, s.notresource.cbegin(), s.notresource.cend()); | |
1539 | ||
1540 | if (!s.conditions.empty()) { | |
1541 | m << ", "; | |
1542 | } | |
1543 | } | |
1544 | ||
1545 | if (!s.conditions.empty()) { | |
1546 | m << "Condition: "; | |
11fdf7f2 | 1547 | print_dict(m, s.conditions.cbegin(), s.conditions.cend()); |
31f18b77 FG |
1548 | } |
1549 | ||
1550 | return m << " }"; | |
1551 | } | |
1552 | ||
31f18b77 | 1553 | Policy::Policy(CephContext* cct, const string& tenant, |
1e59de90 TL |
1554 | const bufferlist& _text, |
1555 | bool reject_invalid_principals) | |
31f18b77 FG |
1556 | : text(_text.to_str()) { |
1557 | StringStream ss(text.data()); | |
1e59de90 | 1558 | PolicyParser pp(cct, tenant, *this, reject_invalid_principals); |
31f18b77 FG |
1559 | auto pr = Reader{}.Parse<kParseNumbersAsStringsFlag | |
1560 | kParseCommentsFlag>(ss, pp); | |
1561 | if (!pr) { | |
1e59de90 | 1562 | throw PolicyParseException(pr, pp.annotation); |
31f18b77 FG |
1563 | } |
1564 | } | |
1565 | ||
1566 | Effect Policy::eval(const Environment& e, | |
11fdf7f2 | 1567 | boost::optional<const rgw::auth::Identity&> ida, |
20effc67 | 1568 | std::uint64_t action, boost::optional<const ARN&> resource, |
522d829b | 1569 | boost::optional<PolicyPrincipal&> princ_type) const { |
31f18b77 FG |
1570 | auto allowed = false; |
1571 | for (auto& s : statements) { | |
522d829b | 1572 | auto g = s.eval(e, ida, action, resource, princ_type); |
31f18b77 FG |
1573 | if (g == Effect::Deny) { |
1574 | return g; | |
1575 | } else if (g == Effect::Allow) { | |
1576 | allowed = true; | |
1577 | } | |
1578 | } | |
1579 | return allowed ? Effect::Allow : Effect::Pass; | |
1580 | } | |
1581 | ||
11fdf7f2 | 1582 | Effect Policy::eval_principal(const Environment& e, |
522d829b | 1583 | boost::optional<const rgw::auth::Identity&> ida, boost::optional<PolicyPrincipal&> princ_type) const { |
11fdf7f2 TL |
1584 | auto allowed = false; |
1585 | for (auto& s : statements) { | |
522d829b | 1586 | auto g = s.eval_principal(e, ida, princ_type); |
11fdf7f2 TL |
1587 | if (g == Effect::Deny) { |
1588 | return g; | |
1589 | } else if (g == Effect::Allow) { | |
1590 | allowed = true; | |
1591 | } | |
1592 | } | |
1593 | return allowed ? Effect::Allow : Effect::Deny; | |
1594 | } | |
1595 | ||
1596 | Effect Policy::eval_conditions(const Environment& e) const { | |
1597 | auto allowed = false; | |
1598 | for (auto& s : statements) { | |
1599 | auto g = s.eval_conditions(e); | |
1600 | if (g == Effect::Deny) { | |
1601 | return g; | |
1602 | } else if (g == Effect::Allow) { | |
1603 | allowed = true; | |
1604 | } | |
1605 | } | |
1606 | return allowed ? Effect::Allow : Effect::Deny; | |
1607 | } | |
1608 | ||
31f18b77 FG |
1609 | ostream& operator <<(ostream& m, const Policy& p) { |
1610 | m << "{ Version: " | |
1611 | << (p.version == Version::v2008_10_17 ? "2008-10-17" : "2012-10-17"); | |
1612 | ||
1613 | if (p.id || !p.statements.empty()) { | |
1614 | m << ", "; | |
1615 | } | |
1616 | ||
1617 | if (p.id) { | |
1618 | m << "Id: " << *p.id; | |
1619 | if (!p.statements.empty()) { | |
1620 | m << ", "; | |
1621 | } | |
1622 | } | |
1623 | ||
1624 | if (!p.statements.empty()) { | |
1625 | m << "Statements: "; | |
1626 | print_array(m, p.statements.cbegin(), p.statements.cend()); | |
1627 | m << ", "; | |
1628 | } | |
1629 | return m << " }"; | |
1630 | } | |
1631 | ||
9f95a23c TL |
1632 | static const Environment iam_all_env = { |
1633 | {"aws:SourceIp","1.1.1.1"}, | |
1634 | {"aws:UserId","anonymous"}, | |
1635 | {"s3:x-amz-server-side-encryption-aws-kms-key-id","secret"} | |
1636 | }; | |
1637 | ||
1638 | struct IsPublicStatement | |
1639 | { | |
1640 | bool operator() (const Statement &s) const { | |
1641 | if (s.effect == Effect::Allow) { | |
1642 | for (const auto& p : s.princ) { | |
1643 | if (p.is_wildcard()) { | |
1644 | return s.eval_conditions(iam_all_env) == Effect::Allow; | |
1645 | } | |
1646 | } | |
1647 | // no princ should not contain fixed values | |
1648 | return std::none_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) { | |
1649 | return p.is_wildcard(); | |
1650 | }); | |
1651 | } | |
1652 | return false; | |
1653 | } | |
1654 | }; | |
1655 | ||
1656 | ||
1657 | bool is_public(const Policy& p) | |
1658 | { | |
1659 | return std::any_of(p.statements.begin(), p.statements.end(), IsPublicStatement()); | |
31f18b77 | 1660 | } |
9f95a23c TL |
1661 | |
1662 | } // namespace IAM | |
1663 | } // namespace rgw |