ceph/src/rgw/rgw_auth_filters.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3
   4 #ifndef CEPH_RGW_AUTH_FILTERS_H
   5 #define CEPH_RGW_AUTH_FILTERS_H
   6
   7 #include <type_traits>
   8
   9 #include <boost/logic/tribool.hpp>
  10 #include <boost/optional.hpp>
  11
  12 #include "rgw_common.h"
  13 #include "rgw_auth.h"
  14
  15 namespace rgw {
  16 namespace auth {
  17
  18 /* Abstract decorator over any implementation of rgw::auth::IdentityApplier
  19  * which could be provided both as a pointer-to-object or the object itself. */
  20 template <typename DecorateeT>
  21 class DecoratedApplier : public rgw::auth::IdentityApplier {
  22   typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
  23
  24   static_assert(std::is_base_of<rgw::auth::IdentityApplier,
  25                                 DerefedDecorateeT>::value,
  26                 "DecorateeT must be a subclass of rgw::auth::IdentityApplier");
  27
  28   DecorateeT decoratee;
  29
  30   /* There is an indirection layer over accessing decoratee to share the same
  31    * code base between dynamic and static decorators. The difference is about
  32    * what we store internally: pointer to a decorated object versus the whole
  33    * object itself. Googling for "SFINAE" can help to understand the code. */
  34   template <typename T = void,
  35             typename std::enable_if<
  36     std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  37   DerefedDecorateeT& get_decoratee() {
  38     return *decoratee;
  39   }
  40
  41   template <typename T = void,
  42             typename std::enable_if<
  43     ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  44   DerefedDecorateeT& get_decoratee() {
  45     return decoratee;
  46   }
  47
  48   template <typename T = void,
  49             typename std::enable_if<
  50     std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  51   const DerefedDecorateeT& get_decoratee() const {
  52     return *decoratee;
  53   }
  54
  55   template <typename T = void,
  56             typename std::enable_if<
  57     ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  58   const DerefedDecorateeT& get_decoratee() const {
  59     return decoratee;
  60   }
  61
  62 public:
  63   DecoratedApplier(DecorateeT&& decoratee)
  64     : decoratee(std::forward<DecorateeT>(decoratee)) {
  65   }
  66
  67   uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
  68     return get_decoratee().get_perms_from_aclspec(aclspec);
  69   }
  70
  71   bool is_admin_of(const rgw_user& uid) const override {
  72     return get_decoratee().is_admin_of(uid);
  73   }
  74
  75   bool is_owner_of(const rgw_user& uid) const override {
  76     return get_decoratee().is_owner_of(uid);
  77   }
  78
  79   uint32_t get_perm_mask() const override {
  80     return get_decoratee().get_perm_mask();
  81   }
  82
  83   void to_str(std::ostream& out) const override {
  84     get_decoratee().to_str(out);
  85   }
  86
  87   void load_acct_info(RGWUserInfo& user_info) const override {  /* out */
  88     return get_decoratee().load_acct_info(user_info);
  89   }
  90
  91   void modify_request_state(req_state * s) const override {     /* in/out */
  92     return get_decoratee().modify_request_state(s);
  93   }
  94 };
  95
  96
  97 template <typename T>
  98 class ThirdPartyAccountApplier : public DecoratedApplier<T> {
  99   /* const */RGWRados* const store;
 100   const rgw_user acct_user_override;
 101
 102 public:
 103   /* A value representing situations where there is no requested account
 104    * override. In other words, acct_user_override will be equal to this
 105    * constant where the request isn't a cross-tenant one. */
 106   static const rgw_user UNKNOWN_ACCT;
 107
 108   template <typename U>
 109   ThirdPartyAccountApplier(RGWRados* const store,
 110                            const rgw_user acct_user_override,
 111                            U&& decoratee)
 112     : DecoratedApplier<T>(std::move(decoratee)),
 113       store(store),
 114       acct_user_override(acct_user_override) {
 115   }
 116
 117   void to_str(std::ostream& out) const override;
 118   void load_acct_info(RGWUserInfo& user_info) const override;   /* out */
 119 };
 120
 121 /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
 122  * of the default construction. */
 123 template <typename T>
 124 const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
 125
 126 template <typename T>
 127 void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
 128 {
 129   out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
 130       <<   " -> ";
 131   DecoratedApplier<T>::to_str(out);
 132 }
 133
 134 template <typename T>
 135 void ThirdPartyAccountApplier<T>::load_acct_info(RGWUserInfo& user_info) const
 136 {
 137   if (UNKNOWN_ACCT == acct_user_override) {
 138     /* There is no override specified by the upper layer. This means that we'll
 139      * load the account owned by the authenticated identity (aka auth_user). */
 140     DecoratedApplier<T>::load_acct_info(user_info);
 141   } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
 142     /* The override has been specified but the account belongs to the authenticated
 143      * identity. We may safely forward the call to a next stage. */
 144     DecoratedApplier<T>::load_acct_info(user_info);
 145   } else {
 146     /* Compatibility mechanism for multi-tenancy. For more details refer to
 147      * load_acct_info method of rgw::auth::RemoteApplier. */
 148     if (acct_user_override.tenant.empty()) {
 149       const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
 150
 151       if (rgw_get_user_info_by_uid(store, tenanted_uid, user_info) >= 0) {
 152         /* Succeeded. */
 153         return;
 154       }
 155     }
 156
 157     const int ret = rgw_get_user_info_by_uid(store, acct_user_override, user_info);
 158     if (ret < 0) {
 159       /* We aren't trying to recover from ENOENT here. It's supposed that creating
 160        * someone else's account isn't a thing we want to support in this filter. */
 161       if (ret == -ENOENT) {
 162         throw -EACCES;
 163       } else {
 164         throw ret;
 165       }
 166     }
 167
 168   }
 169 }
 170
 171 template <typename T> static inline
 172 ThirdPartyAccountApplier<T> add_3rdparty(RGWRados* const store,
 173                                          const rgw_user acct_user_override,
 174                                          T&& t) {
 175   return ThirdPartyAccountApplier<T>(store, acct_user_override,
 176                                      std::forward<T>(t));
 177 }
 178
 179
 180 template <typename T>
 181 class SysReqApplier : public DecoratedApplier<T> {
 182   CephContext* const cct;
 183   /*const*/ RGWRados* const store;
 184   const RGWHTTPArgs& args;
 185   mutable boost::tribool is_system;
 186
 187 public:
 188   template <typename U>
 189   SysReqApplier(CephContext* const cct,
 190                 /*const*/ RGWRados* const store,
 191                 const req_state* const s,
 192                 U&& decoratee)
 193     : DecoratedApplier<T>(std::forward<T>(decoratee)),
 194       cct(cct),
 195       store(store),
 196       args(s->info.args),
 197       is_system(boost::logic::indeterminate) {
 198   }
 199
 200   void to_str(std::ostream& out) const override;
 201   void load_acct_info(RGWUserInfo& user_info) const override;   /* out */
 202   void modify_request_state(req_state* s) const override;       /* in/out */
 203 };
 204
 205 template <typename T>
 206 void SysReqApplier<T>::to_str(std::ostream& out) const
 207 {
 208   out << "rgw::auth::SysReqApplier" << " -> ";
 209   DecoratedApplier<T>::to_str(out);
 210 }
 211
 212 template <typename T>
 213 void SysReqApplier<T>::load_acct_info(RGWUserInfo& user_info) const
 214 {
 215   DecoratedApplier<T>::load_acct_info(user_info);
 216   is_system = user_info.system;
 217
 218   if (is_system) {
 219     //dout(20) << "system request" << dendl;
 220
 221     rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
 222     if (! effective_uid.empty()) {
 223       /* We aren't writing directly to user_info for consistency and security
 224        * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
 225        * calls ::decode instead. */
 226       RGWUserInfo euser_info;
 227       if (rgw_get_user_info_by_uid(store, effective_uid, euser_info) < 0) {
 228         //ldout(s->cct, 0) << "User lookup failed!" << dendl;
 229         throw -EACCES;
 230       }
 231       user_info = euser_info;
 232     }
 233   }
 234 }
 235
 236 template <typename T>
 237 void SysReqApplier<T>::modify_request_state(req_state* const s) const
 238 {
 239   if (boost::logic::indeterminate(is_system)) {
 240     RGWUserInfo unused_info;
 241     load_acct_info(unused_info);
 242   }
 243
 244   if (is_system) {
 245     s->info.args.set_system();
 246     s->system_request = true;
 247   }
 248 }
 249
 250 template <typename T> static inline
 251 SysReqApplier<T> add_sysreq(CephContext* const cct,
 252                             /* const */ RGWRados* const store,
 253                             const req_state* const s,
 254                             T&& t) {
 255   return SysReqApplier<T>(cct, store, s, std::forward<T>(t));
 256 }
 257
 258 } /* namespace auth */
 259 } /* namespace rgw */
 260
 261 #endif /* CEPH_RGW_AUTH_FILTERS_H */