]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_auth_filters.h
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bump version to 15.2.4-pve1
[ceph.git] / ceph / src / rgw / rgw_auth_filters.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #ifndef CEPH_RGW_AUTH_FILTERS_H
5 #define CEPH_RGW_AUTH_FILTERS_H
6
7 #include <type_traits>
8
9 #include <boost/logic/tribool.hpp>
10 #include <boost/optional.hpp>
11
12 #include "rgw_common.h"
13 #include "rgw_auth.h"
14
15 namespace rgw {
16 namespace auth {
17
18 /* Abstract decorator over any implementation of rgw::auth::IdentityApplier
19 * which could be provided both as a pointer-to-object or the object itself. */
20 template <typename DecorateeT>
21 class DecoratedApplier : public rgw::auth::IdentityApplier {
22 typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
23
24 static_assert(std::is_base_of<rgw::auth::IdentityApplier,
25 DerefedDecorateeT>::value,
26 "DecorateeT must be a subclass of rgw::auth::IdentityApplier");
27
28 DecorateeT decoratee;
29
30 /* There is an indirection layer over accessing decoratee to share the same
31 * code base between dynamic and static decorators. The difference is about
32 * what we store internally: pointer to a decorated object versus the whole
33 * object itself. Googling for "SFINAE" can help to understand the code. */
34 template <typename T = void,
35 typename std::enable_if<
36 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
37 DerefedDecorateeT& get_decoratee() {
38 return *decoratee;
39 }
40
41 template <typename T = void,
42 typename std::enable_if<
43 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
44 DerefedDecorateeT& get_decoratee() {
45 return decoratee;
46 }
47
48 template <typename T = void,
49 typename std::enable_if<
50 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
51 const DerefedDecorateeT& get_decoratee() const {
52 return *decoratee;
53 }
54
55 template <typename T = void,
56 typename std::enable_if<
57 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
58 const DerefedDecorateeT& get_decoratee() const {
59 return decoratee;
60 }
61
62 public:
63 explicit DecoratedApplier(DecorateeT&& decoratee)
64 : decoratee(std::forward<DecorateeT>(decoratee)) {
65 }
66
67 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
68 return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
69 }
70
71 bool is_admin_of(const rgw_user& uid) const override {
72 return get_decoratee().is_admin_of(uid);
73 }
74
75 bool is_owner_of(const rgw_user& uid) const override {
76 return get_decoratee().is_owner_of(uid);
77 }
78
79 uint32_t get_perm_mask() const override {
80 return get_decoratee().get_perm_mask();
81 }
82
83 uint32_t get_identity_type() const override {
84 return get_decoratee().get_identity_type();
85 }
86
87 string get_acct_name() const override {
88 return get_decoratee().get_acct_name();
89 }
90
91 bool is_identity(
92 const boost::container::flat_set<Principal>& ids) const override {
93 return get_decoratee().is_identity(ids);
94 }
95
96 void to_str(std::ostream& out) const override {
97 get_decoratee().to_str(out);
98 }
99
100 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */
101 return get_decoratee().load_acct_info(dpp, user_info);
102 }
103
104 void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
105 return get_decoratee().modify_request_state(dpp, s);
106 }
107 };
108
109
110 template <typename T>
111 class ThirdPartyAccountApplier : public DecoratedApplier<T> {
112 /* const */RGWCtl* const ctl;
113 const rgw_user acct_user_override;
114
115 public:
116 /* A value representing situations where there is no requested account
117 * override. In other words, acct_user_override will be equal to this
118 * constant where the request isn't a cross-tenant one. */
119 static const rgw_user UNKNOWN_ACCT;
120
121 template <typename U>
122 ThirdPartyAccountApplier(RGWCtl* const ctl,
123 const rgw_user &acct_user_override,
124 U&& decoratee)
125 : DecoratedApplier<T>(std::move(decoratee)),
126 ctl(ctl),
127 acct_user_override(acct_user_override) {
128 }
129
130 void to_str(std::ostream& out) const override;
131 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
132 };
133
134 /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
135 * of the default construction. */
136 template <typename T>
137 const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
138
139 template <typename T>
140 void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
141 {
142 out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
143 << " -> ";
144 DecoratedApplier<T>::to_str(out);
145 }
146
147 template <typename T>
148 void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
149 {
150 if (UNKNOWN_ACCT == acct_user_override) {
151 /* There is no override specified by the upper layer. This means that we'll
152 * load the account owned by the authenticated identity (aka auth_user). */
153 DecoratedApplier<T>::load_acct_info(dpp, user_info);
154 } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
155 /* The override has been specified but the account belongs to the authenticated
156 * identity. We may safely forward the call to a next stage. */
157 DecoratedApplier<T>::load_acct_info(dpp, user_info);
158 } else {
159 /* Compatibility mechanism for multi-tenancy. For more details refer to
160 * load_acct_info method of rgw::auth::RemoteApplier. */
161 if (acct_user_override.tenant.empty()) {
162 const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
163
164 if (ctl->user->get_info_by_uid(tenanted_uid, &user_info, null_yield) >= 0) {
165 /* Succeeded. */
166 return;
167 }
168 }
169
170 const int ret = ctl->user->get_info_by_uid(acct_user_override, &user_info, null_yield);
171 if (ret < 0) {
172 /* We aren't trying to recover from ENOENT here. It's supposed that creating
173 * someone else's account isn't a thing we want to support in this filter. */
174 if (ret == -ENOENT) {
175 throw -EACCES;
176 } else {
177 throw ret;
178 }
179 }
180
181 }
182 }
183
184 template <typename T> static inline
185 ThirdPartyAccountApplier<T> add_3rdparty(RGWCtl* const ctl,
186 const rgw_user &acct_user_override,
187 T&& t) {
188 return ThirdPartyAccountApplier<T>(ctl, acct_user_override,
189 std::forward<T>(t));
190 }
191
192
193 template <typename T>
194 class SysReqApplier : public DecoratedApplier<T> {
195 CephContext* const cct;
196 /*const*/ RGWCtl* const ctl;
197 const RGWHTTPArgs& args;
198 mutable boost::tribool is_system;
199
200 public:
201 template <typename U>
202 SysReqApplier(CephContext* const cct,
203 /*const*/ RGWCtl* const ctl,
204 const req_state* const s,
205 U&& decoratee)
206 : DecoratedApplier<T>(std::forward<T>(decoratee)),
207 cct(cct),
208 ctl(ctl),
209 args(s->info.args),
210 is_system(boost::logic::indeterminate) {
211 }
212
213 void to_str(std::ostream& out) const override;
214 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
215 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */
216 };
217
218 template <typename T>
219 void SysReqApplier<T>::to_str(std::ostream& out) const
220 {
221 out << "rgw::auth::SysReqApplier" << " -> ";
222 DecoratedApplier<T>::to_str(out);
223 }
224
225 template <typename T>
226 void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
227 {
228 DecoratedApplier<T>::load_acct_info(dpp, user_info);
229 is_system = user_info.system;
230
231 if (is_system) {
232 //ldpp_dout(dpp, 20) << "system request" << dendl;
233
234 rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
235 if (! effective_uid.empty()) {
236 /* We aren't writing directly to user_info for consistency and security
237 * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
238 * calls ::decode instead. */
239 RGWUserInfo euser_info;
240 if (ctl->user->get_info_by_uid(effective_uid, &euser_info, null_yield) < 0) {
241 //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
242 throw -EACCES;
243 }
244 user_info = euser_info;
245 }
246 }
247 }
248
249 template <typename T>
250 void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
251 {
252 if (boost::logic::indeterminate(is_system)) {
253 RGWUserInfo unused_info;
254 load_acct_info(dpp, unused_info);
255 }
256
257 if (is_system) {
258 s->info.args.set_system();
259 s->system_request = true;
260 }
261 DecoratedApplier<T>::modify_request_state(dpp, s);
262 }
263
264 template <typename T> static inline
265 SysReqApplier<T> add_sysreq(CephContext* const cct,
266 /* const */ RGWCtl* const ctl,
267 const req_state* const s,
268 T&& t) {
269 return SysReqApplier<T>(cct, ctl, s, std::forward<T>(t));
270 }
271
272 } /* namespace auth */
273 } /* namespace rgw */
274
275 #endif /* CEPH_RGW_AUTH_FILTERS_H */
Ceph