ceph/src/rgw/rgw_auth_filters.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab ft=cpp
   3
   4 #ifndef CEPH_RGW_AUTH_FILTERS_H
   5 #define CEPH_RGW_AUTH_FILTERS_H
   6
   7 #include <type_traits>
   8
   9 #include <boost/logic/tribool.hpp>
  10 #include <boost/optional.hpp>
  11
  12 #include "rgw_service.h"
  13 #include "rgw_common.h"
  14 #include "rgw_auth.h"
  15 #include "rgw_user.h"
  16
  17 namespace rgw {
  18 namespace auth {
  19
  20 /* Abstract decorator over any implementation of rgw::auth::IdentityApplier
  21  * which could be provided both as a pointer-to-object or the object itself. */
  22 template <typename DecorateeT>
  23 class DecoratedApplier : public rgw::auth::IdentityApplier {
  24   typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
  25
  26   static_assert(std::is_base_of<rgw::auth::IdentityApplier,
  27                                 DerefedDecorateeT>::value,
  28                 "DecorateeT must be a subclass of rgw::auth::IdentityApplier");
  29
  30   DecorateeT decoratee;
  31
  32   /* There is an indirection layer over accessing decoratee to share the same
  33    * code base between dynamic and static decorators. The difference is about
  34    * what we store internally: pointer to a decorated object versus the whole
  35    * object itself. Googling for "SFINAE" can help to understand the code. */
  36   template <typename T = void,
  37             typename std::enable_if<
  38     std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  39   DerefedDecorateeT& get_decoratee() {
  40     return *decoratee;
  41   }
  42
  43   template <typename T = void,
  44             typename std::enable_if<
  45     ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  46   DerefedDecorateeT& get_decoratee() {
  47     return decoratee;
  48   }
  49
  50   template <typename T = void,
  51             typename std::enable_if<
  52     std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  53   const DerefedDecorateeT& get_decoratee() const {
  54     return *decoratee;
  55   }
  56
  57   template <typename T = void,
  58             typename std::enable_if<
  59     ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
  60   const DerefedDecorateeT& get_decoratee() const {
  61     return decoratee;
  62   }
  63
  64 public:
  65   explicit DecoratedApplier(DecorateeT&& decoratee)
  66     : decoratee(std::forward<DecorateeT>(decoratee)) {
  67   }
  68
  69   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
  70     return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
  71   }
  72
  73   bool is_admin_of(const rgw_user& uid) const override {
  74     return get_decoratee().is_admin_of(uid);
  75   }
  76
  77   bool is_owner_of(const rgw_user& uid) const override {
  78     return get_decoratee().is_owner_of(uid);
  79   }
  80
  81   bool is_anonymous() const override {
  82     return get_decoratee().is_anonymous();
  83   }
  84
  85   uint32_t get_perm_mask() const override {
  86     return get_decoratee().get_perm_mask();
  87   }
  88
  89   uint32_t get_identity_type() const override {
  90     return get_decoratee().get_identity_type();
  91   }
  92
  93   std::string get_acct_name() const override {
  94     return get_decoratee().get_acct_name();
  95   }
  96
  97   std::string get_subuser() const override {
  98     return get_decoratee().get_subuser();
  99   }
 100
 101   bool is_identity(
 102     const boost::container::flat_set<Principal>& ids) const override {
 103     return get_decoratee().is_identity(ids);
 104   }
 105
 106   void to_str(std::ostream& out) const override {
 107     get_decoratee().to_str(out);
 108   }
 109
 110   std::string get_role_tenant() const override {     /* in/out */
 111     return get_decoratee().get_role_tenant();
 112   }
 113
 114   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override {  /* out */
 115     return get_decoratee().load_acct_info(dpp, user_info);
 116   }
 117
 118   void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override {     /* in/out */
 119     return get_decoratee().modify_request_state(dpp, s);
 120   }
 121
 122   void write_ops_log_entry(rgw_log_entry& entry) const override {
 123     return get_decoratee().write_ops_log_entry(entry);
 124   }
 125 };
 126
 127
 128 template <typename T>
 129 class ThirdPartyAccountApplier : public DecoratedApplier<T> {
 130   rgw::sal::Store* store;
 131   const rgw_user acct_user_override;
 132
 133 public:
 134   /* A value representing situations where there is no requested account
 135    * override. In other words, acct_user_override will be equal to this
 136    * constant where the request isn't a cross-tenant one. */
 137   static const rgw_user UNKNOWN_ACCT;
 138
 139   template <typename U>
 140   ThirdPartyAccountApplier(rgw::sal::Store* store,
 141                            const rgw_user &acct_user_override,
 142                            U&& decoratee)
 143     : DecoratedApplier<T>(std::move(decoratee)),
 144       store(store),
 145       acct_user_override(acct_user_override) {
 146   }
 147
 148   void to_str(std::ostream& out) const override;
 149   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override;   /* out */
 150 };
 151
 152 /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
 153  * of the default construction. */
 154 template <typename T>
 155 const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
 156
 157 template <typename T>
 158 void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
 159 {
 160   out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
 161       <<   " -> ";
 162   DecoratedApplier<T>::to_str(out);
 163 }
 164
 165 template <typename T>
 166 void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
 167 {
 168   if (UNKNOWN_ACCT == acct_user_override) {
 169     /* There is no override specified by the upper layer. This means that we'll
 170      * load the account owned by the authenticated identity (aka auth_user). */
 171     DecoratedApplier<T>::load_acct_info(dpp, user_info);
 172   } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
 173     /* The override has been specified but the account belongs to the authenticated
 174      * identity. We may safely forward the call to a next stage. */
 175     DecoratedApplier<T>::load_acct_info(dpp, user_info);
 176   } else if (this->is_anonymous()) {
 177     /* If the user was authed by the anonymous engine then scope the ANON user
 178      * to the correct tenant */
 179     if (acct_user_override.tenant.empty())
 180       user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
 181     else
 182       user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
 183   } else {
 184     /* Compatibility mechanism for multi-tenancy. For more details refer to
 185      * load_acct_info method of rgw::auth::RemoteApplier. */
 186     std::unique_ptr<rgw::sal::User> user;
 187
 188     if (acct_user_override.tenant.empty()) {
 189       const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
 190       user = store->get_user(tenanted_uid);
 191
 192       if (user->load_user(dpp, null_yield) >= 0) {
 193         user_info = user->get_info();
 194         /* Succeeded. */
 195         return;
 196       }
 197     }
 198
 199     user = store->get_user(acct_user_override);
 200     const int ret = user->load_user(dpp, null_yield);
 201     if (ret < 0) {
 202       /* We aren't trying to recover from ENOENT here. It's supposed that creating
 203        * someone else's account isn't a thing we want to support in this filter. */
 204       if (ret == -ENOENT) {
 205         throw -EACCES;
 206       } else {
 207         throw ret;
 208       }
 209     }
 210     user_info = user->get_info();
 211   }
 212 }
 213
 214 template <typename T> static inline
 215 ThirdPartyAccountApplier<T> add_3rdparty(rgw::sal::Store* store,
 216                                          const rgw_user &acct_user_override,
 217                                          T&& t) {
 218   return ThirdPartyAccountApplier<T>(store, acct_user_override,
 219                                      std::forward<T>(t));
 220 }
 221
 222
 223 template <typename T>
 224 class SysReqApplier : public DecoratedApplier<T> {
 225   CephContext* const cct;
 226   rgw::sal::Store* store;
 227   const RGWHTTPArgs& args;
 228   mutable boost::tribool is_system;
 229
 230 public:
 231   template <typename U>
 232   SysReqApplier(CephContext* const cct,
 233                 rgw::sal::Store* store,
 234                 const req_state* const s,
 235                 U&& decoratee)
 236     : DecoratedApplier<T>(std::forward<T>(decoratee)),
 237       cct(cct),
 238       store(store),
 239       args(s->info.args),
 240       is_system(boost::logic::indeterminate) {
 241   }
 242
 243   void to_str(std::ostream& out) const override;
 244   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override;   /* out */
 245   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;       /* in/out */
 246 };
 247
 248 template <typename T>
 249 void SysReqApplier<T>::to_str(std::ostream& out) const
 250 {
 251   out << "rgw::auth::SysReqApplier" << " -> ";
 252   DecoratedApplier<T>::to_str(out);
 253 }
 254
 255 template <typename T>
 256 void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
 257 {
 258   DecoratedApplier<T>::load_acct_info(dpp, user_info);
 259   is_system = user_info.system;
 260
 261   if (is_system) {
 262     //ldpp_dout(dpp, 20) << "system request" << dendl;
 263
 264     rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
 265     if (! effective_uid.empty()) {
 266       /* We aren't writing directly to user_info for consistency and security
 267        * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
 268        * calls ::decode instead. */
 269       std::unique_ptr<rgw::sal::User> user = store->get_user(effective_uid);
 270       if (user->load_user(dpp, null_yield) < 0) {
 271         //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
 272         throw -EACCES;
 273       }
 274       user_info = user->get_info();
 275     }
 276   }
 277 }
 278
 279 template <typename T>
 280 void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
 281 {
 282   if (boost::logic::indeterminate(is_system)) {
 283     RGWUserInfo unused_info;
 284     load_acct_info(dpp, unused_info);
 285   }
 286
 287   if (is_system) {
 288     s->info.args.set_system();
 289     s->system_request = true;
 290   }
 291   DecoratedApplier<T>::modify_request_state(dpp, s);
 292 }
 293
 294 template <typename T> static inline
 295 SysReqApplier<T> add_sysreq(CephContext* const cct,
 296                             rgw::sal::Store* store,
 297                             const req_state* const s,
 298                             T&& t) {
 299   return SysReqApplier<T>(cct, store, s, std::forward<T>(t));
 300 }
 301
 302 } /* namespace auth */
 303 } /* namespace rgw */
 304
 305 #endif /* CEPH_RGW_AUTH_FILTERS_H */