]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_iam_policy.h
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
import ceph 16.2.6
[ceph.git] / ceph / src / rgw / rgw_iam_policy.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #ifndef CEPH_RGW_IAM_POLICY_H
5 #define CEPH_RGW_IAM_POLICY_H
6
7 #include <bitset>
8 #include <chrono>
9 #include <cstdint>
10 #include <iostream>
11 #include <string>
12 #include <string_view>
13
14 #include <boost/algorithm/string/predicate.hpp>
15 #include <boost/container/flat_map.hpp>
16 #include <boost/container/flat_set.hpp>
17 #include <boost/optional.hpp>
18 #include <boost/thread/shared_mutex.hpp>
19 #include <boost/variant.hpp>
20
21 #include "common/ceph_time.h"
22 #include "common/iso_8601.h"
23
24 #include "rapidjson/error/error.h"
25 #include "rapidjson/error/en.h"
26
27 #include "rgw_acl.h"
28 #include "rgw_basic_types.h"
29 #include "rgw_iam_policy_keywords.h"
30 #include "rgw_string.h"
31 #include "rgw_arn.h"
32
33 namespace rgw {
34 namespace auth {
35 class Identity;
36 }
37 }
38
39 namespace rgw {
40 namespace IAM {
41
42 static constexpr std::uint64_t s3GetObject = 0;
43 static constexpr std::uint64_t s3GetObjectVersion = 1;
44 static constexpr std::uint64_t s3PutObject = 2;
45 static constexpr std::uint64_t s3GetObjectAcl = 3;
46 static constexpr std::uint64_t s3GetObjectVersionAcl = 4;
47 static constexpr std::uint64_t s3PutObjectAcl = 5;
48 static constexpr std::uint64_t s3PutObjectVersionAcl = 6;
49 static constexpr std::uint64_t s3DeleteObject = 7;
50 static constexpr std::uint64_t s3DeleteObjectVersion = 8;
51 static constexpr std::uint64_t s3ListMultipartUploadParts = 9;
52 static constexpr std::uint64_t s3AbortMultipartUpload = 10;
53 static constexpr std::uint64_t s3GetObjectTorrent = 11;
54 static constexpr std::uint64_t s3GetObjectVersionTorrent = 12;
55 static constexpr std::uint64_t s3RestoreObject = 13;
56 static constexpr std::uint64_t s3CreateBucket = 14;
57 static constexpr std::uint64_t s3DeleteBucket = 15;
58 static constexpr std::uint64_t s3ListBucket = 16;
59 static constexpr std::uint64_t s3ListBucketVersions = 17;
60 static constexpr std::uint64_t s3ListAllMyBuckets = 18;
61 static constexpr std::uint64_t s3ListBucketMultipartUploads = 19;
62 static constexpr std::uint64_t s3GetAccelerateConfiguration = 20;
63 static constexpr std::uint64_t s3PutAccelerateConfiguration = 21;
64 static constexpr std::uint64_t s3GetBucketAcl = 22;
65 static constexpr std::uint64_t s3PutBucketAcl = 23;
66 static constexpr std::uint64_t s3GetBucketCORS = 24;
67 static constexpr std::uint64_t s3PutBucketCORS = 25;
68 static constexpr std::uint64_t s3GetBucketVersioning = 26;
69 static constexpr std::uint64_t s3PutBucketVersioning = 27;
70 static constexpr std::uint64_t s3GetBucketRequestPayment = 28;
71 static constexpr std::uint64_t s3PutBucketRequestPayment = 29;
72 static constexpr std::uint64_t s3GetBucketLocation = 30;
73 static constexpr std::uint64_t s3GetBucketPolicy = 31;
74 static constexpr std::uint64_t s3DeleteBucketPolicy = 32;
75 static constexpr std::uint64_t s3PutBucketPolicy = 33;
76 static constexpr std::uint64_t s3GetBucketNotification = 34;
77 static constexpr std::uint64_t s3PutBucketNotification = 35;
78 static constexpr std::uint64_t s3GetBucketLogging = 36;
79 static constexpr std::uint64_t s3PutBucketLogging = 37;
80 static constexpr std::uint64_t s3GetBucketTagging = 38;
81 static constexpr std::uint64_t s3PutBucketTagging = 39;
82 static constexpr std::uint64_t s3GetBucketWebsite = 40;
83 static constexpr std::uint64_t s3PutBucketWebsite = 41;
84 static constexpr std::uint64_t s3DeleteBucketWebsite = 42;
85 static constexpr std::uint64_t s3GetLifecycleConfiguration = 43;
86 static constexpr std::uint64_t s3PutLifecycleConfiguration = 44;
87 static constexpr std::uint64_t s3PutReplicationConfiguration = 45;
88 static constexpr std::uint64_t s3GetReplicationConfiguration = 46;
89 static constexpr std::uint64_t s3DeleteReplicationConfiguration = 47;
90 static constexpr std::uint64_t s3GetObjectTagging = 48;
91 static constexpr std::uint64_t s3PutObjectTagging = 49;
92 static constexpr std::uint64_t s3DeleteObjectTagging = 50;
93 static constexpr std::uint64_t s3GetObjectVersionTagging = 51;
94 static constexpr std::uint64_t s3PutObjectVersionTagging = 52;
95 static constexpr std::uint64_t s3DeleteObjectVersionTagging = 53;
96 static constexpr std::uint64_t s3PutBucketObjectLockConfiguration = 54;
97 static constexpr std::uint64_t s3GetBucketObjectLockConfiguration = 55;
98 static constexpr std::uint64_t s3PutObjectRetention = 56;
99 static constexpr std::uint64_t s3GetObjectRetention = 57;
100 static constexpr std::uint64_t s3PutObjectLegalHold = 58;
101 static constexpr std::uint64_t s3GetObjectLegalHold = 59;
102 static constexpr std::uint64_t s3BypassGovernanceRetention = 60;
103 static constexpr std::uint64_t s3GetBucketPolicyStatus = 61;
104 static constexpr std::uint64_t s3PutPublicAccessBlock = 62;
105 static constexpr std::uint64_t s3GetPublicAccessBlock = 63;
106 static constexpr std::uint64_t s3DeletePublicAccessBlock = 64;
107 static constexpr std::uint64_t s3GetBucketPublicAccessBlock = 65;
108 static constexpr std::uint64_t s3PutBucketPublicAccessBlock = 66;
109 static constexpr std::uint64_t s3DeleteBucketPublicAccessBlock = 67;
110 static constexpr std::uint64_t s3All = 68;
111
112 static constexpr std::uint64_t iamPutUserPolicy = s3All + 1;
113 static constexpr std::uint64_t iamGetUserPolicy = s3All + 2;
114 static constexpr std::uint64_t iamDeleteUserPolicy = s3All + 3;
115 static constexpr std::uint64_t iamListUserPolicies = s3All + 4;
116 static constexpr std::uint64_t iamCreateRole = s3All + 5;
117 static constexpr std::uint64_t iamDeleteRole = s3All + 6;
118 static constexpr std::uint64_t iamModifyRole = s3All + 7;
119 static constexpr std::uint64_t iamGetRole = s3All + 8;
120 static constexpr std::uint64_t iamListRoles = s3All + 9;
121 static constexpr std::uint64_t iamPutRolePolicy = s3All + 10;
122 static constexpr std::uint64_t iamGetRolePolicy = s3All + 11;
123 static constexpr std::uint64_t iamListRolePolicies = s3All + 12;
124 static constexpr std::uint64_t iamDeleteRolePolicy = s3All + 13;
125 static constexpr std::uint64_t iamCreateOIDCProvider = s3All + 14;
126 static constexpr std::uint64_t iamDeleteOIDCProvider = s3All + 15;
127 static constexpr std::uint64_t iamGetOIDCProvider = s3All + 16;
128 static constexpr std::uint64_t iamListOIDCProviders = s3All + 17;
129 static constexpr std::uint64_t iamAll = s3All + 18;
130
131 static constexpr std::uint64_t stsAssumeRole = iamAll + 1;
132 static constexpr std::uint64_t stsAssumeRoleWithWebIdentity = iamAll + 2;
133 static constexpr std::uint64_t stsGetSessionToken = iamAll + 3;
134 static constexpr std::uint64_t stsAll = iamAll + 4;
135
136 static constexpr std::uint64_t s3Count = s3All;
137 static constexpr std::uint64_t allCount = stsAll + 1;
138
139 using Action_t = std::bitset<allCount>;
140 using NotAction_t = Action_t;
141
142 template <size_t N>
143 constexpr std::bitset<N> make_bitmask(size_t s) {
144 // unfortunately none of the shift/logic operators of std::bitset have a constexpr variation
145 return s < 64 ? std::bitset<N> ((1ULL << s) - 1) :
146 std::bitset<N>((1ULL << 63) - 1) | make_bitmask<N> (s - 63) << 63;
147 }
148
149 template <size_t N>
150 constexpr std::bitset<N> set_cont_bits(size_t start, size_t end)
151 {
152 return (make_bitmask<N>(end - start)) << start;
153 }
154
155 static const Action_t None(0);
156 static const Action_t s3AllValue = set_cont_bits<allCount>(0,s3All);
157 static const Action_t iamAllValue = set_cont_bits<allCount>(s3All+1,iamAll);
158 static const Action_t stsAllValue = set_cont_bits<allCount>(iamAll+1,stsAll);
159 static const Action_t allValue = set_cont_bits<allCount>(0,allCount);
160
161 namespace {
162 // Please update the table in doc/radosgw/s3/authentication.rst if you
163 // modify this function.
164 inline int op_to_perm(std::uint64_t op) {
165 switch (op) {
166 case s3GetObject:
167 case s3GetObjectTorrent:
168 case s3GetObjectVersion:
169 case s3GetObjectVersionTorrent:
170 case s3GetObjectTagging:
171 case s3GetObjectVersionTagging:
172 case s3GetObjectRetention:
173 case s3GetObjectLegalHold:
174 case s3ListAllMyBuckets:
175 case s3ListBucket:
176 case s3ListBucketMultipartUploads:
177 case s3ListBucketVersions:
178 case s3ListMultipartUploadParts:
179 return RGW_PERM_READ;
180
181 case s3AbortMultipartUpload:
182 case s3CreateBucket:
183 case s3DeleteBucket:
184 case s3DeleteObject:
185 case s3DeleteObjectVersion:
186 case s3PutObject:
187 case s3PutObjectTagging:
188 case s3PutObjectVersionTagging:
189 case s3DeleteObjectTagging:
190 case s3DeleteObjectVersionTagging:
191 case s3RestoreObject:
192 case s3PutObjectRetention:
193 case s3PutObjectLegalHold:
194 case s3BypassGovernanceRetention:
195 return RGW_PERM_WRITE;
196
197 case s3GetAccelerateConfiguration:
198 case s3GetBucketAcl:
199 case s3GetBucketCORS:
200 case s3GetBucketLocation:
201 case s3GetBucketLogging:
202 case s3GetBucketNotification:
203 case s3GetBucketPolicy:
204 case s3GetBucketPolicyStatus:
205 case s3GetBucketRequestPayment:
206 case s3GetBucketTagging:
207 case s3GetBucketVersioning:
208 case s3GetBucketWebsite:
209 case s3GetLifecycleConfiguration:
210 case s3GetObjectAcl:
211 case s3GetObjectVersionAcl:
212 case s3GetReplicationConfiguration:
213 case s3GetBucketObjectLockConfiguration:
214 case s3GetBucketPublicAccessBlock:
215 return RGW_PERM_READ_ACP;
216
217 case s3DeleteBucketPolicy:
218 case s3DeleteBucketWebsite:
219 case s3DeleteReplicationConfiguration:
220 case s3PutAccelerateConfiguration:
221 case s3PutBucketAcl:
222 case s3PutBucketCORS:
223 case s3PutBucketLogging:
224 case s3PutBucketNotification:
225 case s3PutBucketPolicy:
226 case s3PutBucketRequestPayment:
227 case s3PutBucketTagging:
228 case s3PutBucketVersioning:
229 case s3PutBucketWebsite:
230 case s3PutLifecycleConfiguration:
231 case s3PutObjectAcl:
232 case s3PutObjectVersionAcl:
233 case s3PutReplicationConfiguration:
234 case s3PutBucketObjectLockConfiguration:
235 case s3PutBucketPublicAccessBlock:
236 return RGW_PERM_WRITE_ACP;
237
238 case s3All:
239 return RGW_PERM_FULL_CONTROL;
240 }
241 return RGW_PERM_INVALID;
242 }
243 }
244
245 enum class PolicyPrincipal {
246 Role,
247 Session,
248 Other
249 };
250
251 using Environment = boost::container::flat_map<std::string, std::string>;
252
253 using Address = std::bitset<128>;
254 struct MaskedIP {
255 bool v6;
256 Address addr;
257 // Since we're mapping IPv6 to IPv4 addresses, we may want to
258 // consider making the prefix always be in terms of a v6 address
259 // and just use the v6 bit to rewrite it as a v4 prefix for
260 // output.
261 unsigned int prefix;
262 };
263
264 std::ostream& operator <<(std::ostream& m, const MaskedIP& ip);
265
266 inline bool operator ==(const MaskedIP& l, const MaskedIP& r) {
267 auto shift = std::max((l.v6 ? 128 : 32) - ((int) l.prefix),
268 (r.v6 ? 128 : 32) - ((int) r.prefix));
269 ceph_assert(shift >= 0);
270 return (l.addr >> shift) == (r.addr >> shift);
271 }
272
273 struct Condition {
274 TokenID op;
275 // Originally I was going to use a perfect hash table, but Marcus
276 // says keys are to be added at run-time not compile time.
277
278 // In future development, use symbol internment.
279 std::string key;
280 bool ifexists = false;
281 // Much to my annoyance there is no actual way to do this in a
282 // typed way that is compatible with AWS. I know this because I've
283 // seen examples where the same value is used as a string in one
284 // context and a date in another.
285 std::vector<std::string> vals;
286
287 Condition() = default;
288 Condition(TokenID op, const char* s, std::size_t len, bool ifexists)
289 : op(op), key(s, len), ifexists(ifexists) {}
290
291 bool eval(const Environment& e) const;
292
293 static boost::optional<double> as_number(const std::string& s) {
294 std::size_t p = 0;
295
296 try {
297 double d = std::stod(s, &p);
298 if (p < s.length()) {
299 return boost::none;
300 }
301
302 return d;
303 } catch (const std::logic_error& e) {
304 return boost::none;
305 }
306 }
307
308 static boost::optional<ceph::real_time> as_date(const std::string& s) {
309 std::size_t p = 0;
310
311 try {
312 double d = std::stod(s, &p);
313 if (p == s.length()) {
314 return ceph::real_time(
315 std::chrono::seconds(static_cast<uint64_t>(d)) +
316 std::chrono::nanoseconds(
317 static_cast<uint64_t>((d - static_cast<uint64_t>(d))
318 * 1000000000)));
319 }
320
321 return from_iso_8601(std::string_view(s), false);
322 } catch (const std::logic_error& e) {
323 return boost::none;
324 }
325 }
326
327 static boost::optional<bool> as_bool(const std::string& s) {
328 std::size_t p = 0;
329
330 if (s.empty() || boost::iequals(s, "false")) {
331 return false;
332 }
333
334 try {
335 double d = std::stod(s, &p);
336 if (p == s.length()) {
337 return !((d == +0.0) || (d == -0.0) || std::isnan(d));
338 }
339 } catch (const std::logic_error& e) {
340 // Fallthrough
341 }
342
343 return true;
344 }
345
346 static boost::optional<ceph::bufferlist> as_binary(const std::string& s) {
347 // In a just world
348 ceph::bufferlist base64;
349 // I could populate a bufferlist
350 base64.push_back(buffer::create_static(
351 s.length(),
352 const_cast<char*>(s.data()))); // Yuck
353 // From a base64 encoded std::string.
354 ceph::bufferlist bin;
355
356 try {
357 bin.decode_base64(base64);
358 } catch (const ceph::buffer::malformed_input& e) {
359 return boost::none;
360 }
361 return bin;
362 }
363
364 static boost::optional<MaskedIP> as_network(const std::string& s);
365
366
367 struct ci_equal_to {
368 bool operator ()(const std::string& s1,
369 const std::string& s2) const {
370 return boost::iequals(s1, s2);
371 }
372 };
373
374 struct string_like {
375 bool operator ()(const std::string& input,
376 const std::string& pattern) const {
377 return match_wildcards(pattern, input, 0);
378 }
379 };
380
381 struct ci_starts_with {
382 bool operator()(const std::string& s1,
383 const std::string& s2) const {
384 return boost::istarts_with(s1, s2);
385 }
386 };
387
388 template<typename F>
389 static bool orrible(F&& f, const std::string& c,
390 const std::vector<std::string>& v) {
391 for (const auto& d : v) {
392 if (std::forward<F>(f)(c, d)) {
393 return true;
394 }
395 }
396 return false;
397 }
398
399 template<typename F, typename X>
400 static bool shortible(F&& f, X& x, const std::string& c,
401 const std::vector<std::string>& v) {
402 auto xc = std::forward<X>(x)(c);
403 if (!xc) {
404 return false;
405 }
406
407 for (const auto& d : v) {
408 auto xd = std::forward<X>(x)(d);
409 if (!xd) {
410 continue;
411 }
412
413 if (std::forward<F>(f)(*xc, *xd)) {
414 return true;
415 }
416 }
417 return false;
418 }
419
420 template <typename F>
421 bool has_key_p(const std::string& _key, F p) const {
422 return p(key, _key);
423 }
424 };
425
426 std::ostream& operator <<(std::ostream& m, const Condition& c);
427
428 struct Statement {
429 boost::optional<std::string> sid = boost::none;
430
431 boost::container::flat_set<rgw::auth::Principal> princ;
432 boost::container::flat_set<rgw::auth::Principal> noprinc;
433
434 // Every statement MUST provide an effect. I just initialize it to
435 // deny as defensive programming.
436 Effect effect = Effect::Deny;
437
438 Action_t action = 0;
439 NotAction_t notaction = 0;
440
441 boost::container::flat_set<ARN> resource;
442 boost::container::flat_set<ARN> notresource;
443
444 std::vector<Condition> conditions;
445
446 Effect eval(const Environment& e,
447 boost::optional<const rgw::auth::Identity&> ida,
448 std::uint64_t action, const ARN& resource, boost::optional<PolicyPrincipal&> princ_type=boost::none) const;
449
450 Effect eval_principal(const Environment& e,
451 boost::optional<const rgw::auth::Identity&> ida, boost::optional<PolicyPrincipal&> princ_type=boost::none) const;
452
453 Effect eval_conditions(const Environment& e) const;
454 };
455
456 std::ostream& operator <<(ostream& m, const Statement& s);
457
458 struct PolicyParseException : public std::exception {
459 rapidjson::ParseResult pr;
460
461 explicit PolicyParseException(rapidjson::ParseResult&& pr)
462 : pr(pr) { }
463 const char* what() const noexcept override {
464 return rapidjson::GetParseError_En(pr.Code());
465 }
466 };
467
468 struct Policy {
469 std::string text;
470 Version version = Version::v2008_10_17;
471 boost::optional<std::string> id = boost::none;
472
473 std::vector<Statement> statements;
474
475 Policy(CephContext* cct, const std::string& tenant,
476 const bufferlist& text);
477
478 Effect eval(const Environment& e,
479 boost::optional<const rgw::auth::Identity&> ida,
480 std::uint64_t action, const ARN& resource, boost::optional<PolicyPrincipal&> princ_type=boost::none) const;
481
482 Effect eval_principal(const Environment& e,
483 boost::optional<const rgw::auth::Identity&> ida, boost::optional<PolicyPrincipal&> princ_type=boost::none) const;
484
485 Effect eval_conditions(const Environment& e) const;
486
487 template <typename F>
488 bool has_conditional(const string& conditional, F p) const {
489 for (const auto&s: statements){
490 if (std::any_of(s.conditions.begin(), s.conditions.end(),
491 [&](const Condition& c) { return c.has_key_p(conditional, p);}))
492 return true;
493 }
494 return false;
495 }
496
497 bool has_conditional(const string& c) const {
498 return has_conditional(c, Condition::ci_equal_to());
499 }
500
501 bool has_partial_conditional(const string& c) const {
502 return has_conditional(c, Condition::ci_starts_with());
503 }
504 };
505
506 std::ostream& operator <<(ostream& m, const Policy& p);
507 bool is_public(const Policy& p);
508
509 }
510 }
511
512 #endif
Ceph