1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 #ifndef CEPH_RGW_REST_S3_H
6 #define CEPH_RGW_REST_S3_H
7 #define TIME_BUF_SIZE 128
11 #include <boost/utility/string_view.hpp>
12 #include <boost/container/static_vector.hpp>
14 #include "common/backport14.h"
15 #include "common/sstring.hh"
18 #include "rgw_http_errors.h"
19 #include "rgw_acl_s3.h"
20 #include "rgw_policy_s3.h"
21 #include "rgw_lc_s3.h"
22 #include "rgw_keystone.h"
23 #include "rgw_rest_conn.h"
27 #include "rgw_token.h"
28 #include "include/assert.h"
31 #include "rgw_auth_filters.h"
33 #define RGW_AUTH_GRACE_MINS 15
35 struct rgw_http_error
{
40 void rgw_get_errno_s3(struct rgw_http_error
*e
, int err_no
);
42 class RGWGetObj_ObjStore_S3
: public RGWGetObj_ObjStore
45 // Serving a custom error page from an object is really a 200 response with
46 // just the status line altered.
47 int custom_http_ret
= 0;
48 std::map
<std::string
, std::string
> crypt_http_responses
;
50 RGWGetObj_ObjStore_S3() {}
51 ~RGWGetObj_ObjStore_S3() override
{}
53 int get_params() override
;
54 int send_response_data_error() override
;
55 int send_response_data(bufferlist
& bl
, off_t ofs
, off_t len
) override
;
56 void set_custom_http_response(int http_ret
) { custom_http_ret
= http_ret
; }
57 int get_decrypt_filter(std::unique_ptr
<RGWGetDataCB
>* filter
,
59 bufferlist
* manifest_bl
) override
;
62 class RGWGetObjTags_ObjStore_S3
: public RGWGetObjTags_ObjStore
66 RGWGetObjTags_ObjStore_S3() {}
67 ~RGWGetObjTags_ObjStore_S3() {}
69 void send_response_data(bufferlist
&bl
) override
;
72 class RGWPutObjTags_ObjStore_S3
: public RGWPutObjTags_ObjStore
75 RGWPutObjTags_ObjStore_S3() {}
76 ~RGWPutObjTags_ObjStore_S3() {}
78 int get_params() override
;
79 void send_response() override
;
82 class RGWDeleteObjTags_ObjStore_S3
: public RGWDeleteObjTags
85 ~RGWDeleteObjTags_ObjStore_S3() override
{}
86 void send_response() override
;
89 class RGWListBuckets_ObjStore_S3
: public RGWListBuckets_ObjStore
{
91 RGWListBuckets_ObjStore_S3() {}
92 ~RGWListBuckets_ObjStore_S3() override
{}
94 int get_params() override
{
95 limit
= -1; /* no limit */
98 void send_response_begin(bool has_buckets
) override
;
99 void send_response_data(RGWUserBuckets
& buckets
) override
;
100 void send_response_end() override
;
103 class RGWGetUsage_ObjStore_S3
: public RGWGetUsage_ObjStore
{
105 RGWGetUsage_ObjStore_S3() {}
106 ~RGWGetUsage_ObjStore_S3() override
{}
108 int get_params() override
;
109 void send_response() override
;
112 class RGWListBucket_ObjStore_S3
: public RGWListBucket_ObjStore
{
115 RGWListBucket_ObjStore_S3() : objs_container(false) {
118 ~RGWListBucket_ObjStore_S3() override
{}
120 int get_params() override
;
121 void send_response() override
;
122 void send_versioned_response();
125 class RGWGetBucketLogging_ObjStore_S3
: public RGWGetBucketLogging
{
127 RGWGetBucketLogging_ObjStore_S3() {}
128 ~RGWGetBucketLogging_ObjStore_S3() override
{}
130 void send_response() override
;
133 class RGWGetBucketLocation_ObjStore_S3
: public RGWGetBucketLocation
{
135 RGWGetBucketLocation_ObjStore_S3() {}
136 ~RGWGetBucketLocation_ObjStore_S3() override
{}
138 void send_response() override
;
141 class RGWGetBucketVersioning_ObjStore_S3
: public RGWGetBucketVersioning
{
143 RGWGetBucketVersioning_ObjStore_S3() {}
144 ~RGWGetBucketVersioning_ObjStore_S3() override
{}
146 void send_response() override
;
149 class RGWSetBucketVersioning_ObjStore_S3
: public RGWSetBucketVersioning
{
151 RGWSetBucketVersioning_ObjStore_S3() {}
152 ~RGWSetBucketVersioning_ObjStore_S3() override
{}
154 int get_params() override
;
155 void send_response() override
;
158 class RGWGetBucketWebsite_ObjStore_S3
: public RGWGetBucketWebsite
{
160 RGWGetBucketWebsite_ObjStore_S3() {}
161 ~RGWGetBucketWebsite_ObjStore_S3() override
{}
163 void send_response() override
;
166 class RGWSetBucketWebsite_ObjStore_S3
: public RGWSetBucketWebsite
{
168 RGWSetBucketWebsite_ObjStore_S3() {}
169 ~RGWSetBucketWebsite_ObjStore_S3() override
{}
171 int get_params() override
;
172 void send_response() override
;
175 class RGWDeleteBucketWebsite_ObjStore_S3
: public RGWDeleteBucketWebsite
{
177 RGWDeleteBucketWebsite_ObjStore_S3() {}
178 ~RGWDeleteBucketWebsite_ObjStore_S3() override
{}
180 void send_response() override
;
183 class RGWStatBucket_ObjStore_S3
: public RGWStatBucket_ObjStore
{
185 RGWStatBucket_ObjStore_S3() {}
186 ~RGWStatBucket_ObjStore_S3() override
{}
188 void send_response() override
;
191 class RGWCreateBucket_ObjStore_S3
: public RGWCreateBucket_ObjStore
{
193 RGWCreateBucket_ObjStore_S3() {}
194 ~RGWCreateBucket_ObjStore_S3() override
{}
196 int get_params() override
;
197 void send_response() override
;
200 class RGWDeleteBucket_ObjStore_S3
: public RGWDeleteBucket_ObjStore
{
202 RGWDeleteBucket_ObjStore_S3() {}
203 ~RGWDeleteBucket_ObjStore_S3() override
{}
205 void send_response() override
;
208 class RGWPutObj_ObjStore_S3
: public RGWPutObj_ObjStore
{
210 std::map
<std::string
, std::string
> crypt_http_responses
;
213 RGWPutObj_ObjStore_S3() {}
214 ~RGWPutObj_ObjStore_S3() override
{}
216 int get_params() override
;
217 int get_data(bufferlist
& bl
) override
;
218 void send_response() override
;
220 int get_encrypt_filter(std::unique_ptr
<RGWPutObjDataProcessor
>* filter
,
221 RGWPutObjDataProcessor
* cb
) override
;
222 int get_decrypt_filter(std::unique_ptr
<RGWGetDataCB
>* filter
,
224 map
<string
, bufferlist
>& attrs
,
225 bufferlist
* manifest_bl
) override
;
228 class RGWPostObj_ObjStore_S3
: public RGWPostObj_ObjStore
{
229 parts_collection_t parts
;
230 std::string filename
;
231 std::string content_type
;
233 RGWPolicy post_policy
;
234 map
<string
, string
> crypt_http_responses
;
236 const rgw::auth::StrategyRegistry
* auth_registry_ptr
= nullptr;
240 void rebuild_key(string
& key
);
242 std::string
get_current_filename() const override
;
243 std::string
get_current_content_type() const override
;
246 RGWPostObj_ObjStore_S3() {}
247 ~RGWPostObj_ObjStore_S3() override
{}
249 int verify_requester(const rgw::auth::StrategyRegistry
& auth_registry
) {
250 auth_registry_ptr
= &auth_registry
;
251 return RGWPostObj_ObjStore::verify_requester(auth_registry
);
254 int get_params() override
;
255 int complete_get_params();
257 void send_response() override
;
258 int get_data(ceph::bufferlist
& bl
, bool& again
) override
;
259 int get_encrypt_filter(std::unique_ptr
<RGWPutObjDataProcessor
>* filter
,
260 RGWPutObjDataProcessor
* cb
) override
;
263 class RGWDeleteObj_ObjStore_S3
: public RGWDeleteObj_ObjStore
{
265 RGWDeleteObj_ObjStore_S3() {}
266 ~RGWDeleteObj_ObjStore_S3() override
{}
268 int get_params() override
;
269 void send_response() override
;
272 class RGWCopyObj_ObjStore_S3
: public RGWCopyObj_ObjStore
{
275 RGWCopyObj_ObjStore_S3() : sent_header(false) {}
276 ~RGWCopyObj_ObjStore_S3() override
{}
278 int init_dest_policy() override
;
279 int get_params() override
;
280 void send_partial_response(off_t ofs
) override
;
281 void send_response() override
;
284 class RGWGetACLs_ObjStore_S3
: public RGWGetACLs_ObjStore
{
286 RGWGetACLs_ObjStore_S3() {}
287 ~RGWGetACLs_ObjStore_S3() override
{}
289 void send_response() override
;
292 class RGWPutACLs_ObjStore_S3
: public RGWPutACLs_ObjStore
{
294 RGWPutACLs_ObjStore_S3() {}
295 ~RGWPutACLs_ObjStore_S3() override
{}
297 int get_policy_from_state(RGWRados
*store
, struct req_state
*s
, stringstream
& ss
) override
;
298 void send_response() override
;
299 int get_params() override
;
302 class RGWGetLC_ObjStore_S3
: public RGWGetLC_ObjStore
{
304 RGWLifecycleConfiguration_S3 config
;
306 RGWGetLC_ObjStore_S3() {}
307 ~RGWGetLC_ObjStore_S3() override
{}
308 void execute() override
;
310 void send_response() override
;
313 class RGWPutLC_ObjStore_S3
: public RGWPutLC_ObjStore
{
315 RGWPutLC_ObjStore_S3() {}
316 ~RGWPutLC_ObjStore_S3() override
{}
318 void send_response() override
;
321 class RGWDeleteLC_ObjStore_S3
: public RGWDeleteLC_ObjStore
{
323 RGWDeleteLC_ObjStore_S3() {}
324 ~RGWDeleteLC_ObjStore_S3() override
{}
326 void send_response() override
;
329 class RGWGetCORS_ObjStore_S3
: public RGWGetCORS_ObjStore
{
331 RGWGetCORS_ObjStore_S3() {}
332 ~RGWGetCORS_ObjStore_S3() override
{}
334 void send_response() override
;
337 class RGWPutCORS_ObjStore_S3
: public RGWPutCORS_ObjStore
{
339 RGWPutCORS_ObjStore_S3() {}
340 ~RGWPutCORS_ObjStore_S3() override
{}
342 int get_params() override
;
343 void send_response() override
;
346 class RGWDeleteCORS_ObjStore_S3
: public RGWDeleteCORS_ObjStore
{
348 RGWDeleteCORS_ObjStore_S3() {}
349 ~RGWDeleteCORS_ObjStore_S3() override
{}
351 void send_response() override
;
354 class RGWOptionsCORS_ObjStore_S3
: public RGWOptionsCORS_ObjStore
{
356 RGWOptionsCORS_ObjStore_S3() {}
357 ~RGWOptionsCORS_ObjStore_S3() override
{}
359 void send_response() override
;
362 class RGWGetRequestPayment_ObjStore_S3
: public RGWGetRequestPayment
{
364 RGWGetRequestPayment_ObjStore_S3() {}
365 ~RGWGetRequestPayment_ObjStore_S3() override
{}
367 void send_response() override
;
370 class RGWSetRequestPayment_ObjStore_S3
: public RGWSetRequestPayment
{
372 RGWSetRequestPayment_ObjStore_S3() {}
373 ~RGWSetRequestPayment_ObjStore_S3() override
{}
375 int get_params() override
;
376 void send_response() override
;
379 class RGWInitMultipart_ObjStore_S3
: public RGWInitMultipart_ObjStore
{
381 std::map
<std::string
, std::string
> crypt_http_responses
;
383 RGWInitMultipart_ObjStore_S3() {}
384 ~RGWInitMultipart_ObjStore_S3() override
{}
386 int get_params() override
;
387 void send_response() override
;
388 int prepare_encryption(map
<string
, bufferlist
>& attrs
) override
;
391 class RGWCompleteMultipart_ObjStore_S3
: public RGWCompleteMultipart_ObjStore
{
393 RGWCompleteMultipart_ObjStore_S3() {}
394 ~RGWCompleteMultipart_ObjStore_S3() override
{}
396 int get_params() override
;
397 void send_response() override
;
400 class RGWAbortMultipart_ObjStore_S3
: public RGWAbortMultipart_ObjStore
{
402 RGWAbortMultipart_ObjStore_S3() {}
403 ~RGWAbortMultipart_ObjStore_S3() override
{}
405 void send_response() override
;
408 class RGWListMultipart_ObjStore_S3
: public RGWListMultipart_ObjStore
{
410 RGWListMultipart_ObjStore_S3() {}
411 ~RGWListMultipart_ObjStore_S3() override
{}
413 void send_response() override
;
416 class RGWListBucketMultiparts_ObjStore_S3
: public RGWListBucketMultiparts_ObjStore
{
418 RGWListBucketMultiparts_ObjStore_S3() {
421 ~RGWListBucketMultiparts_ObjStore_S3() override
{}
423 void send_response() override
;
426 class RGWDeleteMultiObj_ObjStore_S3
: public RGWDeleteMultiObj_ObjStore
{
428 RGWDeleteMultiObj_ObjStore_S3() {}
429 ~RGWDeleteMultiObj_ObjStore_S3() override
{}
431 int get_params() override
;
432 void send_status() override
;
433 void begin_response() override
;
434 void send_partial_response(rgw_obj_key
& key
, bool delete_marker
,
435 const string
& marker_version_id
, int ret
) override
;
436 void end_response() override
;
439 class RGWGetObjLayout_ObjStore_S3
: public RGWGetObjLayout
{
441 RGWGetObjLayout_ObjStore_S3() {}
442 ~RGWGetObjLayout_ObjStore_S3() {}
444 void send_response();
447 class RGWConfigBucketMetaSearch_ObjStore_S3
: public RGWConfigBucketMetaSearch
{
449 RGWConfigBucketMetaSearch_ObjStore_S3() {}
450 ~RGWConfigBucketMetaSearch_ObjStore_S3() {}
452 int get_params() override
;
453 void send_response() override
;
456 class RGWGetBucketMetaSearch_ObjStore_S3
: public RGWGetBucketMetaSearch
{
458 RGWGetBucketMetaSearch_ObjStore_S3() {}
459 ~RGWGetBucketMetaSearch_ObjStore_S3() {}
461 void send_response() override
;
464 class RGWDelBucketMetaSearch_ObjStore_S3
: public RGWDelBucketMetaSearch
{
466 RGWDelBucketMetaSearch_ObjStore_S3() {}
467 ~RGWDelBucketMetaSearch_ObjStore_S3() {}
469 void send_response() override
;
474 static int authorize(RGWRados
*store
,
475 const rgw::auth::StrategyRegistry
& auth_registry
,
476 struct req_state
*s
);
479 class RGWHandler_Auth_S3
: public RGWHandler_REST
{
480 friend class RGWRESTMgr_S3
;
482 const rgw::auth::StrategyRegistry
& auth_registry
;
485 RGWHandler_Auth_S3(const rgw::auth::StrategyRegistry
& auth_registry
)
487 auth_registry(auth_registry
) {
489 ~RGWHandler_Auth_S3() override
= default;
491 static int validate_bucket_name(const string
& bucket
);
492 static int validate_object_name(const string
& bucket
);
494 int init(RGWRados
*store
,
496 rgw::io::BasicClient
*cio
) override
;
497 int authorize() override
{
498 return RGW_Auth_S3::authorize(store
, auth_registry
, s
);
500 int postauth_init() override
{ return 0; }
503 class RGWHandler_REST_S3
: public RGWHandler_REST
{
504 friend class RGWRESTMgr_S3
;
506 const rgw::auth::StrategyRegistry
& auth_registry
;
508 static int init_from_header(struct req_state
*s
, int default_formatter
, bool configurable_format
);
510 RGWHandler_REST_S3(const rgw::auth::StrategyRegistry
& auth_registry
)
512 auth_registry(auth_registry
) {
514 ~RGWHandler_REST_S3() override
= default;
516 int init(RGWRados
*store
,
518 rgw::io::BasicClient
*cio
) override
;
519 int authorize() override
{
520 return RGW_Auth_S3::authorize(store
, auth_registry
, s
);
522 int postauth_init() override
;
525 class RGWHandler_REST_Service_S3
: public RGWHandler_REST_S3
{
528 return s
->info
.args
.exists("usage");
530 RGWOp
*op_get() override
;
531 RGWOp
*op_head() override
;
532 RGWOp
*op_post() override
;
534 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
535 ~RGWHandler_REST_Service_S3() override
= default;
538 class RGWHandler_REST_Bucket_S3
: public RGWHandler_REST_S3
{
541 return s
->info
.args
.exists("acl");
544 return s
->info
.args
.exists("cors");
547 return s
->info
.args
.exists("lifecycle");
549 bool is_obj_update_op() override
{
550 return is_acl_op() || is_cors_op();
552 bool is_request_payment_op() {
553 return s
->info
.args
.exists("requestPayment");
555 bool is_policy_op() {
556 return s
->info
.args
.exists("policy");
558 RGWOp
*get_obj_op(bool get_data
);
560 RGWOp
*op_get() override
;
561 RGWOp
*op_head() override
;
562 RGWOp
*op_put() override
;
563 RGWOp
*op_delete() override
;
564 RGWOp
*op_post() override
;
565 RGWOp
*op_options() override
;
567 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
568 ~RGWHandler_REST_Bucket_S3() override
= default;
571 class RGWHandler_REST_Obj_S3
: public RGWHandler_REST_S3
{
574 return s
->info
.args
.exists("acl");
577 return s
->info
.args
.exists("cors");
579 bool is_tagging_op() {
580 return s
->info
.args
.exists("tagging");
582 bool is_obj_update_op() override
{
583 return is_acl_op() || is_tagging_op() ;
585 RGWOp
*get_obj_op(bool get_data
);
587 RGWOp
*op_get() override
;
588 RGWOp
*op_head() override
;
589 RGWOp
*op_put() override
;
590 RGWOp
*op_delete() override
;
591 RGWOp
*op_post() override
;
592 RGWOp
*op_options() override
;
594 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
595 ~RGWHandler_REST_Obj_S3() override
= default;
598 class RGWRESTMgr_S3
: public RGWRESTMgr
{
600 bool enable_s3website
;
602 explicit RGWRESTMgr_S3(bool enable_s3website
= false)
603 : enable_s3website(enable_s3website
) {
606 ~RGWRESTMgr_S3() override
= default;
608 RGWHandler_REST
*get_handler(struct req_state
* s
,
609 const rgw::auth::StrategyRegistry
& auth_registry
,
610 const std::string
& frontend_prefix
) override
;
613 class RGWHandler_REST_Obj_S3Website
;
615 static inline bool looks_like_ip_address(const char *bucket
)
618 bool expect_period
= false;
619 for (const char *b
= bucket
; *b
; ++b
) {
626 expect_period
= false;
628 else if (isdigit(*b
)) {
629 expect_period
= true;
635 return (num_periods
== 3);
638 static inline int valid_s3_object_name(const string
& name
) {
639 if (name
.size() > 1024) {
640 return -ERR_INVALID_OBJECT_NAME
;
642 if (check_utf8(name
.c_str(), name
.size())) {
643 return -ERR_INVALID_OBJECT_NAME
;
648 static inline int valid_s3_bucket_name(const string
& name
, bool relaxed
=false)
650 // This function enforces Amazon's spec for bucket names.
651 // (The requirements, not the recommendations.)
652 int len
= name
.size();
655 return -ERR_INVALID_BUCKET_NAME
;
656 } else if (len
> 255) {
658 return -ERR_INVALID_BUCKET_NAME
;
661 // bucket names must start with a number, letter, or underscore
662 if (!(isalpha(name
[0]) || isdigit(name
[0]))) {
664 return -ERR_INVALID_BUCKET_NAME
;
665 else if (!(name
[0] == '_' || name
[0] == '.' || name
[0] == '-'))
666 return -ERR_INVALID_BUCKET_NAME
;
669 for (const char *s
= name
.c_str(); *s
; ++s
) {
671 if (isdigit(c
) || (c
== '.'))
675 if ((c
== '-') || (c
== '_'))
678 return -ERR_INVALID_BUCKET_NAME
;
681 if (looks_like_ip_address(name
.c_str()))
682 return -ERR_INVALID_BUCKET_NAME
;
692 class AWSEngine
: public rgw::auth::Engine
{
694 class VersionAbstractor
{
695 static constexpr size_t DIGEST_SIZE_V2
= CEPH_CRYPTO_HMACSHA1_DIGESTSIZE
;
696 static constexpr size_t DIGEST_SIZE_V4
= CEPH_CRYPTO_HMACSHA256_DIGESTSIZE
;
698 /* Knowing the signature max size allows us to employ the sstring, and thus
699 * avoid dynamic allocations. The multiplier comes from representing digest
700 * in the base64-encoded form. */
701 static constexpr size_t SIGNATURE_MAX_SIZE
= \
702 ceph::max(DIGEST_SIZE_V2
, DIGEST_SIZE_V4
) * 2 + sizeof('\0');
705 virtual ~VersionAbstractor() {};
707 using access_key_id_t
= boost::string_view
;
708 using client_signature_t
= boost::string_view
;
709 using server_signature_t
= basic_sstring
<char, uint16_t, SIGNATURE_MAX_SIZE
>;
710 using string_to_sign_t
= std::string
;
712 /* Transformation for crafting the AWS signature at server side which is
713 * used later to compare with the user-provided one. The methodology for
714 * doing that depends on AWS auth version. */
715 using signature_factory_t
= \
716 std::function
<server_signature_t(CephContext
* cct
,
717 const std::string
& secret_key
,
718 const string_to_sign_t
& string_to_sign
)>;
720 /* Return an instance of Completer for verifying the payload's fingerprint
721 * if necessary. Otherwise caller gets nullptr. Caller may provide secret
723 using completer_factory_t
= \
724 std::function
<rgw::auth::Completer::cmplptr_t(
725 const boost::optional
<std::string
>& secret_key
)>;
728 access_key_id_t access_key_id
;
729 client_signature_t client_signature
;
730 string_to_sign_t string_to_sign
;
731 signature_factory_t signature_factory
;
732 completer_factory_t completer_factory
;
735 virtual auth_data_t
get_auth_data(const req_state
* s
) const = 0;
740 const VersionAbstractor
& ver_abstractor
;
742 AWSEngine(CephContext
* const cct
, const VersionAbstractor
& ver_abstractor
)
744 ver_abstractor(ver_abstractor
) {
747 using result_t
= rgw::auth::Engine::result_t
;
748 using string_to_sign_t
= VersionAbstractor::string_to_sign_t
;
749 using signature_factory_t
= VersionAbstractor::signature_factory_t
;
750 using completer_factory_t
= VersionAbstractor::completer_factory_t
;
752 /* TODO(rzarzynski): clean up. We've too many input parameter hee. Also
753 * the signature get_auth_data() of VersionAbstractor is too complicated.
754 * Replace these thing with a simple, dedicated structure. */
755 virtual result_t
authenticate(const boost::string_view
& access_key_id
,
756 const boost::string_view
& signature
,
757 const string_to_sign_t
& string_to_sign
,
758 const signature_factory_t
& signature_factory
,
759 const completer_factory_t
& completer_factory
,
760 const req_state
* s
) const = 0;
763 result_t
authenticate(const req_state
* const s
) const final
;
767 class AWSGeneralAbstractor
: public AWSEngine::VersionAbstractor
{
768 CephContext
* const cct
;
770 bool is_time_skew_ok(const utime_t
& header_time
,
771 const bool qsr
) const;
773 virtual boost::optional
<std::string
>
774 get_v4_canonical_headers(const req_info
& info
,
775 const boost::string_view
& signedheaders
,
776 const bool using_qs
) const;
778 auth_data_t
get_auth_data_v2(const req_state
* s
) const;
779 auth_data_t
get_auth_data_v4(const req_state
* s
, bool using_qs
) const;
782 AWSGeneralAbstractor(CephContext
* const cct
)
786 auth_data_t
get_auth_data(const req_state
* s
) const override
;
789 class AWSGeneralBoto2Abstractor
: public AWSGeneralAbstractor
{
790 boost::optional
<std::string
>
791 get_v4_canonical_headers(const req_info
& info
,
792 const boost::string_view
& signedheaders
,
793 const bool using_qs
) const override
;
796 using AWSGeneralAbstractor::AWSGeneralAbstractor
;
799 class AWSBrowserUploadAbstractor
: public AWSEngine::VersionAbstractor
{
800 static std::string
to_string(ceph::bufferlist bl
) {
801 return std::string(bl
.c_str(),
802 static_cast<std::string::size_type
>(bl
.length()));
805 auth_data_t
get_auth_data_v2(const req_state
* s
) const;
806 auth_data_t
get_auth_data_v4(const req_state
* s
) const;
809 AWSBrowserUploadAbstractor(CephContext
*) {
812 auth_data_t
get_auth_data(const req_state
* s
) const override
;
816 class LDAPEngine
: public AWSEngine
{
817 static rgw::LDAPHelper
* ldh
;
818 static std::mutex mtx
;
820 static void init(CephContext
* const cct
);
822 using acl_strategy_t
= rgw::auth::RemoteApplier::acl_strategy_t
;
823 using auth_info_t
= rgw::auth::RemoteApplier::AuthInfo
;
824 using result_t
= rgw::auth::Engine::result_t
;
827 RGWRados
* const store
;
828 const rgw::auth::RemoteApplier::Factory
* const apl_factory
;
830 acl_strategy_t
get_acl_strategy() const;
831 auth_info_t
get_creds_info(const rgw::RGWToken
& token
) const noexcept
;
833 result_t
authenticate(const boost::string_view
& access_key_id
,
834 const boost::string_view
& signature
,
835 const string_to_sign_t
& string_to_sign
,
836 const signature_factory_t
&,
837 const completer_factory_t
& completer_factory
,
838 const req_state
* s
) const override
;
840 LDAPEngine(CephContext
* const cct
,
841 RGWRados
* const store
,
842 const VersionAbstractor
& ver_abstractor
,
843 const rgw::auth::RemoteApplier::Factory
* const apl_factory
)
844 : AWSEngine(cct
, ver_abstractor
),
846 apl_factory(apl_factory
) {
850 using AWSEngine::authenticate
;
852 const char* get_name() const noexcept override
{
853 return "rgw::auth::s3::LDAPEngine";
858 class LocalEngine
: public AWSEngine
{
859 RGWRados
* const store
;
860 const rgw::auth::LocalApplier::Factory
* const apl_factory
;
862 result_t
authenticate(const boost::string_view
& access_key_id
,
863 const boost::string_view
& signature
,
864 const string_to_sign_t
& string_to_sign
,
865 const signature_factory_t
& signature_factory
,
866 const completer_factory_t
& completer_factory
,
867 const req_state
* s
) const override
;
869 LocalEngine(CephContext
* const cct
,
870 RGWRados
* const store
,
871 const VersionAbstractor
& ver_abstractor
,
872 const rgw::auth::LocalApplier::Factory
* const apl_factory
)
873 : AWSEngine(cct
, ver_abstractor
),
875 apl_factory(apl_factory
) {
878 using AWSEngine::authenticate
;
880 const char* get_name() const noexcept override
{
881 return "rgw::auth::s3::LocalEngine";
886 class S3AnonymousEngine
: public rgw::auth::AnonymousEngine
{
887 bool is_applicable(const req_state
* s
) const noexcept override
;
890 /* Let's reuse the parent class' constructor. */
891 using rgw::auth::AnonymousEngine::AnonymousEngine
;
893 const char* get_name() const noexcept override
{
894 return "rgw::auth::s3::S3AnonymousEngine";
899 class S3AuthFactory
: public rgw::auth::RemoteApplier::Factory
,
900 public rgw::auth::LocalApplier::Factory
{
901 typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t
;
902 RGWRados
* const store
;
905 S3AuthFactory(RGWRados
* const store
)
909 aplptr_t
create_apl_remote(CephContext
* const cct
,
910 const req_state
* const s
,
911 rgw::auth::RemoteApplier::acl_strategy_t
&& acl_alg
,
912 const rgw::auth::RemoteApplier::AuthInfo info
915 new rgw::auth::RemoteApplier(cct
, store
, std::move(acl_alg
), info
,
916 cct
->_conf
->rgw_keystone_implicit_tenants
));
919 aplptr_t
create_apl_local(CephContext
* const cct
,
920 const req_state
* const s
,
921 const RGWUserInfo
& user_info
,
922 const std::string
& subuser
) const override
{
924 new rgw::auth::LocalApplier(cct
, user_info
, subuser
));
930 } /* namespace auth */
931 } /* namespace rgw */
934 #endif /* CEPH_RGW_REST_S3_H */