1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
7 #include "common/errno.h"
8 #include "common/Formatter.h"
9 #include "common/ceph_json.h"
11 #include "include/types.h"
12 #include "rgw_string.h"
14 #include "rgw_common.h"
17 #include "rgw_rest_user_policy.h"
19 #define dout_subsys ceph_subsys_rgw
// Bring the IAM policy type into scope; RGWPutUserPolicy::execute() constructs
// one purely to check that an uploaded document parses.
using rgw::IAM::Policy;
// Serialise the three response fields of a user-policy request into `f`.
// Whatever `policy` holds (the document text as read back from the user
// attribute in RGWGetUserPolicy::execute()) is emitted under "policydocument".
void RGWRestUserPolicy::dump(Formatter *f) const
{
  encode_json("policyname", policy_name, f);
  encode_json("username", user_name, f);
  encode_json("policydocument", policy, f);
}
// Finalise the response for a user-policy request: op_ret is translated into
// the request's error state. Original lines 31-32 and 34-38 are not in this
// listing, so the condition around the call and the remaining response
// handling cannot be read here.
void RGWRestUserPolicy::send_response()
{
  // [listing gap: original lines 31-32 are not shown]
  set_req_state_err(s, op_ret);
  // [listing gap: original lines 34-38 are not shown]
}
// Authorise the request: anonymous callers are rejected, callers holding the
// "user-policy" cap (see the check_caps() overrides) are admitted directly, and
// everyone else is checked against IAM user policy for the *target* user's ARN.
// The return statements of each branch (original lines 42-44, 46-48, 55-59)
// are not in this listing.
int RGWRestUserPolicy::verify_permission()
{
  if (s->auth.identity->is_anonymous()) {
    // [listing gap: original lines 42-44 are not shown]
  }

  // A zero result from check_caps() short-circuits the IAM evaluation below,
  // i.e. the admin cap alone is sufficient — presumably 0 means "cap held";
  // confirm against RGWUserCaps::check_cap().
  if(int ret = check_caps(s->user->caps); ret == 0) {
    // [listing gap: original lines 46-48 are not shown]
  }

  uint64_t op = get_op();
  // NOTE(review): this local shadows the member `user_name` that get_params()
  // fills in. It is also read straight from args.get(), whereas
  // RGWPutUserPolicy::get_params() runs the same argument through
  // url_decode(..., true); if those two strings can differ for an encoded name,
  // the ARN authorised here would not be the user that is later modified.
  string user_name = s->info.args.get("UserName");
  rgw_user user_id(user_name);
  // Style: the outer rgw::ARN(...) only copies the inner temporary.
  if (! verify_user_permission(this, s, rgw::ARN(rgw::ARN(user_id.id,
                                                         // [listing gap: original line 53 (second ARN argument) is not shown]
                                                         user_id.tenant)), op)) {
    // [listing gap: original lines 55-59 are not shown]
  }
}
// Validate `policy_name` only: a length cap followed by a whole-string
// character whitelist. Neither `user_name` nor the policy document is checked
// here. The return statements (original lines 64-66 and 70-75) are not in this
// listing.
bool RGWRestUserPolicy::validate_input()
{
  // Length is checked before the regex runs, so the regex never sees an
  // unbounded input.
  if (policy_name.length() > MAX_POLICY_NAME_LEN) {
    ldout(s->cct, 0) << "ERROR: Invalid policy name length " << dendl;
    // [listing gap: original lines 64-66 are not shown]
  }

  // Style/perf: the std::regex is compiled on every call; a function-local
  // static (or a hand-written character check) would avoid that.
  std::regex regex_policy_name("[A-Za-z0-9:=,.@-]+");
  // regex_match requires the whole name to match, so this is a strict whitelist.
  if (! std::regex_match(policy_name, regex_policy_name)) {
    ldout(s->cct, 0) << "ERROR: Invalid chars in policy name " << dendl;
    // [listing gap: original lines 70-75 are not shown]
  }
}
// Read-only user-policy operations require the "user-policy" cap at read level.
// Returns whatever RGWUserCaps::check_cap() returns for that cap.
int RGWUserPolicyRead::check_caps(RGWUserCaps& caps)
{
  const int rc = caps.check_cap("user-policy", RGW_CAP_READ);
  return rc;
}
// Mutating user-policy operations require the "user-policy" cap at write level.
// Returns whatever RGWUserCaps::check_cap() returns for that cap.
int RGWUserPolicyWrite::check_caps(RGWUserCaps& caps)
{
  const int rc = caps.check_cap("user-policy", RGW_CAP_WRITE);
  return rc;
}
// IAM action identifier used by verify_permission() for PutUserPolicy.
uint64_t RGWPutUserPolicy::get_op()
{
  const uint64_t action = rgw::IAM::iamPutUserPolicy;
  return action;
}
// Pull PolicyName, UserName and PolicyDocument from the query string; all three
// must be non-empty and policy_name must pass validate_input(). The result is
// consumed as op_ret by execute(). The error/success return lines of the
// original (99-102, 104-109) are not in this listing.
int RGWPutUserPolicy::get_params()
{
  // NOTE(review): these go through url_decode(..., true), while
  // verify_permission() and the Get/List/Delete get_params() use
  // s->info.args.get() as-is. If args.get() already yields a decoded value this
  // is a second decode, and the user named here can differ from the one whose
  // ARN was authorised — confirm both paths see the same string.
  policy_name = url_decode(s->info.args.get("PolicyName"), true);
  user_name = url_decode(s->info.args.get("UserName"), true);
  policy = url_decode(s->info.args.get("PolicyDocument"), true);

  if (policy_name.empty() || user_name.empty() || policy.empty()) {
    ldout(s->cct, 20) << "ERROR: one of policy name, user name or policy document is empty"
    // [listing gap: original lines 99-102 are not shown]
  }

  // Only policy_name is validated; no size bound is applied to `policy` in this
  // block — any limit would have to come from the request-argument parser.
  if (! validate_input()) {
    // [listing gap: original lines 104-109 are not shown]
  }
}
// Check that the uploaded document parses as an IAM policy, then store the raw
// document text under the target user's RGW_ATTR_USER_POLICY attribute, keyed
// by policy_name. Errors are reported via op_ret. Several guard/return lines of
// the original are not in this listing (see the gap markers); `info` and
// `in_bl` are used below but their declarations fall in those gaps.
void RGWPutUserPolicy::execute()
{
  op_ret = get_params();
  // [listing gap: original lines 113-116 are not shown]

  bufferlist bl = bufferlist::static_from_string(policy);
  // [listing gap: original lines 118-119 are not shown]

  rgw_user user_id(user_name);
  op_ret = rgw_get_user_info_by_uid(store, user_id, info);
  // [listing gap: original line 122 is not shown; the assignment below is
  //  presumably guarded on op_ret, as at line 129]
    op_ret = -ERR_NO_SUCH_ENTITY;
  // [listing gap: original lines 124-126 are not shown]

  map<string, bufferlist> uattrs;
  op_ret = rgw_get_user_attrs_by_uid(store, user_id, uattrs);
  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_SUCH_ENTITY;
    // [listing gap: original lines 131-134 are not shown; the `try` matching
    //  the `catch` below opens in this gap]
  }

  try {
    // NOTE(review): the document is parsed against the *caller's* tenant
    // (s->user->user_id.tenant) but attached to `user_id`, the user named in
    // the request. If those can differ, confirm which tenant should scope the
    // parse. `p` is used only as a validity check — it is the raw `policy`
    // text that is persisted and later handed back by GetUserPolicy.
    const Policy p(s->cct, s->user->user_id.tenant, bl);
    map<string, string> policies;
    if (auto it = uattrs.find(RGW_ATTR_USER_POLICY); it != uattrs.end()) {
      // Style: `it->second` would avoid the second lookup.
      bufferlist out_bl = uattrs[RGW_ATTR_USER_POLICY];
      decode(policies, out_bl);
    }
    // [listing gap: original lines 140-141 are not shown]
    policies[policy_name] = policy;
    encode(policies, in_bl);
    uattrs[RGW_ATTR_USER_POLICY] = in_bl;

    // NOTE(review): read-modify-write of the attribute map with a freshly
    // constructed version tracker — nothing ties this write to the version
    // that was read, so two concurrent Put/Delete requests on the same user
    // can lose an update. Confirm whether rgw_store_user_info() enforces a
    // version check in this form; RGWDeleteUserPolicy::execute() has the same
    // pattern.
    RGWObjVersionTracker objv_tracker;
    op_ret = rgw_store_user_info(store, info, &info, &objv_tracker, real_time(), false, &uattrs);
    // [listing gap: original line 148 is not shown]
      // The store's own error code is discarded here without being logged;
      // logging op_ret before overwriting it would help diagnosis.
      op_ret = -ERR_INTERNAL_ERROR;
    // [listing gap: original line 150 is not shown]
  } catch (rgw::IAM::PolicyParseException& e) {   // Style: catch by const&.
    ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
    op_ret = -ERR_MALFORMED_DOC;
  }
  // [listing gap: original lines 154-156 are not shown]
}
// IAM action identifier used by verify_permission() for GetUserPolicy.
uint64_t RGWGetUserPolicy::get_op()
{
  const uint64_t action = rgw::IAM::iamGetUserPolicy;
  return action;
}
// Read PolicyName and UserName from the query string; both must be non-empty.
// The return lines of the original (169-175) are not in this listing.
int RGWGetUserPolicy::get_params()
{
  // NOTE(review): unlike RGWPutUserPolicy::get_params(), no url_decode() pass
  // is applied here and no validate_input() call is visible; policy_name is
  // only used as a map lookup key in execute().
  policy_name = s->info.args.get("PolicyName");
  user_name = s->info.args.get("UserName");

  if (policy_name.empty() || user_name.empty()) {
    ldout(s->cct, 20) << "ERROR: one of policy name or user name is empty"
    // [listing gap: original lines 169-175 are not shown]
  }
}
// Look up policy_name in the target user's RGW_ATTR_USER_POLICY map and, when
// present, emit it inside a "userpolicy" section. Missing attribute, missing
// policy and unknown user are all reported as ERR_NO_SUCH_ENTITY. Guard,
// return and else lines of the original are not in this listing (see gaps).
void RGWGetUserPolicy::execute()
{
  op_ret = get_params();
  // [listing gap: original lines 179-182 are not shown]

  rgw_user user_id(user_name);
  map<string, bufferlist> uattrs;
  op_ret = rgw_get_user_attrs_by_uid(store, user_id, uattrs);
  if (op_ret == -ENOENT) {
    // Style: no separator between the message and the user name.
    ldout(s->cct, 0) << "ERROR: attrs not found for user" << user_name << dendl;
    op_ret = -ERR_NO_SUCH_ENTITY;
    // [listing gap: original lines 189-192 are not shown]
  }

  map<string, string> policies;
  if (auto it = uattrs.find(RGW_ATTR_USER_POLICY); it != uattrs.end()) {
    // Style: `it->second` would avoid the second lookup.
    bufferlist bl = uattrs[RGW_ATTR_USER_POLICY];
    decode(policies, bl);
    // Style: this inner `it` shadows the outer one.
    if (auto it = policies.find(policy_name); it != policies.end()) {
      policy = policies[policy_name];   // Style: `it->second`.
      s->formatter->open_object_section("userpolicy");
      // [listing gap: original line 200 is not shown]
      s->formatter->close_section();
    }
    // [listing gap: original line 202 is not shown; the two lines below are
    //  presumably the not-found branch]
      // NOTE(review): `policy` is not assigned on this path, so this logs an
      // empty or stale value; `policy_name` is presumably what was meant.
      ldout(s->cct, 0) << "ERROR: policy not found" << policy << dendl;
      op_ret = -ERR_NO_SUCH_ENTITY;
    // [listing gap: original lines 205-207 are not shown]
  }
  // [the two lines below are presumably the no-attribute branch]
    ldout(s->cct, 0) << "ERROR: RGW_ATTR_USER_POLICY not found" << dendl;
    op_ret = -ERR_NO_SUCH_ENTITY;
  // [listing gap: original lines 210-213 are not shown]
    op_ret = -ERR_INTERNAL_ERROR;
  // [listing gap: original lines 215-216 are not shown]
}
// IAM action identifier used by verify_permission() for ListUserPolicies.
uint64_t RGWListUserPolicies::get_op()
{
  const uint64_t action = rgw::IAM::iamListUserPolicies;
  return action;
}
// Read UserName from the query string; it must be non-empty. The return lines
// of the original (229-234) are not in this listing.
int RGWListUserPolicies::get_params()
{
  // NOTE(review): read as-is from args.get(), without the url_decode() pass
  // that RGWPutUserPolicy::get_params() applies.
  user_name = s->info.args.get("UserName");

  if (user_name.empty()) {
    ldout(s->cct, 20) << "ERROR: user name is empty" << dendl;
    // [listing gap: original lines 229-234 are not shown]
  }
}
// Emit the names of every policy attached to the target user, one "policies"
// section per entry. Only the names are output; the documents (p.second) are
// never written to the response. Guard, return and else lines of the original
// are not in this listing (see gaps).
void RGWListUserPolicies::execute()
{
  op_ret = get_params();
  // [listing gap: original lines 238-241 are not shown]

  rgw_user user_id(user_name);
  map<string, bufferlist> uattrs;
  op_ret = rgw_get_user_attrs_by_uid(store, user_id, uattrs);
  if (op_ret == -ENOENT) {
    // Style: no separator between the message and the user name.
    ldout(s->cct, 0) << "ERROR: attrs not found for user" << user_name << dendl;
    op_ret = -ERR_NO_SUCH_ENTITY;
    // [listing gap: original lines 248-251 are not shown]
  }

  map<string, string> policies;
  if (auto it = uattrs.find(RGW_ATTR_USER_POLICY); it != uattrs.end()) {
    // Style: `it->second` would avoid the second lookup.
    bufferlist bl = uattrs[RGW_ATTR_USER_POLICY];
    decode(policies, bl);
    // Style: a structured binding (`const auto& [name, doc]`) would read better
    // than p.first.
    for (const auto& p : policies) {
      s->formatter->open_object_section("policies");
      s->formatter->dump_string("policy", p.first);
      s->formatter->close_section();
    }
    // [listing gap: original lines 260-261 are not shown]
  }
  // [the two lines below are presumably the no-attribute branch]
    ldout(s->cct, 0) << "ERROR: RGW_ATTR_USER_POLICY not found" << dendl;
    op_ret = -ERR_NO_SUCH_ENTITY;
  // [listing gap: original lines 264-267 are not shown]
    op_ret = -ERR_INTERNAL_ERROR;
  // [listing gap: original lines 269-270 are not shown]
}
// IAM action identifier used by verify_permission() for DeleteUserPolicy.
uint64_t RGWDeleteUserPolicy::get_op()
{
  const uint64_t action = rgw::IAM::iamDeleteUserPolicy;
  return action;
}
// Read PolicyName and UserName from the query string; both must be non-empty.
// The return lines of the original (284-289) are not in this listing.
int RGWDeleteUserPolicy::get_params()
{
  // NOTE(review): read as-is from args.get() (no url_decode() pass, unlike
  // RGWPutUserPolicy::get_params()), and no validate_input() call is visible.
  // policy_name is only used as a map lookup key in execute().
  policy_name = s->info.args.get("PolicyName");
  user_name = s->info.args.get("UserName");

  if (policy_name.empty() || user_name.empty()) {
    ldout(s->cct, 20) << "ERROR: One of policy name or user name is empty"<< dendl;
    // [listing gap: original lines 284-289 are not shown]
  }
}
290 void RGWDeleteUserPolicy::execute()
292 op_ret
= get_params();
298 rgw_user
user_id(user_name
);
299 op_ret
= rgw_get_user_info_by_uid(store
, user_id
, info
);
301 op_ret
= -ERR_NO_SUCH_ENTITY
;
305 map
<string
, bufferlist
> uattrs
;
306 op_ret
= rgw_get_user_attrs_by_uid(store
, user_id
, uattrs
);
307 if (op_ret
== -ENOENT
) {
308 op_ret
= -ERR_NO_SUCH_ENTITY
;
312 map
<string
, string
> policies
;
313 if (auto it
= uattrs
.find(RGW_ATTR_USER_POLICY
); it
!= uattrs
.end()) {
314 bufferlist out_bl
= uattrs
[RGW_ATTR_USER_POLICY
];
315 decode(policies
, out_bl
);
317 if (auto p
= policies
.find(policy_name
); p
!= policies
.end()) {
320 encode(policies
, in_bl
);
321 uattrs
[RGW_ATTR_USER_POLICY
] = in_bl
;
323 RGWObjVersionTracker objv_tracker
;
324 op_ret
= rgw_store_user_info(store
, info
, &info
, &objv_tracker
, real_time(), false, &uattrs
);
326 op_ret
= -ERR_INTERNAL_ERROR
;
329 op_ret
= -ERR_NO_SUCH_ENTITY
;
333 op_ret
= -ERR_NO_SUCH_ENTITY
;