#include <iostream>
#include "rapidjson/reader.h"
+#include "common/backport14.h"
#include "rgw_auth.h"
#include <arpa/inet.h>
#include "rgw_iam_policy.h"
return false;
}
- if (!::match(region, candidate.region, MATCH_POLICY_ARN)) {
+ if (!match_policy(region, candidate.region, MATCH_POLICY_ARN)) {
return false;
}
- if (!::match(account, candidate.account, MATCH_POLICY_ARN)) {
+ if (!match_policy(account, candidate.account, MATCH_POLICY_ARN)) {
return false;
}
- if (!::match(resource, candidate.resource, MATCH_POLICY_ARN)) {
+ if (!match_policy(resource, candidate.resource, MATCH_POLICY_ARN)) {
return false;
}
CephContext* cct;
const string& tenant;
Policy& policy;
- std::set<TokenID> v;
+ uint32_t v = 0;
uint32_t seen = 0;
}
void set(TokenID in) {
seen |= dex(in);
- if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
- in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
- in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
- in == TokenID::CanonicalUser) {
- v.insert(in);
+ if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
+ dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
+ dex(TokenID::Action) | dex(TokenID::NotAction) |
+ dex(TokenID::Resource) | dex(TokenID::NotResource) |
+ dex(TokenID::Condition) | dex(TokenID::AWS) |
+ dex(TokenID::Federated) | dex(TokenID::Service) |
+ dex(TokenID::CanonicalUser))) {
+ v |= dex(in);
}
}
void set(std::initializer_list<TokenID> l) {
for (auto in : l) {
seen |= dex(in);
- if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
- in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
- in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
- in == TokenID::CanonicalUser) {
- v.insert(in);
+ if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
+ dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
+ dex(TokenID::Action) | dex(TokenID::NotAction) |
+ dex(TokenID::Resource) | dex(TokenID::NotResource) |
+ dex(TokenID::Condition) | dex(TokenID::AWS) |
+ dex(TokenID::Federated) | dex(TokenID::Service) |
+ dex(TokenID::CanonicalUser))) {
+ v |= dex(in);
}
}
}
void reset(TokenID in) {
seen &= ~dex(in);
- if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
- in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
- in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
- in == TokenID::CanonicalUser) {
- v.erase(in);
+ if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
+ dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
+ dex(TokenID::Action) | dex(TokenID::NotAction) |
+ dex(TokenID::Resource) | dex(TokenID::NotResource) |
+ dex(TokenID::Condition) | dex(TokenID::AWS) |
+ dex(TokenID::Federated) | dex(TokenID::Service) |
+ dex(TokenID::CanonicalUser))) {
+ v &= ~dex(in);
}
}
void reset(std::initializer_list<TokenID> l) {
for (auto in : l) {
seen &= ~dex(in);
- if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
- in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
- in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
- in == TokenID::CanonicalUser) {
- v.erase(in);
+ if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
+ dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
+ dex(TokenID::Action) | dex(TokenID::NotAction) |
+ dex(TokenID::Resource) | dex(TokenID::NotResource) |
+ dex(TokenID::Condition) | dex(TokenID::AWS) |
+ dex(TokenID::Federated) | dex(TokenID::Service) |
+ dex(TokenID::CanonicalUser))) {
+ v &= ~dex(in);
}
}
}
- void reset(std::set<TokenID> v) {
- for (auto in : v) {
- seen &= ~dex(in);
- v.erase(in);
- }
+ void reset(uint32_t& v) {
+ seen &= ~v;
+ v = 0;
}
PolicyParser(CephContext* cct, const string& tenant, Policy& policy)
if (!k) {
if (w->kind == TokenKind::cond_op) {
+ auto id = w->id;
auto& t = pp->policy.statements.back();
+ auto c_ife = cond_ifexists;
pp->s.emplace_back(pp, cond_key);
- t.conditions.emplace_back(w->id, s, l, cond_ifexists);
+ t.conditions.emplace_back(id, s, l, c_ife);
return true;
} else {
return false;
} else if ((w->id == TokenID::Action) ||
(w->id == TokenID::NotAction)) {
for (auto& p : actpairs) {
- if (match({s, l}, p.name, MATCH_POLICY_ACTION)) {
+ if (match_policy({s, l}, p.name, MATCH_POLICY_ACTION)) {
(w->id == TokenID::Action ? t->action : t->notaction) |= p.bit;
}
}
return orrible(std::equal_to<std::string>(), s, vals);
case TokenID::StringNotEquals:
- return orrible(std::not2(std::equal_to<std::string>()),
+ return orrible(ceph::not_fn(std::equal_to<std::string>()),
s, vals);
case TokenID::StringEqualsIgnoreCase:
return orrible(ci_equal_to(), s, vals);
case TokenID::StringNotEqualsIgnoreCase:
- return orrible(std::not2(ci_equal_to()), s, vals);
+ return orrible(ceph::not_fn(ci_equal_to()), s, vals);
- // Implement actual StringLike with wildcarding later
case TokenID::StringLike:
- return orrible(std::equal_to<std::string>(), s, vals);
+ return orrible(string_like(), s, vals);
+
case TokenID::StringNotLike:
- return orrible(std::not2(std::equal_to<std::string>()),
- s, vals);
+ return orrible(ceph::not_fn(string_like()), s, vals);
// Numeric
case TokenID::NumericEquals:
return shortible(std::equal_to<double>(), as_number, s, vals);
case TokenID::NumericNotEquals:
- return shortible(std::not2(std::equal_to<double>()),
+ return shortible(ceph::not_fn(std::equal_to<double>()),
as_number, s, vals);
return shortible(std::equal_to<ceph::real_time>(), as_date, s, vals);
case TokenID::DateNotEquals:
- return shortible(std::not2(std::equal_to<ceph::real_time>()),
+ return shortible(ceph::not_fn(std::equal_to<ceph::real_time>()),
as_date, s, vals);
case TokenID::DateLessThan:
return shortible(std::equal_to<MaskedIP>(), as_network, s, vals);
case TokenID::NotIpAddress:
- return shortible(std::not2(std::equal_to<MaskedIP>()), as_network, s,
+ return shortible(ceph::not_fn(std::equal_to<MaskedIP>()), as_network, s,
vals);
#if 0