[ceph.git] / ceph / src / rgw / rgw_acl.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#ifndef CEPH_RGW_ACL_H
#define CEPH_RGW_ACL_H

#include <map>
#include <string>
#include <string_view>
#include <include/types.h>

#include <boost/optional.hpp>
#include <boost/algorithm/string/predicate.hpp>

#include "common/debug.h"

#include "rgw_basic_types.h"

#define RGW_PERM_NONE            0x00
#define RGW_PERM_READ            0x01
#define RGW_PERM_WRITE           0x02
#define RGW_PERM_READ_ACP        0x04
#define RGW_PERM_WRITE_ACP       0x08
#define RGW_PERM_READ_OBJS       0x10
#define RGW_PERM_WRITE_OBJS      0x20
#define RGW_PERM_FULL_CONTROL    ( RGW_PERM_READ | RGW_PERM_WRITE | \
                                  RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP )
#define RGW_PERM_ALL_S3          RGW_PERM_FULL_CONTROL
#define RGW_PERM_INVALID         0xFF00

static constexpr char RGW_REFERER_WILDCARD[] = "*";

enum ACLGranteeTypeEnum {
/* numbers are encoded, should not change */
  ACL_TYPE_CANON_USER = 0,
  ACL_TYPE_EMAIL_USER = 1,
  ACL_TYPE_GROUP      = 2,
  ACL_TYPE_UNKNOWN    = 3,
  ACL_TYPE_REFERER    = 4,
};

enum ACLGroupTypeEnum {
/* numbers are encoded should not change */
  ACL_GROUP_NONE                = 0,
  ACL_GROUP_ALL_USERS           = 1,
  ACL_GROUP_AUTHENTICATED_USERS = 2,
};

class ACLPermission
{
protected:
  int flags;
public:
  ACLPermission() : flags(0) {}
  ~ACLPermission() {}
  uint32_t get_permissions() const { return flags; }
  void set_permissions(uint32_t perm) { flags = perm; }

  void encode(bufferlist& bl) const {
    ENCODE_START(2, 2, bl);
    encode(flags, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
    decode(flags, bl);
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  static void generate_test_instances(list<ACLPermission*>& o);

  friend bool operator==(const ACLPermission& lhs, const ACLPermission& rhs);
  friend bool operator!=(const ACLPermission& lhs, const ACLPermission& rhs);
};
WRITE_CLASS_ENCODER(ACLPermission)

class ACLGranteeType
{
protected:
  __u32 type;
public:
  ACLGranteeType() : type(ACL_TYPE_UNKNOWN) {}
  virtual ~ACLGranteeType() {}
//  virtual const char *to_string() = 0;
  ACLGranteeTypeEnum get_type() const { return (ACLGranteeTypeEnum)type; }
  void set(ACLGranteeTypeEnum t) { type = t; }
//  virtual void set(const char *s) = 0;
  void encode(bufferlist& bl) const {
    ENCODE_START(2, 2, bl);
    encode(type, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
    decode(type, bl);
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  static void generate_test_instances(list<ACLGranteeType*>& o);

  friend bool operator==(const ACLGranteeType& lhs, const ACLGranteeType& rhs);
  friend bool operator!=(const ACLGranteeType& lhs, const ACLGranteeType& rhs);
};
WRITE_CLASS_ENCODER(ACLGranteeType)

class ACLGrantee
{
public:
  ACLGrantee() {}
  ~ACLGrantee() {}
};


class ACLGrant
{
protected:
  ACLGranteeType type;
  rgw_user id;
  string email;
  mutable rgw_user email_id;
  ACLPermission permission;
  string name;
  ACLGroupTypeEnum group;
  string url_spec;

public:
  ACLGrant() : group(ACL_GROUP_NONE) {}
  virtual ~ACLGrant() {}

  /* there's an assumption here that email/uri/id encodings are
     different and there can't be any overlap */
  bool get_id(rgw_user& _id) const {
    switch(type.get_type()) {
    case ACL_TYPE_EMAIL_USER:
      _id = email; // implies from_str() that parses the 't:u' syntax
      return true;
    case ACL_TYPE_GROUP:
    case ACL_TYPE_REFERER:
      return false;
    default:
      _id = id;
      return true;
    }
  }

  const rgw_user* get_id() const {
    switch(type.get_type()) {
    case ACL_TYPE_EMAIL_USER:
      email_id.from_str(email);
      return &email_id;
    case ACL_TYPE_GROUP:
    case ACL_TYPE_REFERER:
      return nullptr;
    default:
      return &id;
    }
  }

  ACLGranteeType& get_type() { return type; }
  const ACLGranteeType& get_type() const { return type; }
  ACLPermission& get_permission() { return permission; }
  const ACLPermission& get_permission() const { return permission; }
  ACLGroupTypeEnum get_group() const { return group; }
  const string& get_referer() const { return url_spec; }

  void encode(bufferlist& bl) const {
    ENCODE_START(5, 3, bl);
    encode(type, bl);
    string s;
    id.to_str(s);
    encode(s, bl);
    string uri;
    encode(uri, bl);
    encode(email, bl);
    encode(permission, bl);
    encode(name, bl);
    __u32 g = (__u32)group;
    encode(g, bl);
    encode(url_spec, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(5, 3, 3, bl);
    decode(type, bl);
    string s;
    decode(s, bl);
    id.from_str(s);
    string uri;
    decode(uri, bl);
    decode(email, bl);
    decode(permission, bl);
    decode(name, bl);
    if (struct_v > 1) {
      __u32 g;
      decode(g, bl);
      group = (ACLGroupTypeEnum)g;
    } else {
      group = uri_to_group(uri);
    }
    if (struct_v >= 5) {
      decode(url_spec, bl);
    } else {
      url_spec.clear();
    }
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  static void generate_test_instances(list<ACLGrant*>& o);

  ACLGroupTypeEnum uri_to_group(string& uri);

  void set_canon(const rgw_user& _id, const string& _name, const uint32_t perm) {
    type.set(ACL_TYPE_CANON_USER);
    id = _id;
    name = _name;
    permission.set_permissions(perm);
  }
  void set_group(ACLGroupTypeEnum _group, const uint32_t perm) {
    type.set(ACL_TYPE_GROUP);
    group = _group;
    permission.set_permissions(perm);
  }
  void set_referer(const std::string& _url_spec, const uint32_t perm) {
    type.set(ACL_TYPE_REFERER);
    url_spec = _url_spec;
    permission.set_permissions(perm);
  }

  friend bool operator==(const ACLGrant& lhs, const ACLGrant& rhs);
  friend bool operator!=(const ACLGrant& lhs, const ACLGrant& rhs);
};
WRITE_CLASS_ENCODER(ACLGrant)

struct ACLReferer {
  std::string url_spec;
  uint32_t perm;

  ACLReferer() : perm(0) {}
  ACLReferer(const std::string& url_spec,
             const uint32_t perm)
    : url_spec(url_spec),
      perm(perm) {
  }

  bool is_match(std::string_view http_referer) const {
    const auto http_host = get_http_host(http_referer);
    if (!http_host || http_host->length() < url_spec.length()) {
      return false;
    }

    if ("*" == url_spec) {
      return true;
    }

    if (http_host->compare(url_spec) == 0) {
      return true;
    }

    if ('.' == url_spec[0]) {
      /* Wildcard support: a referer matches the spec when its last char are
       * perfectly equal to spec. */
      return boost::algorithm::ends_with(http_host.value(), url_spec);
    }

    return false;
  }

  void encode(bufferlist& bl) const {
    ENCODE_START(1, 1, bl);
    encode(url_spec, bl);
    encode(perm, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(1, 1, 1, bl);
    decode(url_spec, bl);
    decode(perm, bl);
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;

  friend bool operator==(const ACLReferer& lhs, const ACLReferer& rhs);
  friend bool operator!=(const ACLReferer& lhs, const ACLReferer& rhs);

private:
  boost::optional<std::string_view> get_http_host(const std::string_view url) const {
    size_t pos = url.find("://");
    if (pos == std::string_view::npos || boost::algorithm::starts_with(url, "://") ||
        boost::algorithm::ends_with(url, "://") || boost::algorithm::ends_with(url, "@")) {
      return boost::none;
    }
    std::string_view url_sub = url.substr(pos + strlen("://"));
    pos = url_sub.find('@');
    if (pos != std::string_view::npos) {
      url_sub = url_sub.substr(pos + 1);
    }
    pos = url_sub.find_first_of("/:");
    if (pos == std::string_view::npos) {
      /* no port or path exists */
      return url_sub;
    }
    return url_sub.substr(0, pos);
  }
};
WRITE_CLASS_ENCODER(ACLReferer)

namespace rgw {
namespace auth {
  class Identity;
}
}

using ACLGrantMap = std::multimap<std::string, ACLGrant>;

class RGWAccessControlList
{
protected:
  CephContext *cct;
  /* FIXME: in the feature we should consider switching to uint32_t also
   * in data structures. */
  map<string, int> acl_user_map;
  map<uint32_t, int> acl_group_map;
  list<ACLReferer> referer_list;
  ACLGrantMap grant_map;
  void _add_grant(ACLGrant *grant);
public:
  explicit RGWAccessControlList(CephContext *_cct) : cct(_cct) {}
  RGWAccessControlList() : cct(NULL) {}

  void set_ctx(CephContext *ctx) {
    cct = ctx;
  }

  virtual ~RGWAccessControlList() {}

  uint32_t get_perm(const DoutPrefixProvider* dpp,
                    const rgw::auth::Identity& auth_identity,
                    uint32_t perm_mask);
  uint32_t get_group_perm(const DoutPrefixProvider *dpp, ACLGroupTypeEnum group, uint32_t perm_mask) const;
  uint32_t get_referer_perm(uint32_t current_perm,
                            std::string http_referer,
                            uint32_t perm_mask);
  void encode(bufferlist& bl) const {
    ENCODE_START(4, 3, bl);
    bool maps_initialized = true;
    encode(maps_initialized, bl);
    encode(acl_user_map, bl);
    encode(grant_map, bl);
    encode(acl_group_map, bl);
    encode(referer_list, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(4, 3, 3, bl);
    bool maps_initialized;
    decode(maps_initialized, bl);
    decode(acl_user_map, bl);
    decode(grant_map, bl);
    if (struct_v >= 2) {
      decode(acl_group_map, bl);
    } else if (!maps_initialized) {
      ACLGrantMap::iterator iter;
      for (iter = grant_map.begin(); iter != grant_map.end(); ++iter) {
        ACLGrant& grant = iter->second;
        _add_grant(&grant);
      }
    }
    if (struct_v >= 4) {
      decode(referer_list, bl);
    }
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  static void generate_test_instances(list<RGWAccessControlList*>& o);

  void add_grant(ACLGrant *grant);
  void remove_canon_user_grant(rgw_user& user_id);

  ACLGrantMap& get_grant_map() { return grant_map; }
  const ACLGrantMap& get_grant_map() const { return grant_map; }

  void create_default(const rgw_user& id, string name) {
    acl_user_map.clear();
    acl_group_map.clear();
    referer_list.clear();

    ACLGrant grant;
    grant.set_canon(id, name, RGW_PERM_FULL_CONTROL);
    add_grant(&grant);
  }

  friend bool operator==(const RGWAccessControlList& lhs, const RGWAccessControlList& rhs);
  friend bool operator!=(const RGWAccessControlList& lhs, const RGWAccessControlList& rhs);
};
WRITE_CLASS_ENCODER(RGWAccessControlList)

class ACLOwner
{
protected:
  rgw_user id;
  string display_name;
public:
  ACLOwner() {}
  ACLOwner(const rgw_user& _id) : id(_id) {}
  ~ACLOwner() {}

  void encode(bufferlist& bl) const {
    ENCODE_START(3, 2, bl);
    string s;
    id.to_str(s);
    encode(s, bl);
    encode(display_name, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(3, 2, 2, bl);
    string s;
    decode(s, bl);
    id.from_str(s);
    decode(display_name, bl);
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  void decode_json(JSONObj *obj);
  static void generate_test_instances(list<ACLOwner*>& o);
  void set_id(const rgw_user& _id) { id = _id; }
  void set_name(const string& name) { display_name = name; }

  rgw_user& get_id() { return id; }
  const rgw_user& get_id() const { return id; }
  string& get_display_name() { return display_name; }
  const string& get_display_name() const { return display_name; }
  friend bool operator==(const ACLOwner& lhs, const ACLOwner& rhs);
  friend bool operator!=(const ACLOwner& lhs, const ACLOwner& rhs);
};
WRITE_CLASS_ENCODER(ACLOwner)

class RGWAccessControlPolicy
{
protected:
  CephContext *cct;
  RGWAccessControlList acl;
  ACLOwner owner;

public:
  explicit RGWAccessControlPolicy(CephContext *_cct) : cct(_cct), acl(_cct) {}
  RGWAccessControlPolicy() : cct(NULL), acl(NULL) {}
  virtual ~RGWAccessControlPolicy() {}

  void set_ctx(CephContext *ctx) {
    cct = ctx;
    acl.set_ctx(ctx);
  }

  uint32_t get_perm(const DoutPrefixProvider* dpp,
                    const rgw::auth::Identity& auth_identity,
                    uint32_t perm_mask,
                    const char * http_referer,
                    bool ignore_public_acls=false);
  bool verify_permission(const DoutPrefixProvider* dpp,
                         const rgw::auth::Identity& auth_identity,
                         uint32_t user_perm_mask,
                         uint32_t perm,
                         const char * http_referer = nullptr,
                         bool ignore_public_acls=false);

  void encode(bufferlist& bl) const {
    ENCODE_START(2, 2, bl);
    encode(owner, bl);
    encode(acl, bl);
    ENCODE_FINISH(bl);
  }
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
    decode(owner, bl);
    decode(acl, bl);
    DECODE_FINISH(bl);
  }
  void dump(Formatter *f) const;
  static void generate_test_instances(list<RGWAccessControlPolicy*>& o);
  void decode_owner(bufferlist::const_iterator& bl) { // sometimes we only need that, should be faster
    DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
    decode(owner, bl);
    DECODE_FINISH(bl);
  }

  void set_owner(ACLOwner& o) { owner = o; }
  ACLOwner& get_owner() {
    return owner;
  }

  void create_default(const rgw_user& id, string& name) {
    acl.create_default(id, name);
    owner.set_id(id);
    owner.set_name(name);
  }
  RGWAccessControlList& get_acl() {
    return acl;
  }
  const RGWAccessControlList& get_acl() const {
    return acl;
  }

  virtual bool compare_group_name(string& id, ACLGroupTypeEnum group) { return false; }
  bool is_public(const DoutPrefixProvider *dpp) const;

  friend bool operator==(const RGWAccessControlPolicy& lhs, const RGWAccessControlPolicy& rhs);
  friend bool operator!=(const RGWAccessControlPolicy& lhs, const RGWAccessControlPolicy& rhs);
};
WRITE_CLASS_ENCODER(RGWAccessControlPolicy)

#endif
Commit	Line	Data
7c673cae	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
7c673cae FG	3
	4	#ifndef CEPH_RGW_ACL_H
	5	#define CEPH_RGW_ACL_H
	6
	7	#include <map>
	8	#include <string>
f67539c2	9	#include <string_view>
7c673cae FG	10	#include <include/types.h>
	11
	12	#include <boost/optional.hpp>
f67539c2	13	#include <boost/algorithm/string/predicate.hpp>
7c673cae FG	14
	15	#include "common/debug.h"
	16
	17	#include "rgw_basic_types.h"
	18
7c673cae FG	19	#define RGW_PERM_NONE 0x00
	20	#define RGW_PERM_READ 0x01
	21	#define RGW_PERM_WRITE 0x02
	22	#define RGW_PERM_READ_ACP 0x04
	23	#define RGW_PERM_WRITE_ACP 0x08
	24	#define RGW_PERM_READ_OBJS 0x10
	25	#define RGW_PERM_WRITE_OBJS 0x20
	26	#define RGW_PERM_FULL_CONTROL ( RGW_PERM_READ \| RGW_PERM_WRITE \| \
	27	RGW_PERM_READ_ACP \| RGW_PERM_WRITE_ACP )
	28	#define RGW_PERM_ALL_S3 RGW_PERM_FULL_CONTROL
	29	#define RGW_PERM_INVALID 0xFF00
	30
31f18b77 FG	31	static constexpr char RGW_REFERER_WILDCARD[] = "*";
31f18b77 FG	32
7c673cae FG	33	enum ACLGranteeTypeEnum {
	34	/* numbers are encoded, should not change */
	35	ACL_TYPE_CANON_USER = 0,
	36	ACL_TYPE_EMAIL_USER = 1,
	37	ACL_TYPE_GROUP = 2,
	38	ACL_TYPE_UNKNOWN = 3,
	39	ACL_TYPE_REFERER = 4,
	40	};
	41
	42	enum ACLGroupTypeEnum {
	43	/* numbers are encoded should not change */
	44	ACL_GROUP_NONE = 0,
	45	ACL_GROUP_ALL_USERS = 1,
	46	ACL_GROUP_AUTHENTICATED_USERS = 2,
	47	};
	48
	49	class ACLPermission
	50	{
	51	protected:
	52	int flags;
	53	public:
	54	ACLPermission() : flags(0) {}
	55	~ACLPermission() {}
	56	uint32_t get_permissions() const { return flags; }
	57	void set_permissions(uint32_t perm) { flags = perm; }
	58
	59	void encode(bufferlist& bl) const {
	60	ENCODE_START(2, 2, bl);
11fdf7f2	61	encode(flags, bl);
7c673cae FG	62	ENCODE_FINISH(bl);
7c673cae FG	63	}
11fdf7f2	64	void decode(bufferlist::const_iterator& bl) {
7c673cae	65	DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
11fdf7f2	66	decode(flags, bl);
7c673cae FG	67	DECODE_FINISH(bl);
	68	}
	69	void dump(Formatter *f) const;
	70	static void generate_test_instances(list<ACLPermission*>& o);
f67539c2 TL	71
	72	friend bool operator==(const ACLPermission& lhs, const ACLPermission& rhs);
	73	friend bool operator!=(const ACLPermission& lhs, const ACLPermission& rhs);
7c673cae FG	74	};
	75	WRITE_CLASS_ENCODER(ACLPermission)
	76
	77	class ACLGranteeType
	78	{
	79	protected:
	80	__u32 type;
	81	public:
	82	ACLGranteeType() : type(ACL_TYPE_UNKNOWN) {}
	83	virtual ~ACLGranteeType() {}
	84	// virtual const char *to_string() = 0;
	85	ACLGranteeTypeEnum get_type() const { return (ACLGranteeTypeEnum)type; }
	86	void set(ACLGranteeTypeEnum t) { type = t; }
	87	// virtual void set(const char *s) = 0;
	88	void encode(bufferlist& bl) const {
	89	ENCODE_START(2, 2, bl);
11fdf7f2	90	encode(type, bl);
7c673cae FG	91	ENCODE_FINISH(bl);
7c673cae FG	92	}
11fdf7f2	93	void decode(bufferlist::const_iterator& bl) {
7c673cae	94	DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
11fdf7f2	95	decode(type, bl);
7c673cae FG	96	DECODE_FINISH(bl);
	97	}
	98	void dump(Formatter *f) const;
	99	static void generate_test_instances(list<ACLGranteeType*>& o);
f67539c2 TL	100
	101	friend bool operator==(const ACLGranteeType& lhs, const ACLGranteeType& rhs);
	102	friend bool operator!=(const ACLGranteeType& lhs, const ACLGranteeType& rhs);
7c673cae FG	103	};
	104	WRITE_CLASS_ENCODER(ACLGranteeType)
	105
	106	class ACLGrantee
	107	{
	108	public:
	109	ACLGrantee() {}
	110	~ACLGrantee() {}
	111	};
	112
	113
	114	class ACLGrant
	115	{
	116	protected:
	117	ACLGranteeType type;
	118	rgw_user id;
	119	string email;
f67539c2	120	mutable rgw_user email_id;
7c673cae FG	121	ACLPermission permission;
	122	string name;
	123	ACLGroupTypeEnum group;
	124	string url_spec;
	125
	126	public:
	127	ACLGrant() : group(ACL_GROUP_NONE) {}
	128	virtual ~ACLGrant() {}
	129
	130	/* there's an assumption here that email/uri/id encodings are
	131	different and there can't be any overlap */
	132	bool get_id(rgw_user& _id) const {
	133	switch(type.get_type()) {
	134	case ACL_TYPE_EMAIL_USER:
	135	_id = email; // implies from_str() that parses the 't:u' syntax
	136	return true;
	137	case ACL_TYPE_GROUP:
	138	case ACL_TYPE_REFERER:
	139	return false;
	140	default:
	141	_id = id;
	142	return true;
	143	}
	144	}
f67539c2 TL	145
	146	const rgw_user* get_id() const {
	147	switch(type.get_type()) {
	148	case ACL_TYPE_EMAIL_USER:
	149	email_id.from_str(email);
	150	return &email_id;
	151	case ACL_TYPE_GROUP:
	152	case ACL_TYPE_REFERER:
	153	return nullptr;
	154	default:
	155	return &id;
	156	}
	157	}
	158
7c673cae FG	159	ACLGranteeType& get_type() { return type; }
	160	const ACLGranteeType& get_type() const { return type; }
	161	ACLPermission& get_permission() { return permission; }
	162	const ACLPermission& get_permission() const { return permission; }
	163	ACLGroupTypeEnum get_group() const { return group; }
	164	const string& get_referer() const { return url_spec; }
	165
	166	void encode(bufferlist& bl) const {
	167	ENCODE_START(5, 3, bl);
11fdf7f2	168	encode(type, bl);
7c673cae FG	169	string s;
7c673cae FG	170	id.to_str(s);
11fdf7f2	171	encode(s, bl);
7c673cae	172	string uri;
11fdf7f2 TL	173	encode(uri, bl);
	174	encode(email, bl);
	175	encode(permission, bl);
	176	encode(name, bl);
7c673cae	177	__u32 g = (__u32)group;
11fdf7f2 TL	178	encode(g, bl);
11fdf7f2 TL	179	encode(url_spec, bl);
7c673cae FG	180	ENCODE_FINISH(bl);
7c673cae FG	181	}
11fdf7f2	182	void decode(bufferlist::const_iterator& bl) {
7c673cae	183	DECODE_START_LEGACY_COMPAT_LEN(5, 3, 3, bl);
11fdf7f2	184	decode(type, bl);
7c673cae	185	string s;
11fdf7f2	186	decode(s, bl);
7c673cae FG	187	id.from_str(s);
7c673cae FG	188	string uri;
11fdf7f2 TL	189	decode(uri, bl);
	190	decode(email, bl);
	191	decode(permission, bl);
	192	decode(name, bl);
7c673cae FG	193	if (struct_v > 1) {
7c673cae FG	194	__u32 g;
11fdf7f2	195	decode(g, bl);
7c673cae FG	196	group = (ACLGroupTypeEnum)g;
	197	} else {
	198	group = uri_to_group(uri);
	199	}
	200	if (struct_v >= 5) {
11fdf7f2	201	decode(url_spec, bl);
7c673cae FG	202	} else {
	203	url_spec.clear();
	204	}
	205	DECODE_FINISH(bl);
	206	}
	207	void dump(Formatter *f) const;
	208	static void generate_test_instances(list<ACLGrant*>& o);
	209
	210	ACLGroupTypeEnum uri_to_group(string& uri);
f67539c2	211
7c673cae FG	212	void set_canon(const rgw_user& _id, const string& _name, const uint32_t perm) {
	213	type.set(ACL_TYPE_CANON_USER);
	214	id = _id;
	215	name = _name;
	216	permission.set_permissions(perm);
	217	}
	218	void set_group(ACLGroupTypeEnum _group, const uint32_t perm) {
	219	type.set(ACL_TYPE_GROUP);
	220	group = _group;
	221	permission.set_permissions(perm);
	222	}
	223	void set_referer(const std::string& _url_spec, const uint32_t perm) {
	224	type.set(ACL_TYPE_REFERER);
	225	url_spec = _url_spec;
	226	permission.set_permissions(perm);
	227	}
f67539c2 TL	228
	229	friend bool operator==(const ACLGrant& lhs, const ACLGrant& rhs);
	230	friend bool operator!=(const ACLGrant& lhs, const ACLGrant& rhs);
7c673cae FG	231	};
	232	WRITE_CLASS_ENCODER(ACLGrant)
	233
	234	struct ACLReferer {
	235	std::string url_spec;
	236	uint32_t perm;
	237
	238	ACLReferer() : perm(0) {}
	239	ACLReferer(const std::string& url_spec,
	240	const uint32_t perm)
	241	: url_spec(url_spec),
	242	perm(perm) {
	243	}
	244
f67539c2	245	bool is_match(std::string_view http_referer) const {
7c673cae FG	246	const auto http_host = get_http_host(http_referer);
	247	if (!http_host \|\| http_host->length() < url_spec.length()) {
	248	return false;
	249	}
	250
31f18b77 FG	251	if ("*" == url_spec) {
	252	return true;
	253	}
	254
7c673cae FG	255	if (http_host->compare(url_spec) == 0) {
	256	return true;
	257	}
	258
	259	if ('.' == url_spec[0]) {
	260	/* Wildcard support: a referer matches the spec when its last char are
	261	* perfectly equal to spec. */
f67539c2	262	return boost::algorithm::ends_with(http_host.value(), url_spec);
7c673cae FG	263	}
	264
	265	return false;
	266	}
	267
	268	void encode(bufferlist& bl) const {
	269	ENCODE_START(1, 1, bl);
11fdf7f2 TL	270	encode(url_spec, bl);
11fdf7f2 TL	271	encode(perm, bl);
7c673cae FG	272	ENCODE_FINISH(bl);
7c673cae FG	273	}
11fdf7f2	274	void decode(bufferlist::const_iterator& bl) {
7c673cae	275	DECODE_START_LEGACY_COMPAT_LEN(1, 1, 1, bl);
11fdf7f2 TL	276	decode(url_spec, bl);
11fdf7f2 TL	277	decode(perm, bl);
7c673cae FG	278	DECODE_FINISH(bl);
	279	}
	280	void dump(Formatter *f) const;
	281
f67539c2 TL	282	friend bool operator==(const ACLReferer& lhs, const ACLReferer& rhs);
	283	friend bool operator!=(const ACLReferer& lhs, const ACLReferer& rhs);
	284
7c673cae	285	private:
f67539c2	286	boost::optional<std::string_view> get_http_host(const std::string_view url) const {
7c673cae	287	size_t pos = url.find("://");
f67539c2 TL	288	if (pos == std::string_view::npos \|\| boost::algorithm::starts_with(url, "://") \|\|
f67539c2 TL	289	boost::algorithm::ends_with(url, "://") \|\| boost::algorithm::ends_with(url, "@")) {
7c673cae FG	290	return boost::none;
7c673cae FG	291	}
f67539c2	292	std::string_view url_sub = url.substr(pos + strlen("://"));
7c673cae	293	pos = url_sub.find('@');
f67539c2	294	if (pos != std::string_view::npos) {
7c673cae FG	295	url_sub = url_sub.substr(pos + 1);
	296	}
	297	pos = url_sub.find_first_of("/:");
f67539c2	298	if (pos == std::string_view::npos) {
7c673cae FG	299	/* no port or path exists */
	300	return url_sub;
	301	}
	302	return url_sub.substr(0, pos);
	303	}
	304	};
	305	WRITE_CLASS_ENCODER(ACLReferer)
	306
	307	namespace rgw {
	308	namespace auth {
	309	class Identity;
	310	}
	311	}
	312
f67539c2 TL	313	using ACLGrantMap = std::multimap<std::string, ACLGrant>;
f67539c2 TL	314
7c673cae FG	315	class RGWAccessControlList
	316	{
	317	protected:
	318	CephContext *cct;
	319	/* FIXME: in the feature we should consider switching to uint32_t also
	320	* in data structures. */
	321	map<string, int> acl_user_map;
	322	map<uint32_t, int> acl_group_map;
	323	list<ACLReferer> referer_list;
f67539c2	324	ACLGrantMap grant_map;
7c673cae FG	325	void _add_grant(ACLGrant *grant);
	326	public:
	327	explicit RGWAccessControlList(CephContext *_cct) : cct(_cct) {}
	328	RGWAccessControlList() : cct(NULL) {}
	329
	330	void set_ctx(CephContext *ctx) {
	331	cct = ctx;
	332	}
	333
	334	virtual ~RGWAccessControlList() {}
	335
11fdf7f2 TL	336	uint32_t get_perm(const DoutPrefixProvider* dpp,
11fdf7f2 TL	337	const rgw::auth::Identity& auth_identity,
7c673cae	338	uint32_t perm_mask);
b3b6e05e	339	uint32_t get_group_perm(const DoutPrefixProvider *dpp, ACLGroupTypeEnum group, uint32_t perm_mask) const;
31f18b77 FG	340	uint32_t get_referer_perm(uint32_t current_perm,
	341	std::string http_referer,
	342	uint32_t perm_mask);
7c673cae FG	343	void encode(bufferlist& bl) const {
	344	ENCODE_START(4, 3, bl);
	345	bool maps_initialized = true;
11fdf7f2 TL	346	encode(maps_initialized, bl);
	347	encode(acl_user_map, bl);
	348	encode(grant_map, bl);
	349	encode(acl_group_map, bl);
	350	encode(referer_list, bl);
7c673cae FG	351	ENCODE_FINISH(bl);
7c673cae FG	352	}
11fdf7f2	353	void decode(bufferlist::const_iterator& bl) {
7c673cae FG	354	DECODE_START_LEGACY_COMPAT_LEN(4, 3, 3, bl);
7c673cae FG	355	bool maps_initialized;
11fdf7f2 TL	356	decode(maps_initialized, bl);
	357	decode(acl_user_map, bl);
	358	decode(grant_map, bl);
7c673cae	359	if (struct_v >= 2) {
11fdf7f2	360	decode(acl_group_map, bl);
7c673cae	361	} else if (!maps_initialized) {
f67539c2	362	ACLGrantMap::iterator iter;
7c673cae FG	363	for (iter = grant_map.begin(); iter != grant_map.end(); ++iter) {
	364	ACLGrant& grant = iter->second;
	365	_add_grant(&grant);
	366	}
	367	}
	368	if (struct_v >= 4) {
11fdf7f2	369	decode(referer_list, bl);
7c673cae FG	370	}
	371	DECODE_FINISH(bl);
	372	}
	373	void dump(Formatter *f) const;
	374	static void generate_test_instances(list<RGWAccessControlList*>& o);
	375
	376	void add_grant(ACLGrant *grant);
9f95a23c	377	void remove_canon_user_grant(rgw_user& user_id);
7c673cae	378
f67539c2 TL	379	ACLGrantMap& get_grant_map() { return grant_map; }
f67539c2 TL	380	const ACLGrantMap& get_grant_map() const { return grant_map; }
7c673cae FG	381
	382	void create_default(const rgw_user& id, string name) {
	383	acl_user_map.clear();
	384	acl_group_map.clear();
	385	referer_list.clear();
	386
	387	ACLGrant grant;
	388	grant.set_canon(id, name, RGW_PERM_FULL_CONTROL);
	389	add_grant(&grant);
	390	}
f67539c2 TL	391
	392	friend bool operator==(const RGWAccessControlList& lhs, const RGWAccessControlList& rhs);
	393	friend bool operator!=(const RGWAccessControlList& lhs, const RGWAccessControlList& rhs);
7c673cae FG	394	};
	395	WRITE_CLASS_ENCODER(RGWAccessControlList)
	396
	397	class ACLOwner
	398	{
	399	protected:
	400	rgw_user id;
	401	string display_name;
	402	public:
	403	ACLOwner() {}
f67539c2	404	ACLOwner(const rgw_user& _id) : id(_id) {}
7c673cae FG	405	~ACLOwner() {}
	406
	407	void encode(bufferlist& bl) const {
	408	ENCODE_START(3, 2, bl);
	409	string s;
	410	id.to_str(s);
11fdf7f2 TL	411	encode(s, bl);
11fdf7f2 TL	412	encode(display_name, bl);
7c673cae FG	413	ENCODE_FINISH(bl);
7c673cae FG	414	}
11fdf7f2	415	void decode(bufferlist::const_iterator& bl) {
7c673cae FG	416	DECODE_START_LEGACY_COMPAT_LEN(3, 2, 2, bl);
7c673cae FG	417	string s;
11fdf7f2	418	decode(s, bl);
7c673cae	419	id.from_str(s);
11fdf7f2	420	decode(display_name, bl);
7c673cae FG	421	DECODE_FINISH(bl);
	422	}
	423	void dump(Formatter *f) const;
31f18b77	424	void decode_json(JSONObj *obj);
7c673cae FG	425	static void generate_test_instances(list<ACLOwner*>& o);
	426	void set_id(const rgw_user& _id) { id = _id; }
	427	void set_name(const string& name) { display_name = name; }
	428
	429	rgw_user& get_id() { return id; }
	430	const rgw_user& get_id() const { return id; }
	431	string& get_display_name() { return display_name; }
f67539c2 TL	432	const string& get_display_name() const { return display_name; }
	433	friend bool operator==(const ACLOwner& lhs, const ACLOwner& rhs);
	434	friend bool operator!=(const ACLOwner& lhs, const ACLOwner& rhs);
7c673cae FG	435	};
	436	WRITE_CLASS_ENCODER(ACLOwner)
	437
	438	class RGWAccessControlPolicy
	439	{
	440	protected:
	441	CephContext *cct;
	442	RGWAccessControlList acl;
	443	ACLOwner owner;
	444
	445	public:
	446	explicit RGWAccessControlPolicy(CephContext *_cct) : cct(_cct), acl(_cct) {}
	447	RGWAccessControlPolicy() : cct(NULL), acl(NULL) {}
	448	virtual ~RGWAccessControlPolicy() {}
	449
	450	void set_ctx(CephContext *ctx) {
	451	cct = ctx;
	452	acl.set_ctx(ctx);
	453	}
	454
11fdf7f2 TL	455	uint32_t get_perm(const DoutPrefixProvider* dpp,
11fdf7f2 TL	456	const rgw::auth::Identity& auth_identity,
7c673cae	457	uint32_t perm_mask,
9f95a23c TL	458	const char * http_referer,
9f95a23c TL	459	bool ignore_public_acls=false);
11fdf7f2 TL	460	bool verify_permission(const DoutPrefixProvider* dpp,
11fdf7f2 TL	461	const rgw::auth::Identity& auth_identity,
7c673cae FG	462	uint32_t user_perm_mask,
7c673cae FG	463	uint32_t perm,
9f95a23c TL	464	const char * http_referer = nullptr,
9f95a23c TL	465	bool ignore_public_acls=false);
7c673cae FG	466
	467	void encode(bufferlist& bl) const {
	468	ENCODE_START(2, 2, bl);
11fdf7f2 TL	469	encode(owner, bl);
11fdf7f2 TL	470	encode(acl, bl);
7c673cae FG	471	ENCODE_FINISH(bl);
7c673cae FG	472	}
11fdf7f2	473	void decode(bufferlist::const_iterator& bl) {
7c673cae	474	DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
11fdf7f2 TL	475	decode(owner, bl);
11fdf7f2 TL	476	decode(acl, bl);
7c673cae FG	477	DECODE_FINISH(bl);
	478	}
	479	void dump(Formatter *f) const;
	480	static void generate_test_instances(list<RGWAccessControlPolicy*>& o);
11fdf7f2	481	void decode_owner(bufferlist::const_iterator& bl) { // sometimes we only need that, should be faster
7c673cae	482	DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl);
11fdf7f2	483	decode(owner, bl);
7c673cae FG	484	DECODE_FINISH(bl);
	485	}
	486
	487	void set_owner(ACLOwner& o) { owner = o; }
	488	ACLOwner& get_owner() {
	489	return owner;
	490	}
	491
	492	void create_default(const rgw_user& id, string& name) {
	493	acl.create_default(id, name);
	494	owner.set_id(id);
	495	owner.set_name(name);
	496	}
	497	RGWAccessControlList& get_acl() {
	498	return acl;
	499	}
	500	const RGWAccessControlList& get_acl() const {
	501	return acl;
	502	}
	503
	504	virtual bool compare_group_name(string& id, ACLGroupTypeEnum group) { return false; }
b3b6e05e	505	bool is_public(const DoutPrefixProvider *dpp) const;
f67539c2 TL	506
	507	friend bool operator==(const RGWAccessControlPolicy& lhs, const RGWAccessControlPolicy& rhs);
	508	friend bool operator!=(const RGWAccessControlPolicy& lhs, const RGWAccessControlPolicy& rhs);
7c673cae FG	509	};
	510	WRITE_CLASS_ENCODER(RGWAccessControlPolicy)
	511
	512	#endif