[ceph.git] / ceph / src / rgw / rgw_auth.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#include <array>

#include "rgw_common.h"
#include "rgw_auth.h"
#include "rgw_user.h"
#include "rgw_http_client.h"
#include "rgw_keystone.h"

#include "include/str_list.h"

#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw


namespace rgw {
namespace auth {

std::unique_ptr<rgw::auth::Identity>
transform_old_authinfo(const req_state* const s)
{
  /* This class is not intended for public use. Should be removed altogether
   * with this function after moving all our APIs to the new authentication
   * infrastructure. */
  class DummyIdentityApplier : public rgw::auth::Identity {
    CephContext* const cct;

    /* For this particular case it's OK to use rgw_user structure to convey
     * the identity info as this was the policy for doing that before the
     * new auth. */
    const rgw_user id;
    const int perm_mask;
    const bool is_admin;
  public:
    DummyIdentityApplier(CephContext* const cct,
                         const rgw_user& auth_id,
                         const int perm_mask,
                         const bool is_admin)
      : cct(cct),
        id(auth_id),
        perm_mask(perm_mask),
        is_admin(is_admin) {
    }

    uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
      return rgw_perms_from_aclspec_default_strategy(id, aclspec);
    }

    bool is_admin_of(const rgw_user& acct_id) const override {
      return is_admin;
    }

    bool is_owner_of(const rgw_user& acct_id) const override {
      return id == acct_id;
    }

    bool is_identity(const idset_t& ids) const override {
      for (auto& p : ids) {
	if (p.is_wildcard()) {
	  return true;
	} else if (p.is_tenant() && p.get_tenant() == id.tenant) {
	  return true;
	} else if (p.is_user() &&
		   (p.get_tenant() == id.tenant) &&
		   (p.get_id() == id.id)) {
	  return true;
	}
      }
      return false;
    }

    uint32_t get_perm_mask() const override {
      return perm_mask;
    }

    void to_str(std::ostream& out) const override {
      out << "RGWDummyIdentityApplier(auth_id=" << id
          << ", perm_mask=" << perm_mask
          << ", is_admin=" << is_admin << ")";
    }
  };

  return std::unique_ptr<rgw::auth::Identity>(
        new DummyIdentityApplier(s->cct,
                                 s->user->user_id,
                                 s->perm_mask,
  /* System user has admin permissions by default - it's supposed to pass
   * through any security check. */
                                 s->system_request));
}

} /* namespace auth */
} /* namespace rgw */


uint32_t rgw_perms_from_aclspec_default_strategy(
  const rgw_user& uid,
  const rgw::auth::Identity::aclspec_t& aclspec)
{
  dout(5) << "Searching permissions for uid=" << uid <<  dendl;

  const auto iter = aclspec.find(uid.to_str());
  if (std::end(aclspec) != iter) {
    dout(5) << "Found permission: " << iter->second << dendl;
    return iter->second;
  }

  dout(5) << "Permissions for user not found" << dendl;
  return 0;
}


static inline const std::string make_spec_item(const std::string& tenant,
                                               const std::string& id)
{
  return tenant + ":" + id;
}


static inline std::pair<bool, rgw::auth::Engine::result_t>
strategy_handle_rejected(rgw::auth::Engine::result_t&& engine_result,
                         const rgw::auth::Strategy::Control policy,
                         rgw::auth::Engine::result_t&& strategy_result)
{
  using Control = rgw::auth::Strategy::Control;
  switch (policy) {
    case Control::REQUISITE:
      /* Don't try next. */
      return std::make_pair(false, std::move(engine_result));

    case Control::SUFFICIENT:
      /* Don't try next. */
      return std::make_pair(false, std::move(engine_result));

    case Control::FALLBACK:
      /* Don't try next. */
      return std::make_pair(false, std::move(strategy_result));

    default:
      /* Huh, memory corruption? */
      abort();
  }
}

static inline std::pair<bool, rgw::auth::Engine::result_t>
strategy_handle_denied(rgw::auth::Engine::result_t&& engine_result,
                       const rgw::auth::Strategy::Control policy,
                       rgw::auth::Engine::result_t&& strategy_result)
{
  using Control = rgw::auth::Strategy::Control;
  switch (policy) {
    case Control::REQUISITE:
      /* Don't try next. */
      return std::make_pair(false, std::move(engine_result));

    case Control::SUFFICIENT:
      /* Just try next. */
      return std::make_pair(true, std::move(engine_result));

    case Control::FALLBACK:
      return std::make_pair(true, std::move(strategy_result));

    default:
      /* Huh, memory corruption? */
      abort();
  }
}

static inline std::pair<bool, rgw::auth::Engine::result_t>
strategy_handle_granted(rgw::auth::Engine::result_t&& engine_result,
                        const rgw::auth::Strategy::Control policy,
                        rgw::auth::Engine::result_t&& strategy_result)
{
  using Control = rgw::auth::Strategy::Control;
  switch (policy) {
    case Control::REQUISITE:
      /* Try next. */
      return std::make_pair(true, std::move(engine_result));

    case Control::SUFFICIENT:
      /* Don't try next. */
      return std::make_pair(false, std::move(engine_result));

    case Control::FALLBACK:
      /* Don't try next. */
      return std::make_pair(false, std::move(engine_result));

    default:
      /* Huh, memory corruption? */
      abort();
  }
}

rgw::auth::Engine::result_t
rgw::auth::Strategy::authenticate(const req_state* const s) const
{
  result_t strategy_result = result_t::deny();

  for (const stack_item_t& kv : auth_stack) {
    const rgw::auth::Engine& engine = kv.first;
    const auto& policy = kv.second;

    dout(20) << get_name() << ": trying " << engine.get_name() << dendl;

    result_t engine_result = result_t::deny();
    try {
      engine_result = engine.authenticate(s);
    } catch (const int err) {
      engine_result = result_t::deny(err);
    }

    bool try_next = true;
    switch (engine_result.get_status()) {
      case result_t::Status::REJECTED: {
        dout(20) << engine.get_name() << " rejected with reason="
                 << engine_result.get_reason() << dendl;

        std::tie(try_next, strategy_result) = \
          strategy_handle_rejected(std::move(engine_result), policy,
                                   std::move(strategy_result));
        break;
      }
      case result_t::Status::DENIED: {
        dout(20) << engine.get_name() << " denied with reason="
                 << engine_result.get_reason() << dendl;

        std::tie(try_next, strategy_result) = \
          strategy_handle_denied(std::move(engine_result), policy,
                                 std::move(strategy_result));
        break;
      }
      case result_t::Status::GRANTED: {
        dout(20) << engine.get_name() << " granted access" << dendl;

        std::tie(try_next, strategy_result) = \
          strategy_handle_granted(std::move(engine_result), policy,
                                  std::move(strategy_result));
        break;
      }
      default: {
        abort();
      }
    }

    if (! try_next) {
      break;
    }
  }

  return strategy_result;
}

int
rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy,
                           req_state* const s) noexcept
{
  try {
    auto result = auth_strategy.authenticate(s);
    if (result.get_status() != decltype(result)::Status::GRANTED) {
      /* Access denied is acknowledged by returning a std::unique_ptr with
       * nullptr inside. */
      ldout(s->cct, 5) << "Failed the auth strategy, reason="
                       << result.get_reason() << dendl;
      return result.get_reason();
    }

    try {
      rgw::auth::IdentityApplier::aplptr_t applier = result.get_applier();
      rgw::auth::Completer::cmplptr_t completer = result.get_completer();

      /* Account used by a given RGWOp is decoupled from identity employed
       * in the authorization phase (RGWOp::verify_permissions). */
      applier->load_acct_info(*s->user);
      s->perm_mask = applier->get_perm_mask();

      /* This is the signle place where we pass req_state as a pointer
       * to non-const and thus its modification is allowed. In the time
       * of writing only RGWTempURLEngine needed that feature. */
      applier->modify_request_state(s);
      if (completer) {
        completer->modify_request_state(s);
      }

      s->auth.identity = std::move(applier);
      s->auth.completer = std::move(completer);

      return 0;
    } catch (const int err) {
      ldout(s->cct, 5) << "applier throwed err=" << err << dendl;
      return err;
    }
  } catch (const int err) {
    ldout(s->cct, 5) << "auth engine throwed err=" << err << dendl;
    return err;
  }

  /* We never should be here. */
  return -EPERM;
}

void
rgw::auth::Strategy::add_engine(const Control ctrl_flag,
                                const Engine& engine) noexcept
{
  auth_stack.push_back(std::make_pair(std::cref(engine), ctrl_flag));
}


/* rgw::auth::RemoteAuthApplier */
uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
{
  uint32_t perm = 0;

  /* For backward compatibility with ACLOwner. */
  perm |= rgw_perms_from_aclspec_default_strategy(info.acct_user,
                                                  aclspec);

  /* We also need to cover cases where rgw_keystone_implicit_tenants
   * was enabled. */
  if (info.acct_user.tenant.empty()) {
    const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);

    perm |= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user,
                                                    aclspec);
  }

  /* Now it's a time for invoking additional strategy that was supplied by
   * a specific auth engine. */
  if (extra_acl_strategy) {
    perm |= extra_acl_strategy(aclspec);
  }

  ldout(cct, 20) << "from ACL got perm=" << perm << dendl;
  return perm;
}

bool rgw::auth::RemoteApplier::is_admin_of(const rgw_user& uid) const
{
  return info.is_admin;
}

bool rgw::auth::RemoteApplier::is_owner_of(const rgw_user& uid) const
{
  if (info.acct_user.tenant.empty()) {
    const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);

    if (tenanted_acct_user == uid) {
      return true;
    }
  }

  return info.acct_user == uid;
}

bool rgw::auth::RemoteApplier::is_identity(const idset_t& ids) const {
  for (auto& id : ids) {
    if (id.is_wildcard()) {
      return true;

      // We also need to cover cases where rgw_keystone_implicit_tenants
      // was enabled. */
    } else if (id.is_tenant() &&
	       (info.acct_user.tenant.empty() ?
		info.acct_user.id :
		info.acct_user.tenant) == id.get_tenant()) {
      return true;
    } else if (id.is_user() &&
	       info.acct_user.id == id.get_id() &&
	       (info.acct_user.tenant.empty() ?
		info.acct_user.id :
		info.acct_user.tenant) == id.get_tenant()) {
      return true;
    }
  }
  return false;
}

void rgw::auth::RemoteApplier::to_str(std::ostream& out) const
{
  out << "rgw::auth::RemoteApplier(acct_user=" << info.acct_user
      << ", acct_name=" << info.acct_name
      << ", perm_mask=" << info.perm_mask
      << ", is_admin=" << info.is_admin << ")";
}

void rgw::auth::ImplicitTenants::recompute_value(const md_config_t *c)
{
  std::string s = c->get_val<std::string>("rgw_keystone_implicit_tenants");
  int v = 0;
  if (boost::iequals(s, "both")
    || boost::iequals(s, "true")
    || boost::iequals(s, "1")) {
    v = IMPLICIT_TENANTS_S3|IMPLICIT_TENANTS_SWIFT;
  } else if (boost::iequals(s, "0")
    || boost::iequals(s, "none")
    || boost::iequals(s, "false")) {
    v = 0;
  } else if (boost::iequals(s, "s3")) {
    v = IMPLICIT_TENANTS_S3;
  } else if (boost::iequals(s, "swift")) {
    v = IMPLICIT_TENANTS_SWIFT;
  } else {  /* "" (and anything else) */
    v = IMPLICIT_TENANTS_BAD;
    // assert(0);
  }
  saved = v;
}

const char **rgw::auth::ImplicitTenants::get_tracked_conf_keys() const
{
  static const char *keys[] = {
    "rgw_keystone_implicit_tenants",
  NULL };
  return keys;
}

void rgw::auth::ImplicitTenants::handle_conf_change(const struct md_config_t *c,
	const std::set <std::string> &changed)
{
  if (changed.count("rgw_keystone_implicit_tenants")) {
    recompute_value(c);
  }
}

void rgw::auth::RemoteApplier::create_account(const rgw_user& acct_user,
                                              bool implicit_tenant,
                                              RGWUserInfo& user_info) const      /* out */
{
  rgw_user new_acct_user = acct_user;

  if (info.acct_type) {
    //ldap/keystone for s3 users
    user_info.type = info.acct_type;
  }

  /* An upper layer may enforce creating new accounts within their own
   * tenants. */
  if (new_acct_user.tenant.empty() && implicit_tenant) {
    new_acct_user.tenant = new_acct_user.id;
  }

  user_info.user_id = new_acct_user;
  user_info.display_name = info.acct_name;

  int ret = rgw_store_user_info(store, user_info, nullptr, nullptr,
                                real_time(), true);
  if (ret < 0) {
    ldout(cct, 0) << "ERROR: failed to store new user info: user="
                  << user_info.user_id << " ret=" << ret << dendl;
    throw ret;
  }
}

/* TODO(rzarzynski): we need to handle display_name changes. */
void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const      /* out */
{
  /* It's supposed that RGWRemoteAuthApplier tries to load account info
   * that belongs to the authenticated identity. Another policy may be
   * applied by using a RGWThirdPartyAccountAuthApplier decorator. */
  const rgw_user& acct_user = info.acct_user;
  auto implicit_value = implicit_tenant_context.get_value();
  bool implicit_tenant = implicit_value.implicit_tenants_for_(implicit_tenant_bit);
  bool split_mode = implicit_value.is_split_mode();

  /* Normally, empty "tenant" field of acct_user means the authenticated
   * identity has the legacy, global tenant. However, due to inclusion
   * of multi-tenancy, we got some special compatibility kludge for remote
   * backends like Keystone.
   * If the global tenant is the requested one, we try the same tenant as
   * the user name first. If that RGWUserInfo exists, we use it. This way,
   * migrated OpenStack users can get their namespaced containers and nobody's
   * the wiser.
   * If that fails, we look up in the requested (possibly empty) tenant.
   * If that fails too, we create the account within the global or separated
   * namespace depending on rgw_keystone_implicit_tenants.
   * For compatibility with previous versions of ceph, it is possible
   * to enable implicit_tenants for only s3 or only swift.
   * in this mode ("split_mode"), we must constrain the id lookups to
   * only use the identifier space that would be used if the id were
   * to be created. */

  if (split_mode && !implicit_tenant)
	;	/* suppress lookup for id used by "other" protocol */
  else if (acct_user.tenant.empty()) {
    const rgw_user tenanted_uid(acct_user.id, acct_user.id);

    if (rgw_get_user_info_by_uid(store, tenanted_uid, user_info) >= 0) {
      /* Succeeded. */
      return;
    }
  }

  if (split_mode && implicit_tenant)
	;	/* suppress lookup for id used by "other" protocol */
  else if (rgw_get_user_info_by_uid(store, acct_user, user_info) >= 0) {
      /* Succeeded. */
      return;
  }

  ldout(cct, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl;
  create_account(acct_user, implicit_tenant, user_info);

  /* Succeeded if we are here (create_account() hasn't throwed). */
}


/* rgw::auth::LocalApplier */
/* static declaration */
const std::string rgw::auth::LocalApplier::NO_SUBUSER;

uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
{
  return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec);
}

bool rgw::auth::LocalApplier::is_admin_of(const rgw_user& uid) const
{
  return user_info.admin || user_info.system;
}

bool rgw::auth::LocalApplier::is_owner_of(const rgw_user& uid) const
{
  return uid == user_info.user_id;
}

bool rgw::auth::LocalApplier::is_identity(const idset_t& ids) const {
  for (auto& id : ids) {
    if (id.is_wildcard()) {
      return true;
    } else if (id.is_tenant() &&
	       id.get_tenant() == user_info.user_id.tenant) {
      return true;
    } else if (id.is_user() &&
	       (id.get_tenant() == user_info.user_id.tenant) &&
	       (id.get_id() == user_info.user_id.id)) {
      return true;
    }
  }
  return false;
}

void rgw::auth::LocalApplier::to_str(std::ostream& out) const {
  out << "rgw::auth::LocalApplier(acct_user=" << user_info.user_id
      << ", acct_name=" << user_info.display_name
      << ", subuser=" << subuser
      << ", perm_mask=" << get_perm_mask()
      << ", is_admin=" << static_cast<bool>(user_info.admin) << ")";
}

uint32_t rgw::auth::LocalApplier::get_perm_mask(const std::string& subuser_name,
                                                const RGWUserInfo &uinfo) const
{
  if (! subuser_name.empty() && subuser_name != NO_SUBUSER) {
    const auto iter = uinfo.subusers.find(subuser_name);

    if (iter != std::end(uinfo.subusers)) {
      return iter->second.perm_mask;
    } else {
      /* Subuser specified but not found. */
      return RGW_PERM_NONE;
    }
  } else {
    /* Due to backward compatibility. */
    return RGW_PERM_FULL_CONTROL;
  }
}

void rgw::auth::LocalApplier::load_acct_info(RGWUserInfo& user_info) const /* out */
{
  /* Load the account that belongs to the authenticated identity. An extra call
   * to RADOS may be safely skipped in this case. */
  user_info = this->user_info;
}


rgw::auth::Engine::result_t
rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
{
  if (! is_applicable(s)) {
    return result_t::deny(-EPERM);
  } else {
    RGWUserInfo user_info;
    rgw_get_anon_user(user_info);

    auto apl = \
      apl_factory->create_apl_local(cct, s, user_info,
                                    rgw::auth::LocalApplier::NO_SUBUSER);
    return result_t::grant(std::move(apl));
  }
}
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	#include <array>
	5
	6	#include "rgw_common.h"
	7	#include "rgw_auth.h"
	8	#include "rgw_user.h"
	9	#include "rgw_http_client.h"
	10	#include "rgw_keystone.h"
	11
	12	#include "include/str_list.h"
	13
	14	#define dout_context g_ceph_context
	15	#define dout_subsys ceph_subsys_rgw
	16
	17
	18	namespace rgw {
	19	namespace auth {
	20
	21	std::unique_ptr<rgw::auth::Identity>
	22	transform_old_authinfo(const req_state* const s)
	23	{
	24	/* This class is not intended for public use. Should be removed altogether
	25	* with this function after moving all our APIs to the new authentication
	26	* infrastructure. */
	27	class DummyIdentityApplier : public rgw::auth::Identity {
	28	CephContext* const cct;
	29
	30	/* For this particular case it's OK to use rgw_user structure to convey
	31	* the identity info as this was the policy for doing that before the
	32	* new auth. */
	33	const rgw_user id;
	34	const int perm_mask;
	35	const bool is_admin;
	36	public:
	37	DummyIdentityApplier(CephContext* const cct,
	38	const rgw_user& auth_id,
	39	const int perm_mask,
	40	const bool is_admin)
	41	: cct(cct),
	42	id(auth_id),
	43	perm_mask(perm_mask),
	44	is_admin(is_admin) {
	45	}
	46
	47	uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
	48	return rgw_perms_from_aclspec_default_strategy(id, aclspec);
	49	}
	50
	51	bool is_admin_of(const rgw_user& acct_id) const override {
	52	return is_admin;
	53	}
	54
	55	bool is_owner_of(const rgw_user& acct_id) const override {
	56	return id == acct_id;
	57	}
	58
31f18b77 FG	59	bool is_identity(const idset_t& ids) const override {
	60	for (auto& p : ids) {
	61	if (p.is_wildcard()) {
	62	return true;
	63	} else if (p.is_tenant() && p.get_tenant() == id.tenant) {
	64	return true;
	65	} else if (p.is_user() &&
	66	(p.get_tenant() == id.tenant) &&
	67	(p.get_id() == id.id)) {
	68	return true;
	69	}
	70	}
	71	return false;
	72	}
	73
7c673cae FG	74	uint32_t get_perm_mask() const override {
	75	return perm_mask;
	76	}
	77
	78	void to_str(std::ostream& out) const override {
	79	out << "RGWDummyIdentityApplier(auth_id=" << id
	80	<< ", perm_mask=" << perm_mask
	81	<< ", is_admin=" << is_admin << ")";
	82	}
	83	};
	84
	85	return std::unique_ptr<rgw::auth::Identity>(
	86	new DummyIdentityApplier(s->cct,
	87	s->user->user_id,
	88	s->perm_mask,
	89	/* System user has admin permissions by default - it's supposed to pass
	90	* through any security check. */
	91	s->system_request));
	92	}
	93
	94	} /* namespace auth */
	95	} /* namespace rgw */
	96
	97
	98	uint32_t rgw_perms_from_aclspec_default_strategy(
	99	const rgw_user& uid,
	100	const rgw::auth::Identity::aclspec_t& aclspec)
	101	{
	102	dout(5) << "Searching permissions for uid=" << uid << dendl;
	103
	104	const auto iter = aclspec.find(uid.to_str());
	105	if (std::end(aclspec) != iter) {
	106	dout(5) << "Found permission: " << iter->second << dendl;
	107	return iter->second;
	108	}
	109
	110	dout(5) << "Permissions for user not found" << dendl;
	111	return 0;
	112	}
	113
	114
	115	static inline const std::string make_spec_item(const std::string& tenant,
	116	const std::string& id)
	117	{
	118	return tenant + ":" + id;
	119	}
	120
	121
	122	static inline std::pair<bool, rgw::auth::Engine::result_t>
	123	strategy_handle_rejected(rgw::auth::Engine::result_t&& engine_result,
	124	const rgw::auth::Strategy::Control policy,
	125	rgw::auth::Engine::result_t&& strategy_result)
	126	{
	127	using Control = rgw::auth::Strategy::Control;
	128	switch (policy) {
	129	case Control::REQUISITE:
	130	/* Don't try next. */
	131	return std::make_pair(false, std::move(engine_result));
	132
	133	case Control::SUFFICIENT:
	134	/* Don't try next. */
	135	return std::make_pair(false, std::move(engine_result));
	136
	137	case Control::FALLBACK:
138	/* Don't try next. */
139	return std::make_pair(false, std::move(strategy_result));
140
141	default:
142	/* Huh, memory corruption? */
143	abort();
144	}
145	}
146
147	static inline std::pair<bool, rgw::auth::Engine::result_t>
148	strategy_handle_denied(rgw::auth::Engine::result_t&& engine_result,
149	const rgw::auth::Strategy::Control policy,
150	rgw::auth::Engine::result_t&& strategy_result)
151	{
152	using Control = rgw::auth::Strategy::Control;
153	switch (policy) {
154	case Control::REQUISITE:
155	/* Don't try next. */
156	return std::make_pair(false, std::move(engine_result));
157
158	case Control::SUFFICIENT:
159	/* Just try next. */
160	return std::make_pair(true, std::move(engine_result));
161
162	case Control::FALLBACK:
163	return std::make_pair(true, std::move(strategy_result));
164
165	default:
166	/* Huh, memory corruption? */
167	abort();
168	}
169	}
170
171	static inline std::pair<bool, rgw::auth::Engine::result_t>
172	strategy_handle_granted(rgw::auth::Engine::result_t&& engine_result,
173	const rgw::auth::Strategy::Control policy,
174	rgw::auth::Engine::result_t&& strategy_result)
175	{
176	using Control = rgw::auth::Strategy::Control;
177	switch (policy) {
178	case Control::REQUISITE:
179	/* Try next. */
180	return std::make_pair(true, std::move(engine_result));
181
182	case Control::SUFFICIENT:
183	/* Don't try next. */
184	return std::make_pair(false, std::move(engine_result));
185
186	case Control::FALLBACK:
187	/* Don't try next. */
188	return std::make_pair(false, std::move(engine_result));
189
190	default:
191	/* Huh, memory corruption? */
192	abort();
193	}
194	}
195
196	rgw::auth::Engine::result_t
197	rgw::auth::Strategy::authenticate(const req_state* const s) const
198	{
199	result_t strategy_result = result_t::deny();
200
201	for (const stack_item_t& kv : auth_stack) {
202	const rgw::auth::Engine& engine = kv.first;
203	const auto& policy = kv.second;
204
205	dout(20) << get_name() << ": trying " << engine.get_name() << dendl;
206
207	result_t engine_result = result_t::deny();
208	try {
209	engine_result = engine.authenticate(s);
210	} catch (const int err) {
211	engine_result = result_t::deny(err);
212	}
213
214	bool try_next = true;
215	switch (engine_result.get_status()) {
216	case result_t::Status::REJECTED: {
217	dout(20) << engine.get_name() << " rejected with reason="
218	<< engine_result.get_reason() << dendl;
219
220	std::tie(try_next, strategy_result) = \
221	strategy_handle_rejected(std::move(engine_result), policy,
222	std::move(strategy_result));
223	break;
224	}
225	case result_t::Status::DENIED: {
226	dout(20) << engine.get_name() << " denied with reason="
227	<< engine_result.get_reason() << dendl;
228
229	std::tie(try_next, strategy_result) = \
230	strategy_handle_denied(std::move(engine_result), policy,
231	std::move(strategy_result));
232	break;
233	}
234	case result_t::Status::GRANTED: {
235	dout(20) << engine.get_name() << " granted access" << dendl;
236
237	std::tie(try_next, strategy_result) = \
238	strategy_handle_granted(std::move(engine_result), policy,
239	std::move(strategy_result));
240	break;
241	}
242	default: {
243	abort();
244	}
245	}
246
247	if (! try_next) {
248	break;
249	}
250	}
251
252	return strategy_result;
253	}
254
31f18b77 FG	255	int
	256	rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy,
	257	req_state* const s) noexcept
	258	{
	259	try {
	260	auto result = auth_strategy.authenticate(s);
	261	if (result.get_status() != decltype(result)::Status::GRANTED) {
	262	/* Access denied is acknowledged by returning a std::unique_ptr with
	263	* nullptr inside. */
	264	ldout(s->cct, 5) << "Failed the auth strategy, reason="
	265	<< result.get_reason() << dendl;
	266	return result.get_reason();
	267	}
	268
	269	try {
	270	rgw::auth::IdentityApplier::aplptr_t applier = result.get_applier();
	271	rgw::auth::Completer::cmplptr_t completer = result.get_completer();
	272
	273	/* Account used by a given RGWOp is decoupled from identity employed
	274	* in the authorization phase (RGWOp::verify_permissions). */
	275	applier->load_acct_info(*s->user);
	276	s->perm_mask = applier->get_perm_mask();
	277
	278	/* This is the signle place where we pass req_state as a pointer
	279	* to non-const and thus its modification is allowed. In the time
	280	* of writing only RGWTempURLEngine needed that feature. */
	281	applier->modify_request_state(s);
	282	if (completer) {
	283	completer->modify_request_state(s);
	284	}
	285
	286	s->auth.identity = std::move(applier);
	287	s->auth.completer = std::move(completer);
	288
	289	return 0;
	290	} catch (const int err) {
	291	ldout(s->cct, 5) << "applier throwed err=" << err << dendl;
	292	return err;
	293	}
	294	} catch (const int err) {
	295	ldout(s->cct, 5) << "auth engine throwed err=" << err << dendl;
	296	return err;
	297	}
	298
	299	/* We never should be here. */
	300	return -EPERM;
	301	}
	302
7c673cae FG	303	void
	304	rgw::auth::Strategy::add_engine(const Control ctrl_flag,
	305	const Engine& engine) noexcept
	306	{
	307	auth_stack.push_back(std::make_pair(std::cref(engine), ctrl_flag));
	308	}
	309
	310
	311	/* rgw::auth::RemoteAuthApplier */
	312	uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
	313	{
	314	uint32_t perm = 0;
	315
	316	/* For backward compatibility with ACLOwner. */
	317	perm \|= rgw_perms_from_aclspec_default_strategy(info.acct_user,
	318	aclspec);
	319
	320	/* We also need to cover cases where rgw_keystone_implicit_tenants
	321	* was enabled. */
	322	if (info.acct_user.tenant.empty()) {
	323	const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);
	324
	325	perm \|= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user,
	326	aclspec);
	327	}
	328
	329	/* Now it's a time for invoking additional strategy that was supplied by
	330	* a specific auth engine. */
	331	if (extra_acl_strategy) {
	332	perm \|= extra_acl_strategy(aclspec);
	333	}
	334
	335	ldout(cct, 20) << "from ACL got perm=" << perm << dendl;
	336	return perm;
	337	}
	338
	339	bool rgw::auth::RemoteApplier::is_admin_of(const rgw_user& uid) const
	340	{
	341	return info.is_admin;
	342	}
	343
	344	bool rgw::auth::RemoteApplier::is_owner_of(const rgw_user& uid) const
	345	{
	346	if (info.acct_user.tenant.empty()) {
	347	const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);
	348
	349	if (tenanted_acct_user == uid) {
	350	return true;
	351	}
	352	}
	353
	354	return info.acct_user == uid;
	355	}
	356
31f18b77 FG	357	bool rgw::auth::RemoteApplier::is_identity(const idset_t& ids) const {
	358	for (auto& id : ids) {
	359	if (id.is_wildcard()) {
	360	return true;
	361
	362	// We also need to cover cases where rgw_keystone_implicit_tenants
	363	// was enabled. */
	364	} else if (id.is_tenant() &&
	365	(info.acct_user.tenant.empty() ?
	366	info.acct_user.id :
	367	info.acct_user.tenant) == id.get_tenant()) {
	368	return true;
	369	} else if (id.is_user() &&
	370	info.acct_user.id == id.get_id() &&
	371	(info.acct_user.tenant.empty() ?
	372	info.acct_user.id :
	373	info.acct_user.tenant) == id.get_tenant()) {
	374	return true;
	375	}
	376	}
	377	return false;
	378	}
	379
7c673cae FG	380	void rgw::auth::RemoteApplier::to_str(std::ostream& out) const
	381	{
	382	out << "rgw::auth::RemoteApplier(acct_user=" << info.acct_user
	383	<< ", acct_name=" << info.acct_name
	384	<< ", perm_mask=" << info.perm_mask
	385	<< ", is_admin=" << info.is_admin << ")";
	386	}
	387
28e407b8 AA	388	void rgw::auth::ImplicitTenants::recompute_value(const md_config_t *c)
	389	{
	390	std::string s = c->get_val<std::string>("rgw_keystone_implicit_tenants");
	391	int v = 0;
	392	if (boost::iequals(s, "both")
	393	\|\| boost::iequals(s, "true")
	394	\|\| boost::iequals(s, "1")) {
	395	v = IMPLICIT_TENANTS_S3\|IMPLICIT_TENANTS_SWIFT;
	396	} else if (boost::iequals(s, "0")
	397	\|\| boost::iequals(s, "none")
	398	\|\| boost::iequals(s, "false")) {
	399	v = 0;
	400	} else if (boost::iequals(s, "s3")) {
	401	v = IMPLICIT_TENANTS_S3;
	402	} else if (boost::iequals(s, "swift")) {
	403	v = IMPLICIT_TENANTS_SWIFT;
	404	} else { /* "" (and anything else) */
	405	v = IMPLICIT_TENANTS_BAD;
	406	// assert(0);
	407	}
	408	saved = v;
	409	}
	410
	411	const char **rgw::auth::ImplicitTenants::get_tracked_conf_keys() const
	412	{
	413	static const char *keys[] = {
	414	"rgw_keystone_implicit_tenants",
	415	NULL };
	416	return keys;
	417	}
	418
	419	void rgw::auth::ImplicitTenants::handle_conf_change(const struct md_config_t *c,
	420	const std::set <std::string> &changed)
	421	{
	422	if (changed.count("rgw_keystone_implicit_tenants")) {
	423	recompute_value(c);
	424	}
	425	}
	426
7c673cae	427	void rgw::auth::RemoteApplier::create_account(const rgw_user& acct_user,
28e407b8	428	bool implicit_tenant,
7c673cae FG	429	RGWUserInfo& user_info) const /* out */
	430	{
	431	rgw_user new_acct_user = acct_user;
	432
	433	if (info.acct_type) {
	434	//ldap/keystone for s3 users
	435	user_info.type = info.acct_type;
	436	}
	437
	438	/* An upper layer may enforce creating new accounts within their own
	439	* tenants. */
28e407b8	440	if (new_acct_user.tenant.empty() && implicit_tenant) {
7c673cae FG	441	new_acct_user.tenant = new_acct_user.id;
	442	}
	443
	444	user_info.user_id = new_acct_user;
	445	user_info.display_name = info.acct_name;
	446
	447	int ret = rgw_store_user_info(store, user_info, nullptr, nullptr,
	448	real_time(), true);
	449	if (ret < 0) {
	450	ldout(cct, 0) << "ERROR: failed to store new user info: user="
	451	<< user_info.user_id << " ret=" << ret << dendl;
	452	throw ret;
	453	}
	454	}
	455
	456	/* TODO(rzarzynski): we need to handle display_name changes. */
	457	void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const /* out */
	458	{
	459	/* It's supposed that RGWRemoteAuthApplier tries to load account info
	460	* that belongs to the authenticated identity. Another policy may be
	461	* applied by using a RGWThirdPartyAccountAuthApplier decorator. */
	462	const rgw_user& acct_user = info.acct_user;
28e407b8 AA	463	auto implicit_value = implicit_tenant_context.get_value();
	464	bool implicit_tenant = implicit_value.implicit_tenants_for_(implicit_tenant_bit);
	465	bool split_mode = implicit_value.is_split_mode();
7c673cae FG	466
	467	/* Normally, empty "tenant" field of acct_user means the authenticated
	468	* identity has the legacy, global tenant. However, due to inclusion
	469	* of multi-tenancy, we got some special compatibility kludge for remote
	470	* backends like Keystone.
	471	* If the global tenant is the requested one, we try the same tenant as
	472	* the user name first. If that RGWUserInfo exists, we use it. This way,
	473	* migrated OpenStack users can get their namespaced containers and nobody's
	474	* the wiser.
	475	* If that fails, we look up in the requested (possibly empty) tenant.
	476	* If that fails too, we create the account within the global or separated
28e407b8 AA	477	* namespace depending on rgw_keystone_implicit_tenants.
	478	* For compatibility with previous versions of ceph, it is possible
	479	* to enable implicit_tenants for only s3 or only swift.
	480	* in this mode ("split_mode"), we must constrain the id lookups to
	481	* only use the identifier space that would be used if the id were
	482	* to be created. */
	483
	484	if (split_mode && !implicit_tenant)
	485	; /* suppress lookup for id used by "other" protocol */
	486	else if (acct_user.tenant.empty()) {
7c673cae FG	487	const rgw_user tenanted_uid(acct_user.id, acct_user.id);
	488
	489	if (rgw_get_user_info_by_uid(store, tenanted_uid, user_info) >= 0) {
	490	/* Succeeded. */
	491	return;
	492	}
	493	}
	494
28e407b8 AA	495	if (split_mode && implicit_tenant)
	496	; /* suppress lookup for id used by "other" protocol */
	497	else if (rgw_get_user_info_by_uid(store, acct_user, user_info) >= 0) {
	498	/* Succeeded. */
	499	return;
7c673cae FG	500	}
7c673cae FG	501
28e407b8 AA	502	ldout(cct, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl;
	503	create_account(acct_user, implicit_tenant, user_info);
	504
7c673cae FG	505	/* Succeeded if we are here (create_account() hasn't throwed). */
	506	}
	507
	508
	509	/* rgw::auth::LocalApplier */
	510	/* static declaration */
	511	const std::string rgw::auth::LocalApplier::NO_SUBUSER;
	512
	513	uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
	514	{
	515	return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec);
	516	}
	517
	518	bool rgw::auth::LocalApplier::is_admin_of(const rgw_user& uid) const
	519	{
	520	return user_info.admin \|\| user_info.system;
	521	}
	522
	523	bool rgw::auth::LocalApplier::is_owner_of(const rgw_user& uid) const
	524	{
	525	return uid == user_info.user_id;
	526	}
	527
31f18b77 FG	528	bool rgw::auth::LocalApplier::is_identity(const idset_t& ids) const {
	529	for (auto& id : ids) {
	530	if (id.is_wildcard()) {
	531	return true;
	532	} else if (id.is_tenant() &&
	533	id.get_tenant() == user_info.user_id.tenant) {
	534	return true;
	535	} else if (id.is_user() &&
	536	(id.get_tenant() == user_info.user_id.tenant) &&
	537	(id.get_id() == user_info.user_id.id)) {
	538	return true;
	539	}
	540	}
	541	return false;
	542	}
	543
	544	void rgw::auth::LocalApplier::to_str(std::ostream& out) const {
7c673cae FG	545	out << "rgw::auth::LocalApplier(acct_user=" << user_info.user_id
	546	<< ", acct_name=" << user_info.display_name
	547	<< ", subuser=" << subuser
	548	<< ", perm_mask=" << get_perm_mask()
	549	<< ", is_admin=" << static_cast<bool>(user_info.admin) << ")";
	550	}
	551
	552	uint32_t rgw::auth::LocalApplier::get_perm_mask(const std::string& subuser_name,
	553	const RGWUserInfo &uinfo) const
	554	{
	555	if (! subuser_name.empty() && subuser_name != NO_SUBUSER) {
	556	const auto iter = uinfo.subusers.find(subuser_name);
	557
	558	if (iter != std::end(uinfo.subusers)) {
	559	return iter->second.perm_mask;
	560	} else {
	561	/* Subuser specified but not found. */
	562	return RGW_PERM_NONE;
	563	}
	564	} else {
	565	/* Due to backward compatibility. */
	566	return RGW_PERM_FULL_CONTROL;
	567	}
	568	}
	569
	570	void rgw::auth::LocalApplier::load_acct_info(RGWUserInfo& user_info) const /* out */
	571	{
	572	/* Load the account that belongs to the authenticated identity. An extra call
	573	* to RADOS may be safely skipped in this case. */
	574	user_info = this->user_info;
	575	}
	576
	577
	578	rgw::auth::Engine::result_t
	579	rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
	580	{
	581	if (! is_applicable(s)) {
31f18b77	582	return result_t::deny(-EPERM);
7c673cae FG	583	} else {
	584	RGWUserInfo user_info;
	585	rgw_get_anon_user(user_info);
	586
d2e6a577 FG	587	auto apl = \
	588	apl_factory->create_apl_local(cct, s, user_info,
	589	rgw::auth::LocalApplier::NO_SUBUSER);
7c673cae FG	590	return result_t::grant(std::move(apl));
	591	}
	592	}