[ceph.git] / ceph / src / rgw / rgw_auth_s3.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#ifndef CEPH_RGW_AUTH_S3_H
#define CEPH_RGW_AUTH_S3_H

#include <array>
#include <memory>
#include <string>
#include <tuple>

#include <boost/algorithm/string.hpp>
#include <boost/container/static_vector.hpp>
#include <boost/utility/string_ref.hpp>
#include <boost/utility/string_view.hpp>

#include "common/sstring.hh"
#include "rgw_common.h"
#include "rgw_rest_s3.h"

#include "rgw_auth.h"
#include "rgw_auth_filters.h"
#include "rgw_auth_keystone.h"


namespace rgw {
namespace auth {
namespace s3 {

static constexpr auto RGW_AUTH_GRACE = std::chrono::minutes{15};

// returns true if the request time is within RGW_AUTH_GRACE of the current time
bool is_time_skew_ok(time_t t);

class ExternalAuthStrategy : public rgw::auth::Strategy,
                             public rgw::auth::RemoteApplier::Factory {
  typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
  RGWRados* const store;

  using keystone_config_t = rgw::keystone::CephCtxConfig;
  using keystone_cache_t = rgw::keystone::TokenCache;
  using EC2Engine = rgw::auth::keystone::EC2Engine;

  boost::optional <EC2Engine> keystone_engine;
  LDAPEngine ldap_engine;

  aplptr_t create_apl_remote(CephContext* const cct,
                             const req_state* const s,
                             rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg,
                             const rgw::auth::RemoteApplier::AuthInfo info
                            ) const override {
    auto apl = rgw::auth::add_sysreq(cct, store, s,
      rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info,
                               cct->_conf->rgw_keystone_implicit_tenants));
    /* TODO(rzarzynski): replace with static_ptr. */
    return aplptr_t(new decltype(apl)(std::move(apl)));
  }

public:
  ExternalAuthStrategy(CephContext* const cct,
                       RGWRados* const store,
                       AWSEngine::VersionAbstractor* const ver_abstractor)
    : store(store),
      ldap_engine(cct, store, *ver_abstractor,
                  static_cast<rgw::auth::RemoteApplier::Factory*>(this)) {

    if (cct->_conf->rgw_s3_auth_use_keystone &&
        ! cct->_conf->rgw_keystone_url.empty()) {

      keystone_engine.emplace(cct, ver_abstractor,
                              static_cast<rgw::auth::RemoteApplier::Factory*>(this),
                              keystone_config_t::get_instance(),
                              keystone_cache_t::get_instance<keystone_config_t>());
      add_engine(Control::SUFFICIENT, *keystone_engine);

    }

    if (cct->_conf->rgw_s3_auth_use_ldap &&
        ! cct->_conf->rgw_ldap_uri.empty()) {
      add_engine(Control::SUFFICIENT, ldap_engine);
    }
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::s3::AWSv2ExternalAuthStrategy";
  }
};


template <class AbstractorT,
          bool AllowAnonAccessT = false>
class AWSAuthStrategy : public rgw::auth::Strategy,
                        public rgw::auth::LocalApplier::Factory {
  typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;

  static_assert(std::is_base_of<rgw::auth::s3::AWSEngine::VersionAbstractor,
                                AbstractorT>::value,
                "AbstractorT must be a subclass of rgw::auth::s3::VersionAbstractor");

  RGWRados* const store;
  AbstractorT ver_abstractor;

  S3AnonymousEngine anonymous_engine;
  ExternalAuthStrategy external_engines;
  LocalEngine local_engine;

  aplptr_t create_apl_local(CephContext* const cct,
                            const req_state* const s,
                            const RGWUserInfo& user_info,
                            const std::string& subuser) const override {
    auto apl = rgw::auth::add_sysreq(cct, store, s,
      rgw::auth::LocalApplier(cct, user_info, subuser));
    /* TODO(rzarzynski): replace with static_ptr. */
    return aplptr_t(new decltype(apl)(std::move(apl)));
  }

public:
  AWSAuthStrategy(CephContext* const cct,
                  RGWRados* const store)
    : store(store),
      ver_abstractor(cct),
      anonymous_engine(cct,
                       static_cast<rgw::auth::LocalApplier::Factory*>(this)),
      external_engines(cct, store, &ver_abstractor),
      local_engine(cct, store, ver_abstractor,
                   static_cast<rgw::auth::LocalApplier::Factory*>(this)) {
    /* The anynoymous auth. */
    if (AllowAnonAccessT) {
      add_engine(Control::SUFFICIENT, anonymous_engine);
    }

    /* The external auth. */
    Control local_engine_mode;
    if (! external_engines.is_empty()) {
      add_engine(Control::SUFFICIENT, external_engines);

      local_engine_mode = Control::FALLBACK;
    } else {
      local_engine_mode = Control::SUFFICIENT;
    }

    /* The local auth. */
    if (cct->_conf->rgw_s3_auth_use_rados) {
      add_engine(local_engine_mode, local_engine);
    }
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::s3::AWSAuthStrategy";
  }
};


class AWSv4ComplMulti : public rgw::auth::Completer,
                        public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
                        public std::enable_shared_from_this<AWSv4ComplMulti> {
  using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;
  using signing_key_t = std::array<unsigned char,
                                   CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>;

  CephContext* const cct;

  const boost::string_view date;
  const boost::string_view credential_scope;
  const signing_key_t signing_key;

  class ChunkMeta {
    size_t data_offset_in_stream = 0;
    size_t data_length = 0;
    std::string signature;

    ChunkMeta(const size_t data_starts_in_stream,
              const size_t data_length,
              const boost::string_ref signature)
      : data_offset_in_stream(data_starts_in_stream),
        data_length(data_length),
        signature(signature.to_string()) {
    }

    ChunkMeta(const boost::string_view& signature)
      : signature(signature.to_string()) {
    }

  public:
    static constexpr size_t SIG_SIZE = 64;

    /* Let's suppose the data length fields can't exceed uint64_t. */
    static constexpr size_t META_MAX_SIZE = \
      sarrlen("\r\nffffffffffffffff;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");

    /* The metadata size of for the last, empty chunk. */
    static constexpr size_t META_MIN_SIZE = \
      sarrlen("0;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");

    /* Detect whether a given stream_pos fits in boundaries of a chunk. */
    bool is_new_chunk_in_stream(size_t stream_pos) const;

    /* Get the remaining data size. */
    size_t get_data_size(size_t stream_pos) const;

    const std::string& get_signature() const {
      return signature;
    }

    /* Factory: create an object representing metadata of first, initial chunk
     * in a stream. */
    static ChunkMeta create_first(const boost::string_view& seed_signature) {
      return ChunkMeta(seed_signature);
    }

    /* Factory: parse a block of META_MAX_SIZE bytes and creates an object
     * representing non-first chunk in a stream. As the process is sequential
     * and depends on the previous chunk, caller must pass it. */
    static std::pair<ChunkMeta, size_t> create_next(CephContext* cct,
                                                    ChunkMeta&& prev,
                                                    const char* metabuf,
                                                    size_t metabuf_len);
  } chunk_meta;

  size_t stream_pos;
  boost::container::static_vector<char, ChunkMeta::META_MAX_SIZE> parsing_buf;
  ceph::crypto::SHA256* sha256_hash;
  std::string prev_chunk_signature;

  bool is_signature_mismatched();
  std::string calc_chunk_signature(const std::string& payload_hash) const;

public:
  /* We need the constructor to be public because of the std::make_shared that
   * is employed by the create() method. */
  AWSv4ComplMulti(const req_state* const s,
                  boost::string_view date,
                  boost::string_view credential_scope,
                  boost::string_view seed_signature,
                  const signing_key_t& signing_key)
    : io_base_t(nullptr),
      cct(s->cct),
      date(std::move(date)),
      credential_scope(std::move(credential_scope)),
      signing_key(signing_key),

      /* The evolving state. */
      chunk_meta(ChunkMeta::create_first(seed_signature)),
      stream_pos(0),
      sha256_hash(calc_hash_sha256_open_stream()),
      prev_chunk_signature(std::move(seed_signature)) {
  }

  ~AWSv4ComplMulti() {
    if (sha256_hash) {
      calc_hash_sha256_close_stream(&sha256_hash);
    }
  }

  /* rgw::io::DecoratedRestfulClient. */
  size_t recv_body(char* buf, size_t max) override;

  /* rgw::auth::Completer. */
  void modify_request_state(req_state* s_rw) override;
  bool complete() override;

  /* Factories. */
  static cmplptr_t create(const req_state* s,
                          boost::string_view date,
                          boost::string_view credential_scope,
                          boost::string_view seed_signature,
                          const boost::optional<std::string>& secret_key);

};

class AWSv4ComplSingle : public rgw::auth::Completer,
                         public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
                         public std::enable_shared_from_this<AWSv4ComplSingle> {
  using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;

  CephContext* const cct;
  const char* const expected_request_payload_hash;
  ceph::crypto::SHA256* sha256_hash = nullptr;

public:
  /* Defined in rgw_auth_s3.cc because of get_v4_exp_payload_hash(). We need
   * the constructor to be public because of the std::make_shared employed by
   * the create() method. */
  AWSv4ComplSingle(const req_state* const s);

  ~AWSv4ComplSingle() {
    if (sha256_hash) {
      calc_hash_sha256_close_stream(&sha256_hash);
    }
  }

  /* rgw::io::DecoratedRestfulClient. */
  size_t recv_body(char* buf, size_t max) override;

  /* rgw::auth::Completer. */
  void modify_request_state(req_state* s_rw) override;
  bool complete() override;

  /* Factories. */
  static cmplptr_t create(const req_state* s,
                          const boost::optional<std::string>&);

};

} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */

void rgw_create_s3_canonical_header(
  const char *method,
  const char *content_md5,
  const char *content_type,
  const char *date,
  const std::map<std::string, std::string>& meta_map,
  const char *request_uri,
  const std::map<std::string, std::string>& sub_resources,
  std::string& dest_str);
bool rgw_create_s3_canonical_header(const req_info& info,
                                    utime_t *header_time,       /* out */
                                    std::string& dest,          /* out */
                                    bool qsr);
static inline std::tuple<bool, std::string, utime_t>
rgw_create_s3_canonical_header(const req_info& info, const bool qsr) {
  std::string dest;
  utime_t header_time;

  const bool ok = rgw_create_s3_canonical_header(info, &header_time, dest, qsr);
  return std::make_tuple(ok, dest, header_time);
}

namespace rgw {
namespace auth {
namespace s3 {

static constexpr char AWS4_HMAC_SHA256_STR[] = "AWS4-HMAC-SHA256";
static constexpr char AWS4_HMAC_SHA256_PAYLOAD_STR[] = "AWS4-HMAC-SHA256-PAYLOAD";

static constexpr char AWS4_EMPTY_PAYLOAD_HASH[] = \
  "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

static constexpr char AWS4_UNSIGNED_PAYLOAD_HASH[] = "UNSIGNED-PAYLOAD";

static constexpr char AWS4_STREAMING_PAYLOAD_HASH[] = \
  "STREAMING-AWS4-HMAC-SHA256-PAYLOAD";

int parse_credentials(const req_info& info,                     /* in */
                      boost::string_view& access_key_id,        /* out */
                      boost::string_view& credential_scope,     /* out */
                      boost::string_view& signedheaders,        /* out */
                      boost::string_view& signature,            /* out */
                      boost::string_view& date,                 /* out */
                      bool& using_qs);                          /* out */

static inline std::string get_v4_canonical_uri(const req_info& info) {
  /* The code should normalize according to RFC 3986 but S3 does NOT do path
   * normalization that SigV4 typically does. This code follows the same
   * approach that boto library. See auth.py:canonical_uri(...). */

  std::string canonical_uri = info.request_uri_aws4;

  if (canonical_uri.empty()) {
    canonical_uri = "/";
  } else {
    boost::replace_all(canonical_uri, "+", "%20");
  }

  return canonical_uri;
}

static inline const char* get_v4_exp_payload_hash(const req_info& info)
{
  /* In AWSv4 the hash of real, transfered payload IS NOT necessary to form
   * a Canonical Request, and thus verify a Signature. x-amz-content-sha256
   * header lets get the information very early -- before seeing first byte
   * of HTTP body. As a consequence, we can decouple Signature verification
   * from payload's fingerprint check. */
  const char *expected_request_payload_hash = \
    info.env->get("HTTP_X_AMZ_CONTENT_SHA256");

  if (!expected_request_payload_hash) {
    /* An HTTP client MUST send x-amz-content-sha256. The single exception
     * is the case of using the Query Parameters where "UNSIGNED-PAYLOAD"
     * literals are used for crafting Canonical Request:
     *
     *  You don't include a payload hash in the Canonical Request, because
     *  when you create a presigned URL, you don't know the payload content
     *  because the URL is used to upload an arbitrary payload. Instead, you
     *  use a constant string UNSIGNED-PAYLOAD. */
    expected_request_payload_hash = AWS4_UNSIGNED_PAYLOAD_HASH;
  }

  return expected_request_payload_hash;
}

static inline bool is_v4_payload_unsigned(const char* const exp_payload_hash)
{
  return boost::equals(exp_payload_hash, AWS4_UNSIGNED_PAYLOAD_HASH);
}

static inline bool is_v4_payload_empty(const req_state* const s)
{
  /* from rfc2616 - 4.3 Message Body
   *
   * "The presence of a message-body in a request is signaled by the inclusion
   * of a Content-Length or Transfer-Encoding header field in the request's
   * message-headers." */
  return s->content_length == 0 &&
         s->info.env->get("HTTP_TRANSFER_ENCODING") == nullptr;
}

static inline bool is_v4_payload_streamed(const char* const exp_payload_hash)
{
  return boost::equals(exp_payload_hash, AWS4_STREAMING_PAYLOAD_HASH);
}

std::string get_v4_canonical_qs(const req_info& info, bool using_qs);

boost::optional<std::string>
get_v4_canonical_headers(const req_info& info,
                         const boost::string_view& signedheaders,
                         bool using_qs,
                         bool force_boto2_compat);

extern sha256_digest_t
get_v4_canon_req_hash(CephContext* cct,
                      const boost::string_view& http_verb,
                      const std::string& canonical_uri,
                      const std::string& canonical_qs,
                      const std::string& canonical_hdrs,
                      const boost::string_view& signed_hdrs,
                      const boost::string_view& request_payload_hash);

AWSEngine::VersionAbstractor::string_to_sign_t
get_v4_string_to_sign(CephContext* cct,
                      const boost::string_view& algorithm,
                      const boost::string_view& request_date,
                      const boost::string_view& credential_scope,
                      const sha256_digest_t& canonreq_hash);

extern AWSEngine::VersionAbstractor::server_signature_t
get_v4_signature(const boost::string_view& credential_scope,
                 CephContext* const cct,
                 const boost::string_view& secret_key,
                 const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);

extern AWSEngine::VersionAbstractor::server_signature_t
get_v2_signature(CephContext*,
                 const std::string& secret_key,
                 const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);

} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */

#endif
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	#ifndef CEPH_RGW_AUTH_S3_H
	5	#define CEPH_RGW_AUTH_S3_H
	6
31f18b77 FG	7	#include <array>
31f18b77 FG	8	#include <memory>
7c673cae FG	9	#include <string>
	10	#include <tuple>
	11
31f18b77 FG	12	#include <boost/algorithm/string.hpp>
	13	#include <boost/container/static_vector.hpp>
	14	#include <boost/utility/string_ref.hpp>
	15	#include <boost/utility/string_view.hpp>
	16
	17	#include "common/sstring.hh"
7c673cae FG	18	#include "rgw_common.h"
	19	#include "rgw_rest_s3.h"
	20
	21	#include "rgw_auth.h"
	22	#include "rgw_auth_filters.h"
	23	#include "rgw_auth_keystone.h"
	24
	25
	26	namespace rgw {
	27	namespace auth {
	28	namespace s3 {
	29
94b18763 FG	30	static constexpr auto RGW_AUTH_GRACE = std::chrono::minutes{15};
	31
	32	// returns true if the request time is within RGW_AUTH_GRACE of the current time
	33	bool is_time_skew_ok(time_t t);
	34
7c673cae FG	35	class ExternalAuthStrategy : public rgw::auth::Strategy,
	36	public rgw::auth::RemoteApplier::Factory {
	37	typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
	38	RGWRados* const store;
	39
	40	using keystone_config_t = rgw::keystone::CephCtxConfig;
	41	using keystone_cache_t = rgw::keystone::TokenCache;
	42	using EC2Engine = rgw::auth::keystone::EC2Engine;
	43
3efd9988	44	boost::optional <EC2Engine> keystone_engine;
7c673cae FG	45	LDAPEngine ldap_engine;
	46
	47	aplptr_t create_apl_remote(CephContext* const cct,
	48	const req_state* const s,
	49	rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg,
	50	const rgw::auth::RemoteApplier::AuthInfo info
	51	) const override {
	52	auto apl = rgw::auth::add_sysreq(cct, store, s,
	53	rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info,
224ce89b	54	cct->_conf->rgw_keystone_implicit_tenants));
7c673cae FG	55	/* TODO(rzarzynski): replace with static_ptr. */
	56	return aplptr_t(new decltype(apl)(std::move(apl)));
	57	}
	58
	59	public:
	60	ExternalAuthStrategy(CephContext* const cct,
	61	RGWRados* const store,
31f18b77	62	AWSEngine::VersionAbstractor* const ver_abstractor)
7c673cae	63	: store(store),
31f18b77	64	ldap_engine(cct, store, *ver_abstractor,
7c673cae FG	65	static_cast<rgw::auth::RemoteApplier::Factory*>(this)) {
	66
	67	if (cct->_conf->rgw_s3_auth_use_keystone &&
	68	! cct->_conf->rgw_keystone_url.empty()) {
3efd9988 FG	69
	70	keystone_engine.emplace(cct, ver_abstractor,
	71	static_cast<rgw::auth::RemoteApplier::Factory*>(this),
	72	keystone_config_t::get_instance(),
	73	keystone_cache_t::get_instance<keystone_config_t>());
	74	add_engine(Control::SUFFICIENT, *keystone_engine);
	75
7c673cae FG	76	}
	77
	78	if (cct->_conf->rgw_s3_auth_use_ldap &&
	79	! cct->_conf->rgw_ldap_uri.empty()) {
	80	add_engine(Control::SUFFICIENT, ldap_engine);
	81	}
	82	}
	83
	84	const char* get_name() const noexcept override {
	85	return "rgw::auth::s3::AWSv2ExternalAuthStrategy";
	86	}
	87	};
	88
	89
d2e6a577 FG	90	template <class AbstractorT,
d2e6a577 FG	91	bool AllowAnonAccessT = false>
31f18b77 FG	92	class AWSAuthStrategy : public rgw::auth::Strategy,
31f18b77 FG	93	public rgw::auth::LocalApplier::Factory {
7c673cae FG	94	typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
7c673cae FG	95
31f18b77 FG	96	static_assert(std::is_base_of<rgw::auth::s3::AWSEngine::VersionAbstractor,
	97	AbstractorT>::value,
	98	"AbstractorT must be a subclass of rgw::auth::s3::VersionAbstractor");
7c673cae FG	99
7c673cae FG	100	RGWRados* const store;
31f18b77	101	AbstractorT ver_abstractor;
7c673cae	102
d2e6a577	103	S3AnonymousEngine anonymous_engine;
7c673cae	104	ExternalAuthStrategy external_engines;
31f18b77	105	LocalEngine local_engine;
7c673cae FG	106
	107	aplptr_t create_apl_local(CephContext* const cct,
	108	const req_state* const s,
	109	const RGWUserInfo& user_info,
	110	const std::string& subuser) const override {
	111	auto apl = rgw::auth::add_sysreq(cct, store, s,
	112	rgw::auth::LocalApplier(cct, user_info, subuser));
	113	/* TODO(rzarzynski): replace with static_ptr. */
	114	return aplptr_t(new decltype(apl)(std::move(apl)));
	115	}
	116
	117	public:
31f18b77 FG	118	AWSAuthStrategy(CephContext* const cct,
31f18b77 FG	119	RGWRados* const store)
7c673cae	120	: store(store),
31f18b77	121	ver_abstractor(cct),
d2e6a577 FG	122	anonymous_engine(cct,
d2e6a577 FG	123	static_cast<rgw::auth::LocalApplier::Factory*>(this)),
31f18b77 FG	124	external_engines(cct, store, &ver_abstractor),
31f18b77 FG	125	local_engine(cct, store, ver_abstractor,
7c673cae	126	static_cast<rgw::auth::LocalApplier::Factory*>(this)) {
d2e6a577 FG	127	/* The anynoymous auth. */
	128	if (AllowAnonAccessT) {
	129	add_engine(Control::SUFFICIENT, anonymous_engine);
	130	}
7c673cae	131
d2e6a577	132	/* The external auth. */
7c673cae FG	133	Control local_engine_mode;
	134	if (! external_engines.is_empty()) {
	135	add_engine(Control::SUFFICIENT, external_engines);
	136
	137	local_engine_mode = Control::FALLBACK;
	138	} else {
	139	local_engine_mode = Control::SUFFICIENT;
	140	}
	141
d2e6a577	142	/* The local auth. */
7c673cae FG	143	if (cct->_conf->rgw_s3_auth_use_rados) {
	144	add_engine(local_engine_mode, local_engine);
	145	}
	146	}
	147
	148	const char* get_name() const noexcept override {
31f18b77	149	return "rgw::auth::s3::AWSAuthStrategy";
7c673cae FG	150	}
	151	};
	152
31f18b77 FG	153
	154	class AWSv4ComplMulti : public rgw::auth::Completer,
	155	public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
	156	public std::enable_shared_from_this<AWSv4ComplMulti> {
	157	using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;
	158	using signing_key_t = std::array<unsigned char,
	159	CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>;
	160
	161	CephContext* const cct;
	162
	163	const boost::string_view date;
	164	const boost::string_view credential_scope;
	165	const signing_key_t signing_key;
	166
	167	class ChunkMeta {
	168	size_t data_offset_in_stream = 0;
	169	size_t data_length = 0;
	170	std::string signature;
	171
	172	ChunkMeta(const size_t data_starts_in_stream,
	173	const size_t data_length,
	174	const boost::string_ref signature)
	175	: data_offset_in_stream(data_starts_in_stream),
	176	data_length(data_length),
	177	signature(signature.to_string()) {
	178	}
	179
	180	ChunkMeta(const boost::string_view& signature)
	181	: signature(signature.to_string()) {
	182	}
	183
	184	public:
	185	static constexpr size_t SIG_SIZE = 64;
	186
	187	/* Let's suppose the data length fields can't exceed uint64_t. */
	188	static constexpr size_t META_MAX_SIZE = \
	189	sarrlen("\r\nffffffffffffffff;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");
	190
	191	/* The metadata size of for the last, empty chunk. */
	192	static constexpr size_t META_MIN_SIZE = \
	193	sarrlen("0;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");
	194
	195	/* Detect whether a given stream_pos fits in boundaries of a chunk. */
	196	bool is_new_chunk_in_stream(size_t stream_pos) const;
	197
	198	/* Get the remaining data size. */
	199	size_t get_data_size(size_t stream_pos) const;
	200
	201	const std::string& get_signature() const {
	202	return signature;
	203	}
	204
	205	/* Factory: create an object representing metadata of first, initial chunk
	206	* in a stream. */
	207	static ChunkMeta create_first(const boost::string_view& seed_signature) {
	208	return ChunkMeta(seed_signature);
	209	}
	210
	211	/* Factory: parse a block of META_MAX_SIZE bytes and creates an object
	212	* representing non-first chunk in a stream. As the process is sequential
	213	* and depends on the previous chunk, caller must pass it. */
	214	static std::pair<ChunkMeta, size_t> create_next(CephContext* cct,
	215	ChunkMeta&& prev,
	216	const char* metabuf,
217	size_t metabuf_len);
218	} chunk_meta;
219
220	size_t stream_pos;
221	boost::container::static_vector<char, ChunkMeta::META_MAX_SIZE> parsing_buf;
222	ceph::crypto::SHA256* sha256_hash;
223	std::string prev_chunk_signature;
224
225	bool is_signature_mismatched();
226	std::string calc_chunk_signature(const std::string& payload_hash) const;
227
228	public:
229	/* We need the constructor to be public because of the std::make_shared that
230	* is employed by the create() method. */
231	AWSv4ComplMulti(const req_state* const s,
232	boost::string_view date,
233	boost::string_view credential_scope,
234	boost::string_view seed_signature,
235	const signing_key_t& signing_key)
236	: io_base_t(nullptr),
237	cct(s->cct),
238	date(std::move(date)),
239	credential_scope(std::move(credential_scope)),
240	signing_key(signing_key),
241
242	/* The evolving state. */
243	chunk_meta(ChunkMeta::create_first(seed_signature)),
244	stream_pos(0),
245	sha256_hash(calc_hash_sha256_open_stream()),
246	prev_chunk_signature(std::move(seed_signature)) {
247	}
248
249	~AWSv4ComplMulti() {
250	if (sha256_hash) {
251	calc_hash_sha256_close_stream(&sha256_hash);
252	}
253	}
254
255	/* rgw::io::DecoratedRestfulClient. */
256	size_t recv_body(char* buf, size_t max) override;
257
258	/* rgw::auth::Completer. */
259	void modify_request_state(req_state* s_rw) override;
260	bool complete() override;
261
262	/* Factories. */
263	static cmplptr_t create(const req_state* s,
264	boost::string_view date,
265	boost::string_view credential_scope,
266	boost::string_view seed_signature,
267	const boost::optional<std::string>& secret_key);
268
269	};
270
271	class AWSv4ComplSingle : public rgw::auth::Completer,
272	public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
273	public std::enable_shared_from_this<AWSv4ComplSingle> {
274	using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;
275
276	CephContext* const cct;
277	const char* const expected_request_payload_hash;
278	ceph::crypto::SHA256* sha256_hash = nullptr;
279
280	public:
281	/* Defined in rgw_auth_s3.cc because of get_v4_exp_payload_hash(). We need
282	* the constructor to be public because of the std::make_shared employed by
283	* the create() method. */
284	AWSv4ComplSingle(const req_state* const s);
285
286	~AWSv4ComplSingle() {
287	if (sha256_hash) {
288	calc_hash_sha256_close_stream(&sha256_hash);
289	}
290	}
291
292	/* rgw::io::DecoratedRestfulClient. */
293	size_t recv_body(char* buf, size_t max) override;
294
295	/* rgw::auth::Completer. */
296	void modify_request_state(req_state* s_rw) override;
297	bool complete() override;
298
299	/* Factories. */
300	static cmplptr_t create(const req_state* s,
301	const boost::optional<std::string>&);
302
303	};
304
7c673cae FG	305	} /* namespace s3 */
	306	} /* namespace auth */
	307	} /* namespace rgw */
	308
	309	void rgw_create_s3_canonical_header(
	310	const char *method,
	311	const char *content_md5,
	312	const char *content_type,
	313	const char *date,
	314	const std::map<std::string, std::string>& meta_map,
	315	const char *request_uri,
	316	const std::map<std::string, std::string>& sub_resources,
	317	std::string& dest_str);
	318	bool rgw_create_s3_canonical_header(const req_info& info,
	319	utime_t header_time, / out */
	320	std::string& dest, /* out */
	321	bool qsr);
	322	static inline std::tuple<bool, std::string, utime_t>
	323	rgw_create_s3_canonical_header(const req_info& info, const bool qsr) {
	324	std::string dest;
	325	utime_t header_time;
	326
	327	const bool ok = rgw_create_s3_canonical_header(info, &header_time, dest, qsr);
	328	return std::make_tuple(ok, dest, header_time);
	329	}
	330
31f18b77 FG	331	namespace rgw {
	332	namespace auth {
	333	namespace s3 {
	334
	335	static constexpr char AWS4_HMAC_SHA256_STR[] = "AWS4-HMAC-SHA256";
224ce89b	336	static constexpr char AWS4_HMAC_SHA256_PAYLOAD_STR[] = "AWS4-HMAC-SHA256-PAYLOAD";
31f18b77 FG	337
	338	static constexpr char AWS4_EMPTY_PAYLOAD_HASH[] = \
	339	"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
	340
	341	static constexpr char AWS4_UNSIGNED_PAYLOAD_HASH[] = "UNSIGNED-PAYLOAD";
	342
	343	static constexpr char AWS4_STREAMING_PAYLOAD_HASH[] = \
	344	"STREAMING-AWS4-HMAC-SHA256-PAYLOAD";
	345
	346	int parse_credentials(const req_info& info, /* in */
	347	boost::string_view& access_key_id, /* out */
	348	boost::string_view& credential_scope, /* out */
	349	boost::string_view& signedheaders, /* out */
	350	boost::string_view& signature, /* out */
	351	boost::string_view& date, /* out */
	352	bool& using_qs); /* out */
	353
	354	static inline std::string get_v4_canonical_uri(const req_info& info) {
	355	/* The code should normalize according to RFC 3986 but S3 does NOT do path
	356	* normalization that SigV4 typically does. This code follows the same
	357	* approach that boto library. See auth.py:canonical_uri(...). */
	358
	359	std::string canonical_uri = info.request_uri_aws4;
	360
	361	if (canonical_uri.empty()) {
	362	canonical_uri = "/";
	363	} else {
	364	boost::replace_all(canonical_uri, "+", "%20");
	365	}
	366
	367	return canonical_uri;
	368	}
	369
	370	static inline const char* get_v4_exp_payload_hash(const req_info& info)
	371	{
	372	/* In AWSv4 the hash of real, transfered payload IS NOT necessary to form
	373	* a Canonical Request, and thus verify a Signature. x-amz-content-sha256
	374	* header lets get the information very early -- before seeing first byte
	375	* of HTTP body. As a consequence, we can decouple Signature verification
	376	* from payload's fingerprint check. */
	377	const char *expected_request_payload_hash = \
	378	info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
	379
	380	if (!expected_request_payload_hash) {
	381	/* An HTTP client MUST send x-amz-content-sha256. The single exception
	382	* is the case of using the Query Parameters where "UNSIGNED-PAYLOAD"
	383	* literals are used for crafting Canonical Request:
	384	*
	385	* You don't include a payload hash in the Canonical Request, because
	386	* when you create a presigned URL, you don't know the payload content
	387	* because the URL is used to upload an arbitrary payload. Instead, you
	388	* use a constant string UNSIGNED-PAYLOAD. */
	389	expected_request_payload_hash = AWS4_UNSIGNED_PAYLOAD_HASH;
	390	}
	391
	392	return expected_request_payload_hash;
	393	}
	394
	395	static inline bool is_v4_payload_unsigned(const char* const exp_payload_hash)
	396	{
	397	return boost::equals(exp_payload_hash, AWS4_UNSIGNED_PAYLOAD_HASH);
	398	}
	399
	400	static inline bool is_v4_payload_empty(const req_state* const s)
401	{
402	/* from rfc2616 - 4.3 Message Body
403	*
404	* "The presence of a message-body in a request is signaled by the inclusion
405	* of a Content-Length or Transfer-Encoding header field in the request's
406	* message-headers." */
407	return s->content_length == 0 &&
408	s->info.env->get("HTTP_TRANSFER_ENCODING") == nullptr;
409	}
410
411	static inline bool is_v4_payload_streamed(const char* const exp_payload_hash)
412	{
413	return boost::equals(exp_payload_hash, AWS4_STREAMING_PAYLOAD_HASH);
414	}
415
416	std::string get_v4_canonical_qs(const req_info& info, bool using_qs);
417
418	boost::optional<std::string>
419	get_v4_canonical_headers(const req_info& info,
420	const boost::string_view& signedheaders,
421	bool using_qs,
422	bool force_boto2_compat);
423
424	extern sha256_digest_t
425	get_v4_canon_req_hash(CephContext* cct,
426	const boost::string_view& http_verb,
427	const std::string& canonical_uri,
428	const std::string& canonical_qs,
429	const std::string& canonical_hdrs,
430	const boost::string_view& signed_hdrs,
431	const boost::string_view& request_payload_hash);
432
433	AWSEngine::VersionAbstractor::string_to_sign_t
434	get_v4_string_to_sign(CephContext* cct,
435	const boost::string_view& algorithm,
436	const boost::string_view& request_date,
437	const boost::string_view& credential_scope,
438	const sha256_digest_t& canonreq_hash);
439
440	extern AWSEngine::VersionAbstractor::server_signature_t
441	get_v4_signature(const boost::string_view& credential_scope,
442	CephContext* const cct,
443	const boost::string_view& secret_key,
444	const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
445
446	extern AWSEngine::VersionAbstractor::server_signature_t
447	get_v2_signature(CephContext*,
448	const std::string& secret_key,
449	const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
450
451	} /* namespace s3 */
452	} /* namespace auth */
453	} /* namespace rgw */
7c673cae FG	454
7c673cae FG	455	#endif