]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_auth_filters.h
projects / ceph.git / blob
? search:


063208fc91209a665c18428bb30865eebb0dce2b
[ceph.git] / ceph / src / rgw / rgw_auth_filters.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #ifndef CEPH_RGW_AUTH_FILTERS_H
5 #define CEPH_RGW_AUTH_FILTERS_H
6
7 #include <type_traits>
8
9 #include <boost/logic/tribool.hpp>
10 #include <boost/optional.hpp>
11
12 #include "rgw_service.h"
13 #include "rgw_common.h"
14 #include "rgw_auth.h"
15 #include "rgw_user.h"
16
17 namespace rgw {
18 namespace auth {
19
20 /* Abstract decorator over any implementation of rgw::auth::IdentityApplier
21 * which could be provided both as a pointer-to-object or the object itself. */
22 template <typename DecorateeT>
23 class DecoratedApplier : public rgw::auth::IdentityApplier {
24 typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
25
26 static_assert(std::is_base_of<rgw::auth::IdentityApplier,
27 DerefedDecorateeT>::value,
28 "DecorateeT must be a subclass of rgw::auth::IdentityApplier");
29
30 DecorateeT decoratee;
31
32 /* There is an indirection layer over accessing decoratee to share the same
33 * code base between dynamic and static decorators. The difference is about
34 * what we store internally: pointer to a decorated object versus the whole
35 * object itself. Googling for "SFINAE" can help to understand the code. */
36 template <typename T = void,
37 typename std::enable_if<
38 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
39 DerefedDecorateeT& get_decoratee() {
40 return *decoratee;
41 }
42
43 template <typename T = void,
44 typename std::enable_if<
45 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
46 DerefedDecorateeT& get_decoratee() {
47 return decoratee;
48 }
49
50 template <typename T = void,
51 typename std::enable_if<
52 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
53 const DerefedDecorateeT& get_decoratee() const {
54 return *decoratee;
55 }
56
57 template <typename T = void,
58 typename std::enable_if<
59 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
60 const DerefedDecorateeT& get_decoratee() const {
61 return decoratee;
62 }
63
64 public:
65 explicit DecoratedApplier(DecorateeT&& decoratee)
66 : decoratee(std::forward<DecorateeT>(decoratee)) {
67 }
68
69 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
70 return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
71 }
72
73 bool is_admin_of(const rgw_user& uid) const override {
74 return get_decoratee().is_admin_of(uid);
75 }
76
77 bool is_owner_of(const rgw_user& uid) const override {
78 return get_decoratee().is_owner_of(uid);
79 }
80
81 bool is_anonymous() const override {
82 return get_decoratee().is_anonymous();
83 }
84
85 uint32_t get_perm_mask() const override {
86 return get_decoratee().get_perm_mask();
87 }
88
89 uint32_t get_identity_type() const override {
90 return get_decoratee().get_identity_type();
91 }
92
93 std::string get_acct_name() const override {
94 return get_decoratee().get_acct_name();
95 }
96
97 std::string get_subuser() const override {
98 return get_decoratee().get_subuser();
99 }
100
101 bool is_identity(
102 const boost::container::flat_set<Principal>& ids) const override {
103 return get_decoratee().is_identity(ids);
104 }
105
106 void to_str(std::ostream& out) const override {
107 get_decoratee().to_str(out);
108 }
109
110 std::string get_role_tenant() const override { /* in/out */
111 return get_decoratee().get_role_tenant();
112 }
113
114 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */
115 return get_decoratee().load_acct_info(dpp, user_info);
116 }
117
118 void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
119 return get_decoratee().modify_request_state(dpp, s);
120 }
121 };
122
123
124 template <typename T>
125 class ThirdPartyAccountApplier : public DecoratedApplier<T> {
126 rgw::sal::Store* store;
127 const rgw_user acct_user_override;
128
129 public:
130 /* A value representing situations where there is no requested account
131 * override. In other words, acct_user_override will be equal to this
132 * constant where the request isn't a cross-tenant one. */
133 static const rgw_user UNKNOWN_ACCT;
134
135 template <typename U>
136 ThirdPartyAccountApplier(rgw::sal::Store* store,
137 const rgw_user &acct_user_override,
138 U&& decoratee)
139 : DecoratedApplier<T>(std::move(decoratee)),
140 store(store),
141 acct_user_override(acct_user_override) {
142 }
143
144 void to_str(std::ostream& out) const override;
145 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
146 };
147
148 /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
149 * of the default construction. */
150 template <typename T>
151 const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
152
153 template <typename T>
154 void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
155 {
156 out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
157 << " -> ";
158 DecoratedApplier<T>::to_str(out);
159 }
160
161 template <typename T>
162 void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
163 {
164 if (UNKNOWN_ACCT == acct_user_override) {
165 /* There is no override specified by the upper layer. This means that we'll
166 * load the account owned by the authenticated identity (aka auth_user). */
167 DecoratedApplier<T>::load_acct_info(dpp, user_info);
168 } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
169 /* The override has been specified but the account belongs to the authenticated
170 * identity. We may safely forward the call to a next stage. */
171 DecoratedApplier<T>::load_acct_info(dpp, user_info);
172 } else if (this->is_anonymous()) {
173 /* If the user was authed by the anonymous engine then scope the ANON user
174 * to the correct tenant */
175 if (acct_user_override.tenant.empty())
176 user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
177 else
178 user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
179 } else {
180 /* Compatibility mechanism for multi-tenancy. For more details refer to
181 * load_acct_info method of rgw::auth::RemoteApplier. */
182 std::unique_ptr<rgw::sal::User> user;
183
184 if (acct_user_override.tenant.empty()) {
185 const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
186 user = store->get_user(tenanted_uid);
187
188 if (user->load_user(dpp, null_yield) >= 0) {
189 user_info = user->get_info();
190 /* Succeeded. */
191 return;
192 }
193 }
194
195 user = store->get_user(acct_user_override);
196 const int ret = user->load_user(dpp, null_yield);
197 if (ret < 0) {
198 /* We aren't trying to recover from ENOENT here. It's supposed that creating
199 * someone else's account isn't a thing we want to support in this filter. */
200 if (ret == -ENOENT) {
201 throw -EACCES;
202 } else {
203 throw ret;
204 }
205 }
206 user_info = user->get_info();
207 }
208 }
209
210 template <typename T> static inline
211 ThirdPartyAccountApplier<T> add_3rdparty(rgw::sal::Store* store,
212 const rgw_user &acct_user_override,
213 T&& t) {
214 return ThirdPartyAccountApplier<T>(store, acct_user_override,
215 std::forward<T>(t));
216 }
217
218
219 template <typename T>
220 class SysReqApplier : public DecoratedApplier<T> {
221 CephContext* const cct;
222 rgw::sal::Store* store;
223 const RGWHTTPArgs& args;
224 mutable boost::tribool is_system;
225
226 public:
227 template <typename U>
228 SysReqApplier(CephContext* const cct,
229 rgw::sal::Store* store,
230 const req_state* const s,
231 U&& decoratee)
232 : DecoratedApplier<T>(std::forward<T>(decoratee)),
233 cct(cct),
234 store(store),
235 args(s->info.args),
236 is_system(boost::logic::indeterminate) {
237 }
238
239 void to_str(std::ostream& out) const override;
240 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
241 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */
242 };
243
244 template <typename T>
245 void SysReqApplier<T>::to_str(std::ostream& out) const
246 {
247 out << "rgw::auth::SysReqApplier" << " -> ";
248 DecoratedApplier<T>::to_str(out);
249 }
250
251 template <typename T>
252 void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
253 {
254 DecoratedApplier<T>::load_acct_info(dpp, user_info);
255 is_system = user_info.system;
256
257 if (is_system) {
258 //ldpp_dout(dpp, 20) << "system request" << dendl;
259
260 rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
261 if (! effective_uid.empty()) {
262 /* We aren't writing directly to user_info for consistency and security
263 * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
264 * calls ::decode instead. */
265 std::unique_ptr<rgw::sal::User> user = store->get_user(effective_uid);
266 if (user->load_user(dpp, null_yield) < 0) {
267 //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
268 throw -EACCES;
269 }
270 user_info = user->get_info();
271 }
272 }
273 }
274
275 template <typename T>
276 void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
277 {
278 if (boost::logic::indeterminate(is_system)) {
279 RGWUserInfo unused_info;
280 load_acct_info(dpp, unused_info);
281 }
282
283 if (is_system) {
284 s->info.args.set_system();
285 s->system_request = true;
286 }
287 DecoratedApplier<T>::modify_request_state(dpp, s);
288 }
289
290 template <typename T> static inline
291 SysReqApplier<T> add_sysreq(CephContext* const cct,
292 rgw::sal::Store* store,
293 const req_state* const s,
294 T&& t) {
295 return SysReqApplier<T>(cct, store, s, std::forward<T>(t));
296 }
297
298 } /* namespace auth */
299 } /* namespace rgw */
300
301 #endif /* CEPH_RGW_AUTH_FILTERS_H */
Ceph