]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_auth_filters.h
projects / ceph.git / blob
? search:


fbd80e3b90be520d5ccb8350c8c5d1f3e4b860a5
[ceph.git] / ceph / src / rgw / rgw_auth_filters.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #ifndef CEPH_RGW_AUTH_FILTERS_H
5 #define CEPH_RGW_AUTH_FILTERS_H
6
7 #include <type_traits>
8
9 #include <boost/logic/tribool.hpp>
10 #include <boost/optional.hpp>
11
12 #include "rgw_service.h"
13 #include "rgw_common.h"
14 #include "rgw_auth.h"
15 #include "rgw_user.h"
16
17 namespace rgw {
18 namespace auth {
19
20 /* Abstract decorator over any implementation of rgw::auth::IdentityApplier
21 * which could be provided both as a pointer-to-object or the object itself. */
22 template <typename DecorateeT>
23 class DecoratedApplier : public rgw::auth::IdentityApplier {
24 typedef typename std::remove_pointer<DecorateeT>::type DerefedDecorateeT;
25
26 static_assert(std::is_base_of<rgw::auth::IdentityApplier,
27 DerefedDecorateeT>::value,
28 "DecorateeT must be a subclass of rgw::auth::IdentityApplier");
29
30 DecorateeT decoratee;
31
32 /* There is an indirection layer over accessing decoratee to share the same
33 * code base between dynamic and static decorators. The difference is about
34 * what we store internally: pointer to a decorated object versus the whole
35 * object itself. Googling for "SFINAE" can help to understand the code. */
36 template <typename T = void,
37 typename std::enable_if<
38 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
39 DerefedDecorateeT& get_decoratee() {
40 return *decoratee;
41 }
42
43 template <typename T = void,
44 typename std::enable_if<
45 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
46 DerefedDecorateeT& get_decoratee() {
47 return decoratee;
48 }
49
50 template <typename T = void,
51 typename std::enable_if<
52 std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
53 const DerefedDecorateeT& get_decoratee() const {
54 return *decoratee;
55 }
56
57 template <typename T = void,
58 typename std::enable_if<
59 ! std::is_pointer<DecorateeT>::value, T>::type* = nullptr>
60 const DerefedDecorateeT& get_decoratee() const {
61 return decoratee;
62 }
63
64 public:
65 explicit DecoratedApplier(DecorateeT&& decoratee)
66 : decoratee(std::forward<DecorateeT>(decoratee)) {
67 }
68
69 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
70 return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
71 }
72
73 bool is_admin_of(const rgw_user& uid) const override {
74 return get_decoratee().is_admin_of(uid);
75 }
76
77 bool is_owner_of(const rgw_user& uid) const override {
78 return get_decoratee().is_owner_of(uid);
79 }
80
81 bool is_anonymous() const override {
82 return get_decoratee().is_anonymous();
83 }
84
85 uint32_t get_perm_mask() const override {
86 return get_decoratee().get_perm_mask();
87 }
88
89 uint32_t get_identity_type() const override {
90 return get_decoratee().get_identity_type();
91 }
92
93 string get_acct_name() const override {
94 return get_decoratee().get_acct_name();
95 }
96
97 string get_subuser() const override {
98 return get_decoratee().get_subuser();
99 }
100
101 bool is_identity(
102 const boost::container::flat_set<Principal>& ids) const override {
103 return get_decoratee().is_identity(ids);
104 }
105
106 void to_str(std::ostream& out) const override {
107 get_decoratee().to_str(out);
108 }
109
110 string get_role_tenant() const override { /* in/out */
111 return get_decoratee().get_role_tenant();
112 }
113
114 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */
115 return get_decoratee().load_acct_info(dpp, user_info);
116 }
117
118 void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
119 return get_decoratee().modify_request_state(dpp, s);
120 }
121 };
122
123
124 template <typename T>
125 class ThirdPartyAccountApplier : public DecoratedApplier<T> {
126 /* const */RGWCtl* const ctl;
127 const rgw_user acct_user_override;
128
129 public:
130 /* A value representing situations where there is no requested account
131 * override. In other words, acct_user_override will be equal to this
132 * constant where the request isn't a cross-tenant one. */
133 static const rgw_user UNKNOWN_ACCT;
134
135 template <typename U>
136 ThirdPartyAccountApplier(RGWCtl* const ctl,
137 const rgw_user &acct_user_override,
138 U&& decoratee)
139 : DecoratedApplier<T>(std::move(decoratee)),
140 ctl(ctl),
141 acct_user_override(acct_user_override) {
142 }
143
144 void to_str(std::ostream& out) const override;
145 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
146 };
147
148 /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
149 * of the default construction. */
150 template <typename T>
151 const rgw_user ThirdPartyAccountApplier<T>::UNKNOWN_ACCT;
152
153 template <typename T>
154 void ThirdPartyAccountApplier<T>::to_str(std::ostream& out) const
155 {
156 out << "rgw::auth::ThirdPartyAccountApplier(" + acct_user_override.to_str() + ")"
157 << " -> ";
158 DecoratedApplier<T>::to_str(out);
159 }
160
161 template <typename T>
162 void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
163 {
164 if (UNKNOWN_ACCT == acct_user_override) {
165 /* There is no override specified by the upper layer. This means that we'll
166 * load the account owned by the authenticated identity (aka auth_user). */
167 DecoratedApplier<T>::load_acct_info(dpp, user_info);
168 } else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
169 /* The override has been specified but the account belongs to the authenticated
170 * identity. We may safely forward the call to a next stage. */
171 DecoratedApplier<T>::load_acct_info(dpp, user_info);
172 } else if (this->is_anonymous()) {
173 /* If the user was authed by the anonymous engine then scope the ANON user
174 * to the correct tenant */
175 if (acct_user_override.tenant.empty())
176 user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
177 else
178 user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
179 } else {
180 /* Compatibility mechanism for multi-tenancy. For more details refer to
181 * load_acct_info method of rgw::auth::RemoteApplier. */
182 if (acct_user_override.tenant.empty()) {
183 const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id);
184
185 if (ctl->user->get_info_by_uid(tenanted_uid, &user_info, null_yield) >= 0) {
186 /* Succeeded. */
187 return;
188 }
189 }
190
191 const int ret = ctl->user->get_info_by_uid(acct_user_override, &user_info, null_yield);
192 if (ret < 0) {
193 /* We aren't trying to recover from ENOENT here. It's supposed that creating
194 * someone else's account isn't a thing we want to support in this filter. */
195 if (ret == -ENOENT) {
196 throw -EACCES;
197 } else {
198 throw ret;
199 }
200 }
201
202 }
203 }
204
205 template <typename T> static inline
206 ThirdPartyAccountApplier<T> add_3rdparty(RGWCtl* const ctl,
207 const rgw_user &acct_user_override,
208 T&& t) {
209 return ThirdPartyAccountApplier<T>(ctl, acct_user_override,
210 std::forward<T>(t));
211 }
212
213
214 template <typename T>
215 class SysReqApplier : public DecoratedApplier<T> {
216 CephContext* const cct;
217 /*const*/ RGWCtl* const ctl;
218 const RGWHTTPArgs& args;
219 mutable boost::tribool is_system;
220
221 public:
222 template <typename U>
223 SysReqApplier(CephContext* const cct,
224 /*const*/ RGWCtl* const ctl,
225 const req_state* const s,
226 U&& decoratee)
227 : DecoratedApplier<T>(std::forward<T>(decoratee)),
228 cct(cct),
229 ctl(ctl),
230 args(s->info.args),
231 is_system(boost::logic::indeterminate) {
232 }
233
234 void to_str(std::ostream& out) const override;
235 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
236 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */
237 };
238
239 template <typename T>
240 void SysReqApplier<T>::to_str(std::ostream& out) const
241 {
242 out << "rgw::auth::SysReqApplier" << " -> ";
243 DecoratedApplier<T>::to_str(out);
244 }
245
246 template <typename T>
247 void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
248 {
249 DecoratedApplier<T>::load_acct_info(dpp, user_info);
250 is_system = user_info.system;
251
252 if (is_system) {
253 //ldpp_dout(dpp, 20) << "system request" << dendl;
254
255 rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
256 if (! effective_uid.empty()) {
257 /* We aren't writing directly to user_info for consistency and security
258 * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but
259 * calls ::decode instead. */
260 RGWUserInfo euser_info;
261 if (ctl->user->get_info_by_uid(effective_uid, &euser_info, null_yield) < 0) {
262 //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
263 throw -EACCES;
264 }
265 user_info = euser_info;
266 }
267 }
268 }
269
270 template <typename T>
271 void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
272 {
273 if (boost::logic::indeterminate(is_system)) {
274 RGWUserInfo unused_info;
275 load_acct_info(dpp, unused_info);
276 }
277
278 if (is_system) {
279 s->info.args.set_system();
280 s->system_request = true;
281 }
282 DecoratedApplier<T>::modify_request_state(dpp, s);
283 }
284
285 template <typename T> static inline
286 SysReqApplier<T> add_sysreq(CephContext* const cct,
287 /* const */ RGWCtl* const ctl,
288 const req_state* const s,
289 T&& t) {
290 return SysReqApplier<T>(cct, ctl, s, std::forward<T>(t));
291 }
292
293 } /* namespace auth */
294 } /* namespace rgw */
295
296 #endif /* CEPH_RGW_AUTH_FILTERS_H */
Ceph