ceph/src/rgw/rgw_auth_keystone.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3
   4
   5 #ifndef CEPH_RGW_AUTH_KEYSTONE_H
   6 #define CEPH_RGW_AUTH_KEYSTONE_H
   7
   8 #include <utility>
   9 #include <boost/optional.hpp>
  10 #include <boost/utility/string_view.hpp>
  11
  12 #include "rgw_auth.h"
  13 #include "rgw_rest_s3.h"
  14 #include "rgw_common.h"
  15 #include "rgw_keystone.h"
  16
  17 namespace rgw {
  18 namespace auth {
  19 namespace keystone {
  20
  21 /* Dedicated namespace for Keystone-related auth engines. We need it because
  22  * Keystone offers three different authentication mechanisms (token, EC2 and
  23  * regular user/pass). RadosGW actually does support the first two. */
  24
  25 class TokenEngine : public rgw::auth::Engine {
  26   CephContext* const cct;
  27
  28   using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  29   using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  30   using result_t = rgw::auth::Engine::result_t;
  31   using token_envelope_t = rgw::keystone::TokenEnvelope;
  32
  33   const rgw::auth::TokenExtractor* const extractor;
  34   const rgw::auth::RemoteApplier::Factory* const apl_factory;
  35   rgw::keystone::Config& config;
  36   rgw::keystone::TokenCache& token_cache;
  37
  38   /* Helper methods. */
  39   bool is_applicable(const std::string& token) const noexcept;
  40   token_envelope_t decode_pki_token(const std::string& token) const;
  41
  42   boost::optional<token_envelope_t>
  43   get_from_keystone(const std::string& token) const;
  44
  45   acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  46   auth_info_t get_creds_info(const token_envelope_t& token,
  47                              const std::vector<std::string>& admin_roles
  48                             ) const noexcept;
  49   result_t authenticate(const std::string& token,
  50                         const req_state* s) const;
  51
  52 public:
  53   TokenEngine(CephContext* const cct,
  54               const rgw::auth::TokenExtractor* const extractor,
  55               const rgw::auth::RemoteApplier::Factory* const apl_factory,
  56               rgw::keystone::Config& config,
  57               rgw::keystone::TokenCache& token_cache)
  58     : cct(cct),
  59       extractor(extractor),
  60       apl_factory(apl_factory),
  61       config(config),
  62       token_cache(token_cache) {
  63   }
  64
  65   const char* get_name() const noexcept override {
  66     return "rgw::auth::keystone::TokenEngine";
  67   }
  68
  69   result_t authenticate(const req_state* const s) const override {
  70     return authenticate(extractor->get_token(s), s);
  71   }
  72 }; /* class TokenEngine */
  73
  74
  75 class EC2Engine : public rgw::auth::s3::AWSEngine {
  76   using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  77   using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  78   using result_t = rgw::auth::Engine::result_t;
  79   using token_envelope_t = rgw::keystone::TokenEnvelope;
  80
  81   const rgw::auth::RemoteApplier::Factory* const apl_factory;
  82   rgw::keystone::Config& config;
  83   rgw::keystone::TokenCache& token_cache;
  84
  85   /* Helper methods. */
  86   acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  87   auth_info_t get_creds_info(const token_envelope_t& token,
  88                              const std::vector<std::string>& admin_roles
  89                             ) const noexcept;
  90   std::pair<boost::optional<token_envelope_t>, int>
  91   get_from_keystone(const boost::string_view& access_key_id,
  92                     const std::string& string_to_sign,
  93                     const boost::string_view& signature) const;
  94   result_t authenticate(const boost::string_view& access_key_id,
  95                         const boost::string_view& signature,
  96                         const string_to_sign_t& string_to_sign,
  97                         const signature_factory_t&,
  98                         const completer_factory_t& completer_factory,
  99                         const req_state* s) const override;
 100 public:
 101   EC2Engine(CephContext* const cct,
 102             const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
 103             const rgw::auth::RemoteApplier::Factory* const apl_factory,
 104             rgw::keystone::Config& config,
 105             /* The token cache is used ONLY for the retrieving admin token.
 106              * Due to the architecture of AWS Auth S3 credentials cannot be
 107              * cached at all. */
 108             rgw::keystone::TokenCache& token_cache)
 109     : AWSEngine(cct, *ver_abstractor),
 110       apl_factory(apl_factory),
 111       config(config),
 112       token_cache(token_cache) {
 113   }
 114
 115   using AWSEngine::authenticate;
 116
 117   const char* get_name() const noexcept override {
 118     return "rgw::auth::keystone::EC2Engine";
 119   }
 120
 121 }; /* class EC2Engine */
 122
 123 }; /* namespace keystone */
 124 }; /* namespace auth */
 125 }; /* namespace rgw */
 126
 127 #endif /* CEPH_RGW_AUTH_KEYSTONE_H */