1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 #ifndef CEPH_RGW_REST_S3_H
6 #define CEPH_RGW_REST_S3_H
7 #define TIME_BUF_SIZE 128
11 #include <boost/utility/string_view.hpp>
12 #include <boost/container/static_vector.hpp>
14 #include "common/backport14.h"
15 #include "common/sstring.hh"
18 #include "rgw_http_errors.h"
19 #include "rgw_acl_s3.h"
20 #include "rgw_policy_s3.h"
21 #include "rgw_lc_s3.h"
22 #include "rgw_keystone.h"
23 #include "rgw_rest_conn.h"
27 #include "rgw_token.h"
28 #include "include/assert.h"
31 #include "rgw_auth_filters.h"
33 struct rgw_http_error
{
38 void rgw_get_errno_s3(struct rgw_http_error
*e
, int err_no
);
40 class RGWGetObj_ObjStore_S3
: public RGWGetObj_ObjStore
43 // Serving a custom error page from an object is really a 200 response with
44 // just the status line altered.
45 int custom_http_ret
= 0;
46 std::map
<std::string
, std::string
> crypt_http_responses
;
48 RGWGetObj_ObjStore_S3() {}
49 ~RGWGetObj_ObjStore_S3() override
{}
51 int get_params() override
;
52 int send_response_data_error() override
;
53 int send_response_data(bufferlist
& bl
, off_t ofs
, off_t len
) override
;
54 void set_custom_http_response(int http_ret
) { custom_http_ret
= http_ret
; }
55 int get_decrypt_filter(std::unique_ptr
<RGWGetDataCB
>* filter
,
57 bufferlist
* manifest_bl
) override
;
60 class RGWGetObjTags_ObjStore_S3
: public RGWGetObjTags_ObjStore
64 RGWGetObjTags_ObjStore_S3() {}
65 ~RGWGetObjTags_ObjStore_S3() {}
67 void send_response_data(bufferlist
&bl
) override
;
70 class RGWPutObjTags_ObjStore_S3
: public RGWPutObjTags_ObjStore
73 RGWPutObjTags_ObjStore_S3() {}
74 ~RGWPutObjTags_ObjStore_S3() {}
76 int get_params() override
;
77 void send_response() override
;
80 class RGWDeleteObjTags_ObjStore_S3
: public RGWDeleteObjTags
83 ~RGWDeleteObjTags_ObjStore_S3() override
{}
84 void send_response() override
;
87 class RGWListBuckets_ObjStore_S3
: public RGWListBuckets_ObjStore
{
89 RGWListBuckets_ObjStore_S3() {}
90 ~RGWListBuckets_ObjStore_S3() override
{}
92 int get_params() override
{
93 limit
= -1; /* no limit */
96 void send_response_begin(bool has_buckets
) override
;
97 void send_response_data(RGWUserBuckets
& buckets
) override
;
98 void send_response_end() override
;
101 class RGWGetUsage_ObjStore_S3
: public RGWGetUsage_ObjStore
{
103 RGWGetUsage_ObjStore_S3() {}
104 ~RGWGetUsage_ObjStore_S3() override
{}
106 int get_params() override
;
107 void send_response() override
;
110 class RGWListBucket_ObjStore_S3
: public RGWListBucket_ObjStore
{
113 RGWListBucket_ObjStore_S3() : objs_container(false) {
116 ~RGWListBucket_ObjStore_S3() override
{}
118 int get_params() override
;
119 void send_response() override
;
120 void send_versioned_response();
123 class RGWGetBucketLogging_ObjStore_S3
: public RGWGetBucketLogging
{
125 RGWGetBucketLogging_ObjStore_S3() {}
126 ~RGWGetBucketLogging_ObjStore_S3() override
{}
128 void send_response() override
;
131 class RGWGetBucketLocation_ObjStore_S3
: public RGWGetBucketLocation
{
133 RGWGetBucketLocation_ObjStore_S3() {}
134 ~RGWGetBucketLocation_ObjStore_S3() override
{}
136 void send_response() override
;
139 class RGWGetBucketVersioning_ObjStore_S3
: public RGWGetBucketVersioning
{
141 RGWGetBucketVersioning_ObjStore_S3() {}
142 ~RGWGetBucketVersioning_ObjStore_S3() override
{}
144 void send_response() override
;
147 class RGWSetBucketVersioning_ObjStore_S3
: public RGWSetBucketVersioning
{
149 RGWSetBucketVersioning_ObjStore_S3() {}
150 ~RGWSetBucketVersioning_ObjStore_S3() override
{}
152 int get_params() override
;
153 void send_response() override
;
156 class RGWGetBucketWebsite_ObjStore_S3
: public RGWGetBucketWebsite
{
158 RGWGetBucketWebsite_ObjStore_S3() {}
159 ~RGWGetBucketWebsite_ObjStore_S3() override
{}
161 void send_response() override
;
164 class RGWSetBucketWebsite_ObjStore_S3
: public RGWSetBucketWebsite
{
166 RGWSetBucketWebsite_ObjStore_S3() {}
167 ~RGWSetBucketWebsite_ObjStore_S3() override
{}
169 int get_params() override
;
170 void send_response() override
;
173 class RGWDeleteBucketWebsite_ObjStore_S3
: public RGWDeleteBucketWebsite
{
175 RGWDeleteBucketWebsite_ObjStore_S3() {}
176 ~RGWDeleteBucketWebsite_ObjStore_S3() override
{}
178 void send_response() override
;
181 class RGWStatBucket_ObjStore_S3
: public RGWStatBucket_ObjStore
{
183 RGWStatBucket_ObjStore_S3() {}
184 ~RGWStatBucket_ObjStore_S3() override
{}
186 void send_response() override
;
189 class RGWCreateBucket_ObjStore_S3
: public RGWCreateBucket_ObjStore
{
191 RGWCreateBucket_ObjStore_S3() {}
192 ~RGWCreateBucket_ObjStore_S3() override
{}
194 int get_params() override
;
195 void send_response() override
;
198 class RGWDeleteBucket_ObjStore_S3
: public RGWDeleteBucket_ObjStore
{
200 RGWDeleteBucket_ObjStore_S3() {}
201 ~RGWDeleteBucket_ObjStore_S3() override
{}
203 void send_response() override
;
206 class RGWPutObj_ObjStore_S3
: public RGWPutObj_ObjStore
{
208 std::map
<std::string
, std::string
> crypt_http_responses
;
211 RGWPutObj_ObjStore_S3() {}
212 ~RGWPutObj_ObjStore_S3() override
{}
214 int get_params() override
;
215 int get_data(bufferlist
& bl
) override
;
216 void send_response() override
;
218 int get_encrypt_filter(std::unique_ptr
<RGWPutObjDataProcessor
>* filter
,
219 RGWPutObjDataProcessor
* cb
) override
;
220 int get_decrypt_filter(std::unique_ptr
<RGWGetDataCB
>* filter
,
222 map
<string
, bufferlist
>& attrs
,
223 bufferlist
* manifest_bl
) override
;
226 class RGWPostObj_ObjStore_S3
: public RGWPostObj_ObjStore
{
227 parts_collection_t parts
;
228 std::string filename
;
229 std::string content_type
;
231 RGWPolicy post_policy
;
232 map
<string
, string
> crypt_http_responses
;
234 const rgw::auth::StrategyRegistry
* auth_registry_ptr
= nullptr;
238 void rebuild_key(string
& key
);
240 std::string
get_current_filename() const override
;
241 std::string
get_current_content_type() const override
;
244 RGWPostObj_ObjStore_S3() {}
245 ~RGWPostObj_ObjStore_S3() override
{}
247 int verify_requester(const rgw::auth::StrategyRegistry
& auth_registry
) {
248 auth_registry_ptr
= &auth_registry
;
249 return RGWPostObj_ObjStore::verify_requester(auth_registry
);
252 int get_params() override
;
253 int complete_get_params();
255 void send_response() override
;
256 int get_data(ceph::bufferlist
& bl
, bool& again
) override
;
257 int get_encrypt_filter(std::unique_ptr
<RGWPutObjDataProcessor
>* filter
,
258 RGWPutObjDataProcessor
* cb
) override
;
261 class RGWDeleteObj_ObjStore_S3
: public RGWDeleteObj_ObjStore
{
263 RGWDeleteObj_ObjStore_S3() {}
264 ~RGWDeleteObj_ObjStore_S3() override
{}
266 int get_params() override
;
267 void send_response() override
;
270 class RGWCopyObj_ObjStore_S3
: public RGWCopyObj_ObjStore
{
273 RGWCopyObj_ObjStore_S3() : sent_header(false) {}
274 ~RGWCopyObj_ObjStore_S3() override
{}
276 int init_dest_policy() override
;
277 int get_params() override
;
278 void send_partial_response(off_t ofs
) override
;
279 void send_response() override
;
282 class RGWGetACLs_ObjStore_S3
: public RGWGetACLs_ObjStore
{
284 RGWGetACLs_ObjStore_S3() {}
285 ~RGWGetACLs_ObjStore_S3() override
{}
287 void send_response() override
;
290 class RGWPutACLs_ObjStore_S3
: public RGWPutACLs_ObjStore
{
292 RGWPutACLs_ObjStore_S3() {}
293 ~RGWPutACLs_ObjStore_S3() override
{}
295 int get_policy_from_state(RGWRados
*store
, struct req_state
*s
, stringstream
& ss
) override
;
296 void send_response() override
;
297 int get_params() override
;
300 class RGWGetLC_ObjStore_S3
: public RGWGetLC_ObjStore
{
302 RGWLifecycleConfiguration_S3 config
;
304 RGWGetLC_ObjStore_S3() {}
305 ~RGWGetLC_ObjStore_S3() override
{}
306 void execute() override
;
308 void send_response() override
;
311 class RGWPutLC_ObjStore_S3
: public RGWPutLC_ObjStore
{
313 RGWPutLC_ObjStore_S3() {}
314 ~RGWPutLC_ObjStore_S3() override
{}
316 void send_response() override
;
319 class RGWDeleteLC_ObjStore_S3
: public RGWDeleteLC_ObjStore
{
321 RGWDeleteLC_ObjStore_S3() {}
322 ~RGWDeleteLC_ObjStore_S3() override
{}
324 void send_response() override
;
327 class RGWGetCORS_ObjStore_S3
: public RGWGetCORS_ObjStore
{
329 RGWGetCORS_ObjStore_S3() {}
330 ~RGWGetCORS_ObjStore_S3() override
{}
332 void send_response() override
;
335 class RGWPutCORS_ObjStore_S3
: public RGWPutCORS_ObjStore
{
337 RGWPutCORS_ObjStore_S3() {}
338 ~RGWPutCORS_ObjStore_S3() override
{}
340 int get_params() override
;
341 void send_response() override
;
344 class RGWDeleteCORS_ObjStore_S3
: public RGWDeleteCORS_ObjStore
{
346 RGWDeleteCORS_ObjStore_S3() {}
347 ~RGWDeleteCORS_ObjStore_S3() override
{}
349 void send_response() override
;
352 class RGWOptionsCORS_ObjStore_S3
: public RGWOptionsCORS_ObjStore
{
354 RGWOptionsCORS_ObjStore_S3() {}
355 ~RGWOptionsCORS_ObjStore_S3() override
{}
357 void send_response() override
;
360 class RGWGetRequestPayment_ObjStore_S3
: public RGWGetRequestPayment
{
362 RGWGetRequestPayment_ObjStore_S3() {}
363 ~RGWGetRequestPayment_ObjStore_S3() override
{}
365 void send_response() override
;
368 class RGWSetRequestPayment_ObjStore_S3
: public RGWSetRequestPayment
{
370 RGWSetRequestPayment_ObjStore_S3() {}
371 ~RGWSetRequestPayment_ObjStore_S3() override
{}
373 int get_params() override
;
374 void send_response() override
;
377 class RGWInitMultipart_ObjStore_S3
: public RGWInitMultipart_ObjStore
{
379 std::map
<std::string
, std::string
> crypt_http_responses
;
381 RGWInitMultipart_ObjStore_S3() {}
382 ~RGWInitMultipart_ObjStore_S3() override
{}
384 int get_params() override
;
385 void send_response() override
;
386 int prepare_encryption(map
<string
, bufferlist
>& attrs
) override
;
389 class RGWCompleteMultipart_ObjStore_S3
: public RGWCompleteMultipart_ObjStore
{
391 RGWCompleteMultipart_ObjStore_S3() {}
392 ~RGWCompleteMultipart_ObjStore_S3() override
{}
394 int get_params() override
;
395 void send_response() override
;
398 class RGWAbortMultipart_ObjStore_S3
: public RGWAbortMultipart_ObjStore
{
400 RGWAbortMultipart_ObjStore_S3() {}
401 ~RGWAbortMultipart_ObjStore_S3() override
{}
403 void send_response() override
;
406 class RGWListMultipart_ObjStore_S3
: public RGWListMultipart_ObjStore
{
408 RGWListMultipart_ObjStore_S3() {}
409 ~RGWListMultipart_ObjStore_S3() override
{}
411 void send_response() override
;
414 class RGWListBucketMultiparts_ObjStore_S3
: public RGWListBucketMultiparts_ObjStore
{
416 RGWListBucketMultiparts_ObjStore_S3() {
419 ~RGWListBucketMultiparts_ObjStore_S3() override
{}
421 void send_response() override
;
424 class RGWDeleteMultiObj_ObjStore_S3
: public RGWDeleteMultiObj_ObjStore
{
426 RGWDeleteMultiObj_ObjStore_S3() {}
427 ~RGWDeleteMultiObj_ObjStore_S3() override
{}
429 int get_params() override
;
430 void send_status() override
;
431 void begin_response() override
;
432 void send_partial_response(rgw_obj_key
& key
, bool delete_marker
,
433 const string
& marker_version_id
, int ret
) override
;
434 void end_response() override
;
437 class RGWGetObjLayout_ObjStore_S3
: public RGWGetObjLayout
{
439 RGWGetObjLayout_ObjStore_S3() {}
440 ~RGWGetObjLayout_ObjStore_S3() {}
442 void send_response();
445 class RGWConfigBucketMetaSearch_ObjStore_S3
: public RGWConfigBucketMetaSearch
{
447 RGWConfigBucketMetaSearch_ObjStore_S3() {}
448 ~RGWConfigBucketMetaSearch_ObjStore_S3() {}
450 int get_params() override
;
451 void send_response() override
;
454 class RGWGetBucketMetaSearch_ObjStore_S3
: public RGWGetBucketMetaSearch
{
456 RGWGetBucketMetaSearch_ObjStore_S3() {}
457 ~RGWGetBucketMetaSearch_ObjStore_S3() {}
459 void send_response() override
;
462 class RGWDelBucketMetaSearch_ObjStore_S3
: public RGWDelBucketMetaSearch
{
464 RGWDelBucketMetaSearch_ObjStore_S3() {}
465 ~RGWDelBucketMetaSearch_ObjStore_S3() {}
467 void send_response() override
;
472 static int authorize(RGWRados
*store
,
473 const rgw::auth::StrategyRegistry
& auth_registry
,
474 struct req_state
*s
);
477 class RGWHandler_Auth_S3
: public RGWHandler_REST
{
478 friend class RGWRESTMgr_S3
;
480 const rgw::auth::StrategyRegistry
& auth_registry
;
483 RGWHandler_Auth_S3(const rgw::auth::StrategyRegistry
& auth_registry
)
485 auth_registry(auth_registry
) {
487 ~RGWHandler_Auth_S3() override
= default;
489 static int validate_bucket_name(const string
& bucket
);
490 static int validate_object_name(const string
& bucket
);
492 int init(RGWRados
*store
,
494 rgw::io::BasicClient
*cio
) override
;
495 int authorize() override
{
496 return RGW_Auth_S3::authorize(store
, auth_registry
, s
);
498 int postauth_init() override
{ return 0; }
501 class RGWHandler_REST_S3
: public RGWHandler_REST
{
502 friend class RGWRESTMgr_S3
;
504 const rgw::auth::StrategyRegistry
& auth_registry
;
506 static int init_from_header(struct req_state
*s
, int default_formatter
, bool configurable_format
);
508 RGWHandler_REST_S3(const rgw::auth::StrategyRegistry
& auth_registry
)
510 auth_registry(auth_registry
) {
512 ~RGWHandler_REST_S3() override
= default;
514 int init(RGWRados
*store
,
516 rgw::io::BasicClient
*cio
) override
;
517 int authorize() override
{
518 return RGW_Auth_S3::authorize(store
, auth_registry
, s
);
520 int postauth_init() override
;
523 class RGWHandler_REST_Service_S3
: public RGWHandler_REST_S3
{
526 return s
->info
.args
.exists("usage");
528 RGWOp
*op_get() override
;
529 RGWOp
*op_head() override
;
530 RGWOp
*op_post() override
;
532 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
533 ~RGWHandler_REST_Service_S3() override
= default;
536 class RGWHandler_REST_Bucket_S3
: public RGWHandler_REST_S3
{
539 return s
->info
.args
.exists("acl");
542 return s
->info
.args
.exists("cors");
545 return s
->info
.args
.exists("lifecycle");
547 bool is_obj_update_op() override
{
548 return is_acl_op() || is_cors_op();
550 bool is_request_payment_op() {
551 return s
->info
.args
.exists("requestPayment");
553 bool is_policy_op() {
554 return s
->info
.args
.exists("policy");
556 RGWOp
*get_obj_op(bool get_data
);
558 RGWOp
*op_get() override
;
559 RGWOp
*op_head() override
;
560 RGWOp
*op_put() override
;
561 RGWOp
*op_delete() override
;
562 RGWOp
*op_post() override
;
563 RGWOp
*op_options() override
;
565 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
566 ~RGWHandler_REST_Bucket_S3() override
= default;
569 class RGWHandler_REST_Obj_S3
: public RGWHandler_REST_S3
{
572 return s
->info
.args
.exists("acl");
575 return s
->info
.args
.exists("cors");
577 bool is_tagging_op() {
578 return s
->info
.args
.exists("tagging");
580 bool is_obj_update_op() override
{
581 return is_acl_op() || is_tagging_op() ;
583 RGWOp
*get_obj_op(bool get_data
);
585 RGWOp
*op_get() override
;
586 RGWOp
*op_head() override
;
587 RGWOp
*op_put() override
;
588 RGWOp
*op_delete() override
;
589 RGWOp
*op_post() override
;
590 RGWOp
*op_options() override
;
592 using RGWHandler_REST_S3::RGWHandler_REST_S3
;
593 ~RGWHandler_REST_Obj_S3() override
= default;
596 class RGWRESTMgr_S3
: public RGWRESTMgr
{
598 bool enable_s3website
;
600 explicit RGWRESTMgr_S3(bool enable_s3website
= false)
601 : enable_s3website(enable_s3website
) {
604 ~RGWRESTMgr_S3() override
= default;
606 RGWHandler_REST
*get_handler(struct req_state
* s
,
607 const rgw::auth::StrategyRegistry
& auth_registry
,
608 const std::string
& frontend_prefix
) override
;
611 class RGWHandler_REST_Obj_S3Website
;
613 static inline bool looks_like_ip_address(const char *bucket
)
616 bool expect_period
= false;
617 for (const char *b
= bucket
; *b
; ++b
) {
624 expect_period
= false;
626 else if (isdigit(*b
)) {
627 expect_period
= true;
633 return (num_periods
== 3);
636 static inline int valid_s3_object_name(const string
& name
) {
637 if (name
.size() > 1024) {
638 return -ERR_INVALID_OBJECT_NAME
;
640 if (check_utf8(name
.c_str(), name
.size())) {
641 return -ERR_INVALID_OBJECT_NAME
;
646 static inline int valid_s3_bucket_name(const string
& name
, bool relaxed
=false)
648 // This function enforces Amazon's spec for bucket names.
649 // (The requirements, not the recommendations.)
650 int len
= name
.size();
653 return -ERR_INVALID_BUCKET_NAME
;
654 } else if (len
> 255) {
656 return -ERR_INVALID_BUCKET_NAME
;
659 // bucket names must start with a number, letter, or underscore
660 if (!(isalpha(name
[0]) || isdigit(name
[0]))) {
662 return -ERR_INVALID_BUCKET_NAME
;
663 else if (!(name
[0] == '_' || name
[0] == '.' || name
[0] == '-'))
664 return -ERR_INVALID_BUCKET_NAME
;
667 for (const char *s
= name
.c_str(); *s
; ++s
) {
669 if (isdigit(c
) || (c
== '.'))
673 if ((c
== '-') || (c
== '_'))
676 return -ERR_INVALID_BUCKET_NAME
;
679 if (looks_like_ip_address(name
.c_str()))
680 return -ERR_INVALID_BUCKET_NAME
;
690 class AWSEngine
: public rgw::auth::Engine
{
692 class VersionAbstractor
{
693 static constexpr size_t DIGEST_SIZE_V2
= CEPH_CRYPTO_HMACSHA1_DIGESTSIZE
;
694 static constexpr size_t DIGEST_SIZE_V4
= CEPH_CRYPTO_HMACSHA256_DIGESTSIZE
;
696 /* Knowing the signature max size allows us to employ the sstring, and thus
697 * avoid dynamic allocations. The multiplier comes from representing digest
698 * in the base64-encoded form. */
699 static constexpr size_t SIGNATURE_MAX_SIZE
= \
700 ceph::max(DIGEST_SIZE_V2
, DIGEST_SIZE_V4
) * 2 + sizeof('\0');
703 virtual ~VersionAbstractor() {};
705 using access_key_id_t
= boost::string_view
;
706 using client_signature_t
= boost::string_view
;
707 using server_signature_t
= basic_sstring
<char, uint16_t, SIGNATURE_MAX_SIZE
>;
708 using string_to_sign_t
= std::string
;
710 /* Transformation for crafting the AWS signature at server side which is
711 * used later to compare with the user-provided one. The methodology for
712 * doing that depends on AWS auth version. */
713 using signature_factory_t
= \
714 std::function
<server_signature_t(CephContext
* cct
,
715 const std::string
& secret_key
,
716 const string_to_sign_t
& string_to_sign
)>;
718 /* Return an instance of Completer for verifying the payload's fingerprint
719 * if necessary. Otherwise caller gets nullptr. Caller may provide secret
721 using completer_factory_t
= \
722 std::function
<rgw::auth::Completer::cmplptr_t(
723 const boost::optional
<std::string
>& secret_key
)>;
726 access_key_id_t access_key_id
;
727 client_signature_t client_signature
;
728 string_to_sign_t string_to_sign
;
729 signature_factory_t signature_factory
;
730 completer_factory_t completer_factory
;
733 virtual auth_data_t
get_auth_data(const req_state
* s
) const = 0;
738 const VersionAbstractor
& ver_abstractor
;
740 AWSEngine(CephContext
* const cct
, const VersionAbstractor
& ver_abstractor
)
742 ver_abstractor(ver_abstractor
) {
745 using result_t
= rgw::auth::Engine::result_t
;
746 using string_to_sign_t
= VersionAbstractor::string_to_sign_t
;
747 using signature_factory_t
= VersionAbstractor::signature_factory_t
;
748 using completer_factory_t
= VersionAbstractor::completer_factory_t
;
750 /* TODO(rzarzynski): clean up. We've too many input parameter hee. Also
751 * the signature get_auth_data() of VersionAbstractor is too complicated.
752 * Replace these thing with a simple, dedicated structure. */
753 virtual result_t
authenticate(const boost::string_view
& access_key_id
,
754 const boost::string_view
& signature
,
755 const string_to_sign_t
& string_to_sign
,
756 const signature_factory_t
& signature_factory
,
757 const completer_factory_t
& completer_factory
,
758 const req_state
* s
) const = 0;
761 result_t
authenticate(const req_state
* const s
) const final
;
765 class AWSGeneralAbstractor
: public AWSEngine::VersionAbstractor
{
766 CephContext
* const cct
;
768 virtual boost::optional
<std::string
>
769 get_v4_canonical_headers(const req_info
& info
,
770 const boost::string_view
& signedheaders
,
771 const bool using_qs
) const;
773 auth_data_t
get_auth_data_v2(const req_state
* s
) const;
774 auth_data_t
get_auth_data_v4(const req_state
* s
, bool using_qs
) const;
777 AWSGeneralAbstractor(CephContext
* const cct
)
781 auth_data_t
get_auth_data(const req_state
* s
) const override
;
784 class AWSGeneralBoto2Abstractor
: public AWSGeneralAbstractor
{
785 boost::optional
<std::string
>
786 get_v4_canonical_headers(const req_info
& info
,
787 const boost::string_view
& signedheaders
,
788 const bool using_qs
) const override
;
791 using AWSGeneralAbstractor::AWSGeneralAbstractor
;
794 class AWSBrowserUploadAbstractor
: public AWSEngine::VersionAbstractor
{
795 static std::string
to_string(ceph::bufferlist bl
) {
796 return std::string(bl
.c_str(),
797 static_cast<std::string::size_type
>(bl
.length()));
800 auth_data_t
get_auth_data_v2(const req_state
* s
) const;
801 auth_data_t
get_auth_data_v4(const req_state
* s
) const;
804 AWSBrowserUploadAbstractor(CephContext
*) {
807 auth_data_t
get_auth_data(const req_state
* s
) const override
;
811 class LDAPEngine
: public AWSEngine
{
812 static rgw::LDAPHelper
* ldh
;
813 static std::mutex mtx
;
815 static void init(CephContext
* const cct
);
817 using acl_strategy_t
= rgw::auth::RemoteApplier::acl_strategy_t
;
818 using auth_info_t
= rgw::auth::RemoteApplier::AuthInfo
;
819 using result_t
= rgw::auth::Engine::result_t
;
822 RGWRados
* const store
;
823 const rgw::auth::RemoteApplier::Factory
* const apl_factory
;
825 acl_strategy_t
get_acl_strategy() const;
826 auth_info_t
get_creds_info(const rgw::RGWToken
& token
) const noexcept
;
828 result_t
authenticate(const boost::string_view
& access_key_id
,
829 const boost::string_view
& signature
,
830 const string_to_sign_t
& string_to_sign
,
831 const signature_factory_t
&,
832 const completer_factory_t
& completer_factory
,
833 const req_state
* s
) const override
;
835 LDAPEngine(CephContext
* const cct
,
836 RGWRados
* const store
,
837 const VersionAbstractor
& ver_abstractor
,
838 const rgw::auth::RemoteApplier::Factory
* const apl_factory
)
839 : AWSEngine(cct
, ver_abstractor
),
841 apl_factory(apl_factory
) {
845 using AWSEngine::authenticate
;
847 const char* get_name() const noexcept override
{
848 return "rgw::auth::s3::LDAPEngine";
853 class LocalEngine
: public AWSEngine
{
854 RGWRados
* const store
;
855 const rgw::auth::LocalApplier::Factory
* const apl_factory
;
857 result_t
authenticate(const boost::string_view
& access_key_id
,
858 const boost::string_view
& signature
,
859 const string_to_sign_t
& string_to_sign
,
860 const signature_factory_t
& signature_factory
,
861 const completer_factory_t
& completer_factory
,
862 const req_state
* s
) const override
;
864 LocalEngine(CephContext
* const cct
,
865 RGWRados
* const store
,
866 const VersionAbstractor
& ver_abstractor
,
867 const rgw::auth::LocalApplier::Factory
* const apl_factory
)
868 : AWSEngine(cct
, ver_abstractor
),
870 apl_factory(apl_factory
) {
873 using AWSEngine::authenticate
;
875 const char* get_name() const noexcept override
{
876 return "rgw::auth::s3::LocalEngine";
881 class S3AnonymousEngine
: public rgw::auth::AnonymousEngine
{
882 bool is_applicable(const req_state
* s
) const noexcept override
;
885 /* Let's reuse the parent class' constructor. */
886 using rgw::auth::AnonymousEngine::AnonymousEngine
;
888 const char* get_name() const noexcept override
{
889 return "rgw::auth::s3::S3AnonymousEngine";
895 class S3AuthFactory
: public rgw::auth::RemoteApplier::Factory
,
896 public rgw::auth::LocalApplier::Factory
{
897 typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t
;
898 RGWRados
* const store
;
899 ImplicitTenants
& implicit_tenant_context
;
902 S3AuthFactory(RGWRados
* const store
,
903 ImplicitTenants
& implicit_tenant_context
)
905 implicit_tenant_context(implicit_tenant_context
) {
908 aplptr_t
create_apl_remote(CephContext
* const cct
,
909 const req_state
* const s
,
910 rgw::auth::RemoteApplier::acl_strategy_t
&& acl_alg
,
911 const rgw::auth::RemoteApplier::AuthInfo info
914 new rgw::auth::RemoteApplier(cct
, store
, std::move(acl_alg
), info
,
915 implicit_tenant_context
,
916 rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_S3
));
919 aplptr_t
create_apl_local(CephContext
* const cct
,
920 const req_state
* const s
,
921 const RGWUserInfo
& user_info
,
922 const std::string
& subuser
) const override
{
924 new rgw::auth::LocalApplier(cct
, user_info
, subuser
));
931 } /* namespace auth */
932 } /* namespace rgw */
935 #endif /* CEPH_RGW_REST_S3_H */