rgw: switch from req_state::auth_identity to req_state::auth::identity.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>

diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
index 9a0d3f33751ea6b17a5c101b49cac211fd37854a..f7bb502fa0060b70184dcf49b6ab9ab2fea51afc 100644 (file)
--- a/src/rgw/librgw.cc
+++ b/src/rgw/librgw.cc
@@ -280,7 +280,7 @@ namespace rgw {
     if (ret < 0) {
       if (s->system_request) {
        dout(2) << "overriding permissions due to system operation" << dendl;
-      } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+      } else if (s->auth.identity->is_admin_of(s->user->user_id)) {
        dout(2) << "overriding permissions due to admin operation" << dendl;
       } else {
        abort_req(s, op, ret);
@@ -395,7 +395,7 @@ namespace rgw {
     if (ret < 0) {
       if (s->system_request) {
        dout(2) << "overriding permissions due to system operation" << dendl;
-      } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+      } else if (s->auth.identity->is_admin_of(s->user->user_id)) {
        dout(2) << "overriding permissions due to admin operation" << dendl;
       } else {
        abort_req(s, op, ret);

diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc
index 6af5639eb081979d16c280fb9b6b9dee3bded6fb..30e3382a83ac0ed81b27558a22458394a37c56a9 100644 (file)
--- a/src/rgw/rgw_acl.cc
+++ b/src/rgw/rgw_acl.cc
@@ -47,7 +47,7 @@ void RGWAccessControlList::add_grant(ACLGrant *grant)
   _add_grant(grant);
 }
 
-uint32_t RGWAccessControlList::get_perm(const RGWIdentityApplier& auth_identity,
+uint32_t RGWAccessControlList::get_perm(const rgw::auth::Identity& auth_identity,
                                         const uint32_t perm_mask)
 {
   ldout(cct, 5) << "Searching permissions for identity=" << auth_identity
@@ -94,7 +94,7 @@ uint32_t RGWAccessControlList::get_referer_perm(const std::string http_referer,
   }
 }
 
-uint32_t RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identity,
+uint32_t RGWAccessControlPolicy::get_perm(const rgw::auth::Identity& auth_identity,
                                           const uint32_t perm_mask,
                                           const char * const http_referer)
 {
@@ -130,7 +130,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identit
   return perm;
 }
 
-bool RGWAccessControlPolicy::verify_permission(const RGWIdentityApplier& auth_identity,
+bool RGWAccessControlPolicy::verify_permission(const rgw::auth::Identity& auth_identity,
                                                const uint32_t user_perm_mask,
                                                const uint32_t perm,
                                                const char * const http_referer)

diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h
index ff44004f9add3254e6fc72d9ddf03edbc5aeb963..24567677e8e17058096718baf2b015114967eab0 100644 (file)
--- a/src/rgw/rgw_acl.h
+++ b/src/rgw/rgw_acl.h
@@ -272,7 +272,11 @@ private:
 };
 WRITE_CLASS_ENCODER(ACLReferer)
 
-class RGWIdentityApplier;
+namespace rgw {
+namespace auth {
+  class Identity;
+}
+}
 
 class RGWAccessControlList
 {
@@ -295,7 +299,7 @@ public:
 
   virtual ~RGWAccessControlList() {}
 
-  uint32_t get_perm(const RGWIdentityApplier& auth_identity,
+  uint32_t get_perm(const rgw::auth::Identity& auth_identity,
                     uint32_t perm_mask);
   uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask);
   uint32_t get_referer_perm(const std::string http_referer, uint32_t perm_mask);
@@ -402,11 +406,11 @@ public:
     acl.set_ctx(ctx);
   }
 
-  uint32_t get_perm(const RGWIdentityApplier& auth_identity,
+  uint32_t get_perm(const rgw::auth::Identity& auth_identity,
                     uint32_t perm_mask,
                     const char * http_referer);
   uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask);
-  bool verify_permission(const RGWIdentityApplier& auth_identity,
+  bool verify_permission(const rgw::auth::Identity& auth_identity,
                          uint32_t user_perm_mask,
                          uint32_t perm,
                          const char * http_referer = nullptr);

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index cce203b0faabbe755eca1daae126906b83370b00..7f7f45c45dda4cc6587af58d4d5f29e5af0294e9 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -899,7 +899,7 @@ bool verify_user_permission(struct req_state * const s,
   if ((perm & (int)s->perm_mask) != perm)
     return false;
 
-  return user_acl->verify_permission(*s->auth_identity, perm, perm);
+  return user_acl->verify_permission(*s->auth.identity, perm, perm);
 }
 
 bool verify_user_permission(struct req_state * const s,
@@ -913,10 +913,10 @@ bool verify_requester_payer_permission(struct req_state *s)
   if (!s->bucket_info.requester_pays)
     return true;
 
-  if (s->auth_identity->is_owner_of(s->bucket_info.owner))
+  if (s->auth.identity->is_owner_of(s->bucket_info.owner))
     return true;
   
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return false;
   }
 
@@ -950,14 +950,14 @@ bool verify_bucket_permission(struct req_state * const s,
   if (!verify_requester_payer_permission(s))
     return false;
 
-  if (bucket_acl->verify_permission(*s->auth_identity, perm, perm,
+  if (bucket_acl->verify_permission(*s->auth.identity, perm, perm,
                                     s->info.env->get("HTTP_REFERER")))
     return true;
 
   if (!user_acl)
     return false;
 
-  return user_acl->verify_permission(*s->auth_identity, perm, perm);
+  return user_acl->verify_permission(*s->auth.identity, perm, perm);
 }
 
 bool verify_bucket_permission(struct req_state * const s, const int perm)
@@ -996,7 +996,7 @@ bool verify_object_permission(struct req_state * const s,
     return false;
   }
 
-  bool ret = object_acl->verify_permission(*s->auth_identity, s->perm_mask, perm);
+  bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm);
   if (ret) {
     return true;
   }
@@ -1018,14 +1018,14 @@ bool verify_object_permission(struct req_state * const s,
 
   /* we already verified the user mask above, so we pass swift_perm as the mask here,
      otherwise the mask might not cover the swift permissions bits */
-  if (bucket_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm,
+  if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm,
                                     s->info.env->get("HTTP_REFERER")))
     return true;
 
   if (!user_acl)
     return false;
 
-  return user_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm);
+  return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm);
 }
 
 bool verify_object_permission(struct req_state *s, int perm)

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 06e30f2e0523e64a89c335ce1162449e75ff1625..820efc2307d39fd92e2165c63bee7108fdd100a0 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1725,14 +1725,15 @@ struct req_state {
 
   RGWUserInfo *user;
 
-  /* Object having the knowledge about an authenticated identity and allowing
-   * to apply it during the authorization phase (verify_permission() methods
-   * of a given RGWOp). Thus, it bounds authentication and authorization steps
-   * through a well-defined interface. For more details, see rgw_auth.h. */
-  std::unique_ptr<RGWIdentityApplier> auth_identity;
   struct {
-    /* TODO(rzarzynski): switch out to the static_ptr. */
+    /* TODO(rzarzynski): switch out to the static_ptr for both members. */
+
+    /* Object having the knowledge about an authenticated identity and allowing
+     * to apply it during the authorization phase (verify_permission() methods
+     * of a given RGWOp). Thus, it bounds authentication and authorization steps
+     * through a well-defined interface. For more details, see rgw_auth.h. */
     std::unique_ptr<rgw::auth::Identity> identity;
+
     std::unique_ptr<rgw::auth::Completer> completer;
   } auth;
 

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index b7ee0beba238c0147b09cec0c39806543990ce7a..483e344603b869de983399a2ecc2768fb43a02d8 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -362,9 +362,9 @@ static int read_obj_policy(RGWRados *store,
 
     const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
     if (bucket_owner.compare(s->user->user_id) != 0 &&
-        !s->auth_identity->is_admin_of(bucket_owner) &&
-        !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
-                                         RGW_PERM_READ)) {
+        ! s->auth.identity->is_admin_of(bucket_owner) &&
+        ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
+                                          RGW_PERM_READ)) {
       ret = -EACCES;
     } else {
       ret = -ENOENT;
@@ -1544,7 +1544,7 @@ int RGWListBuckets::verify_permission()
 
 int RGWGetUsage::verify_permission()
 {
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return -EACCES;
   }
 
@@ -1731,7 +1731,7 @@ void RGWStatAccount::execute()
 
 int RGWGetBucketVersioning::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -1751,7 +1751,7 @@ void RGWGetBucketVersioning::execute()
 
 int RGWSetBucketVersioning::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -1981,7 +1981,7 @@ void RGWListBucket::execute()
 
 int RGWGetBucketLogging::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -1990,7 +1990,7 @@ int RGWGetBucketLogging::verify_permission()
 
 int RGWGetBucketLocation::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -2002,7 +2002,7 @@ int RGWCreateBucket::verify_permission()
   /* This check is mostly needed for S3 that doesn't support account ACL.
    * Swift doesn't allow to delegate any permission to an anonymous user,
    * so it will become an early exit in such case. */
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return -EACCES;
   }
 
@@ -2578,8 +2578,8 @@ int RGWPutObj::verify_permission()
     }
 
     /* admin request overrides permission checks */
-    if (!s->auth_identity->is_admin_of(cs_policy.get_owner().get_id()) &&
-        !cs_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) {
+    if (! s->auth.identity->is_admin_of(cs_policy.get_owner().get_id()) &&
+        ! cs_policy.verify_permission(*s->auth.identity, s->perm_mask, RGW_PERM_READ)) {
       return -EACCES;
     }
 
@@ -3450,7 +3450,7 @@ int RGWPutMetadataAccount::init_processing()
 
 int RGWPutMetadataAccount::verify_permission()
 {
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return -EACCES;
   }
 
@@ -3879,9 +3879,9 @@ int RGWCopyObj::verify_permission()
     }
 
     /* admin request overrides permission checks */
-    if (!s->auth_identity->is_admin_of(src_policy.get_owner().get_id()) &&
-        !src_policy.verify_permission(*s->auth_identity, s->perm_mask,
-                                      RGW_PERM_READ)) {
+    if (! s->auth.identity->is_admin_of(src_policy.get_owner().get_id()) &&
+        ! src_policy.verify_permission(*s->auth.identity, s->perm_mask,
+                                       RGW_PERM_READ)) {
       return -EACCES;
     }
   }
@@ -3917,9 +3917,9 @@ int RGWCopyObj::verify_permission()
   }
 
   /* admin request overrides permission checks */
-  if (!s->auth_identity->is_admin_of(dest_policy.get_owner().get_id()) &&
-      !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
-                                            RGW_PERM_WRITE)) {
+  if (! s->auth.identity->is_admin_of(dest_policy.get_owner().get_id()) &&
+      ! dest_bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
+                                             RGW_PERM_WRITE)) {
     return -EACCES;
   }
 
@@ -4372,7 +4372,7 @@ void RGWDeleteLC::execute()
 
 int RGWGetCORS::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -4394,7 +4394,7 @@ void RGWGetCORS::execute()
 
 int RGWPutCORS::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -4416,7 +4416,7 @@ void RGWPutCORS::execute()
 
 int RGWDeleteCORS::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 
@@ -4528,7 +4528,7 @@ void RGWGetRequestPayment::execute()
 
 int RGWSetRequestPayment::verify_permission()
 {
-  if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
+  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
     return -EACCES;
   }
 

diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc
index c4d2c8dfbc67cf4c1e9a197bc2a6495f7ea3de38..ebc9276d82f4c287f61988cebf6b31434de850f0 100644 (file)
--- a/src/rgw/rgw_process.cc
+++ b/src/rgw/rgw_process.cc
@@ -84,7 +84,7 @@ int rgw_process_authenticated(RGWHandler_REST * const handler,
   if (ret < 0) {
     if (s->system_request) {
       dout(2) << "overriding permissions due to system operation" << dendl;
-    } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+    } else if (s->auth.identity->is_admin_of(s->user->user_id)) {
       dout(2) << "overriding permissions due to admin operation" << dendl;
     } else {
       return ret;

diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc
index 31d8e996c667b09ee021ded9c70c523f2b709d1c..386504398fefb4f01d0a86e30ecc2d29813f6a63 100644 (file)
--- a/src/rgw/rgw_rest_role.cc
+++ b/src/rgw/rgw_rest_role.cc
@@ -28,7 +28,7 @@ void RGWRestRole::send_response()
 
 int RGWRoleRead::verify_permission()
 {
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return -EACCES;
   }
 
@@ -41,7 +41,7 @@ int RGWRoleRead::verify_permission()
 
 int RGWRoleWrite::verify_permission()
 {
-  if (s->auth_identity->is_anonymous()) {
+  if (s->auth.identity->is_anonymous()) {
     return -EACCES;
   }
 

diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc
index 3bcd7bf58bf2203cd332229af2d145ca54b5575c..e1a116999fdbbd8cc754eb66d5f4943d7da70854 100644 (file)
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -706,7 +706,7 @@ int RGWPutObj_ObjStore_SWIFT::verify_permission()
   /* We have to differentiate error codes depending on whether user is
    * anonymous (401 Unauthorized) or he doesn't have necessary permissions
    * (403 Forbidden). */
-  if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+  if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {
     return -EPERM;
   } else {
     return op_ret;
@@ -1010,7 +1010,7 @@ int RGWDeleteObj_ObjStore_SWIFT::verify_permission()
   /* We have to differentiate error codes depending on whether user is
    * anonymous (401 Unauthorized) or he doesn't have necessary permissions
    * (403 Forbidden). */
-  if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+  if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {
     return -EPERM;
   } else {
     return op_ret;
@@ -1230,7 +1230,7 @@ int RGWGetObj_ObjStore_SWIFT::verify_permission()
   /* We have to differentiate error codes depending on whether user is
    * anonymous (401 Unauthorized) or he doesn't have necessary permissions
    * (403 Forbidden). */
-  if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+  if (s->auth.identity->is_anonymous() && op_ret == -EACCES) {
     return -EPERM;
   } else {
     return op_ret;
@@ -1668,15 +1668,15 @@ bool RGWSwiftWebsiteHandler::can_be_website_req() const
   }
 
   /* We also need to handle early failures from the auth system. In such cases
-   * req_state::auth_identity may be empty. Let's treat that the same way as
+   * req_state::auth.identity may be empty. Let's treat that the same way as
    * the anonymous access. */
-  if (! s->auth_identity) {
+  if (! s->auth.identity) {
     return true;
   }
 
   /* Swift serves websites only for anonymous requests unless client explicitly
    * requested this behaviour by supplying X-Web-Mode HTTP header set to true. */
-  if (s->auth_identity->is_anonymous() || is_web_mode()) {
+  if (s->auth.identity->is_anonymous() || is_web_mode()) {
     return true;
   }