rgw: implement ipv4 aws:SourceIp condition for bucket policy

author yuliyang <yuliyang@cmss.chinamobile.com>

Mon, 27 Nov 2017 06:32:44 +0000 (14:32 +0800)

committer Adam C. Emerson <aemerson@redhat.com>

Sun, 7 Jan 2018 10:11:16 +0000 (05:11 -0500)
author yuliyang <yuliyang@cmss.chinamobile.com>
Mon, 27 Nov 2017 06:32:44 +0000 (14:32 +0800)
committer Adam C. Emerson <aemerson@redhat.com>
Sun, 7 Jan 2018 10:11:16 +0000 (05:11 -0500)
diff --git a/src/rgw/rgw_asio_client.cc b/src/rgw/rgw_asio_client.cc

index 63de2d27e757802aed3856f2badedd6d27107868..1211c8362de4f37bd8a4390b2b282ade6be7d3fc 100644 (file)
--- a/src/rgw/rgw_asio_client.cc
+++ b/src/rgw/rgw_asio_client.cc
@@ -78,6 +78,7 @@ void ClientIO::init_env(CephContext *cct)
    char port_buf[16];
    snprintf(port_buf, sizeof(port_buf), "%d", socket.local_endpoint().port());
    env.set("SERVER_PORT", port_buf);
+  env.set("REMOTE_ADDR", socket.remote_endpoint().address().to_string());
    // TODO: set SERVER_PORT_SECURE if using ssl
    // TODO: set REMOTE_USER if authenticated
  }
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc

index cff4fa493351373f482e5a40d8d22e1a82499929..745d28afffb78aab5349729e714f923b3d3e9721 100644 (file)
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1059,7 +1059,8 @@ optional<MaskedIP> Condition::as_network(const string& s) {
      return none;
    }
  
-  m.v6 = s.find(':');
+  m.v6 = (s.find(':') == string::npos) ? false : true;
+
    auto slash = s.find('/');
    if (slash == string::npos) {
      m.prefix = m.v6 ? 128 : 32;
@@ -1082,7 +1083,7 @@ optional<MaskedIP> Condition::as_network(const string& s) {
  
    if (m.v6) {
      struct sockaddr_in6 a;
-    if (inet_pton(AF_INET6, p->c_str(), static_cast<void*>(&a)) != 1) {
+    if (inet_pton(AF_INET6, p->c_str(), static_cast<void*>(&a.sin6_addr)) != 1) {
        return none;
      }
  
@@ -1104,13 +1105,13 @@ optional<MaskedIP> Condition::as_network(const string& s) {
      m.addr |= Address(a.sin6_addr.s6_addr[15]) << 120;
    } else {
      struct sockaddr_in a;
-    if (inet_pton(AF_INET, p->c_str(), static_cast<void*>(&a)) != 1) {
+    if (inet_pton(AF_INET, p->c_str(), static_cast<void*>(&a.sin_addr)) != 1) {
        return none;
      }
      m.addr = ntohl(a.sin_addr.s_addr);
    }
  
-  return none;
+  return m;
  }
  
  namespace {
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc

index e951b61cf303ff9d387856703bae9d0d856de4a6..3738dbd074f5fd47c334c60ddd8fc32bb83e74a1 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -603,7 +603,7 @@ rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store,
      e.emplace("aws:SecureTransport", "true");
    }
  
-  i = m.find("HTTP_HOST");
+  i = m.find("REMOTE_ADDR");
    if (i != m.end()) {
      e.emplace("aws:SourceIp", i->second);
    }
author	yuliyang <yuliyang@cmss.chinamobile.com>
	Mon, 27 Nov 2017 06:32:44 +0000 (14:32 +0800)
committer	Adam C. Emerson <aemerson@redhat.com>
	Sun, 7 Jan 2018 10:11:16 +0000 (05:11 -0500)
src/rgw/rgw_asio_client.cc		patch \| blob \| history
src/rgw/rgw_iam_policy.cc		patch \| blob \| history
src/rgw/rgw_op.cc		patch \| blob \| history