}
rgw::auth::Engine::result_t
-rgw::auth::Strategy::authenticate(const req_state* const s) const
+rgw::auth::Strategy::authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const
{
result_t strategy_result = result_t::deny();
const rgw::auth::Engine& engine = kv.first;
const auto& policy = kv.second;
- dout(20) << get_name() << ": trying " << engine.get_name() << dendl;
+ ldpp_dout(dpp, 20) << get_name() << ": trying " << engine.get_name() << dendl;
result_t engine_result = result_t::deny();
try {
- engine_result = engine.authenticate(s);
+ engine_result = engine.authenticate(dpp, s);
} catch (const int err) {
engine_result = result_t::deny(err);
}
bool try_next = true;
switch (engine_result.get_status()) {
case result_t::Status::REJECTED: {
- dout(20) << engine.get_name() << " rejected with reason="
+ ldpp_dout(dpp, 20) << engine.get_name() << " rejected with reason="
<< engine_result.get_reason() << dendl;
std::tie(try_next, strategy_result) = \
break;
}
case result_t::Status::DENIED: {
- dout(20) << engine.get_name() << " denied with reason="
+ ldpp_dout(dpp, 20) << engine.get_name() << " denied with reason="
<< engine_result.get_reason() << dendl;
std::tie(try_next, strategy_result) = \
break;
}
case result_t::Status::GRANTED: {
- dout(20) << engine.get_name() << " granted access" << dendl;
+ ldpp_dout(dpp, 20) << engine.get_name() << " granted access" << dendl;
std::tie(try_next, strategy_result) = \
strategy_handle_granted(std::move(engine_result), policy,
req_state* const s) noexcept
{
try {
- auto result = auth_strategy.authenticate(s);
+ auto result = auth_strategy.authenticate(dpp, s);
if (result.get_status() != decltype(result)::Status::GRANTED) {
/* Access denied is acknowledged by returning a std::unique_ptr with
* nullptr inside. */
}
rgw::auth::Engine::result_t
-rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
+rgw::auth::AnonymousEngine::authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const
{
if (! is_applicable(s)) {
return result_t::deny(-EPERM);
* interface.
*
* On error throws rgw::auth::Exception containing the reason. */
- virtual result_t authenticate(const req_state* s) const = 0;
+ virtual result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s) const = 0;
};
FALLBACK,
};
- Engine::result_t authenticate(const req_state* s) const override final;
+ Engine::result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s) const override final;
bool is_empty() const {
return auth_stack.empty();
return "rgw::auth::AnonymousEngine";
}
- Engine::result_t authenticate(const req_state* s) const override final;
+ Engine::result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s) const override final;
protected:
virtual bool is_applicable(const req_state*) const noexcept {
}
TokenEngine::result_t
-TokenEngine::authenticate(const std::string& token,
+TokenEngine::authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* const s) const
{
boost::optional<TokenEngine::token_envelope_t> t;
/* Token ID is a concept that makes dealing with PKI tokens more effective.
* Instead of storing several kilobytes, a short hash can be burried. */
const auto& token_id = rgw_get_token_id(token);
- ldout(cct, 20) << "token_id=" << token_id << dendl;
+ ldpp_dout(dpp, 20) << "token_id=" << token_id << dendl;
/* Check cache first. */
t = token_cache.find(token_id);
if (t) {
- ldout(cct, 20) << "cached token.project.id=" << t->get_project_id()
+ ldpp_dout(dpp, 20) << "cached token.project.id=" << t->get_project_id()
<< dendl;
auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t),
get_creds_info(*t, roles.admin));
/* Verify expiration. */
if (t->expired()) {
- ldout(cct, 0) << "got expired token: " << t->get_project_name()
+ ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name()
<< ":" << t->get_user_name()
<< " expired: " << t->get_expires() << dendl;
return result_t::deny(-EPERM);
/* Check for necessary roles. */
for (const auto& role : roles.plain) {
if (t->has_role(role) == true) {
- ldout(cct, 0) << "validated token: " << t->get_project_name()
+ ldpp_dout(dpp, 0) << "validated token: " << t->get_project_name()
<< ":" << t->get_user_name()
<< " expires: " << t->get_expires() << dendl;
token_cache.add(token_id, *t);
}
}
- ldout(cct, 0) << "user does not hold a matching role; required roles: "
+ ldpp_dout(dpp, 0) << "user does not hold a matching role; required roles: "
<< g_conf()->rgw_keystone_accepted_roles << dendl;
return result_t::deny(-EPERM);
}
rgw::auth::Engine::result_t EC2Engine::authenticate(
+ const DoutPrefixProvider* dpp,
const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
/* Verify expiration. */
if (t->expired()) {
- ldout(cct, 0) << "got expired token: " << t->get_project_name()
+ ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name()
<< ":" << t->get_user_name()
<< " expired: " << t->get_expires() << dendl;
return result_t::deny();
}
if (! found) {
- ldout(cct, 5) << "s3 keystone: user does not hold a matching role;"
+ ldpp_dout(dpp, 5) << "s3 keystone: user does not hold a matching role;"
" required roles: "
<< cct->_conf->rgw_keystone_accepted_roles << dendl;
return result_t::deny();
} else {
/* everything seems fine, continue with this user */
- ldout(cct, 5) << "s3 keystone: validated token: " << t->get_project_name()
+ ldpp_dout(dpp, 5) << "s3 keystone: validated token: " << t->get_project_name()
<< ":" << t->get_user_name()
<< " expires: " << t->get_expires() << dendl;
auth_info_t get_creds_info(const token_envelope_t& token,
const std::vector<std::string>& admin_roles
) const noexcept;
- result_t authenticate(const std::string& token,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* s) const;
public:
return "rgw::auth::keystone::TokenEngine";
}
- result_t authenticate(const req_state* const s) const override {
- return authenticate(extractor->get_token(s), s);
+ result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
+ return authenticate(dpp, extractor->get_token(s), s);
}
}; /* class TokenEngine */
get_from_keystone(const boost::string_view& access_key_id,
const std::string& string_to_sign,
const boost::string_view& signature) const;
- result_t authenticate(const boost::string_view& access_key_id,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
const string_to_sign_t& string_to_sign,
}
AWSEngine::result_t
-AWSEngine::authenticate(const req_state* const s) const
+AWSEngine::authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const
{
/* Small reminder: an ver_abstractor is allowed to throw! */
const auto auth_data = ver_abstractor.get_auth_data(s);
if (auth_data.access_key_id.empty() || auth_data.client_signature.empty()) {
return result_t::deny(-EINVAL);
} else {
- return authenticate(auth_data.access_key_id,
+ return authenticate(dpp,
+ auth_data.access_key_id,
auth_data.client_signature,
auth_data.session_token,
auth_data.string_to_sign,
rgw::auth::Engine::result_t
rgw::auth::s3::LDAPEngine::authenticate(
+ const DoutPrefixProvider* dpp,
const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
user_info.user_id = base64_token.id;
if (rgw_get_user_info_by_uid(store, user_info.user_id, user_info) >= 0) {
if (user_info.type != TYPE_LDAP) {
- ldout(cct, 10) << "ERROR: User id of type: " << user_info.type << " is already present" << dendl;
+ ldpp_dout(dpp, 10) << "ERROR: User id of type: " << user_info.type << " is already present" << dendl;
return nullptr;
}
}*/
/* LocalEngine */
rgw::auth::Engine::result_t
rgw::auth::s3::LocalEngine::authenticate(
+ const DoutPrefixProvider* dpp,
const boost::string_view& _access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
/* TODO(rzarzynski): we need to have string-view taking variant. */
const std::string access_key_id = _access_key_id.to_string();
if (rgw_get_user_info_by_access_key(store, access_key_id, user_info) < 0) {
- ldpp_dout(s, 5) << "error reading user info, uid=" << access_key_id
+ ldpp_dout(dpp, 5) << "error reading user info, uid=" << access_key_id
<< " can't authenticate" << dendl;
return result_t::deny(-ERR_INVALID_ACCESS_KEY);
}
//TODO: Uncomment, when we have a migration plan in place.
/*else {
if (s->user->type != TYPE_RGW) {
- ldout(cct, 10) << "ERROR: User id of type: " << s->user->type
+ ldpp_dout(dpp, 10) << "ERROR: User id of type: " << s->user->type
<< " is present" << dendl;
throw -EPERM;
}
const auto iter = user_info.access_keys.find(access_key_id);
if (iter == std::end(user_info.access_keys)) {
- ldpp_dout(s, 0) << "ERROR: access key not encoded in user info" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: access key not encoded in user info" << dendl;
return result_t::deny(-EPERM);
}
const RGWAccessKey& k = iter->second;
signature_factory(cct, k.key, string_to_sign);
auto compare = signature.compare(server_signature);
- ldout(cct, 15) << "string_to_sign="
+ ldpp_dout(dpp, 15) << "string_to_sign="
<< rgw::crypt_sanitize::log_content{string_to_sign}
<< dendl;
- ldout(cct, 15) << "server signature=" << server_signature << dendl;
- ldout(cct, 15) << "client signature=" << signature << dendl;
- ldout(cct, 15) << "compare=" << compare << dendl;
+ ldpp_dout(dpp, 15) << "server signature=" << server_signature << dendl;
+ ldpp_dout(dpp, 15) << "client signature=" << signature << dendl;
+ ldpp_dout(dpp, 15) << "compare=" << compare << dendl;
if (compare != 0) {
return result_t::deny(-ERR_SIGNATURE_NO_MATCH);
/* TODO(rzarzynski): clean up. We've too many input parameter hee. Also
* the signature get_auth_data() of VersionAbstractor is too complicated.
* Replace these thing with a simple, dedicated structure. */
- virtual result_t authenticate(const boost::string_view& access_key_id,
+ virtual result_t authenticate(const DoutPrefixProvider* dpp,
+ const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
const string_to_sign_t& string_to_sign,
const req_state* s) const = 0;
public:
- result_t authenticate(const req_state* const s) const final;
+ result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const final;
};
acl_strategy_t get_acl_strategy() const;
auth_info_t get_creds_info(const rgw::RGWToken& token) const noexcept;
- result_t authenticate(const boost::string_view& access_key_id,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
const string_to_sign_t& string_to_sign,
RGWRados* const store;
const rgw::auth::LocalApplier::Factory* const apl_factory;
- result_t authenticate(const boost::string_view& access_key_id,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
const string_to_sign_t& string_to_sign,
}; /* TempURLEngine::PrefixableSignatureHelper */
TempURLEngine::result_t
-TempURLEngine::authenticate(const req_state* const s) const
+TempURLEngine::authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const
{
if (! is_applicable(s)) {
return result_t::deny();
try {
get_owner_info(s, owner_info);
} catch (...) {
- ldout(cct, 5) << "cannot get user_info of account's owner" << dendl;
+ ldpp_dout(dpp, 5) << "cannot get user_info of account's owner" << dendl;
return result_t::reject();
}
if (owner_info.temp_url_keys.empty()) {
- ldout(cct, 5) << "user does not have temp url key set, aborting" << dendl;
+ ldpp_dout(dpp, 5) << "user does not have temp url key set, aborting" << dendl;
return result_t::reject();
}
if (is_expired(temp_url_expires)) {
- ldout(cct, 5) << "temp url link expired" << dendl;
+ ldpp_dout(dpp, 5) << "temp url link expired" << dendl;
return result_t::reject(-EPERM);
}
const char* const local_sig = sig_helper.calc(temp_url_key, method,
path, temp_url_expires);
- ldout(s->cct, 20) << "temp url signature [" << temp_url_key_num
+ ldpp_dout(dpp, 20) << "temp url signature [" << temp_url_key_num
<< "] (calculated): " << local_sig
<< dendl;
auto apl = apl_factory->create_apl_turl(cct, s, owner_info);
return result_t::grant(std::move(apl));
} else {
- ldout(s->cct, 5) << "temp url signature mismatch: " << local_sig
+ ldpp_dout(dpp, 5) << "temp url signature mismatch: " << local_sig
<< " != " << temp_url_sig << dendl;
}
}
}
ExternalTokenEngine::result_t
-ExternalTokenEngine::authenticate(const std::string& token,
+ExternalTokenEngine::authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* const s) const
{
if (! is_applicable(token)) {
RGWHTTPHeadersCollector validator(cct, "GET", url_buf, { "X-Auth-Groups", "X-Auth-Ttl" });
- ldout(cct, 10) << "rgw_swift_validate_token url=" << url_buf << dendl;
+ ldpp_dout(dpp, 10) << "rgw_swift_validate_token url=" << url_buf << dendl;
int ret = validator.process();
if (ret < 0) {
return result_t::deny(-EPERM);
}
- ldout(cct, 10) << "swift user=" << swift_user << dendl;
+ ldpp_dout(dpp, 10) << "swift user=" << swift_user << dendl;
RGWUserInfo tmp_uinfo;
ret = rgw_get_user_info_by_swift(store, swift_user, tmp_uinfo);
if (ret < 0) {
- ldout(cct, 0) << "NOTICE: couldn't map swift user" << dendl;
+ ldpp_dout(dpp, 0) << "NOTICE: couldn't map swift user" << dendl;
throw ret;
}
}
SignedTokenEngine::result_t
-SignedTokenEngine::authenticate(const std::string& token,
+SignedTokenEngine::authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* const s) const
{
if (! is_applicable(token)) {
const size_t etoken_len = etoken.length();
if (etoken_len & 1) {
- ldout(cct, 0) << "NOTICE: failed to verify token: odd token length="
+ ldpp_dout(dpp, 0) << "NOTICE: failed to verify token: odd token length="
<< etoken_len << dendl;
throw -EINVAL;
}
decode(nonce, iter);
decode(expiration, iter);
} catch (buffer::error& err) {
- ldout(cct, 0) << "NOTICE: failed to decode token" << dendl;
+ ldpp_dout(dpp, 0) << "NOTICE: failed to decode token" << dendl;
throw -EINVAL;
}
const utime_t now = ceph_clock_now();
if (expiration < now) {
- ldout(cct, 0) << "NOTICE: old timed out token was used now=" << now
+ ldpp_dout(dpp, 0) << "NOTICE: old timed out token was used now=" << now
<< " token.expiration=" << expiration
<< dendl;
return result_t::deny(-EPERM);
throw ret;
}
- ldout(cct, 10) << "swift_user=" << swift_user << dendl;
+ ldpp_dout(dpp, 10) << "swift_user=" << swift_user << dendl;
const auto siter = user_info.swift_keys.find(swift_user);
if (siter == std::end(user_info.swift_keys)) {
}
if (local_tok_bl.length() != tok_bl.length()) {
- ldout(cct, 0) << "NOTICE: tokens length mismatch:"
+ ldpp_dout(dpp, 0) << "NOTICE: tokens length mismatch:"
<< " tok_bl.length()=" << tok_bl.length()
<< " local_tok_bl.length()=" << local_tok_bl.length()
<< dendl;
buf_to_hex(reinterpret_cast<const unsigned char *>(local_tok_bl.c_str()),
local_tok_bl.length(), buf);
- ldout(cct, 0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
+ ldpp_dout(dpp, 0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
return result_t::deny(-EPERM);
}
return "rgw::auth::swift::TempURLEngine";
}
- result_t authenticate(const req_state* const s) const override;
+ result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override;
};
const rgw::auth::LocalApplier::Factory* const apl_factory;
bool is_applicable(const std::string& token) const noexcept;
- result_t authenticate(const std::string& token,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* s) const;
public:
return "rgw::auth::swift::SignedTokenEngine";
}
- result_t authenticate(const req_state* const s) const override {
- return authenticate(extractor->get_token(s), s);
+ result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
+ return authenticate(dpp, extractor->get_token(s), s);
}
};
const rgw::auth::LocalApplier::Factory* const apl_factory;
bool is_applicable(const std::string& token) const noexcept;
- result_t authenticate(const std::string& token,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const std::string& token,
const req_state* s) const;
public:
return "rgw::auth::swift::ExternalTokenEngine";
}
- result_t authenticate(const req_state* const s) const override {
- return authenticate(extractor->get_token(s), s);
+ result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
+ return authenticate(dpp, extractor->get_token(s), s);
}
};
projects / ceph.git / commitdiff