cerr << "ERROR: assume role policy document is empty" << std::endl;
return -EINVAL;
}
- bufferlist bl = bufferlist::static_from_string(assume_role_doc);
try {
const rgw::IAM::Policy p(
- g_ceph_context, tenant, bl,
+ g_ceph_context, tenant, assume_role_doc,
g_ceph_context->_conf.get_val<bool>(
"rgw_policy_reject_invalid_principals"));
} catch (rgw::IAM::PolicyParseException& e) {
return -EINVAL;
}
- bufferlist bl = bufferlist::static_from_string(assume_role_doc);
try {
- const rgw::IAM::Policy p(g_ceph_context, tenant, bl,
+ const rgw::IAM::Policy p(g_ceph_context, tenant, assume_role_doc,
g_ceph_context->_conf.get_val<bool>(
"rgw_policy_reject_invalid_principals"));
} catch (rgw::IAM::PolicyParseException& e) {
return -EINVAL;
}
- bufferlist bl;
if (!infile.empty()) {
+ bufferlist bl;
int ret = read_input(infile, bl);
if (ret < 0) {
cerr << "ERROR: failed to read input policy document: " << cpp_strerror(-ret) << std::endl;
return -ret;
}
perm_policy_doc = bl.to_str();
- } else {
- bl = bufferlist::static_from_string(perm_policy_doc);
}
try {
- const rgw::IAM::Policy p(g_ceph_context, tenant, bl,
+ const rgw::IAM::Policy p(g_ceph_context, tenant, perm_policy_doc,
g_ceph_context->_conf.get_val<bool>(
"rgw_policy_reject_invalid_principals"));
} catch (rgw::IAM::PolicyParseException& e) {
void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const
{
- for (auto it: role.role_policies) {
+ for (const auto& policy : role.role_policies) {
try {
- bufferlist bl = bufferlist::static_from_string(it);
- const rgw::IAM::Policy p(s->cct, role.tenant, bl, false);
+ const rgw::IAM::Policy p(s->cct, role.tenant, policy, false);
s->iam_user_policies.push_back(std::move(p));
} catch (rgw::IAM::PolicyParseException& e) {
//Control shouldn't reach here as the policy has already been
if (!this->token_attrs.token_policy.empty()) {
try {
string policy = this->token_attrs.token_policy;
- bufferlist bl = bufferlist::static_from_string(policy);
- const rgw::IAM::Policy p(s->cct, role.tenant, bl, false);
+ const rgw::IAM::Policy p(s->cct, role.tenant, policy, false);
s->session_policies.push_back(std::move(p));
} catch (rgw::IAM::PolicyParseException& e) {
//Control shouldn't reach here as the policy has already been
}
Policy::Policy(CephContext* cct, const string& tenant,
- const bufferlist& _text,
+ std::string _text,
bool reject_invalid_principals)
- : text(_text.to_str()) {
+ : text(std::move(_text)) {
StringStream ss(text.data());
PolicyParser pp(cct, tenant, *this, reject_invalid_principals);
auto pr = Reader{}.Parse<kParseNumbersAsStringsFlag |
// be false when reading a stored bucket policy so as not to break
// backwards configuration.
Policy(CephContext* cct, const std::string& tenant,
- const bufferlist& text,
+ std::string text,
bool reject_invalid_principals);
Effect eval(const Environment& e,
}
-static boost::optional<Policy> get_iam_policy_from_attr(CephContext* cct,
- map<string, bufferlist>& attrs,
- const string& tenant) {
- auto i = attrs.find(RGW_ATTR_IAM_POLICY);
- if (i != attrs.end()) {
- return Policy(cct, tenant, i->second, false);
+static boost::optional<Policy>
+get_iam_policy_from_attr(CephContext* cct,
+ const map<string, bufferlist>& attrs,
+ const string& tenant)
+{
+ if (auto i = attrs.find(RGW_ATTR_IAM_POLICY); i != attrs.end()) {
+ return Policy(cct, tenant, i->second.to_str(), false);
} else {
return none;
}
}
vector<Policy> get_iam_user_policy_from_attr(CephContext* cct,
- map<string, bufferlist>& attrs,
+ const map<string, bufferlist>& attrs,
const string& tenant) {
vector<Policy> policies;
- if (auto it = attrs.find(RGW_ATTR_USER_POLICY); it != attrs.end()) {
- bufferlist out_bl = attrs[RGW_ATTR_USER_POLICY];
- map<string, string> policy_map;
- decode(policy_map, out_bl);
- for (auto& it : policy_map) {
- bufferlist bl = bufferlist::static_from_string(it.second);
- Policy p(cct, tenant, bl, false);
- policies.push_back(std::move(p));
- }
+ if (auto bl = attrs.find(RGW_ATTR_USER_POLICY); bl != attrs.end()) {
+ map<string, string> policy_map;
+ decode(policy_map, bl->second);
+ for (const auto& [name, policy] : policy_map) {
+ policies.emplace_back(cct, tenant, policy, false);
+ }
}
return policies;
}
try {
const Policy p(
- s->cct, s->bucket_tenant, data,
+ s->cct, s->bucket_tenant, data.to_str(),
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
rgw::sal::Attrs attrs(s->bucket_attrs);
if (s->bucket_access_conf &&
extern void rgw_build_iam_environment(rgw::sal::Driver* driver,
req_state* s);
extern std::vector<rgw::IAM::Policy> get_iam_user_policy_from_attr(CephContext* cct,
- std::map<std::string, bufferlist>& attrs,
+ const std::map<std::string, bufferlist>& attrs,
const std::string& tenant);
inline int get_system_versioning_params(req_state *s,
bl.append(in);
try {
auto p = rgw::IAM::Policy(
- cct, tenant, bl,
+ cct, tenant, bl.to_str(),
cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
} catch (const rgw::IAM::PolicyParseException& e) {
std::cerr << fname << ": " << e.what() << std::endl;
}
std::optional<rgw::IAM::Policy> get_policy_from_text(req_state* const s,
- std::string& policy_text) {
- const auto bl = bufferlist::static_from_string(policy_text);
+ const std::string& policy_text) {
try {
return rgw::IAM::Policy(
- s->cct, s->auth.identity->get_tenant(), bl,
+ s->cct, s->auth.identity->get_tenant(), policy_text,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
} catch (rgw::IAM::PolicyParseException& e) {
ldout(s->cct, 1) << "failed to parse policy: '" << policy_text
s->err.message = "Topic was created by another user.";
return -EACCES;
}
- // bufferlist::static_from_string wants non const string
- std::string policy_text(topic.policy_text);
- const auto p = get_policy_from_text(s, policy_text);
+ const auto p = get_policy_from_text(s, topic.policy_text);
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
const rgw::ARN arn(rgw::Partition::aws, rgw::Service::sns, zonegroup_name,
s->user->get_tenant(), topic.name);
s->err.message = "Missing required element AssumeRolePolicyDocument";
return -EINVAL;
}
- bufferlist bl = bufferlist::static_from_string(trust_policy);
try {
const rgw::IAM::Policy p(
- s->cct, s->user->get_tenant(), bl,
+ s->cct, s->user->get_tenant(), trust_policy,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
}
catch (rgw::IAM::PolicyParseException& e) {
s->err.message = "Missing required element PolicyDocument";
return -EINVAL;
}
- bufferlist bl = bufferlist::static_from_string(perm_policy);
try {
const rgw::IAM::Policy p(
- s->cct, s->user->get_tenant(), bl,
+ s->cct, s->user->get_tenant(), perm_policy,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
}
catch (rgw::IAM::PolicyParseException& e) {
return ret;
}
string policy = role->get_assume_role_policy();
- buffer::list bl = buffer::list::static_from_string(policy);
//Parse the policy
//TODO - This step should be part of Role Creation
try {
- const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), bl, false);
+ const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), policy, false);
if (!s->principal_tags.empty()) {
auto res = p.eval(s->env, *s->auth.identity, rgw::IAM::stsTagSession, boost::none);
if (res != rgw::IAM::Effect::Allow) {
}
if (! policy.empty()) {
- bufferlist bl = bufferlist::static_from_string(policy);
try {
const rgw::IAM::Policy p(
- s->cct, s->user->get_tenant(), bl,
+ s->cct, s->user->get_tenant(), policy,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
}
catch (rgw::IAM::PolicyParseException& e) {
}
if (! policy.empty()) {
- bufferlist bl = bufferlist::static_from_string(policy);
try {
const rgw::IAM::Policy p(
- s->cct, s->user->get_tenant(), bl,
+ s->cct, s->user->get_tenant(), policy,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
}
catch (rgw::IAM::PolicyParseException& e) {
void RGWPutUserPolicy::execute(optional_yield y)
{
- bufferlist bl = bufferlist::static_from_string(policy);
-
op_ret = rgw_forward_request_to_master(this, *s->penv.site, s->user->get_id(),
nullptr, nullptr, s->info, y);
if (op_ret < 0) {
try {
const rgw::IAM::Policy p(
- s->cct, s->user->get_tenant(), bl,
+ s->cct, s->user->get_tenant(), policy,
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
std::map<std::string, std::string> policies;
if (auto it = user->get_attrs().find(RGW_ATTR_USER_POLICY); it != user->get_attrs().end()) {
TEST_F(PolicyTest, Parse1) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example1),
- true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example1, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example1);
}
TEST_F(PolicyTest, Eval1) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example1), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example1, true);
Environment e;
ARN arn1(Partition::aws, Service::s3,
TEST_F(PolicyTest, Parse2) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example2),
- true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example2, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example2);
}
TEST_F(PolicyTest, Eval2) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example2), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example2, true);
Environment e;
auto trueacct = FakeIdentity(
TEST_F(PolicyTest, Parse3) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example3), true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example3, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example3);
}
TEST_F(PolicyTest, Eval3) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example3), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example3, true);
Environment em;
Environment tr = { { "aws:MultiFactorAuthPresent", "true" } };
Environment fa = { { "aws:MultiFactorAuthPresent", "false" } };
TEST_F(PolicyTest, Parse4) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example4), true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example4, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example4);
}
TEST_F(PolicyTest, Eval4) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example4), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example4, true);
Environment e;
ARN arn1(Partition::aws, Service::iam,
TEST_F(PolicyTest, Parse5) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example5), true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example5, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example5);
EXPECT_EQ(p->version, Version::v2012_10_17);
}
TEST_F(PolicyTest, Eval5) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example5), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example5, true);
Environment e;
ARN arn1(Partition::aws, Service::iam,
TEST_F(PolicyTest, Parse6) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example6), true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example6, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example6);
EXPECT_EQ(p->version, Version::v2012_10_17);
}
TEST_F(PolicyTest, Eval6) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example6), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example6, true);
Environment e;
ARN arn1(Partition::aws, Service::iam,
TEST_F(PolicyTest, Parse7) {
boost::optional<Policy> p;
- ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example7), true));
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant, example7, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, example7);
}
TEST_F(PolicyTest, Eval7) {
- auto p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(example7), true);
+ auto p = Policy(cct.get(), arbitrary_tenant, example7, true);
Environment e;
auto subacct = FakeIdentity(
boost::optional<Policy> p;
ASSERT_NO_THROW(
- p = Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(ip_address_full_example), true));
+ p = Policy(cct.get(), arbitrary_tenant, ip_address_full_example, true));
ASSERT_TRUE(p);
EXPECT_EQ(p->text, ip_address_full_example);
TEST_F(IPPolicyTest, EvalIPAddress) {
auto allowp =
- Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(ip_address_allow_example), true);
+ Policy(cct.get(), arbitrary_tenant, ip_address_allow_example, true);
auto denyp =
- Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(ip_address_deny_example), true);
+ Policy(cct.get(), arbitrary_tenant, ip_address_deny_example, true);
auto fullp =
- Policy(cct.get(), arbitrary_tenant,
- bufferlist::static_from_string(ip_address_full_example), true);
+ Policy(cct.get(), arbitrary_tenant, ip_address_full_example, true);
Environment e;
Environment allowedIP, blocklistedIP, allowedIPv6, blocklistedIPv6;
allowedIP.emplace("aws:SourceIp","192.168.1.2");
projects / ceph-ci.git / commitdiff