rgw::auth::Engine::result_t EC2Engine::authenticate(
const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t&,
const completer_factory_t& completer_factory,
/* Passthorugh only! */
const boost::string_view& signature) const;
result_t authenticate(const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t&,
const completer_factory_t& completer_factory,
const req_state* s) const override;
*
* http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
*/
-std::string get_v4_string_to_sign(CephContext* const cct,
- const boost::string_view& algorithm,
- const boost::string_view& request_date,
- const boost::string_view& credential_scope,
- const sha256_digest_t& canonreq_hash)
+AWSEngine::VersionAbstractor::string_to_sign_t
+get_v4_string_to_sign(CephContext* const cct,
+ const boost::string_view& algorithm,
+ const boost::string_view& request_date,
+ const boost::string_view& credential_scope,
+ const sha256_digest_t& canonreq_hash)
{
const auto hexed_cr_hash = buf_to_hex(canonreq_hash);
/*
* calculate the SigningKey of AWS auth version 4
*/
-sha256_digest_t get_v4_signing_key(CephContext* const cct,
- const boost::string_view& credential_scope,
- const boost::string_view& secret_access_key)
+static sha256_digest_t
+get_v4_signing_key(CephContext* const cct,
+ const boost::string_view& credential_scope,
+ const boost::string_view& secret_access_key)
{
boost::string_view date, region, service;
std::tie(date, region, service) = parse_cred_scope(credential_scope);
/*
* calculate the AWS signature version 4
-
+ *
* http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
+ *
+ * srv_signature_t is an alias over Ceph's basic_sstring. We're using
+ * it to keep everything within the stack boundaries instead of doing
+ * dynamic allocations.
*/
AWSEngine::VersionAbstractor::server_signature_t
-get_v4_signature(CephContext* const cct,
- const sha256_digest_t& signing_key,
- const boost::string_view& string_to_sign)
+get_v4_signature(const boost::string_view& credential_scope,
+ CephContext* const cct,
+ const boost::string_view& secret_key,
+ const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign)
{
+ auto signing_key = get_v4_signing_key(cct, credential_scope, secret_key);
+
/* The server-side generated digest for comparison. */
const auto digest = calc_hmac_sha256(signing_key, string_to_sign);
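Review bot: The doc comment added at L52–54 names `srv_signature_t`, but the type this function returns is `AWSEngine::VersionAbstractor::server_signature_t` (L56), so the comment points at an identifier that does not appear here; it should read `server_signature_t is an alias over Ceph's basic_sstring. We're using it to keep everything within the stack boundaries instead of doing dynamic allocations.`. The locally derived key at L65 is not modified afterwards, so `const auto signing_key = get_v4_signing_key(cct, credential_scope, secret_key);` states that and keeps the secret from being moved or reassigned by later edits. The parameter order (`credential_scope` before `cct`) looks chosen so that the `std::bind` call sites can bind the scope first and leave `cct`/`secret_key` as placeholders; a one-line comment on the signature saying so would save the next reader the cross-reference. The body of get_v4_signature continues past the end of this hunk.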
AWSEngine::VersionAbstractor::server_signature_t
get_v2_signature(CephContext* const cct,
const std::string& secret_key,
- const std::string& string_to_sign)
+ const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign)
{
if (secret_key.empty()) {
throw -EINVAL;
const boost::string_view& signed_hdrs,
const boost::string_view& request_payload_hash);
-std::string get_v4_string_to_sign(CephContext* cct,
- const boost::string_view& algorithm,
- const boost::string_view& request_date,
- const boost::string_view& credential_scope,
- const sha256_digest_t& canonreq_hash);
-
-extern sha256_digest_t
-get_v4_signing_key(CephContext* const cct,
- const boost::string_view& credential_scope,
- const boost::string_view& access_key_secret);
+AWSEngine::VersionAbstractor::string_to_sign_t
+get_v4_string_to_sign(CephContext* cct,
+ const boost::string_view& algorithm,
+ const boost::string_view& request_date,
+ const boost::string_view& credential_scope,
+ const sha256_digest_t& canonreq_hash);
extern AWSEngine::VersionAbstractor::server_signature_t
-get_v4_signature(CephContext* cct,
- const sha256_digest_t& signing_key,
- const boost::string_view& string_to_sign);
+get_v4_signature(const boost::string_view& credential_scope,
+ CephContext* const cct,
+ const boost::string_view& secret_key,
+ const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
extern AWSEngine::VersionAbstractor::server_signature_t
get_v2_signature(CephContext*,
const std::string& secret_key,
- const std::string& string_to_sign);
+ const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
} /* namespace s3 */
} /* namespace auth */
}
}
-/* srv_signature_t is an alias over Ceph's basic_sstring. We're using
- * it to keep everything within the stack boundaries instead of doing
- * dynamic allocations. */
-static inline AWSVerAbstractor::server_signature_t
-v4_signature(const boost::string_view& credential_scope,
-
- CephContext* const cct,
- const boost::string_view& secret_key,
- const boost::string_view& string_to_sign)
-{
- auto signing_key = \
- rgw::auth::s3::get_v4_signing_key(cct, credential_scope, secret_key);
-
- auto server_signature = \
- rgw::auth::s3::get_v4_signature(cct, std::move(signing_key),
- string_to_sign);
- return server_signature;
-}
-
std::tuple<AWSVerAbstractor::access_key_id_t,
AWSVerAbstractor::client_signature_t,
AWSVerAbstractor::string_to_sign_t,
credential_scope,
std::move(canonical_req_hash));
- const auto sig_factory = std::bind(v4_signature,
+ const auto sig_factory = std::bind(rgw::auth::s3::get_v4_signature,
credential_scope,
std::placeholders::_1,
std::placeholders::_2,
const boost::string_view credential_scope = credential.substr(pos + 1);
dout(10) << "credential scope = " << credential_scope << dendl;
- const auto sig_factory = std::bind(v4_signature,
+ const auto sig_factory = std::bind(rgw::auth::s3::get_v4_signature,
credential_scope,
std::placeholders::_1,
std::placeholders::_2,
}
}
+
+AWSEngine::result_t
+AWSEngine::authenticate(const req_state* const s) const
+{
+ boost::string_view access_key_id;
+ boost::string_view signature;
+ VersionAbstractor::string_to_sign_t string_to_sign;
+
+ VersionAbstractor::signature_factory_t signature_factory;
+ VersionAbstractor::completer_factory_t completer_factory;
+
+ /* Small reminder: an ver_abstractor is allowed to throw! */
+ std::tie(access_key_id,
+ signature,
+ string_to_sign,
+ signature_factory,
+ completer_factory) = ver_abstractor.get_auth_data(s);
+
+ if (access_key_id.empty() || signature.empty()) {
+ return result_t::deny(-EINVAL);
+ } else {
+ return authenticate(access_key_id, signature, string_to_sign,
+ signature_factory, completer_factory, s);
+ }
+}
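Review bot: The `else` after `return result_t::deny(-EINVAL);` at L170 is redundant; dropping it and returning `authenticate(access_key_id, signature, string_to_sign, signature_factory, completer_factory, s);` directly reads cleaner. Now that the definition lives in the .cc file rather than inline in the class, a short header comment would help, e.g. `/* Entry point for AWS-style auth: pulls the auth data out of the request through ver_abstractor, denies requests missing an access key id or a signature, and delegates to the per-engine overload. */`. If `string_to_sign_t` is a fixed-capacity sstring, as the comment on get_v4_signature suggests for the related alias, the `std::tie` assignment at L162–166 relies on `get_auth_data` honouring that bound; the existing "allowed to throw" reminder covers an overflow that throws, but this is worth confirming.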
+
} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */
rgw::auth::s3::LDAPEngine::authenticate(
const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t&,
const completer_factory_t& completer_factory,
const req_state* const s) const
rgw::auth::s3::LocalEngine::authenticate(
const boost::string_view& _access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t& signature_factory,
const completer_factory_t& completer_factory,
const req_state* const s) const
#include <mutex>
#include <boost/utility/string_view.hpp>
+#include <boost/container/static_vector.hpp>
#include "common/backport14.h"
#include "common/sstring.hh"
using signature_factory_t = \
std::function<server_signature_t(CephContext* cct,
const std::string& secret_key,
- const std::string& string_to_sign)>;
+ const string_to_sign_t& string_to_sign)>;
/* Return an instance of Completer for verifying the payload's fingerprint
* if necessary. Otherwise caller gets nullptr. Caller may provide secret
}
using result_t = rgw::auth::Engine::result_t;
+ using string_to_sign_t = VersionAbstractor::string_to_sign_t;
using signature_factory_t = VersionAbstractor::signature_factory_t;
using completer_factory_t = VersionAbstractor::completer_factory_t;
* Replace these thing with a simple, dedicated structure. */
virtual result_t authenticate(const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t& signature_factory,
const completer_factory_t& completer_factory,
const req_state* s) const = 0;
public:
- result_t authenticate(const req_state* const s) const final {
- boost::string_view access_key_id;
- boost::string_view signature;
- std::string string_to_sign;
-
- VersionAbstractor::signature_factory_t signature_factory;
- VersionAbstractor::completer_factory_t completer_factory;
-
- /* Small reminder: an ver_abstractor is allowed to throw! */
- std::tie(access_key_id,
- signature,
- string_to_sign,
- signature_factory,
- completer_factory) = ver_abstractor.get_auth_data(s);
-
- if (access_key_id.empty() || signature.empty()) {
- return result_t::deny(-EINVAL);
- } else {
- return authenticate(access_key_id, signature, string_to_sign,
- signature_factory, completer_factory, s);
- }
- }
+ result_t authenticate(const req_state* const s) const final;
};
+
class AWSGeneralAbstractor : public AWSEngine::VersionAbstractor {
CephContext* const cct;
result_t authenticate(const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t&,
const completer_factory_t& completer_factory,
const req_state* s) const override;
result_t authenticate(const boost::string_view& access_key_id,
const boost::string_view& signature,
- const std::string& string_to_sign,
+ const string_to_sign_t& string_to_sign,
const signature_factory_t& signature_factory,
const completer_factory_t& completer_factory,
const req_state* s) const override;