From: Radoslaw Zarzynski Date: Tue, 6 Jun 2017 19:15:29 +0000 (+0200) Subject: rgw: introduce rgw::auth::Strategy::apply() to deduplicate code. X-Git-Tag: v12.1.0~155^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=bd81c216d0ef36a66c27180f13430c9702393fb6;p=ceph.git rgw: introduce rgw::auth::Strategy::apply() to deduplicate code. Signed-off-by: Radoslaw Zarzynski --- diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index c63db0ccec53..2a18afb8afe4 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -252,6 +252,54 @@ rgw::auth::Strategy::authenticate(const req_state* const s) const return strategy_result; } +int +rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy, + req_state* const s) noexcept +{ + try { + auto result = auth_strategy.authenticate(s); + if (result.get_status() != decltype(result)::Status::GRANTED) { + /* Access denied is acknowledged by returning a std::unique_ptr with + * nullptr inside. */ + ldout(s->cct, 5) << "Failed the auth strategy, reason=" + << result.get_reason() << dendl; + return result.get_reason(); + } + + try { + rgw::auth::IdentityApplier::aplptr_t applier = result.get_applier(); + rgw::auth::Completer::cmplptr_t completer = result.get_completer(); + + /* Account used by a given RGWOp is decoupled from identity employed + * in the authorization phase (RGWOp::verify_permissions). */ + applier->load_acct_info(*s->user); + s->perm_mask = applier->get_perm_mask(); + + /* This is the signle place where we pass req_state as a pointer + * to non-const and thus its modification is allowed. In the time + * of writing only RGWTempURLEngine needed that feature. */ + applier->modify_request_state(s); + if (completer) { + completer->modify_request_state(s); + } + + s->auth.identity = std::move(applier); + s->auth.completer = std::move(completer); + + return 0; + } catch (const int err) { + ldout(s->cct, 5) << "applier throwed err=" << err << dendl; + return err; + } + } catch (const int err) { + ldout(s->cct, 5) << "auth engine throwed err=" << err << dendl; + return err; + } + + /* We never should be here. */ + return -EPERM; +} + void rgw::auth::Strategy::add_engine(const Control ctrl_flag, const Engine& engine) noexcept diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index e38baf31dc00..168498d03331 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -323,6 +323,8 @@ public: return auth_stack.empty(); } + static int apply(const Strategy& auth_strategy, req_state* s) noexcept; + private: /* Using the reference wrapper here to explicitly point out we are not * interested in storing nulls while preserving the dynamic polymorphism. */ diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index c79e4e7ff8c1..84a800daf771 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1564,43 +1564,16 @@ int RGWPostObj_ObjStore_S3::get_policy() /* FIXME: this is a makeshift solution. The browser upload authentication will be * handled by an instance of rgw::auth::Completer spawned in Handler's authorize() * method. */ - const auto& strategy = auth_registry_ptr->get_s3_post(); - try { - auto result = strategy.authenticate(s); - if (result.get_status() != decltype(result)::Status::GRANTED) { - return -EACCES; - } - - try { - auto applier = result.get_applier(); - auto completer = result.get_completer(); - - applier->load_acct_info(*s->user); - s->perm_mask = applier->get_perm_mask(); - - /* This is the signle place where we pass req_state as a pointer - * to non-const and thus its modification is allowed. In the time - * of writing only RGWTempURLEngine needed that feature. */ - applier->modify_request_state(s); - if (completer) { - completer->modify_request_state(s); - } - - s->auth.identity = std::move(applier); - s->auth.completer = std::move(completer); - - s->owner.set_id(s->user->user_id); - s->owner.set_name(s->user->display_name); - /* OK, fall through. */ - } catch (int err) { - return -EACCES; - } - } catch (int err) { + const int ret = rgw::auth::Strategy::apply(auth_registry_ptr->get_s3_post(), s); + if (ret != 0) { return -EACCES; + } else { + /* Populate the owner info. */ + s->owner.set_id(s->user->user_id); + s->owner.set_name(s->user->display_name); + ldout(s->cct, 0) << "Successful Signature Verification!" << dendl; } - ldout(s->cct, 0) << "Successful Signature Verification!" << dendl; - ceph::bufferlist decoded_policy; try { decoded_policy.decode_base64(s->auth.s3_postobj_creds.encoded_policy); @@ -3192,48 +3165,13 @@ int RGW_Auth_S3::authorize_v2(RGWRados* const store, const rgw::auth::StrategyRegistry& auth_registry, struct req_state* const s) { - const auto& auth_strategy = auth_registry.get_s3_main(); - try { - auto result = auth_strategy.authenticate(s); - if (result.get_status() != decltype(result)::Status::GRANTED) { - ldout(s->cct, 5) << "Failed the S3 auth strategy, reason=" - << result.get_reason() << dendl; - return result.get_reason(); - } - try { - auto applier = result.get_applier(); - auto completer = result.get_completer(); - - applier->load_acct_info(*s->user); - s->perm_mask = applier->get_perm_mask(); - - /* This is the signle place where we pass req_state as a pointer - * to non-const and thus its modification is allowed. In the time - * of writing only RGWTempURLEngine needed that feature. */ - applier->modify_request_state(s); - if (completer) { - completer->modify_request_state(s); - } - - s->auth.identity = std::move(applier); - s->auth.completer = std::move(completer); - - /* Populate the owner info. */ - s->owner.set_id(s->user->user_id); - s->owner.set_name(s->user->display_name); - - /* Success - not throwed. */ - return 0; - } catch (const int err) { - ldout(s->cct, 5) << "applier threw err=" << err << dendl; - return err; - } - } catch (const int err) { - ldout(s->cct, 5) << "local auth engine threw err=" << err << dendl; - return err; + const auto ret = rgw::auth::Strategy::apply(auth_registry.get_s3_main(), s); + if (ret == 0) { + /* Populate the owner info. */ + s->owner.set_id(s->user->user_id); + s->owner.set_name(s->user->display_name); } - - return -ERR_SIGNATURE_NO_MATCH; + return ret; } int RGWHandler_Auth_S3::init(RGWRados *store, struct req_state *state, diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index 8061364e14fb..f5ee94801b62 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -2471,49 +2471,7 @@ RGWOp *RGWHandler_REST_Obj_SWIFT::op_options() int RGWHandler_REST_SWIFT::authorize() { - try { - auto result = auth_strategy.authenticate(s); - - if (result.get_status() != decltype(result)::Status::GRANTED) { - /* Access denied is acknowledged by returning a std::unique_ptr with - * nullptr inside. */ - ldout(s->cct, 5) << "auth engine refused to authenicate" << dendl; - return -EPERM; - } - - try { - rgw::auth::IdentityApplier::aplptr_t applier = result.get_applier(); - rgw::auth::Completer::cmplptr_t completer = result.get_completer(); - - /* Account used by a given RGWOp is decoupled from identity employed - * in the authorization phase (RGWOp::verify_permissions). */ - applier->load_acct_info(*s->user); - s->perm_mask = applier->get_perm_mask(); - - /* This is the signle place where we pass req_state as a pointer - * to non-const and thus its modification is allowed. In the time - * of writing only RGWTempURLEngine needed that feature. */ - applier->modify_request_state(s); - if (completer) { - completer->modify_request_state(s); - } - - s->auth.identity = std::move(applier); - s->auth.completer = std::move(completer); - - return 0; - } catch (int err) { - ldout(s->cct, 5) << "applier throwed err=" << err << dendl; - return err; - } - } catch (int err) { - ldout(s->cct, 5) << "auth engine throwed err=" << err << dendl; - return err; - } - - /* All engines refused to handle this authentication request by - * returning RGWAuthEngine::Status::UNKKOWN. Rather rare case. */ - return -EPERM; + return rgw::auth::Strategy::apply(auth_strategy, s); } int RGWHandler_REST_SWIFT::postauth_init()