From: Radoslaw Zarzynski Date: Mon, 17 Apr 2017 20:45:09 +0000 (+0200) Subject: rgw: all S3 auth engines are able to use AWSv4 now. X-Git-Tag: v12.1.0~155^2~44 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e9a17ded0fc47aa977918acea586babd709d1099;p=ceph.git rgw: all S3 auth engines are able to use AWSv4 now. Signed-off-by: Radoslaw Zarzynski --- diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc index a92d1858edfc..99a257178730 100644 --- a/src/rgw/rgw_auth_keystone.cc +++ b/src/rgw/rgw_auth_keystone.cc @@ -413,11 +413,14 @@ EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token, }; } -rgw::auth::Engine::result_t EC2Engine::authenticate(const std::string& access_key_id, - const std::string& signature, - const std::string& string_to_sign, - /* Passthorugh only! */ - const req_state* s) const +rgw::auth::Engine::result_t EC2Engine::authenticate( + const std::string& access_key_id, + const std::string& signature, + const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, + /* Passthorugh only! */ + const req_state* s) const { /* This will be initialized on the first call to this method. In C++11 it's * also thread-safe. */ @@ -472,7 +475,7 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(const std::string& access_ke auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), get_creds_info(*t, accepted_roles.admin)); - return result_t::grant(std::move(apl)); + return result_t::grant(std::move(apl), completer_factory()); } } diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h index 9bffa4362b30..934fec1cf482 100644 --- a/src/rgw/rgw_auth_keystone.h +++ b/src/rgw/rgw_auth_keystone.h 
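Review bot: The new `signature_factory` parameter of `EC2Engine::authenticate` is never touched in this hunk, and only `completer_factory` is consumed later (by the `grant` in the second hunk), so the signature is presumably still forwarded to Keystone for verification rather than recomputed here; a reader of the signature gets no hint of that, nor that Keystone must then understand an AWSv4 string_to_sign. I would say so at the declaration, e.g. `/* signature_factory is unused: the signature is validated by Keystone, not recomputed locally. */`, rather than leaving an apparently-ignored parameter unexplained. The retained `/* Passthorugh only! */` comment keeps its typo (`Passthrough`). The body of `authenticate` continues past the end of this hunk.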
@@ -93,6 +93,8 @@ class EC2Engine : public rgw::auth::s3::AWSEngine { result_t authenticate(const std::string& access_key_id, const std::string& signature, const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, const req_state* s) const override; public: EC2Engine(CephContext* const cct, diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index 4b38098302a8..81786dc9c171 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -143,7 +143,9 @@ void rgw_create_s3_canonical_header( dest_str = dest; } -int rgw_get_s3_header_digest(const string& auth_hdr, const string& key, string& dest) +int rgw_get_s3_header_digest(const std::string& auth_hdr, + const std::string& key, + std::string& dest) { if (key.empty()) return -EINVAL; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index f88d91f8c012..048ea222a2a4 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -4201,10 +4201,13 @@ rgw::auth::s3::LDAPEngine::get_creds_info(const rgw::RGWToken& token) const noex } rgw::auth::Engine::result_t -rgw::auth::s3::LDAPEngine::authenticate(const std::string& access_key_id, - const std::string& signature, - const std::string& string_to_sign, - const req_state* const s) const +rgw::auth::s3::LDAPEngine::authenticate( + const std::string& access_key_id, + const std::string& signature, + const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, + const req_state* const s) const { /* boost filters and/or string_ref may throw on invalid input */ rgw::RGWToken base64_token; 
@@ -4236,16 +4239,19 @@ rgw::auth::s3::LDAPEngine::authenticate(const std::string& access_key_id, auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(), get_creds_info(base64_token)); - return result_t::grant(std::move(apl)); + return result_t::grant(std::move(apl), completer_factory()); } /* LocalEndgine */ rgw::auth::Engine::result_t -rgw::auth::s3::LocalEngine::authenticate(const std::string& access_key_id, - const std::string& signature, - const std::string& string_to_sign, - const req_state* const s) const +rgw::auth::s3::LocalEngine::authenticate( + const std::string& access_key_id, + const std::string& signature, + const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, + const req_state* const s) const { /* get the user info */ RGWUserInfo user_info; @@ -4269,11 +4275,7 @@ rgw::auth::s3::LocalEngine::authenticate(const std::string& access_key_id, } const RGWAccessKey& k = iter->second; - std::string digest; - int ret = rgw_get_s3_header_digest(string_to_sign, k.key, digest); - if (ret < 0) { - return result_t::deny(-EPERM); - } + std::string digest = signature_factory(cct, k.key, string_to_sign); ldout(cct, 15) << "string_to_sign=" << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} << dendl; ldout(cct, 15) << "calculated digest=" << digest << dendl; @@ -4285,5 +4287,5 @@ rgw::auth::s3::LocalEngine::authenticate(const std::string& access_key_id, } auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser); - return result_t::grant(std::move(apl)); + return result_t::grant(std::move(apl), completer_factory()); } diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index 3c563f0254f0..df23f210a744 100644 --- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h 
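Review bot: In the `@@ -4269` hunk, replacing `rgw_get_s3_header_digest(string_to_sign, k.key, digest)` with `signature_factory(cct, k.key, string_to_sign)` drops the only guard against an empty stored secret: the removed helper returns `-EINVAL` for `key.empty()` (visible in the rgw_auth_s3.cc hunk) and the caller mapped that to `result_t::deny(-EPERM)`, whereas the factory is now invoked unconditionally and its output compared with the client-supplied signature. Unless every `signature_factory_t` implementation rejects an empty key itself — nothing in this diff shows that — a user record whose access key carries no secret becomes authenticatable by anyone who signs with an empty key. I would restore the check ahead of the call: `if (k.key.empty()) { return result_t::deny(-EPERM); }`. The digest comparison and the rest of `LocalEngine::authenticate` lie between this hunk and the next, outside what is shown.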
@@ -711,10 +711,17 @@ protected: } using result_t = rgw::auth::Engine::result_t; + using signature_factory_t = VersionAbstractor::signature_factory_t; + using completer_factory_t = VersionAbstractor::completer_factory_t; + /* TODO(rzarzynski): clean up. We've too many input parameter hee. Also + * the signature get_auth_data() of VersionAbstractor is too complicated. + * Replace these thing with a simple, dedicated structure. */ virtual result_t authenticate(const std::string& access_key_id, const std::string& signature, const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, const req_state* s) const = 0; public: @@ -736,7 +743,8 @@ public: if (access_key_id.empty() || signature.empty()) { return result_t::deny(-EINVAL); } else { - return authenticate(access_key_id, signature, string_to_sign, s); + return authenticate(access_key_id, signature, string_to_sign, + signature_factory, completer_factory, s); } } }; @@ -800,6 +808,8 @@ protected: result_t authenticate(const std::string& access_key_id, const std::string& signature, const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, const req_state* s) const override; public: LDAPEngine(CephContext* const cct, @@ -827,6 +837,8 @@ class LocalEngine : public AWSEngine { result_t authenticate(const std::string& access_key_id, const std::string& signature, const std::string& string_to_sign, + const signature_factory_t& signature_factory, + const completer_factory_t& completer_factory, const req_state* s) const override; public: LocalEngine(CephContext* const cct,
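Review bot: The pure-virtual `authenticate` in the `@@ -711` hunk is the contract every engine implements, yet the two new factory parameters are undocumented and the TODO above them has typos (`hee` → `here`, `these thing` → `these things`). From the LocalEngine hunk, `signature_factory` is called as `signature_factory(cct, key, string_to_sign)` and yields the server-side digest that is compared with the client's signature, while `completer_factory()` is called only on success and its result handed to `result_t::grant`; I would state that at the declaration: `/* signature_factory: recomputes the request signature from the secret key and string_to_sign. completer_factory: builds the completer attached to a successful grant. */`. It is also worth saying whether engines that do not compute the digest locally (the Keystone and LDAP overrides do not call the factory in the hunks shown) may legitimately ignore `signature_factory`. The enclosing `AWSEngine` class begins before this hunk.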