From 38e1af31f97df3dd197bba2c3f6b2eba9328c71b Mon Sep 17 00:00:00 2001 From: Radoslaw Zarzynski Date: Wed, 11 Jan 2017 17:04:24 +0100 Subject: [PATCH] rgw: switch from req_state::auth_identity to req_state::auth::identity. Signed-off-by: Radoslaw Zarzynski --- src/rgw/librgw.cc | 4 ++-- src/rgw/rgw_acl.cc | 6 +++--- src/rgw/rgw_acl.h | 12 +++++++---- src/rgw/rgw_common.cc | 16 +++++++------- src/rgw/rgw_common.h | 13 ++++++------ src/rgw/rgw_op.cc | 44 +++++++++++++++++++-------------------- src/rgw/rgw_process.cc | 2 +- src/rgw/rgw_rest_role.cc | 4 ++-- src/rgw/rgw_rest_swift.cc | 12 +++++------ 9 files changed, 59 insertions(+), 54 deletions(-) diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc index 9a0d3f33751..f7bb502fa00 100644 --- a/src/rgw/librgw.cc +++ b/src/rgw/librgw.cc @@ -280,7 +280,7 @@ namespace rgw { if (ret < 0) { if (s->system_request) { dout(2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth_identity->is_admin_of(s->user->user_id)) { + } else if (s->auth.identity->is_admin_of(s->user->user_id)) { dout(2) << "overriding permissions due to admin operation" << dendl; } else { abort_req(s, op, ret); @@ -395,7 +395,7 @@ namespace rgw { if (ret < 0) { if (s->system_request) { dout(2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth_identity->is_admin_of(s->user->user_id)) { + } else if (s->auth.identity->is_admin_of(s->user->user_id)) { dout(2) << "overriding permissions due to admin operation" << dendl; } else { abort_req(s, op, ret); diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc index 6af5639eb08..30e3382a83a 100644 --- a/src/rgw/rgw_acl.cc +++ b/src/rgw/rgw_acl.cc @@ -47,7 +47,7 @@ void RGWAccessControlList::add_grant(ACLGrant *grant) _add_grant(grant); } -uint32_t RGWAccessControlList::get_perm(const RGWIdentityApplier& auth_identity, +uint32_t RGWAccessControlList::get_perm(const rgw::auth::Identity& auth_identity, const uint32_t perm_mask) { ldout(cct, 5) << "Searching permissions for identity=" << auth_identity @@ -94,7 +94,7 @@ uint32_t RGWAccessControlList::get_referer_perm(const std::string http_referer, } } -uint32_t RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identity, +uint32_t RGWAccessControlPolicy::get_perm(const rgw::auth::Identity& auth_identity, const uint32_t perm_mask, const char * const http_referer) { @@ -130,7 +130,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identit return perm; } -bool RGWAccessControlPolicy::verify_permission(const RGWIdentityApplier& auth_identity, +bool RGWAccessControlPolicy::verify_permission(const rgw::auth::Identity& auth_identity, const uint32_t user_perm_mask, const uint32_t perm, const char * const http_referer) diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h index ff44004f9ad..24567677e8e 100644 --- a/src/rgw/rgw_acl.h +++ b/src/rgw/rgw_acl.h @@ -272,7 +272,11 @@ private: }; WRITE_CLASS_ENCODER(ACLReferer) -class RGWIdentityApplier; +namespace rgw { +namespace auth { + class Identity; +} +} class RGWAccessControlList { @@ -295,7 +299,7 @@ public: virtual ~RGWAccessControlList() {} - uint32_t get_perm(const RGWIdentityApplier& auth_identity, + uint32_t get_perm(const rgw::auth::Identity& auth_identity, uint32_t perm_mask); uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); uint32_t get_referer_perm(const std::string http_referer, uint32_t perm_mask); @@ -402,11 +406,11 @@ public: acl.set_ctx(ctx); } - uint32_t get_perm(const RGWIdentityApplier& auth_identity, + uint32_t get_perm(const rgw::auth::Identity& auth_identity, uint32_t perm_mask, const char * http_referer); uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); - bool verify_permission(const RGWIdentityApplier& auth_identity, + bool verify_permission(const rgw::auth::Identity& auth_identity, uint32_t user_perm_mask, uint32_t perm, const char * http_referer = nullptr); diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index cce203b0faa..7f7f45c45dd 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -899,7 +899,7 @@ bool verify_user_permission(struct req_state * const s, if ((perm & (int)s->perm_mask) != perm) return false; - return user_acl->verify_permission(*s->auth_identity, perm, perm); + return user_acl->verify_permission(*s->auth.identity, perm, perm); } bool verify_user_permission(struct req_state * const s, @@ -913,10 +913,10 @@ bool verify_requester_payer_permission(struct req_state *s) if (!s->bucket_info.requester_pays) return true; - if (s->auth_identity->is_owner_of(s->bucket_info.owner)) + if (s->auth.identity->is_owner_of(s->bucket_info.owner)) return true; - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return false; } @@ -950,14 +950,14 @@ bool verify_bucket_permission(struct req_state * const s, if (!verify_requester_payer_permission(s)) return false; - if (bucket_acl->verify_permission(*s->auth_identity, perm, perm, + if (bucket_acl->verify_permission(*s->auth.identity, perm, perm, s->info.env->get("HTTP_REFERER"))) return true; if (!user_acl) return false; - return user_acl->verify_permission(*s->auth_identity, perm, perm); + return user_acl->verify_permission(*s->auth.identity, perm, perm); } bool verify_bucket_permission(struct req_state * const s, const int perm) @@ -996,7 +996,7 @@ bool verify_object_permission(struct req_state * const s, return false; } - bool ret = object_acl->verify_permission(*s->auth_identity, s->perm_mask, perm); + bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm); if (ret) { return true; } @@ -1018,14 +1018,14 @@ bool verify_object_permission(struct req_state * const s, /* we already verified the user mask above, so we pass swift_perm as the mask here, otherwise the mask might not cover the swift permissions bits */ - if (bucket_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm, + if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm, s->info.env->get("HTTP_REFERER"))) return true; if (!user_acl) return false; - return user_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm); + return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm); } bool verify_object_permission(struct req_state *s, int perm) diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 06e30f2e052..820efc2307d 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1725,14 +1725,15 @@ struct req_state { RGWUserInfo *user; - /* Object having the knowledge about an authenticated identity and allowing - * to apply it during the authorization phase (verify_permission() methods - * of a given RGWOp). Thus, it bounds authentication and authorization steps - * through a well-defined interface. For more details, see rgw_auth.h. */ - std::unique_ptr auth_identity; struct { - /* TODO(rzarzynski): switch out to the static_ptr. */ + /* TODO(rzarzynski): switch out to the static_ptr for both members. */ + + /* Object having the knowledge about an authenticated identity and allowing + * to apply it during the authorization phase (verify_permission() methods + * of a given RGWOp). Thus, it bounds authentication and authorization steps + * through a well-defined interface. For more details, see rgw_auth.h. */ std::unique_ptr identity; + std::unique_ptr completer; } auth; diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index b7ee0beba23..483e344603b 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -362,9 +362,9 @@ static int read_obj_policy(RGWRados *store, const rgw_user& bucket_owner = bucket_policy.get_owner().get_id(); if (bucket_owner.compare(s->user->user_id) != 0 && - !s->auth_identity->is_admin_of(bucket_owner) && - !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask, - RGW_PERM_READ)) { + ! s->auth.identity->is_admin_of(bucket_owner) && + ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, + RGW_PERM_READ)) { ret = -EACCES; } else { ret = -ENOENT; @@ -1544,7 +1544,7 @@ int RGWListBuckets::verify_permission() int RGWGetUsage::verify_permission() { - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return -EACCES; } @@ -1731,7 +1731,7 @@ void RGWStatAccount::execute() int RGWGetBucketVersioning::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -1751,7 +1751,7 @@ void RGWGetBucketVersioning::execute() int RGWSetBucketVersioning::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -1981,7 +1981,7 @@ void RGWListBucket::execute() int RGWGetBucketLogging::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -1990,7 +1990,7 @@ int RGWGetBucketLogging::verify_permission() int RGWGetBucketLocation::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -2002,7 +2002,7 @@ int RGWCreateBucket::verify_permission() /* This check is mostly needed for S3 that doesn't support account ACL. * Swift doesn't allow to delegate any permission to an anonymous user, * so it will become an early exit in such case. */ - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return -EACCES; } @@ -2578,8 +2578,8 @@ int RGWPutObj::verify_permission() } /* admin request overrides permission checks */ - if (!s->auth_identity->is_admin_of(cs_policy.get_owner().get_id()) && - !cs_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) { + if (! s->auth.identity->is_admin_of(cs_policy.get_owner().get_id()) && + ! cs_policy.verify_permission(*s->auth.identity, s->perm_mask, RGW_PERM_READ)) { return -EACCES; } @@ -3450,7 +3450,7 @@ int RGWPutMetadataAccount::init_processing() int RGWPutMetadataAccount::verify_permission() { - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return -EACCES; } @@ -3879,9 +3879,9 @@ int RGWCopyObj::verify_permission() } /* admin request overrides permission checks */ - if (!s->auth_identity->is_admin_of(src_policy.get_owner().get_id()) && - !src_policy.verify_permission(*s->auth_identity, s->perm_mask, - RGW_PERM_READ)) { + if (! s->auth.identity->is_admin_of(src_policy.get_owner().get_id()) && + ! src_policy.verify_permission(*s->auth.identity, s->perm_mask, + RGW_PERM_READ)) { return -EACCES; } } @@ -3917,9 +3917,9 @@ int RGWCopyObj::verify_permission() } /* admin request overrides permission checks */ - if (!s->auth_identity->is_admin_of(dest_policy.get_owner().get_id()) && - !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask, - RGW_PERM_WRITE)) { + if (! s->auth.identity->is_admin_of(dest_policy.get_owner().get_id()) && + ! dest_bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, + RGW_PERM_WRITE)) { return -EACCES; } @@ -4372,7 +4372,7 @@ void RGWDeleteLC::execute() int RGWGetCORS::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -4394,7 +4394,7 @@ void RGWGetCORS::execute() int RGWPutCORS::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -4416,7 +4416,7 @@ void RGWPutCORS::execute() int RGWDeleteCORS::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } @@ -4528,7 +4528,7 @@ void RGWGetRequestPayment::execute() int RGWSetRequestPayment::verify_permission() { - if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) { + if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) { return -EACCES; } diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc index c4d2c8dfbc6..ebc9276d82f 100644 --- a/src/rgw/rgw_process.cc +++ b/src/rgw/rgw_process.cc @@ -84,7 +84,7 @@ int rgw_process_authenticated(RGWHandler_REST * const handler, if (ret < 0) { if (s->system_request) { dout(2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth_identity->is_admin_of(s->user->user_id)) { + } else if (s->auth.identity->is_admin_of(s->user->user_id)) { dout(2) << "overriding permissions due to admin operation" << dendl; } else { return ret; diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index 31d8e996c66..386504398fe 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -28,7 +28,7 @@ void RGWRestRole::send_response() int RGWRoleRead::verify_permission() { - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return -EACCES; } @@ -41,7 +41,7 @@ int RGWRoleRead::verify_permission() int RGWRoleWrite::verify_permission() { - if (s->auth_identity->is_anonymous()) { + if (s->auth.identity->is_anonymous()) { return -EACCES; } diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index 3bcd7bf58bf..e1a116999fd 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -706,7 +706,7 @@ int RGWPutObj_ObjStore_SWIFT::verify_permission() /* We have to differentiate error codes depending on whether user is * anonymous (401 Unauthorized) or he doesn't have necessary permissions * (403 Forbidden). */ - if (s->auth_identity->is_anonymous() && op_ret == -EACCES) { + if (s->auth.identity->is_anonymous() && op_ret == -EACCES) { return -EPERM; } else { return op_ret; @@ -1010,7 +1010,7 @@ int RGWDeleteObj_ObjStore_SWIFT::verify_permission() /* We have to differentiate error codes depending on whether user is * anonymous (401 Unauthorized) or he doesn't have necessary permissions * (403 Forbidden). */ - if (s->auth_identity->is_anonymous() && op_ret == -EACCES) { + if (s->auth.identity->is_anonymous() && op_ret == -EACCES) { return -EPERM; } else { return op_ret; @@ -1230,7 +1230,7 @@ int RGWGetObj_ObjStore_SWIFT::verify_permission() /* We have to differentiate error codes depending on whether user is * anonymous (401 Unauthorized) or he doesn't have necessary permissions * (403 Forbidden). */ - if (s->auth_identity->is_anonymous() && op_ret == -EACCES) { + if (s->auth.identity->is_anonymous() && op_ret == -EACCES) { return -EPERM; } else { return op_ret; @@ -1668,15 +1668,15 @@ bool RGWSwiftWebsiteHandler::can_be_website_req() const } /* We also need to handle early failures from the auth system. In such cases - * req_state::auth_identity may be empty. Let's treat that the same way as + * req_state::auth.identity may be empty. Let's treat that the same way as * the anonymous access. */ - if (! s->auth_identity) { + if (! s->auth.identity) { return true; } /* Swift serves websites only for anonymous requests unless client explicitly * requested this behaviour by supplying X-Web-Mode HTTP header set to true. */ - if (s->auth_identity->is_anonymous() || is_web_mode()) { + if (s->auth.identity->is_anonymous() || is_web_mode()) { return true; } -- 2.39.5