From 3b4efd4f00314d0dd86f581e999634d90fef9528 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Sun, 8 May 2022 21:59:20 +0000 Subject: [PATCH] rgw/auth: Implement Keystone service token as separate TokenExtractor This change implements a separate TokenExtractor for the Keystone service token code instead of extending the TokenExtractor with another method to implement. Signed-off-by: Tobias Urdin --- src/rgw/rgw_auth.h | 1 - src/rgw/rgw_auth_keystone.h | 11 +++++++---- src/rgw/rgw_rest_sts.h | 6 ------ src/rgw/rgw_swift_auth.h | 30 +++++++++++++++++------------- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 26151a7e8ca1..f14066592afe 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -308,7 +308,6 @@ class TokenExtractor { public: virtual ~TokenExtractor() = default; virtual std::string get_token(const req_state* s) const = 0; - virtual std::string get_service_token(const req_state* s) const = 0; }; diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h index 00d47e02407d..31a4388080a9 100644 --- a/src/rgw/rgw_auth_keystone.h +++ b/src/rgw/rgw_auth_keystone.h @@ -30,7 +30,8 @@ class TokenEngine : public rgw::auth::Engine { using result_t = rgw::auth::Engine::result_t; using token_envelope_t = rgw::keystone::TokenEnvelope; - const rgw::auth::TokenExtractor* const extractor; + const rgw::auth::TokenExtractor* const auth_token_extractor; + const rgw::auth::TokenExtractor* const service_token_extractor; const rgw::auth::RemoteApplier::Factory* const apl_factory; rgw::keystone::Config& config; rgw::keystone::TokenCache& token_cache; 
@@ -52,12 +53,14 @@ class TokenEngine : public rgw::auth::Engine { public: TokenEngine(CephContext* const cct, - const rgw::auth::TokenExtractor* const extractor, + const rgw::auth::TokenExtractor* const auth_token_extractor, + const rgw::auth::TokenExtractor* const service_token_extractor, const rgw::auth::RemoteApplier::Factory* const apl_factory, rgw::keystone::Config& config, rgw::keystone::TokenCache& token_cache) : cct(cct), - extractor(extractor), + auth_token_extractor(auth_token_extractor), + service_token_extractor(service_token_extractor), apl_factory(apl_factory), config(config), token_cache(token_cache) { @@ -69,7 +72,7 @@ public: result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s, optional_yield y) const override { - return authenticate(dpp, extractor->get_token(s), extractor->get_service_token(s), s); + return authenticate(dpp, auth_token_extractor->get_token(s), service_token_extractor->get_token(s), s); } }; /* class TokenEngine */ diff --git a/src/rgw/rgw_rest_sts.h b/src/rgw/rgw_rest_sts.h index 994296f574cb..a129074b48e9 100644 --- a/src/rgw/rgw_rest_sts.h +++ b/src/rgw/rgw_rest_sts.h @@ -97,12 +97,6 @@ class DefaultStrategy : public rgw::auth::Strategy, return s->info.args.get("WebIdentityToken"); } - /* The method implements TokenExtractor. This method is not used by STS. */ - std::string get_service_token(const req_state* const s) const override { - static std::string empty_val; - return empty_val; - } - aplptr_t create_apl_web_identity( CephContext* cct, const req_state* s, const std::string& role_session, diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h index 596ec1941407..1faf8c9db2ac 100644 --- a/src/rgw/rgw_swift_auth.h +++ b/src/rgw/rgw_swift_auth.h @@ -182,7 +182,6 @@ public: class DefaultStrategy : public rgw::auth::Strategy, - public rgw::auth::TokenExtractor, public rgw::auth::RemoteApplier::Factory, public rgw::auth::LocalApplier::Factory, public rgw::auth::swift::TempURLApplier::Factory { 
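Review bot: `authenticate()` in the rgw_auth_keystone.h hunk at -69,7 now dereferences `service_token_extractor` on every request, while the constructor in the hunk at -52,12 stores both extractor pointers without checking them. The only construction visible in this patch passes valid addresses, but a caller that supplies `nullptr` for the new argument would crash the gateway inside the authentication path. Either take both extractors as `const rgw::auth::TokenExtractor&`, or assert in the constructor body, e.g. `ceph_assert(auth_token_extractor && service_token_extractor);`. The class body continues outside both hunks.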
@@ -202,16 +201,20 @@ class DefaultStrategy : public rgw::auth::Strategy, using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t; /* The method implements TokenExtractor for X-Auth-Token present in req_state. */ - std::string get_token(const req_state* const s) const override { - /* Returning a reference here would end in GCC complaining about a reference - * to temporary. */ - return s->info.env->get("HTTP_X_AUTH_TOKEN", ""); - } + struct AuthTokenExtractor : rgw::auth::TokenExtractor { + std::string get_token(const req_state* const s) const override { + /* Returning a reference here would end in GCC complaining about a reference + * to temporary. */ + return s->info.env->get("HTTP_X_AUTH_TOKEN", ""); + } + } auth_token_extractor; /* The method implements TokenExtractor for X-Service-Token present in req_state. */ - std::string get_service_token(const req_state* const s) const override { - return s->info.env->get("HTTP_X_SERVICE_TOKEN", ""); - } + struct ServiceTokenExtractor : rgw::auth::TokenExtractor { + std::string get_token(const req_state* const s) const override { + return s->info.env->get("HTTP_X_SERVICE_TOKEN", ""); + } + } service_token_extractor; aplptr_t create_apl_remote(CephContext* const cct, const req_state* const s, @@ -261,15 +264,15 @@ public: static_cast(this)), signed_engine(cct, store, - static_cast(this), + static_cast(&auth_token_extractor), static_cast(this)), external_engine(cct, store, - static_cast(this), + static_cast(&auth_token_extractor), static_cast(this)), anon_engine(cct, static_cast(this), - static_cast(this)) { + static_cast(&auth_token_extractor)) { /* When the constructor's body is being executed, all member engines * should be initialized. Thus, we can safely add them. */ using Control = rgw::auth::Strategy::Control; 
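Review bot: The two comments kept above the new structs in the hunk at -202,16 still read "The method implements TokenExtractor …", but each now introduces a nested struct and a data member, not a method. Reword them, e.g. `/* Extracts the client-supplied X-Auth-Token header from req_state; yields "" when the header is absent. */`, with the equivalent for X-Service-Token. Stating the empty-string result matters because whatever consumes the service token has to treat "" as "no service token presented" and not as a credential; that consumer is outside this hunk.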
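Review bot: The initializer list in the hunk at -261,15 hands `&auth_token_extractor` to `signed_engine`, `external_engine` and `anon_engine`, so correctness now depends on member declaration order, which the previous `static_cast(this)` did not. Members are constructed in declaration order and destroyed in reverse. If the engine members are declared above the extractor structs (their declarations are outside this patch), the conversion to the `TokenExtractor` base pointer happens before the extractor's construction has started, and the engines outlive the extractors they point to. Declare `auth_token_extractor` and `service_token_extractor` ahead of the engine members and record the dependency with a comment such as `/* Must precede the engines: they keep pointers to these extractors. */`.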
@@ -281,7 +284,8 @@ public: * engine is disabled or not. */ if (! cct->_conf->rgw_keystone_url.empty()) { keystone_engine.emplace(cct, - static_cast(this), + static_cast(&auth_token_extractor), + static_cast(&service_token_extractor), static_cast(this), keystone_config_t::get_instance(), keystone_cache_t::get_instance()); -- 2.47.3