From cb577fff79e4e41afd1d80d4a6610689e3858613 Mon Sep 17 00:00:00 2001 From: Radoslaw Zarzynski Date: Sun, 17 Apr 2016 16:26:44 +0200 Subject: [PATCH] rgw: eradicate rgw_swift.{h,cc}. Signed-off-by: Radoslaw Zarzynski --- src/rgw/Makefile.am | 2 - src/rgw/rgw_common.h | 3 +- src/rgw/rgw_main.cc | 8 - src/rgw/rgw_rest_swift.cc | 1 - src/rgw/rgw_swift.cc | 711 -------------------------------------- src/rgw/rgw_swift.h | 84 ----- 6 files changed, 1 insertion(+), 808 deletions(-) delete mode 100644 src/rgw/rgw_swift.cc delete mode 100644 src/rgw/rgw_swift.h diff --git a/src/rgw/Makefile.am b/src/rgw/Makefile.am index 0d8247210d7ae..25931cfefd352 100644 --- a/src/rgw/Makefile.am +++ b/src/rgw/Makefile.am @@ -83,7 +83,6 @@ librgw_la_SOURCES = \ rgw/rgw_rest_usage.cc \ rgw/rgw_rest_user.cc \ rgw/rgw_swift_auth.cc \ - rgw/rgw_swift.cc \ rgw/rgw_usage.cc \ rgw/rgw_user.cc \ rgw/rgw_file.cc \ @@ -230,7 +229,6 @@ noinst_HEADERS += \ rgw/rgw_os_lib.h \ rgw/rgw_orphan.h \ rgw/rgw_http_client.h \ - rgw/rgw_swift.h \ rgw/rgw_swift_auth.h \ rgw/rgw_quota.h \ rgw/rgw_rados.h \ diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index ffb33741b4bb4..ce4ed52d1d1b5 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1298,8 +1298,7 @@ struct req_state { int prot_flags; const char *os_auth_token; - string swift_user; - string swift_groups; + /* Content-Disposition override for TempURL of Swift API. */ struct { string override; diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc index 29e2a04893348..7339c7a581f51 100644 --- a/src/rgw/rgw_main.cc +++ b/src/rgw/rgw_main.cc @@ -46,7 +46,6 @@ #include "rgw_rest_config.h" #include "rgw_rest_realm.h" #include "rgw_swift_auth.h" -#include "rgw_swift.h" #include "rgw_log.h" #include "rgw_tools.h" #include "rgw_resolve.h" @@ -328,7 +327,6 @@ int main(int argc, const char **argv) RGWREST rest; list apis; - bool do_swift = false; get_str_list(g_conf->rgw_enable_apis, apis); @@ -343,8 +341,6 @@ int main(int argc, const char **argv) rest.register_default_mgr(set_logging(new RGWRESTMgr_S3(s3website_enabled))); if (apis_map.count("swift") > 0) { - do_swift = true; - swift_init(g_ceph_context); rest.register_resource(g_conf->rgw_swift_url_prefix, set_logging(new RGWRESTMgr_SWIFT)); } @@ -473,10 +469,6 @@ int main(int argc, const char **argv) unregister_async_signal_handler(SIGUSR1, handle_sigterm); shutdown_async_signal_handler(); - if (do_swift) { - swift_finalize(); - } - rgw_log_usage_finalize(); delete olog; diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index d3f7200782686..b5722e90f12c6 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -7,7 +7,6 @@ #include "common/utf8.h" #include "common/ceph_json.h" -#include "rgw_swift.h" #include "rgw_rest_swift.h" #include "rgw_acl_swift.h" #include "rgw_cors_swift.h" diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc deleted file mode 100644 index 4a835bf452ed7..0000000000000 --- a/src/rgw/rgw_swift.cc +++ /dev/null @@ -1,711 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab - -#include -#include -#include - -#include "common/ceph_json.h" -#include "rgw_common.h" -#include "rgw_swift.h" -#include "rgw_swift_auth.h" -#include "rgw_user.h" -#include "rgw_http_client.h" -#include "rgw_keystone.h" - -#include "include/str_list.h" - -#define dout_subsys ceph_subsys_rgw - -static vector accepted_roles; -static vector accepted_admin_roles; - -class RGWValidateSwiftToken : public RGWHTTPClient { - struct rgw_swift_auth_info *info; - -protected: - RGWValidateSwiftToken() : RGWHTTPClient(NULL), info(NULL) {} -public: - RGWValidateSwiftToken(CephContext *_cct, struct rgw_swift_auth_info *_info) : RGWHTTPClient(_cct), info(_info) {} - - int receive_header(void *ptr, size_t len); - int receive_data(void *ptr, size_t len) { - return 0; - } - int send_data(void *ptr, size_t len) { - return 0; - } - - friend class RGWKeystoneTokenCache; -}; - -int RGWValidateSwiftToken::receive_header(void *ptr, size_t len) -{ - char line[len + 1]; - - char *s = (char *)ptr, *end = (char *)ptr + len; - char *p = line; - ldout(cct, 10) << "read_http_header" << dendl; - - while (s != end) { - if (*s == '\r') { - s++; - continue; - } - if (*s == '\n') { - *p = '\0'; - ldout(cct, 10) << "os_auth:" << line << dendl; - // TODO: fill whatever data required here - char *l = line; - char *tok = strsep(&l, " \t:"); - if (tok) { - while (l && *l == ' ') - l++; - - if (strcmp(tok, "HTTP") == 0) { - ; - } else if (strcasecmp(tok, "X-Auth-Groups") == 0) { - info->auth_groups = l; - char *s = strchr(l, ','); - if (s) { - *s = '\0'; - info->user = l; - } - } else if (strcasecmp(tok, "X-Auth-Ttl") == 0) { - info->ttl = atoll(l); - } - } - } - if (s != end) - *p++ = *s++; - } - return 0; -} - -int RGWSwift::validate_token(const char *token, struct rgw_swift_auth_info *info) -{ - if (g_conf->rgw_swift_auth_url.empty()) - return -EINVAL; - - string auth_url = g_conf->rgw_swift_auth_url; - if (auth_url[auth_url.size() - 1] != '/') - auth_url.append("/"); - auth_url.append("token"); - char url_buf[auth_url.size() + 1 + strlen(token) + 1]; - sprintf(url_buf, "%s/%s", auth_url.c_str(), token); - - RGWValidateSwiftToken validate(cct, info); - - ldout(cct, 10) << "rgw_swift_validate_token url=" << url_buf << dendl; - - int ret = validate.process(url_buf); - if (ret < 0) - return ret; - - return 0; -} - - -int RGWSwift::check_revoked() -{ - string url; - string token; - - bufferlist bl; - RGWGetRevokedTokens req(cct, &bl); - - if (KeystoneService::get_keystone_admin_token(cct, token) < 0) { - return -EINVAL; - } - if (KeystoneService::get_keystone_url(cct, url) < 0) { - return -EINVAL; - } - req.append_header("X-Auth-Token", token); - - const auto keystone_version = KeystoneService::get_api_version(); - if (keystone_version == KeystoneApiVersion::VER_2) { - url.append("v2.0/tokens/revoked"); - } else if (keystone_version == KeystoneApiVersion::VER_3) { - url.append("v3/auth/tokens/OS-PKI/revoked"); - } - - req.set_send_length(0); - int ret = req.process(url.c_str()); - if (ret < 0) { - return ret; - } - - bl.append((char)0); // NULL terminate for debug output - - ldout(cct, 10) << "request returned " << bl.c_str() << dendl; - - JSONParser parser; - - if (!parser.parse(bl.c_str(), bl.length())) { - ldout(cct, 0) << "malformed json" << dendl; - return -EINVAL; - } - - JSONObjIter iter = parser.find_first("signed"); - if (iter.end()) { - ldout(cct, 0) << "revoked tokens response is missing signed section" << dendl; - return -EINVAL; - } - - JSONObj *signed_obj = *iter; - - string signed_str = signed_obj->get_data(); - - ldout(cct, 10) << "signed=" << signed_str << dendl; - - string signed_b64; - ret = rgw_open_cms_envelope(cct, signed_str, signed_b64); - if (ret < 0) - return ret; - - ldout(cct, 10) << "content=" << signed_b64 << dendl; - - bufferlist json; - ret = rgw_decode_b64_cms(cct, signed_b64, json); - if (ret < 0) { - return ret; - } - - ldout(cct, 10) << "ceph_decode_cms: decoded: " << json.c_str() << dendl; - - JSONParser list_parser; - if (!list_parser.parse(json.c_str(), json.length())) { - ldout(cct, 0) << "malformed json" << dendl; - return -EINVAL; - } - - JSONObjIter revoked_iter = list_parser.find_first("revoked"); - if (revoked_iter.end()) { - ldout(cct, 0) << "no revoked section in json" << dendl; - return -EINVAL; - } - - JSONObj *revoked_obj = *revoked_iter; - - JSONObjIter tokens_iter = revoked_obj->find_first(); - for (; !tokens_iter.end(); ++tokens_iter) { - JSONObj *o = *tokens_iter; - - JSONObj *token = o->find_obj("id"); - if (!token) { - ldout(cct, 0) << "bad token in array, missing id" << dendl; - continue; - } - - string token_id = token->get_data(); - RGWKeystoneTokenCache::get_instance().invalidate(token_id); - } - - return 0; -} - -static void rgw_set_keystone_token_auth_info(KeystoneToken& token, struct rgw_swift_auth_info *info) -{ - info->user = token.get_project_id(); - info->display_name = token.get_project_name(); -} - -int RGWSwift::parse_keystone_token_response(const string& token, - bufferlist& bl, - struct rgw_swift_auth_info *info, - KeystoneToken& t) -{ - int ret = t.parse(cct, token, bl); - if (ret < 0) { - return ret; - } - - bool found = false; - for (const auto role : accepted_roles) { - if (t.has_role(role) == true) { - found = true; - break; - } - - if (!found) { - ldout(cct, 0) << "user does not hold a matching role; required roles: " - << g_conf->rgw_keystone_accepted_roles << dendl; - return -EPERM; - } - - ldout(cct, 0) << "validated token: " << t.get_project_name() - << ":" << t.get_user_name() - << " expires: " << t.get_expires() << dendl; - - rgw_set_keystone_token_auth_info(t, info); - - return 0; -} - -int RGWSwift::update_user_info(RGWRados *store, struct rgw_swift_auth_info *info, RGWUserInfo& user_info) -{ - ldout(cct, 20) << "updating user=" << info->user << dendl; // P3 XXX - /* - * Normally once someone parsed the token, the tenant and user are set - * in rgw_swift_auth_info. If .tenant is empty in it, the client has - * authenticated with the empty legacy tenant. But when we authenticate - * with Keystone, we have a special compatibility kludge. First, we try - * the same tenant as the user. If that user exists, we use it. This way, - * migrated OpenStack users can get their namespaced containers and - * nobody's the wiser. If that fails, we look up the user in the empty - * tenant. If neither is found, make one, and those migrating can - * set a special configurable rgw_keystone_implicit_tenants to create - * suitable tenantized users. - */ - if (info->user.tenant.empty()) { - rgw_user uid; - uid.tenant = info->user.id; - uid.id = info->user.id; - if (rgw_get_user_info_by_uid(store, uid, user_info) < 0) { - uid.tenant.clear(); - if (rgw_get_user_info_by_uid(store, uid, user_info) < 0) { - ldout(cct, 0) << "NOTICE: couldn't map swift user " << uid << dendl; - if (g_conf->rgw_keystone_implicit_tenants) { - uid.tenant = info->user.id; - } - user_info.user_id = uid; - user_info.display_name = info->display_name; - int ret = rgw_store_user_info(store, user_info, NULL, NULL, real_time(), true); - if (ret < 0) { - ldout(cct, 0) << "ERROR: failed to store new user info: user=" << user_info.user_id << " ret=" << ret << dendl; - return ret; - } - } - } - } else { - if (rgw_get_user_info_by_uid(store, info->user, user_info) < 0) { - ldout(cct, 0) << "NOTICE: couldn't map swift user " << info->user << dendl; - user_info.user_id = info->user; - user_info.display_name = info->display_name; - int ret = rgw_store_user_info(store, user_info, NULL, NULL, real_time(), true); - if (ret < 0) { - ldout(cct, 0) << "ERROR: failed to store new user info: user=" << user_info.user_id << " ret=" << ret << dendl; - return ret; - } - } - } - return 0; -} - -int RGWSwift::validate_keystone_token(RGWRados *store, const string& token, - RGWUserInfo& rgw_user) -{ - KeystoneToken t; - struct rgw_swift_auth_info info; - - string token_id; - rgw_get_token_id(token, token_id); - - ldout(cct, 20) << "token_id=" << token_id << dendl; - - /* check cache first */ - if (RGWKeystoneTokenCache::get_instance().find(token_id, t)) { - rgw_set_keystone_token_auth_info(t, &info); - - ldout(cct, 20) << "cached token.project.id=" << t.get_project_id() << dendl; - - int ret = update_user_info(store, &info, rgw_user); - if (ret < 0) - return ret; - - return 0; - } - - bufferlist bl; - - /* check if that's a self signed token that we can decode */ - if (!rgw_decode_pki_token(cct, token, bl)) { - - /* can't decode, just go to the keystone server for validation */ - - RGWValidateKeystoneToken validate(cct, &bl); - - string url = g_conf->rgw_keystone_url; - if (url.empty()) { - ldout(cct, 0) << "ERROR: keystone url is not configured" << dendl; - return -EINVAL; - } - if (url[url.size() - 1] != '/') - url.append("/"); - std::string admin_token; - if (KeystoneService::get_keystone_admin_token(cct, admin_token) < 0) - return -EINVAL; - if (KeystoneService::get_keystone_url(cct, url) < 0) - return -EINVAL; - - validate.append_header("X-Auth-Token", admin_token); - - const auto keystone_version = KeystoneService::get_api_version(); - if (keystone_version == KeystoneApiVersion::VER_2) { - url.append("v2.0/tokens/"); - url.append(token); - } - if (keystone_version == KeystoneApiVersion::VER_3) { - url.append("v3/auth/tokens"); - validate.append_header("X-Subject-Token", token); - } - - validate.set_send_length(0); - - int ret = validate.process(url.c_str()); - if (ret < 0) - return ret; - } - - bl.append((char)0); // NULL terminate for debug output - - ldout(cct, 20) << "received response: " << bl.c_str() << dendl; - - int ret = parse_keystone_token_response(token, bl, &info, t); - if (ret < 0) - return ret; - - if (t.expired()) { - ldout(cct, 0) << "got expired token: " << t.get_project_name() - << ":" << t.get_user_name() - << " expired: " << t.get_expires() << dendl; - return -EPERM; - } - - RGWKeystoneTokenCache::get_instance().add(token_id, t); - - ret = update_user_info(store, &info, rgw_user); - if (ret < 0) - return ret; - - return 0; -} - -static void temp_url_make_content_disp(req_state * const s) -{ - bool inline_exists = false; - string filename = s->info.args.get("filename"); - - s->info.args.get("inline", &inline_exists); - if (inline_exists) { - s->content_disp.override = "inline"; - } else if (!filename.empty()) { - string fenc; - url_encode(filename, fenc); - s->content_disp.override = "attachment; filename=\"" + fenc + "\""; - } else { - string fenc; - url_encode(s->object.name, fenc); - s->content_disp.fallback = "attachment; filename=\"" + fenc + "\""; - } -} - -static string temp_url_gen_sig(const string& key, - const string& method, - const string& path, - const string& expires) -{ - const string str = method + "\n" + expires + "\n" + path; - //dout(20) << "temp url signature (plain text): " << str << dendl; - - /* unsigned */ char dest[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE]; - calc_hmac_sha1(key.c_str(), key.size(), - str.c_str(), str.size(), - dest); - - char dest_str[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE * 2 + 1]; - buf_to_hex((const unsigned char *)dest, sizeof(dest), dest_str); - - return dest_str; -} - -int authenticate_temp_url(RGWRados * const store, req_state * const s) -{ - /* We cannot use req_state::bucket_name because it isn't available - * now. It will be initialized in RGWHandler_REST_SWIFT::postauth_init(). */ - const string& bucket_name = s->init_state.url_bucket; - - /* temp url requires bucket and object specified in the requets */ - if (bucket_name.empty()) { - return -EPERM; - } - - if (s->object.empty()) { - return -EPERM; - } - - const string temp_url_sig = s->info.args.get("temp_url_sig"); - if (temp_url_sig.empty()) { - return -EPERM; - } - - const string temp_url_expires = s->info.args.get("temp_url_expires"); - if (temp_url_expires.empty()) { - return -EPERM; - } - - /* TempURL case is completely different than the Keystone auth - you may - * get account name only through extraction from URL. In turn, knowledge - * about account is neccessary to obtain its bucket tenant. Without that, - * the access would be limited to accounts with empty tenant. */ - string bucket_tenant; - if (!s->account_name.empty()) { - RGWUserInfo uinfo; - - if (rgw_get_user_info_by_uid(store, s->account_name, uinfo) < 0) { - return -EPERM; - } - - bucket_tenant = uinfo.user_id.tenant; - } - - /* Need to get user info of bucket owner. */ - RGWBucketInfo bucket_info; - int ret = store->get_bucket_info(*static_cast(s->obj_ctx), - bucket_tenant, bucket_name, - bucket_info, NULL); - if (ret < 0) { - return -EPERM; - } - - ldout(s->cct, 20) << "temp url user (bucket owner): " << bucket_info.owner - << dendl; - if (rgw_get_user_info_by_uid(store, bucket_info.owner, *(s->user)) < 0) { - return -EPERM; - } - - if (s->user->temp_url_keys.empty()) { - dout(5) << "user does not have temp url key set, aborting" << dendl; - return -EPERM; - } - - if (!s->info.method) { - return -EPERM; - } - - const utime_t now = ceph_clock_now(g_ceph_context); - - string err; - uint64_t expiration = (uint64_t)strict_strtoll(temp_url_expires.c_str(), - 10, &err); - if (!err.empty()) { - dout(5) << "failed to parse temp_url_expires: " << err << dendl; - return -EPERM; - } - if (expiration <= (uint64_t)now.sec()) { - dout(5) << "temp url expired: " << expiration << " <= " << now.sec() << dendl; - return -EPERM; - } - - /* We need to verify two paths because of compliance with Swift, Tempest - * and old versions of RadosGW. The second item will have the prefix - * of Swift API entry point removed. */ - const size_t pos = g_conf->rgw_swift_url_prefix.find_last_not_of('/') + 1; - const vector allowed_paths = { - s->info.request_uri, - s->info.request_uri.substr(pos + 1) - }; - - vector allowed_methods; - if (strcmp("HEAD", s->info.method) == 0) { - /* HEAD requests are specially handled. */ - allowed_methods = { s->info.method, "PUT", "GET" }; - } else { - allowed_methods = { s->info.method }; - } - - /* Need to try each combination of keys, allowed path and methods. */ - for (const auto kv : s->user->temp_url_keys) { - const int temp_url_key_num = kv.first; - const string& temp_url_key = kv.second; - - if (temp_url_key.empty()) { - continue; - } - - for (const auto path : allowed_paths) { - for (const auto method : allowed_methods) { - const string local_sig = temp_url_gen_sig(temp_url_key, - method, path, - temp_url_expires); - - ldout(s->cct, 20) << "temp url signature [" << temp_url_key_num - << "] (calculated): " << local_sig - << dendl; - - if (local_sig != temp_url_sig) { - ldout(s->cct, 5) << "temp url signature mismatch: " << local_sig - << " != " - << temp_url_sig - << dendl; - } else { - temp_url_make_content_disp(s); - ldout(s->cct, 20) << "temp url signature match: " << local_sig - << " content_disp override " << s->content_disp.override - << " content_disp fallback " << s->content_disp.fallback - << dendl; - return 0; - } - } - } - } - - return -EPERM; -} - -bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s) -{ - if (!do_verify_swift_token(store, s)) { - return false; - } - - if (!s->swift_user.empty()) { - string subuser; - ssize_t pos = s->swift_user.find(':'); - if (pos < 0) { - subuser = s->swift_user; - } else { - subuser = s->swift_user.substr(pos + 1); - } - s->perm_mask = 0; - map::iterator iter = s->user->subusers.find(subuser); - if (iter != s->user->subusers.end()) { - RGWSubUser& subuser_ = iter->second; - s->perm_mask = subuser_.perm_mask; - } - } else { - s->perm_mask = RGW_PERM_FULL_CONTROL; - } - - return true; - -} - -bool RGWSwift::do_verify_swift_token(RGWRados *store, req_state *s) -{ - if (s->info.args.exists("temp_url_sig") || - s->info.args.exists("temp_url_expires")) { - int ret = authenticate_temp_url(store, s); - return (ret >= 0); - } - - if (strncmp(s->os_auth_token, "AUTH_rgwtk", 10) == 0) { - int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, - *(s->user), &s->swift_user); - return (ret >= 0); - } - - if (supports_keystone()) { - int ret = validate_keystone_token(store, s->os_auth_token, *(s->user)); - return (ret >= 0); - } - - struct rgw_swift_auth_info info; - int ret; - - ret = validate_token(s->os_auth_token, &info); - if (ret < 0) - return false; - - if (info.user.empty()) { - ldout(cct, 5) << "swift auth didn't authorize a user" << dendl; - return false; - } - - s->swift_user = info.user.to_str(); - s->swift_groups = info.auth_groups; - - string swift_user = s->swift_user; - - ldout(cct, 10) << "swift user=" << s->swift_user << dendl; - - if (rgw_get_user_info_by_swift(store, swift_user, *(s->user)) < 0) { - ldout(cct, 0) << "NOTICE: couldn't map swift user" << dendl; - return false; - } - - ldout(cct, 10) << "user_id=" << s->user->user_id << dendl; - - return true; -} - -void RGWSwift::init() -{ - get_str_vec(cct->_conf->rgw_keystone_accepted_roles, accepted_roles); - get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, - accepted_admin_roles); - - accepted_roles.insert(accepted_roles.end(), accepted_admin_roles.begin(), - accepted_admin_roles.end()); - - if (supports_keystone()) { - init_keystone(); - } -} - - -void RGWSwift::init_keystone() -{ - keystone_revoke_thread = new KeystoneRevokeThread(cct, this); - keystone_revoke_thread->create("rgw_swift_k_rev"); -} - - -void RGWSwift::finalize() -{ - if (supports_keystone()) - finalize_keystone(); -} - -void RGWSwift::finalize_keystone() -{ - down_flag.set(1); - if (keystone_revoke_thread) { - keystone_revoke_thread->stop(); - keystone_revoke_thread->join(); - } - delete keystone_revoke_thread; - keystone_revoke_thread = NULL; -} - -RGWSwift *rgw_swift = NULL; - -void swift_init(CephContext *cct) -{ - rgw_swift = new RGWSwift(cct); -} - -void swift_finalize() -{ - delete rgw_swift; -} - -bool RGWSwift::going_down() -{ - return (down_flag.read() != 0); -} - -void *RGWSwift::KeystoneRevokeThread::entry() { - do { - dout(2) << "keystone revoke thread: start" << dendl; - int r = swift->check_revoked(); - if (r < 0) { - dout(0) << "ERROR: keystone revocation processing returned error r=" << r << dendl; - } - - if (swift->going_down()) - break; - - lock.Lock(); - cond.WaitInterval(cct, lock, utime_t(cct->_conf->rgw_keystone_revocation_interval, 0)); - lock.Unlock(); - } while (!swift->going_down()); - - return NULL; -} - -void RGWSwift::KeystoneRevokeThread::stop() -{ - Mutex::Locker l(lock); - cond.Signal(); -} diff --git a/src/rgw/rgw_swift.h b/src/rgw/rgw_swift.h deleted file mode 100644 index 240eba3ba1fe5..0000000000000 --- a/src/rgw/rgw_swift.h +++ /dev/null @@ -1,84 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab - - -#ifndef CEPH_RGW_SWIFT_H -#define CEPH_RGW_SWIFT_H - -#include "include/assert.h" - -#include "rgw_common.h" -#include "common/Cond.h" - -#include "rgw_keystone.h" - -class RGWRados; - -struct rgw_swift_auth_info { - string auth_groups; - rgw_user user; - string display_name; - long long ttl; - - rgw_swift_auth_info() : ttl(0) {} -}; - -class RGWSwift { - CephContext *cct; - atomic_t down_flag; - - int validate_token(const char *token, struct rgw_swift_auth_info *info); - int validate_keystone_token(RGWRados *store, const string& token, - RGWUserInfo& rgw_user); - - int parse_keystone_token_response(const string& token, - bufferlist& bl, - struct rgw_swift_auth_info *info, - KeystoneToken& t); - int update_user_info(RGWRados *store, struct rgw_swift_auth_info *info, RGWUserInfo& user_info); - int get_keystone_url(std::string& url); - int get_keystone_admin_token(std::string& token); - - class KeystoneRevokeThread : public Thread { - CephContext *cct; - RGWSwift *swift; - Mutex lock; - Cond cond; - - public: - KeystoneRevokeThread(CephContext *_cct, RGWSwift *_swift) : cct(_cct), swift(_swift), lock("KeystoneRevokeThread") {} - void *entry(); - void stop(); - }; - - KeystoneRevokeThread *keystone_revoke_thread; - - void init(); - void finalize(); - void init_keystone(); - void finalize_keystone(); - bool supports_keystone() { - return !cct->_conf->rgw_keystone_url.empty(); - } - bool do_verify_swift_token(RGWRados *store, req_state *s); -protected: - int check_revoked(); -public: - - explicit RGWSwift(CephContext *_cct) : cct(_cct), keystone_revoke_thread(NULL) { - init(); - } - ~RGWSwift() { - finalize(); - } - - bool verify_swift_token(RGWRados *store, req_state *s); - bool going_down(); -}; - -extern RGWSwift *rgw_swift; -void swift_init(CephContext *cct); -void swift_finalize(); - -#endif - -- 2.39.5