From db7d92df09936d31eb5c5ea9681eb6cf265fd5d7 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski
Date: Sun, 17 Apr 2016 12:11:35 +0200
Subject: [PATCH] rgw: use RGWIdentityApplier across ACL implementation.

Signed-off-by: Radoslaw Zarzynski
---
 src/rgw/rgw_acl.cc | 42 +++++++++++++++++++++++++-----------------
 src/rgw/rgw_acl.h | 12 +++++++++---
 2 files changed, 34 insertions(+), 20 deletions(-)

diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc
index ef2cb319cf1a4..51f18e96d9779 100644
--- a/src/rgw/rgw_acl.cc
+++ b/src/rgw/rgw_acl.cc
@@ -44,15 +44,13 @@ void RGWAccessControlList::add_grant(ACLGrant *grant)
   _add_grant(grant);
 }
 
-int RGWAccessControlList::get_perm(rgw_user& id, int perm_mask) {
-  ldout(cct, 5) << "Searching permissions for uid=" << id << " mask=" << perm_mask << dendl;
-  map::iterator iter = acl_user_map.find(id.to_str());
-  if (iter != acl_user_map.end()) {
-    ldout(cct, 5) << "Found permission: " << iter->second << dendl;
-    return iter->second & perm_mask;
-  }
-  ldout(cct, 5) << "Permissions for user not found" << dendl;
-  return 0;
+int RGWAccessControlList::get_perm(const RGWIdentityApplier& auth_identity,
+                                   const int perm_mask)
+{
+  ldout(cct, 5) << "Searching permissions for identity=" << auth_identity
+                << " mask=" << perm_mask << dendl;
+
+  return perm_mask & auth_identity.get_perms_from_aclspec(acl_user_map);
 }
 
 int RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group, int perm_mask) {
@@ -66,10 +64,12 @@ int RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group, int perm_mask)
   return 0;
 }
 
-int RGWAccessControlPolicy::get_perm(rgw_user& id, int perm_mask) {
-  int perm = acl.get_perm(id, perm_mask);
+int RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identity,
+                                     const int perm_mask)
+{
+  int perm = acl.get_perm(auth_identity, perm_mask);
 
-  if (id.compare(owner.get_id()) == 0) {
+  if (auth_identity.is_owner_of(owner.get_id())) {
     perm |= perm_mask & (RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP);
   }
 
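Review bot: The new `RGWAccessControlList::get_perm` body no longer records what the ACL lookup actually produced; the removed `Found permission:` / `Permissions for user not found` lines were the only trace of the per-principal match, and the masked return value is not logged either, which makes an authorization decision harder to reconstruct from debug logs. Capturing the aclspec result before masking keeps that trace: `const int perms = auth_identity.get_perms_from_aclspec(acl_user_map);` / `ldout(cct, 5) << "Found permission: " << perms << dendl;` / `return perm_mask & perms;`. Note also that the old code matched exactly one key (`id.to_str()`) while the new result is whatever the applier derives from the whole `acl_user_map`; if an applier can match several entries, whether their permissions are OR-ed together or the first match wins is now decided inside `get_perms_from_aclspec`, whose declaration is not in this patch, and that rule is worth stating at its declaration.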
@@ -80,22 +80,26 @@ int RGWAccessControlPolicy::get_perm(rgw_user& id, int perm_mask) {
   if ((perm & perm_mask) != perm_mask) {
     perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask);
 
-    if (id.compare(RGW_USER_ANON_ID)) {
+    if (false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))) {
       /* this is not the anonymous user */
       perm |= acl.get_group_perm(ACL_GROUP_AUTHENTICATED_USERS, perm_mask);
     }
   }
 
-  ldout(cct, 5) << "Getting permissions id=" << id << " owner=" << owner.get_id() << " perm=" << perm << dendl;
+  ldout(cct, 5) << "Getting permissions identity=" << auth_identity
+                << " owner=" << owner.get_id()
+                << " perm=" << perm << dendl;
 
   return perm;
 }
 
-bool RGWAccessControlPolicy::verify_permission(rgw_user& uid, int user_perm_mask, int perm)
+bool RGWAccessControlPolicy::verify_permission(const RGWIdentityApplier& auth_identity,
+                                               const int user_perm_mask,
+                                               const int perm)
 {
   int test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
 
-  int policy_perm = get_perm(uid, test_perm);
+  int policy_perm = get_perm(auth_identity, test_perm);
 
   /* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just convert those bits. Note that these bits will only be set on
@@ -110,7 +114,11 @@ bool RGWAccessControlPolicy::verify_permission(rgw_user& uid, int user_perm_mask
   int acl_perm = policy_perm & perm & user_perm_mask;
 
-  ldout(cct, 10) << " uid=" << uid << " requested perm (type)=" << perm << ", policy perm=" << policy_perm << ", user_perm_mask=" << user_perm_mask << ", acl perm=" << acl_perm << dendl;
+  ldout(cct, 10) << " identity=" << auth_identity
+                 << " requested perm (type)=" << perm
+                 << ", policy perm=" << policy_perm
+                 << ", user_perm_mask=" << user_perm_mask
+                 << ", acl perm=" << acl_perm << dendl;
 
   return (perm == acl_perm);
 }
diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h
index fe7249c3c1e06..8aca31504c3c9 100644
--- a/src/rgw/rgw_acl.h
+++ b/src/rgw/rgw_acl.h
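Review bot: In `RGWAccessControlPolicy::get_perm` the `ACL_GROUP_AUTHENTICATED_USERS` grant is now applied whenever `false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))`, so "is this request anonymous" has become a question of the applier's ownership semantics rather than the direct identity comparison the old `id.compare(RGW_USER_ANON_ID)` made. If any applier answers `is_owner_of` for the anonymous user differently from that comparison (for instance returning false because it does not model ownership for unauthenticated requests), an anonymous request would pick up the authenticated-users group permissions, which is exactly the case this branch exists to exclude. A dedicated predicate on the applier would make the intent explicit and robust, e.g. `if (!auth_identity.is_anonymous()) {`, and would also drop the `false ==` idiom and the temporary `rgw_user` constructed on every call. `RGWAccessControlPolicy::get_perm` starts outside this hunk, in the preceding one.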
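Review bot: `verify_permission` now streams `auth_identity` itself into the level-10 log line (the level-5 lines in both `get_perm` hunks do the same), so the applier's `operator<<` has become part of what the authorization path writes to logs on every request. Its definition is not in this patch; it is worth confirming that the rendering is limited to principal identifiers (user/subuser ids or similar) and never includes credential material, since debug logs are routinely collected and shared. A short comment at the log statement, e.g. `// auth_identity's operator<< must print only principal ids, never credentials`, would record that expectation for whoever next extends the applier. The opening of `verify_permission` is in the preceding hunk.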
@@ -186,6 +186,8 @@ public:
 };
 WRITE_CLASS_ENCODER(ACLGrant)
 
+class RGWIdentityApplier;
+
 class RGWAccessControlList
 {
 protected:
@@ -204,7 +206,8 @@ public:
   virtual ~RGWAccessControlList() {}
 
-  int get_perm(rgw_user& id, int perm_mask);
+  int get_perm(const RGWIdentityApplier& auth_identity,
+               int perm_mask);
   int get_group_perm(ACLGroupTypeEnum group, int perm_mask);
   void encode(bufferlist& bl) const {
     ENCODE_START(3, 3, bl);
@@ -302,9 +305,12 @@ public:
     acl.set_ctx(ctx);
   }
 
-  int get_perm(rgw_user& id, int perm_mask);
+  int get_perm(const RGWIdentityApplier& auth_identity,
+               int perm_mask);
   int get_group_perm(ACLGroupTypeEnum group, int perm_mask);
-  bool verify_permission(rgw_user& uid, int user_perm_mask, int perm);
+  bool verify_permission(const RGWIdentityApplier& auth_identity,
+                         int user_perm_mask,
+                         int perm);
   void encode(bufferlist& bl) const {
     ENCODE_START(2, 2, bl);
-- 
2.39.5
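Review bot: The new `get_perm` declaration in the `RGWAccessControlList` hunk at `@@ -204`, and the `get_perm` / `verify_permission` declarations in the `RGWAccessControlPolicy` hunk at `@@ -302`, introduce an identity-based contract into the public ACL API but carry no documentation of it; callers now need to know that `perm_mask` is ANDed with the permissions the applier derives from the ACL, and that `verify_permission` returns true only when every bit of `perm` survives both the policy and `user_perm_mask` (the definition computes `acl_perm = policy_perm & perm & user_perm_mask` and returns `perm == acl_perm`). A doc comment on `RGWAccessControlPolicy::verify_permission` describing the three parameters, that `user_perm_mask` caps what the identity may be granted regardless of the ACL, and that ownership additionally grants the ACP bits would capture that. The definition side marks the parameters `const int` while these declarations do not; top-level `const` does not change the signature, but keeping declaration and definition identical spares a reader from looking for a difference that is not there.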