1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
10 #include <boost/regex.hpp>
12 #include "rapidjson/reader.h"
14 #include "common/backport14.h"
16 #include <arpa/inet.h>
17 #include "rgw_iam_policy.h"
20 constexpr int dout_subsys = ceph_subsys_rgw;
30 using std::stringstream;
34 using std::unordered_map;
36 using boost::container::flat_set;
38 using boost::optional;
40 using boost::regex_constants::ECMAScript;
41 using boost::regex_constants::optimize;
42 using boost::regex_match;
45 using rapidjson::BaseReaderHandler;
46 using rapidjson::UTF8;
47 using rapidjson::SizeType;
48 using rapidjson::Reader;
49 using rapidjson::kParseCommentsFlag;
50 using rapidjson::kParseNumbersAsStringsFlag;
51 using rapidjson::StringStream;
52 using rapidjson::ParseResult;
54 using rgw::auth::Principal;
58 #include "rgw_iam_policy_keywords.frag.cc"
66 optional<Partition> to_partition(const smatch::value_type& p,
69 return Partition::aws;
70 } else if (p == "aws-cn") {
71 return Partition::aws_cn;
72 } else if (p == "aws-us-gov") {
73 return Partition::aws_us_gov;
74 } else if (p == "*" && wildcards) {
75 return Partition::wildcard;
83 optional<Service> to_service(const smatch::value_type& s,
85 static const unordered_map<string, Service> services = {
86 { "acm", Service::acm },
87 { "apigateway", Service::apigateway },
88 { "appstream", Service::appstream },
89 { "artifact", Service::artifact },
90 { "autoscaling", Service::autoscaling },
91 { "aws-marketplace", Service::aws_marketplace },
92 { "aws-marketplace-management",
93 Service::aws_marketplace_management },
94 { "aws-portal", Service::aws_portal },
95 { "cloudformation", Service::cloudformation },
96 { "cloudfront", Service::cloudfront },
97 { "cloudhsm", Service::cloudhsm },
98 { "cloudsearch", Service::cloudsearch },
99 { "cloudtrail", Service::cloudtrail },
100 { "cloudwatch", Service::cloudwatch },
101 { "codebuild", Service::codebuild },
102 { "codecommit", Service::codecommit },
103 { "codedeploy", Service::codedeploy },
104 { "codepipeline", Service::codepipeline },
105 { "cognito-identity", Service::cognito_identity },
106 { "cognito-idp", Service::cognito_idp },
107 { "cognito-sync", Service::cognito_sync },
108 { "config", Service::config },
109 { "datapipeline", Service::datapipeline },
110 { "devicefarm", Service::devicefarm },
111 { "directconnect", Service::directconnect },
112 { "dms", Service::dms },
113 { "ds", Service::ds },
114 { "dynamodb", Service::dynamodb },
115 { "ec2", Service::ec2 },
116 { "ecr", Service::ecr },
117 { "ecs", Service::ecs },
118 { "elasticache", Service::elasticache },
119 { "elasticbeanstalk", Service::elasticbeanstalk },
120 { "elasticfilesystem", Service::elasticfilesystem },
121 { "elasticloadbalancing", Service::elasticloadbalancing },
122 { "elasticmapreduce", Service::elasticmapreduce },
123 { "elastictranscoder", Service::elastictranscoder },
124 { "es", Service::es },
125 { "events", Service::events },
126 { "firehose", Service::firehose },
127 { "gamelift", Service::gamelift },
128 { "glacier", Service::glacier },
129 { "health", Service::health },
130 { "iam", Service::iam },
131 { "importexport", Service::importexport },
132 { "inspector", Service::inspector },
133 { "iot", Service::iot },
134 { "kinesis", Service::kinesis },
135 { "kinesisanalytics", Service::kinesisanalytics },
136 { "kms", Service::kms },
137 { "lambda", Service::lambda },
138 { "lightsail", Service::lightsail },
139 { "logs", Service::logs },
140 { "machinelearning", Service::machinelearning },
141 { "mobileanalytics", Service::mobileanalytics },
142 { "mobilehub", Service::mobilehub },
143 { "opsworks", Service::opsworks },
144 { "opsworks-cm", Service::opsworks_cm },
145 { "polly", Service::polly },
146 { "rds", Service::rds },
147 { "redshift", Service::redshift },
148 { "route53", Service::route53 },
149 { "route53domains", Service::route53domains },
150 { "s3", Service::s3 },
151 { "sdb", Service::sdb },
152 { "servicecatalog", Service::servicecatalog },
153 { "ses", Service::ses },
154 { "sns", Service::sns },
155 { "sqs", Service::sqs },
156 { "ssm", Service::ssm },
157 { "states", Service::states },
158 { "storagegateway", Service::storagegateway },
159 { "sts", Service::sts },
160 { "support", Service::support },
161 { "swf", Service::swf },
162 { "trustedadvisor", Service::trustedadvisor },
163 { "waf", Service::waf },
164 { "workmail", Service::workmail },
165 { "workspaces", Service::workspaces }};
167 if (wildcards && s == "*") {
168 return Service::wildcard;
171 auto i = services.find(s);
172 if (i == services.end()) {
180 ARN::ARN(const rgw_obj& o)
181 : partition(Partition::aws),
182 service(Service::s3),
184 account(o.bucket.tenant),
185 resource(o.bucket.name)
187 resource.push_back('/');
188 resource.append(o.key.name);
191 ARN::ARN(const rgw_bucket& b)
192 : partition(Partition::aws),
193 service(Service::s3),
198 ARN::ARN(const rgw_bucket& b, const string& o)
199 : partition(Partition::aws),
200 service(Service::s3),
204 resource.push_back('/');
208 optional<ARN> ARN::parse(const string& s, bool wildcards) {
209 static const char str_wild[] = "arn:([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)";
210 static const regex rx_wild(str_wild,
211 sizeof(str_wild) - 1,
212 ECMAScript | optimize);
213 static const char str_no_wild[]
214 = "arn:([^:*]*):([^:*]*):([^:*]*):([^:*]*):([^:*]*)";
215 static const regex rx_no_wild(str_no_wild,
216 sizeof(str_no_wild) - 1,
217 ECMAScript | optimize);
221 if ((s == "*") && wildcards) {
222 return ARN(Partition::wildcard, Service::wildcard, "*", "*", "*");
223 } else if (regex_match(s, match, wildcards ? rx_wild : rx_no_wild)) {
224 if (match.size() != 6) {
230 auto p = to_partition(match[1], wildcards);
237 auto s = to_service(match[2], wildcards);
245 a.account = match[4];
246 a.resource = match[5];
253 string ARN::to_string() const {
256 if (partition == Partition::aws) {
258 } else if (partition == Partition::aws_cn) {
260 } else if (partition == Partition::aws_us_gov) {
261 s.append("aws-us-gov:");
266 static const unordered_map<Service, string> services = {
267 { Service::acm, "acm" },
268 { Service::apigateway, "apigateway" },
269 { Service::appstream, "appstream" },
270 { Service::artifact, "artifact" },
271 { Service::autoscaling, "autoscaling" },
272 { Service::aws_marketplace, "aws-marketplace" },
273 { Service::aws_marketplace_management, "aws-marketplace-management" },
274 { Service::aws_portal, "aws-portal" },
275 { Service::cloudformation, "cloudformation" },
276 { Service::cloudfront, "cloudfront" },
277 { Service::cloudhsm, "cloudhsm" },
278 { Service::cloudsearch, "cloudsearch" },
279 { Service::cloudtrail, "cloudtrail" },
280 { Service::cloudwatch, "cloudwatch" },
281 { Service::codebuild, "codebuild" },
282 { Service::codecommit, "codecommit" },
283 { Service::codedeploy, "codedeploy" },
284 { Service::codepipeline, "codepipeline" },
285 { Service::cognito_identity, "cognito-identity" },
286 { Service::cognito_idp, "cognito-idp" },
287 { Service::cognito_sync, "cognito-sync" },
288 { Service::config, "config" },
289 { Service::datapipeline, "datapipeline" },
290 { Service::devicefarm, "devicefarm" },
291 { Service::directconnect, "directconnect" },
292 { Service::dms, "dms" },
293 { Service::ds, "ds" },
294 { Service::dynamodb, "dynamodb" },
295 { Service::ec2, "ec2" },
296 { Service::ecr, "ecr" },
297 { Service::ecs, "ecs" },
298 { Service::elasticache, "elasticache" },
299 { Service::elasticbeanstalk, "elasticbeanstalk" },
300 { Service::elasticfilesystem, "elasticfilesystem" },
301 { Service::elasticloadbalancing, "elasticloadbalancing" },
302 { Service::elasticmapreduce, "elasticmapreduce" },
303 { Service::elastictranscoder, "elastictranscoder" },
304 { Service::es, "es" },
305 { Service::events, "events" },
306 { Service::firehose, "firehose" },
307 { Service::gamelift, "gamelift" },
308 { Service::glacier, "glacier" },
309 { Service::health, "health" },
310 { Service::iam, "iam" },
311 { Service::importexport, "importexport" },
312 { Service::inspector, "inspector" },
313 { Service::iot, "iot" },
314 { Service::kinesis, "kinesis" },
315 { Service::kinesisanalytics, "kinesisanalytics" },
316 { Service::kms, "kms" },
317 { Service::lambda, "lambda" },
318 { Service::lightsail, "lightsail" },
319 { Service::logs, "logs" },
320 { Service::machinelearning, "machinelearning" },
321 { Service::mobileanalytics, "mobileanalytics" },
322 { Service::mobilehub, "mobilehub" },
323 { Service::opsworks, "opsworks" },
324 { Service::opsworks_cm, "opsworks-cm" },
325 { Service::polly, "polly" },
326 { Service::rds, "rds" },
327 { Service::redshift, "redshift" },
328 { Service::route53, "route53" },
329 { Service::route53domains, "route53domains" },
330 { Service::s3, "s3" },
331 { Service::sdb, "sdb" },
332 { Service::servicecatalog, "servicecatalog" },
333 { Service::ses, "ses" },
334 { Service::sns, "sns" },
335 { Service::sqs, "sqs" },
336 { Service::ssm, "ssm" },
337 { Service::states, "states" },
338 { Service::storagegateway, "storagegateway" },
339 { Service::sts, "sts" },
340 { Service::support, "support" },
341 { Service::swf, "swf" },
342 { Service::trustedadvisor, "trustedadvisor" },
343 { Service::waf, "waf" },
344 { Service::workmail, "workmail" },
345 { Service::workspaces, "workspaces" }};
347 auto i = services.find(service);
348 if (i != services.end()) {
366 bool operator ==(const ARN& l, const ARN& r) {
367 return ((l.partition == r.partition) &&
368 (l.service == r.service) &&
369 (l.region == r.region) &&
370 (l.account == r.account) &&
371 (l.resource == r.resource));
373 bool operator <(const ARN& l, const ARN& r) {
374 return ((l.partition < r.partition) ||
375 (l.service < r.service) ||
376 (l.region < r.region) ||
377 (l.account < r.account) ||
378 (l.resource < r.resource));
381 // The candidate is not allowed to have wildcards. The only way to
382 // do that sanely would be to use unification rather than matching.
383 bool ARN::match(const ARN& candidate) const {
384 if ((candidate.partition == Partition::wildcard) ||
385 (partition != candidate.partition && partition
386 != Partition::wildcard)) {
390 if ((candidate.service == Service::wildcard) ||
391 (service != candidate.service && service != Service::wildcard)) {
395 if (!match_policy(region, candidate.region, MATCH_POLICY_ARN)) {
399 if (!match_policy(account, candidate.account, MATCH_POLICY_ARN)) {
403 if (!match_policy(resource, candidate.resource, MATCH_POLICY_ARN)) {
410 static const actpair actpairs[] =
411 {{ "s3:AbortMultipartUpload", s3AbortMultipartUpload },
412 { "s3:CreateBucket", s3CreateBucket },
413 { "s3:DeleteBucketPolicy", s3DeleteBucketPolicy },
414 { "s3:DeleteBucket", s3DeleteBucket },
415 { "s3:DeleteBucketWebsite", s3DeleteBucketWebsite },
416 { "s3:DeleteObject", s3DeleteObject },
417 { "s3:DeleteObjectVersion", s3DeleteObjectVersion },
418 { "s3:DeleteObjectTagging", s3DeleteObjectTagging },
419 { "s3:DeleteObjectVersionTagging", s3DeleteObjectVersionTagging },
420 { "s3:DeleteReplicationConfiguration", s3DeleteReplicationConfiguration },
421 { "s3:GetAccelerateConfiguration", s3GetAccelerateConfiguration },
422 { "s3:GetBucketAcl", s3GetBucketAcl },
423 { "s3:GetBucketCORS", s3GetBucketCORS },
424 { "s3:GetBucketLocation", s3GetBucketLocation },
425 { "s3:GetBucketLogging", s3GetBucketLogging },
426 { "s3:GetBucketNotification", s3GetBucketNotification },
427 { "s3:GetBucketPolicy", s3GetBucketPolicy },
428 { "s3:GetBucketRequestPayment", s3GetBucketRequestPayment },
429 { "s3:GetBucketTagging", s3GetBucketTagging },
430 { "s3:GetBucketVersioning", s3GetBucketVersioning },
431 { "s3:GetBucketWebsite", s3GetBucketWebsite },
432 { "s3:GetLifecycleConfiguration", s3GetLifecycleConfiguration },
433 { "s3:GetObjectAcl", s3GetObjectAcl },
434 { "s3:GetObject", s3GetObject },
435 { "s3:GetObjectTorrent", s3GetObjectTorrent },
436 { "s3:GetObjectVersionAcl", s3GetObjectVersionAcl },
437 { "s3:GetObjectVersion", s3GetObjectVersion },
438 { "s3:GetObjectVersionTorrent", s3GetObjectVersionTorrent },
439 { "s3:GetObjectTagging", s3GetObjectTagging },
440 { "s3:GetObjectVersionTagging", s3GetObjectVersionTagging},
441 { "s3:GetReplicationConfiguration", s3GetReplicationConfiguration },
442 { "s3:ListAllMyBuckets", s3ListAllMyBuckets },
443 { "s3:ListBucketMultiPartUploads", s3ListBucketMultiPartUploads },
444 { "s3:ListBucket", s3ListBucket },
445 { "s3:ListBucketVersions", s3ListBucketVersions },
446 { "s3:ListMultipartUploadParts", s3ListMultipartUploadParts },
447 { "s3:PutAccelerateConfiguration", s3PutAccelerateConfiguration },
448 { "s3:PutBucketAcl", s3PutBucketAcl },
449 { "s3:PutBucketCORS", s3PutBucketCORS },
450 { "s3:PutBucketLogging", s3PutBucketLogging },
451 { "s3:PutBucketNotification", s3PutBucketNotification },
452 { "s3:PutBucketPolicy", s3PutBucketPolicy },
453 { "s3:PutBucketRequestPayment", s3PutBucketRequestPayment },
454 { "s3:PutBucketTagging", s3PutBucketTagging },
455 { "s3:PutBucketVersioning", s3PutBucketVersioning },
456 { "s3:PutBucketWebsite", s3PutBucketWebsite },
457 { "s3:PutLifecycleConfiguration", s3PutLifecycleConfiguration },
458 { "s3:PutObjectAcl", s3PutObjectAcl },
459 { "s3:PutObject", s3PutObject },
460 { "s3:PutObjectVersionAcl", s3PutObjectVersionAcl },
461 { "s3:PutObjectTagging", s3PutObjectTagging },
462 { "s3:PutObjectVersionTagging", s3PutObjectVersionTagging },
463 { "s3:PutReplicationConfiguration", s3PutReplicationConfiguration },
464 { "s3:RestoreObject", s3RestoreObject }};
468 const Keyword top[1]{"<Top>", TokenKind::pseudo, TokenID::Top, 0, false,
470 const Keyword cond_key[1]{"<Condition Key>", TokenKind::cond_key,
471 TokenID::CondKey, 0, true, false};
477 bool arraying = false;
478 bool objecting = false;
479 bool cond_ifexists = false;
483 ParseState(PolicyParser* pp, const Keyword* w)
491 if (w->arrayable && !arraying) {
500 bool key(const char* s, size_t l);
501 bool do_string(CephContext* cct, const char* s, size_t l);
502 bool number(const char* str, size_t l);
505 // If this confuses you, look up the Curiously Recurring Template Pattern
506 struct PolicyParser : public BaseReaderHandler<UTF8<>, PolicyParser> {
508 std::vector<ParseState> s;
510 const string& tenant;
516 uint32_t dex(TokenID in) const {
518 case TokenID::Version:
522 case TokenID::Statement:
526 case TokenID::Effect:
528 case TokenID::Principal:
530 case TokenID::NotPrincipal:
532 case TokenID::Action:
534 case TokenID::NotAction:
536 case TokenID::Resource:
538 case TokenID::NotResource:
540 case TokenID::Condition:
544 case TokenID::Federated:
546 case TokenID::Service:
548 case TokenID::CanonicalUser:
554 bool test(TokenID in) {
555 return seen & dex(in);
557 void set(TokenID in) {
559 if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
560 dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
561 dex(TokenID::Action) | dex(TokenID::NotAction) |
562 dex(TokenID::Resource) | dex(TokenID::NotResource) |
563 dex(TokenID::Condition) | dex(TokenID::AWS) |
564 dex(TokenID::Federated) | dex(TokenID::Service) |
565 dex(TokenID::CanonicalUser))) {
569 void set(std::initializer_list<TokenID> l) {
572 if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
573 dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
574 dex(TokenID::Action) | dex(TokenID::NotAction) |
575 dex(TokenID::Resource) | dex(TokenID::NotResource) |
576 dex(TokenID::Condition) | dex(TokenID::AWS) |
577 dex(TokenID::Federated) | dex(TokenID::Service) |
578 dex(TokenID::CanonicalUser))) {
583 void reset(TokenID in) {
585 if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
586 dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
587 dex(TokenID::Action) | dex(TokenID::NotAction) |
588 dex(TokenID::Resource) | dex(TokenID::NotResource) |
589 dex(TokenID::Condition) | dex(TokenID::AWS) |
590 dex(TokenID::Federated) | dex(TokenID::Service) |
591 dex(TokenID::CanonicalUser))) {
595 void reset(std::initializer_list<TokenID> l) {
598 if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
599 dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
600 dex(TokenID::Action) | dex(TokenID::NotAction) |
601 dex(TokenID::Resource) | dex(TokenID::NotResource) |
602 dex(TokenID::Condition) | dex(TokenID::AWS) |
603 dex(TokenID::Federated) | dex(TokenID::Service) |
604 dex(TokenID::CanonicalUser))) {
609 void reset(uint32_t& v) {
614 PolicyParser(CephContext* cct, const string& tenant, Policy& policy)
615 : cct(cct), tenant(tenant), policy(policy) {}
616 PolicyParser(const PolicyParser& policy) = delete;
620 s.push_back({this, top});
621 s.back().objecting = true;
625 return s.back().obj_start();
627 bool EndObject(SizeType memberCount) {
631 return s.back().obj_end();
633 bool Key(const char* str, SizeType length, bool copy) {
637 return s.back().key(str, length);
640 bool String(const char* str, SizeType length, bool copy) {
644 return s.back().do_string(cct, str, length);
646 bool RawNumber(const char* str, SizeType length, bool copy) {
651 return s.back().number(str, length);
658 return s.back().array_start();
660 bool EndArray(SizeType) {
665 return s.back().array_end();
674 // I really despise this misfeature of C++.
676 bool ParseState::obj_end() {
689 bool ParseState::key(const char* s, size_t l) {
691 bool ifexists = false;
692 if (w->id == TokenID::Condition && w->kind == TokenKind::statement) {
693 static constexpr char IfExists[] = "IfExists";
694 if (boost::algorithm::ends_with(boost::string_view{s, l}, IfExists)) {
696 token_len -= sizeof(IfExists)-1;
699 auto k = pp->tokens.lookup(s, token_len);
702 if (w->kind == TokenKind::cond_op) {
704 auto& t = pp->policy.statements.back();
705 auto c_ife = cond_ifexists;
706 pp->s.emplace_back(pp, cond_key);
707 t.conditions.emplace_back(id, s, l, c_ife);
714 // If the token we're going with belongs within the condition at the
715 // top of the stack and we haven't already encountered it, push it
718 if ((((w->id == TokenID::Top) && (k->kind == TokenKind::top)) ||
720 ((w->id == TokenID::Statement) && (k->kind == TokenKind::statement)) ||
723 ((w->id == TokenID::Principal || w->id == TokenID::NotPrincipal) &&
724 (k->kind == TokenKind::princ_type))) &&
726 // Check that it hasn't been encountered. Note that this
727 // conjoins with the run of disjunctions above.
730 pp->s.emplace_back(pp, k);
732 } else if ((w->id == TokenID::Condition) &&
733 (k->kind == TokenKind::cond_op)) {
734 pp->s.emplace_back(pp, k);
735 pp->s.back().cond_ifexists = ifexists;
741 // I should just rewrite a few helper functions to use iterators,
742 // which will make all of this ever so much nicer.
743 static optional<Principal> parse_principal(CephContext* cct, TokenID t,
746 if ((t == TokenID::AWS) && (s == "*")) {
747 return Principal::wildcard();
749 // Do nothing for now.
750 } else if (t == TokenID::CanonicalUser) {
753 } else if (t == TokenID::AWS) {
754 auto a = ARN::parse(s);
756 if (std::none_of(s.begin(), s.end(),
758 return (c == ':') || (c == '/');
760 // Since tenants are simply prefixes, there's no really good
761 // way to see if one exists or not. So we return the thing and
762 // let them try to match against it.
763 return Principal::tenant(std::move(s));
767 if (a->resource == "root") {
768 return Principal::tenant(std::move(a->account));
771 static const char rx_str[] = "([^/]*)/(.*)";
772 static const regex rx(rx_str, sizeof(rx_str) - 1,
773 ECMAScript | optimize);
775 if (regex_match(a->resource, match, rx)) {
776 if (match.size() != 3) {
780 if (match[1] == "user") {
781 return Principal::user(std::move(a->account),
785 if (match[1] == "role") {
786 return Principal::role(std::move(a->account),
792 ldout(cct, 0) << "Supplied principal is discarded: " << s << dendl;
796 bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
797 auto k = pp->tokens.lookup(s, l);
798 Policy& p = pp->policy;
799 Statement* t = p.statements.empty() ? nullptr : &(p.statements.back());
802 if ((w->id == TokenID::Version) && k &&
803 k->kind == TokenKind::version_key) {
804 p.version = static_cast<Version>(k->specific);
805 } else if (w->id == TokenID::Id) {
810 } else if (w->id == TokenID::Sid) {
811 t->sid.emplace(s, l);
812 } else if ((w->id == TokenID::Effect) &&
813 k->kind == TokenKind::effect_key) {
814 t->effect = static_cast<Effect>(k->specific);
815 } else if (w->id == TokenID::Principal && s && *s == '*') {
816 t->princ.emplace(Principal::wildcard());
817 } else if (w->id == TokenID::NotPrincipal && s && *s == '*') {
818 t->noprinc.emplace(Principal::wildcard());
819 } else if ((w->id == TokenID::Action) ||
820 (w->id == TokenID::NotAction)) {
821 for (auto& p : actpairs) {
822 if (match_policy({s, l}, p.name, MATCH_POLICY_ACTION)) {
823 (w->id == TokenID::Action ? t->action : t->notaction) |= p.bit;
826 } else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) {
827 auto a = ARN::parse({s, l}, true);
828 // You can't specify resources for someone ELSE'S account.
829 if (a && (a->account.empty() || a->account == pp->tenant ||
830 a->account == "*")) {
831 if (a->account.empty() || a->account == "*")
832 a->account = pp->tenant;
833 (w->id == TokenID::Resource ? t->resource : t->notresource)
834 .emplace(std::move(*a));
837 ldout(cct, 0) << "Supplied resource is discarded: " << string(s, l)
839 } else if (w->kind == TokenKind::cond_key) {
840 auto& t = pp->policy.statements.back();
841 t.conditions.back().vals.emplace_back(s, l);
845 } else if (w->kind == TokenKind::princ_type) {
846 if (pp->s.size() <= 1) {
849 auto& pri = pp->s[pp->s.size() - 2].w->id == TokenID::Principal ?
850 t->princ : t->noprinc;
852 auto o = parse_principal(pp->cct, w->id, string(s, l));
854 pri.emplace(std::move(*o));
869 bool ParseState::number(const char* s, size_t l) {
871 if (w->kind == TokenKind::cond_key) {
872 auto& t = pp->policy.statements.back();
873 t.conditions.back().vals.emplace_back(s, l);
888 void ParseState::reset() {
892 bool ParseState::obj_start() {
893 if (w->objectable && !objecting) {
895 if (w->id == TokenID::Statement) {
896 pp->policy.statements.push_back({});
906 bool ParseState::array_end() {
907 if (arraying && !objecting) {
915 ostream& operator <<(ostream& m, const MaskedIP& ip) {
916 // I have a theory about why std::bitset is the way it is.
918 for (int i = 15; i >= 0; --i) {
920 for (int j = 7; j >= 0; --j) {
921 b |= (ip.addr[(i * 8) + j] << j);
929 // It involves Satan.
930 for (int i = 3; i >= 0; --i) {
932 for (int j = 7; j >= 0; --j) {
933 b |= (ip.addr[(i * 8) + j] << j);
941 m << "/" << ip.prefix;
942 // It would explain a lot
946 string to_string(const MaskedIP& m) {
952 bool Condition::eval(const Environment& env) const {
953 auto i = env.find(key);
954 if (op == TokenID::Null) {
955 return i == env.end() ? true : false;
958 if (i == env.end()) {
961 const auto& s = i->second;
965 case TokenID::StringEquals:
966 return orrible(std::equal_to<std::string>(), s, vals);
968 case TokenID::StringNotEquals:
969 return orrible(ceph::not_fn(std::equal_to<std::string>()),
972 case TokenID::StringEqualsIgnoreCase:
973 return orrible(ci_equal_to(), s, vals);
975 case TokenID::StringNotEqualsIgnoreCase:
976 return orrible(ceph::not_fn(ci_equal_to()), s, vals);
978 case TokenID::StringLike:
979 return orrible(string_like(), s, vals);
981 case TokenID::StringNotLike:
982 return orrible(ceph::not_fn(string_like()), s, vals);
985 case TokenID::NumericEquals:
986 return shortible(std::equal_to<double>(), as_number, s, vals);
988 case TokenID::NumericNotEquals:
989 return shortible(ceph::not_fn(std::equal_to<double>()),
993 case TokenID::NumericLessThan:
994 return shortible(std::less<double>(), as_number, s, vals);
997 case TokenID::NumericLessThanEquals:
998 return shortible(std::less_equal<double>(), as_number, s, vals);
1000 case TokenID::NumericGreaterThan:
1001 return shortible(std::greater<double>(), as_number, s, vals);
1003 case TokenID::NumericGreaterThanEquals:
1004 return shortible(std::greater_equal<double>(), as_number, s, vals);
1007 case TokenID::DateEquals:
1008 return shortible(std::equal_to<ceph::real_time>(), as_date, s, vals);
1010 case TokenID::DateNotEquals:
1011 return shortible(ceph::not_fn(std::equal_to<ceph::real_time>()),
1014 case TokenID::DateLessThan:
1015 return shortible(std::less<ceph::real_time>(), as_date, s, vals);
1018 case TokenID::DateLessThanEquals:
1019 return shortible(std::less_equal<ceph::real_time>(), as_date, s, vals);
1021 case TokenID::DateGreaterThan:
1022 return shortible(std::greater<ceph::real_time>(), as_date, s, vals);
1024 case TokenID::DateGreaterThanEquals:
1025 return shortible(std::greater_equal<ceph::real_time>(), as_date, s,
1030 return shortible(std::equal_to<bool>(), as_bool, s, vals);
1033 case TokenID::BinaryEquals:
1034 return shortible(std::equal_to<ceph::bufferlist>(), as_binary, s,
1038 case TokenID::IpAddress:
1039 return shortible(std::equal_to<MaskedIP>(), as_network, s, vals);
1041 case TokenID::NotIpAddress:
1042 return shortible(ceph::not_fn(std::equal_to<MaskedIP>()), as_network, s,
1046 // Amazon Resource Names! (Does S3 need this?)
1047 TokenID::ArnEquals, TokenID::ArnNotEquals, TokenID::ArnLike,
1048 TokenID::ArnNotLike,
1056 optional<MaskedIP> Condition::as_network(const string& s) {
1063 auto slash = s.find('/');
1064 if (slash == string::npos) {
1065 m.prefix = m.v6 ? 128 : 32;
1068 m.prefix = strtoul(s.data() + slash + 1, &end, 10);
1069 if (*end != 0 || (m.v6 && m.prefix > 128) ||
1070 (!m.v6 && m.prefix > 32)) {
1078 if (slash != string::npos) {
1079 t.assign(s, 0, slash);
1084 struct sockaddr_in6 a;
1085 if (inet_pton(AF_INET6, p->c_str(), static_cast<void*>(&a)) != 1) {
1089 m.addr |= Address(a.sin6_addr.s6_addr[0]) << 0;
1090 m.addr |= Address(a.sin6_addr.s6_addr[1]) << 8;
1091 m.addr |= Address(a.sin6_addr.s6_addr[2]) << 16;
1092 m.addr |= Address(a.sin6_addr.s6_addr[3]) << 24;
1093 m.addr |= Address(a.sin6_addr.s6_addr[4]) << 32;
1094 m.addr |= Address(a.sin6_addr.s6_addr[5]) << 40;
1095 m.addr |= Address(a.sin6_addr.s6_addr[6]) << 48;
1096 m.addr |= Address(a.sin6_addr.s6_addr[7]) << 56;
1097 m.addr |= Address(a.sin6_addr.s6_addr[8]) << 64;
1098 m.addr |= Address(a.sin6_addr.s6_addr[9]) << 72;
1099 m.addr |= Address(a.sin6_addr.s6_addr[10]) << 80;
1100 m.addr |= Address(a.sin6_addr.s6_addr[11]) << 88;
1101 m.addr |= Address(a.sin6_addr.s6_addr[12]) << 96;
1102 m.addr |= Address(a.sin6_addr.s6_addr[13]) << 104;
1103 m.addr |= Address(a.sin6_addr.s6_addr[14]) << 112;
1104 m.addr |= Address(a.sin6_addr.s6_addr[15]) << 120;
1106 struct sockaddr_in a;
1107 if (inet_pton(AF_INET, p->c_str(), static_cast<void*>(&a)) != 1) {
1110 m.addr = ntohl(a.sin_addr.s_addr);
1117 const char* condop_string(const TokenID t) {
1119 case TokenID::StringEquals:
1120 return "StringEquals";
1122 case TokenID::StringNotEquals:
1123 return "StringNotEquals";
1125 case TokenID::StringEqualsIgnoreCase:
1126 return "StringEqualsIgnoreCase";
1128 case TokenID::StringNotEqualsIgnoreCase:
1129 return "StringNotEqualsIgnoreCase";
1131 case TokenID::StringLike:
1132 return "StringLike";
1134 case TokenID::StringNotLike:
1135 return "StringNotLike";
1138 case TokenID::NumericEquals:
1139 return "NumericEquals";
1141 case TokenID::NumericNotEquals:
1142 return "NumericNotEquals";
1144 case TokenID::NumericLessThan:
1145 return "NumericLessThan";
1147 case TokenID::NumericLessThanEquals:
1148 return "NumericLessThanEquals";
1150 case TokenID::NumericGreaterThan:
1151 return "NumericGreaterThan";
1153 case TokenID::NumericGreaterThanEquals:
1154 return "NumericGreaterThanEquals";
1156 case TokenID::DateEquals:
1157 return "DateEquals";
1159 case TokenID::DateNotEquals:
1160 return "DateNotEquals";
1162 case TokenID::DateLessThan:
1163 return "DateLessThan";
1165 case TokenID::DateLessThanEquals:
1166 return "DateLessThanEquals";
1168 case TokenID::DateGreaterThan:
1169 return "DateGreaterThan";
1171 case TokenID::DateGreaterThanEquals:
1172 return "DateGreaterThanEquals";
1177 case TokenID::BinaryEquals:
1178 return "BinaryEquals";
1180 case TokenID::IpAddress:
1181 return "case TokenID::IpAddress";
1183 case TokenID::NotIpAddress:
1184 return "NotIpAddress";
1186 case TokenID::ArnEquals:
1189 case TokenID::ArnNotEquals:
1190 return "ArnNotEquals";
1192 case TokenID::ArnLike:
1195 case TokenID::ArnNotLike:
1196 return "ArnNotLike";
1202 return "InvalidConditionOperator";
1206 template<typename Iterator>
1207 ostream& print_array(ostream& m, Iterator begin, Iterator end) {
1211 auto beforelast = end - 1;
1213 for (auto i = begin; i != end; ++i) {
1215 if (i != beforelast) {
1227 ostream& operator <<(ostream& m, const Condition& c) {
1228 m << "{ " << condop_string(c.op);
1232 m << ": { " << c.key;
1233 print_array(m, c.vals.cbegin(), c.vals.cend());
1237 string to_string(const Condition& c) {
1243 Effect Statement::eval(const Environment& e,
1244 optional<const rgw::auth::Identity&> ida,
1245 uint64_t act, const ARN& res) const {
1246 if (ida && (!ida->is_identity(princ) || ida->is_identity(noprinc))) {
1247 return Effect::Pass;
1251 if (!std::any_of(resource.begin(), resource.end(),
1252 [&res](const ARN& pattern) {
1253 return pattern.match(res);
1255 (std::any_of(notresource.begin(), notresource.end(),
1256 [&res](const ARN& pattern) {
1257 return pattern.match(res);
1259 return Effect::Pass;
1262 if (!(action & act) || (notaction & act)) {
1263 return Effect::Pass;
1266 if (std::all_of(conditions.begin(),
1268 [&e](const Condition& c) { return c.eval(e);})) {
1272 return Effect::Pass;
1276 const char* action_bit_string(uint64_t action) {
1279 return "s3:GetObject";
1281 case s3GetObjectVersion:
1282 return "s3:GetObjectVersion";
1285 return "s3:PutObject";
1287 case s3GetObjectAcl:
1288 return "s3:GetObjectAcl";
1290 case s3GetObjectVersionAcl:
1291 return "s3:GetObjectVersionAcl";
1293 case s3PutObjectAcl:
1294 return "s3:PutObjectAcl";
1296 case s3PutObjectVersionAcl:
1297 return "s3:PutObjectVersionAcl";
1299 case s3DeleteObject:
1300 return "s3:DeleteObject";
1302 case s3DeleteObjectVersion:
1303 return "s3:DeleteObjectVersion";
1305 case s3ListMultipartUploadParts:
1306 return "s3:ListMultipartUploadParts";
1308 case s3AbortMultipartUpload:
1309 return "s3:AbortMultipartUpload";
1311 case s3GetObjectTorrent:
1312 return "s3:GetObjectTorrent";
1314 case s3GetObjectVersionTorrent:
1315 return "s3:GetObjectVersionTorrent";
1317 case s3RestoreObject:
1318 return "s3:RestoreObject";
1320 case s3CreateBucket:
1321 return "s3:CreateBucket";
1323 case s3DeleteBucket:
1324 return "s3:DeleteBucket";
1327 return "s3:ListBucket";
1329 case s3ListBucketVersions:
1330 return "s3:ListBucketVersions";
1331 case s3ListAllMyBuckets:
1332 return "s3:ListAllMyBuckets";
1334 case s3ListBucketMultiPartUploads:
1335 return "s3:ListBucketMultiPartUploads";
1337 case s3GetAccelerateConfiguration:
1338 return "s3:GetAccelerateConfiguration";
1340 case s3PutAccelerateConfiguration:
1341 return "s3:PutAccelerateConfiguration";
1343 case s3GetBucketAcl:
1344 return "s3:GetBucketAcl";
1346 case s3PutBucketAcl:
1347 return "s3:PutBucketAcl";
1349 case s3GetBucketCORS:
1350 return "s3:GetBucketCORS";
1352 case s3PutBucketCORS:
1353 return "s3:PutBucketCORS";
1355 case s3GetBucketVersioning:
1356 return "s3:GetBucketVersioning";
1358 case s3PutBucketVersioning:
1359 return "s3:PutBucketVersioning";
1361 case s3GetBucketRequestPayment:
1362 return "s3:GetBucketRequestPayment";
1364 case s3PutBucketRequestPayment:
1365 return "s3:PutBucketRequestPayment";
1367 case s3GetBucketLocation:
1368 return "s3:GetBucketLocation";
1370 case s3GetBucketPolicy:
1371 return "s3:GetBucketPolicy";
1373 case s3DeleteBucketPolicy:
1374 return "s3:DeleteBucketPolicy";
1376 case s3PutBucketPolicy:
1377 return "s3:PutBucketPolicy";
1379 case s3GetBucketNotification:
1380 return "s3:GetBucketNotification";
1382 case s3PutBucketNotification:
1383 return "s3:PutBucketNotification";
1385 case s3GetBucketLogging:
1386 return "s3:GetBucketLogging";
1388 case s3PutBucketLogging:
1389 return "s3:PutBucketLogging";
1391 case s3GetBucketTagging:
1392 return "s3:GetBucketTagging";
1394 case s3PutBucketTagging:
1395 return "s3:PutBucketTagging";
1397 case s3GetBucketWebsite:
1398 return "s3:GetBucketWebsite";
1400 case s3PutBucketWebsite:
1401 return "s3:PutBucketWebsite";
1403 case s3DeleteBucketWebsite:
1404 return "s3:DeleteBucketWebsite";
1406 case s3GetLifecycleConfiguration:
1407 return "s3:GetLifecycleConfiguration";
1409 case s3PutLifecycleConfiguration:
1410 return "s3:PutLifecycleConfiguration";
1412 case s3PutReplicationConfiguration:
1413 return "s3:PutReplicationConfiguration";
1415 case s3GetReplicationConfiguration:
1416 return "s3:GetReplicationConfiguration";
1418 case s3DeleteReplicationConfiguration:
1419 return "s3:DeleteReplicationConfiguration";
1421 case s3PutObjectTagging:
1422 return "s3:PutObjectTagging";
1424 case s3PutObjectVersionTagging:
1425 return "s3:PutObjectVersionTagging";
1427 case s3GetObjectTagging:
1428 return "s3:GetObjectTagging";
1430 case s3GetObjectVersionTagging:
1431 return "s3:GetObjectVersionTagging";
1433 case s3DeleteObjectTagging:
1434 return "s3:DeleteObjectTagging";
1436 case s3DeleteObjectVersionTagging:
1437 return "s3:DeleteObjectVersionTagging";
1442 ostream& print_actions(ostream& m, const uint64_t a) {
1445 for (auto i = 0U; i < s3Count; ++i) {
1452 m << action_bit_string(1 << i);
1464 ostream& operator <<(ostream& m, const Statement& s) {
1467 m << "Sid: " << *s.sid << ", ";
1469 if (!s.princ.empty()) {
1471 print_array(m, s.princ.cbegin(), s.princ.cend());
1474 if (!s.noprinc.empty()) {
1475 m << "NotPrincipal: ";
1476 print_array(m, s.noprinc.cbegin(), s.noprinc.cend());
1481 (s.effect == Effect::Allow ?
1482 (const char*) "Allow" :
1483 (const char*) "Deny");
1485 if (s.action || s.notaction || !s.resource.empty() ||
1486 !s.notresource.empty() || !s.conditions.empty()) {
1492 print_actions(m, s.action);
1494 if (s.notaction || !s.resource.empty() ||
1495 !s.notresource.empty() || !s.conditions.empty()) {
1502 print_actions(m, s.notaction);
1504 if (!s.resource.empty() || !s.notresource.empty() ||
1505 !s.conditions.empty()) {
1510 if (!s.resource.empty()) {
1512 print_array(m, s.resource.cbegin(), s.resource.cend());
1514 if (!s.notresource.empty() || !s.conditions.empty()) {
1519 if (!s.notresource.empty()) {
1520 m << "NotResource: ";
1521 print_array(m, s.notresource.cbegin(), s.notresource.cend());
1523 if (!s.conditions.empty()) {
1528 if (!s.conditions.empty()) {
1530 print_array(m, s.conditions.cbegin(), s.conditions.cend());
1536 string to_string(const Statement& s) {
1542 Policy::Policy(CephContext* cct, const string& tenant,
1543 const bufferlist& _text)
1544 : text(_text.to_str()) {
1545 StringStream ss(text.data());
1546 PolicyParser pp(cct, tenant, *this);
1547 auto pr = Reader{}.Parse<kParseNumbersAsStringsFlag |
1548 kParseCommentsFlag>(ss, pp);
1550 throw PolicyParseException(std::move(pr));
1554 Effect Policy::eval(const Environment& e,
1555 optional<const rgw::auth::Identity&> ida,
1556 std::uint64_t action, const ARN& resource) const {
1557 auto allowed = false;
1558 for (auto& s : statements) {
1559 auto g = s.eval(e, ida, action, resource);
1560 if (g == Effect::Deny) {
1562 } else if (g == Effect::Allow) {
1566 return allowed ? Effect::Allow : Effect::Pass;
1569 ostream& operator <<(ostream& m, const Policy& p) {
1571 << (p.version == Version::v2008_10_17 ? "2008-10-17" : "2012-10-17");
1573 if (p.id || !p.statements.empty()) {
1578 m << "Id: " << *p.id;
1579 if (!p.statements.empty()) {
1584 if (!p.statements.empty()) {
1585 m << "Statements: ";
1586 print_array(m, p.statements.cbegin(), p.statements.cend());
1592 string to_string(const Policy& p) {