X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Frgw%2Frgw_acl.h;fp=src%2Fceph%2Fsrc%2Frgw%2Frgw_acl.h;h=0000000000000000000000000000000000000000;hb=7da45d65be36d36b880cc55c5036e96c24b53f00;hp=9931bd531a35417a1b9a0ca52507a8c7cc600fdc;hpb=691462d09d0987b47e112d6ee8740375df3c51b2;p=stor4nfv.git diff --git a/src/ceph/src/rgw/rgw_acl.h b/src/ceph/src/rgw/rgw_acl.h deleted file mode 100644 index 9931bd5..0000000 --- a/src/ceph/src/rgw/rgw_acl.h +++ /dev/null @@ -1,466 +0,0 @@ -// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- -// vim: ts=8 sw=2 smarttab - -#ifndef CEPH_RGW_ACL_H -#define CEPH_RGW_ACL_H - -#include -#include -#include - -#include -#include - -#include "common/debug.h" - -#include "rgw_basic_types.h" - -#define RGW_PERM_NONE 0x00 -#define RGW_PERM_READ 0x01 -#define RGW_PERM_WRITE 0x02 -#define RGW_PERM_READ_ACP 0x04 -#define RGW_PERM_WRITE_ACP 0x08 -#define RGW_PERM_READ_OBJS 0x10 -#define RGW_PERM_WRITE_OBJS 0x20 -#define RGW_PERM_FULL_CONTROL ( RGW_PERM_READ | RGW_PERM_WRITE | \ - RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP ) -#define RGW_PERM_ALL_S3 RGW_PERM_FULL_CONTROL -#define RGW_PERM_INVALID 0xFF00 - -static constexpr char RGW_REFERER_WILDCARD[] = "*"; - -enum ACLGranteeTypeEnum { -/* numbers are encoded, should not change */ - ACL_TYPE_CANON_USER = 0, - ACL_TYPE_EMAIL_USER = 1, - ACL_TYPE_GROUP = 2, - ACL_TYPE_UNKNOWN = 3, - ACL_TYPE_REFERER = 4, -}; - -enum ACLGroupTypeEnum { -/* numbers are encoded should not change */ - ACL_GROUP_NONE = 0, - ACL_GROUP_ALL_USERS = 1, - ACL_GROUP_AUTHENTICATED_USERS = 2, -}; - -class ACLPermission -{ -protected: - int flags; -public: - ACLPermission() : flags(0) {} - ~ACLPermission() {} - uint32_t get_permissions() const { return flags; } - void set_permissions(uint32_t perm) { flags = perm; } - - void encode(bufferlist& bl) const { - ENCODE_START(2, 2, bl); - ::encode(flags, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl); - ::decode(flags, bl); - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - static void generate_test_instances(list& o); -}; -WRITE_CLASS_ENCODER(ACLPermission) - -class ACLGranteeType -{ -protected: - __u32 type; -public: - ACLGranteeType() : type(ACL_TYPE_UNKNOWN) {} - virtual ~ACLGranteeType() {} -// virtual const char *to_string() = 0; - ACLGranteeTypeEnum get_type() const { return (ACLGranteeTypeEnum)type; } - void set(ACLGranteeTypeEnum t) { type = t; } -// virtual void set(const char *s) = 0; - void encode(bufferlist& bl) const { - ENCODE_START(2, 2, bl); - ::encode(type, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl); - ::decode(type, bl); - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - static void generate_test_instances(list& o); -}; -WRITE_CLASS_ENCODER(ACLGranteeType) - -class ACLGrantee -{ -public: - ACLGrantee() {} - ~ACLGrantee() {} -}; - - -class ACLGrant -{ -protected: - ACLGranteeType type; - rgw_user id; - string email; - ACLPermission permission; - string name; - ACLGroupTypeEnum group; - string url_spec; - -public: - ACLGrant() : group(ACL_GROUP_NONE) {} - virtual ~ACLGrant() {} - - /* there's an assumption here that email/uri/id encodings are - different and there can't be any overlap */ - bool get_id(rgw_user& _id) const { - switch(type.get_type()) { - case ACL_TYPE_EMAIL_USER: - _id = email; // implies from_str() that parses the 't:u' syntax - return true; - case ACL_TYPE_GROUP: - case ACL_TYPE_REFERER: - return false; - default: - _id = id; - return true; - } - } - ACLGranteeType& get_type() { return type; } - const ACLGranteeType& get_type() const { return type; } - ACLPermission& get_permission() { return permission; } - const ACLPermission& get_permission() const { return permission; } - ACLGroupTypeEnum get_group() const { return group; } - const string& get_referer() const { return url_spec; } - - void encode(bufferlist& bl) const { - ENCODE_START(5, 3, bl); - ::encode(type, bl); - string s; - id.to_str(s); - ::encode(s, bl); - string uri; - ::encode(uri, bl); - ::encode(email, bl); - ::encode(permission, bl); - ::encode(name, bl); - __u32 g = (__u32)group; - ::encode(g, bl); - ::encode(url_spec, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(5, 3, 3, bl); - ::decode(type, bl); - string s; - ::decode(s, bl); - id.from_str(s); - string uri; - ::decode(uri, bl); - ::decode(email, bl); - ::decode(permission, bl); - ::decode(name, bl); - if (struct_v > 1) { - __u32 g; - ::decode(g, bl); - group = (ACLGroupTypeEnum)g; - } else { - group = uri_to_group(uri); - } - if (struct_v >= 5) { - ::decode(url_spec, bl); - } else { - url_spec.clear(); - } - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - static void generate_test_instances(list& o); - - ACLGroupTypeEnum uri_to_group(string& uri); - - void set_canon(const rgw_user& _id, const string& _name, const uint32_t perm) { - type.set(ACL_TYPE_CANON_USER); - id = _id; - name = _name; - permission.set_permissions(perm); - } - void set_group(ACLGroupTypeEnum _group, const uint32_t perm) { - type.set(ACL_TYPE_GROUP); - group = _group; - permission.set_permissions(perm); - } - void set_referer(const std::string& _url_spec, const uint32_t perm) { - type.set(ACL_TYPE_REFERER); - url_spec = _url_spec; - permission.set_permissions(perm); - } -}; -WRITE_CLASS_ENCODER(ACLGrant) - -struct ACLReferer { - std::string url_spec; - uint32_t perm; - - ACLReferer() : perm(0) {} - ACLReferer(const std::string& url_spec, - const uint32_t perm) - : url_spec(url_spec), - perm(perm) { - } - - bool is_match(boost::string_ref http_referer) const { - const auto http_host = get_http_host(http_referer); - if (!http_host || http_host->length() < url_spec.length()) { - return false; - } - - if ("*" == url_spec) { - return true; - } - - if (http_host->compare(url_spec) == 0) { - return true; - } - - if ('.' == url_spec[0]) { - /* Wildcard support: a referer matches the spec when its last char are - * perfectly equal to spec. */ - return http_host->ends_with(url_spec); - } - - return false; - } - - void encode(bufferlist& bl) const { - ENCODE_START(1, 1, bl); - ::encode(url_spec, bl); - ::encode(perm, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(1, 1, 1, bl); - ::decode(url_spec, bl); - ::decode(perm, bl); - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - -private: - boost::optional get_http_host(const boost::string_ref url) const { - size_t pos = url.find("://"); - if (pos == boost::string_ref::npos || url.starts_with("://") || - url.ends_with("://") || url.ends_with('@')) { - return boost::none; - } - boost::string_ref url_sub = url.substr(pos + strlen("://")); - pos = url_sub.find('@'); - if (pos != boost::string_ref::npos) { - url_sub = url_sub.substr(pos + 1); - } - pos = url_sub.find_first_of("/:"); - if (pos == boost::string_ref::npos) { - /* no port or path exists */ - return url_sub; - } - return url_sub.substr(0, pos); - } -}; -WRITE_CLASS_ENCODER(ACLReferer) - -namespace rgw { -namespace auth { - class Identity; -} -} - -class RGWAccessControlList -{ -protected: - CephContext *cct; - /* FIXME: in the feature we should consider switching to uint32_t also - * in data structures. */ - map acl_user_map; - map acl_group_map; - list referer_list; - multimap grant_map; - void _add_grant(ACLGrant *grant); -public: - explicit RGWAccessControlList(CephContext *_cct) : cct(_cct) {} - RGWAccessControlList() : cct(NULL) {} - - void set_ctx(CephContext *ctx) { - cct = ctx; - } - - virtual ~RGWAccessControlList() {} - - uint32_t get_perm(const rgw::auth::Identity& auth_identity, - uint32_t perm_mask); - uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); - uint32_t get_referer_perm(uint32_t current_perm, - std::string http_referer, - uint32_t perm_mask); - void encode(bufferlist& bl) const { - ENCODE_START(4, 3, bl); - bool maps_initialized = true; - ::encode(maps_initialized, bl); - ::encode(acl_user_map, bl); - ::encode(grant_map, bl); - ::encode(acl_group_map, bl); - ::encode(referer_list, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(4, 3, 3, bl); - bool maps_initialized; - ::decode(maps_initialized, bl); - ::decode(acl_user_map, bl); - ::decode(grant_map, bl); - if (struct_v >= 2) { - ::decode(acl_group_map, bl); - } else if (!maps_initialized) { - multimap::iterator iter; - for (iter = grant_map.begin(); iter != grant_map.end(); ++iter) { - ACLGrant& grant = iter->second; - _add_grant(&grant); - } - } - if (struct_v >= 4) { - ::decode(referer_list, bl); - } - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - static void generate_test_instances(list& o); - - void add_grant(ACLGrant *grant); - - multimap& get_grant_map() { return grant_map; } - const multimap& get_grant_map() const { return grant_map; } - - void create_default(const rgw_user& id, string name) { - acl_user_map.clear(); - acl_group_map.clear(); - referer_list.clear(); - - ACLGrant grant; - grant.set_canon(id, name, RGW_PERM_FULL_CONTROL); - add_grant(&grant); - } -}; -WRITE_CLASS_ENCODER(RGWAccessControlList) - -class ACLOwner -{ -protected: - rgw_user id; - string display_name; -public: - ACLOwner() {} - ~ACLOwner() {} - - void encode(bufferlist& bl) const { - ENCODE_START(3, 2, bl); - string s; - id.to_str(s); - ::encode(s, bl); - ::encode(display_name, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(3, 2, 2, bl); - string s; - ::decode(s, bl); - id.from_str(s); - ::decode(display_name, bl); - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - void decode_json(JSONObj *obj); - static void generate_test_instances(list& o); - void set_id(const rgw_user& _id) { id = _id; } - void set_name(const string& name) { display_name = name; } - - rgw_user& get_id() { return id; } - const rgw_user& get_id() const { return id; } - string& get_display_name() { return display_name; } -}; -WRITE_CLASS_ENCODER(ACLOwner) - -class RGWAccessControlPolicy -{ -protected: - CephContext *cct; - RGWAccessControlList acl; - ACLOwner owner; - -public: - explicit RGWAccessControlPolicy(CephContext *_cct) : cct(_cct), acl(_cct) {} - RGWAccessControlPolicy() : cct(NULL), acl(NULL) {} - virtual ~RGWAccessControlPolicy() {} - - void set_ctx(CephContext *ctx) { - cct = ctx; - acl.set_ctx(ctx); - } - - uint32_t get_perm(const rgw::auth::Identity& auth_identity, - uint32_t perm_mask, - const char * http_referer); - uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); - bool verify_permission(const rgw::auth::Identity& auth_identity, - uint32_t user_perm_mask, - uint32_t perm, - const char * http_referer = nullptr); - - void encode(bufferlist& bl) const { - ENCODE_START(2, 2, bl); - ::encode(owner, bl); - ::encode(acl, bl); - ENCODE_FINISH(bl); - } - void decode(bufferlist::iterator& bl) { - DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl); - ::decode(owner, bl); - ::decode(acl, bl); - DECODE_FINISH(bl); - } - void dump(Formatter *f) const; - static void generate_test_instances(list& o); - void decode_owner(bufferlist::iterator& bl) { // sometimes we only need that, should be faster - DECODE_START_LEGACY_COMPAT_LEN(2, 2, 2, bl); - ::decode(owner, bl); - DECODE_FINISH(bl); - } - - void set_owner(ACLOwner& o) { owner = o; } - ACLOwner& get_owner() { - return owner; - } - - void create_default(const rgw_user& id, string& name) { - acl.create_default(id, name); - owner.set_id(id); - owner.set_name(name); - } - RGWAccessControlList& get_acl() { - return acl; - } - const RGWAccessControlList& get_acl() const { - return acl; - } - - virtual bool compare_group_name(string& id, ACLGroupTypeEnum group) { return false; } -}; -WRITE_CLASS_ENCODER(RGWAccessControlPolicy) - -#endif