1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
5 #ifndef CEPH_RGW_AUTH_KEYSTONE_H
6 #define CEPH_RGW_AUTH_KEYSTONE_H
9 #include <boost/optional.hpp>
10 #include <boost/utility/string_view.hpp>
13 #include "rgw_rest_s3.h"
14 #include "rgw_common.h"
15 #include "rgw_keystone.h"
21 /* Dedicated namespace for Keystone-related auth engines. We need it because
22 * Keystone offers three different authentication mechanisms (token, EC2 and
23 * regular user/pass). RadosGW actually does support the first two. */
25 class TokenEngine : public rgw::auth::Engine {
26 CephContext* const cct;
28 using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
29 using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
30 using result_t = rgw::auth::Engine::result_t;
31 using token_envelope_t = rgw::keystone::TokenEnvelope;
33 const rgw::auth::TokenExtractor* const extractor;
34 const rgw::auth::RemoteApplier::Factory* const apl_factory;
35 rgw::keystone::Config& config;
36 rgw::keystone::TokenCache& token_cache;
39 bool is_applicable(const std::string& token) const noexcept;
40 token_envelope_t decode_pki_token(const std::string& token) const;
42 boost::optional<token_envelope_t>
43 get_from_keystone(const std::string& token) const;
45 acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
46 auth_info_t get_creds_info(const token_envelope_t& token,
47 const std::vector<std::string>& admin_roles
49 result_t authenticate(const std::string& token,
50 const req_state* s) const;
53 TokenEngine(CephContext* const cct,
54 const rgw::auth::TokenExtractor* const extractor,
55 const rgw::auth::RemoteApplier::Factory* const apl_factory,
56 rgw::keystone::Config& config,
57 rgw::keystone::TokenCache& token_cache)
60 apl_factory(apl_factory),
62 token_cache(token_cache) {
65 const char* get_name() const noexcept override {
66 return "rgw::auth::keystone::TokenEngine";
69 result_t authenticate(const req_state* const s) const override {
70 return authenticate(extractor->get_token(s), s);
72 }; /* class TokenEngine */
75 class EC2Engine : public rgw::auth::s3::AWSEngine {
76 using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
77 using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
78 using result_t = rgw::auth::Engine::result_t;
79 using token_envelope_t = rgw::keystone::TokenEnvelope;
81 const rgw::auth::RemoteApplier::Factory* const apl_factory;
82 rgw::keystone::Config& config;
83 rgw::keystone::TokenCache& token_cache;
86 acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
87 auth_info_t get_creds_info(const token_envelope_t& token,
88 const std::vector<std::string>& admin_roles
90 std::pair<boost::optional<token_envelope_t>, int>
91 get_from_keystone(const boost::string_view& access_key_id,
92 const std::string& string_to_sign,
93 const boost::string_view& signature) const;
94 result_t authenticate(const boost::string_view& access_key_id,
95 const boost::string_view& signature,
96 const string_to_sign_t& string_to_sign,
97 const signature_factory_t&,
98 const completer_factory_t& completer_factory,
99 const req_state* s) const override;
101 EC2Engine(CephContext* const cct,
102 const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
103 const rgw::auth::RemoteApplier::Factory* const apl_factory,
104 rgw::keystone::Config& config,
105 /* The token cache is used ONLY for the retrieving admin token.
106 * Due to the architecture of AWS Auth S3 credentials cannot be
108 rgw::keystone::TokenCache& token_cache)
109 : AWSEngine(cct, *ver_abstractor),
110 apl_factory(apl_factory),
112 token_cache(token_cache) {
115 using AWSEngine::authenticate;
117 const char* get_name() const noexcept override {
118 return "rgw::auth::keystone::EC2Engine";
121 }; /* class EC2Engine */
123 }; /* namespace keystone */
124 }; /* namespace auth */
125 }; /* namespace rgw */
127 #endif /* CEPH_RGW_AUTH_KEYSTONE_H */