1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 #ifndef CEPH_RGW_REST_S3_H
6 #define CEPH_RGW_REST_S3_H
7 #define TIME_BUF_SIZE 128
11 #include <boost/utility/string_view.hpp>
12 #include <boost/container/static_vector.hpp>
14 #include "common/backport14.h"
15 #include "common/sstring.hh"
18 #include "rgw_http_errors.h"
19 #include "rgw_acl_s3.h"
20 #include "rgw_policy_s3.h"
21 #include "rgw_lc_s3.h"
22 #include "rgw_keystone.h"
23 #include "rgw_rest_conn.h"
27 #include "rgw_token.h"
28 #include "include/assert.h"
31 #include "rgw_auth_filters.h"
33 #define RGW_AUTH_GRACE_MINS 15
35 struct rgw_http_error {
40 void rgw_get_errno_s3(struct rgw_http_error *e, int err_no);
42 class RGWGetObj_ObjStore_S3 : public RGWGetObj_ObjStore
45 // Serving a custom error page from an object is really a 200 response with
46 // just the status line altered.
47 int custom_http_ret = 0;
48 std::map<std::string, std::string> crypt_http_responses;
50 RGWGetObj_ObjStore_S3() {}
51 ~RGWGetObj_ObjStore_S3() override {}
53 int get_params() override;
54 int send_response_data_error() override;
55 int send_response_data(bufferlist& bl, off_t ofs, off_t len) override;
56 void set_custom_http_response(int http_ret) { custom_http_ret = http_ret; }
57 int get_decrypt_filter(std::unique_ptr<RGWGetDataCB>* filter,
59 bufferlist* manifest_bl) override;
62 class RGWGetObjTags_ObjStore_S3 : public RGWGetObjTags_ObjStore
66 RGWGetObjTags_ObjStore_S3() {}
67 ~RGWGetObjTags_ObjStore_S3() {}
69 void send_response_data(bufferlist &bl) override;
72 class RGWPutObjTags_ObjStore_S3 : public RGWPutObjTags_ObjStore
75 RGWPutObjTags_ObjStore_S3() {}
76 ~RGWPutObjTags_ObjStore_S3() {}
78 int get_params() override;
79 void send_response() override;
82 class RGWDeleteObjTags_ObjStore_S3 : public RGWDeleteObjTags
85 ~RGWDeleteObjTags_ObjStore_S3() override {}
86 void send_response() override;
89 class RGWListBuckets_ObjStore_S3 : public RGWListBuckets_ObjStore {
91 RGWListBuckets_ObjStore_S3() {}
92 ~RGWListBuckets_ObjStore_S3() override {}
94 int get_params() override {
95 limit = -1; /* no limit */
98 void send_response_begin(bool has_buckets) override;
99 void send_response_data(RGWUserBuckets& buckets) override;
100 void send_response_end() override;
103 class RGWGetUsage_ObjStore_S3 : public RGWGetUsage_ObjStore {
105 RGWGetUsage_ObjStore_S3() {}
106 ~RGWGetUsage_ObjStore_S3() override {}
108 int get_params() override ;
109 void send_response() override;
112 class RGWListBucket_ObjStore_S3 : public RGWListBucket_ObjStore {
115 RGWListBucket_ObjStore_S3() : objs_container(false) {
118 ~RGWListBucket_ObjStore_S3() override {}
120 int get_params() override;
121 void send_response() override;
122 void send_versioned_response();
125 class RGWGetBucketLogging_ObjStore_S3 : public RGWGetBucketLogging {
127 RGWGetBucketLogging_ObjStore_S3() {}
128 ~RGWGetBucketLogging_ObjStore_S3() override {}
130 void send_response() override;
133 class RGWGetBucketLocation_ObjStore_S3 : public RGWGetBucketLocation {
135 RGWGetBucketLocation_ObjStore_S3() {}
136 ~RGWGetBucketLocation_ObjStore_S3() override {}
138 void send_response() override;
141 class RGWGetBucketVersioning_ObjStore_S3 : public RGWGetBucketVersioning {
143 RGWGetBucketVersioning_ObjStore_S3() {}
144 ~RGWGetBucketVersioning_ObjStore_S3() override {}
146 void send_response() override;
149 class RGWSetBucketVersioning_ObjStore_S3 : public RGWSetBucketVersioning {
151 RGWSetBucketVersioning_ObjStore_S3() {}
152 ~RGWSetBucketVersioning_ObjStore_S3() override {}
154 int get_params() override;
155 void send_response() override;
158 class RGWGetBucketWebsite_ObjStore_S3 : public RGWGetBucketWebsite {
160 RGWGetBucketWebsite_ObjStore_S3() {}
161 ~RGWGetBucketWebsite_ObjStore_S3() override {}
163 void send_response() override;
166 class RGWSetBucketWebsite_ObjStore_S3 : public RGWSetBucketWebsite {
168 RGWSetBucketWebsite_ObjStore_S3() {}
169 ~RGWSetBucketWebsite_ObjStore_S3() override {}
171 int get_params() override;
172 void send_response() override;
175 class RGWDeleteBucketWebsite_ObjStore_S3 : public RGWDeleteBucketWebsite {
177 RGWDeleteBucketWebsite_ObjStore_S3() {}
178 ~RGWDeleteBucketWebsite_ObjStore_S3() override {}
180 void send_response() override;
183 class RGWStatBucket_ObjStore_S3 : public RGWStatBucket_ObjStore {
185 RGWStatBucket_ObjStore_S3() {}
186 ~RGWStatBucket_ObjStore_S3() override {}
188 void send_response() override;
191 class RGWCreateBucket_ObjStore_S3 : public RGWCreateBucket_ObjStore {
193 RGWCreateBucket_ObjStore_S3() {}
194 ~RGWCreateBucket_ObjStore_S3() override {}
196 int get_params() override;
197 void send_response() override;
200 class RGWDeleteBucket_ObjStore_S3 : public RGWDeleteBucket_ObjStore {
202 RGWDeleteBucket_ObjStore_S3() {}
203 ~RGWDeleteBucket_ObjStore_S3() override {}
205 void send_response() override;
208 class RGWPutObj_ObjStore_S3 : public RGWPutObj_ObjStore {
210 std::map<std::string, std::string> crypt_http_responses;
213 RGWPutObj_ObjStore_S3() {}
214 ~RGWPutObj_ObjStore_S3() override {}
216 int get_params() override;
217 int get_data(bufferlist& bl) override;
218 void send_response() override;
220 int get_encrypt_filter(std::unique_ptr<RGWPutObjDataProcessor>* filter,
221 RGWPutObjDataProcessor* cb) override;
222 int get_decrypt_filter(std::unique_ptr<RGWGetDataCB>* filter,
224 map<string, bufferlist>& attrs,
225 bufferlist* manifest_bl) override;
228 class RGWPostObj_ObjStore_S3 : public RGWPostObj_ObjStore {
229 parts_collection_t parts;
230 std::string filename;
231 std::string content_type;
233 RGWPolicy post_policy;
234 map<string, string> crypt_http_responses;
236 const rgw::auth::StrategyRegistry* auth_registry_ptr = nullptr;
240 void rebuild_key(string& key);
242 std::string get_current_filename() const override;
243 std::string get_current_content_type() const override;
246 RGWPostObj_ObjStore_S3() {}
247 ~RGWPostObj_ObjStore_S3() override {}
249 int verify_requester(const rgw::auth::StrategyRegistry& auth_registry) {
250 auth_registry_ptr = &auth_registry;
251 return RGWPostObj_ObjStore::verify_requester(auth_registry);
254 int get_params() override;
255 int complete_get_params();
257 void send_response() override;
258 int get_data(ceph::bufferlist& bl, bool& again) override;
259 int get_encrypt_filter(std::unique_ptr<RGWPutObjDataProcessor>* filter,
260 RGWPutObjDataProcessor* cb) override;
263 class RGWDeleteObj_ObjStore_S3 : public RGWDeleteObj_ObjStore {
265 RGWDeleteObj_ObjStore_S3() {}
266 ~RGWDeleteObj_ObjStore_S3() override {}
268 int get_params() override;
269 void send_response() override;
272 class RGWCopyObj_ObjStore_S3 : public RGWCopyObj_ObjStore {
275 RGWCopyObj_ObjStore_S3() : sent_header(false) {}
276 ~RGWCopyObj_ObjStore_S3() override {}
278 int init_dest_policy() override;
279 int get_params() override;
280 void send_partial_response(off_t ofs) override;
281 void send_response() override;
284 class RGWGetACLs_ObjStore_S3 : public RGWGetACLs_ObjStore {
286 RGWGetACLs_ObjStore_S3() {}
287 ~RGWGetACLs_ObjStore_S3() override {}
289 void send_response() override;
292 class RGWPutACLs_ObjStore_S3 : public RGWPutACLs_ObjStore {
294 RGWPutACLs_ObjStore_S3() {}
295 ~RGWPutACLs_ObjStore_S3() override {}
297 int get_policy_from_state(RGWRados *store, struct req_state *s, stringstream& ss) override;
298 void send_response() override;
299 int get_params() override;
302 class RGWGetLC_ObjStore_S3 : public RGWGetLC_ObjStore {
304 RGWLifecycleConfiguration_S3 config;
306 RGWGetLC_ObjStore_S3() {}
307 ~RGWGetLC_ObjStore_S3() override {}
308 void execute() override;
310 void send_response() override;
313 class RGWPutLC_ObjStore_S3 : public RGWPutLC_ObjStore {
315 RGWPutLC_ObjStore_S3() {}
316 ~RGWPutLC_ObjStore_S3() override {}
318 void send_response() override;
321 class RGWDeleteLC_ObjStore_S3 : public RGWDeleteLC_ObjStore {
323 RGWDeleteLC_ObjStore_S3() {}
324 ~RGWDeleteLC_ObjStore_S3() override {}
326 void send_response() override;
329 class RGWGetCORS_ObjStore_S3 : public RGWGetCORS_ObjStore {
331 RGWGetCORS_ObjStore_S3() {}
332 ~RGWGetCORS_ObjStore_S3() override {}
334 void send_response() override;
337 class RGWPutCORS_ObjStore_S3 : public RGWPutCORS_ObjStore {
339 RGWPutCORS_ObjStore_S3() {}
340 ~RGWPutCORS_ObjStore_S3() override {}
342 int get_params() override;
343 void send_response() override;
346 class RGWDeleteCORS_ObjStore_S3 : public RGWDeleteCORS_ObjStore {
348 RGWDeleteCORS_ObjStore_S3() {}
349 ~RGWDeleteCORS_ObjStore_S3() override {}
351 void send_response() override;
354 class RGWOptionsCORS_ObjStore_S3 : public RGWOptionsCORS_ObjStore {
356 RGWOptionsCORS_ObjStore_S3() {}
357 ~RGWOptionsCORS_ObjStore_S3() override {}
359 void send_response() override;
362 class RGWGetRequestPayment_ObjStore_S3 : public RGWGetRequestPayment {
364 RGWGetRequestPayment_ObjStore_S3() {}
365 ~RGWGetRequestPayment_ObjStore_S3() override {}
367 void send_response() override;
370 class RGWSetRequestPayment_ObjStore_S3 : public RGWSetRequestPayment {
372 RGWSetRequestPayment_ObjStore_S3() {}
373 ~RGWSetRequestPayment_ObjStore_S3() override {}
375 int get_params() override;
376 void send_response() override;
379 class RGWInitMultipart_ObjStore_S3 : public RGWInitMultipart_ObjStore {
381 std::map<std::string, std::string> crypt_http_responses;
383 RGWInitMultipart_ObjStore_S3() {}
384 ~RGWInitMultipart_ObjStore_S3() override {}
386 int get_params() override;
387 void send_response() override;
388 int prepare_encryption(map<string, bufferlist>& attrs) override;
391 class RGWCompleteMultipart_ObjStore_S3 : public RGWCompleteMultipart_ObjStore {
393 RGWCompleteMultipart_ObjStore_S3() {}
394 ~RGWCompleteMultipart_ObjStore_S3() override {}
396 int get_params() override;
397 void send_response() override;
400 class RGWAbortMultipart_ObjStore_S3 : public RGWAbortMultipart_ObjStore {
402 RGWAbortMultipart_ObjStore_S3() {}
403 ~RGWAbortMultipart_ObjStore_S3() override {}
405 void send_response() override;
408 class RGWListMultipart_ObjStore_S3 : public RGWListMultipart_ObjStore {
410 RGWListMultipart_ObjStore_S3() {}
411 ~RGWListMultipart_ObjStore_S3() override {}
413 void send_response() override;
416 class RGWListBucketMultiparts_ObjStore_S3 : public RGWListBucketMultiparts_ObjStore {
418 RGWListBucketMultiparts_ObjStore_S3() {
421 ~RGWListBucketMultiparts_ObjStore_S3() override {}
423 void send_response() override;
426 class RGWDeleteMultiObj_ObjStore_S3 : public RGWDeleteMultiObj_ObjStore {
428 RGWDeleteMultiObj_ObjStore_S3() {}
429 ~RGWDeleteMultiObj_ObjStore_S3() override {}
431 int get_params() override;
432 void send_status() override;
433 void begin_response() override;
434 void send_partial_response(rgw_obj_key& key, bool delete_marker,
435 const string& marker_version_id, int ret) override;
436 void end_response() override;
439 class RGWGetObjLayout_ObjStore_S3 : public RGWGetObjLayout {
441 RGWGetObjLayout_ObjStore_S3() {}
442 ~RGWGetObjLayout_ObjStore_S3() {}
444 void send_response();
447 class RGWConfigBucketMetaSearch_ObjStore_S3 : public RGWConfigBucketMetaSearch {
449 RGWConfigBucketMetaSearch_ObjStore_S3() {}
450 ~RGWConfigBucketMetaSearch_ObjStore_S3() {}
452 int get_params() override;
453 void send_response() override;
456 class RGWGetBucketMetaSearch_ObjStore_S3 : public RGWGetBucketMetaSearch {
458 RGWGetBucketMetaSearch_ObjStore_S3() {}
459 ~RGWGetBucketMetaSearch_ObjStore_S3() {}
461 void send_response() override;
464 class RGWDelBucketMetaSearch_ObjStore_S3 : public RGWDelBucketMetaSearch {
466 RGWDelBucketMetaSearch_ObjStore_S3() {}
467 ~RGWDelBucketMetaSearch_ObjStore_S3() {}
469 void send_response() override;
474 static int authorize(RGWRados *store,
475 const rgw::auth::StrategyRegistry& auth_registry,
476 struct req_state *s);
479 class RGWHandler_Auth_S3 : public RGWHandler_REST {
480 friend class RGWRESTMgr_S3;
482 const rgw::auth::StrategyRegistry& auth_registry;
485 RGWHandler_Auth_S3(const rgw::auth::StrategyRegistry& auth_registry)
487 auth_registry(auth_registry) {
489 ~RGWHandler_Auth_S3() override = default;
491 static int validate_bucket_name(const string& bucket);
492 static int validate_object_name(const string& bucket);
494 int init(RGWRados *store,
496 rgw::io::BasicClient *cio) override;
497 int authorize() override {
498 return RGW_Auth_S3::authorize(store, auth_registry, s);
500 int postauth_init() override { return 0; }
503 class RGWHandler_REST_S3 : public RGWHandler_REST {
504 friend class RGWRESTMgr_S3;
506 const rgw::auth::StrategyRegistry& auth_registry;
508 static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format);
510 RGWHandler_REST_S3(const rgw::auth::StrategyRegistry& auth_registry)
512 auth_registry(auth_registry) {
514 ~RGWHandler_REST_S3() override = default;
516 int init(RGWRados *store,
518 rgw::io::BasicClient *cio) override;
519 int authorize() override {
520 return RGW_Auth_S3::authorize(store, auth_registry, s);
522 int postauth_init() override;
525 class RGWHandler_REST_Service_S3 : public RGWHandler_REST_S3 {
528 return s->info.args.exists("usage");
530 RGWOp *op_get() override;
531 RGWOp *op_head() override;
532 RGWOp *op_post() override;
534 using RGWHandler_REST_S3::RGWHandler_REST_S3;
535 ~RGWHandler_REST_Service_S3() override = default;
538 class RGWHandler_REST_Bucket_S3 : public RGWHandler_REST_S3 {
541 return s->info.args.exists("acl");
544 return s->info.args.exists("cors");
547 return s->info.args.exists("lifecycle");
549 bool is_obj_update_op() override {
550 return is_acl_op() || is_cors_op();
552 bool is_request_payment_op() {
553 return s->info.args.exists("requestPayment");
555 bool is_policy_op() {
556 return s->info.args.exists("policy");
558 RGWOp *get_obj_op(bool get_data);
560 RGWOp *op_get() override;
561 RGWOp *op_head() override;
562 RGWOp *op_put() override;
563 RGWOp *op_delete() override;
564 RGWOp *op_post() override;
565 RGWOp *op_options() override;
567 using RGWHandler_REST_S3::RGWHandler_REST_S3;
568 ~RGWHandler_REST_Bucket_S3() override = default;
571 class RGWHandler_REST_Obj_S3 : public RGWHandler_REST_S3 {
574 return s->info.args.exists("acl");
577 return s->info.args.exists("cors");
579 bool is_tagging_op() {
580 return s->info.args.exists("tagging");
582 bool is_obj_update_op() override {
583 return is_acl_op() || is_tagging_op() ;
585 RGWOp *get_obj_op(bool get_data);
587 RGWOp *op_get() override;
588 RGWOp *op_head() override;
589 RGWOp *op_put() override;
590 RGWOp *op_delete() override;
591 RGWOp *op_post() override;
592 RGWOp *op_options() override;
594 using RGWHandler_REST_S3::RGWHandler_REST_S3;
595 ~RGWHandler_REST_Obj_S3() override = default;
598 class RGWRESTMgr_S3 : public RGWRESTMgr {
600 bool enable_s3website;
602 explicit RGWRESTMgr_S3(bool enable_s3website = false)
603 : enable_s3website(enable_s3website) {
606 ~RGWRESTMgr_S3() override = default;
608 RGWHandler_REST *get_handler(struct req_state* s,
609 const rgw::auth::StrategyRegistry& auth_registry,
610 const std::string& frontend_prefix) override;
613 class RGWHandler_REST_Obj_S3Website;
615 static inline bool looks_like_ip_address(const char *bucket)
618 bool expect_period = false;
619 for (const char *b = bucket; *b; ++b) {
626 expect_period = false;
628 else if (isdigit(*b)) {
629 expect_period = true;
635 return (num_periods == 3);
638 static inline int valid_s3_object_name(const string& name) {
639 if (name.size() > 1024) {
640 return -ERR_INVALID_OBJECT_NAME;
642 if (check_utf8(name.c_str(), name.size())) {
643 return -ERR_INVALID_OBJECT_NAME;
648 static inline int valid_s3_bucket_name(const string& name, bool relaxed=false)
650 // This function enforces Amazon's spec for bucket names.
651 // (The requirements, not the recommendations.)
652 int len = name.size();
655 return -ERR_INVALID_BUCKET_NAME;
656 } else if (len > 255) {
658 return -ERR_INVALID_BUCKET_NAME;
661 // bucket names must start with a number, letter, or underscore
662 if (!(isalpha(name[0]) || isdigit(name[0]))) {
664 return -ERR_INVALID_BUCKET_NAME;
665 else if (!(name[0] == '_' || name[0] == '.' || name[0] == '-'))
666 return -ERR_INVALID_BUCKET_NAME;
669 for (const char *s = name.c_str(); *s; ++s) {
671 if (isdigit(c) || (c == '.'))
675 if ((c == '-') || (c == '_'))
678 return -ERR_INVALID_BUCKET_NAME;
681 if (looks_like_ip_address(name.c_str()))
682 return -ERR_INVALID_BUCKET_NAME;
692 class AWSEngine : public rgw::auth::Engine {
694 class VersionAbstractor {
695 static constexpr size_t DIGEST_SIZE_V2 = CEPH_CRYPTO_HMACSHA1_DIGESTSIZE;
696 static constexpr size_t DIGEST_SIZE_V4 = CEPH_CRYPTO_HMACSHA256_DIGESTSIZE;
698 /* Knowing the signature max size allows us to employ the sstring, and thus
699 * avoid dynamic allocations. The multiplier comes from representing digest
700 * in the base64-encoded form. */
701 static constexpr size_t SIGNATURE_MAX_SIZE = \
702 ceph::max(DIGEST_SIZE_V2, DIGEST_SIZE_V4) * 2 + sizeof('\0');
705 virtual ~VersionAbstractor() {};
707 using access_key_id_t = boost::string_view;
708 using client_signature_t = boost::string_view;
709 using server_signature_t = basic_sstring<char, uint16_t, SIGNATURE_MAX_SIZE>;
710 using string_to_sign_t = std::string;
712 /* Transformation for crafting the AWS signature at server side which is
713 * used later to compare with the user-provided one. The methodology for
714 * doing that depends on AWS auth version. */
715 using signature_factory_t = \
716 std::function<server_signature_t(CephContext* cct,
717 const std::string& secret_key,
718 const string_to_sign_t& string_to_sign)>;
720 /* Return an instance of Completer for verifying the payload's fingerprint
721 * if necessary. Otherwise caller gets nullptr. Caller may provide secret
723 using completer_factory_t = \
724 std::function<rgw::auth::Completer::cmplptr_t(
725 const boost::optional<std::string>& secret_key)>;
728 access_key_id_t access_key_id;
729 client_signature_t client_signature;
730 string_to_sign_t string_to_sign;
731 signature_factory_t signature_factory;
732 completer_factory_t completer_factory;
735 virtual auth_data_t get_auth_data(const req_state* s) const = 0;
740 const VersionAbstractor& ver_abstractor;
742 AWSEngine(CephContext* const cct, const VersionAbstractor& ver_abstractor)
744 ver_abstractor(ver_abstractor) {
747 using result_t = rgw::auth::Engine::result_t;
748 using string_to_sign_t = VersionAbstractor::string_to_sign_t;
749 using signature_factory_t = VersionAbstractor::signature_factory_t;
750 using completer_factory_t = VersionAbstractor::completer_factory_t;
752 /* TODO(rzarzynski): clean up. We've too many input parameter hee. Also
753 * the signature get_auth_data() of VersionAbstractor is too complicated.
754 * Replace these thing with a simple, dedicated structure. */
755 virtual result_t authenticate(const boost::string_view& access_key_id,
756 const boost::string_view& signature,
757 const string_to_sign_t& string_to_sign,
758 const signature_factory_t& signature_factory,
759 const completer_factory_t& completer_factory,
760 const req_state* s) const = 0;
763 result_t authenticate(const req_state* const s) const final;
767 class AWSGeneralAbstractor : public AWSEngine::VersionAbstractor {
768 CephContext* const cct;
770 bool is_time_skew_ok(const utime_t& header_time,
771 const bool qsr) const;
773 virtual boost::optional<std::string>
774 get_v4_canonical_headers(const req_info& info,
775 const boost::string_view& signedheaders,
776 const bool using_qs) const;
778 auth_data_t get_auth_data_v2(const req_state* s) const;
779 auth_data_t get_auth_data_v4(const req_state* s, bool using_qs) const;
782 AWSGeneralAbstractor(CephContext* const cct)
786 auth_data_t get_auth_data(const req_state* s) const override;
789 class AWSGeneralBoto2Abstractor : public AWSGeneralAbstractor {
790 boost::optional<std::string>
791 get_v4_canonical_headers(const req_info& info,
792 const boost::string_view& signedheaders,
793 const bool using_qs) const override;
796 using AWSGeneralAbstractor::AWSGeneralAbstractor;
799 class AWSBrowserUploadAbstractor : public AWSEngine::VersionAbstractor {
800 static std::string to_string(ceph::bufferlist bl) {
801 return std::string(bl.c_str(),
802 static_cast<std::string::size_type>(bl.length()));
805 auth_data_t get_auth_data_v2(const req_state* s) const;
806 auth_data_t get_auth_data_v4(const req_state* s) const;
809 AWSBrowserUploadAbstractor(CephContext*) {
812 auth_data_t get_auth_data(const req_state* s) const override;
816 class LDAPEngine : public AWSEngine {
817 static rgw::LDAPHelper* ldh;
818 static std::mutex mtx;
820 static void init(CephContext* const cct);
822 using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
823 using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
824 using result_t = rgw::auth::Engine::result_t;
827 RGWRados* const store;
828 const rgw::auth::RemoteApplier::Factory* const apl_factory;
830 acl_strategy_t get_acl_strategy() const;
831 auth_info_t get_creds_info(const rgw::RGWToken& token) const noexcept;
833 result_t authenticate(const boost::string_view& access_key_id,
834 const boost::string_view& signature,
835 const string_to_sign_t& string_to_sign,
836 const signature_factory_t&,
837 const completer_factory_t& completer_factory,
838 const req_state* s) const override;
840 LDAPEngine(CephContext* const cct,
841 RGWRados* const store,
842 const VersionAbstractor& ver_abstractor,
843 const rgw::auth::RemoteApplier::Factory* const apl_factory)
844 : AWSEngine(cct, ver_abstractor),
846 apl_factory(apl_factory) {
850 using AWSEngine::authenticate;
852 const char* get_name() const noexcept override {
853 return "rgw::auth::s3::LDAPEngine";
858 class LocalEngine : public AWSEngine {
859 RGWRados* const store;
860 const rgw::auth::LocalApplier::Factory* const apl_factory;
862 result_t authenticate(const boost::string_view& access_key_id,
863 const boost::string_view& signature,
864 const string_to_sign_t& string_to_sign,
865 const signature_factory_t& signature_factory,
866 const completer_factory_t& completer_factory,
867 const req_state* s) const override;
869 LocalEngine(CephContext* const cct,
870 RGWRados* const store,
871 const VersionAbstractor& ver_abstractor,
872 const rgw::auth::LocalApplier::Factory* const apl_factory)
873 : AWSEngine(cct, ver_abstractor),
875 apl_factory(apl_factory) {
878 using AWSEngine::authenticate;
880 const char* get_name() const noexcept override {
881 return "rgw::auth::s3::LocalEngine";
886 class S3AnonymousEngine : public rgw::auth::AnonymousEngine {
887 bool is_applicable(const req_state* s) const noexcept override;
890 /* Let's reuse the parent class' constructor. */
891 using rgw::auth::AnonymousEngine::AnonymousEngine;
893 const char* get_name() const noexcept override {
894 return "rgw::auth::s3::S3AnonymousEngine";
899 class S3AuthFactory : public rgw::auth::RemoteApplier::Factory,
900 public rgw::auth::LocalApplier::Factory {
901 typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
902 RGWRados* const store;
905 S3AuthFactory(RGWRados* const store)
909 aplptr_t create_apl_remote(CephContext* const cct,
910 const req_state* const s,
911 rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg,
912 const rgw::auth::RemoteApplier::AuthInfo info
915 new rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info,
916 cct->_conf->rgw_keystone_implicit_tenants));
919 aplptr_t create_apl_local(CephContext* const cct,
920 const req_state* const s,
921 const RGWUserInfo& user_info,
922 const std::string& subuser) const override {
924 new rgw::auth::LocalApplier(cct, user_info, subuser));
930 } /* namespace auth */
931 } /* namespace rgw */
934 #endif /* CEPH_RGW_REST_S3_H */