rgw: port the TempURL auth engine to the new auth infrastructure.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
This commit is contained in:
Radoslaw Zarzynski 2017-01-26 18:15:21 +01:00
parent c5f8e8c8c0
commit 58f0df7a17
2 changed files with 51 additions and 42 deletions

View File

@ -26,8 +26,12 @@
using namespace ceph::crypto;
namespace rgw {
namespace auth {
namespace swift {
/* TempURL: applier */
void RGWTempURLAuthApplier::modify_request_state(req_state * s) const /* in/out */
void TempURLApplier::modify_request_state(req_state* s) const /* in/out */
{
bool inline_exists = false;
const std::string& filename = s->info.args.get("filename");
@ -53,13 +57,14 @@ void RGWTempURLAuthApplier::modify_request_state(req_state * s) const /* i
}
/* TempURL: engine */
bool RGWTempURLAuthEngine::is_applicable() const noexcept
bool TempURLEngine::is_applicable(const req_state* const s) const noexcept
{
return s->info.args.exists("temp_url_sig") ||
s->info.args.exists("temp_url_expires");
}
void RGWTempURLAuthEngine::get_owner_info(RGWUserInfo& owner_info) const
void TempURLEngine::get_owner_info(const req_state* const s,
RGWUserInfo& owner_info) const
{
/* We cannot use req_state::bucket_name because it isn't available
* now. It will be initialized in RGWHandler_REST_SWIFT::postauth_init(). */
@ -106,7 +111,7 @@ void RGWTempURLAuthEngine::get_owner_info(RGWUserInfo& owner_info) const
throw ret;
}
ldout(s->cct, 20) << "temp url user (bucket owner): " << bucket_info.owner
ldout(cct, 20) << "temp url user (bucket owner): " << bucket_info.owner
<< dendl;
if (rgw_get_user_info_by_uid(store, bucket_info.owner, owner_info) < 0) {
@ -114,7 +119,7 @@ void RGWTempURLAuthEngine::get_owner_info(RGWUserInfo& owner_info) const
}
}
bool RGWTempURLAuthEngine::is_expired(const std::string& expires) const
bool TempURLEngine::is_expired(const std::string& expires) const
{
string err;
const utime_t now = ceph_clock_now();
@ -142,7 +147,7 @@ std::string extract_swift_subuser(const std::string& swift_user_name) {
}
}
class RGWTempURLAuthEngine::SignatureHelper
class TempURLEngine::SignatureHelper
{
private:
static constexpr uint32_t output_size =
@ -183,32 +188,38 @@ public:
return rhs.compare(0 /* pos */, output_size, dest_str) == 0;
}
}; /* RGWTempURLAuthEngine::SignatureHelper */
}; /* TempURLEngine::SignatureHelper */
RGWAuthApplier::aplptr_t RGWTempURLAuthEngine::authenticate() const
TempURLEngine::result_t
TempURLEngine::authenticate(const req_state* const s) const
{
if (! is_applicable(s)) {
return std::make_pair(nullptr, nullptr);
}
const string& temp_url_sig = s->info.args.get("temp_url_sig");
const string& temp_url_expires = s->info.args.get("temp_url_expires");
if (temp_url_sig.empty() || temp_url_expires.empty()) {
return nullptr;
return std::make_pair(nullptr, nullptr);
}
RGWUserInfo owner_info;
try {
get_owner_info(owner_info);
get_owner_info(s, owner_info);
} catch (...) {
ldout(cct, 5) << "cannot get user_info of account's owner" << dendl;
return nullptr;
return std::make_pair(nullptr, nullptr);
}
if (owner_info.temp_url_keys.empty()) {
ldout(cct, 5) << "user does not have temp url key set, aborting" << dendl;
return nullptr;
return std::make_pair(nullptr, nullptr);
}
if (is_expired(temp_url_expires)) {
ldout(cct, 5) << "temp url link expired" << dendl;
return nullptr;
return std::make_pair(nullptr, nullptr);
}
/* We need to verify two paths because of compliance with Swift, Tempest
@ -258,7 +269,8 @@ RGWAuthApplier::aplptr_t RGWTempURLAuthEngine::authenticate() const
<< dendl;
if (sig_helper.is_equal_to(temp_url_sig)) {
return apl_factory->create_apl_turl(cct, owner_info);
auto apl = apl_factory->create_apl_turl(cct, owner_info);
return std::make_pair(std::move(apl), nullptr);
} else {
ldout(s->cct, 5) << "temp url signature mismatch: " << local_sig
<< " != " << temp_url_sig << dendl;
@ -267,14 +279,10 @@ RGWAuthApplier::aplptr_t RGWTempURLAuthEngine::authenticate() const
}
}
return nullptr;
return std::make_pair(nullptr, nullptr);
}
namespace rgw {
namespace auth {
namespace swift {
/* External token */
bool ExternalTokenEngine::is_applicable(const std::string& token) const noexcept
{

View File

@ -12,12 +12,16 @@
#define RGW_SWIFT_TOKEN_EXPIRATION (15 * 60)
namespace rgw {
namespace auth {
namespace swift {
/* TempURL: applier. */
class RGWTempURLAuthApplier : public RGWLocalAuthApplier {
class TempURLApplier : public rgw::auth::LocalApplier {
public:
RGWTempURLAuthApplier(CephContext * const cct,
TempURLApplier(CephContext* const cct,
const RGWUserInfo& user_info)
: RGWLocalAuthApplier(cct, user_info, RGWLocalAuthApplier::NO_SUBUSER) {
: LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER) {
};
void modify_request_state(req_state * s) const override; /* in/out */
@ -30,42 +34,39 @@ public:
};
/* TempURL: engine */
class RGWTempURLAuthEngine : public RGWAuthEngine {
protected:
class TempURLEngine : public rgw::auth::Engine {
using result_t = rgw::auth::Engine::result_t;
CephContext* const cct;
/* const */ RGWRados* const store;
const req_state * const s;
const RGWTempURLAuthApplier::Factory * const apl_factory;
const TempURLApplier::Factory* const apl_factory;
/* Helper methods. */
void get_owner_info(RGWUserInfo& owner_info) const;
void get_owner_info(const req_state* s,
RGWUserInfo& owner_info) const;
bool is_applicable(const req_state* s) const noexcept;
bool is_expired(const std::string& expires) const;
class SignatureHelper;
public:
RGWTempURLAuthEngine(const req_state * const s,
TempURLEngine(CephContext* const cct,
/*const*/ RGWRados* const store,
const RGWTempURLAuthApplier::Factory * const apl_factory)
: RGWAuthEngine(s->cct),
const TempURLApplier::Factory* const apl_factory)
: cct(cct),
store(store),
s(s),
apl_factory(apl_factory) {
}
/* Interface implementations. */
const char* get_name() const noexcept override {
return "RGWTempURLAuthEngine";
return "rgw::auth::swift::TempURLEngine";
}
bool is_applicable() const noexcept override;
RGWAuthApplier::aplptr_t authenticate() const override;
result_t authenticate(const req_state* const s) const override;
};
namespace rgw {
namespace auth {
namespace swift {
/* AUTH_rgwtk */
class SignedTokenEngine : public rgw::auth::Engine {
using result_t = rgw::auth::Engine::result_t;