1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
|
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
#ifndef CEPH_RGW_AUTH_S3_H
#define CEPH_RGW_AUTH_S3_H
#include <array>
#include <memory>
#include <string>
#include <tuple>
#include <boost/algorithm/string.hpp>
#include <boost/container/static_vector.hpp>
#include <boost/utility/string_ref.hpp>
#include <boost/utility/string_view.hpp>
#include "common/sstring.hh"
#include "rgw_common.h"
#include "rgw_rest_s3.h"
#include "rgw_auth.h"
#include "rgw_auth_filters.h"
#include "rgw_auth_keystone.h"
namespace rgw {
namespace auth {
namespace s3 {
static constexpr auto RGW_AUTH_GRACE = std::chrono::minutes{15};
// returns true if the request time is within RGW_AUTH_GRACE of the current time
bool is_time_skew_ok(time_t t);
class STSAuthStrategy : public rgw::auth::Strategy,
public rgw::auth::RemoteApplier::Factory,
public rgw::auth::LocalApplier::Factory,
public rgw::auth::RoleApplier::Factory {
typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
RGWRados* const store;
rgw::auth::ImplicitTenants& implicit_tenant_context;
STSEngine sts_engine;
aplptr_t create_apl_remote(CephContext* const cct,
const req_state* const s,
rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg,
const rgw::auth::RemoteApplier::AuthInfo &info
) const override {
auto apl = rgw::auth::add_sysreq(cct, store, s,
rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info,
implicit_tenant_context,
rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_S3));
return aplptr_t(new decltype(apl)(std::move(apl)));
}
aplptr_t create_apl_local(CephContext* const cct,
const req_state* const s,
const RGWUserInfo& user_info,
const std::string& subuser,
const boost::optional<uint32_t>& perm_mask) const override {
auto apl = rgw::auth::add_sysreq(cct, store, s,
rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask));
return aplptr_t(new decltype(apl)(std::move(apl)));
}
aplptr_t create_apl_role(CephContext* const cct,
const req_state* const s,
const string& role_name,
const rgw_user& user_id,
const vector<std::string>& role_policies) const override {
auto apl = rgw::auth::add_sysreq(cct, store, s,
rgw::auth::RoleApplier(cct, role_name, user_id, role_policies));
return aplptr_t(new decltype(apl)(std::move(apl)));
}
public:
STSAuthStrategy(CephContext* const cct,
RGWRados* const store,
rgw::auth::ImplicitTenants& implicit_tenant_context,
AWSEngine::VersionAbstractor* const ver_abstractor)
: store(store),
implicit_tenant_context(implicit_tenant_context),
sts_engine(cct, store, *ver_abstractor,
static_cast<rgw::auth::LocalApplier::Factory*>(this),
static_cast<rgw::auth::RemoteApplier::Factory*>(this),
static_cast<rgw::auth::RoleApplier::Factory*>(this)) {
if (cct->_conf->rgw_s3_auth_use_sts) {
add_engine(Control::SUFFICIENT, sts_engine);
}
}
const char* get_name() const noexcept override {
return "rgw::auth::s3::STSAuthStrategy";
}
};
class ExternalAuthStrategy : public rgw::auth::Strategy,
public rgw::auth::RemoteApplier::Factory {
typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
RGWRados* const store;
rgw::auth::ImplicitTenants& implicit_tenant_context;
using keystone_config_t = rgw::keystone::CephCtxConfig;
using keystone_cache_t = rgw::keystone::TokenCache;
using EC2Engine = rgw::auth::keystone::EC2Engine;
boost::optional <EC2Engine> keystone_engine;
LDAPEngine ldap_engine;
aplptr_t create_apl_remote(CephContext* const cct,
const req_state* const s,
rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg,
const rgw::auth::RemoteApplier::AuthInfo &info
) const override {
auto apl = rgw::auth::add_sysreq(cct, store, s,
rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info,
implicit_tenant_context,
rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_S3));
/* TODO(rzarzynski): replace with static_ptr. */
return aplptr_t(new decltype(apl)(std::move(apl)));
}
public:
ExternalAuthStrategy(CephContext* const cct,
RGWRados* const store,
rgw::auth::ImplicitTenants& implicit_tenant_context,
AWSEngine::VersionAbstractor* const ver_abstractor)
: store(store),
implicit_tenant_context(implicit_tenant_context),
ldap_engine(cct, store, *ver_abstractor,
static_cast<rgw::auth::RemoteApplier::Factory*>(this)) {
if (cct->_conf->rgw_s3_auth_use_keystone &&
! cct->_conf->rgw_keystone_url.empty()) {
keystone_engine.emplace(cct, ver_abstractor,
static_cast<rgw::auth::RemoteApplier::Factory*>(this),
keystone_config_t::get_instance(),
keystone_cache_t::get_instance<keystone_config_t>());
add_engine(Control::SUFFICIENT, *keystone_engine);
}
if (ldap_engine.valid()) {
add_engine(Control::SUFFICIENT, ldap_engine);
}
}
const char* get_name() const noexcept override {
return "rgw::auth::s3::AWSv2ExternalAuthStrategy";
}
};
template <class AbstractorT,
bool AllowAnonAccessT = false>
class AWSAuthStrategy : public rgw::auth::Strategy,
public rgw::auth::LocalApplier::Factory {
typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
static_assert(std::is_base_of<rgw::auth::s3::AWSEngine::VersionAbstractor,
AbstractorT>::value,
"AbstractorT must be a subclass of rgw::auth::s3::VersionAbstractor");
RGWRados* const store;
AbstractorT ver_abstractor;
S3AnonymousEngine anonymous_engine;
ExternalAuthStrategy external_engines;
STSAuthStrategy sts_engine;
LocalEngine local_engine;
aplptr_t create_apl_local(CephContext* const cct,
const req_state* const s,
const RGWUserInfo& user_info,
const std::string& subuser,
const boost::optional<uint32_t>& perm_mask) const override {
auto apl = rgw::auth::add_sysreq(cct, store, s,
rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask));
/* TODO(rzarzynski): replace with static_ptr. */
return aplptr_t(new decltype(apl)(std::move(apl)));
}
public:
using engine_map_t = std::map <std::string, std::reference_wrapper<const Engine>>;
void add_engines(const std::vector <std::string>& auth_order,
engine_map_t eng_map)
{
auto ctrl_flag = Control::SUFFICIENT;
for (const auto &eng : auth_order) {
// fallback to the last engine, in case of multiple engines, since ctrl
// flag is sufficient for others, error from earlier engine is returned
if (&eng == &auth_order.back() && eng_map.size() > 1) {
ctrl_flag = Control::FALLBACK;
}
if (const auto kv = eng_map.find(eng);
kv != eng_map.end()) {
add_engine(ctrl_flag, kv->second);
}
}
}
auto parse_auth_order(CephContext* const cct)
{
std::vector <std::string> result;
const std::set <std::string_view> allowed_auth = { "sts", "external", "local" };
std::vector <std::string> default_order = { "sts", "external", "local" };
// supplied strings may contain a space, so let's bypass that
boost::split(result, cct->_conf->rgw_s3_auth_order,
boost::is_any_of(", "), boost::token_compress_on);
if (std::any_of(result.begin(), result.end(),
[allowed_auth](std::string_view s)
{ return allowed_auth.find(s) == allowed_auth.end();})){
return default_order;
}
return result;
}
AWSAuthStrategy(CephContext* const cct,
rgw::auth::ImplicitTenants& implicit_tenant_context,
RGWRados* const store)
: store(store),
ver_abstractor(cct),
anonymous_engine(cct,
static_cast<rgw::auth::LocalApplier::Factory*>(this)),
external_engines(cct, store, implicit_tenant_context, &ver_abstractor),
sts_engine(cct, store, implicit_tenant_context, &ver_abstractor),
local_engine(cct, store, ver_abstractor,
static_cast<rgw::auth::LocalApplier::Factory*>(this)) {
/* The anonymous auth. */
if (AllowAnonAccessT) {
add_engine(Control::SUFFICIENT, anonymous_engine);
}
auto auth_order = parse_auth_order(cct);
engine_map_t engine_map;
/* STS Auth*/
if (! sts_engine.is_empty()) {
engine_map.insert(std::make_pair("sts", std::cref(sts_engine)));
}
/* The external auth. */
if (! external_engines.is_empty()) {
engine_map.insert(std::make_pair("external", std::cref(external_engines)));
}
/* The local auth. */
if (cct->_conf->rgw_s3_auth_use_rados) {
engine_map.insert(std::make_pair("local", std::cref(local_engine)));
}
add_engines(auth_order, engine_map);
}
const char* get_name() const noexcept override {
return "rgw::auth::s3::AWSAuthStrategy";
}
};
class AWSv4ComplMulti : public rgw::auth::Completer,
public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
public std::enable_shared_from_this<AWSv4ComplMulti> {
using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;
using signing_key_t = sha256_digest_t;
CephContext* const cct;
const boost::string_view date;
const boost::string_view credential_scope;
const signing_key_t signing_key;
class ChunkMeta {
size_t data_offset_in_stream = 0;
size_t data_length = 0;
std::string signature;
ChunkMeta(const size_t data_starts_in_stream,
const size_t data_length,
const boost::string_ref signature)
: data_offset_in_stream(data_starts_in_stream),
data_length(data_length),
signature(signature.to_string()) {
}
explicit ChunkMeta(const boost::string_view& signature)
: signature(signature.to_string()) {
}
public:
static constexpr size_t SIG_SIZE = 64;
/* Let's suppose the data length fields can't exceed uint64_t. */
static constexpr size_t META_MAX_SIZE = \
sarrlen("\r\nffffffffffffffff;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");
/* The metadata size of for the last, empty chunk. */
static constexpr size_t META_MIN_SIZE = \
sarrlen("0;chunk-signature=") + SIG_SIZE + sarrlen("\r\n");
/* Detect whether a given stream_pos fits in boundaries of a chunk. */
bool is_new_chunk_in_stream(size_t stream_pos) const;
/* Get the remaining data size. */
size_t get_data_size(size_t stream_pos) const;
const std::string& get_signature() const {
return signature;
}
/* Factory: create an object representing metadata of first, initial chunk
* in a stream. */
static ChunkMeta create_first(const boost::string_view& seed_signature) {
return ChunkMeta(seed_signature);
}
/* Factory: parse a block of META_MAX_SIZE bytes and creates an object
* representing non-first chunk in a stream. As the process is sequential
* and depends on the previous chunk, caller must pass it. */
static std::pair<ChunkMeta, size_t> create_next(CephContext* cct,
ChunkMeta&& prev,
const char* metabuf,
size_t metabuf_len);
} chunk_meta;
size_t stream_pos;
boost::container::static_vector<char, ChunkMeta::META_MAX_SIZE> parsing_buf;
ceph::crypto::SHA256* sha256_hash;
std::string prev_chunk_signature;
bool is_signature_mismatched();
std::string calc_chunk_signature(const std::string& payload_hash) const;
public:
/* We need the constructor to be public because of the std::make_shared that
* is employed by the create() method. */
AWSv4ComplMulti(const req_state* const s,
boost::string_view date,
boost::string_view credential_scope,
boost::string_view seed_signature,
const signing_key_t& signing_key)
: io_base_t(nullptr),
cct(s->cct),
date(std::move(date)),
credential_scope(std::move(credential_scope)),
signing_key(signing_key),
/* The evolving state. */
chunk_meta(ChunkMeta::create_first(seed_signature)),
stream_pos(0),
sha256_hash(calc_hash_sha256_open_stream()),
prev_chunk_signature(std::move(seed_signature)) {
}
~AWSv4ComplMulti() {
if (sha256_hash) {
calc_hash_sha256_close_stream(&sha256_hash);
}
}
/* rgw::io::DecoratedRestfulClient. */
size_t recv_body(char* buf, size_t max) override;
/* rgw::auth::Completer. */
void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override;
bool complete() override;
/* Factories. */
static cmplptr_t create(const req_state* s,
boost::string_view date,
boost::string_view credential_scope,
boost::string_view seed_signature,
const boost::optional<std::string>& secret_key);
};
class AWSv4ComplSingle : public rgw::auth::Completer,
public rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>,
public std::enable_shared_from_this<AWSv4ComplSingle> {
using io_base_t = rgw::io::DecoratedRestfulClient<rgw::io::RestfulClient*>;
CephContext* const cct;
const char* const expected_request_payload_hash;
ceph::crypto::SHA256* sha256_hash = nullptr;
public:
/* Defined in rgw_auth_s3.cc because of get_v4_exp_payload_hash(). We need
* the constructor to be public because of the std::make_shared employed by
* the create() method. */
explicit AWSv4ComplSingle(const req_state* const s);
~AWSv4ComplSingle() {
if (sha256_hash) {
calc_hash_sha256_close_stream(&sha256_hash);
}
}
/* rgw::io::DecoratedRestfulClient. */
size_t recv_body(char* buf, size_t max) override;
/* rgw::auth::Completer. */
void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override;
bool complete() override;
/* Factories. */
static cmplptr_t create(const req_state* s,
const boost::optional<std::string>&);
};
} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */
void rgw_create_s3_canonical_header(
const char *method,
const char *content_md5,
const char *content_type,
const char *date,
const meta_map_t& meta_map,
const meta_map_t& qs_map,
const char *request_uri,
const std::map<std::string, std::string>& sub_resources,
std::string& dest_str);
bool rgw_create_s3_canonical_header(const req_info& info,
utime_t *header_time, /* out */
std::string& dest, /* out */
bool qsr);
static inline std::tuple<bool, std::string, utime_t>
rgw_create_s3_canonical_header(const req_info& info, const bool qsr) {
std::string dest;
utime_t header_time;
const bool ok = rgw_create_s3_canonical_header(info, &header_time, dest, qsr);
return std::make_tuple(ok, dest, header_time);
}
namespace rgw {
namespace auth {
namespace s3 {
static constexpr char AWS4_HMAC_SHA256_STR[] = "AWS4-HMAC-SHA256";
static constexpr char AWS4_HMAC_SHA256_PAYLOAD_STR[] = "AWS4-HMAC-SHA256-PAYLOAD";
static constexpr char AWS4_EMPTY_PAYLOAD_HASH[] = \
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
static constexpr char AWS4_UNSIGNED_PAYLOAD_HASH[] = "UNSIGNED-PAYLOAD";
static constexpr char AWS4_STREAMING_PAYLOAD_HASH[] = \
"STREAMING-AWS4-HMAC-SHA256-PAYLOAD";
int parse_v4_credentials(const req_info& info, /* in */
boost::string_view& access_key_id, /* out */
boost::string_view& credential_scope, /* out */
boost::string_view& signedheaders, /* out */
boost::string_view& signature, /* out */
boost::string_view& date, /* out */
boost::string_view& session_token, /* out */
const bool using_qs); /* in */
static inline bool char_needs_aws4_escaping(const char c, bool encode_slash)
{
if ((c >= 'a' && c <= 'z') ||
(c >= 'A' && c <= 'Z') ||
(c >= '0' && c <= '9')) {
return false;
}
switch (c) {
case '-':
case '_':
case '.':
case '~':
return false;
}
if (c == '/' && !encode_slash)
return false;
return true;
}
static inline std::string aws4_uri_encode(const std::string& src, bool encode_slash)
{
std::string result;
for (const std::string::value_type c : src) {
if (char_needs_aws4_escaping(c, encode_slash)) {
rgw_uri_escape_char(c, result);
} else {
result.push_back(c);
}
}
return result;
}
static inline std::string aws4_uri_recode(const boost::string_view& src, bool encode_slash)
{
std::string decoded = url_decode(src);
return aws4_uri_encode(decoded, encode_slash);
}
static inline std::string get_v4_canonical_uri(const req_info& info) {
/* The code should normalize according to RFC 3986 but S3 does NOT do path
* normalization that SigV4 typically does. This code follows the same
* approach that boto library. See auth.py:canonical_uri(...). */
std::string canonical_uri = aws4_uri_recode(info.request_uri_aws4, false);
if (canonical_uri.empty()) {
canonical_uri = "/";
} else {
boost::replace_all(canonical_uri, "+", "%20");
}
return canonical_uri;
}
static inline const string calc_v4_payload_hash(const string& payload)
{
ceph::crypto::SHA256* sha256_hash = calc_hash_sha256_open_stream();
calc_hash_sha256_update_stream(sha256_hash, payload.c_str(), payload.length());
const auto payload_hash = calc_hash_sha256_close_stream(&sha256_hash);
return payload_hash;
}
static inline const char* get_v4_exp_payload_hash(const req_info& info)
{
/* In AWSv4 the hash of real, transferred payload IS NOT necessary to form
* a Canonical Request, and thus verify a Signature. x-amz-content-sha256
* header lets get the information very early -- before seeing first byte
* of HTTP body. As a consequence, we can decouple Signature verification
* from payload's fingerprint check. */
const char *expected_request_payload_hash = \
info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
if (!expected_request_payload_hash) {
/* An HTTP client MUST send x-amz-content-sha256. The single exception
* is the case of using the Query Parameters where "UNSIGNED-PAYLOAD"
* literals are used for crafting Canonical Request:
*
* You don't include a payload hash in the Canonical Request, because
* when you create a presigned URL, you don't know the payload content
* because the URL is used to upload an arbitrary payload. Instead, you
* use a constant string UNSIGNED-PAYLOAD. */
expected_request_payload_hash = AWS4_UNSIGNED_PAYLOAD_HASH;
}
return expected_request_payload_hash;
}
static inline bool is_v4_payload_unsigned(const char* const exp_payload_hash)
{
return boost::equals(exp_payload_hash, AWS4_UNSIGNED_PAYLOAD_HASH);
}
static inline bool is_v4_payload_empty(const req_state* const s)
{
/* from rfc2616 - 4.3 Message Body
*
* "The presence of a message-body in a request is signaled by the inclusion
* of a Content-Length or Transfer-Encoding header field in the request's
* message-headers." */
return s->content_length == 0 &&
s->info.env->get("HTTP_TRANSFER_ENCODING") == nullptr;
}
static inline bool is_v4_payload_streamed(const char* const exp_payload_hash)
{
return boost::equals(exp_payload_hash, AWS4_STREAMING_PAYLOAD_HASH);
}
std::string get_v4_canonical_qs(const req_info& info, bool using_qs);
boost::optional<std::string>
get_v4_canonical_headers(const req_info& info,
const boost::string_view& signedheaders,
bool using_qs,
bool force_boto2_compat);
extern sha256_digest_t
get_v4_canon_req_hash(CephContext* cct,
const boost::string_view& http_verb,
const std::string& canonical_uri,
const std::string& canonical_qs,
const std::string& canonical_hdrs,
const boost::string_view& signed_hdrs,
const boost::string_view& request_payload_hash);
AWSEngine::VersionAbstractor::string_to_sign_t
get_v4_string_to_sign(CephContext* cct,
const boost::string_view& algorithm,
const boost::string_view& request_date,
const boost::string_view& credential_scope,
const sha256_digest_t& canonreq_hash);
extern AWSEngine::VersionAbstractor::server_signature_t
get_v4_signature(const boost::string_view& credential_scope,
CephContext* const cct,
const boost::string_view& secret_key,
const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
extern AWSEngine::VersionAbstractor::server_signature_t
get_v2_signature(CephContext*,
const std::string& secret_key,
const AWSEngine::VersionAbstractor::string_to_sign_t& string_to_sign);
} /* namespace s3 */
} /* namespace auth */
} /* namespace rgw */
#endif
|
