1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
|
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
#ifndef CEPH_RGW_IAM_POLICY_H
#define CEPH_RGW_IAM_POLICY_H
#include <bitset>
#include <chrono>
#include <cstdint>
#include <iostream>
#include <string>
#include <boost/algorithm/string/predicate.hpp>
#include <boost/container/flat_map.hpp>
#include <boost/container/flat_set.hpp>
#include <boost/optional.hpp>
#include <boost/thread/shared_mutex.hpp>
#include <boost/utility/string_ref.hpp>
#include <boost/variant.hpp>
#include "common/ceph_time.h"
#include "common/iso_8601.h"
#include "rapidjson/error/error.h"
#include "rapidjson/error/en.h"
#include "rgw_acl.h"
#include "rgw_basic_types.h"
#include "rgw_iam_policy_keywords.h"
#include "rgw_string.h"
#include "rgw_arn.h"
class RGWRados;
namespace rgw {
namespace auth {
class Identity;
}
}
struct rgw_obj;
struct rgw_bucket;
namespace rgw {
namespace IAM {
static constexpr std::uint64_t s3GetObject = 0;
static constexpr std::uint64_t s3GetObjectVersion = 1;
static constexpr std::uint64_t s3PutObject = 2;
static constexpr std::uint64_t s3GetObjectAcl = 3;
static constexpr std::uint64_t s3GetObjectVersionAcl = 4;
static constexpr std::uint64_t s3PutObjectAcl = 5;
static constexpr std::uint64_t s3PutObjectVersionAcl = 6;
static constexpr std::uint64_t s3DeleteObject = 7;
static constexpr std::uint64_t s3DeleteObjectVersion = 8;
static constexpr std::uint64_t s3ListMultipartUploadParts = 9;
static constexpr std::uint64_t s3AbortMultipartUpload = 10;
static constexpr std::uint64_t s3GetObjectTorrent = 11;
static constexpr std::uint64_t s3GetObjectVersionTorrent = 12;
static constexpr std::uint64_t s3RestoreObject = 13;
static constexpr std::uint64_t s3CreateBucket = 14;
static constexpr std::uint64_t s3DeleteBucket = 15;
static constexpr std::uint64_t s3ListBucket = 16;
static constexpr std::uint64_t s3ListBucketVersions = 17;
static constexpr std::uint64_t s3ListAllMyBuckets = 18;
static constexpr std::uint64_t s3ListBucketMultipartUploads = 19;
static constexpr std::uint64_t s3GetAccelerateConfiguration = 20;
static constexpr std::uint64_t s3PutAccelerateConfiguration = 21;
static constexpr std::uint64_t s3GetBucketAcl = 22;
static constexpr std::uint64_t s3PutBucketAcl = 23;
static constexpr std::uint64_t s3GetBucketCORS = 24;
static constexpr std::uint64_t s3PutBucketCORS = 25;
static constexpr std::uint64_t s3GetBucketVersioning = 26;
static constexpr std::uint64_t s3PutBucketVersioning = 27;
static constexpr std::uint64_t s3GetBucketRequestPayment = 28;
static constexpr std::uint64_t s3PutBucketRequestPayment = 29;
static constexpr std::uint64_t s3GetBucketLocation = 30;
static constexpr std::uint64_t s3GetBucketPolicy = 31;
static constexpr std::uint64_t s3DeleteBucketPolicy = 32;
static constexpr std::uint64_t s3PutBucketPolicy = 33;
static constexpr std::uint64_t s3GetBucketNotification = 34;
static constexpr std::uint64_t s3PutBucketNotification = 35;
static constexpr std::uint64_t s3GetBucketLogging = 36;
static constexpr std::uint64_t s3PutBucketLogging = 37;
static constexpr std::uint64_t s3GetBucketTagging = 38;
static constexpr std::uint64_t s3PutBucketTagging = 39;
static constexpr std::uint64_t s3GetBucketWebsite = 40;
static constexpr std::uint64_t s3PutBucketWebsite = 41;
static constexpr std::uint64_t s3DeleteBucketWebsite = 42;
static constexpr std::uint64_t s3GetLifecycleConfiguration = 43;
static constexpr std::uint64_t s3PutLifecycleConfiguration = 44;
static constexpr std::uint64_t s3PutReplicationConfiguration = 45;
static constexpr std::uint64_t s3GetReplicationConfiguration = 46;
static constexpr std::uint64_t s3DeleteReplicationConfiguration = 47;
static constexpr std::uint64_t s3GetObjectTagging = 48;
static constexpr std::uint64_t s3PutObjectTagging = 49;
static constexpr std::uint64_t s3DeleteObjectTagging = 50;
static constexpr std::uint64_t s3GetObjectVersionTagging = 51;
static constexpr std::uint64_t s3PutObjectVersionTagging = 52;
static constexpr std::uint64_t s3DeleteObjectVersionTagging = 53;
static constexpr std::uint64_t s3PutBucketObjectLockConfiguration = 54;
static constexpr std::uint64_t s3GetBucketObjectLockConfiguration = 55;
static constexpr std::uint64_t s3PutObjectRetention = 56;
static constexpr std::uint64_t s3GetObjectRetention = 57;
static constexpr std::uint64_t s3PutObjectLegalHold = 58;
static constexpr std::uint64_t s3GetObjectLegalHold = 59;
static constexpr std::uint64_t s3BypassGovernanceRetention = 60;
static constexpr std::uint64_t s3All = 61;
static constexpr std::uint64_t iamPutUserPolicy = 62;
static constexpr std::uint64_t iamGetUserPolicy = 63;
static constexpr std::uint64_t iamDeleteUserPolicy = 64;
static constexpr std::uint64_t iamListUserPolicies = 65;
static constexpr std::uint64_t iamCreateRole = 66;
static constexpr std::uint64_t iamDeleteRole = 67;
static constexpr std::uint64_t iamModifyRole = 68;
static constexpr std::uint64_t iamGetRole = 69;
static constexpr std::uint64_t iamListRoles = 70;
static constexpr std::uint64_t iamPutRolePolicy = 71;
static constexpr std::uint64_t iamGetRolePolicy = 72;
static constexpr std::uint64_t iamListRolePolicies = 73;
static constexpr std::uint64_t iamDeleteRolePolicy = 74;
static constexpr std::uint64_t iamAll = 75;
static constexpr std::uint64_t stsAssumeRole = 76;
static constexpr std::uint64_t stsAssumeRoleWithWebIdentity = 77;
static constexpr std::uint64_t stsGetSessionToken = 78;
static constexpr std::uint64_t stsAll = 79;
static constexpr std::uint64_t s3Count = s3BypassGovernanceRetention + 1;
static constexpr std::uint64_t allCount = stsAll + 1;
using Action_t = std::bitset<allCount>;
using NotAction_t = Action_t;
static const Action_t None(0);
static const Action_t s3AllValue("1111111111111111111111111111111111111111111111111111111111111");
static const Action_t iamAllValue("111111111111100000000000000000000000000000000000000000000000000000000000000");
static const Action_t stsAllValue("1110000000000000000000000000000000000000000000000000000000000000000000000000000");
//Modify allValue if more Actions are added
static const Action_t allValue("11111111111111111111111111111111111111111111111111111111111111111111111111111111");
namespace {
// Please update the table in doc/radosgw/s3/authentication.rst if you
// modify this function.
inline int op_to_perm(std::uint64_t op) {
switch (op) {
case s3GetObject:
case s3GetObjectTorrent:
case s3GetObjectVersion:
case s3GetObjectVersionTorrent:
case s3GetObjectTagging:
case s3GetObjectVersionTagging:
case s3GetObjectRetention:
case s3GetObjectLegalHold:
case s3ListAllMyBuckets:
case s3ListBucket:
case s3ListBucketMultipartUploads:
case s3ListBucketVersions:
case s3ListMultipartUploadParts:
return RGW_PERM_READ;
case s3AbortMultipartUpload:
case s3CreateBucket:
case s3DeleteBucket:
case s3DeleteObject:
case s3DeleteObjectVersion:
case s3PutObject:
case s3PutObjectTagging:
case s3PutObjectVersionTagging:
case s3DeleteObjectTagging:
case s3DeleteObjectVersionTagging:
case s3RestoreObject:
case s3PutObjectRetention:
case s3PutObjectLegalHold:
case s3BypassGovernanceRetention:
return RGW_PERM_WRITE;
case s3GetAccelerateConfiguration:
case s3GetBucketAcl:
case s3GetBucketCORS:
case s3GetBucketLocation:
case s3GetBucketLogging:
case s3GetBucketNotification:
case s3GetBucketPolicy:
case s3GetBucketRequestPayment:
case s3GetBucketTagging:
case s3GetBucketVersioning:
case s3GetBucketWebsite:
case s3GetLifecycleConfiguration:
case s3GetObjectAcl:
case s3GetObjectVersionAcl:
case s3GetReplicationConfiguration:
case s3GetBucketObjectLockConfiguration:
return RGW_PERM_READ_ACP;
case s3DeleteBucketPolicy:
case s3DeleteBucketWebsite:
case s3DeleteReplicationConfiguration:
case s3PutAccelerateConfiguration:
case s3PutBucketAcl:
case s3PutBucketCORS:
case s3PutBucketLogging:
case s3PutBucketNotification:
case s3PutBucketPolicy:
case s3PutBucketRequestPayment:
case s3PutBucketTagging:
case s3PutBucketVersioning:
case s3PutBucketWebsite:
case s3PutLifecycleConfiguration:
case s3PutObjectAcl:
case s3PutObjectVersionAcl:
case s3PutReplicationConfiguration:
case s3PutBucketObjectLockConfiguration:
return RGW_PERM_WRITE_ACP;
case s3All:
return RGW_PERM_FULL_CONTROL;
}
return RGW_PERM_INVALID;
}
}
using Environment = boost::container::flat_map<std::string, std::string>;
using Address = std::bitset<128>;
struct MaskedIP {
bool v6;
Address addr;
// Since we're mapping IPv6 to IPv4 addresses, we may want to
// consider making the prefix always be in terms of a v6 address
// and just use the v6 bit to rewrite it as a v4 prefix for
// output.
unsigned int prefix;
};
std::ostream& operator <<(std::ostream& m, const MaskedIP& ip);
inline bool operator ==(const MaskedIP& l, const MaskedIP& r) {
auto shift = std::max((l.v6 ? 128 : 32) - ((int) l.prefix),
(r.v6 ? 128 : 32) - ((int) r.prefix));
ceph_assert(shift >= 0);
return (l.addr >> shift) == (r.addr >> shift);
}
struct Condition {
TokenID op;
// Originally I was going to use a perfect hash table, but Marcus
// says keys are to be added at run-time not compile time.
// In future development, use symbol internment.
std::string key;
bool ifexists = false;
// Much to my annoyance there is no actual way to do this in a
// typed way that is compatible with AWS. I know this because I've
// seen examples where the same value is used as a string in one
// context and a date in another.
std::vector<std::string> vals;
Condition() = default;
Condition(TokenID op, const char* s, std::size_t len, bool ifexists)
: op(op), key(s, len), ifexists(ifexists) {}
bool eval(const Environment& e) const;
static boost::optional<double> as_number(const std::string& s) {
std::size_t p = 0;
try {
double d = std::stod(s, &p);
if (p < s.length()) {
return boost::none;
}
return d;
} catch (const std::logic_error& e) {
return boost::none;
}
}
static boost::optional<ceph::real_time> as_date(const std::string& s) {
std::size_t p = 0;
try {
double d = std::stod(s, &p);
if (p == s.length()) {
return ceph::real_time(
std::chrono::seconds(static_cast<uint64_t>(d)) +
std::chrono::nanoseconds(
static_cast<uint64_t>((d - static_cast<uint64_t>(d))
* 1000000000)));
}
return from_iso_8601(boost::string_ref(s), false);
} catch (const std::logic_error& e) {
return boost::none;
}
}
static boost::optional<bool> as_bool(const std::string& s) {
std::size_t p = 0;
if (s.empty() || boost::iequals(s, "false")) {
return false;
}
try {
double d = std::stod(s, &p);
if (p == s.length()) {
return !((d == +0.0) || (d == -0.0) || std::isnan(d));
}
} catch (const std::logic_error& e) {
// Fallthrough
}
return true;
}
static boost::optional<ceph::bufferlist> as_binary(const std::string& s) {
// In a just world
ceph::bufferlist base64;
// I could populate a bufferlist
base64.push_back(buffer::create_static(
s.length(),
const_cast<char*>(s.data()))); // Yuck
// From a base64 encoded std::string.
ceph::bufferlist bin;
try {
bin.decode_base64(base64);
} catch (const ceph::buffer::malformed_input& e) {
return boost::none;
}
return bin;
}
static boost::optional<MaskedIP> as_network(const std::string& s);
struct ci_equal_to {
bool operator ()(const std::string& s1,
const std::string& s2) const {
return boost::iequals(s1, s2);
}
};
struct string_like {
bool operator ()(const std::string& input,
const std::string& pattern) const {
return match_wildcards(pattern, input, 0);
}
};
struct ci_starts_with {
bool operator()(const std::string& s1,
const std::string& s2) const {
return boost::istarts_with(s1, s2);
}
};
template<typename F>
static bool orrible(F&& f, const std::string& c,
const std::vector<std::string>& v) {
for (const auto& d : v) {
if (std::forward<F>(f)(c, d)) {
return true;
}
}
return false;
}
template<typename F, typename X>
static bool shortible(F&& f, X& x, const std::string& c,
const std::vector<std::string>& v) {
auto xc = std::forward<X>(x)(c);
if (!xc) {
return false;
}
for (const auto& d : v) {
auto xd = std::forward<X>(x)(d);
if (!xd) {
continue;
}
if (std::forward<F>(f)(*xc, *xd)) {
return true;
}
}
return false;
}
template <typename F>
bool has_key_p(const std::string& _key, F p) const {
return p(key, _key);
}
};
std::ostream& operator <<(std::ostream& m, const Condition& c);
struct Statement {
boost::optional<std::string> sid = boost::none;
boost::container::flat_set<rgw::auth::Principal> princ;
boost::container::flat_set<rgw::auth::Principal> noprinc;
// Every statement MUST provide an effect. I just initialize it to
// deny as defensive programming.
Effect effect = Effect::Deny;
Action_t action = 0;
NotAction_t notaction = 0;
boost::container::flat_set<ARN> resource;
boost::container::flat_set<ARN> notresource;
std::vector<Condition> conditions;
Effect eval(const Environment& e,
boost::optional<const rgw::auth::Identity&> ida,
std::uint64_t action, const ARN& resource) const;
Effect eval_principal(const Environment& e,
boost::optional<const rgw::auth::Identity&> ida) const;
Effect eval_conditions(const Environment& e) const;
};
std::ostream& operator <<(ostream& m, const Statement& s);
struct PolicyParseException : public std::exception {
rapidjson::ParseResult pr;
explicit PolicyParseException(rapidjson::ParseResult&& pr)
: pr(pr) { }
const char* what() const noexcept override {
return rapidjson::GetParseError_En(pr.Code());
}
};
struct Policy {
std::string text;
Version version = Version::v2008_10_17;
boost::optional<std::string> id = boost::none;
std::vector<Statement> statements;
Policy(CephContext* cct, const std::string& tenant,
const bufferlist& text);
Effect eval(const Environment& e,
boost::optional<const rgw::auth::Identity&> ida,
std::uint64_t action, const ARN& resource) const;
Effect eval_principal(const Environment& e,
boost::optional<const rgw::auth::Identity&> ida) const;
Effect eval_conditions(const Environment& e) const;
template <typename F>
bool has_conditional(const string& conditional, F p) const {
for (const auto&s: statements){
if (std::any_of(s.conditions.begin(), s.conditions.end(),
[&](const Condition& c) { return c.has_key_p(conditional, p);}))
return true;
}
return false;
}
bool has_conditional(const string& c) const {
return has_conditional(c, Condition::ci_equal_to());
}
bool has_partial_conditional(const string& c) const {
return has_conditional(c, Condition::ci_starts_with());
}
};
std::ostream& operator <<(ostream& m, const Policy& p);
}
}
#endif
|