ceph · mattbenjamin · Jun 13, 2017 · Mar 10, 2017 · Apr 13, 2017 · Apr 13, 2017
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -103,8 +103,8 @@ class IdentityApplier : public Identity {
   virtual void load_acct_info(RGWUserInfo& user_info) const = 0; /* out */
 
   /* Apply any changes to request state. This method will be most useful for
-   * TempURL of Swift API or AWSv4. */
-  virtual void modify_request_state(req_state * s) const {}      /* in/out */
+   * TempURL of Swift API. */
+  virtual void modify_request_state(req_state* s) const {}      /* in/out */
 };
 
 
@@ -126,14 +126,21 @@ class IdentityApplier : public Identity {
  *  E. execute-commit - commit the modifications from point C. */
 class Completer {
 public:
-  typedef std::unique_ptr<Completer> cmplptr_t;
+  /* It's expected that Completers would tend to implement many interfaces
+   * and be used not only in req_state::auth::completer. Ref counting their
+   * instances woild be helpful. */
+  typedef std::shared_ptr<Completer> cmplptr_t;
 
   virtual ~Completer() = default;
 
   /* Complete the authentication process. Return boolean indicating whether
    * the completion succeeded. On error throws rgw::auth::Exception storing
    * the reason. */
   virtual bool complete() = 0;
+
+  /* Apply any changes to request state. The initial use case was injecting
+   * the AWSv4 filter over rgw::io::RestfulClient in req_state. */
+  virtual void modify_request_state(req_state* s) = 0;     /* in/out */
 };
 
 

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
@@ -289,9 +289,9 @@ TokenEngine::authenticate(const std::string& token,
  * Try to validate S3 auth against keystone s3token interface
  */
 std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int>
-EC2Engine::get_from_keystone(const std::string& access_key_id,
+EC2Engine::get_from_keystone(const boost::string_view& access_key_id,
                              const std::string& string_to_sign,
-                             const std::string& signature) const
+                             const boost::string_view& signature) const
 {
   /* prepare keystone url */
   std::string keystone_url = config.get_endpoint_url();
@@ -335,9 +335,9 @@ EC2Engine::get_from_keystone(const std::string& access_key_id,
   JSONFormatter credentials(false);
   credentials.open_object_section("");
   credentials.open_object_section("credentials");
-  credentials.dump_string("access", access_key_id);
+  credentials.dump_string("access", sview2cstr(access_key_id).data());
   credentials.dump_string("token", rgw::to_base64(string_to_sign));
-  credentials.dump_string("signature", signature);
+  credentials.dump_string("signature", sview2cstr(signature).data());
   credentials.close_section();
   credentials.close_section();
 
@@ -413,11 +413,14 @@ EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token,
   };
 }
 
-rgw::auth::Engine::result_t EC2Engine::authenticate(const std::string& access_key_id,
-                                                    const std::string& signature,
-                                                    const std::string& string_to_sign,
-                                                    /* Passthorugh only! */
-                                                    const req_state* s) const
+rgw::auth::Engine::result_t EC2Engine::authenticate(
+  const boost::string_view& access_key_id,
+  const boost::string_view& signature,
+  const std::string& string_to_sign,
+  const signature_factory_t& signature_factory,
+  const completer_factory_t& completer_factory,
+  /* Passthorugh only! */
+  const req_state* s) const
 {
   /* This will be initialized on the first call to this method. In C++11 it's
    * also thread-safe. */
@@ -472,7 +475,7 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(const std::string& access_ke
 
     auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t),
                                               get_creds_info(*t, accepted_roles.admin));
-    return result_t::grant(std::move(apl));
+    return result_t::grant(std::move(apl), completer_factory(boost::none));
   }
 }
 

diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h
@@ -7,6 +7,7 @@
 
 #include <utility>
 #include <boost/optional.hpp>
+#include <boost/utility/string_view.hpp>
 
 #include "rgw_auth.h"
 #include "rgw_rest_s3.h"
@@ -71,7 +72,7 @@ class TokenEngine : public rgw::auth::Engine {
 }; /* class TokenEngine */
 
 
-class EC2Engine : public rgw::auth::s3::Version2ndEngine {
+class EC2Engine : public rgw::auth::s3::AWSEngine {
   using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
   using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
   using result_t = rgw::auth::Engine::result_t;
@@ -87,29 +88,31 @@ class EC2Engine : public rgw::auth::s3::Version2ndEngine {
                              const std::vector<std::string>& admin_roles
                             ) const noexcept;
   std::pair<boost::optional<token_envelope_t>, int>
-  get_from_keystone(const std::string& access_key_id,
+  get_from_keystone(const boost::string_view& access_key_id,
                     const std::string& string_to_sign,
-                    const std::string& signature) const;
-  result_t authenticate(const std::string& access_key_id,
-                        const std::string& signature,
+                    const boost::string_view& signature) const;
+  result_t authenticate(const boost::string_view& access_key_id,
+                        const boost::string_view& signature,
                         const std::string& string_to_sign,
+                        const signature_factory_t& signature_factory,
+                        const completer_factory_t& completer_factory,
                         const req_state* s) const override;
 public:
   EC2Engine(CephContext* const cct,
-            const rgw::auth::s3::Version2ndEngine::Extractor* const extractor,
+            const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
             const rgw::auth::RemoteApplier::Factory* const apl_factory,
             rgw::keystone::Config& config,
             /* The token cache is used ONLY for the retrieving admin token.
              * Due to the architecture of AWS Auth S3 credentials cannot be
              * cached at all. */
             rgw::keystone::TokenCache& token_cache)
-    : Version2ndEngine(cct, *extractor),
+    : AWSEngine(cct, *ver_abstractor),
       apl_factory(apl_factory),
       config(config),
       token_cache(token_cache) {
   }
 
-  using Version2ndEngine::authenticate;
+  using AWSEngine::authenticate;
 
   const char* get_name() const noexcept override {
     return "rgw::auth::keystone::EC2Engine";

diff --git a/src/rgw/rgw_auth_registry.h b/src/rgw/rgw_auth_registry.h
@@ -25,9 +25,9 @@ class StrategyRegistry {
   using s3_strategy_t = rgw::auth::s3::AWSv2AuthStrategy<ExtractorT>;
 
   using s3_main_strategy_t = \
-    s3_strategy_t<rgw::auth::s3::RGWS3V2Extractor>;
+    s3_strategy_t<rgw::auth::s3::AWSGeneralAbstractor>;
   using s3_post_strategy_t = \
-    s3_strategy_t<rgw::auth::s3::RGWGetPolicyV2Extractor>;
+    s3_strategy_t<rgw::auth::s3::AWSBrowserUploadAbstractor>;
 
   s3_main_strategy_t s3_main_strategy;
   s3_post_strategy_t s3_post_strategy;