]>
Commit | Line | Data |
---|---|---|
7c673cae | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
7c673cae FG |
3 | |
4 | #include <string> | |
5 | #include <vector> | |
6 | ||
7 | #include <errno.h> | |
8 | #include <fnmatch.h> | |
9 | ||
10 | #include "rgw_b64.h" | |
11 | ||
12 | #include "common/errno.h" | |
13 | #include "common/ceph_json.h" | |
14 | #include "include/types.h" | |
15 | #include "include/str_list.h" | |
16 | ||
17 | #include "rgw_common.h" | |
18 | #include "rgw_keystone.h" | |
19 | #include "rgw_auth_keystone.h" | |
7c673cae FG |
20 | #include "rgw_rest_s3.h" |
21 | #include "rgw_auth_s3.h" | |
22 | ||
9f95a23c | 23 | #include "common/ceph_crypto.h" |
7c673cae FG |
24 | #include "common/Cond.h" |
25 | ||
26 | #define dout_subsys ceph_subsys_rgw | |
27 | ||
20effc67 | 28 | using namespace std; |
7c673cae FG |
29 | |
30 | namespace rgw { | |
31 | namespace auth { | |
32 | namespace keystone { | |
33 | ||
34 | bool | |
35 | TokenEngine::is_applicable(const std::string& token) const noexcept | |
36 | { | |
37 | return ! token.empty() && ! cct->_conf->rgw_keystone_url.empty(); | |
38 | } | |
39 | ||
7c673cae | 40 | boost::optional<TokenEngine::token_envelope_t> |
11fdf7f2 | 41 | TokenEngine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string& token) const |
7c673cae FG |
42 | { |
43 | /* Unfortunately, we can't use the short form of "using" here. It's because | |
44 | * we're aliasing a class' member, not namespace. */ | |
45 | using RGWValidateKeystoneToken = \ | |
46 | rgw::keystone::Service::RGWValidateKeystoneToken; | |
47 | ||
48 | /* The container for plain response obtained from Keystone. It will be | |
49 | * parsed token_envelope_t::parse method. */ | |
50 | ceph::bufferlist token_body_bl; | |
11fdf7f2 | 51 | RGWValidateKeystoneToken validate(cct, "GET", "", &token_body_bl); |
7c673cae FG |
52 | |
53 | std::string url = config.get_endpoint_url(); | |
54 | if (url.empty()) { | |
55 | throw -EINVAL; | |
56 | } | |
57 | ||
58 | const auto keystone_version = config.get_api_version(); | |
59 | if (keystone_version == rgw::keystone::ApiVersion::VER_2) { | |
60 | url.append("v2.0/tokens/" + token); | |
61 | } else if (keystone_version == rgw::keystone::ApiVersion::VER_3) { | |
62 | url.append("v3/auth/tokens"); | |
63 | validate.append_header("X-Subject-Token", token); | |
64 | } | |
65 | ||
66 | std::string admin_token; | |
20effc67 | 67 | if (rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
7c673cae FG |
68 | admin_token) < 0) { |
69 | throw -EINVAL; | |
70 | } | |
71 | ||
72 | validate.append_header("X-Auth-Token", admin_token); | |
73 | validate.set_send_length(0); | |
74 | ||
11fdf7f2 TL |
75 | validate.set_url(url); |
76 | ||
9f95a23c | 77 | int ret = validate.process(null_yield); |
7c673cae FG |
78 | if (ret < 0) { |
79 | throw ret; | |
80 | } | |
81 | ||
82 | /* NULL terminate for debug output. */ | |
83 | token_body_bl.append(static_cast<char>(0)); | |
7c673cae FG |
84 | |
85 | /* Detect Keystone rejection earlier than during the token parsing. | |
86 | * Although failure at the parsing phase doesn't impose a threat, | |
87 | * this allows to return proper error code (EACCESS instead of EINVAL | |
88 | * or similar) and thus improves logging. */ | |
89 | if (validate.get_http_status() == | |
90 | /* Most likely: wrong admin credentials or admin token. */ | |
91 | RGWValidateKeystoneToken::HTTP_STATUS_UNAUTHORIZED || | |
92 | validate.get_http_status() == | |
93 | /* Most likely: non-existent token supplied by the client. */ | |
94 | RGWValidateKeystoneToken::HTTP_STATUS_NOTFOUND) { | |
11fdf7f2 | 95 | ldpp_dout(dpp, 5) << "Failed keystone auth from " << url << " with " |
b32b8144 | 96 | << validate.get_http_status() << dendl; |
7c673cae FG |
97 | return boost::none; |
98 | } | |
99 | ||
11fdf7f2 | 100 | ldpp_dout(dpp, 20) << "received response status=" << validate.get_http_status() |
b32b8144 FG |
101 | << ", body=" << token_body_bl.c_str() << dendl; |
102 | ||
7c673cae | 103 | TokenEngine::token_envelope_t token_body; |
20effc67 | 104 | ret = token_body.parse(dpp, cct, token, token_body_bl, config.get_api_version()); |
7c673cae FG |
105 | if (ret < 0) { |
106 | throw ret; | |
107 | } | |
108 | ||
109 | return token_body; | |
110 | } | |
111 | ||
112 | TokenEngine::auth_info_t | |
113 | TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token, | |
114 | const std::vector<std::string>& admin_roles | |
115 | ) const noexcept | |
116 | { | |
117 | using acct_privilege_t = rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
118 | ||
119 | /* Check whether the user has an admin status. */ | |
120 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
121 | for (const auto& admin_role : admin_roles) { | |
122 | if (token.has_role(admin_role)) { | |
123 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
124 | break; | |
125 | } | |
126 | } | |
127 | ||
128 | return auth_info_t { | |
129 | /* Suggested account name for the authenticated user. */ | |
130 | rgw_user(token.get_project_id()), | |
131 | /* User's display name (aka real name). */ | |
132 | token.get_project_name(), | |
133 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
134 | * the access rights through the perm_mask. At least at this layer. */ | |
135 | RGW_PERM_FULL_CONTROL, | |
136 | level, | |
137 | TYPE_KEYSTONE, | |
138 | }; | |
139 | } | |
140 | ||
141 | static inline const std::string | |
142 | make_spec_item(const std::string& tenant, const std::string& id) | |
143 | { | |
144 | return tenant + ":" + id; | |
145 | } | |
146 | ||
147 | TokenEngine::acl_strategy_t | |
148 | TokenEngine::get_acl_strategy(const TokenEngine::token_envelope_t& token) const | |
149 | { | |
150 | /* The primary identity is constructed upon UUIDs. */ | |
151 | const auto& tenant_uuid = token.get_project_id(); | |
152 | const auto& user_uuid = token.get_user_id(); | |
153 | ||
154 | /* For Keystone v2 an alias may be also used. */ | |
155 | const auto& tenant_name = token.get_project_name(); | |
156 | const auto& user_name = token.get_user_name(); | |
157 | ||
158 | /* Construct all possible combinations including Swift's wildcards. */ | |
159 | const std::array<std::string, 6> allowed_items = { | |
160 | make_spec_item(tenant_uuid, user_uuid), | |
161 | make_spec_item(tenant_name, user_name), | |
162 | ||
163 | /* Wildcards. */ | |
164 | make_spec_item(tenant_uuid, "*"), | |
165 | make_spec_item(tenant_name, "*"), | |
166 | make_spec_item("*", user_uuid), | |
167 | make_spec_item("*", user_name), | |
168 | }; | |
169 | ||
170 | /* Lambda will obtain a copy of (not a reference to!) allowed_items. */ | |
171 | return [allowed_items](const rgw::auth::Identity::aclspec_t& aclspec) { | |
172 | uint32_t perm = 0; | |
173 | ||
174 | for (const auto& allowed_item : allowed_items) { | |
175 | const auto iter = aclspec.find(allowed_item); | |
176 | ||
177 | if (std::end(aclspec) != iter) { | |
178 | perm |= iter->second; | |
179 | } | |
180 | } | |
181 | ||
182 | return perm; | |
183 | }; | |
184 | } | |
185 | ||
186 | TokenEngine::result_t | |
11fdf7f2 TL |
187 | TokenEngine::authenticate(const DoutPrefixProvider* dpp, |
188 | const std::string& token, | |
7c673cae FG |
189 | const req_state* const s) const |
190 | { | |
191 | boost::optional<TokenEngine::token_envelope_t> t; | |
192 | ||
193 | /* This will be initialized on the first call to this method. In C++11 it's | |
194 | * also thread-safe. */ | |
195 | static const struct RolesCacher { | |
11fdf7f2 | 196 | explicit RolesCacher(CephContext* const cct) { |
7c673cae FG |
197 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); |
198 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
199 | ||
200 | /* Let's suppose that having an admin role implies also a regular one. */ | |
201 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
202 | } | |
203 | ||
204 | std::vector<std::string> plain; | |
205 | std::vector<std::string> admin; | |
206 | } roles(cct); | |
207 | ||
208 | if (! is_applicable(token)) { | |
209 | return result_t::deny(); | |
210 | } | |
211 | ||
9f95a23c TL |
212 | /* Token ID is a legacy of supporting the service-side validation |
213 | * of PKI/PKIz token type which are already-removed-in-OpenStack. | |
214 | * The idea was to bury in cache only a short hash instead of few | |
215 | * kilobytes. RadosGW doesn't do the local validation anymore. */ | |
7c673cae | 216 | const auto& token_id = rgw_get_token_id(token); |
11fdf7f2 | 217 | ldpp_dout(dpp, 20) << "token_id=" << token_id << dendl; |
7c673cae FG |
218 | |
219 | /* Check cache first. */ | |
220 | t = token_cache.find(token_id); | |
221 | if (t) { | |
11fdf7f2 | 222 | ldpp_dout(dpp, 20) << "cached token.project.id=" << t->get_project_id() |
7c673cae FG |
223 | << dendl; |
224 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
225 | get_creds_info(*t, roles.admin)); | |
226 | return result_t::grant(std::move(apl)); | |
227 | } | |
228 | ||
9f95a23c TL |
229 | /* Not in cache. Go to the Keystone for validation. This happens even |
230 | * for the legacy PKI/PKIz token types. That's it, after the PKI/PKIz | |
231 | * RadosGW-side validation has been removed, we always ask Keystone. */ | |
232 | t = get_from_keystone(dpp, token); | |
7c673cae FG |
233 | |
234 | if (! t) { | |
235 | return result_t::deny(-EACCES); | |
236 | } | |
237 | ||
238 | /* Verify expiration. */ | |
239 | if (t->expired()) { | |
11fdf7f2 | 240 | ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name() |
7c673cae FG |
241 | << ":" << t->get_user_name() |
242 | << " expired: " << t->get_expires() << dendl; | |
31f18b77 | 243 | return result_t::deny(-EPERM); |
7c673cae FG |
244 | } |
245 | ||
246 | /* Check for necessary roles. */ | |
247 | for (const auto& role : roles.plain) { | |
248 | if (t->has_role(role) == true) { | |
11fdf7f2 | 249 | ldpp_dout(dpp, 0) << "validated token: " << t->get_project_name() |
7c673cae FG |
250 | << ":" << t->get_user_name() |
251 | << " expires: " << t->get_expires() << dendl; | |
252 | token_cache.add(token_id, *t); | |
253 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
254 | get_creds_info(*t, roles.admin)); | |
255 | return result_t::grant(std::move(apl)); | |
256 | } | |
257 | } | |
258 | ||
11fdf7f2 TL |
259 | ldpp_dout(dpp, 0) << "user does not hold a matching role; required roles: " |
260 | << g_conf()->rgw_keystone_accepted_roles << dendl; | |
7c673cae | 261 | |
31f18b77 | 262 | return result_t::deny(-EPERM); |
7c673cae FG |
263 | } |
264 | ||
265 | ||
266 | /* | |
267 | * Try to validate S3 auth against keystone s3token interface | |
268 | */ | |
269 | std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int> | |
f67539c2 | 270 | EC2Engine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string_view& access_key_id, |
7c673cae | 271 | const std::string& string_to_sign, |
f67539c2 | 272 | const std::string_view& signature) const |
7c673cae FG |
273 | { |
274 | /* prepare keystone url */ | |
275 | std::string keystone_url = config.get_endpoint_url(); | |
276 | if (keystone_url.empty()) { | |
277 | throw -EINVAL; | |
278 | } | |
279 | ||
280 | const auto api_version = config.get_api_version(); | |
9f95a23c | 281 | if (api_version == rgw::keystone::ApiVersion::VER_3) { |
7c673cae FG |
282 | keystone_url.append("v3/s3tokens"); |
283 | } else { | |
284 | keystone_url.append("v2.0/s3tokens"); | |
285 | } | |
286 | ||
287 | /* get authentication token for Keystone. */ | |
288 | std::string admin_token; | |
20effc67 | 289 | int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
7c673cae FG |
290 | admin_token); |
291 | if (ret < 0) { | |
11fdf7f2 | 292 | ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access" |
7c673cae FG |
293 | << dendl; |
294 | throw ret; | |
295 | } | |
296 | ||
297 | using RGWValidateKeystoneToken | |
298 | = rgw::keystone::Service::RGWValidateKeystoneToken; | |
299 | ||
300 | /* The container for plain response obtained from Keystone. It will be | |
301 | * parsed token_envelope_t::parse method. */ | |
302 | ceph::bufferlist token_body_bl; | |
11fdf7f2 | 303 | RGWValidateKeystoneToken validate(cct, "POST", keystone_url, &token_body_bl); |
7c673cae FG |
304 | |
305 | /* set required headers for keystone request */ | |
306 | validate.append_header("X-Auth-Token", admin_token); | |
307 | validate.append_header("Content-Type", "application/json"); | |
308 | ||
309 | /* check if we want to verify keystone's ssl certs */ | |
310 | validate.set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl); | |
311 | ||
312 | /* create json credentials request body */ | |
313 | JSONFormatter credentials(false); | |
314 | credentials.open_object_section(""); | |
315 | credentials.open_object_section("credentials"); | |
31f18b77 | 316 | credentials.dump_string("access", sview2cstr(access_key_id).data()); |
7c673cae | 317 | credentials.dump_string("token", rgw::to_base64(string_to_sign)); |
31f18b77 | 318 | credentials.dump_string("signature", sview2cstr(signature).data()); |
7c673cae FG |
319 | credentials.close_section(); |
320 | credentials.close_section(); | |
321 | ||
322 | std::stringstream os; | |
323 | credentials.flush(os); | |
324 | validate.set_post_data(os.str()); | |
325 | validate.set_send_length(os.str().length()); | |
326 | ||
327 | /* send request */ | |
9f95a23c | 328 | ret = validate.process(null_yield); |
7c673cae | 329 | if (ret < 0) { |
11fdf7f2 | 330 | ldpp_dout(dpp, 2) << "s3 keystone: token validation ERROR: " |
7c673cae FG |
331 | << token_body_bl.c_str() << dendl; |
332 | throw ret; | |
333 | } | |
334 | ||
335 | /* if the supplied signature is wrong, we will get 401 from Keystone */ | |
336 | if (validate.get_http_status() == | |
337 | decltype(validate)::HTTP_STATUS_UNAUTHORIZED) { | |
338 | return std::make_pair(boost::none, -ERR_SIGNATURE_NO_MATCH); | |
339 | } else if (validate.get_http_status() == | |
340 | decltype(validate)::HTTP_STATUS_NOTFOUND) { | |
341 | return std::make_pair(boost::none, -ERR_INVALID_ACCESS_KEY); | |
342 | } | |
343 | ||
344 | /* now parse response */ | |
345 | rgw::keystone::TokenEnvelope token_envelope; | |
20effc67 | 346 | ret = token_envelope.parse(dpp, cct, std::string(), token_body_bl, api_version); |
7c673cae | 347 | if (ret < 0) { |
11fdf7f2 | 348 | ldpp_dout(dpp, 2) << "s3 keystone: token parsing failed, ret=0" << ret |
7c673cae FG |
349 | << dendl; |
350 | throw ret; | |
351 | } | |
352 | ||
353 | return std::make_pair(std::move(token_envelope), 0); | |
354 | } | |
355 | ||
9f95a23c TL |
356 | std::pair<boost::optional<std::string>, int> EC2Engine::get_secret_from_keystone(const DoutPrefixProvider* dpp, |
357 | const std::string& user_id, | |
f67539c2 | 358 | const std::string_view& access_key_id) const |
9f95a23c TL |
359 | { |
360 | /* Fetch from /users/{USER_ID}/credentials/OS-EC2/{ACCESS_KEY_ID} */ | |
361 | /* Should return json with response key "credential" which contains entry "secret"*/ | |
362 | ||
363 | /* prepare keystone url */ | |
364 | std::string keystone_url = config.get_endpoint_url(); | |
365 | if (keystone_url.empty()) { | |
366 | return make_pair(boost::none, -EINVAL); | |
367 | } | |
368 | ||
369 | const auto api_version = config.get_api_version(); | |
370 | if (api_version == rgw::keystone::ApiVersion::VER_3) { | |
371 | keystone_url.append("v3/"); | |
372 | } else { | |
373 | keystone_url.append("v2.0/"); | |
374 | } | |
375 | keystone_url.append("users/"); | |
376 | keystone_url.append(user_id); | |
377 | keystone_url.append("/credentials/OS-EC2/"); | |
f67539c2 | 378 | keystone_url.append(std::string(access_key_id)); |
9f95a23c TL |
379 | |
380 | /* get authentication token for Keystone. */ | |
381 | std::string admin_token; | |
20effc67 | 382 | int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
9f95a23c TL |
383 | admin_token); |
384 | if (ret < 0) { | |
385 | ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access" | |
386 | << dendl; | |
387 | return make_pair(boost::none, ret); | |
388 | } | |
389 | ||
390 | using RGWGetAccessSecret | |
391 | = rgw::keystone::Service::RGWKeystoneHTTPTransceiver; | |
392 | ||
393 | /* The container for plain response obtained from Keystone.*/ | |
394 | ceph::bufferlist token_body_bl; | |
395 | RGWGetAccessSecret secret(cct, "GET", keystone_url, &token_body_bl); | |
396 | ||
397 | /* set required headers for keystone request */ | |
398 | secret.append_header("X-Auth-Token", admin_token); | |
399 | ||
400 | /* check if we want to verify keystone's ssl certs */ | |
401 | secret.set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl); | |
402 | ||
403 | /* send request */ | |
404 | ret = secret.process(null_yield); | |
405 | if (ret < 0) { | |
406 | ldpp_dout(dpp, 2) << "s3 keystone: secret fetching error: " | |
407 | << token_body_bl.c_str() << dendl; | |
408 | return make_pair(boost::none, ret); | |
409 | } | |
410 | ||
411 | /* if the supplied signature is wrong, we will get 401 from Keystone */ | |
412 | if (secret.get_http_status() == | |
413 | decltype(secret)::HTTP_STATUS_NOTFOUND) { | |
414 | return make_pair(boost::none, -EINVAL); | |
415 | } | |
416 | ||
417 | /* now parse response */ | |
418 | ||
419 | JSONParser parser; | |
420 | if (! parser.parse(token_body_bl.c_str(), token_body_bl.length())) { | |
421 | ldpp_dout(dpp, 0) << "Keystone credential parse error: malformed json" << dendl; | |
422 | return make_pair(boost::none, -EINVAL); | |
423 | } | |
424 | ||
425 | JSONObjIter credential_iter = parser.find_first("credential"); | |
426 | std::string secret_string; | |
427 | ||
428 | try { | |
429 | if (!credential_iter.end()) { | |
430 | JSONDecoder::decode_json("secret", secret_string, *credential_iter, true); | |
431 | } else { | |
432 | ldpp_dout(dpp, 0) << "Keystone credential not present in return from server" << dendl; | |
433 | return make_pair(boost::none, -EINVAL); | |
434 | } | |
435 | } catch (const JSONDecoder::err& err) { | |
436 | ldpp_dout(dpp, 0) << "Keystone credential parse error: " << err.what() << dendl; | |
437 | return make_pair(boost::none, -EINVAL); | |
438 | } | |
439 | ||
440 | return make_pair(secret_string, 0); | |
441 | } | |
442 | ||
443 | /* | |
444 | * Try to get a token for S3 authentication, using a secret cache if available | |
445 | */ | |
446 | std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int> | |
447 | EC2Engine::get_access_token(const DoutPrefixProvider* dpp, | |
f67539c2 | 448 | const std::string_view& access_key_id, |
9f95a23c | 449 | const std::string& string_to_sign, |
f67539c2 | 450 | const std::string_view& signature, |
9f95a23c TL |
451 | const signature_factory_t& signature_factory) const |
452 | { | |
453 | using server_signature_t = VersionAbstractor::server_signature_t; | |
454 | boost::optional<rgw::keystone::TokenEnvelope> token; | |
455 | int failure_reason; | |
456 | ||
457 | /* Get a token from the cache if one has already been stored */ | |
458 | boost::optional<boost::tuple<rgw::keystone::TokenEnvelope, std::string>> | |
f67539c2 | 459 | t = secret_cache.find(std::string(access_key_id)); |
9f95a23c TL |
460 | |
461 | /* Check that credentials can correctly be used to sign data */ | |
462 | if (t) { | |
463 | std::string sig(signature); | |
464 | server_signature_t server_signature = signature_factory(cct, t->get<1>(), string_to_sign); | |
465 | if (sig.compare(server_signature) == 0) { | |
466 | return std::make_pair(t->get<0>(), 0); | |
467 | } else { | |
468 | ldpp_dout(dpp, 0) << "Secret string does not correctly sign payload, cache miss" << dendl; | |
469 | } | |
470 | } else { | |
471 | ldpp_dout(dpp, 0) << "No stored secret string, cache miss" << dendl; | |
472 | } | |
473 | ||
474 | /* No cached token, token expired, or secret invalid: fall back to keystone */ | |
475 | std::tie(token, failure_reason) = get_from_keystone(dpp, access_key_id, string_to_sign, signature); | |
476 | ||
477 | if (token) { | |
478 | /* Fetch secret from keystone for the access_key_id */ | |
479 | boost::optional<std::string> secret; | |
480 | std::tie(secret, failure_reason) = get_secret_from_keystone(dpp, token->get_user_id(), access_key_id); | |
481 | ||
482 | if (secret) { | |
483 | /* Add token, secret pair to cache, and set timeout */ | |
f67539c2 | 484 | secret_cache.add(std::string(access_key_id), *token, *secret); |
9f95a23c TL |
485 | } |
486 | } | |
487 | ||
488 | return std::make_pair(token, failure_reason); | |
489 | } | |
490 | ||
7c673cae FG |
491 | EC2Engine::acl_strategy_t |
492 | EC2Engine::get_acl_strategy(const EC2Engine::token_envelope_t&) const | |
493 | { | |
494 | /* This is based on the assumption that the default acl strategy in | |
495 | * get_perms_from_aclspec, will take care. Extra acl spec is not required. */ | |
496 | return nullptr; | |
497 | } | |
498 | ||
499 | EC2Engine::auth_info_t | |
500 | EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token, | |
501 | const std::vector<std::string>& admin_roles | |
502 | ) const noexcept | |
503 | { | |
504 | using acct_privilege_t = \ | |
505 | rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
506 | ||
507 | /* Check whether the user has an admin status. */ | |
508 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
509 | for (const auto& admin_role : admin_roles) { | |
510 | if (token.has_role(admin_role)) { | |
511 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
512 | break; | |
513 | } | |
514 | } | |
515 | ||
516 | return auth_info_t { | |
517 | /* Suggested account name for the authenticated user. */ | |
518 | rgw_user(token.get_project_id()), | |
519 | /* User's display name (aka real name). */ | |
520 | token.get_project_name(), | |
521 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
522 | * the access rights through the perm_mask. At least at this layer. */ | |
523 | RGW_PERM_FULL_CONTROL, | |
524 | level, | |
525 | TYPE_KEYSTONE, | |
526 | }; | |
527 | } | |
528 | ||
31f18b77 | 529 | rgw::auth::Engine::result_t EC2Engine::authenticate( |
11fdf7f2 | 530 | const DoutPrefixProvider* dpp, |
f67539c2 TL |
531 | const std::string_view& access_key_id, |
532 | const std::string_view& signature, | |
533 | const std::string_view& session_token, | |
31f18b77 | 534 | const string_to_sign_t& string_to_sign, |
9f95a23c | 535 | const signature_factory_t& signature_factory, |
31f18b77 FG |
536 | const completer_factory_t& completer_factory, |
537 | /* Passthorugh only! */ | |
f67539c2 TL |
538 | const req_state* s, |
539 | optional_yield y) const | |
7c673cae FG |
540 | { |
541 | /* This will be initialized on the first call to this method. In C++11 it's | |
542 | * also thread-safe. */ | |
543 | static const struct RolesCacher { | |
11fdf7f2 | 544 | explicit RolesCacher(CephContext* const cct) { |
7c673cae FG |
545 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); |
546 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
547 | ||
548 | /* Let's suppose that having an admin role implies also a regular one. */ | |
549 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
550 | } | |
551 | ||
552 | std::vector<std::string> plain; | |
553 | std::vector<std::string> admin; | |
554 | } accepted_roles(cct); | |
555 | ||
556 | boost::optional<token_envelope_t> t; | |
557 | int failure_reason; | |
558 | std::tie(t, failure_reason) = \ | |
9f95a23c | 559 | get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory); |
7c673cae FG |
560 | if (! t) { |
561 | return result_t::deny(failure_reason); | |
562 | } | |
563 | ||
564 | /* Verify expiration. */ | |
565 | if (t->expired()) { | |
11fdf7f2 | 566 | ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name() |
7c673cae FG |
567 | << ":" << t->get_user_name() |
568 | << " expired: " << t->get_expires() << dendl; | |
569 | return result_t::deny(); | |
570 | } | |
571 | ||
572 | /* check if we have a valid role */ | |
573 | bool found = false; | |
574 | for (const auto& role : accepted_roles.plain) { | |
575 | if (t->has_role(role) == true) { | |
576 | found = true; | |
577 | break; | |
578 | } | |
579 | } | |
580 | ||
581 | if (! found) { | |
11fdf7f2 | 582 | ldpp_dout(dpp, 5) << "s3 keystone: user does not hold a matching role;" |
7c673cae FG |
583 | " required roles: " |
584 | << cct->_conf->rgw_keystone_accepted_roles << dendl; | |
585 | return result_t::deny(); | |
586 | } else { | |
587 | /* everything seems fine, continue with this user */ | |
11fdf7f2 | 588 | ldpp_dout(dpp, 5) << "s3 keystone: validated token: " << t->get_project_name() |
7c673cae FG |
589 | << ":" << t->get_user_name() |
590 | << " expires: " << t->get_expires() << dendl; | |
591 | ||
592 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
593 | get_creds_info(*t, accepted_roles.admin)); | |
31f18b77 | 594 | return result_t::grant(std::move(apl), completer_factory(boost::none)); |
7c673cae FG |
595 | } |
596 | } | |
597 | ||
9f95a23c TL |
598 | bool SecretCache::find(const std::string& token_id, |
599 | SecretCache::token_envelope_t& token, | |
600 | std::string &secret) | |
601 | { | |
602 | std::lock_guard<std::mutex> l(lock); | |
603 | ||
604 | map<std::string, secret_entry>::iterator iter = secrets.find(token_id); | |
605 | if (iter == secrets.end()) { | |
606 | return false; | |
607 | } | |
608 | ||
609 | secret_entry& entry = iter->second; | |
610 | secrets_lru.erase(entry.lru_iter); | |
611 | ||
612 | const utime_t now = ceph_clock_now(); | |
613 | if (entry.token.expired() || now > entry.expires) { | |
614 | secrets.erase(iter); | |
615 | return false; | |
616 | } | |
617 | token = entry.token; | |
618 | secret = entry.secret; | |
619 | ||
620 | secrets_lru.push_front(token_id); | |
621 | entry.lru_iter = secrets_lru.begin(); | |
622 | ||
623 | return true; | |
624 | } | |
625 | ||
626 | void SecretCache::add(const std::string& token_id, | |
627 | const SecretCache::token_envelope_t& token, | |
628 | const std::string& secret) | |
629 | { | |
630 | std::lock_guard<std::mutex> l(lock); | |
631 | ||
632 | map<string, secret_entry>::iterator iter = secrets.find(token_id); | |
633 | if (iter != secrets.end()) { | |
634 | secret_entry& e = iter->second; | |
635 | secrets_lru.erase(e.lru_iter); | |
636 | } | |
637 | ||
638 | const utime_t now = ceph_clock_now(); | |
639 | secrets_lru.push_front(token_id); | |
640 | secret_entry& entry = secrets[token_id]; | |
641 | entry.token = token; | |
642 | entry.secret = secret; | |
643 | entry.expires = now + s3_token_expiry_length; | |
644 | entry.lru_iter = secrets_lru.begin(); | |
645 | ||
646 | while (secrets_lru.size() > max) { | |
647 | list<string>::reverse_iterator riter = secrets_lru.rbegin(); | |
648 | iter = secrets.find(*riter); | |
649 | assert(iter != secrets.end()); | |
650 | secrets.erase(iter); | |
651 | secrets_lru.pop_back(); | |
652 | } | |
653 | } | |
654 | ||
7c673cae FG |
655 | }; /* namespace keystone */ |
656 | }; /* namespace auth */ | |
657 | }; /* namespace rgw */ |