]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | ||
4 | #include <string> | |
5 | #include <vector> | |
6 | ||
7 | #include <errno.h> | |
8 | #include <fnmatch.h> | |
9 | ||
10 | #include "rgw_b64.h" | |
11 | ||
12 | #include "common/errno.h" | |
13 | #include "common/ceph_json.h" | |
14 | #include "include/types.h" | |
15 | #include "include/str_list.h" | |
16 | ||
17 | #include "rgw_common.h" | |
18 | #include "rgw_keystone.h" | |
19 | #include "rgw_auth_keystone.h" | |
20 | #include "rgw_keystone.h" | |
21 | #include "rgw_rest_s3.h" | |
22 | #include "rgw_auth_s3.h" | |
23 | ||
24 | #include "common/ceph_crypto_cms.h" | |
25 | #include "common/armor.h" | |
26 | #include "common/Cond.h" | |
27 | ||
28 | #define dout_subsys ceph_subsys_rgw | |
29 | ||
30 | ||
31 | namespace rgw { | |
32 | namespace auth { | |
33 | namespace keystone { | |
34 | ||
35 | bool | |
36 | TokenEngine::is_applicable(const std::string& token) const noexcept | |
37 | { | |
38 | return ! token.empty() && ! cct->_conf->rgw_keystone_url.empty(); | |
39 | } | |
40 | ||
41 | TokenEngine::token_envelope_t | |
42 | TokenEngine::decode_pki_token(const std::string& token) const | |
43 | { | |
44 | ceph::buffer::list token_body_bl; | |
45 | int ret = rgw_decode_b64_cms(cct, token, token_body_bl); | |
46 | if (ret < 0) { | |
47 | ldout(cct, 20) << "cannot decode pki token" << dendl; | |
48 | throw ret; | |
49 | } else { | |
50 | ldout(cct, 20) << "successfully decoded pki token" << dendl; | |
51 | } | |
52 | ||
53 | TokenEngine::token_envelope_t token_body; | |
54 | ret = token_body.parse(cct, token, token_body_bl, config.get_api_version()); | |
55 | if (ret < 0) { | |
56 | throw ret; | |
57 | } | |
58 | ||
59 | return token_body; | |
60 | } | |
61 | ||
62 | boost::optional<TokenEngine::token_envelope_t> | |
63 | TokenEngine::get_from_keystone(const std::string& token) const | |
64 | { | |
65 | /* Unfortunately, we can't use the short form of "using" here. It's because | |
66 | * we're aliasing a class' member, not namespace. */ | |
67 | using RGWValidateKeystoneToken = \ | |
68 | rgw::keystone::Service::RGWValidateKeystoneToken; | |
69 | ||
70 | /* The container for plain response obtained from Keystone. It will be | |
71 | * parsed token_envelope_t::parse method. */ | |
72 | ceph::bufferlist token_body_bl; | |
73 | RGWValidateKeystoneToken validate(cct, &token_body_bl); | |
74 | ||
75 | std::string url = config.get_endpoint_url(); | |
76 | if (url.empty()) { | |
77 | throw -EINVAL; | |
78 | } | |
79 | ||
80 | const auto keystone_version = config.get_api_version(); | |
81 | if (keystone_version == rgw::keystone::ApiVersion::VER_2) { | |
82 | url.append("v2.0/tokens/" + token); | |
83 | } else if (keystone_version == rgw::keystone::ApiVersion::VER_3) { | |
84 | url.append("v3/auth/tokens"); | |
85 | validate.append_header("X-Subject-Token", token); | |
86 | } | |
87 | ||
88 | std::string admin_token; | |
89 | if (rgw::keystone::Service::get_admin_token(cct, token_cache, config, | |
90 | admin_token) < 0) { | |
91 | throw -EINVAL; | |
92 | } | |
93 | ||
94 | validate.append_header("X-Auth-Token", admin_token); | |
95 | validate.set_send_length(0); | |
96 | ||
97 | int ret = validate.process(url.c_str()); | |
98 | if (ret < 0) { | |
99 | throw ret; | |
100 | } | |
101 | ||
102 | /* NULL terminate for debug output. */ | |
103 | token_body_bl.append(static_cast<char>(0)); | |
7c673cae FG |
104 | |
105 | /* Detect Keystone rejection earlier than during the token parsing. | |
106 | * Although failure at the parsing phase doesn't impose a threat, | |
107 | * this allows to return proper error code (EACCESS instead of EINVAL | |
108 | * or similar) and thus improves logging. */ | |
109 | if (validate.get_http_status() == | |
110 | /* Most likely: wrong admin credentials or admin token. */ | |
111 | RGWValidateKeystoneToken::HTTP_STATUS_UNAUTHORIZED || | |
112 | validate.get_http_status() == | |
113 | /* Most likely: non-existent token supplied by the client. */ | |
114 | RGWValidateKeystoneToken::HTTP_STATUS_NOTFOUND) { | |
b32b8144 FG |
115 | ldout(cct, 5) << "Failed keystone auth from " << url << " with " |
116 | << validate.get_http_status() << dendl; | |
7c673cae FG |
117 | return boost::none; |
118 | } | |
119 | ||
b32b8144 FG |
120 | ldout(cct, 20) << "received response status=" << validate.get_http_status() |
121 | << ", body=" << token_body_bl.c_str() << dendl; | |
122 | ||
7c673cae FG |
123 | TokenEngine::token_envelope_t token_body; |
124 | ret = token_body.parse(cct, token, token_body_bl, config.get_api_version()); | |
125 | if (ret < 0) { | |
126 | throw ret; | |
127 | } | |
128 | ||
129 | return token_body; | |
130 | } | |
131 | ||
132 | TokenEngine::auth_info_t | |
133 | TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token, | |
134 | const std::vector<std::string>& admin_roles | |
135 | ) const noexcept | |
136 | { | |
137 | using acct_privilege_t = rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
138 | ||
139 | /* Check whether the user has an admin status. */ | |
140 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
141 | for (const auto& admin_role : admin_roles) { | |
142 | if (token.has_role(admin_role)) { | |
143 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
144 | break; | |
145 | } | |
146 | } | |
147 | ||
148 | return auth_info_t { | |
149 | /* Suggested account name for the authenticated user. */ | |
150 | rgw_user(token.get_project_id()), | |
151 | /* User's display name (aka real name). */ | |
152 | token.get_project_name(), | |
153 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
154 | * the access rights through the perm_mask. At least at this layer. */ | |
155 | RGW_PERM_FULL_CONTROL, | |
156 | level, | |
157 | TYPE_KEYSTONE, | |
158 | }; | |
159 | } | |
160 | ||
161 | static inline const std::string | |
162 | make_spec_item(const std::string& tenant, const std::string& id) | |
163 | { | |
164 | return tenant + ":" + id; | |
165 | } | |
166 | ||
167 | TokenEngine::acl_strategy_t | |
168 | TokenEngine::get_acl_strategy(const TokenEngine::token_envelope_t& token) const | |
169 | { | |
170 | /* The primary identity is constructed upon UUIDs. */ | |
171 | const auto& tenant_uuid = token.get_project_id(); | |
172 | const auto& user_uuid = token.get_user_id(); | |
173 | ||
174 | /* For Keystone v2 an alias may be also used. */ | |
175 | const auto& tenant_name = token.get_project_name(); | |
176 | const auto& user_name = token.get_user_name(); | |
177 | ||
178 | /* Construct all possible combinations including Swift's wildcards. */ | |
179 | const std::array<std::string, 6> allowed_items = { | |
180 | make_spec_item(tenant_uuid, user_uuid), | |
181 | make_spec_item(tenant_name, user_name), | |
182 | ||
183 | /* Wildcards. */ | |
184 | make_spec_item(tenant_uuid, "*"), | |
185 | make_spec_item(tenant_name, "*"), | |
186 | make_spec_item("*", user_uuid), | |
187 | make_spec_item("*", user_name), | |
188 | }; | |
189 | ||
190 | /* Lambda will obtain a copy of (not a reference to!) allowed_items. */ | |
191 | return [allowed_items](const rgw::auth::Identity::aclspec_t& aclspec) { | |
192 | uint32_t perm = 0; | |
193 | ||
194 | for (const auto& allowed_item : allowed_items) { | |
195 | const auto iter = aclspec.find(allowed_item); | |
196 | ||
197 | if (std::end(aclspec) != iter) { | |
198 | perm |= iter->second; | |
199 | } | |
200 | } | |
201 | ||
202 | return perm; | |
203 | }; | |
204 | } | |
205 | ||
206 | TokenEngine::result_t | |
207 | TokenEngine::authenticate(const std::string& token, | |
208 | const req_state* const s) const | |
209 | { | |
210 | boost::optional<TokenEngine::token_envelope_t> t; | |
211 | ||
212 | /* This will be initialized on the first call to this method. In C++11 it's | |
213 | * also thread-safe. */ | |
214 | static const struct RolesCacher { | |
215 | RolesCacher(CephContext* const cct) { | |
216 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); | |
217 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
218 | ||
219 | /* Let's suppose that having an admin role implies also a regular one. */ | |
220 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
221 | } | |
222 | ||
223 | std::vector<std::string> plain; | |
224 | std::vector<std::string> admin; | |
225 | } roles(cct); | |
226 | ||
227 | if (! is_applicable(token)) { | |
228 | return result_t::deny(); | |
229 | } | |
230 | ||
231 | /* Token ID is a concept that makes dealing with PKI tokens more effective. | |
232 | * Instead of storing several kilobytes, a short hash can be burried. */ | |
233 | const auto& token_id = rgw_get_token_id(token); | |
234 | ldout(cct, 20) << "token_id=" << token_id << dendl; | |
235 | ||
236 | /* Check cache first. */ | |
237 | t = token_cache.find(token_id); | |
238 | if (t) { | |
239 | ldout(cct, 20) << "cached token.project.id=" << t->get_project_id() | |
240 | << dendl; | |
241 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
242 | get_creds_info(*t, roles.admin)); | |
243 | return result_t::grant(std::move(apl)); | |
244 | } | |
245 | ||
246 | /* Retrieve token. */ | |
247 | if (rgw_is_pki_token(token)) { | |
248 | try { | |
249 | t = decode_pki_token(token); | |
250 | } catch (...) { | |
251 | /* Last resort. */ | |
252 | t = get_from_keystone(token); | |
253 | } | |
254 | } else { | |
255 | /* Can't decode, just go to the Keystone server for validation. */ | |
256 | t = get_from_keystone(token); | |
257 | } | |
258 | ||
259 | if (! t) { | |
260 | return result_t::deny(-EACCES); | |
261 | } | |
262 | ||
263 | /* Verify expiration. */ | |
264 | if (t->expired()) { | |
265 | ldout(cct, 0) << "got expired token: " << t->get_project_name() | |
266 | << ":" << t->get_user_name() | |
267 | << " expired: " << t->get_expires() << dendl; | |
31f18b77 | 268 | return result_t::deny(-EPERM); |
7c673cae FG |
269 | } |
270 | ||
271 | /* Check for necessary roles. */ | |
272 | for (const auto& role : roles.plain) { | |
273 | if (t->has_role(role) == true) { | |
274 | ldout(cct, 0) << "validated token: " << t->get_project_name() | |
275 | << ":" << t->get_user_name() | |
276 | << " expires: " << t->get_expires() << dendl; | |
277 | token_cache.add(token_id, *t); | |
278 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
279 | get_creds_info(*t, roles.admin)); | |
280 | return result_t::grant(std::move(apl)); | |
281 | } | |
282 | } | |
283 | ||
284 | ldout(cct, 0) << "user does not hold a matching role; required roles: " | |
285 | << g_conf->rgw_keystone_accepted_roles << dendl; | |
286 | ||
31f18b77 | 287 | return result_t::deny(-EPERM); |
7c673cae FG |
288 | } |
289 | ||
290 | ||
291 | /* | |
292 | * Try to validate S3 auth against keystone s3token interface | |
293 | */ | |
294 | std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int> | |
31f18b77 | 295 | EC2Engine::get_from_keystone(const boost::string_view& access_key_id, |
7c673cae | 296 | const std::string& string_to_sign, |
31f18b77 | 297 | const boost::string_view& signature) const |
7c673cae FG |
298 | { |
299 | /* prepare keystone url */ | |
300 | std::string keystone_url = config.get_endpoint_url(); | |
301 | if (keystone_url.empty()) { | |
302 | throw -EINVAL; | |
303 | } | |
304 | ||
305 | const auto api_version = config.get_api_version(); | |
306 | if (config.get_api_version() == rgw::keystone::ApiVersion::VER_3) { | |
307 | keystone_url.append("v3/s3tokens"); | |
308 | } else { | |
309 | keystone_url.append("v2.0/s3tokens"); | |
310 | } | |
311 | ||
312 | /* get authentication token for Keystone. */ | |
313 | std::string admin_token; | |
314 | int ret = rgw::keystone::Service::get_admin_token(cct, token_cache, config, | |
315 | admin_token); | |
316 | if (ret < 0) { | |
317 | ldout(cct, 2) << "s3 keystone: cannot get token for keystone access" | |
318 | << dendl; | |
319 | throw ret; | |
320 | } | |
321 | ||
322 | using RGWValidateKeystoneToken | |
323 | = rgw::keystone::Service::RGWValidateKeystoneToken; | |
324 | ||
325 | /* The container for plain response obtained from Keystone. It will be | |
326 | * parsed token_envelope_t::parse method. */ | |
327 | ceph::bufferlist token_body_bl; | |
328 | RGWValidateKeystoneToken validate(cct, &token_body_bl); | |
329 | ||
330 | /* set required headers for keystone request */ | |
331 | validate.append_header("X-Auth-Token", admin_token); | |
332 | validate.append_header("Content-Type", "application/json"); | |
333 | ||
334 | /* check if we want to verify keystone's ssl certs */ | |
335 | validate.set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl); | |
336 | ||
337 | /* create json credentials request body */ | |
338 | JSONFormatter credentials(false); | |
339 | credentials.open_object_section(""); | |
340 | credentials.open_object_section("credentials"); | |
31f18b77 | 341 | credentials.dump_string("access", sview2cstr(access_key_id).data()); |
7c673cae | 342 | credentials.dump_string("token", rgw::to_base64(string_to_sign)); |
31f18b77 | 343 | credentials.dump_string("signature", sview2cstr(signature).data()); |
7c673cae FG |
344 | credentials.close_section(); |
345 | credentials.close_section(); | |
346 | ||
347 | std::stringstream os; | |
348 | credentials.flush(os); | |
349 | validate.set_post_data(os.str()); | |
350 | validate.set_send_length(os.str().length()); | |
351 | ||
352 | /* send request */ | |
353 | ret = validate.process("POST", keystone_url.c_str()); | |
354 | if (ret < 0) { | |
355 | ldout(cct, 2) << "s3 keystone: token validation ERROR: " | |
356 | << token_body_bl.c_str() << dendl; | |
357 | throw ret; | |
358 | } | |
359 | ||
360 | /* if the supplied signature is wrong, we will get 401 from Keystone */ | |
361 | if (validate.get_http_status() == | |
362 | decltype(validate)::HTTP_STATUS_UNAUTHORIZED) { | |
363 | return std::make_pair(boost::none, -ERR_SIGNATURE_NO_MATCH); | |
364 | } else if (validate.get_http_status() == | |
365 | decltype(validate)::HTTP_STATUS_NOTFOUND) { | |
366 | return std::make_pair(boost::none, -ERR_INVALID_ACCESS_KEY); | |
367 | } | |
368 | ||
369 | /* now parse response */ | |
370 | rgw::keystone::TokenEnvelope token_envelope; | |
371 | ret = token_envelope.parse(cct, std::string(), token_body_bl, api_version); | |
372 | if (ret < 0) { | |
373 | ldout(cct, 2) << "s3 keystone: token parsing failed, ret=0" << ret | |
374 | << dendl; | |
375 | throw ret; | |
376 | } | |
377 | ||
378 | return std::make_pair(std::move(token_envelope), 0); | |
379 | } | |
380 | ||
381 | EC2Engine::acl_strategy_t | |
382 | EC2Engine::get_acl_strategy(const EC2Engine::token_envelope_t&) const | |
383 | { | |
384 | /* This is based on the assumption that the default acl strategy in | |
385 | * get_perms_from_aclspec, will take care. Extra acl spec is not required. */ | |
386 | return nullptr; | |
387 | } | |
388 | ||
389 | EC2Engine::auth_info_t | |
390 | EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token, | |
391 | const std::vector<std::string>& admin_roles | |
392 | ) const noexcept | |
393 | { | |
394 | using acct_privilege_t = \ | |
395 | rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
396 | ||
397 | /* Check whether the user has an admin status. */ | |
398 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
399 | for (const auto& admin_role : admin_roles) { | |
400 | if (token.has_role(admin_role)) { | |
401 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
402 | break; | |
403 | } | |
404 | } | |
405 | ||
406 | return auth_info_t { | |
407 | /* Suggested account name for the authenticated user. */ | |
408 | rgw_user(token.get_project_id()), | |
409 | /* User's display name (aka real name). */ | |
410 | token.get_project_name(), | |
411 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
412 | * the access rights through the perm_mask. At least at this layer. */ | |
413 | RGW_PERM_FULL_CONTROL, | |
414 | level, | |
415 | TYPE_KEYSTONE, | |
416 | }; | |
417 | } | |
418 | ||
31f18b77 FG |
419 | rgw::auth::Engine::result_t EC2Engine::authenticate( |
420 | const boost::string_view& access_key_id, | |
421 | const boost::string_view& signature, | |
422 | const string_to_sign_t& string_to_sign, | |
423 | const signature_factory_t&, | |
424 | const completer_factory_t& completer_factory, | |
425 | /* Passthorugh only! */ | |
426 | const req_state* s) const | |
7c673cae FG |
427 | { |
428 | /* This will be initialized on the first call to this method. In C++11 it's | |
429 | * also thread-safe. */ | |
430 | static const struct RolesCacher { | |
431 | RolesCacher(CephContext* const cct) { | |
432 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); | |
433 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
434 | ||
435 | /* Let's suppose that having an admin role implies also a regular one. */ | |
436 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
437 | } | |
438 | ||
439 | std::vector<std::string> plain; | |
440 | std::vector<std::string> admin; | |
441 | } accepted_roles(cct); | |
442 | ||
443 | boost::optional<token_envelope_t> t; | |
444 | int failure_reason; | |
445 | std::tie(t, failure_reason) = \ | |
446 | get_from_keystone(access_key_id, string_to_sign, signature); | |
447 | if (! t) { | |
448 | return result_t::deny(failure_reason); | |
449 | } | |
450 | ||
451 | /* Verify expiration. */ | |
452 | if (t->expired()) { | |
453 | ldout(cct, 0) << "got expired token: " << t->get_project_name() | |
454 | << ":" << t->get_user_name() | |
455 | << " expired: " << t->get_expires() << dendl; | |
456 | return result_t::deny(); | |
457 | } | |
458 | ||
459 | /* check if we have a valid role */ | |
460 | bool found = false; | |
461 | for (const auto& role : accepted_roles.plain) { | |
462 | if (t->has_role(role) == true) { | |
463 | found = true; | |
464 | break; | |
465 | } | |
466 | } | |
467 | ||
468 | if (! found) { | |
469 | ldout(cct, 5) << "s3 keystone: user does not hold a matching role;" | |
470 | " required roles: " | |
471 | << cct->_conf->rgw_keystone_accepted_roles << dendl; | |
472 | return result_t::deny(); | |
473 | } else { | |
474 | /* everything seems fine, continue with this user */ | |
475 | ldout(cct, 5) << "s3 keystone: validated token: " << t->get_project_name() | |
476 | << ":" << t->get_user_name() | |
477 | << " expires: " << t->get_expires() << dendl; | |
478 | ||
479 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
480 | get_creds_info(*t, accepted_roles.admin)); | |
31f18b77 | 481 | return result_t::grant(std::move(apl), completer_factory(boost::none)); |
7c673cae FG |
482 | } |
483 | } | |
484 | ||
485 | }; /* namespace keystone */ | |
486 | }; /* namespace auth */ | |
487 | }; /* namespace rgw */ |