]>
Commit | Line | Data |
---|---|---|
7c673cae | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
7c673cae FG |
3 | |
4 | #include <string> | |
5 | #include <vector> | |
6 | ||
7 | #include <errno.h> | |
8 | #include <fnmatch.h> | |
9 | ||
10 | #include "rgw_b64.h" | |
11 | ||
12 | #include "common/errno.h" | |
13 | #include "common/ceph_json.h" | |
14 | #include "include/types.h" | |
15 | #include "include/str_list.h" | |
16 | ||
17 | #include "rgw_common.h" | |
18 | #include "rgw_keystone.h" | |
19 | #include "rgw_auth_keystone.h" | |
7c673cae FG |
20 | #include "rgw_rest_s3.h" |
21 | #include "rgw_auth_s3.h" | |
22 | ||
9f95a23c | 23 | #include "common/ceph_crypto.h" |
7c673cae FG |
24 | #include "common/Cond.h" |
25 | ||
26 | #define dout_subsys ceph_subsys_rgw | |
27 | ||
20effc67 | 28 | using namespace std; |
7c673cae FG |
29 | |
30 | namespace rgw { | |
31 | namespace auth { | |
32 | namespace keystone { | |
33 | ||
34 | bool | |
35 | TokenEngine::is_applicable(const std::string& token) const noexcept | |
36 | { | |
37 | return ! token.empty() && ! cct->_conf->rgw_keystone_url.empty(); | |
38 | } | |
39 | ||
7c673cae | 40 | boost::optional<TokenEngine::token_envelope_t> |
1e59de90 | 41 | TokenEngine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string& token, bool allow_expired) const |
7c673cae FG |
42 | { |
43 | /* Unfortunately, we can't use the short form of "using" here. It's because | |
44 | * we're aliasing a class' member, not namespace. */ | |
45 | using RGWValidateKeystoneToken = \ | |
46 | rgw::keystone::Service::RGWValidateKeystoneToken; | |
47 | ||
48 | /* The container for plain response obtained from Keystone. It will be | |
49 | * parsed token_envelope_t::parse method. */ | |
50 | ceph::bufferlist token_body_bl; | |
11fdf7f2 | 51 | RGWValidateKeystoneToken validate(cct, "GET", "", &token_body_bl); |
7c673cae FG |
52 | |
53 | std::string url = config.get_endpoint_url(); | |
54 | if (url.empty()) { | |
55 | throw -EINVAL; | |
56 | } | |
57 | ||
58 | const auto keystone_version = config.get_api_version(); | |
59 | if (keystone_version == rgw::keystone::ApiVersion::VER_2) { | |
60 | url.append("v2.0/tokens/" + token); | |
61 | } else if (keystone_version == rgw::keystone::ApiVersion::VER_3) { | |
62 | url.append("v3/auth/tokens"); | |
1e59de90 TL |
63 | |
64 | if (allow_expired) { | |
65 | url.append("?allow_expired=1"); | |
66 | } | |
67 | ||
7c673cae FG |
68 | validate.append_header("X-Subject-Token", token); |
69 | } | |
70 | ||
71 | std::string admin_token; | |
20effc67 | 72 | if (rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
7c673cae FG |
73 | admin_token) < 0) { |
74 | throw -EINVAL; | |
75 | } | |
76 | ||
77 | validate.append_header("X-Auth-Token", admin_token); | |
78 | validate.set_send_length(0); | |
79 | ||
11fdf7f2 TL |
80 | validate.set_url(url); |
81 | ||
9f95a23c | 82 | int ret = validate.process(null_yield); |
7c673cae FG |
83 | |
84 | /* NULL terminate for debug output. */ | |
85 | token_body_bl.append(static_cast<char>(0)); | |
7c673cae FG |
86 | |
87 | /* Detect Keystone rejection earlier than during the token parsing. | |
88 | * Although failure at the parsing phase doesn't impose a threat, | |
89 | * this allows to return proper error code (EACCESS instead of EINVAL | |
90 | * or similar) and thus improves logging. */ | |
91 | if (validate.get_http_status() == | |
92 | /* Most likely: wrong admin credentials or admin token. */ | |
93 | RGWValidateKeystoneToken::HTTP_STATUS_UNAUTHORIZED || | |
94 | validate.get_http_status() == | |
95 | /* Most likely: non-existent token supplied by the client. */ | |
96 | RGWValidateKeystoneToken::HTTP_STATUS_NOTFOUND) { | |
11fdf7f2 | 97 | ldpp_dout(dpp, 5) << "Failed keystone auth from " << url << " with " |
b32b8144 | 98 | << validate.get_http_status() << dendl; |
7c673cae FG |
99 | return boost::none; |
100 | } | |
aee94f69 TL |
101 | // throw any other http or connection errors |
102 | if (ret < 0) { | |
103 | throw ret; | |
104 | } | |
7c673cae | 105 | |
11fdf7f2 | 106 | ldpp_dout(dpp, 20) << "received response status=" << validate.get_http_status() |
b32b8144 FG |
107 | << ", body=" << token_body_bl.c_str() << dendl; |
108 | ||
7c673cae | 109 | TokenEngine::token_envelope_t token_body; |
20effc67 | 110 | ret = token_body.parse(dpp, cct, token, token_body_bl, config.get_api_version()); |
7c673cae FG |
111 | if (ret < 0) { |
112 | throw ret; | |
113 | } | |
114 | ||
115 | return token_body; | |
116 | } | |
117 | ||
118 | TokenEngine::auth_info_t | |
119 | TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token, | |
120 | const std::vector<std::string>& admin_roles | |
121 | ) const noexcept | |
122 | { | |
123 | using acct_privilege_t = rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
124 | ||
125 | /* Check whether the user has an admin status. */ | |
126 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
127 | for (const auto& admin_role : admin_roles) { | |
128 | if (token.has_role(admin_role)) { | |
129 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
130 | break; | |
131 | } | |
132 | } | |
133 | ||
134 | return auth_info_t { | |
135 | /* Suggested account name for the authenticated user. */ | |
136 | rgw_user(token.get_project_id()), | |
137 | /* User's display name (aka real name). */ | |
138 | token.get_project_name(), | |
139 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
140 | * the access rights through the perm_mask. At least at this layer. */ | |
141 | RGW_PERM_FULL_CONTROL, | |
142 | level, | |
2a845540 TL |
143 | rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY, |
144 | rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER, | |
145 | TYPE_KEYSTONE | |
146 | }; | |
7c673cae FG |
147 | } |
148 | ||
149 | static inline const std::string | |
150 | make_spec_item(const std::string& tenant, const std::string& id) | |
151 | { | |
152 | return tenant + ":" + id; | |
153 | } | |
154 | ||
155 | TokenEngine::acl_strategy_t | |
156 | TokenEngine::get_acl_strategy(const TokenEngine::token_envelope_t& token) const | |
157 | { | |
158 | /* The primary identity is constructed upon UUIDs. */ | |
159 | const auto& tenant_uuid = token.get_project_id(); | |
160 | const auto& user_uuid = token.get_user_id(); | |
161 | ||
162 | /* For Keystone v2 an alias may be also used. */ | |
163 | const auto& tenant_name = token.get_project_name(); | |
164 | const auto& user_name = token.get_user_name(); | |
165 | ||
166 | /* Construct all possible combinations including Swift's wildcards. */ | |
167 | const std::array<std::string, 6> allowed_items = { | |
168 | make_spec_item(tenant_uuid, user_uuid), | |
169 | make_spec_item(tenant_name, user_name), | |
170 | ||
171 | /* Wildcards. */ | |
172 | make_spec_item(tenant_uuid, "*"), | |
173 | make_spec_item(tenant_name, "*"), | |
174 | make_spec_item("*", user_uuid), | |
175 | make_spec_item("*", user_name), | |
176 | }; | |
177 | ||
178 | /* Lambda will obtain a copy of (not a reference to!) allowed_items. */ | |
179 | return [allowed_items](const rgw::auth::Identity::aclspec_t& aclspec) { | |
180 | uint32_t perm = 0; | |
181 | ||
182 | for (const auto& allowed_item : allowed_items) { | |
183 | const auto iter = aclspec.find(allowed_item); | |
184 | ||
185 | if (std::end(aclspec) != iter) { | |
186 | perm |= iter->second; | |
187 | } | |
188 | } | |
189 | ||
190 | return perm; | |
191 | }; | |
192 | } | |
193 | ||
194 | TokenEngine::result_t | |
11fdf7f2 TL |
195 | TokenEngine::authenticate(const DoutPrefixProvider* dpp, |
196 | const std::string& token, | |
1e59de90 | 197 | const std::string& service_token, |
7c673cae FG |
198 | const req_state* const s) const |
199 | { | |
1e59de90 | 200 | bool allow_expired = false; |
7c673cae FG |
201 | boost::optional<TokenEngine::token_envelope_t> t; |
202 | ||
203 | /* This will be initialized on the first call to this method. In C++11 it's | |
204 | * also thread-safe. */ | |
205 | static const struct RolesCacher { | |
11fdf7f2 | 206 | explicit RolesCacher(CephContext* const cct) { |
7c673cae FG |
207 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); |
208 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
209 | ||
210 | /* Let's suppose that having an admin role implies also a regular one. */ | |
211 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
212 | } | |
213 | ||
214 | std::vector<std::string> plain; | |
215 | std::vector<std::string> admin; | |
216 | } roles(cct); | |
217 | ||
1e59de90 TL |
218 | static const struct ServiceTokenRolesCacher { |
219 | explicit ServiceTokenRolesCacher(CephContext* const cct) { | |
220 | get_str_vec(cct->_conf->rgw_keystone_service_token_accepted_roles, plain); | |
221 | } | |
222 | ||
223 | std::vector<std::string> plain; | |
224 | } service_token_roles(cct); | |
225 | ||
7c673cae FG |
226 | if (! is_applicable(token)) { |
227 | return result_t::deny(); | |
228 | } | |
229 | ||
9f95a23c TL |
230 | /* Token ID is a legacy of supporting the service-side validation |
231 | * of PKI/PKIz token type which are already-removed-in-OpenStack. | |
232 | * The idea was to bury in cache only a short hash instead of few | |
233 | * kilobytes. RadosGW doesn't do the local validation anymore. */ | |
7c673cae | 234 | const auto& token_id = rgw_get_token_id(token); |
11fdf7f2 | 235 | ldpp_dout(dpp, 20) << "token_id=" << token_id << dendl; |
7c673cae FG |
236 | |
237 | /* Check cache first. */ | |
238 | t = token_cache.find(token_id); | |
239 | if (t) { | |
11fdf7f2 | 240 | ldpp_dout(dpp, 20) << "cached token.project.id=" << t->get_project_id() |
7c673cae FG |
241 | << dendl; |
242 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
243 | get_creds_info(*t, roles.admin)); | |
244 | return result_t::grant(std::move(apl)); | |
245 | } | |
246 | ||
1e59de90 TL |
247 | /* We have a service token and a token so we verify the service |
248 | * token and if it's invalid the request is invalid. If it's valid | |
249 | * we allow an expired token to be used when doing lookup in Keystone. | |
250 | * We never get to this if the token is in the cache. */ | |
251 | if (g_conf()->rgw_keystone_service_token_enabled && ! service_token.empty()) { | |
252 | boost::optional<TokenEngine::token_envelope_t> st; | |
253 | ||
254 | const auto& service_token_id = rgw_get_token_id(service_token); | |
255 | ldpp_dout(dpp, 20) << "service_token_id=" << service_token_id << dendl; | |
256 | ||
257 | /* Check cache for service token first. */ | |
258 | st = token_cache.find_service(service_token_id); | |
259 | if (st) { | |
260 | ldpp_dout(dpp, 20) << "cached service_token.project.id=" << st->get_project_id() | |
261 | << dendl; | |
262 | ||
263 | /* We found the service token in the cache so we allow using an expired | |
264 | * token for this request. */ | |
265 | allow_expired = true; | |
266 | ldpp_dout(dpp, 20) << "allowing expired tokens because service_token_id=" | |
267 | << service_token_id | |
268 | << " was found in cache" << dendl; | |
269 | } else { | |
270 | /* Service token was not found in cache. Go to Keystone for validating | |
271 | * the token. The allow_expired here must always be false. */ | |
272 | ceph_assert(allow_expired == false); | |
273 | st = get_from_keystone(dpp, service_token, allow_expired); | |
274 | ||
275 | if (! st) { | |
276 | return result_t::deny(-EACCES); | |
277 | } | |
278 | ||
279 | /* Verify expiration of service token. */ | |
280 | if (st->expired()) { | |
281 | ldpp_dout(dpp, 0) << "got expired service token: " << st->get_project_name() | |
282 | << ":" << st->get_user_name() | |
283 | << " expired " << st->get_expires() << dendl; | |
284 | return result_t::deny(-EPERM); | |
285 | } | |
286 | ||
287 | /* Check for necessary roles for service token. */ | |
288 | for (const auto& role : service_token_roles.plain) { | |
289 | if (st->has_role(role) == true) { | |
290 | /* Service token is valid so we allow using an expired token for | |
291 | * this request. */ | |
292 | ldpp_dout(dpp, 20) << "allowing expired tokens because service_token_id=" | |
293 | << service_token_id | |
294 | << " is valid, role: " | |
295 | << role << dendl; | |
296 | allow_expired = true; | |
297 | token_cache.add_service(service_token_id, *st); | |
298 | break; | |
299 | } | |
300 | } | |
301 | ||
302 | if (!allow_expired) { | |
303 | ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: " | |
304 | << g_conf()->rgw_keystone_service_token_accepted_roles << dendl; | |
305 | return result_t::deny(-EPERM); | |
306 | } | |
307 | } | |
308 | } | |
309 | ||
310 | /* Token not in cache. Go to the Keystone for validation. This happens even | |
9f95a23c TL |
311 | * for the legacy PKI/PKIz token types. That's it, after the PKI/PKIz |
312 | * RadosGW-side validation has been removed, we always ask Keystone. */ | |
1e59de90 | 313 | t = get_from_keystone(dpp, token, allow_expired); |
7c673cae FG |
314 | |
315 | if (! t) { | |
316 | return result_t::deny(-EACCES); | |
317 | } | |
318 | ||
319 | /* Verify expiration. */ | |
320 | if (t->expired()) { | |
1e59de90 TL |
321 | if (allow_expired) { |
322 | ldpp_dout(dpp, 20) << "allowing expired token: " << t->get_project_name() | |
323 | << ":" << t->get_user_name() | |
324 | << " expired: " << t->get_expires() | |
325 | << " because of valid service token" << dendl; | |
326 | } else { | |
327 | ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name() | |
328 | << ":" << t->get_user_name() | |
329 | << " expired: " << t->get_expires() << dendl; | |
330 | return result_t::deny(-EPERM); | |
331 | } | |
7c673cae FG |
332 | } |
333 | ||
334 | /* Check for necessary roles. */ | |
335 | for (const auto& role : roles.plain) { | |
336 | if (t->has_role(role) == true) { | |
1e59de90 TL |
337 | /* If this token was an allowed expired token because we got a |
338 | * service token we need to update the expiration before we cache it. */ | |
339 | if (allow_expired) { | |
340 | time_t now = ceph_clock_now().sec(); | |
341 | time_t new_expires = now + g_conf()->rgw_keystone_expired_token_cache_expiration; | |
342 | ldpp_dout(dpp, 20) << "updating expiration of allowed expired token" | |
343 | << " from old " << t->get_expires() << " to now " << now << " + " | |
344 | << g_conf()->rgw_keystone_expired_token_cache_expiration | |
345 | << " secs = " | |
346 | << new_expires << dendl; | |
347 | t->set_expires(new_expires); | |
348 | } | |
11fdf7f2 | 349 | ldpp_dout(dpp, 0) << "validated token: " << t->get_project_name() |
7c673cae FG |
350 | << ":" << t->get_user_name() |
351 | << " expires: " << t->get_expires() << dendl; | |
352 | token_cache.add(token_id, *t); | |
353 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
354 | get_creds_info(*t, roles.admin)); | |
355 | return result_t::grant(std::move(apl)); | |
356 | } | |
357 | } | |
358 | ||
11fdf7f2 TL |
359 | ldpp_dout(dpp, 0) << "user does not hold a matching role; required roles: " |
360 | << g_conf()->rgw_keystone_accepted_roles << dendl; | |
7c673cae | 361 | |
31f18b77 | 362 | return result_t::deny(-EPERM); |
7c673cae FG |
363 | } |
364 | ||
365 | ||
366 | /* | |
367 | * Try to validate S3 auth against keystone s3token interface | |
368 | */ | |
369 | std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int> | |
f67539c2 | 370 | EC2Engine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string_view& access_key_id, |
7c673cae | 371 | const std::string& string_to_sign, |
f67539c2 | 372 | const std::string_view& signature) const |
7c673cae FG |
373 | { |
374 | /* prepare keystone url */ | |
375 | std::string keystone_url = config.get_endpoint_url(); | |
376 | if (keystone_url.empty()) { | |
377 | throw -EINVAL; | |
378 | } | |
379 | ||
380 | const auto api_version = config.get_api_version(); | |
9f95a23c | 381 | if (api_version == rgw::keystone::ApiVersion::VER_3) { |
7c673cae FG |
382 | keystone_url.append("v3/s3tokens"); |
383 | } else { | |
384 | keystone_url.append("v2.0/s3tokens"); | |
385 | } | |
386 | ||
387 | /* get authentication token for Keystone. */ | |
388 | std::string admin_token; | |
20effc67 | 389 | int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
7c673cae FG |
390 | admin_token); |
391 | if (ret < 0) { | |
11fdf7f2 | 392 | ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access" |
7c673cae FG |
393 | << dendl; |
394 | throw ret; | |
395 | } | |
396 | ||
397 | using RGWValidateKeystoneToken | |
398 | = rgw::keystone::Service::RGWValidateKeystoneToken; | |
399 | ||
400 | /* The container for plain response obtained from Keystone. It will be | |
401 | * parsed token_envelope_t::parse method. */ | |
402 | ceph::bufferlist token_body_bl; | |
11fdf7f2 | 403 | RGWValidateKeystoneToken validate(cct, "POST", keystone_url, &token_body_bl); |
7c673cae FG |
404 | |
405 | /* set required headers for keystone request */ | |
406 | validate.append_header("X-Auth-Token", admin_token); | |
407 | validate.append_header("Content-Type", "application/json"); | |
408 | ||
409 | /* check if we want to verify keystone's ssl certs */ | |
410 | validate.set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl); | |
411 | ||
412 | /* create json credentials request body */ | |
413 | JSONFormatter credentials(false); | |
414 | credentials.open_object_section(""); | |
415 | credentials.open_object_section("credentials"); | |
31f18b77 | 416 | credentials.dump_string("access", sview2cstr(access_key_id).data()); |
7c673cae | 417 | credentials.dump_string("token", rgw::to_base64(string_to_sign)); |
31f18b77 | 418 | credentials.dump_string("signature", sview2cstr(signature).data()); |
7c673cae FG |
419 | credentials.close_section(); |
420 | credentials.close_section(); | |
421 | ||
422 | std::stringstream os; | |
423 | credentials.flush(os); | |
424 | validate.set_post_data(os.str()); | |
425 | validate.set_send_length(os.str().length()); | |
426 | ||
427 | /* send request */ | |
9f95a23c | 428 | ret = validate.process(null_yield); |
7c673cae FG |
429 | |
430 | /* if the supplied signature is wrong, we will get 401 from Keystone */ | |
431 | if (validate.get_http_status() == | |
432 | decltype(validate)::HTTP_STATUS_UNAUTHORIZED) { | |
433 | return std::make_pair(boost::none, -ERR_SIGNATURE_NO_MATCH); | |
434 | } else if (validate.get_http_status() == | |
435 | decltype(validate)::HTTP_STATUS_NOTFOUND) { | |
436 | return std::make_pair(boost::none, -ERR_INVALID_ACCESS_KEY); | |
437 | } | |
aee94f69 TL |
438 | // throw any other http or connection errors |
439 | if (ret < 0) { | |
440 | ldpp_dout(dpp, 2) << "s3 keystone: token validation ERROR: " | |
441 | << token_body_bl.c_str() << dendl; | |
442 | throw ret; | |
443 | } | |
7c673cae FG |
444 | |
445 | /* now parse response */ | |
446 | rgw::keystone::TokenEnvelope token_envelope; | |
20effc67 | 447 | ret = token_envelope.parse(dpp, cct, std::string(), token_body_bl, api_version); |
7c673cae | 448 | if (ret < 0) { |
11fdf7f2 | 449 | ldpp_dout(dpp, 2) << "s3 keystone: token parsing failed, ret=0" << ret |
7c673cae FG |
450 | << dendl; |
451 | throw ret; | |
452 | } | |
453 | ||
454 | return std::make_pair(std::move(token_envelope), 0); | |
455 | } | |
456 | ||
9f95a23c TL |
457 | std::pair<boost::optional<std::string>, int> EC2Engine::get_secret_from_keystone(const DoutPrefixProvider* dpp, |
458 | const std::string& user_id, | |
f67539c2 | 459 | const std::string_view& access_key_id) const |
9f95a23c TL |
460 | { |
461 | /* Fetch from /users/{USER_ID}/credentials/OS-EC2/{ACCESS_KEY_ID} */ | |
462 | /* Should return json with response key "credential" which contains entry "secret"*/ | |
463 | ||
464 | /* prepare keystone url */ | |
465 | std::string keystone_url = config.get_endpoint_url(); | |
466 | if (keystone_url.empty()) { | |
467 | return make_pair(boost::none, -EINVAL); | |
468 | } | |
469 | ||
470 | const auto api_version = config.get_api_version(); | |
471 | if (api_version == rgw::keystone::ApiVersion::VER_3) { | |
472 | keystone_url.append("v3/"); | |
473 | } else { | |
474 | keystone_url.append("v2.0/"); | |
475 | } | |
476 | keystone_url.append("users/"); | |
477 | keystone_url.append(user_id); | |
478 | keystone_url.append("/credentials/OS-EC2/"); | |
f67539c2 | 479 | keystone_url.append(std::string(access_key_id)); |
9f95a23c TL |
480 | |
481 | /* get authentication token for Keystone. */ | |
482 | std::string admin_token; | |
20effc67 | 483 | int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config, |
9f95a23c TL |
484 | admin_token); |
485 | if (ret < 0) { | |
486 | ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access" | |
487 | << dendl; | |
488 | return make_pair(boost::none, ret); | |
489 | } | |
490 | ||
491 | using RGWGetAccessSecret | |
492 | = rgw::keystone::Service::RGWKeystoneHTTPTransceiver; | |
493 | ||
494 | /* The container for plain response obtained from Keystone.*/ | |
495 | ceph::bufferlist token_body_bl; | |
496 | RGWGetAccessSecret secret(cct, "GET", keystone_url, &token_body_bl); | |
497 | ||
498 | /* set required headers for keystone request */ | |
499 | secret.append_header("X-Auth-Token", admin_token); | |
500 | ||
501 | /* check if we want to verify keystone's ssl certs */ | |
502 | secret.set_verify_ssl(cct->_conf->rgw_keystone_verify_ssl); | |
503 | ||
504 | /* send request */ | |
505 | ret = secret.process(null_yield); | |
aee94f69 TL |
506 | |
507 | /* if the supplied access key isn't found, we will get 404 from Keystone */ | |
508 | if (secret.get_http_status() == | |
509 | decltype(secret)::HTTP_STATUS_NOTFOUND) { | |
510 | return make_pair(boost::none, -ERR_INVALID_ACCESS_KEY); | |
511 | } | |
512 | // return any other http or connection errors | |
9f95a23c TL |
513 | if (ret < 0) { |
514 | ldpp_dout(dpp, 2) << "s3 keystone: secret fetching error: " | |
515 | << token_body_bl.c_str() << dendl; | |
516 | return make_pair(boost::none, ret); | |
517 | } | |
518 | ||
9f95a23c TL |
519 | /* now parse response */ |
520 | ||
521 | JSONParser parser; | |
522 | if (! parser.parse(token_body_bl.c_str(), token_body_bl.length())) { | |
523 | ldpp_dout(dpp, 0) << "Keystone credential parse error: malformed json" << dendl; | |
524 | return make_pair(boost::none, -EINVAL); | |
525 | } | |
526 | ||
527 | JSONObjIter credential_iter = parser.find_first("credential"); | |
528 | std::string secret_string; | |
529 | ||
530 | try { | |
531 | if (!credential_iter.end()) { | |
532 | JSONDecoder::decode_json("secret", secret_string, *credential_iter, true); | |
533 | } else { | |
534 | ldpp_dout(dpp, 0) << "Keystone credential not present in return from server" << dendl; | |
535 | return make_pair(boost::none, -EINVAL); | |
536 | } | |
537 | } catch (const JSONDecoder::err& err) { | |
538 | ldpp_dout(dpp, 0) << "Keystone credential parse error: " << err.what() << dendl; | |
539 | return make_pair(boost::none, -EINVAL); | |
540 | } | |
541 | ||
542 | return make_pair(secret_string, 0); | |
543 | } | |
544 | ||
545 | /* | |
546 | * Try to get a token for S3 authentication, using a secret cache if available | |
547 | */ | |
1e59de90 TL |
548 | auto EC2Engine::get_access_token(const DoutPrefixProvider* dpp, |
549 | const std::string_view& access_key_id, | |
550 | const std::string& string_to_sign, | |
551 | const std::string_view& signature, | |
552 | const signature_factory_t& signature_factory) const | |
553 | -> access_token_result | |
9f95a23c TL |
554 | { |
555 | using server_signature_t = VersionAbstractor::server_signature_t; | |
556 | boost::optional<rgw::keystone::TokenEnvelope> token; | |
1e59de90 | 557 | boost::optional<std::string> secret; |
9f95a23c TL |
558 | int failure_reason; |
559 | ||
560 | /* Get a token from the cache if one has already been stored */ | |
561 | boost::optional<boost::tuple<rgw::keystone::TokenEnvelope, std::string>> | |
f67539c2 | 562 | t = secret_cache.find(std::string(access_key_id)); |
9f95a23c TL |
563 | |
564 | /* Check that credentials can correctly be used to sign data */ | |
565 | if (t) { | |
566 | std::string sig(signature); | |
567 | server_signature_t server_signature = signature_factory(cct, t->get<1>(), string_to_sign); | |
568 | if (sig.compare(server_signature) == 0) { | |
1e59de90 | 569 | return {t->get<0>(), t->get<1>(), 0}; |
9f95a23c TL |
570 | } else { |
571 | ldpp_dout(dpp, 0) << "Secret string does not correctly sign payload, cache miss" << dendl; | |
572 | } | |
573 | } else { | |
574 | ldpp_dout(dpp, 0) << "No stored secret string, cache miss" << dendl; | |
575 | } | |
576 | ||
577 | /* No cached token, token expired, or secret invalid: fall back to keystone */ | |
578 | std::tie(token, failure_reason) = get_from_keystone(dpp, access_key_id, string_to_sign, signature); | |
579 | ||
580 | if (token) { | |
581 | /* Fetch secret from keystone for the access_key_id */ | |
1e59de90 TL |
582 | std::tie(secret, failure_reason) = |
583 | get_secret_from_keystone(dpp, token->get_user_id(), access_key_id); | |
9f95a23c TL |
584 | |
585 | if (secret) { | |
586 | /* Add token, secret pair to cache, and set timeout */ | |
f67539c2 | 587 | secret_cache.add(std::string(access_key_id), *token, *secret); |
9f95a23c TL |
588 | } |
589 | } | |
590 | ||
1e59de90 | 591 | return {token, secret, failure_reason}; |
9f95a23c TL |
592 | } |
593 | ||
7c673cae FG |
594 | EC2Engine::acl_strategy_t |
595 | EC2Engine::get_acl_strategy(const EC2Engine::token_envelope_t&) const | |
596 | { | |
597 | /* This is based on the assumption that the default acl strategy in | |
598 | * get_perms_from_aclspec, will take care. Extra acl spec is not required. */ | |
599 | return nullptr; | |
600 | } | |
601 | ||
602 | EC2Engine::auth_info_t | |
603 | EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token, | |
2a845540 TL |
604 | const std::vector<std::string>& admin_roles, |
605 | const std::string& access_key_id | |
7c673cae FG |
606 | ) const noexcept |
607 | { | |
608 | using acct_privilege_t = \ | |
609 | rgw::auth::RemoteApplier::AuthInfo::acct_privilege_t; | |
610 | ||
611 | /* Check whether the user has an admin status. */ | |
612 | acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT; | |
613 | for (const auto& admin_role : admin_roles) { | |
614 | if (token.has_role(admin_role)) { | |
615 | level = acct_privilege_t::IS_ADMIN_ACCT; | |
616 | break; | |
617 | } | |
618 | } | |
619 | ||
620 | return auth_info_t { | |
621 | /* Suggested account name for the authenticated user. */ | |
622 | rgw_user(token.get_project_id()), | |
623 | /* User's display name (aka real name). */ | |
624 | token.get_project_name(), | |
625 | /* Keystone doesn't support RGW's subuser concept, so we cannot cut down | |
626 | * the access rights through the perm_mask. At least at this layer. */ | |
627 | RGW_PERM_FULL_CONTROL, | |
628 | level, | |
2a845540 TL |
629 | access_key_id, |
630 | rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER, | |
631 | TYPE_KEYSTONE | |
7c673cae FG |
632 | }; |
633 | } | |
634 | ||
31f18b77 | 635 | rgw::auth::Engine::result_t EC2Engine::authenticate( |
11fdf7f2 | 636 | const DoutPrefixProvider* dpp, |
f67539c2 TL |
637 | const std::string_view& access_key_id, |
638 | const std::string_view& signature, | |
639 | const std::string_view& session_token, | |
31f18b77 | 640 | const string_to_sign_t& string_to_sign, |
9f95a23c | 641 | const signature_factory_t& signature_factory, |
31f18b77 FG |
642 | const completer_factory_t& completer_factory, |
643 | /* Passthorugh only! */ | |
f67539c2 TL |
644 | const req_state* s, |
645 | optional_yield y) const | |
7c673cae FG |
646 | { |
647 | /* This will be initialized on the first call to this method. In C++11 it's | |
648 | * also thread-safe. */ | |
649 | static const struct RolesCacher { | |
11fdf7f2 | 650 | explicit RolesCacher(CephContext* const cct) { |
7c673cae FG |
651 | get_str_vec(cct->_conf->rgw_keystone_accepted_roles, plain); |
652 | get_str_vec(cct->_conf->rgw_keystone_accepted_admin_roles, admin); | |
653 | ||
654 | /* Let's suppose that having an admin role implies also a regular one. */ | |
655 | plain.insert(std::end(plain), std::begin(admin), std::end(admin)); | |
656 | } | |
657 | ||
658 | std::vector<std::string> plain; | |
659 | std::vector<std::string> admin; | |
660 | } accepted_roles(cct); | |
661 | ||
1e59de90 | 662 | auto [t, secret_key, failure_reason] = |
9f95a23c | 663 | get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory); |
7c673cae | 664 | if (! t) { |
aee94f69 TL |
665 | if (failure_reason == -ERR_SIGNATURE_NO_MATCH) { |
666 | // we looked up a secret but it didn't generate the same signature as | |
667 | // the client. since we found this access key in keystone, we should | |
668 | // reject the request instead of trying other engines | |
669 | return result_t::reject(failure_reason); | |
670 | } | |
7c673cae FG |
671 | return result_t::deny(failure_reason); |
672 | } | |
673 | ||
674 | /* Verify expiration. */ | |
675 | if (t->expired()) { | |
11fdf7f2 | 676 | ldpp_dout(dpp, 0) << "got expired token: " << t->get_project_name() |
7c673cae FG |
677 | << ":" << t->get_user_name() |
678 | << " expired: " << t->get_expires() << dendl; | |
679 | return result_t::deny(); | |
680 | } | |
681 | ||
682 | /* check if we have a valid role */ | |
683 | bool found = false; | |
684 | for (const auto& role : accepted_roles.plain) { | |
685 | if (t->has_role(role) == true) { | |
686 | found = true; | |
687 | break; | |
688 | } | |
689 | } | |
690 | ||
691 | if (! found) { | |
11fdf7f2 | 692 | ldpp_dout(dpp, 5) << "s3 keystone: user does not hold a matching role;" |
7c673cae FG |
693 | " required roles: " |
694 | << cct->_conf->rgw_keystone_accepted_roles << dendl; | |
695 | return result_t::deny(); | |
696 | } else { | |
697 | /* everything seems fine, continue with this user */ | |
11fdf7f2 | 698 | ldpp_dout(dpp, 5) << "s3 keystone: validated token: " << t->get_project_name() |
7c673cae FG |
699 | << ":" << t->get_user_name() |
700 | << " expires: " << t->get_expires() << dendl; | |
701 | ||
702 | auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t), | |
2a845540 | 703 | get_creds_info(*t, accepted_roles.admin, std::string(access_key_id))); |
1e59de90 | 704 | return result_t::grant(std::move(apl), completer_factory(secret_key)); |
7c673cae FG |
705 | } |
706 | } | |
707 | ||
9f95a23c TL |
708 | bool SecretCache::find(const std::string& token_id, |
709 | SecretCache::token_envelope_t& token, | |
710 | std::string &secret) | |
711 | { | |
712 | std::lock_guard<std::mutex> l(lock); | |
713 | ||
714 | map<std::string, secret_entry>::iterator iter = secrets.find(token_id); | |
715 | if (iter == secrets.end()) { | |
716 | return false; | |
717 | } | |
718 | ||
719 | secret_entry& entry = iter->second; | |
720 | secrets_lru.erase(entry.lru_iter); | |
721 | ||
722 | const utime_t now = ceph_clock_now(); | |
723 | if (entry.token.expired() || now > entry.expires) { | |
724 | secrets.erase(iter); | |
725 | return false; | |
726 | } | |
727 | token = entry.token; | |
728 | secret = entry.secret; | |
729 | ||
730 | secrets_lru.push_front(token_id); | |
731 | entry.lru_iter = secrets_lru.begin(); | |
732 | ||
733 | return true; | |
734 | } | |
735 | ||
736 | void SecretCache::add(const std::string& token_id, | |
737 | const SecretCache::token_envelope_t& token, | |
738 | const std::string& secret) | |
739 | { | |
740 | std::lock_guard<std::mutex> l(lock); | |
741 | ||
742 | map<string, secret_entry>::iterator iter = secrets.find(token_id); | |
743 | if (iter != secrets.end()) { | |
744 | secret_entry& e = iter->second; | |
745 | secrets_lru.erase(e.lru_iter); | |
746 | } | |
747 | ||
748 | const utime_t now = ceph_clock_now(); | |
749 | secrets_lru.push_front(token_id); | |
750 | secret_entry& entry = secrets[token_id]; | |
751 | entry.token = token; | |
752 | entry.secret = secret; | |
753 | entry.expires = now + s3_token_expiry_length; | |
754 | entry.lru_iter = secrets_lru.begin(); | |
755 | ||
756 | while (secrets_lru.size() > max) { | |
757 | list<string>::reverse_iterator riter = secrets_lru.rbegin(); | |
758 | iter = secrets.find(*riter); | |
759 | assert(iter != secrets.end()); | |
760 | secrets.erase(iter); | |
761 | secrets_lru.pop_back(); | |
762 | } | |
763 | } | |
764 | ||
7c673cae FG |
765 | }; /* namespace keystone */ |
766 | }; /* namespace auth */ | |
767 | }; /* namespace rgw */ |