]>
Commit | Line | Data |
---|---|---|
f91f0fd5 TL |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab ft=cpp | |
3 | ||
4 | #include <errno.h> | |
5 | ||
6 | #include "common/errno.h" | |
7 | #include "common/Formatter.h" | |
8 | #include "common/ceph_json.h" | |
9 | ||
10 | #include "include/types.h" | |
11 | #include "rgw_string.h" | |
12 | ||
13 | #include "rgw_common.h" | |
14 | #include "rgw_op.h" | |
15 | #include "rgw_rest.h" | |
16 | #include "rgw_role.h" | |
17 | #include "rgw_rest_oidc_provider.h" | |
18 | #include "rgw_oidc_provider.h" | |
20effc67 | 19 | #include "rgw_sal.h" |
f91f0fd5 TL |
20 | |
21 | #define dout_subsys ceph_subsys_rgw | |
22 | ||
20effc67 TL |
23 | using namespace std; |
24 | ||
f67539c2 | 25 | int RGWRestOIDCProvider::verify_permission(optional_yield y) |
f91f0fd5 TL |
26 | { |
27 | if (s->auth.identity->is_anonymous()) { | |
28 | return -EACCES; | |
29 | } | |
30 | ||
31 | provider_arn = s->info.args.get("OpenIDConnectProviderArn"); | |
32 | if (provider_arn.empty()) { | |
b3b6e05e | 33 | ldpp_dout(this, 20) << "ERROR: Provider ARN is empty"<< dendl; |
f91f0fd5 TL |
34 | return -EINVAL; |
35 | } | |
36 | ||
37 | auto ret = check_caps(s->user->get_caps()); | |
38 | if (ret == 0) { | |
39 | return ret; | |
40 | } | |
41 | ||
42 | uint64_t op = get_op(); | |
43 | auto rgw_arn = rgw::ARN::parse(provider_arn, true); | |
44 | if (rgw_arn) { | |
45 | if (!verify_user_permission(this, s, *rgw_arn, op)) { | |
46 | return -EACCES; | |
47 | } | |
48 | } else { | |
49 | return -EACCES; | |
50 | } | |
51 | ||
52 | return 0; | |
53 | } | |
54 | ||
55 | void RGWRestOIDCProvider::send_response() | |
56 | { | |
57 | if (op_ret) { | |
58 | set_req_state_err(s, op_ret); | |
59 | } | |
60 | dump_errno(s); | |
61 | end_header(s, this); | |
62 | } | |
63 | ||
64 | int RGWRestOIDCProviderRead::check_caps(const RGWUserCaps& caps) | |
65 | { | |
66 | return caps.check_cap("oidc-provider", RGW_CAP_READ); | |
67 | } | |
68 | ||
69 | int RGWRestOIDCProviderWrite::check_caps(const RGWUserCaps& caps) | |
70 | { | |
71 | return caps.check_cap("oidc-provider", RGW_CAP_WRITE); | |
72 | } | |
73 | ||
f67539c2 | 74 | int RGWCreateOIDCProvider::verify_permission(optional_yield y) |
f91f0fd5 TL |
75 | { |
76 | if (s->auth.identity->is_anonymous()) { | |
77 | return -EACCES; | |
78 | } | |
79 | ||
80 | auto ret = check_caps(s->user->get_caps()); | |
81 | if (ret == 0) { | |
82 | return ret; | |
83 | } | |
84 | ||
85 | string idp_url = url_remove_prefix(provider_url); | |
86 | if (!verify_user_permission(this, | |
87 | s, | |
88 | rgw::ARN(idp_url, | |
89 | "oidc-provider", | |
90 | s->user->get_tenant(), true), | |
91 | get_op())) { | |
92 | return -EACCES; | |
93 | } | |
94 | return 0; | |
95 | } | |
96 | ||
97 | int RGWCreateOIDCProvider::get_params() | |
98 | { | |
99 | provider_url = s->info.args.get("Url"); | |
100 | ||
101 | auto val_map = s->info.args.get_params(); | |
102 | for (auto& it : val_map) { | |
103 | if (it.first.find("ClientIDList.member.") != string::npos) { | |
104 | client_ids.emplace_back(it.second); | |
105 | } | |
106 | if (it.first.find("ThumbprintList.member.") != string::npos) { | |
107 | thumbprints.emplace_back(it.second); | |
108 | } | |
109 | } | |
110 | ||
111 | if (provider_url.empty() || thumbprints.empty()) { | |
b3b6e05e | 112 | ldpp_dout(this, 20) << "ERROR: one of url or thumbprints is empty" << dendl; |
f91f0fd5 TL |
113 | return -EINVAL; |
114 | } | |
115 | ||
116 | return 0; | |
117 | } | |
118 | ||
f67539c2 | 119 | void RGWCreateOIDCProvider::execute(optional_yield y) |
f91f0fd5 TL |
120 | { |
121 | op_ret = get_params(); | |
122 | if (op_ret < 0) { | |
123 | return; | |
124 | } | |
125 | ||
20effc67 TL |
126 | std::unique_ptr<rgw::sal::RGWOIDCProvider> provider = store->get_oidc_provider(); |
127 | provider->set_url(provider_url); | |
128 | provider->set_tenant(s->user->get_tenant()); | |
129 | provider->set_client_ids(client_ids); | |
130 | provider->set_thumbprints(thumbprints); | |
131 | op_ret = provider->create(s, true, y); | |
f91f0fd5 TL |
132 | |
133 | if (op_ret == 0) { | |
134 | s->formatter->open_object_section("CreateOpenIDConnectProviderResponse"); | |
135 | s->formatter->open_object_section("CreateOpenIDConnectProviderResult"); | |
20effc67 | 136 | provider->dump(s->formatter); |
f91f0fd5 TL |
137 | s->formatter->close_section(); |
138 | s->formatter->open_object_section("ResponseMetadata"); | |
139 | s->formatter->dump_string("RequestId", s->trans_id); | |
140 | s->formatter->close_section(); | |
141 | s->formatter->close_section(); | |
142 | } | |
143 | ||
144 | } | |
145 | ||
f67539c2 | 146 | void RGWDeleteOIDCProvider::execute(optional_yield y) |
f91f0fd5 | 147 | { |
20effc67 TL |
148 | std::unique_ptr<rgw::sal::RGWOIDCProvider> provider = store->get_oidc_provider(); |
149 | provider->set_arn(provider_arn); | |
150 | provider->set_tenant(s->user->get_tenant()); | |
151 | op_ret = provider->delete_obj(s, y); | |
f67539c2 | 152 | |
f91f0fd5 TL |
153 | if (op_ret < 0 && op_ret != -ENOENT && op_ret != -EINVAL) { |
154 | op_ret = ERR_INTERNAL_ERROR; | |
155 | } | |
156 | ||
157 | if (op_ret == 0) { | |
158 | s->formatter->open_object_section("DeleteOpenIDConnectProviderResponse"); | |
159 | s->formatter->open_object_section("ResponseMetadata"); | |
160 | s->formatter->dump_string("RequestId", s->trans_id); | |
161 | s->formatter->close_section(); | |
162 | s->formatter->close_section(); | |
163 | } | |
164 | } | |
165 | ||
f67539c2 | 166 | void RGWGetOIDCProvider::execute(optional_yield y) |
f91f0fd5 | 167 | { |
20effc67 TL |
168 | std::unique_ptr<rgw::sal::RGWOIDCProvider> provider = store->get_oidc_provider(); |
169 | provider->set_arn(provider_arn); | |
170 | provider->set_tenant(s->user->get_tenant()); | |
171 | op_ret = provider->get(s); | |
f91f0fd5 TL |
172 | |
173 | if (op_ret < 0 && op_ret != -ENOENT && op_ret != -EINVAL) { | |
174 | op_ret = ERR_INTERNAL_ERROR; | |
175 | } | |
176 | ||
177 | if (op_ret == 0) { | |
178 | s->formatter->open_object_section("GetOpenIDConnectProviderResponse"); | |
179 | s->formatter->open_object_section("ResponseMetadata"); | |
180 | s->formatter->dump_string("RequestId", s->trans_id); | |
181 | s->formatter->close_section(); | |
182 | s->formatter->open_object_section("GetOpenIDConnectProviderResult"); | |
20effc67 | 183 | provider->dump_all(s->formatter); |
f91f0fd5 TL |
184 | s->formatter->close_section(); |
185 | s->formatter->close_section(); | |
186 | } | |
187 | } | |
188 | ||
f67539c2 | 189 | int RGWListOIDCProviders::verify_permission(optional_yield y) |
f91f0fd5 TL |
190 | { |
191 | if (s->auth.identity->is_anonymous()) { | |
192 | return -EACCES; | |
193 | } | |
194 | ||
195 | if (int ret = check_caps(s->user->get_caps()); ret == 0) { | |
196 | return ret; | |
197 | } | |
198 | ||
199 | if (!verify_user_permission(this, | |
200 | s, | |
201 | rgw::ARN(), | |
202 | get_op())) { | |
203 | return -EACCES; | |
204 | } | |
205 | ||
206 | return 0; | |
207 | } | |
208 | ||
f67539c2 | 209 | void RGWListOIDCProviders::execute(optional_yield y) |
f91f0fd5 | 210 | { |
20effc67 TL |
211 | vector<std::unique_ptr<rgw::sal::RGWOIDCProvider>> result; |
212 | op_ret = store->get_oidc_providers(s, s->user->get_tenant(), result); | |
f91f0fd5 TL |
213 | |
214 | if (op_ret == 0) { | |
215 | s->formatter->open_array_section("ListOpenIDConnectProvidersResponse"); | |
216 | s->formatter->open_object_section("ResponseMetadata"); | |
217 | s->formatter->dump_string("RequestId", s->trans_id); | |
218 | s->formatter->close_section(); | |
219 | s->formatter->open_object_section("ListOpenIDConnectProvidersResult"); | |
220 | s->formatter->open_array_section("OpenIDConnectProviderList"); | |
221 | for (const auto& it : result) { | |
222 | s->formatter->open_object_section("Arn"); | |
20effc67 | 223 | auto& arn = it->get_arn(); |
b3b6e05e | 224 | ldpp_dout(s, 0) << "ARN: " << arn << dendl; |
f91f0fd5 TL |
225 | s->formatter->dump_string("Arn", arn); |
226 | s->formatter->close_section(); | |
227 | } | |
228 | s->formatter->close_section(); | |
229 | s->formatter->close_section(); | |
230 | s->formatter->close_section(); | |
231 | } | |
232 | } | |
233 |