]>
Commit | Line | Data |
---|---|---|
31f18b77 FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
7c673cae FG |
3 | #include <errno.h> |
4 | ||
5 | #include "common/errno.h" | |
6 | #include "common/Formatter.h" | |
7 | #include "common/ceph_json.h" | |
8 | ||
9 | #include "include/types.h" | |
10 | #include "rgw_string.h" | |
11 | ||
12 | #include "rgw_common.h" | |
13 | #include "rgw_op.h" | |
14 | #include "rgw_rest.h" | |
15 | #include "rgw_role.h" | |
16 | #include "rgw_rest_role.h" | |
17 | ||
18 | #define dout_subsys ceph_subsys_rgw | |
19 | ||
7c673cae FG |
20 | void RGWRestRole::send_response() |
21 | { | |
22 | if (op_ret) { | |
23 | set_req_state_err(s, op_ret); | |
24 | } | |
25 | dump_errno(s); | |
26 | end_header(s); | |
27 | } | |
28 | ||
29 | int RGWRoleRead::verify_permission() | |
30 | { | |
31 | if (s->auth.identity->is_anonymous()) { | |
32 | return -EACCES; | |
33 | } | |
34 | ||
35 | if (!verify_user_permission(s, RGW_PERM_READ)) { | |
36 | return -EACCES; | |
37 | } | |
38 | ||
39 | return 0; | |
40 | } | |
41 | ||
42 | int RGWRoleWrite::verify_permission() | |
43 | { | |
44 | if (s->auth.identity->is_anonymous()) { | |
45 | return -EACCES; | |
46 | } | |
47 | ||
48 | if (!verify_user_permission(s, RGW_PERM_WRITE)) { | |
49 | return -EACCES; | |
50 | } | |
51 | ||
52 | return 0; | |
53 | } | |
54 | ||
55 | int RGWCreateRole::get_params() | |
56 | { | |
57 | role_name = s->info.args.get("RoleName"); | |
58 | role_path = s->info.args.get("Path"); | |
59 | trust_policy = s->info.args.get("AssumeRolePolicyDocument"); | |
60 | ||
61 | if (role_name.empty() || trust_policy.empty()) { | |
62 | ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty" | |
63 | << dendl; | |
64 | return -EINVAL; | |
65 | } | |
66 | JSONParser p; | |
67 | if (!p.parse(trust_policy.c_str(), trust_policy.length())) { | |
68 | ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl; | |
69 | return -ERR_MALFORMED_DOC; | |
70 | } | |
71 | return 0; | |
72 | } | |
73 | ||
74 | void RGWCreateRole::execute() | |
75 | { | |
76 | op_ret = get_params(); | |
77 | if (op_ret < 0) { | |
78 | return; | |
79 | } | |
31f18b77 | 80 | RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant); |
7c673cae FG |
81 | op_ret = role.create(true); |
82 | ||
83 | if (op_ret == -EEXIST) { | |
84 | op_ret = -ERR_ROLE_EXISTS; | |
85 | } | |
86 | ||
87 | if (op_ret == 0) { | |
88 | s->formatter->open_object_section("role"); | |
89 | role.dump(s->formatter); | |
90 | s->formatter->close_section(); | |
91 | } | |
92 | } | |
93 | ||
94 | int RGWDeleteRole::get_params() | |
95 | { | |
96 | role_name = s->info.args.get("RoleName"); | |
97 | ||
98 | if (role_name.empty()) { | |
99 | ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; | |
100 | return -EINVAL; | |
101 | } | |
102 | ||
103 | return 0; | |
104 | } | |
105 | ||
106 | void RGWDeleteRole::execute() | |
107 | { | |
108 | op_ret = get_params(); | |
109 | if (op_ret < 0) { | |
110 | return; | |
111 | } | |
31f18b77 | 112 | RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
113 | op_ret = role.delete_obj(); |
114 | ||
115 | if (op_ret == -ENOENT) { | |
116 | op_ret = -ERR_NO_ROLE_FOUND; | |
117 | } | |
118 | } | |
119 | ||
120 | int RGWGetRole::get_params() | |
121 | { | |
122 | role_name = s->info.args.get("RoleName"); | |
123 | ||
124 | if (role_name.empty()) { | |
125 | ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; | |
126 | return -EINVAL; | |
127 | } | |
128 | ||
129 | return 0; | |
130 | } | |
131 | ||
132 | void RGWGetRole::execute() | |
133 | { | |
134 | op_ret = get_params(); | |
135 | if (op_ret < 0) { | |
136 | return; | |
137 | } | |
31f18b77 | 138 | RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
139 | op_ret = role.get(); |
140 | ||
141 | if (op_ret == -ENOENT) { | |
142 | op_ret = -ERR_NO_ROLE_FOUND; | |
143 | } | |
144 | ||
145 | if (op_ret == 0) { | |
146 | s->formatter->open_object_section("role"); | |
147 | role.dump(s->formatter); | |
148 | s->formatter->close_section(); | |
149 | } | |
150 | } | |
151 | ||
152 | int RGWModifyRole::get_params() | |
153 | { | |
154 | role_name = s->info.args.get("RoleName"); | |
155 | trust_policy = s->info.args.get("PolicyDocument"); | |
156 | ||
157 | if (role_name.empty() || trust_policy.empty()) { | |
158 | ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl; | |
159 | return -EINVAL; | |
160 | } | |
161 | JSONParser p; | |
162 | if (!p.parse(trust_policy.c_str(), trust_policy.length())) { | |
163 | ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl; | |
164 | return -ERR_MALFORMED_DOC; | |
165 | } | |
166 | ||
167 | return 0; | |
168 | } | |
169 | ||
170 | void RGWModifyRole::execute() | |
171 | { | |
172 | op_ret = get_params(); | |
173 | if (op_ret < 0) { | |
174 | return; | |
175 | } | |
31f18b77 | 176 | RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
177 | op_ret = role.get(); |
178 | if (op_ret == -ENOENT) { | |
179 | op_ret = -ERR_NO_ROLE_FOUND; | |
180 | } | |
181 | ||
182 | if (op_ret == 0) { | |
183 | role.update_trust_policy(trust_policy); | |
184 | op_ret = role.update(); | |
185 | } | |
186 | } | |
187 | ||
188 | int RGWListRoles::get_params() | |
189 | { | |
190 | path_prefix = s->info.args.get("PathPrefix"); | |
191 | ||
192 | return 0; | |
193 | } | |
194 | ||
195 | void RGWListRoles::execute() | |
196 | { | |
197 | op_ret = get_params(); | |
198 | if (op_ret < 0) { | |
199 | return; | |
200 | } | |
201 | vector<RGWRole> result; | |
31f18b77 | 202 | op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result); |
7c673cae FG |
203 | |
204 | if (op_ret == 0) { | |
205 | s->formatter->open_array_section("Roles"); | |
206 | for (const auto& it : result) { | |
207 | s->formatter->open_object_section("role"); | |
208 | it.dump(s->formatter); | |
209 | s->formatter->close_section(); | |
210 | } | |
211 | s->formatter->close_section(); | |
212 | } | |
213 | } | |
214 | ||
215 | int RGWPutRolePolicy::get_params() | |
216 | { | |
217 | role_name = s->info.args.get("RoleName"); | |
218 | policy_name = s->info.args.get("PolicyName"); | |
219 | perm_policy = s->info.args.get("PolicyDocument"); | |
220 | ||
221 | if (role_name.empty() || policy_name.empty() || perm_policy.empty()) { | |
222 | ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl; | |
223 | return -EINVAL; | |
224 | } | |
225 | JSONParser p; | |
226 | if (!p.parse(perm_policy.c_str(), perm_policy.length())) { | |
227 | ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl; | |
228 | return -ERR_MALFORMED_DOC; | |
229 | } | |
230 | ||
231 | return 0; | |
232 | } | |
233 | ||
234 | void RGWPutRolePolicy::execute() | |
235 | { | |
236 | op_ret = get_params(); | |
237 | if (op_ret < 0) { | |
238 | return; | |
239 | } | |
240 | ||
31f18b77 | 241 | RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
242 | op_ret = role.get(); |
243 | if (op_ret == 0) { | |
244 | role.set_perm_policy(policy_name, perm_policy); | |
245 | op_ret = role.update(); | |
246 | } | |
247 | } | |
248 | ||
249 | int RGWGetRolePolicy::get_params() | |
250 | { | |
251 | role_name = s->info.args.get("RoleName"); | |
252 | policy_name = s->info.args.get("PolicyName"); | |
253 | ||
254 | if (role_name.empty() || policy_name.empty()) { | |
255 | ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl; | |
256 | return -EINVAL; | |
257 | } | |
258 | return 0; | |
259 | } | |
260 | ||
261 | void RGWGetRolePolicy::execute() | |
262 | { | |
263 | op_ret = get_params(); | |
264 | if (op_ret < 0) { | |
265 | return; | |
266 | } | |
267 | ||
31f18b77 | 268 | RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
269 | op_ret = role.get(); |
270 | ||
271 | if (op_ret == -ENOENT) { | |
272 | op_ret = -ERR_NO_ROLE_FOUND; | |
273 | } | |
274 | ||
275 | if (op_ret == 0) { | |
276 | string perm_policy; | |
277 | op_ret = role.get_role_policy(policy_name, perm_policy); | |
278 | ||
279 | if (op_ret == 0) { | |
280 | s->formatter->open_object_section("GetRolePolicyResult"); | |
281 | s->formatter->dump_string("PolicyName", policy_name); | |
282 | s->formatter->dump_string("RoleName", role_name); | |
283 | s->formatter->dump_string("Permission policy", perm_policy); | |
284 | s->formatter->close_section(); | |
285 | } | |
286 | } | |
287 | } | |
288 | ||
289 | int RGWListRolePolicies::get_params() | |
290 | { | |
291 | role_name = s->info.args.get("RoleName"); | |
292 | ||
293 | if (role_name.empty()) { | |
294 | ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; | |
295 | return -EINVAL; | |
296 | } | |
297 | return 0; | |
298 | } | |
299 | ||
300 | void RGWListRolePolicies::execute() | |
301 | { | |
302 | op_ret = get_params(); | |
303 | if (op_ret < 0) { | |
304 | return; | |
305 | } | |
306 | ||
31f18b77 | 307 | RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
308 | op_ret = role.get(); |
309 | ||
310 | if (op_ret == -ENOENT) { | |
311 | op_ret = -ERR_NO_ROLE_FOUND; | |
312 | } | |
313 | ||
314 | if (op_ret == 0) { | |
315 | std::vector<string> policy_names = role.get_role_policy_names(); | |
316 | s->formatter->open_array_section("PolicyNames"); | |
317 | for (const auto& it : policy_names) { | |
318 | s->formatter->dump_string("member", it); | |
319 | } | |
320 | s->formatter->close_section(); | |
321 | } | |
322 | } | |
323 | ||
324 | int RGWDeleteRolePolicy::get_params() | |
325 | { | |
326 | role_name = s->info.args.get("RoleName"); | |
327 | policy_name = s->info.args.get("PolicyName"); | |
328 | ||
329 | if (role_name.empty() || policy_name.empty()) { | |
330 | ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl; | |
331 | return -EINVAL; | |
332 | } | |
333 | return 0; | |
334 | } | |
335 | ||
336 | void RGWDeleteRolePolicy::execute() | |
337 | { | |
338 | op_ret = get_params(); | |
339 | if (op_ret < 0) { | |
340 | return; | |
341 | } | |
342 | ||
31f18b77 | 343 | RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); |
7c673cae FG |
344 | op_ret = role.get(); |
345 | ||
346 | if (op_ret == -ENOENT) { | |
347 | op_ret = -ERR_NO_ROLE_FOUND; | |
348 | } | |
349 | ||
350 | if (op_ret == 0) { | |
351 | op_ret = role.delete_policy(policy_name); | |
352 | if (op_ret == -ENOENT) { | |
353 | op_ret = -ERR_NO_ROLE_FOUND; | |
354 | } | |
355 | ||
356 | if (op_ret == 0) { | |
357 | op_ret = role.update(); | |
358 | } | |
359 | } | |
360 | } |