]>
Commit | Line | Data |
---|---|---|
11fdf7f2 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
11fdf7f2 | 3 | |
9f95a23c | 4 | #pragma once |
11fdf7f2 TL |
5 | |
6 | #include "rgw_auth.h" | |
7 | #include "rgw_auth_filters.h" | |
8 | #include "rgw_sts.h" | |
9 | #include "rgw_web_idp.h" | |
10 | ||
9f95a23c | 11 | namespace rgw::auth::sts { |
11fdf7f2 TL |
12 | |
13 | class WebTokenEngine : public rgw::auth::Engine { | |
14 | CephContext* const cct; | |
15 | ||
16 | using result_t = rgw::auth::Engine::result_t; | |
17 | using token_t = rgw::web_idp::WebTokenClaims; | |
18 | ||
19 | const rgw::auth::TokenExtractor* const extractor; | |
20 | const rgw::auth::WebIdentityApplier::Factory* const apl_factory; | |
21 | ||
22 | bool is_applicable(const std::string& token) const noexcept; | |
23 | ||
24 | boost::optional<token_t> | |
25 | get_from_idp(const DoutPrefixProvider* dpp, const std::string& token) const; | |
26 | ||
27 | result_t authenticate(const DoutPrefixProvider* dpp, | |
28 | const std::string& token, | |
29 | const req_state* s) const; | |
30 | ||
31 | public: | |
32 | WebTokenEngine(CephContext* const cct, | |
33 | const rgw::auth::TokenExtractor* const extractor, | |
34 | const rgw::auth::WebIdentityApplier::Factory* const apl_factory) | |
35 | : cct(cct), | |
36 | extractor(extractor), | |
37 | apl_factory(apl_factory) { | |
38 | } | |
39 | ||
40 | const char* get_name() const noexcept override { | |
41 | return "rgw::auth::sts::WebTokenEngine"; | |
42 | } | |
43 | ||
44 | result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override { | |
45 | return authenticate(dpp, extractor->get_token(s), s); | |
46 | } | |
47 | }; /* class WebTokenEngine */ | |
48 | ||
49 | class DefaultStrategy : public rgw::auth::Strategy, | |
50 | public rgw::auth::TokenExtractor, | |
51 | public rgw::auth::WebIdentityApplier::Factory { | |
9f95a23c TL |
52 | RGWCtl* const ctl; |
53 | ImplicitTenants& implicit_tenant_context; | |
11fdf7f2 TL |
54 | |
55 | /* The engine. */ | |
56 | const WebTokenEngine web_token_engine; | |
57 | ||
58 | using aplptr_t = rgw::auth::IdentityApplier::aplptr_t; | |
59 | ||
60 | /* The method implements TokenExtractor for Web Token in req_state. */ | |
61 | std::string get_token(const req_state* const s) const override { | |
62 | return s->info.args.get("WebIdentityToken"); | |
63 | } | |
64 | ||
65 | aplptr_t create_apl_web_identity( CephContext* cct, | |
66 | const req_state* s, | |
67 | const rgw::web_idp::WebTokenClaims& token) const override { | |
9f95a23c TL |
68 | auto apl = rgw::auth::add_sysreq(cct, ctl, s, |
69 | rgw::auth::WebIdentityApplier(cct, ctl, token)); | |
11fdf7f2 TL |
70 | return aplptr_t(new decltype(apl)(std::move(apl))); |
71 | } | |
72 | ||
73 | public: | |
74 | DefaultStrategy(CephContext* const cct, | |
9f95a23c TL |
75 | ImplicitTenants& implicit_tenant_context, |
76 | RGWCtl* const ctl) | |
77 | : ctl(ctl), | |
78 | implicit_tenant_context(implicit_tenant_context), | |
11fdf7f2 TL |
79 | web_token_engine(cct, |
80 | static_cast<rgw::auth::TokenExtractor*>(this), | |
81 | static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) { | |
82 | /* When the constructor's body is being executed, all member engines | |
83 | * should be initialized. Thus, we can safely add them. */ | |
84 | using Control = rgw::auth::Strategy::Control; | |
85 | add_engine(Control::SUFFICIENT, web_token_engine); | |
86 | } | |
87 | ||
88 | const char* get_name() const noexcept override { | |
89 | return "rgw::auth::sts::DefaultStrategy"; | |
90 | } | |
91 | }; | |
92 | ||
9f95a23c | 93 | } // namespace rgw::auth::sts |
11fdf7f2 TL |
94 | |
95 | class RGWREST_STS : public RGWRESTOp { | |
96 | protected: | |
97 | STS::STSService sts; | |
98 | public: | |
99 | RGWREST_STS() = default; | |
100 | int verify_permission() override; | |
101 | void send_response() override; | |
102 | }; | |
103 | ||
104 | class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS { | |
105 | protected: | |
106 | string duration; | |
107 | string providerId; | |
108 | string policy; | |
109 | string roleArn; | |
110 | string roleSessionName; | |
111 | string sub; | |
112 | string aud; | |
113 | string iss; | |
114 | public: | |
115 | RGWSTSAssumeRoleWithWebIdentity() = default; | |
116 | void execute() override; | |
117 | int get_params(); | |
118 | const char* name() const override { return "assume_role_web_identity"; } | |
119 | RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; } | |
120 | }; | |
121 | ||
122 | class RGWSTSAssumeRole : public RGWREST_STS { | |
123 | protected: | |
124 | string duration; | |
125 | string externalId; | |
126 | string policy; | |
127 | string roleArn; | |
128 | string roleSessionName; | |
129 | string serialNumber; | |
130 | string tokenCode; | |
131 | public: | |
132 | RGWSTSAssumeRole() = default; | |
133 | void execute() override; | |
134 | int get_params(); | |
135 | const char* name() const override { return "assume_role"; } | |
136 | RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; } | |
137 | }; | |
138 | ||
139 | class RGWSTSGetSessionToken : public RGWREST_STS { | |
140 | protected: | |
141 | string duration; | |
142 | string serialNumber; | |
143 | string tokenCode; | |
144 | public: | |
145 | RGWSTSGetSessionToken() = default; | |
146 | void execute() override; | |
147 | int verify_permission() override; | |
148 | int get_params(); | |
149 | const char* name() const override { return "get_session_token"; } | |
150 | RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; } | |
151 | }; | |
152 | ||
153 | class RGW_Auth_STS { | |
154 | public: | |
155 | static int authorize(const DoutPrefixProvider *dpp, | |
9f95a23c | 156 | rgw::sal::RGWRadosStore *store, |
11fdf7f2 TL |
157 | const rgw::auth::StrategyRegistry& auth_registry, |
158 | struct req_state *s); | |
159 | }; | |
160 | ||
161 | class RGWHandler_REST_STS : public RGWHandler_REST { | |
162 | const rgw::auth::StrategyRegistry& auth_registry; | |
eafe8130 | 163 | const string& post_body; |
11fdf7f2 TL |
164 | RGWOp *op_post() override; |
165 | void rgw_sts_parse_input(); | |
166 | public: | |
167 | ||
168 | static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format); | |
169 | ||
eafe8130 | 170 | RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry, const string& post_body="") |
11fdf7f2 | 171 | : RGWHandler_REST(), |
eafe8130 TL |
172 | auth_registry(auth_registry), |
173 | post_body(post_body) {} | |
11fdf7f2 TL |
174 | ~RGWHandler_REST_STS() override = default; |
175 | ||
9f95a23c | 176 | int init(rgw::sal::RGWRadosStore *store, |
11fdf7f2 TL |
177 | struct req_state *s, |
178 | rgw::io::BasicClient *cio) override; | |
179 | int authorize(const DoutPrefixProvider* dpp) override; | |
180 | int postauth_init() override { return 0; } | |
181 | }; | |
182 | ||
183 | class RGWRESTMgr_STS : public RGWRESTMgr { | |
184 | public: | |
185 | RGWRESTMgr_STS() = default; | |
186 | ~RGWRESTMgr_STS() override = default; | |
187 | ||
188 | RGWRESTMgr *get_resource_mgr(struct req_state* const s, | |
189 | const std::string& uri, | |
190 | std::string* const out_uri) override { | |
191 | return this; | |
192 | } | |
193 | ||
194 | RGWHandler_REST* get_handler(struct req_state*, | |
195 | const rgw::auth::StrategyRegistry&, | |
196 | const std::string&) override; | |
197 | }; |