[ceph.git] / ceph / src / rgw / rgw_rest_sts.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#pragma once

#include "rgw_auth.h"
#include "rgw_auth_filters.h"
#include "rgw_sts.h"
#include "rgw_web_idp.h"

namespace rgw::auth::sts {

class WebTokenEngine : public rgw::auth::Engine {
  CephContext* const cct;

  using result_t = rgw::auth::Engine::result_t;
  using token_t = rgw::web_idp::WebTokenClaims;

  const rgw::auth::TokenExtractor* const extractor;
  const rgw::auth::WebIdentityApplier::Factory* const apl_factory;

  bool is_applicable(const std::string& token) const noexcept;

  boost::optional<token_t>
  get_from_idp(const DoutPrefixProvider* dpp, const std::string& token) const;

  result_t authenticate(const DoutPrefixProvider* dpp,
                        const std::string& token,
                        const req_state* s) const;

public:
  WebTokenEngine(CephContext* const cct,
                    const rgw::auth::TokenExtractor* const extractor,
                    const rgw::auth::WebIdentityApplier::Factory* const apl_factory)
    : cct(cct),
      extractor(extractor),
      apl_factory(apl_factory) {
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::WebTokenEngine";
  }

  result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
    return authenticate(dpp, extractor->get_token(s), s);
  }
}; /* class WebTokenEngine */

class DefaultStrategy : public rgw::auth::Strategy,
                        public rgw::auth::TokenExtractor,
                        public rgw::auth::WebIdentityApplier::Factory {
  RGWCtl* const ctl;
  ImplicitTenants& implicit_tenant_context;

  /* The engine. */
  const WebTokenEngine web_token_engine;

  using aplptr_t = rgw::auth::IdentityApplier::aplptr_t;

  /* The method implements TokenExtractor for Web Token in req_state. */
  std::string get_token(const req_state* const s) const override {
    return s->info.args.get("WebIdentityToken");
  }

  aplptr_t create_apl_web_identity( CephContext* cct,
                                    const req_state* s,
                                    const rgw::web_idp::WebTokenClaims& token) const override {
    auto apl = rgw::auth::add_sysreq(cct, ctl, s,
      rgw::auth::WebIdentityApplier(cct, ctl, token));
    return aplptr_t(new decltype(apl)(std::move(apl)));
  }

public:
  DefaultStrategy(CephContext* const cct,
                  ImplicitTenants& implicit_tenant_context,
                  RGWCtl* const ctl)
    : ctl(ctl),
      implicit_tenant_context(implicit_tenant_context),
      web_token_engine(cct,
                        static_cast<rgw::auth::TokenExtractor*>(this),
                        static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) {
    /* When the constructor's body is being executed, all member engines
     * should be initialized. Thus, we can safely add them. */
    using Control = rgw::auth::Strategy::Control;
    add_engine(Control::SUFFICIENT, web_token_engine);
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::DefaultStrategy";
  }
};

} // namespace rgw::auth::sts

class RGWREST_STS : public RGWRESTOp {
protected:
  STS::STSService sts;
public:
  RGWREST_STS() = default;
  int verify_permission() override;
  void send_response() override;
};

class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS {
protected:
  string duration;
  string providerId;
  string policy;
  string roleArn;
  string roleSessionName;
  string sub;
  string aud;
  string iss;
public:
  RGWSTSAssumeRoleWithWebIdentity() = default;
  void execute() override;
  int get_params();
  const char* name() const override { return "assume_role_web_identity"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; }
};

class RGWSTSAssumeRole : public RGWREST_STS {
protected:
  string duration;
  string externalId;
  string policy;
  string roleArn;
  string roleSessionName;
  string serialNumber;
  string tokenCode;
public:
  RGWSTSAssumeRole() = default;
  void execute() override;
  int get_params();
  const char* name() const override { return "assume_role"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; }
};

class RGWSTSGetSessionToken : public RGWREST_STS {
protected:
  string duration;
  string serialNumber;
  string tokenCode;
public:
  RGWSTSGetSessionToken() = default;
  void execute() override;
  int verify_permission() override;
  int get_params();
  const char* name() const override { return "get_session_token"; }
  RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
};

class RGW_Auth_STS {
public:
  static int authorize(const DoutPrefixProvider *dpp,
                       rgw::sal::RGWRadosStore *store,
                       const rgw::auth::StrategyRegistry& auth_registry,
                       struct req_state *s);
};

class RGWHandler_REST_STS : public RGWHandler_REST {
  const rgw::auth::StrategyRegistry& auth_registry;
  const string& post_body;
  RGWOp *op_post() override;
  void rgw_sts_parse_input();
public:

  static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format);

  RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry, const string& post_body="")
    : RGWHandler_REST(),
      auth_registry(auth_registry),
      post_body(post_body) {}
  ~RGWHandler_REST_STS() override = default;

  int init(rgw::sal::RGWRadosStore *store,
           struct req_state *s,
           rgw::io::BasicClient *cio) override;
  int authorize(const DoutPrefixProvider* dpp) override;
  int postauth_init() override { return 0; }
};

class RGWRESTMgr_STS : public RGWRESTMgr {
public:
  RGWRESTMgr_STS() = default;
  ~RGWRESTMgr_STS() override = default;
  
  RGWRESTMgr *get_resource_mgr(struct req_state* const s,
                               const std::string& uri,
                               std::string* const out_uri) override {
    return this;
  }

  RGWHandler_REST* get_handler(struct req_state*,
                               const rgw::auth::StrategyRegistry&,
                               const std::string&) override;
};
Commit	Line	Data
11fdf7f2	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
11fdf7f2	3
9f95a23c	4	#pragma once
11fdf7f2 TL	5
	6	#include "rgw_auth.h"
	7	#include "rgw_auth_filters.h"
	8	#include "rgw_sts.h"
	9	#include "rgw_web_idp.h"
	10
9f95a23c	11	namespace rgw::auth::sts {
11fdf7f2 TL	12
	13	class WebTokenEngine : public rgw::auth::Engine {
	14	CephContext* const cct;
	15
	16	using result_t = rgw::auth::Engine::result_t;
	17	using token_t = rgw::web_idp::WebTokenClaims;
	18
	19	const rgw::auth::TokenExtractor* const extractor;
	20	const rgw::auth::WebIdentityApplier::Factory* const apl_factory;
	21
	22	bool is_applicable(const std::string& token) const noexcept;
	23
	24	boost::optional<token_t>
	25	get_from_idp(const DoutPrefixProvider* dpp, const std::string& token) const;
	26
	27	result_t authenticate(const DoutPrefixProvider* dpp,
	28	const std::string& token,
	29	const req_state* s) const;
	30
	31	public:
	32	WebTokenEngine(CephContext* const cct,
	33	const rgw::auth::TokenExtractor* const extractor,
	34	const rgw::auth::WebIdentityApplier::Factory* const apl_factory)
	35	: cct(cct),
	36	extractor(extractor),
	37	apl_factory(apl_factory) {
	38	}
	39
	40	const char* get_name() const noexcept override {
	41	return "rgw::auth::sts::WebTokenEngine";
	42	}
	43
	44	result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
	45	return authenticate(dpp, extractor->get_token(s), s);
	46	}
	47	}; /* class WebTokenEngine */
	48
	49	class DefaultStrategy : public rgw::auth::Strategy,
	50	public rgw::auth::TokenExtractor,
	51	public rgw::auth::WebIdentityApplier::Factory {
9f95a23c TL	52	RGWCtl* const ctl;
9f95a23c TL	53	ImplicitTenants& implicit_tenant_context;
11fdf7f2 TL	54
	55	/* The engine. */
	56	const WebTokenEngine web_token_engine;
	57
	58	using aplptr_t = rgw::auth::IdentityApplier::aplptr_t;
	59
	60	/* The method implements TokenExtractor for Web Token in req_state. */
	61	std::string get_token(const req_state* const s) const override {
	62	return s->info.args.get("WebIdentityToken");
	63	}
	64
	65	aplptr_t create_apl_web_identity( CephContext* cct,
	66	const req_state* s,
	67	const rgw::web_idp::WebTokenClaims& token) const override {
9f95a23c TL	68	auto apl = rgw::auth::add_sysreq(cct, ctl, s,
9f95a23c TL	69	rgw::auth::WebIdentityApplier(cct, ctl, token));
11fdf7f2 TL	70	return aplptr_t(new decltype(apl)(std::move(apl)));
	71	}
	72
	73	public:
	74	DefaultStrategy(CephContext* const cct,
9f95a23c TL	75	ImplicitTenants& implicit_tenant_context,
	76	RGWCtl* const ctl)
	77	: ctl(ctl),
	78	implicit_tenant_context(implicit_tenant_context),
11fdf7f2 TL	79	web_token_engine(cct,
	80	static_cast<rgw::auth::TokenExtractor*>(this),
	81	static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) {
	82	/* When the constructor's body is being executed, all member engines
	83	* should be initialized. Thus, we can safely add them. */
	84	using Control = rgw::auth::Strategy::Control;
	85	add_engine(Control::SUFFICIENT, web_token_engine);
	86	}
	87
	88	const char* get_name() const noexcept override {
	89	return "rgw::auth::sts::DefaultStrategy";
	90	}
	91	};
	92
9f95a23c	93	} // namespace rgw::auth::sts
11fdf7f2 TL	94
	95	class RGWREST_STS : public RGWRESTOp {
	96	protected:
	97	STS::STSService sts;
	98	public:
	99	RGWREST_STS() = default;
	100	int verify_permission() override;
	101	void send_response() override;
	102	};
	103
	104	class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS {
	105	protected:
	106	string duration;
	107	string providerId;
	108	string policy;
	109	string roleArn;
	110	string roleSessionName;
	111	string sub;
	112	string aud;
	113	string iss;
	114	public:
	115	RGWSTSAssumeRoleWithWebIdentity() = default;
	116	void execute() override;
	117	int get_params();
	118	const char* name() const override { return "assume_role_web_identity"; }
	119	RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; }
	120	};
	121
	122	class RGWSTSAssumeRole : public RGWREST_STS {
	123	protected:
	124	string duration;
	125	string externalId;
	126	string policy;
	127	string roleArn;
	128	string roleSessionName;
	129	string serialNumber;
	130	string tokenCode;
	131	public:
	132	RGWSTSAssumeRole() = default;
	133	void execute() override;
	134	int get_params();
	135	const char* name() const override { return "assume_role"; }
	136	RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; }
	137	};
	138
	139	class RGWSTSGetSessionToken : public RGWREST_STS {
	140	protected:
	141	string duration;
	142	string serialNumber;
	143	string tokenCode;
	144	public:
	145	RGWSTSGetSessionToken() = default;
	146	void execute() override;
	147	int verify_permission() override;
	148	int get_params();
	149	const char* name() const override { return "get_session_token"; }
	150	RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
	151	};
	152
	153	class RGW_Auth_STS {
	154	public:
	155	static int authorize(const DoutPrefixProvider *dpp,
9f95a23c	156	rgw::sal::RGWRadosStore *store,
11fdf7f2 TL	157	const rgw::auth::StrategyRegistry& auth_registry,
	158	struct req_state *s);
	159	};
	160
	161	class RGWHandler_REST_STS : public RGWHandler_REST {
	162	const rgw::auth::StrategyRegistry& auth_registry;
eafe8130	163	const string& post_body;
11fdf7f2 TL	164	RGWOp *op_post() override;
	165	void rgw_sts_parse_input();
	166	public:
	167
	168	static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format);
	169
eafe8130	170	RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry, const string& post_body="")
11fdf7f2	171	: RGWHandler_REST(),
eafe8130 TL	172	auth_registry(auth_registry),
eafe8130 TL	173	post_body(post_body) {}
11fdf7f2 TL	174	~RGWHandler_REST_STS() override = default;
11fdf7f2 TL	175
9f95a23c	176	int init(rgw::sal::RGWRadosStore *store,
11fdf7f2 TL	177	struct req_state *s,
	178	rgw::io::BasicClient *cio) override;
	179	int authorize(const DoutPrefixProvider* dpp) override;
	180	int postauth_init() override { return 0; }
	181	};
	182
	183	class RGWRESTMgr_STS : public RGWRESTMgr {
	184	public:
	185	RGWRESTMgr_STS() = default;
	186	~RGWRESTMgr_STS() override = default;
	187
	188	RGWRESTMgr get_resource_mgr(struct req_state const s,
	189	const std::string& uri,
	190	std::string* const out_uri) override {
	191	return this;
	192	}
	193
	194	RGWHandler_REST* get_handler(struct req_state*,
	195	const rgw::auth::StrategyRegistry&,
	196	const std::string&) override;
	197	};