1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | ||
4 | #ifndef CEPH_RGW_STS_H | |
5 | #define CEPH_RGW_STS_H | |
6 | ||
#include <cstdint>
#include <string>
#include <tuple>
#include <utility>

#include "rgw_role.h"
#include "rgw_auth.h"
#include "rgw_web_idp.h"
10 | ||
11 | namespace STS { | |
12 | ||
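/**
 * Fields shared by the AssumeRole* STS requests: session duration, optional
 * session policy document, role ARN and role session name.
 *
 * The static limits below are the bounds validate_input() is expected to
 * enforce (its definition is out of line). MAX_DURATION_IN_SECS is not a
 * constant: it is supplied per request through setMaxDuration().
 */
class AssumeRoleRequestBase {
protected:
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  // Zero until setMaxDuration() is called, so any check that compares the
  // requested duration against it fails closed instead of reading an
  // indeterminate value.
  uint64_t MAX_DURATION_IN_SECS{0};
  uint64_t duration{0};
  std::string iamPolicy;
  std::string roleArn;
  std::string roleSessionName;
public:
  /// @param duration        requested session duration as the raw request
  ///                        string; the out-of-line constructor is expected
  ///                        to convert it into `duration`
  /// @param iamPolicy       optional session policy document
  /// @param roleArn         ARN of the role to assume
  /// @param roleSessionName caller-chosen session identifier
  AssumeRoleRequestBase(const std::string& duration,
                        const std::string& iamPolicy,
                        const std::string& roleArn,
                        const std::string& roleSessionName);
  const std::string& getRoleARN() const { return roleArn; }
  const std::string& getRoleSessionName() const { return roleSessionName; }
  const std::string& getPolicy() const { return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  /// Sets the per-request upper bound for the session duration.
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  /// Checks the request fields against the limits above; defined out of
  /// line, see there for the return codes.
  int validate_input() const;
};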
41 | ||
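/**
 * AssumeRoleWithWebIdentity request: the base request fields plus the
 * identity provider id and the iss/sub/aud values (presumably the claims of
 * the presented web identity token).
 *
 * The session policy is stored and exposed by the base class (getPolicy());
 * it must not be redeclared here — a derived `iamPolicy` member would shadow
 * the base one while never being initialized by this constructor.
 */
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  // Bounds expected to be enforced by validate_input().
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  std::string providerId;
  std::string iss;
  std::string sub;
  std::string aud;
public:
  AssumeRoleWithWebIdentityRequest(const std::string& duration,
                                   const std::string& providerId,
                                   const std::string& iamPolicy,
                                   const std::string& roleArn,
                                   const std::string& roleSessionName,
                                   const std::string& iss,
                                   const std::string& sub,
                                   const std::string& aud)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const std::string& getProviderId() const { return providerId; }
  const std::string& getIss() const { return iss; }
  const std::string& getAud() const { return aud; }
  const std::string& getSub() const { return sub; }
  /// Validates the provider id and claim fields; defined out of line.
  int validate_input() const;
};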
67 | ||
/// AssumeRole request: the base request fields plus an external id and a
/// serial number / token code pair (presumably for MFA).
class AssumeRoleRequest : public AssumeRoleRequestBase {
public:
  AssumeRoleRequest(const std::string& duration,
                    const std::string& externalId,
                    const std::string& iamPolicy,
                    const std::string& roleArn,
                    const std::string& roleSessionName,
                    const std::string& serialNumber,
                    const std::string& tokenCode)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId),
      serialNumber(serialNumber),
      tokenCode(tokenCode) {}

  /// Checks the fields below against the size bounds; defined out of line.
  int validate_input() const;

private:
  // Bounds expected to be enforced by validate_input().
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
  std::string externalId;
  std::string serialNumber;
  std::string tokenCode;
};
89 | ||
/// GetSessionToken request: the requested duration plus a serial number /
/// token code pair (presumably for MFA). The constructor is defined out of
/// line and is expected to turn the duration string into `duration`.
class GetSessionTokenRequest {
public:
  GetSessionTokenRequest(const std::string& duration,
                         const std::string& serialNumber,
                         const std::string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }

protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  uint64_t duration;
  std::string serialNumber;
  std::string tokenCode;
};
104 | ||
/// The AssumedRoleUser part of an AssumeRole response: the ARN of the
/// assumed-role user and the assumed-role id.
class AssumedRoleUser {
public:
  /// Fills `arn` and `assumeRoleId` for the given role and session name;
  /// defined out of line.
  int generateAssumedRoleUser(CephContext* cct,
                              RGWRados* store,
                              const std::string& roleId,
                              const rgw::IAM::ARN& roleArn,
                              const std::string& roleSessionName);
  const std::string& getARN() const { return arn; }
  const std::string& getAssumeRoleId() const { return assumeRoleId; }
  /// Writes both fields to the formatter; defined out of line.
  void dump(Formatter* f) const;

private:
  std::string arn;
  std::string assumeRoleId;
};
118 | ||
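/**
 * Payload serialized into an STS session token.
 *
 * Carries the access key id, the secret access key, the expiration, the
 * session policy, the role id, the owning user/account and the permission
 * data (perm_mask, is_admin, acct_type). encode()/decode() serialize every
 * field, including the secret. NOTE(review): confirm that the encoded blob is
 * encrypted and integrity-protected before it is handed to a client, and that
 * decode() is only run on a blob that has passed that check.
 */
struct SessionToken {
  std::string access_key_id;
  std::string secret_access_key;
  std::string expiration;
  std::string policy;
  std::string roleId;
  rgw_user user;
  std::string acct_name;
  // Scalar fields are value-initialized so that a default-constructed token
  // never carries an indeterminate permission mask or admin flag.
  uint32_t perm_mask{0};
  bool is_admin{false};
  uint32_t acct_type{0};

  SessionToken() {}

  /// Serializes all fields, in declaration order, as encoding version 1.
  void encode(bufferlist& bl) const {
    ENCODE_START(1, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    ENCODE_FINISH(bl);
  }

  /// Reads the fields back in the order encode() wrote them.
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(1, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)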
164 | ||
/// Temporary credentials returned by the STS operations: access key id,
/// secret access key, session token and expiration. They are produced by
/// generateCredentials(), which is defined out of line.
class Credentials {
public:
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<std::string>& policy,
                          const boost::optional<std::string>& roleId,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);
  const std::string& getAccessKeyId() const { return accessKeyId; }
  const std::string& getExpiration() const { return expiration; }
  const std::string& getSecretAccessKey() const { return secretAccessKey; }
  const std::string& getSessionToken() const { return sessionToken; }
  /// Writes the credential fields to the formatter; defined out of line.
  void dump(Formatter* f) const;

private:
  // Upper bounds on the generated key lengths (presumably used by
  // generateCredentials()).
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;
  std::string accessKeyId;
  std::string expiration;
  std::string secretAccessKey;
  std::string sessionToken;
};
185 | ||
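/// Result of STSService::assumeRole(). `retCode` and `packedPolicySize` are
/// zero-initialized so a default-constructed response never carries
/// indeterminate values.
struct AssumeRoleResponse {
  int retCode{0};
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize{0};
};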
192 | ||
/// Result of STSService::assumeRoleWithWebIdentity(): the plain AssumeRole
/// result together with the aud, providerId and sub values (presumably
/// copied from the request).
struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  std::string aud;
  std::string providerId;
  std::string sub;
};
199 | ||
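// AssumeRoleResponse and AssumeRoleWithWebIdentityResponse are the structs
// defined above and are used under their own names; only the session-token
// result is a tuple and needs an alias.
using GetSessionTokenResponse = std::tuple<int, Credentials>;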
203 | ||
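/**
 * Front end for the STS operations: AssumeRole, GetSessionToken and
 * AssumeRoleWithWebIdentity.
 *
 * `cct`, `store` and `identity` are non-owning and default to nullptr, so a
 * default-constructed service cannot dereference an indeterminate pointer;
 * the four-argument constructor is the one that wires the service up.
 */
class STSService {
  CephContext* cct{nullptr};
  RGWRados* store{nullptr};
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity{nullptr};
  int storeARN(std::string& arn);
public:
  STSService() = default;
  STSService(CephContext* cct, RGWRados* store, rgw_user user_id,
             rgw::auth::Identity* identity)
    : cct(cct), store(store), user_id(std::move(user_id)), identity(identity) {}
  /// Resolves `arn` to a role; returns a status code and the role. Defined
  /// out of line.
  std::tuple<int, RGWRole> getRoleInfo(const std::string& arn);
  AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};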
219 | } | |
220 | #endif /* CEPH_RGW_STS_H */ | |