11fdf7f2 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
11fdf7f2 | 3 | |
1e59de90 | 4 | #pragma once |
5 | |
#include <utility>

#include "rgw_role.h"
#include "rgw_auth.h"
#include "rgw_web_idp.h"
9 | ||
10 | namespace STS { | |
11 | ||
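// Fields shared by the AssumeRole-style requests (AssumeRole and
// AssumeRoleWithWebIdentity): the target role, the session name, an optional
// inline policy and the requested credential lifetime.
class AssumeRoleRequestBase {
protected:
  // Size bounds for the request fields. validate_input() is defined out of
  // line; presumably that is where these are enforced.
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  // Per-request duration bounds (the maximum can be replaced via
  // setMaxDuration()). Zero-initialised so that a request never carries
  // indeterminate bounds if the out-of-line constructor leaves them unset.
  uint64_t MIN_DURATION_IN_SECS{0};
  uint64_t MAX_DURATION_IN_SECS{0};
  CephContext* cct{nullptr};  // non-owning; never deleted by this class
  uint64_t duration{0};       // parsed lifetime, seconds
  std::string err_msg;
  std::string iamPolicy;
  std::string roleArn;
  std::string roleSessionName;
public:
  // All parameters arrive as strings (straight from the request); `duration`
  // is converted to the numeric member by the out-of-line constructor.
  AssumeRoleRequestBase(CephContext* cct,
                        const std::string& duration,
                        const std::string& iamPolicy,
                        const std::string& roleArn,
                        const std::string& roleSessionName);

  const std::string& getRoleARN() const { return roleArn; }
  const std::string& getRoleSessionName() const { return roleSessionName; }
  const std::string& getPolicy() const { return iamPolicy; }
  // Returns a reference to the class-wide constant (inline in C++17, so the
  // reference is well-formed).
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }

  // Checks the fields above against the bounds; defined out of line.
  // Returns an int status (0 presumably meaning success — confirm in the
  // definition).
  int validate_input(const DoutPrefixProvider *dpp) const;
};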
43 | ||
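// AssumeRole request backed by a web-identity token: adds the provider id
// and the token's issuer/subject/audience claims plus principal tags.
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  // Bounds for providerId; validate_input() (out of line) presumably
  // applies them.
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  std::string providerId;
  // NOTE: the policy lives in AssumeRoleRequestBase (getPolicy()). A second
  // `iamPolicy` member used to be declared here, shadowing the base one and
  // never initialised; it has been removed so there is a single source of
  // truth for the policy.
  std::string iss;
  std::string sub;
  std::string aud;
  // (key, value) session tags taken from the token.
  std::vector<std::pair<std::string,std::string>> session_princ_tags;
public:
  AssumeRoleWithWebIdentityRequest(CephContext* cct,
                                   const std::string& duration,
                                   const std::string& providerId,
                                   const std::string& iamPolicy,
                                   const std::string& roleArn,
                                   const std::string& roleSessionName,
                                   const std::string& iss,
                                   const std::string& sub,
                                   const std::string& aud,
                                   std::vector<std::pair<std::string,std::string>> session_princ_tags)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud),
      // by-value sink parameter: move instead of copying the tag vector
      session_princ_tags(std::move(session_princ_tags)) {}

  const std::string& getProviderId() const { return providerId; }
  const std::string& getIss() const { return iss; }
  const std::string& getAud() const { return aud; }
  const std::string& getSub() const { return sub; }
  const std::vector<std::pair<std::string,std::string>>& getPrincipalTags() const { return session_princ_tags; }

  // Validates the web-identity specific fields (and, presumably, the base
  // fields); defined out of line. Hides, not overrides, the base method.
  int validate_input(const DoutPrefixProvider *dpp) const;
};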
73 | ||
// Plain AssumeRole request: the base fields plus an external id and the
// serial number / token code pair.
class AssumeRoleRequest : public AssumeRoleRequestBase {
  // Size limits for the AssumeRole-only fields; validate_input() is defined
  // out of line and presumably enforces them.
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;

  std::string externalId;
  // serialNumber/tokenCode follow the AWS STS parameter names; presumably
  // the MFA device serial and its one-time code — confirm in the caller.
  std::string serialNumber;
  std::string tokenCode;

public:
  AssumeRoleRequest(CephContext* cct,
                    const std::string& duration,
                    const std::string& externalId,
                    const std::string& iamPolicy,
                    const std::string& roleArn,
                    const std::string& roleSessionName,
                    const std::string& serialNumber,
                    const std::string& tokenCode)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId),
      serialNumber(serialNumber),
      tokenCode(tokenCode)
  {
  }

  // Defined out of line; hides the base-class method of the same name.
  int validate_input(const DoutPrefixProvider *dpp) const;
};
96 | ||
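// GetSessionToken request: only a lifetime and the serial number / token
// code pair; no role is involved.
class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  // Zero-initialised so a lifetime is never indeterminate if the out-of-line
  // constructor does not set it.
  uint64_t duration{0};
  std::string serialNumber;
  std::string tokenCode;

public:
  // `duration` arrives as a request string; the out-of-line constructor
  // converts it into the numeric member.
  GetSessionTokenRequest(const std::string& duration, const std::string& serialNumber, const std::string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};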
111 | ||
// The "AssumedRoleUser" element of an AssumeRole response: the session's ARN
// and the assumed-role id.
class AssumedRoleUser {
  std::string arn;
  std::string assumeRoleId;

public:
  // Fills `arn` and `assumeRoleId` for the given role/session; defined out
  // of line. Returns an int status.
  int generateAssumedRoleUser(CephContext* cct,
                              rgw::sal::Driver* driver,
                              const std::string& roleId,
                              const rgw::ARN& roleArn,
                              const std::string& roleSessionName);

  const std::string& getARN() const
  {
    return arn;
  }

  const std::string& getAssumeRoleId() const
  {
    return assumeRoleId;
  }

  // Serialises the object through the Formatter; defined out of line.
  void dump(Formatter *f) const;
};
125 | ||
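// Payload of the session token handed back with temporary credentials.
// Everything below, including the secret key and the privilege fields, is
// serialised by encode(); whatever wraps the encoded blob is responsible for
// protecting it — this struct does not.
struct SessionToken {
  std::string access_key_id;
  std::string secret_access_key;  // sensitive
  std::string expiration;
  std::string policy;
  std::string roleId;
  rgw_user user;
  std::string acct_name;
  // Privilege-bearing fields. Initialised to the least-privileged values so a
  // default-constructed token never carries indeterminate permissions
  // (the previous user-written constructor left them uninitialised).
  uint32_t perm_mask{0};
  bool is_admin{false};
  uint32_t acct_type{0};
  std::string role_session;
  std::vector<std::string> token_claims;
  std::string issued_at;
  std::vector<std::pair<std::string,std::string>> principal_tags;

  SessionToken() = default;

  // Encoding version 5, compat version 1. Fields introduced after v1 are
  // appended in version order so that decode() can stop early on older blobs.
  void encode(bufferlist& bl) const {
    ENCODE_START(5, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);   // v2
    encode(token_claims, bl);   // v3
    encode(issued_at, bl);      // v4
    encode(principal_tags, bl); // v5
    ENCODE_FINISH(bl);
  }

  // Mirror of encode(). Fields that a blob's version predates are left at
  // their default (empty) values.
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(5, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    if (struct_v >= 4) {
      decode(issued_at, bl);
    }
    if (struct_v >= 5) {
      decode(principal_tags, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)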
191 | ||
// Temporary credential set returned to the caller: access key id, secret
// key, expiration and the opaque session token. Holds secret material.
class Credentials {
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;

  std::string accessKeyId;
  std::string expiration;
  std::string secretAccessKey;  // sensitive
  std::string sessionToken;     // sensitive

public:
  // Populates the four members for the given lifetime and optional policy /
  // role / session inputs; defined out of line. Returns an int status.
  // `identity` is a raw pointer: non-owning, never deleted here.
  int generateCredentials(const DoutPrefixProvider *dpp,
                          CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<std::string>& policy,
                          const boost::optional<std::string>& roleId,
                          const boost::optional<std::string>& role_session,
                          const boost::optional<std::vector<std::string>>& token_claims,
                          const boost::optional<std::vector<std::pair<std::string,std::string>>>& session_princ_tags,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);

  const std::string& getAccessKeyId() const
  {
    return accessKeyId;
  }

  const std::string& getExpiration() const
  {
    return expiration;
  }

  const std::string& getSecretAccessKey() const
  {
    return secretAccessKey;
  }

  const std::string& getSessionToken() const
  {
    return sessionToken;
  }

  // Serialises the credentials through the Formatter; defined out of line.
  void dump(Formatter *f) const;
};
216 | ||
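// Result of an AssumeRole call. Remains an aggregate: the default member
// initialisers only guarantee that a partially-initialised response has a
// defined status and size instead of indeterminate values.
struct AssumeRoleResponse {
  int retCode{0};
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize{0};
};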
223 | ||
// Result of an AssumeRoleWithWebIdentity call: the plain AssumeRole result
// plus the audience, provider id and subject echoed from the request.
struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  std::string        aud;
  std::string        providerId;
  std::string        sub;
};
230 | ||
// The two `struct X` aliases are redundant in C++ (the struct name is already
// a type name) and are kept for symmetry with GetSessionTokenResponse, which
// is a (status, credentials) tuple.
using AssumeRoleResponse = struct AssumeRoleResponse ;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
234 | ||
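// Entry point for the STS operations. The raw pointers are non-owning: the
// class never deletes them, and they are null-initialised so the defaulted
// constructor does not leave them indeterminate.
class STSService {
  CephContext* cct{nullptr};
  rgw::sal::Driver* driver{nullptr};
  rgw_user user_id;
  std::unique_ptr<rgw::sal::RGWRole> role;
  rgw::auth::Identity* identity{nullptr};
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::Driver* driver, rgw_user user_id,
             rgw::auth::Identity* identity)
    : cct(cct), driver(driver), user_id(std::move(user_id)), identity(identity) {}

  // Looks up the role named by `arn`; defined out of line. The returned
  // pointer is non-owning (presumably into `role`) — confirm in the
  // definition before storing it.
  std::tuple<int, rgw::sal::RGWRole*> getRoleInfo(const DoutPrefixProvider *dpp, const std::string& arn, optional_yield y);
  AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
  GetSessionTokenResponse getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req);
};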
251 | } |