[ceph.git] / ceph / src / rgw / rgw_sts.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#pragma once

#include "rgw_role.h"
#include "rgw_auth.h"
#include "rgw_web_idp.h"

namespace STS {

class AssumeRoleRequestBase {
protected:
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  uint64_t MIN_DURATION_IN_SECS;
  uint64_t MAX_DURATION_IN_SECS;
  CephContext* cct;
  uint64_t duration;
  std::string err_msg;
  std::string iamPolicy;
  std::string roleArn;
  std::string roleSessionName;
public:
  AssumeRoleRequestBase(CephContext* cct,
                        const std::string& duration,
                        const std::string& iamPolicy,
                        const std::string& roleArn,
                        const std::string& roleSessionName);
  const std::string& getRoleARN() const { return roleArn; }
  const std::string& getRoleSessionName() const { return roleSessionName; }
  const std::string& getPolicy() const {return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  int validate_input(const DoutPrefixProvider *dpp) const;
};

class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  std::string providerId;
  std::string iamPolicy;
  std::string iss;
  std::string sub;
  std::string aud;
  std::vector<std::pair<std::string,std::string>> session_princ_tags;
public:
  AssumeRoleWithWebIdentityRequest( CephContext* cct,
                      const std::string& duration,
                      const std::string& providerId,
                      const std::string& iamPolicy,
                      const std::string& roleArn,
                      const std::string& roleSessionName,
                      const std::string& iss,
                      const std::string& sub,
                      const std::string& aud,
                      std::vector<std::pair<std::string,std::string>> session_princ_tags)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud), session_princ_tags(session_princ_tags) {}
  const std::string& getProviderId() const { return providerId; }
  const std::string& getIss() const { return iss; }
  const std::string& getAud() const { return aud; }
  const std::string& getSub() const { return sub; }
  const std::vector<std::pair<std::string,std::string>>& getPrincipalTags() const { return session_princ_tags; }
  int validate_input(const DoutPrefixProvider *dpp) const;
};

class AssumeRoleRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
  std::string externalId;
  std::string serialNumber;
  std::string tokenCode;
public:
  AssumeRoleRequest(CephContext* cct,
                    const std::string& duration,
                    const std::string& externalId,
                    const std::string& iamPolicy,
                    const std::string& roleArn,
                    const std::string& roleSessionName,
                    const std::string& serialNumber,
                    const std::string& tokenCode)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
  int validate_input(const DoutPrefixProvider *dpp) const;
};

class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  uint64_t duration;
  std::string serialNumber;
  std::string tokenCode;

public:
  GetSessionTokenRequest(const std::string& duration, const std::string& serialNumber, const std::string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};

class AssumedRoleUser {
  std::string arn;
  std::string assumeRoleId;
public:
  int generateAssumedRoleUser( CephContext* cct,
                                rgw::sal::Driver* driver,
                                const std::string& roleId,
                                const rgw::ARN& roleArn,
                                const std::string& roleSessionName);
  const std::string& getARN() const { return arn; }
  const std::string& getAssumeRoleId() const { return assumeRoleId; }
  void dump(Formatter *f) const;
};

struct SessionToken {
  std::string access_key_id;
  std::string secret_access_key;
  std::string expiration;
  std::string policy;
  std::string roleId;
  rgw_user user;
  std::string acct_name;
  uint32_t perm_mask;
  bool is_admin;
  uint32_t acct_type;
  std::string role_session;
  std::vector<std::string> token_claims;
  std::string issued_at;
  std::vector<std::pair<std::string,std::string>> principal_tags;

  SessionToken() {}

  void encode(bufferlist& bl) const {
    ENCODE_START(5, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);
    encode(token_claims, bl);
    encode(issued_at, bl);
    encode(principal_tags, bl);
    ENCODE_FINISH(bl);
  }

  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(5, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    if (struct_v >= 4) {
      decode(issued_at, bl);
    }
    if (struct_v >= 5) {
      decode(principal_tags, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)

class Credentials {
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;
  std::string accessKeyId;
  std::string expiration;
  std::string secretAccessKey;
  std::string sessionToken;
public:
  int generateCredentials(const DoutPrefixProvider *dpp,
                          CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<std::string>& policy,
                          const boost::optional<std::string>& roleId,
                          const boost::optional<std::string>& role_session,
                          const boost::optional<std::vector<std::string>>& token_claims,
                          const boost::optional<std::vector<std::pair<std::string,std::string>>>& session_princ_tags,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);
  const std::string& getAccessKeyId() const { return accessKeyId; }
  const std::string& getExpiration() const { return expiration; }
  const std::string& getSecretAccessKey() const { return secretAccessKey; }
  const std::string& getSessionToken() const { return sessionToken; }
  void dump(Formatter *f) const;
};

struct AssumeRoleResponse {
  int retCode;
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize;
};

struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  std::string aud;
  std::string providerId;
  std::string sub;
};

using AssumeRoleResponse = struct AssumeRoleResponse ;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;

class STSService {
  CephContext* cct;
  rgw::sal::Driver* driver;
  rgw_user user_id;
  std::unique_ptr<rgw::sal::RGWRole> role;
  rgw::auth::Identity* identity;
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::Driver* driver, rgw_user user_id,
	     rgw::auth::Identity* identity)
    : cct(cct), driver(driver), user_id(user_id), identity(identity) {}
  std::tuple<int, rgw::sal::RGWRole*> getRoleInfo(const DoutPrefixProvider *dpp, const std::string& arn, optional_yield y);
  AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
  GetSessionTokenResponse getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req);
};
}
Commit	Line	Data
11fdf7f2	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
11fdf7f2	3
1e59de90	4	#pragma once
11fdf7f2 TL	5
	6	#include "rgw_role.h"
	7	#include "rgw_auth.h"
	8	#include "rgw_web_idp.h"
	9
	10	namespace STS {
	11
	12	class AssumeRoleRequestBase {
	13	protected:
	14	static constexpr uint64_t MIN_POLICY_SIZE = 1;
	15	static constexpr uint64_t MAX_POLICY_SIZE = 2048;
	16	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
11fdf7f2 TL	17	static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
	18	static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
	19	static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
	20	static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
f67539c2	21	uint64_t MIN_DURATION_IN_SECS;
11fdf7f2	22	uint64_t MAX_DURATION_IN_SECS;
f67539c2	23	CephContext* cct;
11fdf7f2	24	uint64_t duration;
20effc67 TL	25	std::string err_msg;
	26	std::string iamPolicy;
	27	std::string roleArn;
	28	std::string roleSessionName;
11fdf7f2	29	public:
f67539c2	30	AssumeRoleRequestBase(CephContext* cct,
20effc67 TL	31	const std::string& duration,
	32	const std::string& iamPolicy,
	33	const std::string& roleArn,
	34	const std::string& roleSessionName);
	35	const std::string& getRoleARN() const { return roleArn; }
	36	const std::string& getRoleSessionName() const { return roleSessionName; }
	37	const std::string& getPolicy() const {return iamPolicy; }
11fdf7f2 TL	38	static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
	39	void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
	40	const uint64_t& getDuration() const { return duration; }
20effc67	41	int validate_input(const DoutPrefixProvider *dpp) const;
11fdf7f2 TL	42	};
	43
	44	class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
	45	static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
	46	static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
20effc67 TL	47	std::string providerId;
	48	std::string iamPolicy;
	49	std::string iss;
	50	std::string sub;
	51	std::string aud;
	52	std::vector<std::pair<std::string,std::string>> session_princ_tags;
11fdf7f2	53	public:
f67539c2	54	AssumeRoleWithWebIdentityRequest( CephContext* cct,
20effc67 TL	55	const std::string& duration,
	56	const std::string& providerId,
	57	const std::string& iamPolicy,
	58	const std::string& roleArn,
	59	const std::string& roleSessionName,
	60	const std::string& iss,
	61	const std::string& sub,
	62	const std::string& aud,
	63	std::vector<std::pair<std::string,std::string>> session_princ_tags)
f67539c2	64	: AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
20effc67 TL	65	providerId(providerId), iss(iss), sub(sub), aud(aud), session_princ_tags(session_princ_tags) {}
	66	const std::string& getProviderId() const { return providerId; }
	67	const std::string& getIss() const { return iss; }
	68	const std::string& getAud() const { return aud; }
	69	const std::string& getSub() const { return sub; }
	70	const std::vector<std::pair<std::string,std::string>>& getPrincipalTags() const { return session_princ_tags; }
	71	int validate_input(const DoutPrefixProvider *dpp) const;
11fdf7f2 TL	72	};
	73
	74	class AssumeRoleRequest : public AssumeRoleRequestBase {
	75	static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
	76	static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
	77	static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
	78	static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
	79	static constexpr uint64_t TOKEN_CODE_SIZE = 6;
20effc67 TL	80	std::string externalId;
	81	std::string serialNumber;
	82	std::string tokenCode;
11fdf7f2	83	public:
f67539c2	84	AssumeRoleRequest(CephContext* cct,
20effc67 TL	85	const std::string& duration,
	86	const std::string& externalId,
	87	const std::string& iamPolicy,
	88	const std::string& roleArn,
	89	const std::string& roleSessionName,
	90	const std::string& serialNumber,
	91	const std::string& tokenCode)
f67539c2	92	: AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
11fdf7f2	93	externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
20effc67	94	int validate_input(const DoutPrefixProvider *dpp) const;
11fdf7f2 TL	95	};
	96
	97	class GetSessionTokenRequest {
	98	protected:
	99	static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
	100	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
	101	uint64_t duration;
20effc67 TL	102	std::string serialNumber;
20effc67 TL	103	std::string tokenCode;
11fdf7f2 TL	104
11fdf7f2 TL	105	public:
20effc67	106	GetSessionTokenRequest(const std::string& duration, const std::string& serialNumber, const std::string& tokenCode);
11fdf7f2 TL	107
	108	const uint64_t& getDuration() const { return duration; }
	109	static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
	110	};
	111
	112	class AssumedRoleUser {
20effc67 TL	113	std::string arn;
20effc67 TL	114	std::string assumeRoleId;
11fdf7f2 TL	115	public:
11fdf7f2 TL	116	int generateAssumedRoleUser( CephContext* cct,
1e59de90	117	rgw::sal::Driver* driver,
20effc67	118	const std::string& roleId,
eafe8130	119	const rgw::ARN& roleArn,
20effc67 TL	120	const std::string& roleSessionName);
	121	const std::string& getARN() const { return arn; }
	122	const std::string& getAssumeRoleId() const { return assumeRoleId; }
11fdf7f2 TL	123	void dump(Formatter *f) const;
	124	};
	125
	126	struct SessionToken {
20effc67 TL	127	std::string access_key_id;
	128	std::string secret_access_key;
	129	std::string expiration;
	130	std::string policy;
	131	std::string roleId;
11fdf7f2	132	rgw_user user;
20effc67	133	std::string acct_name;
11fdf7f2 TL	134	uint32_t perm_mask;
	135	bool is_admin;
	136	uint32_t acct_type;
20effc67 TL	137	std::string role_session;
	138	std::vector<std::string> token_claims;
	139	std::string issued_at;
	140	std::vector<std::pair<std::string,std::string>> principal_tags;
11fdf7f2 TL	141
	142	SessionToken() {}
	143
	144	void encode(bufferlist& bl) const {
20effc67	145	ENCODE_START(5, 1, bl);
11fdf7f2 TL	146	encode(access_key_id, bl);
	147	encode(secret_access_key, bl);
	148	encode(expiration, bl);
	149	encode(policy, bl);
	150	encode(roleId, bl);
	151	encode(user, bl);
	152	encode(acct_name, bl);
	153	encode(perm_mask, bl);
	154	encode(is_admin, bl);
	155	encode(acct_type, bl);
f91f0fd5	156	encode(role_session, bl);
adb31ebb	157	encode(token_claims, bl);
f67539c2	158	encode(issued_at, bl);
20effc67	159	encode(principal_tags, bl);
11fdf7f2 TL	160	ENCODE_FINISH(bl);
	161	}
	162
	163	void decode(bufferlist::const_iterator& bl) {
20effc67	164	DECODE_START(5, bl);
11fdf7f2 TL	165	decode(access_key_id, bl);
	166	decode(secret_access_key, bl);
	167	decode(expiration, bl);
	168	decode(policy, bl);
	169	decode(roleId, bl);
	170	decode(user, bl);
	171	decode(acct_name, bl);
	172	decode(perm_mask, bl);
	173	decode(is_admin, bl);
	174	decode(acct_type, bl);
f91f0fd5 TL	175	if (struct_v >= 2) {
	176	decode(role_session, bl);
	177	}
adb31ebb TL	178	if (struct_v >= 3) {
	179	decode(token_claims, bl);
	180	}
f67539c2 TL	181	if (struct_v >= 4) {
	182	decode(issued_at, bl);
	183	}
20effc67 TL	184	if (struct_v >= 5) {
	185	decode(principal_tags, bl);
	186	}
11fdf7f2 TL	187	DECODE_FINISH(bl);
	188	}
	189	};
	190	WRITE_CLASS_ENCODER(SessionToken)
	191
	192	class Credentials {
	193	static constexpr int MAX_ACCESS_KEY_LEN = 20;
	194	static constexpr int MAX_SECRET_KEY_LEN = 40;
20effc67 TL	195	std::string accessKeyId;
	196	std::string expiration;
	197	std::string secretAccessKey;
	198	std::string sessionToken;
11fdf7f2	199	public:
20effc67 TL	200	int generateCredentials(const DoutPrefixProvider *dpp,
20effc67 TL	201	CephContext* cct,
11fdf7f2	202	const uint64_t& duration,
20effc67 TL	203	const boost::optional<std::string>& policy,
	204	const boost::optional<std::string>& roleId,
	205	const boost::optional<std::string>& role_session,
	206	const boost::optional<std::vector<std::string>>& token_claims,
	207	const boost::optional<std::vector<std::pair<std::string,std::string>>>& session_princ_tags,
11fdf7f2 TL	208	boost::optional<rgw_user> user,
11fdf7f2 TL	209	rgw::auth::Identity* identity);
20effc67 TL	210	const std::string& getAccessKeyId() const { return accessKeyId; }
	211	const std::string& getExpiration() const { return expiration; }
	212	const std::string& getSecretAccessKey() const { return secretAccessKey; }
	213	const std::string& getSessionToken() const { return sessionToken; }
11fdf7f2 TL	214	void dump(Formatter *f) const;
	215	};
	216
	217	struct AssumeRoleResponse {
	218	int retCode;
	219	AssumedRoleUser user;
	220	Credentials creds;
	221	uint64_t packedPolicySize;
	222	};
	223
	224	struct AssumeRoleWithWebIdentityResponse {
	225	AssumeRoleResponse assumeRoleResp;
20effc67 TL	226	std::string aud;
	227	std::string providerId;
	228	std::string sub;
11fdf7f2 TL	229	};
	230
	231	using AssumeRoleResponse = struct AssumeRoleResponse ;
	232	using GetSessionTokenResponse = std::tuple<int, Credentials>;
	233	using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
	234
	235	class STSService {
	236	CephContext* cct;
1e59de90	237	rgw::sal::Driver* driver;
11fdf7f2	238	rgw_user user_id;
20effc67	239	std::unique_ptr<rgw::sal::RGWRole> role;
11fdf7f2	240	rgw::auth::Identity* identity;
11fdf7f2 TL	241	public:
11fdf7f2 TL	242	STSService() = default;
1e59de90	243	STSService(CephContext* cct, rgw::sal::Driver* driver, rgw_user user_id,
f67539c2	244	rgw::auth::Identity* identity)
1e59de90	245	: cct(cct), driver(driver), user_id(user_id), identity(identity) {}
20effc67	246	std::tuple<int, rgw::sal::RGWRole> getRoleInfo(const DoutPrefixProvider dpp, const std::string& arn, optional_yield y);
b3b6e05e	247	AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
20effc67 TL	248	GetSessionTokenResponse getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req);
20effc67 TL	249	AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req);
11fdf7f2 TL	250	};
11fdf7f2 TL	251	}