11fdf7f2 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
3 | |
4 | #ifndef CEPH_RGW_STS_H | |
5 | #define CEPH_RGW_STS_H | |
6 | ||
7 | #include "rgw_role.h" | |
8 | #include "rgw_auth.h" | |
9 | #include "rgw_web_idp.h" | |
10 | ||
11 | namespace STS { | |
12 | ||
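/// Fields and validation limits shared by every AssumeRole* request.
///
/// Holds the caller-supplied role ARN, session name, inline session policy
/// and requested session lifetime. The size/duration bounds below are the
/// limits validate_input() (defined out of line) is expected to enforce;
/// the upper duration bound is per-role and is injected through
/// setMaxDuration() rather than being a compile-time constant.
class AssumeRoleRequestBase {
protected:
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  // Both counters are zero-initialized so that a request which is examined
  // before setMaxDuration() runs, or whose out-of-line constructor does not
  // assign `duration` on every path, compares against a defined value
  // rather than indeterminate memory.
  uint64_t MAX_DURATION_IN_SECS = 0;
  uint64_t duration = 0;
  string err_msg;          // presumably filled by validation on failure — confirm in the .cc
  string iamPolicy;        // inline session policy exactly as supplied by the caller
  string roleArn;
  string roleSessionName;
public:
  /// @param duration requested session lifetime in seconds, passed as the
  ///        raw request string; the out-of-line constructor is responsible
  ///        for converting it into `duration`.
  AssumeRoleRequestBase(const string& duration,
                        const string& iamPolicy,
                        const string& roleArn,
                        const string& roleSessionName);
  const string& getRoleARN() const { return roleArn; }
  const string& getRoleSessionName() const { return roleSessionName; }
  const string& getPolicy() const { return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  /// Installs the role-specific upper bound that `duration` is presumably
  /// checked against by validate_input().
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  /// Checks the request fields against the limits above. Defined out of
  /// line; returns an int status (confirm the exact convention against the
  /// implementation).
  int validate_input() const;
};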
42 | ||
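/// AssumeRole request authenticated with a web-identity token.
///
/// Adds the provider id and the token claims named as in JWT (iss, sub,
/// aud) on top of the common AssumeRoleRequestBase fields.
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  // NOTE: this class previously declared its own `string iamPolicy`, which
  // shadowed AssumeRoleRequestBase::iamPolicy and was never initialized
  // (the constructor forwards the policy to the base only). It has been
  // removed so that any use of `iamPolicy` in this class's out-of-line
  // methods resolves to the base member that actually holds the caller's
  // policy instead of a permanently empty string.
  string providerId;
  string iss;
  string sub;
  string aud;
public:
  AssumeRoleWithWebIdentityRequest(const string& duration,
                                   const string& providerId,
                                   const string& iamPolicy,
                                   const string& roleArn,
                                   const string& roleSessionName,
                                   const string& iss,
                                   const string& sub,
                                   const string& aud)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const string& getProviderId() const { return providerId; }
  const string& getIss() const { return iss; }
  const string& getAud() const { return aud; }
  const string& getSub() const { return sub; }
  /// Validates the provider id against MIN/MAX_PROVIDER_ID_LEN (and,
  /// presumably, the base fields); defined out of line, returns an int
  /// status.
  int validate_input() const;
};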
68 | ||
/// Plain AssumeRole request: the common fields plus an external id and a
/// serial number / token code pair.
class AssumeRoleRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;   // single size, no min/max pair

  string externalId;
  string serialNumber;  // presumably an MFA device serial — confirm in validate_input()
  string tokenCode;     // presumably a one-time MFA code — confirm in validate_input()

public:
  AssumeRoleRequest(const string& duration,
                    const string& externalId,
                    const string& iamPolicy,
                    const string& roleArn,
                    const string& roleSessionName,
                    const string& serialNumber,
                    const string& tokenCode)
      : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
        externalId(externalId),
        serialNumber(serialNumber),
        tokenCode(tokenCode) {}

  /// Checks externalId / serialNumber / tokenCode against the limits above;
  /// implemented out of line, returns an int status.
  int validate_input() const;
};
90 | ||
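/// Request for a session token for the calling user (no role is named),
/// optionally carrying a serial number / token code pair.
class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  // Zero-initialized so the value is defined even if the out-of-line
  // constructor does not assign it on every path.
  uint64_t duration = 0;
  string serialNumber;
  string tokenCode;

public:
  /// @param duration requested lifetime in seconds as the raw request
  ///        string; conversion happens in the out-of-line constructor.
  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};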
105 | ||
/// The AssumedRoleUser element of an AssumeRole response: the ARN of the
/// assumed-role session and the assumed-role id.
class AssumedRoleUser {
  string arn;
  string assumeRoleId;

public:
  /// Fills `arn` and `assumeRoleId` from the role and session name
  /// (presumably — the implementation is out of line); returns an int
  /// status.
  int generateAssumedRoleUser(CephContext* cct,
                              rgw::sal::RGWRadosStore* store,
                              const string& roleId,
                              const rgw::ARN& roleArn,
                              const string& roleSessionName);
  const string& getARN() const { return arn; }
  const string& getAssumeRoleId() const { return assumeRoleId; }
  /// Serializes this object through `f`; implemented out of line.
  void dump(Formatter* f) const;
};
119 | ||
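/// Everything packed into the session token handed back to the client: the
/// temporary credentials, the policy/role they are bound to and the
/// identity attributes (perm_mask, is_admin, acct_type, ...) presumably
/// trusted when the token is presented again.
///
/// NOTE(review): decode() restores perm_mask, is_admin and acct_type verbatim
/// and performs no integrity check of its own; whatever seals the encoded
/// bytes before they leave the gateway must provide that — confirm before
/// relying on these fields.
struct SessionToken {
  string access_key_id;
  string secret_access_key;
  string expiration;
  string policy;
  string roleId;
  rgw_user user;
  string acct_name;
  // Definite defaults so a default-constructed token never encodes
  // indeterminate bytes; in particular is_admin starts out false.
  uint32_t perm_mask = 0;
  bool is_admin = false;
  uint32_t acct_type = 0;
  string role_session;              // present from struct version 2
  std::vector<string> token_claims; // present from struct version 3

  SessionToken() = default;

  /// Encodes as struct version 3 (compat version 1), all fields in
  /// declaration order.
  void encode(bufferlist& bl) const {
    ENCODE_START(3, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);
    encode(token_claims, bl);
    ENCODE_FINISH(bl);
  }

  /// Decodes struct versions 1 through 3; fields the encoder's version did
  /// not carry keep their defaults (empty).
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(3, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)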
175 | ||
/// Temporary credentials produced by the STS operations: access key id,
/// secret key, expiration and the opaque session token.
class Credentials {
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;

  string accessKeyId;
  string expiration;
  string secretAccessKey;
  string sessionToken;

public:
  /// Produces a fresh credential set valid for `duration` seconds;
  /// implemented out of line, returns an int status.
  /// NOTE(review): `token_claims` is taken by value (copying the optional
  /// vector) unlike the neighbouring optionals; switching it to a const
  /// reference has to be done together with the definition in the .cc.
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<string>& policy,
                          const boost::optional<string>& roleId,
                          const boost::optional<string>& role_session,
                          const boost::optional<std::vector<string> > token_claims,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);

  const string& getAccessKeyId() const { return accessKeyId; }
  const string& getExpiration() const { return expiration; }
  const string& getSecretAccessKey() const { return secretAccessKey; }
  const string& getSessionToken() const { return sessionToken; }
  /// Serializes this object through `f`; implemented out of line.
  void dump(Formatter* f) const;
};
198 | ||
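/// Result of STSService::assumeRole(). The scalar members carry default
/// initializers so a response declared as `AssumeRoleResponse r;` and
/// returned early never exposes indeterminate values; brace/aggregate
/// initialization by existing callers is unaffected.
struct AssumeRoleResponse {
  int retCode = 0;
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize = 0;
};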
205 | ||
/// Result of STSService::assumeRoleWithWebIdentity(): the plain AssumeRole
/// result plus the audience, provider id and subject (presumably echoed
/// from the request's token claims).
struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  string aud;
  string providerId;
  string sub;
};
212 | ||
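// AssumeRoleResponse and AssumeRoleWithWebIdentityResponse are used by their
// struct names directly; the former `using X = struct X;` self-aliases were
// no-ops and have been dropped. GetSessionToken has no dedicated struct: its
// result is a (status, credentials) pair.
using GetSessionTokenResponse = std::tuple<int, Credentials>;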
216 | ||
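/// Entry point for the STS operations (AssumeRole, GetSessionToken,
/// AssumeRoleWithWebIdentity) on behalf of one authenticated identity.
///
/// Pointer members are non-owning and default to nullptr so that a
/// default-constructed service (permitted by the defaulted constructor)
/// holds null rather than indeterminate pointers.
class STSService {
  CephContext* cct = nullptr;
  rgw::sal::RGWRadosStore* store = nullptr;
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity = nullptr;
  int storeARN(string& arn);
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::RGWRadosStore* store, rgw_user user_id, rgw::auth::Identity* identity)
    : cct(cct), store(store), user_id(user_id), identity(identity) {}
  /// Looks up the role named by `arn`; returns (status, role).
  std::tuple<int, RGWRole> getRoleInfo(const string& arn);
  AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};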
232 | } | |
233 | #endif /* CEPH_RGW_STS_H */ | |