[ceph.git] / ceph / src / rgw / rgw_sts.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#ifndef CEPH_RGW_STS_H
#define CEPH_RGW_STS_H

#include "rgw_role.h"
#include "rgw_auth.h"
#include "rgw_web_idp.h"

namespace STS {

class AssumeRoleRequestBase {
protected:
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  uint64_t MAX_DURATION_IN_SECS;
  uint64_t duration;
  string err_msg;
  string iamPolicy;
  string roleArn;
  string roleSessionName;
public:
  AssumeRoleRequestBase(const string& duration,
                        const string& iamPolicy,
                        const string& roleArn,
                        const string& roleSessionName);
  const string& getRoleARN() const { return roleArn; }
  const string& getRoleSessionName() const { return roleSessionName; }
  const string& getPolicy() const {return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  int validate_input() const;
};

class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  string providerId;
  string iamPolicy;
  string iss;
  string sub;
  string aud;
public:
  AssumeRoleWithWebIdentityRequest( const string& duration,
                      const string& providerId,
                      const string& iamPolicy,
                      const string& roleArn,
                      const string& roleSessionName,
                      const string& iss,
                      const string& sub,
                      const string& aud)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const string& getProviderId() const { return providerId; }
  const string& getIss() const { return iss; }
  const string& getAud() const { return aud; }
  const string& getSub() const { return sub; }
  int validate_input() const;
};

class AssumeRoleRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
  string externalId;
  string serialNumber;
  string tokenCode;
public:
  AssumeRoleRequest(const string& duration,
                    const string& externalId,
                    const string& iamPolicy,
                    const string& roleArn,
                    const string& roleSessionName,
                    const string& serialNumber,
                    const string& tokenCode)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
  int validate_input() const;
};

class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  uint64_t duration;
  string serialNumber;
  string tokenCode;

public:
  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};

class AssumedRoleUser {
  string arn;
  string assumeRoleId;
public:
  int generateAssumedRoleUser( CephContext* cct,
                                rgw::sal::RGWRadosStore *store,
                                const string& roleId,
                                const rgw::ARN& roleArn,
                                const string& roleSessionName);
  const string& getARN() const { return arn; }
  const string& getAssumeRoleId() const { return assumeRoleId; }
  void dump(Formatter *f) const;
};

struct SessionToken {
  string access_key_id;
  string secret_access_key;
  string expiration;
  string policy;
  string roleId;
  rgw_user user;
  string acct_name;
  uint32_t perm_mask;
  bool is_admin;
  uint32_t acct_type;
  string role_session;
  std::vector<string> token_claims;

  SessionToken() {}

  void encode(bufferlist& bl) const {
    ENCODE_START(3, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);
    encode(token_claims, bl);
    ENCODE_FINISH(bl);
  }

  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(3, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)

class Credentials {
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;
  string accessKeyId;
  string expiration;
  string secretAccessKey;
  string sessionToken;
public:
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<string>& policy,
                          const boost::optional<string>& roleId,
                          const boost::optional<string>& role_session,
                          const boost::optional<std::vector<string> > token_claims,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);
  const string& getAccessKeyId() const { return accessKeyId; }
  const string& getExpiration() const { return expiration; }
  const string& getSecretAccessKey() const { return secretAccessKey; }
  const string& getSessionToken() const { return sessionToken; }
  void dump(Formatter *f) const;
};

struct AssumeRoleResponse {
  int retCode;
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize;
};

struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  string aud;
  string providerId;
  string sub;
};

using AssumeRoleResponse = struct AssumeRoleResponse ;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;

class STSService {
  CephContext* cct;
  rgw::sal::RGWRadosStore *store;
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity;
  int storeARN(string& arn);
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::RGWRadosStore *store, rgw_user user_id, rgw::auth::Identity* identity) : cct(cct), store(store), user_id(user_id), identity(identity) {}
  std::tuple<int, RGWRole> getRoleInfo(const string& arn);
  AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};
}
#endif /* CEPH_RGW_STS_H */
Commit	Line	Data
11fdf7f2	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
11fdf7f2 TL	3
	4	#ifndef CEPH_RGW_STS_H
	5	#define CEPH_RGW_STS_H
	6
	7	#include "rgw_role.h"
	8	#include "rgw_auth.h"
	9	#include "rgw_web_idp.h"
	10
	11	namespace STS {
	12
	13	class AssumeRoleRequestBase {
	14	protected:
	15	static constexpr uint64_t MIN_POLICY_SIZE = 1;
	16	static constexpr uint64_t MAX_POLICY_SIZE = 2048;
	17	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
	18	static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
	19	static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
	20	static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
	21	static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
	22	static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
	23	uint64_t MAX_DURATION_IN_SECS;
	24	uint64_t duration;
9f95a23c	25	string err_msg;
11fdf7f2 TL	26	string iamPolicy;
	27	string roleArn;
	28	string roleSessionName;
	29	public:
	30	AssumeRoleRequestBase(const string& duration,
	31	const string& iamPolicy,
	32	const string& roleArn,
	33	const string& roleSessionName);
	34	const string& getRoleARN() const { return roleArn; }
	35	const string& getRoleSessionName() const { return roleSessionName; }
	36	const string& getPolicy() const {return iamPolicy; }
	37	static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
	38	void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
	39	const uint64_t& getDuration() const { return duration; }
	40	int validate_input() const;
	41	};
	42
	43	class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
	44	static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
	45	static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
	46	string providerId;
	47	string iamPolicy;
	48	string iss;
	49	string sub;
	50	string aud;
	51	public:
	52	AssumeRoleWithWebIdentityRequest( const string& duration,
	53	const string& providerId,
	54	const string& iamPolicy,
	55	const string& roleArn,
	56	const string& roleSessionName,
	57	const string& iss,
	58	const string& sub,
	59	const string& aud)
	60	: AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
	61	providerId(providerId), iss(iss), sub(sub), aud(aud) {}
	62	const string& getProviderId() const { return providerId; }
	63	const string& getIss() const { return iss; }
	64	const string& getAud() const { return aud; }
	65	const string& getSub() const { return sub; }
	66	int validate_input() const;
	67	};
	68
	69	class AssumeRoleRequest : public AssumeRoleRequestBase {
	70	static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
	71	static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
	72	static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
	73	static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
	74	static constexpr uint64_t TOKEN_CODE_SIZE = 6;
	75	string externalId;
	76	string serialNumber;
	77	string tokenCode;
	78	public:
	79	AssumeRoleRequest(const string& duration,
	80	const string& externalId,
	81	const string& iamPolicy,
	82	const string& roleArn,
	83	const string& roleSessionName,
	84	const string& serialNumber,
	85	const string& tokenCode)
	86	: AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
	87	externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
	88	int validate_input() const;
	89	};
90
91	class GetSessionTokenRequest {
92	protected:
93	static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
94	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
95	uint64_t duration;
96	string serialNumber;
97	string tokenCode;
98
99	public:
100	GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);
101
102	const uint64_t& getDuration() const { return duration; }
103	static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
104	};
105
106	class AssumedRoleUser {
107	string arn;
108	string assumeRoleId;
109	public:
110	int generateAssumedRoleUser( CephContext* cct,
9f95a23c	111	rgw::sal::RGWRadosStore *store,
11fdf7f2	112	const string& roleId,
eafe8130	113	const rgw::ARN& roleArn,
11fdf7f2 TL	114	const string& roleSessionName);
	115	const string& getARN() const { return arn; }
	116	const string& getAssumeRoleId() const { return assumeRoleId; }
	117	void dump(Formatter *f) const;
	118	};
	119
	120	struct SessionToken {
	121	string access_key_id;
	122	string secret_access_key;
	123	string expiration;
	124	string policy;
	125	string roleId;
	126	rgw_user user;
	127	string acct_name;
	128	uint32_t perm_mask;
	129	bool is_admin;
	130	uint32_t acct_type;
f91f0fd5	131	string role_session;
adb31ebb	132	std::vector<string> token_claims;
11fdf7f2 TL	133
	134	SessionToken() {}
	135
	136	void encode(bufferlist& bl) const {
adb31ebb	137	ENCODE_START(3, 1, bl);
11fdf7f2 TL	138	encode(access_key_id, bl);
	139	encode(secret_access_key, bl);
	140	encode(expiration, bl);
	141	encode(policy, bl);
	142	encode(roleId, bl);
	143	encode(user, bl);
	144	encode(acct_name, bl);
	145	encode(perm_mask, bl);
	146	encode(is_admin, bl);
	147	encode(acct_type, bl);
f91f0fd5	148	encode(role_session, bl);
adb31ebb	149	encode(token_claims, bl);
11fdf7f2 TL	150	ENCODE_FINISH(bl);
	151	}
	152
	153	void decode(bufferlist::const_iterator& bl) {
adb31ebb	154	DECODE_START(3, bl);
11fdf7f2 TL	155	decode(access_key_id, bl);
	156	decode(secret_access_key, bl);
	157	decode(expiration, bl);
	158	decode(policy, bl);
	159	decode(roleId, bl);
	160	decode(user, bl);
	161	decode(acct_name, bl);
	162	decode(perm_mask, bl);
	163	decode(is_admin, bl);
	164	decode(acct_type, bl);
f91f0fd5 TL	165	if (struct_v >= 2) {
	166	decode(role_session, bl);
	167	}
adb31ebb TL	168	if (struct_v >= 3) {
	169	decode(token_claims, bl);
	170	}
11fdf7f2 TL	171	DECODE_FINISH(bl);
	172	}
	173	};
	174	WRITE_CLASS_ENCODER(SessionToken)
	175
	176	class Credentials {
	177	static constexpr int MAX_ACCESS_KEY_LEN = 20;
	178	static constexpr int MAX_SECRET_KEY_LEN = 40;
	179	string accessKeyId;
	180	string expiration;
	181	string secretAccessKey;
	182	string sessionToken;
	183	public:
	184	int generateCredentials(CephContext* cct,
	185	const uint64_t& duration,
	186	const boost::optional<string>& policy,
	187	const boost::optional<string>& roleId,
f91f0fd5	188	const boost::optional<string>& role_session,
adb31ebb	189	const boost::optional<std::vector<string> > token_claims,
11fdf7f2 TL	190	boost::optional<rgw_user> user,
	191	rgw::auth::Identity* identity);
	192	const string& getAccessKeyId() const { return accessKeyId; }
	193	const string& getExpiration() const { return expiration; }
	194	const string& getSecretAccessKey() const { return secretAccessKey; }
	195	const string& getSessionToken() const { return sessionToken; }
	196	void dump(Formatter *f) const;
	197	};
	198
	199	struct AssumeRoleResponse {
	200	int retCode;
	201	AssumedRoleUser user;
	202	Credentials creds;
	203	uint64_t packedPolicySize;
	204	};
	205
	206	struct AssumeRoleWithWebIdentityResponse {
	207	AssumeRoleResponse assumeRoleResp;
	208	string aud;
	209	string providerId;
	210	string sub;
	211	};
	212
	213	using AssumeRoleResponse = struct AssumeRoleResponse ;
	214	using GetSessionTokenResponse = std::tuple<int, Credentials>;
	215	using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
	216
	217	class STSService {
	218	CephContext* cct;
9f95a23c	219	rgw::sal::RGWRadosStore *store;
11fdf7f2 TL	220	rgw_user user_id;
	221	RGWRole role;
	222	rgw::auth::Identity* identity;
	223	int storeARN(string& arn);
	224	public:
	225	STSService() = default;
9f95a23c	226	STSService(CephContext* cct, rgw::sal::RGWRadosStore store, rgw_user user_id, rgw::auth::Identity identity) : cct(cct), store(store), user_id(user_id), identity(identity) {}
11fdf7f2 TL	227	std::tuple<int, RGWRole> getRoleInfo(const string& arn);
	228	AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
	229	GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
	230	AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
	231	};
	232	}
	233	#endif /* CEPH_RGW_STS_H */
	234