git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_opa.cc
68f874a5d724e50f6c93aa817578d71f3fb13024
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
5 #include "rgw_http_client.h"
7 #define dout_context g_ceph_context
8 #define dout_subsys ceph_subsys_rgw
12 int rgw_opa_authorize(RGWOp
*& op
,
16 ldpp_dout(op
, 2) << "authorizing request using OPA" << dendl
;
19 const string
& opa_url
= s
->cct
->_conf
->rgw_opa_url
;
21 ldpp_dout(op
, 2) << "OPA_URL not provided" << dendl
;
22 return -ERR_INVALID_REQUEST
;
24 ldpp_dout(op
, 2) << "OPA URL= " << opa_url
.c_str() << dendl
;
26 /* get authentication token for OPA */
27 const string
& opa_token
= s
->cct
->_conf
->rgw_opa_token
;
31 RGWHTTPTransceiver
req(s
->cct
, "POST", opa_url
.c_str(), &bl
);
33 /* set required headers for OPA request */
34 req
.append_header("X-Auth-Token", opa_token
);
35 req
.append_header("Content-Type", "application/json");
36 req
.append_header("Expect", "100-continue");
38 /* check if we want to verify OPA server SSL certificate */
39 req
.set_verify_ssl(s
->cct
->_conf
->rgw_opa_verify_ssl
);
41 /* create json request body */
43 jf
.open_object_section("");
44 jf
.open_object_section("input");
45 jf
.dump_string("method", s
->info
.env
->get("REQUEST_METHOD"));
46 jf
.dump_string("relative_uri", s
->relative_uri
.c_str());
47 jf
.dump_string("decoded_uri", s
->decoded_uri
.c_str());
48 jf
.dump_string("params", s
->info
.request_params
.c_str());
49 jf
.dump_string("request_uri_aws4", s
->info
.request_uri_aws4
.c_str());
50 jf
.dump_string("object_name", s
->object
->get_name().c_str());
51 jf
.dump_string("subuser", s
->auth
.identity
->get_subuser().c_str());
52 jf
.dump_object("user_info", s
->user
->get_info());
53 jf
.dump_object("bucket_info", s
->bucket
->get_info());
59 req
.set_post_data(ss
.str());
60 req
.set_send_length(ss
.str().length());
63 ret
= req
.process(null_yield
);
65 ldpp_dout(op
, 2) << "OPA process error:" << bl
.c_str() << dendl
;
69 /* check OPA response */
71 if (!parser
.parse(bl
.c_str(), bl
.length())) {
72 ldpp_dout(op
, 2) << "OPA parse error: malformed json" << dendl
;
77 JSONDecoder::decode_json("result", opa_result
, &parser
);
79 if (opa_result
== false) {
80 ldpp_dout(op
, 2) << "OPA rejecting request" << dendl
;
84 ldpp_dout(op
, 2) << "OPA accepting request" << dendl
;