]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
import ceph 14.2.5
[ceph.git] / ceph / src / rgw / rgw_rest_role.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3
4 #include <errno.h>
5
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
9
10 #include "include/types.h"
11 #include "rgw_string.h"
12
13 #include "rgw_common.h"
14 #include "rgw_op.h"
15 #include "rgw_rest.h"
16 #include "rgw_role.h"
17 #include "rgw_rest_role.h"
18
19 #define dout_subsys ceph_subsys_rgw
20
21 int RGWRestRole::verify_permission()
22 {
23 if (s->auth.identity->is_anonymous()) {
24 return -EACCES;
25 }
26
27 string role_name = s->info.args.get("RoleName");
28 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
29 if (op_ret = role.get(); op_ret < 0) {
30 if (op_ret == -ENOENT) {
31 op_ret = -ERR_NO_ROLE_FOUND;
32 }
33 return op_ret;
34 }
35
36 if (int ret = check_caps(s->user->caps); ret == 0) {
37 _role = std::move(role);
38 return ret;
39 }
40
41 string resource_name = role.get_path() + role_name;
42 uint64_t op = get_op();
43 if (!verify_user_permission(this,
44 s,
45 rgw::ARN(resource_name,
46 "role",
47 s->user->user_id.tenant, true),
48 op)) {
49 return -EACCES;
50 }
51
52 _role = std::move(role);
53
54 return 0;
55 }
56
57 void RGWRestRole::send_response()
58 {
59 if (op_ret) {
60 set_req_state_err(s, op_ret);
61 }
62 dump_errno(s);
63 end_header(s);
64 }
65
66 int RGWRoleRead::check_caps(RGWUserCaps& caps)
67 {
68 return caps.check_cap("roles", RGW_CAP_READ);
69 }
70
71 int RGWRoleWrite::check_caps(RGWUserCaps& caps)
72 {
73 return caps.check_cap("roles", RGW_CAP_WRITE);
74 }
75
76 int RGWCreateRole::verify_permission()
77 {
78 if (s->auth.identity->is_anonymous()) {
79 return -EACCES;
80 }
81
82 if (int ret = check_caps(s->user->caps); ret == 0) {
83 return ret;
84 }
85
86 string role_name = s->info.args.get("RoleName");
87 string role_path = s->info.args.get("Path");
88
89 string resource_name = role_path + role_name;
90 if (!verify_user_permission(this,
91 s,
92 rgw::ARN(resource_name,
93 "role",
94 s->user->user_id.tenant, true),
95 get_op())) {
96 return -EACCES;
97 }
98 return 0;
99 }
100
101 int RGWCreateRole::get_params()
102 {
103 role_name = s->info.args.get("RoleName");
104 role_path = s->info.args.get("Path");
105 trust_policy = s->info.args.get("AssumeRolePolicyDocument");
106 max_session_duration = s->info.args.get("MaxSessionDuration");
107
108 if (role_name.empty() || trust_policy.empty()) {
109 ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
110 << dendl;
111 return -EINVAL;
112 }
113
114 bufferlist bl = bufferlist::static_from_string(trust_policy);
115 try {
116 const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl);
117 }
118 catch (rgw::IAM::PolicyParseException& e) {
119 ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
120 return -ERR_MALFORMED_DOC;
121 }
122
123 return 0;
124 }
125
126 void RGWCreateRole::execute()
127 {
128 op_ret = get_params();
129 if (op_ret < 0) {
130 return;
131 }
132 RGWRole role(s->cct, store, role_name, role_path, trust_policy,
133 s->user->user_id.tenant, max_session_duration);
134 op_ret = role.create(true);
135
136 if (op_ret == -EEXIST) {
137 op_ret = -ERR_ROLE_EXISTS;
138 }
139
140 if (op_ret == 0) {
141 s->formatter->open_object_section("role");
142 role.dump(s->formatter);
143 s->formatter->close_section();
144 }
145 }
146
147 int RGWDeleteRole::get_params()
148 {
149 role_name = s->info.args.get("RoleName");
150
151 if (role_name.empty()) {
152 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
153 return -EINVAL;
154 }
155
156 return 0;
157 }
158
159 void RGWDeleteRole::execute()
160 {
161 op_ret = get_params();
162 if (op_ret < 0) {
163 return;
164 }
165
166 op_ret = _role.delete_obj();
167
168 if (op_ret == -ENOENT) {
169 op_ret = -ERR_NO_ROLE_FOUND;
170 }
171 }
172
173 int RGWGetRole::verify_permission()
174 {
175 return 0;
176 }
177
178 int RGWGetRole::_verify_permission(const RGWRole& role)
179 {
180 if (s->auth.identity->is_anonymous()) {
181 return -EACCES;
182 }
183
184 if (int ret = check_caps(s->user->caps); ret == 0) {
185 return ret;
186 }
187
188 string resource_name = role.get_path() + role.get_name();
189 if (!verify_user_permission(this,
190 s,
191 rgw::ARN(resource_name,
192 "role",
193 s->user->user_id.tenant, true),
194 get_op())) {
195 return -EACCES;
196 }
197 return 0;
198 }
199
200 int RGWGetRole::get_params()
201 {
202 role_name = s->info.args.get("RoleName");
203
204 if (role_name.empty()) {
205 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
206 return -EINVAL;
207 }
208
209 return 0;
210 }
211
212 void RGWGetRole::execute()
213 {
214 op_ret = get_params();
215 if (op_ret < 0) {
216 return;
217 }
218 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
219 op_ret = role.get();
220
221 if (op_ret == -ENOENT) {
222 op_ret = -ERR_NO_ROLE_FOUND;
223 return;
224 }
225
226 op_ret = _verify_permission(role);
227
228 if (op_ret == 0) {
229 s->formatter->open_object_section("role");
230 role.dump(s->formatter);
231 s->formatter->close_section();
232 }
233 }
234
235 int RGWModifyRole::get_params()
236 {
237 role_name = s->info.args.get("RoleName");
238 trust_policy = s->info.args.get("PolicyDocument");
239
240 if (role_name.empty() || trust_policy.empty()) {
241 ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
242 return -EINVAL;
243 }
244 JSONParser p;
245 if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
246 ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
247 return -ERR_MALFORMED_DOC;
248 }
249
250 return 0;
251 }
252
253 void RGWModifyRole::execute()
254 {
255 op_ret = get_params();
256 if (op_ret < 0) {
257 return;
258 }
259
260 _role.update_trust_policy(trust_policy);
261 op_ret = _role.update();
262
263 }
264
265 int RGWListRoles::verify_permission()
266 {
267 if (s->auth.identity->is_anonymous()) {
268 return -EACCES;
269 }
270
271 if (int ret = check_caps(s->user->caps); ret == 0) {
272 return ret;
273 }
274
275 if (!verify_user_permission(this,
276 s,
277 rgw::ARN(),
278 get_op())) {
279 return -EACCES;
280 }
281
282 return 0;
283 }
284
285 int RGWListRoles::get_params()
286 {
287 path_prefix = s->info.args.get("PathPrefix");
288
289 return 0;
290 }
291
292 void RGWListRoles::execute()
293 {
294 op_ret = get_params();
295 if (op_ret < 0) {
296 return;
297 }
298 vector<RGWRole> result;
299 op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result);
300
301 if (op_ret == 0) {
302 s->formatter->open_array_section("Roles");
303 for (const auto& it : result) {
304 s->formatter->open_object_section("role");
305 it.dump(s->formatter);
306 s->formatter->close_section();
307 }
308 s->formatter->close_section();
309 }
310 }
311
312 int RGWPutRolePolicy::get_params()
313 {
314 role_name = s->info.args.get("RoleName");
315 policy_name = s->info.args.get("PolicyName");
316 perm_policy = s->info.args.get("PolicyDocument");
317
318 if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
319 ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
320 return -EINVAL;
321 }
322 bufferlist bl = bufferlist::static_from_string(perm_policy);
323 try {
324 const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl);
325 }
326 catch (rgw::IAM::PolicyParseException& e) {
327 ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
328 return -ERR_MALFORMED_DOC;
329 }
330 return 0;
331 }
332
333 void RGWPutRolePolicy::execute()
334 {
335 op_ret = get_params();
336 if (op_ret < 0) {
337 return;
338 }
339
340 _role.set_perm_policy(policy_name, perm_policy);
341 op_ret = _role.update();
342 }
343
344 int RGWGetRolePolicy::get_params()
345 {
346 role_name = s->info.args.get("RoleName");
347 policy_name = s->info.args.get("PolicyName");
348
349 if (role_name.empty() || policy_name.empty()) {
350 ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
351 return -EINVAL;
352 }
353 return 0;
354 }
355
356 void RGWGetRolePolicy::execute()
357 {
358 op_ret = get_params();
359 if (op_ret < 0) {
360 return;
361 }
362
363 string perm_policy;
364 op_ret = _role.get_role_policy(policy_name, perm_policy);
365 if (op_ret == 0) {
366 s->formatter->open_object_section("GetRolePolicyResult");
367 s->formatter->dump_string("PolicyName", policy_name);
368 s->formatter->dump_string("RoleName", role_name);
369 s->formatter->dump_string("Permission policy", perm_policy);
370 s->formatter->close_section();
371 }
372 }
373
374 int RGWListRolePolicies::get_params()
375 {
376 role_name = s->info.args.get("RoleName");
377
378 if (role_name.empty()) {
379 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
380 return -EINVAL;
381 }
382 return 0;
383 }
384
385 void RGWListRolePolicies::execute()
386 {
387 op_ret = get_params();
388 if (op_ret < 0) {
389 return;
390 }
391
392 std::vector<string> policy_names = _role.get_role_policy_names();
393 s->formatter->open_array_section("PolicyNames");
394 for (const auto& it : policy_names) {
395 s->formatter->dump_string("member", it);
396 }
397 s->formatter->close_section();
398 }
399
400 int RGWDeleteRolePolicy::get_params()
401 {
402 role_name = s->info.args.get("RoleName");
403 policy_name = s->info.args.get("PolicyName");
404
405 if (role_name.empty() || policy_name.empty()) {
406 ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
407 return -EINVAL;
408 }
409 return 0;
410 }
411
412 void RGWDeleteRolePolicy::execute()
413 {
414 op_ret = get_params();
415 if (op_ret < 0) {
416 return;
417 }
418
419 op_ret = _role.delete_policy(policy_name);
420 if (op_ret == -ENOENT) {
421 op_ret = -ERR_NO_ROLE_FOUND;
422 }
423
424 if (op_ret == 0) {
425 op_ret = _role.update();
426 }
427 }
Ceph