ceph/src/rgw/rgw_rest_role.cc

   1 #include <errno.h>
   2
   3 #include "common/errno.h"
   4 #include "common/Formatter.h"
   5 #include "common/ceph_json.h"
   6
   7 #include "include/types.h"
   8 #include "rgw_string.h"
   9
  10 #include "rgw_common.h"
  11 #include "rgw_op.h"
  12 #include "rgw_rest.h"
  13 #include "rgw_role.h"
  14 #include "rgw_rest_role.h"
  15
  16 #define dout_subsys ceph_subsys_rgw
  17
  18 using namespace std;
  19
  20 void RGWRestRole::send_response()
  21 {
  22   if (op_ret) {
  23     set_req_state_err(s, op_ret);
  24   }
  25   dump_errno(s);
  26   end_header(s);
  27 }
  28
  29 int RGWRoleRead::verify_permission()
  30 {
  31   if (s->auth.identity->is_anonymous()) {
  32     return -EACCES;
  33   }
  34
  35   if (!verify_user_permission(s, RGW_PERM_READ)) {
  36     return -EACCES;
  37   }
  38
  39   return 0;
  40 }
  41
  42 int RGWRoleWrite::verify_permission()
  43 {
  44   if (s->auth.identity->is_anonymous()) {
  45     return -EACCES;
  46   }
  47
  48   if (!verify_user_permission(s, RGW_PERM_WRITE)) {
  49     return -EACCES;
  50   }
  51
  52   return 0;
  53 }
  54
  55 int RGWCreateRole::get_params()
  56 {
  57   role_name = s->info.args.get("RoleName");
  58   role_path = s->info.args.get("Path");
  59   trust_policy = s->info.args.get("AssumeRolePolicyDocument");
  60
  61   if (role_name.empty() || trust_policy.empty()) {
  62     ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
  63     << dendl;
  64     return -EINVAL;
  65   }
  66   JSONParser p;
  67   if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
  68     ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
  69     return -ERR_MALFORMED_DOC;
  70   }
  71   return 0;
  72 }
  73
  74 void RGWCreateRole::execute()
  75 {
  76   op_ret = get_params();
  77   if (op_ret < 0) {
  78     return;
  79   }
  80   string uid;
  81   s->user->user_id.to_str(uid);
  82   RGWRole role(s->cct, store, role_name, role_path, trust_policy, uid);
  83   op_ret = role.create(true);
  84
  85   if (op_ret == -EEXIST) {
  86     op_ret = -ERR_ROLE_EXISTS;
  87   }
  88
  89   if (op_ret == 0) {
  90     s->formatter->open_object_section("role");
  91     role.dump(s->formatter);
  92     s->formatter->close_section();
  93   }
  94 }
  95
  96 int RGWDeleteRole::get_params()
  97 {
  98   role_name = s->info.args.get("RoleName");
  99
 100   if (role_name.empty()) {
 101     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 102     return -EINVAL;
 103   }
 104
 105   return 0;
 106 }
 107
 108 void RGWDeleteRole::execute()
 109 {
 110   op_ret = get_params();
 111   if (op_ret < 0) {
 112     return;
 113   }
 114   RGWRole role(s->cct, store, role_name);
 115   op_ret = role.delete_obj();
 116
 117   if (op_ret == -ENOENT) {
 118     op_ret = -ERR_NO_ROLE_FOUND;
 119   }
 120 }
 121
 122 int RGWGetRole::get_params()
 123 {
 124   role_name = s->info.args.get("RoleName");
 125
 126   if (role_name.empty()) {
 127     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 128     return -EINVAL;
 129   }
 130
 131   return 0;
 132 }
 133
 134 void RGWGetRole::execute()
 135 {
 136   op_ret = get_params();
 137   if (op_ret < 0) {
 138     return;
 139   }
 140   RGWRole role(s->cct, store, role_name);
 141   op_ret = role.get();
 142
 143   if (op_ret == -ENOENT) {
 144     op_ret = -ERR_NO_ROLE_FOUND;
 145   }
 146
 147   if (op_ret == 0) {
 148     s->formatter->open_object_section("role");
 149     role.dump(s->formatter);
 150     s->formatter->close_section();
 151   }
 152 }
 153
 154 int RGWModifyRole::get_params()
 155 {
 156   role_name = s->info.args.get("RoleName");
 157   trust_policy = s->info.args.get("PolicyDocument");
 158
 159   if (role_name.empty() || trust_policy.empty()) {
 160     ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
 161     return -EINVAL;
 162   }
 163   JSONParser p;
 164   if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
 165     ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
 166     return -ERR_MALFORMED_DOC;
 167   }
 168
 169   return 0;
 170 }
 171
 172 void RGWModifyRole::execute()
 173 {
 174   op_ret = get_params();
 175   if (op_ret < 0) {
 176     return;
 177   }
 178   RGWRole role(s->cct, store, role_name);
 179   op_ret = role.get();
 180   if (op_ret == -ENOENT) {
 181     op_ret = -ERR_NO_ROLE_FOUND;
 182   }
 183
 184   if (op_ret == 0) {
 185     role.update_trust_policy(trust_policy);
 186     op_ret = role.update();
 187   }
 188 }
 189
 190 int RGWListRoles::get_params()
 191 {
 192   path_prefix = s->info.args.get("PathPrefix");
 193
 194   return 0;
 195 }
 196
 197 void RGWListRoles::execute()
 198 {
 199   op_ret = get_params();
 200   if (op_ret < 0) {
 201     return;
 202   }
 203   vector<RGWRole> result;
 204   op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, result);
 205
 206   if (op_ret == 0) {
 207     s->formatter->open_array_section("Roles");
 208     for (const auto& it : result) {
 209       s->formatter->open_object_section("role");
 210       it.dump(s->formatter);
 211       s->formatter->close_section();
 212     }
 213     s->formatter->close_section();
 214   }
 215 }
 216
 217 int RGWPutRolePolicy::get_params()
 218 {
 219   role_name = s->info.args.get("RoleName");
 220   policy_name = s->info.args.get("PolicyName");
 221   perm_policy = s->info.args.get("PolicyDocument");
 222
 223   if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
 224     ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
 225     return -EINVAL;
 226   }
 227   JSONParser p;
 228   if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
 229     ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
 230     return -ERR_MALFORMED_DOC;
 231   }
 232
 233   return 0;
 234 }
 235
 236 void RGWPutRolePolicy::execute()
 237 {
 238   op_ret = get_params();
 239   if (op_ret < 0) {
 240     return;
 241   }
 242
 243   RGWRole role(s->cct, store, role_name);
 244   op_ret = role.get();
 245   if (op_ret == 0) {
 246     role.set_perm_policy(policy_name, perm_policy);
 247     op_ret = role.update();
 248   }
 249 }
 250
 251 int RGWGetRolePolicy::get_params()
 252 {
 253   role_name = s->info.args.get("RoleName");
 254   policy_name = s->info.args.get("PolicyName");
 255
 256   if (role_name.empty() || policy_name.empty()) {
 257     ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
 258     return -EINVAL;
 259   }
 260   return 0;
 261 }
 262
 263 void RGWGetRolePolicy::execute()
 264 {
 265   op_ret = get_params();
 266   if (op_ret < 0) {
 267     return;
 268   }
 269
 270   RGWRole role(g_ceph_context, store, role_name);
 271   op_ret = role.get();
 272
 273   if (op_ret == -ENOENT) {
 274     op_ret = -ERR_NO_ROLE_FOUND;
 275   }
 276
 277   if (op_ret == 0) {
 278     string perm_policy;
 279     op_ret = role.get_role_policy(policy_name, perm_policy);
 280
 281     if (op_ret == 0) {
 282       s->formatter->open_object_section("GetRolePolicyResult");
 283       s->formatter->dump_string("PolicyName", policy_name);
 284       s->formatter->dump_string("RoleName", role_name);
 285       s->formatter->dump_string("Permission policy", perm_policy);
 286       s->formatter->close_section();
 287     }
 288   }
 289 }
 290
 291 int RGWListRolePolicies::get_params()
 292 {
 293   role_name = s->info.args.get("RoleName");
 294
 295   if (role_name.empty()) {
 296     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 297     return -EINVAL;
 298   }
 299   return 0;
 300 }
 301
 302 void RGWListRolePolicies::execute()
 303 {
 304   op_ret = get_params();
 305   if (op_ret < 0) {
 306     return;
 307   }
 308
 309   RGWRole role(g_ceph_context, store, role_name);
 310   op_ret = role.get();
 311
 312   if (op_ret == -ENOENT) {
 313     op_ret = -ERR_NO_ROLE_FOUND;
 314   }
 315
 316   if (op_ret == 0) {
 317     std::vector<string> policy_names = role.get_role_policy_names();
 318     s->formatter->open_array_section("PolicyNames");
 319     for (const auto& it : policy_names) {
 320       s->formatter->dump_string("member", it);
 321     }
 322     s->formatter->close_section();
 323   }
 324 }
 325
 326 int RGWDeleteRolePolicy::get_params()
 327 {
 328   role_name = s->info.args.get("RoleName");
 329   policy_name = s->info.args.get("PolicyName");
 330
 331   if (role_name.empty() || policy_name.empty()) {
 332     ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
 333     return -EINVAL;
 334   }
 335   return 0;
 336 }
 337
 338 void RGWDeleteRolePolicy::execute()
 339 {
 340   op_ret = get_params();
 341   if (op_ret < 0) {
 342     return;
 343   }
 344
 345   RGWRole role(g_ceph_context, store, role_name);
 346   op_ret = role.get();
 347
 348   if (op_ret == -ENOENT) {
 349     op_ret = -ERR_NO_ROLE_FOUND;
 350   }
 351
 352   if (op_ret == 0) {
 353     op_ret = role.delete_policy(policy_name);
 354     if (op_ret == -ENOENT) {
 355       op_ret = -ERR_NO_ROLE_FOUND;
 356     }
 357
 358     if (op_ret == 0) {
 359       op_ret = role.update();
 360     }
 361   }
 362 }