1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
7 #include "rgw_auth_filters.h"
9 #include "rgw_web_idp.h"
11 namespace rgw::auth::sts
{
/// Auth engine for the STS web-identity flow: receives the token string that
/// the configured extractor pulls out of the request and, through the private
/// overload of authenticate(), decides whether it yields an identity.
class WebTokenEngine : public rgw::auth::Engine {
  CephContext* const cct;
  /* … line 15 not shown in this listing … */
  using result_t = rgw::auth::Engine::result_t;
  using token_t = rgw::web_idp::WebTokenClaims;

  /// Non-owning collaborators; both must outlive the engine. DefaultStrategy
  /// below passes `this` for both, so in practice their lifetime is the
  /// strategy's.
  const rgw::auth::TokenExtractor* const extractor;
  const rgw::auth::WebIdentityApplier::Factory* const apl_factory;

  /// Cheap pre-check on the raw token string (defined out of line).
  bool is_applicable(const std::string& token) const noexcept;

  /// Asks the identity provider about `token`; returns the claims on success
  /// and none when the token is not accepted (defined out of line). This is
  /// where acceptance of client-supplied token material is decided — the
  /// extractor does no validation of its own.
  boost::optional<token_t>
  get_from_idp(const DoutPrefixProvider* dpp, const std::string& token) const;

  /// Authentication on an already-extracted token (defined out of line).
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const std::string& token,
                        const req_state* s) const;

public: // inferred: not shown in listing; the ctor is used from DefaultStrategy
  /// Stores the collaborators; nothing is validated at construction time.
  WebTokenEngine(CephContext* const cct,
                 const rgw::auth::TokenExtractor* const extractor,
                 const rgw::auth::WebIdentityApplier::Factory* const apl_factory)
    : cct(cct),               // inferred: lines 35-36 not shown in listing;
      extractor(extractor),   // const members must be initialized here
      apl_factory(apl_factory) {
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::WebTokenEngine";
  }

  /// Engine entry point: extracts the token from the request and delegates to
  /// the private overload. The token is untrusted client input at this point.
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const req_state* const s) const override {
    return authenticate(dpp, extractor->get_token(s), s);
  }
}; /* class WebTokenEngine */
/// Strategy for the STS web-identity flow. The strategy doubles as the
/// engine's token extractor and applier factory, so the constructor hands
/// `this` to the engine for both roles.
class DefaultStrategy : public rgw::auth::Strategy,
                        public rgw::auth::TokenExtractor,
                        public rgw::auth::WebIdentityApplier::Factory {
  /* … lines 52, 54-55 not shown in this listing; the `ctl` used in
   *   create_apl_web_identity() is expected to be declared among them … */
  ImplicitTenants& implicit_tenant_context;

  /// The only engine of this strategy; const, so fully configured in the ctor.
  const WebTokenEngine web_token_engine;

  using aplptr_t = rgw::auth::IdentityApplier::aplptr_t;

  /* The method implements TokenExtractor for Web Token in req_state. */
  /// Returns the raw "WebIdentityToken" request argument. This is untrusted
  /// client input and is deliberately not inspected here; the engine decides
  /// whether it is acceptable.
  std::string get_token(const req_state* const s) const override {
    return s->info.args.get("WebIdentityToken");
  }

  /// Builds the applier for a set of validated claims, wrapped so that system
  /// requests are honoured as well (add_sysreq), and returns it as aplptr_t.
  aplptr_t create_apl_web_identity( CephContext* cct,
                                    /* … line 66 not shown in this listing; the `s`
                                     *   used below is expected to be declared there … */
                                    const rgw::web_idp::WebTokenClaims& token) const override {
    auto apl = rgw::auth::add_sysreq(cct, ctl, s,
      rgw::auth::WebIdentityApplier(cct, ctl, token));
    // Move the stack-built applier into a heap copy owned by aplptr_t.
    return aplptr_t(new decltype(apl)(std::move(apl)));
  }

public: // inferred: not shown in listing
  DefaultStrategy(CephContext* const cct,
                  ImplicitTenants& implicit_tenant_context
                  /* … line 76 (further parameter) not shown in this listing … */)
    : /* … line 77 (initializer) not shown in this listing … */
      implicit_tenant_context(implicit_tenant_context),
      // inferred: line 79 not shown in listing; the const engine member must be
      // initialized here and the two casts below match its ctor parameters.
      // Handing out `this` during member initialization is fine: the base
      // subobjects being pointed at are already constructed at this point.
      web_token_engine(cct,
                       static_cast<rgw::auth::TokenExtractor*>(this),
                       static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) {
    /* When the constructor's body is being executed, all member engines
     * should be initialized. Thus, we can safely add them. */
    using Control = rgw::auth::Strategy::Control;
    add_engine(Control::SUFFICIENT, web_token_engine);
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::DefaultStrategy";
  }
};
93 } // namespace rgw::auth::sts
/// Common base of the STS REST operations: shared permission check and
/// response formatting; each subclass supplies execute().
class RGWREST_STS : public RGWRESTOp {
  /* … lines 96-98 not shown in this listing … */
public: // inferred: not shown in listing; subclasses below default-construct this
  RGWREST_STS() = default;
  int verify_permission() override;
  void send_response() override;
};
/// AssumeRoleWithWebIdentity: exchanges an accepted web identity token for
/// temporary credentials on a role.
class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS {
  /* … lines 105-109 not shown in this listing (further request fields) … */
  /// Session name requested by the caller — untrusted request input;
  /// presumably checked in execute() (defined out of line) — confirm.
  string roleSessionName;
  /* … lines 111-114 not shown in this listing … */
public: // inferred: not shown in listing
  RGWSTSAssumeRoleWithWebIdentity() = default;
  void execute() override;

  const char* name() const override { return "assume_role_web_identity"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; }
};
/// AssumeRole: issues temporary credentials on a role to an already
/// authenticated caller.
class RGWSTSAssumeRole : public RGWREST_STS {
  /* … lines 123-127 not shown in this listing (further request fields) … */
  /// Session name requested by the caller — untrusted request input;
  /// presumably checked in execute() (defined out of line) — confirm.
  string roleSessionName;
  /* … lines 129-131 not shown in this listing … */
public: // inferred: not shown in listing
  RGWSTSAssumeRole() = default;
  void execute() override;

  const char* name() const override { return "assume_role"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; }
};
/// GetSessionToken: issues temporary credentials for the calling identity.
class RGWSTSGetSessionToken : public RGWREST_STS {
  /* … lines 140-144 not shown in this listing … */
public: // inferred: not shown in listing
  RGWSTSGetSessionToken() = default;
  void execute() override;
  /// Overrides the base check; this op evidently has its own permission
  /// rules — see the out-of-line definition before relying on the base one.
  int verify_permission() override;

  const char* name() const override { return "get_session_token"; }
  RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
};
/* … lines 152-154 not shown in this listing. A `static` function declared
 *   here is most plausibly a static member of a class whose header is among
 *   them (a file-scope `static` in a header would give every TU its own
 *   copy) — confirm against the full header. */
/// Runs the STS auth strategies in `auth_registry` against the request and
/// reports the outcome as an error code (defined out of line).
static int authorize(const DoutPrefixProvider *dpp,
                     rgw::sal::RGWRadosStore *store,
                     const rgw::auth::StrategyRegistry& auth_registry,
                     struct req_state *s);
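/// REST handler for the STS endpoint: selects the op from the POST body and
/// runs the STS auth strategies before the op executes.
class RGWHandler_REST_STS : public RGWHandler_REST {
  /// Non-owning; the registry must outlive the handler (it is expected to be
  /// process-wide — confirm at the construction site).
  const rgw::auth::StrategyRegistry& auth_registry;
  /// Held by value. The previous `const string&` member bound to whatever the
  /// constructor received, and with the defaulted argument (`=""`) that is a
  /// temporary destroyed at the end of the constructing expression — every
  /// later read through the reference was a use-after-free. Copying the body
  /// costs one allocation per handler and removes the lifetime coupling.
  const string post_body;
  /// Maps the POST body's action to an op (defined out of line).
  RGWOp *op_post() override;
  /// Parses the POST body into request args (defined out of line).
  void rgw_sts_parse_input();
  /* … lines 166-167 not shown in this listing … */
public: // inferred: not shown in listing
  static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format);

  /// Same signature as before; the default argument is now safe because
  /// `post_body` is copied rather than referenced.
  RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry,
                      const string& post_body="")
    : /* … line 171 not shown in this listing … */
      auth_registry(auth_registry),
      post_body(post_body) {}
  ~RGWHandler_REST_STS() override = default;

  int init(rgw::sal::RGWRadosStore *store,
           /* … line 177 (a parameter) not shown in this listing … */
           rgw::io::BasicClient *cio) override;
  /// Delegates authentication to the STS strategies (defined out of line).
  int authorize(const DoutPrefixProvider* dpp) override;
  int postauth_init() override { return 0; }
};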
183 class RGWRESTMgr_STS
: public RGWRESTMgr
{
/// Nothing to configure at construction time.
RGWRESTMgr_STS() = default;
/// Virtual via the base; defaulted because this manager owns nothing itself.
~RGWRESTMgr_STS() override = default;
/// Resource-manager lookup for the STS URI space.
RGWRESTMgr *get_resource_mgr(struct req_state* const s,
                             const std::string& uri,
                             std::string* const out_uri) override {
  /* … lines 191-193 (the body) not shown in this listing … */
}
/// Creates the per-request handler for the STS endpoint (defined out of line);
/// this is the construction site to check when reasoning about the lifetime
/// of what RGWHandler_REST_STS holds by reference.
RGWHandler_REST* get_handler(struct req_state*,
                             const rgw::auth::StrategyRegistry&,
                             const std::string&) override;