import ceph 14.2.5
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3
4 #ifndef CEPH_RGW_REST_STS_H
5 #define CEPH_RGW_REST_STS_H
6
7 #include "rgw_auth.h"
8 #include "rgw_auth_filters.h"
9 #include "rgw_sts.h"
10 #include "rgw_web_idp.h"
11
12 namespace rgw {
13 namespace auth {
14 namespace sts {
15
/* Authentication engine behind AssumeRoleWithWebIdentity. The token is read
 * from the request through the injected TokenExtractor, handed to the private
 * authenticate() overload, and the resulting identity is materialised through
 * the injected Factory. is_applicable(), get_from_idp() and the private
 * authenticate() are defined in the .cc, so only their contracts are visible
 * here. */
class WebTokenEngine : public rgw::auth::Engine {
  CephContext* const cct;

  using result_t = rgw::auth::Engine::result_t;
  using token_t = rgw::web_idp::WebTokenClaims;

  /* Non-owning pointers; whoever constructs the engine must keep both alive
   * for as long as the engine is used (DefaultStrategy passes itself). */
  const rgw::auth::TokenExtractor* const extractor;
  const rgw::auth::WebIdentityApplier::Factory* const apl_factory;

  /* Cheap pre-check on the raw token string. noexcept: no exception may
   * escape, so a malformed token must be reported by the bool, not thrown. */
  bool is_applicable(const std::string& token) const noexcept;

  /* Turns a token into its claims via the identity provider; an empty optional
   * presumably means the token was not accepted -- see the .cc. */
  boost::optional<token_t>
  get_from_idp(const DoutPrefixProvider* dpp, const std::string& token) const;

  /* Validates an already-extracted token for request s and produces the
   * engine result. Defined in the .cc. */
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const std::string& token,
                        const req_state* s) const;

public:
  WebTokenEngine(CephContext* const cct,
                 const rgw::auth::TokenExtractor* const extractor,
                 const rgw::auth::WebIdentityApplier::Factory* const apl_factory)
    : cct(cct),
      extractor(extractor),
      apl_factory(apl_factory) {
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::WebTokenEngine";
  }

  /* Engine entry point. The token comes straight from the request via the
   * extractor, i.e. it is client-controlled input; nothing is trusted until
   * the private overload has validated it. */
  result_t authenticate(const DoutPrefixProvider* dpp, const req_state* const s) const override {
    return authenticate(dpp, extractor->get_token(s), s);
  }
}; /* class WebTokenEngine */
51
/* Default STS authentication strategy. The class plays three roles at once:
 * the Strategy that owns a single WebTokenEngine, the TokenExtractor that
 * engine uses to read the WebIdentityToken request parameter, and the Factory
 * that engine uses to build the identity applier once a token is accepted. */
class DefaultStrategy : public rgw::auth::Strategy,
                        public rgw::auth::TokenExtractor,
                        public rgw::auth::WebIdentityApplier::Factory {
  RGWRados* const store;

  /* The one and only engine registered by this strategy. */
  const WebTokenEngine web_token_engine;

  using aplptr_t = rgw::auth::IdentityApplier::aplptr_t;

  /* TokenExtractor role: the web identity token travels as an ordinary
   * request parameter, so the value returned here is untrusted client input
   * until the engine has validated it. */
  std::string get_token(const req_state* const s) const override {
    const std::string param_name = "WebIdentityToken";
    return s->info.args.get(param_name);
  }

  /* Factory role: wraps a WebIdentityApplier for the accepted claims in the
   * system-request decorator and hands ownership of the result to the
   * caller through aplptr_t. */
  aplptr_t create_apl_web_identity( CephContext* cct,
                                    const req_state* s,
                                    const rgw::web_idp::WebTokenClaims& token) const override {
    auto decorated = rgw::auth::add_sysreq(
        cct, store, s, rgw::auth::WebIdentityApplier(cct, store, token));
    using decorated_t = decltype(decorated);
    return aplptr_t(new decorated_t(std::move(decorated)));
  }

public:
  /* Base subobjects are constructed before the member initializers run, so
   * passing `this` (as its two interface bases) into the engine below is
   * well-defined even though the strategy is not yet complete. */
  DefaultStrategy(CephContext* const cct,
                  RGWRados* const store)
    : store(store),
      web_token_engine(cct,
                       static_cast<rgw::auth::TokenExtractor*>(this),
                       static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) {
    /* By the time the body runs every member engine is initialized, so it
     * can be registered with the Strategy base. */
    add_engine(rgw::auth::Strategy::Control::SUFFICIENT, web_token_engine);
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::sts::DefaultStrategy";
  }
};
92
93 }; /* namespace sts */
94 }; /* namespace auth */
95 };
96
/* Common base for the STS REST operations below. Holds the STSService the
 * concrete operations act on and supplies the shared verify_permission()
 * and send_response() (both defined in the .cc). */
class RGWREST_STS : public RGWRESTOp {
protected:
  STS::STSService sts;
public:
  RGWREST_STS() = default;
  int verify_permission() override;
  void send_response() override;
};
105
/* STS AssumeRoleWithWebIdentity operation. The string members are the
 * request/token fields the operation works with; they are presumably filled
 * in by get_params(), whose body is in the .cc. */
class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS {
protected:
  string duration;
  string providerId;
  string policy;
  string roleArn;
  string roleSessionName;
  /* Named after the standard JWT claims (subject, audience, issuer);
   * presumably carried over from the validated web identity token. */
  string sub;
  string aud;
  string iss;
public:
  RGWSTSAssumeRoleWithWebIdentity() = default;
  void execute() override;
  int get_params();
  const char* name() const override { return "assume_role_web_identity"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; }
};
123
/* STS AssumeRole operation. Members mirror the request fields the
 * operation consumes; presumably populated by get_params() in the .cc.
 * Permission checking is inherited from RGWREST_STS. */
class RGWSTSAssumeRole : public RGWREST_STS {
protected:
  string duration;
  string externalId;
  string policy;
  string roleArn;
  string roleSessionName;
  /* MFA-related inputs; whether they are enforced is decided in the .cc. */
  string serialNumber;
  string tokenCode;
public:
  RGWSTSAssumeRole() = default;
  void execute() override;
  int get_params();
  const char* name() const override { return "assume_role"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; }
};
140
/* STS GetSessionToken operation. Unlike the two AssumeRole operations it
 * overrides verify_permission() itself rather than relying on the
 * RGWREST_STS implementation. */
class RGWSTSGetSessionToken : public RGWREST_STS {
protected:
  string duration;
  string serialNumber;
  string tokenCode;
public:
  RGWSTSGetSessionToken() = default;
  void execute() override;
  int verify_permission() override;
  int get_params();
  const char* name() const override { return "get_session_token"; }
  RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
};
154
/* Static entry point that runs the STS strategies from auth_registry against
 * request s. Returns an int status; the .cc defines what it reports. */
class RGW_Auth_STS {
public:
  static int authorize(const DoutPrefixProvider *dpp,
                       RGWRados *store,
                       const rgw::auth::StrategyRegistry& auth_registry,
                       struct req_state *s);
};
162
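/* REST handler for the STS endpoint. op_post(), rgw_sts_parse_input(),
 * init_from_header(), init() and authorize() are defined in the .cc. */
class RGWHandler_REST_STS : public RGWHandler_REST {
  /* Non-owning; the registry must outlive the handler. */
  const rgw::auth::StrategyRegistry& auth_registry;
  /* Held by value on purpose. As a `const string&` member this bound to
   * whatever the constructor was given; with the `=""` default that is a
   * temporary destroyed at the end of the constructor call, leaving the
   * member dangling for every instance built with the default argument. */
  std::string post_body;
  RGWOp *op_post() override;
  void rgw_sts_parse_input();
public:

  static int init_from_header(struct req_state *s, int default_formatter, bool configurable_format);

  /* post_body is copied; callers do not need to keep their string alive. */
  RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry, const string& post_body="")
    : RGWHandler_REST(),
      auth_registry(auth_registry),
      post_body(post_body) {}
  ~RGWHandler_REST_STS() override = default;

  int init(RGWRados *store,
           struct req_state *s,
           rgw::io::BasicClient *cio) override;
  int authorize(const DoutPrefixProvider* dpp) override;
  int postauth_init() override { return 0; }
};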
184
/* Resource manager for the STS endpoint. It never delegates to a nested
 * manager: every URI under its prefix is served by this manager, and the
 * handler for a request comes from get_handler() (defined in the .cc). */
class RGWRESTMgr_STS : public RGWRESTMgr {
public:
  RGWRESTMgr_STS() = default;
  ~RGWRESTMgr_STS() override = default;

  /* The request, URI and output URI are deliberately ignored: there is no
   * sub-resource to resolve, so the manager answers for itself. */
  RGWRESTMgr *get_resource_mgr(struct req_state* const /*s*/,
                               const std::string& /*uri*/,
                               std::string* const /*out_uri*/) override {
    RGWRESTMgr* const self = this;
    return self;
  }

  RGWHandler_REST* get_handler(struct req_state*,
                               const rgw::auth::StrategyRegistry&,
                               const std::string&) override;
};
200
201 #endif /* CEPH_RGW_REST_STS_H */