1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 #ifndef CEPH_RGW_REST_STS_H
5 #define CEPH_RGW_REST_STS_H
8 #include "rgw_auth_filters.h"
10 #include "rgw_web_idp.h"
/* Authentication engine behind the STS AssumeRoleWithWebIdentity flow.
 * It obtains the raw web identity token for a request through `extractor`,
 * resolves and checks it, and then asks `apl_factory` for the identity
 * applier that represents the authenticated caller.
 *
 * NOTE(review): this rendering of the header drops several source lines
 * (access specifiers, the leading part of the ctor initializer list, and the
 * closing braces of the inline bodies); only the tokens that are visible are
 * documented below. */
class WebTokenEngine : public rgw::auth::Engine {
  // Process context; the pointer itself is const, so it is fixed at construction.
  CephContext* const cct;

  using result_t = rgw::auth::Engine::result_t;
  // Claim set type for a web identity token (declared in rgw_web_idp.h).
  using token_t = rgw::web_idp::WebTokenClaims;

  // Source of the raw token string for a given request.  DefaultStrategy below
  // implements TokenExtractor and appears to pass itself here.
  const rgw::auth::TokenExtractor* const extractor;
  // Builds the IdentityApplier once a token has been accepted.
  const rgw::auth::WebIdentityApplier::Factory* const apl_factory;

  // Cheap pre-check on the token string; defined out of line.
  bool is_applicable(const std::string& token) const noexcept;

  // Resolves the token to its claims, boost::none meaning "not accepted".
  // NOTE(review): defined out of line — which checks (signature, expiry,
  // issuer/audience) make a token "not accepted" is not visible here; confirm
  // in the .cc before relying on this engine as the only gate.
  boost::optional<token_t> get_from_idp(const DoutPrefixProvider* dpp,
                                        const std::string& token) const;

  // Authentication on an already-extracted token; defined out of line.
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const std::string& token,
                        const req_state* s) const;

  // Stores the three collaborators.  `cct` and `extractor` are const members
  // and therefore must be set in the initializer list as well; those entries
  // are not shown in this rendering, only the trailing `apl_factory(...)`.
  WebTokenEngine(CephContext* const cct,
                 const rgw::auth::TokenExtractor* const extractor,
                 const rgw::auth::WebIdentityApplier::Factory* const apl_factory)
    apl_factory(apl_factory) {

  // Engine name used in logs/registries.  (Closing brace not shown.)
  const char* get_name() const noexcept override {
    return "rgw::auth::sts::WebTokenEngine";

  // rgw::auth::Engine entry point: pull the token out of the request via the
  // extractor, then delegate to the three-argument overload above.
  // (Closing brace not shown.)
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const req_state* const s) const override {
    return authenticate(dpp, extractor->get_token(s), s);
}; /* class WebTokenEngine */
/* Default STS auth strategy.  It owns a single WebTokenEngine and also plays
 * two supporting roles for it: it is the TokenExtractor that reads the token
 * from the request, and the Factory that turns accepted claims into an
 * identity applier.
 *
 * NOTE(review): several source lines are not present in this rendering
 * (access specifiers, the first lines of the ctor initializer list, one
 * parameter line of create_apl_web_identity, and closing braces). */
class DefaultStrategy : public rgw::auth::Strategy,
                        public rgw::auth::TokenExtractor,
                        public rgw::auth::WebIdentityApplier::Factory {
  // Backing store handed to the applier; non-owning.
  RGWRados* const store;

  // The only engine this strategy registers (see the ctor body).
  const WebTokenEngine web_token_engine;

  using aplptr_t = rgw::auth::IdentityApplier::aplptr_t;

  /* TokenExtractor implementation: the web identity token is taken verbatim
   * from the request's "WebIdentityToken" argument.  Whether a missing
   * argument yields an empty string or something else depends on
   * req_info::args.get(), which is not visible here. */
  std::string get_token(const req_state* const s) const override {
    return s->info.args.get("WebIdentityToken");

  // Factory implementation: wrap a WebIdentityApplier for the accepted claims
  // with rgw::auth::add_sysreq (from rgw_auth_filters.h) and hand it back as a
  // heap-allocated aplptr_t.
  // NOTE(review): `s` is used in the body but is not among the parameters
  // shown — the parameter line carrying the req_state is one of the lines
  // this rendering drops.
  aplptr_t create_apl_web_identity( CephContext* cct,
                                    const rgw::web_idp::WebTokenClaims& token) const override {
    auto apl = rgw::auth::add_sysreq(cct, store, s,
                                     rgw::auth::WebIdentityApplier(cct, store, token));
    return aplptr_t(new decltype(apl)(std::move(apl)));

  // Builds the engine with this object acting as both its TokenExtractor and
  // its Factory (the two static_casts below look like arguments of the
  // web_token_engine member initializer; its leading lines are not shown).
  DefaultStrategy(CephContext* const cct,
                  RGWRados* const store)
                  static_cast<rgw::auth::TokenExtractor*>(this),
                  static_cast<rgw::auth::WebIdentityApplier::Factory*>(this)) {
    /* By the time the constructor body runs, every member engine has been
     * initialized, so it is safe to register them here. */
    using Control = rgw::auth::Strategy::Control;
    // A single engine, registered as SUFFICIENT for this strategy.
    add_engine(Control::SUFFICIENT, web_token_engine);

  // Strategy name used in logs/registries.  (Closing brace not shown.)
  const char* get_name() const noexcept override {
    return "rgw::auth::sts::DefaultStrategy";
93 }; /* namespace sts */
94 }; /* namespace auth */
/* Common base for the STS REST operations below.  Permission checking and
 * response writing are shared and defined out of line; the members this
 * rendering does not show (lines between the class header and the ctor) are
 * not documented here. */
class RGWREST_STS : public RGWRESTOp {
  RGWREST_STS() = default;
  // Shared authorization check for STS ops; RGWSTSGetSessionToken overrides it.
  int verify_permission() override;
  // Shared response serialization for STS ops.
  void send_response() override;
/* STS AssumeRoleWithWebIdentity operation.  Only `roleSessionName` is visible
 * among its request fields in this rendering; the surrounding member lines
 * are not shown. */
class RGWSTSAssumeRoleWithWebIdentity : public RGWREST_STS {
  // Session name supplied by the caller; presumably copied from request input.
  string roleSessionName;

  RGWSTSAssumeRoleWithWebIdentity() = default;
  // Performs the role assumption; defined out of line.
  void execute() override;

  const char* name() const override { return "assume_role_web_identity"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE_WEB_IDENTITY; }
/* STS AssumeRole operation (authenticated-caller variant).  Only
 * `roleSessionName` is visible among its request fields in this rendering;
 * the surrounding member lines are not shown. */
class RGWSTSAssumeRole : public RGWREST_STS {
  // Session name supplied by the caller; presumably copied from request input.
  string roleSessionName;

  RGWSTSAssumeRole() = default;
  // Performs the role assumption; defined out of line.
  void execute() override;

  const char* name() const override { return "assume_role"; }
  RGWOpType get_type() override { return RGW_STS_ASSUME_ROLE; }
/* STS GetSessionToken operation.  Unlike the two AssumeRole ops it supplies
 * its own verify_permission(), so the shared RGWREST_STS check does not apply
 * to it — keep that in mind when auditing STS authorization. */
class RGWSTSGetSessionToken : public RGWREST_STS {
  RGWSTSGetSessionToken() = default;
  // Issues the session token; defined out of line.
  void execute() override;
  // Op-specific authorization; defined out of line.
  int verify_permission() override;

  const char* name() const override { return "get_session_token"; }
  RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
// Static STS authorization entry point: runs the strategies in `auth_registry`
// against the request `s`, logging through `dpp`.  Return value convention is
// not visible here (presumably 0 on success, negative errno otherwise — confirm
// in the .cc).  The class that declares this member is not shown in this
// rendering.
static int authorize(const DoutPrefixProvider* dpp,
                     const rgw::auth::StrategyRegistry& auth_registry,
                     struct req_state* s);
/* REST handler for the STS endpoint: maps POST requests to the STS ops and
 * runs authorization through the strategy registry it was given.
 *
 * NOTE(review): access specifiers, the first line of the ctor initializer
 * list and one parameter line of init() are not present in this rendering. */
class RGWHandler_REST_STS : public RGWHandler_REST {
  // Registry of auth strategies; a reference, so it must outlive this handler.
  const rgw::auth::StrategyRegistry& auth_registry;
  // NOTE(review): reference member bound to the ctor argument.  When the
  // ctor's default argument ("") is used, that argument is a temporary
  // std::string that is destroyed at the end of the construction expression,
  // leaving this member dangling; any later read (e.g. from
  // rgw_sts_parse_input()) is then a use-after-scope.  Even with an explicit
  // argument the member only stays valid as long as the caller's string does.
  // Storing a std::string by value here would remove both hazards without
  // changing the ctor signature.
  const string& post_body;
  // Selects the STS op for a POST; defined out of line.
  RGWOp* op_post() override;
  // Parses STS request input (presumably from post_body / request args);
  // defined out of line.
  void rgw_sts_parse_input();

  // Header-based initialisation shared with the other REST handlers.
  static int init_from_header(struct req_state* s,
                              int default_formatter,
                              bool configurable_format);

  // Initializer entries are shown only from `auth_registry(...)` onward.
  RGWHandler_REST_STS(const rgw::auth::StrategyRegistry& auth_registry,
                      const string& post_body = "")
    auth_registry(auth_registry),
    post_body(post_body) {}
  ~RGWHandler_REST_STS() override = default;

  // Per-request setup; the req_state parameter line is not shown here.
  int init(RGWRados* store,
           rgw::io::BasicClient* cio) override;
  // Runs STS authorization for the current request; defined out of line.
  int authorize(const DoutPrefixProvider* dpp) override;
  // No post-auth work for STS.
  int postauth_init() override { return 0; }
/* REST manager for the STS endpoint: resolves the resource manager for a URI
 * and creates the per-request handler.  The body of get_resource_mgr() and the
 * class's closing lines are not present in this rendering. */
class RGWRESTMgr_STS : public RGWRESTMgr {
  RGWRESTMgr_STS() = default;
  ~RGWRESTMgr_STS() override = default;

  // Resource-manager lookup for `uri`; `out_uri` receives the (possibly
  // rewritten) URI.  Body not shown here.
  RGWRESTMgr* get_resource_mgr(struct req_state* const s,
                               const std::string& uri,
                               std::string* const out_uri) override {

  // Creates the RGWHandler_REST_STS for a request; defined out of line.
  RGWHandler_REST* get_handler(struct req_state*,
                               const rgw::auth::StrategyRegistry&,
                               const std::string&) override;
201 #endif /* CEPH_RGW_REST_STS_H */