1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3
4 #ifndef CEPH_RGW_STS_H
5 #define CEPH_RGW_STS_H
6
7 #include "rgw_role.h"
8 #include "rgw_auth.h"
9 #include "rgw_web_idp.h"
10
11 namespace STS {
12
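// Common state and limits for the AssumeRole* request types.
//
// Holds the fields shared by AssumeRole and AssumeRoleWithWebIdentity
// (requested duration, inline session policy, role ARN, session name) and
// the bounds that validate_input() applies to them.
class AssumeRoleRequestBase {
protected:
  // Bounds on the request fields. Sizes are in bytes, durations in seconds.
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  // Upper bound on the requested duration. Unlike the constants above it
  // is set per request via setMaxDuration() (presumably from the role's
  // own max-session setting — confirm in the caller). Zero-initialised so
  // that a request whose limit was never set compares against 0 rather
  // than an indeterminate value.
  uint64_t MAX_DURATION_IN_SECS{0};
  // Requested session duration in seconds; filled in by the constructor.
  uint64_t duration{0};
  // Optional inline session policy document (JSON) supplied by the caller.
  string iamPolicy;
  string roleArn;
  string roleSessionName;
public:
  // All inputs arrive as the raw request strings; the constructor (defined
  // in rgw_sts.cc) is responsible for turning `duration` into seconds.
  AssumeRoleRequestBase(const string& duration,
                        const string& iamPolicy,
                        const string& roleArn,
                        const string& roleSessionName);
  const string& getRoleARN() const { return roleArn; }
  const string& getRoleSessionName() const { return roleSessionName; }
  const string& getPolicy() const { return iamPolicy; }
  // Returns a reference to a static constexpr member; that ODR-use is fine
  // under C++17, where such members are implicitly inline.
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  // Must be called before validate_input() for the duration check to be
  // meaningful.
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  // Checks the fields against the bounds above. Defined in rgw_sts.cc;
  // the return convention is not visible here (presumably 0 on success,
  // negative error code otherwise — confirm).
  int validate_input() const;
};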
41
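// AssumeRoleWithWebIdentity request: the common AssumeRole fields plus the
// identity-provider id and the claims taken from the web identity token.
//
// The session policy lives only in the base class. This class used to
// declare a second `iamPolicy` member that shadowed the base's and was
// never initialised by the constructor (it passed the policy straight to
// the base), so any read of the derived member saw an empty string.
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  // Bounds on providerId, in bytes; applied by validate_input().
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  string providerId;
  // Claims carried by the web identity token: issuer, subject, audience.
  // They are stored as given; whatever verified the token is not visible
  // in this header.
  string iss;
  string sub;
  string aud;
public:
  AssumeRoleWithWebIdentityRequest(const string& duration,
                                   const string& providerId,
                                   const string& iamPolicy,
                                   const string& roleArn,
                                   const string& roleSessionName,
                                   const string& iss,
                                   const string& sub,
                                   const string& aud)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const string& getProviderId() const { return providerId; }
  const string& getIss() const { return iss; }
  const string& getAud() const { return aud; }
  const string& getSub() const { return sub; }
  // Validates providerId in addition to the base-class checks. Defined in
  // rgw_sts.cc.
  int validate_input() const;
};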
67
// AssumeRole request: the common fields plus an optional external id and
// the MFA device inputs (serial number and one-time token code).
class AssumeRoleRequest : public AssumeRoleRequestBase {
  // Bounds on the fields below, in bytes; applied by validate_input().
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;

  string externalId;
  string serialNumber;
  string tokenCode;

public:
  AssumeRoleRequest(const string& duration,
                    const string& externalId,
                    const string& iamPolicy,
                    const string& roleArn,
                    const string& roleSessionName,
                    const string& serialNumber,
                    const string& tokenCode)
    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId),
      serialNumber(serialNumber),
      tokenCode(tokenCode)
  {}

  // Checks externalId / serialNumber / tokenCode against the bounds above
  // on top of the base-class checks. Defined in rgw_sts.cc.
  int validate_input() const;
};
89
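// GetSessionToken request: a duration plus the MFA device inputs.
class GetSessionTokenRequest {
protected:
  // Duration bounds in seconds. There is no static maximum here; the
  // caller is expected to apply one (not visible in this header).
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  // Requested duration in seconds; filled in by the constructor.
  // Zero-initialised so a partially constructed object never exposes an
  // indeterminate value.
  uint64_t duration{0};
  string serialNumber;
  string tokenCode;

public:
  // The constructor (defined in rgw_sts.cc) turns `duration` from its
  // request-string form into seconds.
  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  // Reference to a static constexpr member: fine under C++17 where such
  // members are implicitly inline.
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};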
104
// The "AssumedRoleUser" element of an AssumeRole response: the ARN of the
// assumed-role session and its id.
class AssumedRoleUser {
  string arn;
  string assumeRoleId;

public:
  // Derives `arn` and `assumeRoleId` from the role and session name.
  // Defined in rgw_sts.cc; the return convention is not visible here.
  int generateAssumedRoleUser(CephContext* cct,
                              RGWRados* store,
                              const string& roleId,
                              const rgw::ARN& roleArn,
                              const string& roleSessionName);

  const string& getARN() const { return arn; }
  const string& getAssumeRoleId() const { return assumeRoleId; }

  // Writes both fields to the response formatter.
  void dump(Formatter* f) const;
};
118
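// Payload serialised into the session token handed back to the client.
//
// It carries the temporary secret access key and the effective permission
// bits, so the encoded blob is sensitive: it must not reach the client in a
// form the client can read or alter. Whatever protects it (encryption /
// authentication of the blob) happens outside this header — confirm in
// rgw_sts.cc before relying on it.
struct SessionToken {
  string access_key_id;
  string secret_access_key;
  string expiration;
  // Inline session policy, if one was supplied with the request.
  string policy;
  string roleId;
  rgw_user user;
  string acct_name;
  // Scalars are initialised to the least-privileged values so that a token
  // constructed but never decoded cannot carry indeterminate permission
  // bits or an indeterminate admin flag.
  uint32_t perm_mask{0};
  bool is_admin{false};
  uint32_t acct_type{0};

  SessionToken() = default;

  // Ceph-standard encoding (version 1, compat 1). Field order is the
  // on-the-wire format and must stay in sync with decode().
  void encode(bufferlist& bl) const {
    ENCODE_START(1, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    ENCODE_FINISH(bl);
  }

  // Inverse of encode(); reads the same fields in the same order.
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(1, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)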
164
// Temporary credentials returned by the STS operations: access key id,
// secret key, expiration and the opaque session token.
class Credentials {
  // Lengths used when generating the key pair (in rgw_sts.cc — not
  // visible here).
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;

  string accessKeyId;
  string expiration;
  string secretAccessKey;
  string sessionToken;

public:
  // Fills in all four fields for a session of `duration` seconds.
  // `policy`, `roleId` and `user` are absent for the variants that do not
  // carry them. Defined in rgw_sts.cc; the return convention is not
  // visible here.
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<string>& policy,
                          const boost::optional<string>& roleId,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);

  const string& getAccessKeyId() const { return accessKeyId; }
  const string& getExpiration() const { return expiration; }
  const string& getSecretAccessKey() const { return secretAccessKey; }
  const string& getSessionToken() const { return sessionToken; }

  // Writes the credentials to the response formatter.
  void dump(Formatter* f) const;
};
185
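// Result of STSService::assumeRole(). Aggregate; field order is part of
// the initialisation interface and must not change.
struct AssumeRoleResponse {
  // Status of the request (presumably 0 on success, negative error code
  // otherwise, as elsewhere in rgw — confirm in rgw_sts.cc). Zero-
  // initialised so an untouched response does not read as garbage.
  int retCode{0};
  AssumedRoleUser user;
  Credentials creds;
  // Size of the packed session policy, if one was supplied.
  uint64_t packedPolicySize{0};
};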
192
// Result of STSService::assumeRoleWithWebIdentity(): the plain AssumeRole
// result plus the identity-provider details echoed from the request.
// Aggregate; field order is part of the initialisation interface.
struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  // Audience, provider id and subject as they appeared in the request.
  string aud;
  string providerId;
  string sub;
};
199
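// Result of STSService::getSessionToken(): status code plus credentials.
// (The former `using AssumeRoleResponse = struct AssumeRoleResponse;` and
// `using AssumeRoleWithWebIdentityResponse = struct ...;` lines were
// redeclarations of names already defined above in this namespace and
// have been dropped; both types are still reachable under the same names.)
using GetSessionTokenResponse = std::tuple<int, Credentials>;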
203
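// Entry point for the STS operations (AssumeRole, GetSessionToken,
// AssumeRoleWithWebIdentity). Holds the non-owning context the operations
// need: the CephContext, the RADOS store, the calling user and its
// authenticated identity.
class STSService {
  // Non-owning; the caller keeps these alive for the service's lifetime.
  // Initialised to nullptr so a default-constructed service is at least
  // detectably empty rather than holding indeterminate pointers.
  CephContext* cct{nullptr};
  RGWRados* store{nullptr};
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity{nullptr};

  // Defined in rgw_sts.cc; what it stores and where is not visible here.
  int storeARN(string& arn);

public:
  STSService() = default;
  STSService(CephContext* cct, RGWRados* store, rgw_user user_id, rgw::auth::Identity* identity)
    : cct(cct), store(store), user_id(user_id), identity(identity) {}

  // Looks up the role named by `arn`; returns a status code and the role.
  std::tuple<int, RGWRole> getRoleInfo(const string& arn);
  // The request objects are taken by non-const reference: the service may
  // adjust them (e.g. via setMaxDuration()) before validating.
  AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};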
219 }
220 #endif /* CEPH_RGW_STS_H */