1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
9 #include "rgw_web_idp.h"
13 class AssumeRoleRequestBase
{
15 static constexpr uint64_t MIN_POLICY_SIZE
= 1;
16 static constexpr uint64_t MAX_POLICY_SIZE
= 2048;
17 static constexpr uint64_t DEFAULT_DURATION_IN_SECS
= 3600;
18 static constexpr uint64_t MIN_DURATION_IN_SECS
= 900;
19 static constexpr uint64_t MIN_ROLE_ARN_SIZE
= 2;
20 static constexpr uint64_t MAX_ROLE_ARN_SIZE
= 2048;
21 static constexpr uint64_t MIN_ROLE_SESSION_SIZE
= 2;
22 static constexpr uint64_t MAX_ROLE_SESSION_SIZE
= 64;
23 uint64_t MAX_DURATION_IN_SECS
;
27 string roleSessionName
;
29 AssumeRoleRequestBase(const string
& duration
,
30 const string
& iamPolicy
,
31 const string
& roleArn
,
32 const string
& roleSessionName
);
// Role ARN exactly as the caller supplied it. No validation happens here;
// the MIN_ROLE_ARN_SIZE/MAX_ROLE_ARN_SIZE bounds are presumably applied by
// validate_input() (body not in this header). The returned reference is
// valid only as long as this request object lives.
const string& getRoleARN() const
{
  return roleArn;
}
// Session name chosen by the caller for the assumed-role session, unmodified.
// Length bounds (MIN_ROLE_SESSION_SIZE..MAX_ROLE_SESSION_SIZE) are presumably
// enforced by validate_input(), so treat the value as untrusted until then.
const string& getRoleSessionName() const
{
  return roleSessionName;
}
// Inline session policy document as received from the caller. This is
// caller-controlled input; the MIN_POLICY_SIZE/MAX_POLICY_SIZE bounds are
// presumably checked in validate_input(), and parsing happens elsewhere.
const string& getPolicy() const
{
  return iamPolicy;
}
// Upper bound on the size of an inline session policy. Returns a reference
// to the static constexpr member, which is well-formed since C++17 (static
// constexpr data members are implicitly inline).
static const uint64_t& getMaxPolicySize()
{
  return MAX_POLICY_SIZE;
}
// Sets the per-request ceiling on session duration. Despite the ALL_CAPS
// name, MAX_DURATION_IN_SECS is a mutable instance member, not a constant;
// it is presumably consulted by validate_input() when checking the requested
// duration -- confirm in the implementation file. No range check is done
// here (e.g. against MIN_DURATION_IN_SECS).
void setMaxDuration(const uint64_t& maxDuration)
{
  MAX_DURATION_IN_SECS = maxDuration;
}
// Requested session duration in seconds. How the string `duration` passed to
// the constructor becomes this integer is not visible here (constructor body
// lives in the implementation file).
const uint64_t& getDuration() const
{
  return duration;
}
39 int validate_input() const;
42 class AssumeRoleWithWebIdentityRequest
: public AssumeRoleRequestBase
{
43 static constexpr uint64_t MIN_PROVIDER_ID_LEN
= 4;
44 static constexpr uint64_t MAX_PROVIDER_ID_LEN
= 2048;
51 AssumeRoleWithWebIdentityRequest( const string
& duration
,
52 const string
& providerId
,
53 const string
& iamPolicy
,
54 const string
& roleArn
,
55 const string
& roleSessionName
,
59 : AssumeRoleRequestBase(duration
, iamPolicy
, roleArn
, roleSessionName
),
60 providerId(providerId
), iss(iss
), sub(sub
), aud(aud
) {}
// Identity-provider identifier given in the request. The
// MIN_PROVIDER_ID_LEN/MAX_PROVIDER_ID_LEN bounds are presumably enforced by
// validate_input(), not by this accessor.
const string& getProviderId() const
{
  return providerId;
}
// The `iss` value handed to the constructor (presumably the issuer claim of
// the web identity token -- confirm at the call site). Returned as-is; this
// class performs no token verification.
const string& getIss() const
{
  return iss;
}
// The `aud` value handed to the constructor (presumably the audience claim
// of the web identity token -- confirm at the call site). Not validated here.
const string& getAud() const
{
  return aud;
}
// The `sub` value handed to the constructor (presumably the subject claim of
// the web identity token -- confirm at the call site). Not validated here.
const string& getSub() const
{
  return sub;
}
65 int validate_input() const;
68 class AssumeRoleRequest
: public AssumeRoleRequestBase
{
69 static constexpr uint64_t MIN_EXTERNAL_ID_LEN
= 2;
70 static constexpr uint64_t MAX_EXTERNAL_ID_LEN
= 1224;
71 static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE
= 9;
72 static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE
= 256;
73 static constexpr uint64_t TOKEN_CODE_SIZE
= 6;
// Builds an AssumeRole request from the raw request parameters. Every
// argument is copied as received; none is checked here. Bounds such as
// MIN/MAX_EXTERNAL_ID_LEN, MIN/MAX_SERIAL_NUMBER_SIZE and TOKEN_CODE_SIZE are
// presumably applied later by validate_input().
//
//   duration         requested session duration, still in string form
//   externalId       ExternalId value supplied by the caller
//   iamPolicy        inline session policy document
//   roleArn          ARN of the role to assume
//   roleSessionName  caller-chosen session name
//   serialNumber     MFA device serial number
//   tokenCode        MFA token code
AssumeRoleRequest(const string& duration,
                  const string& externalId,
                  const string& iamPolicy,
                  const string& roleArn,
                  const string& roleSessionName,
                  const string& serialNumber,
                  const string& tokenCode)
  : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
    externalId(externalId),
    serialNumber(serialNumber),
    tokenCode(tokenCode)
{
}
87 int validate_input() const;
90 class GetSessionTokenRequest
{
92 static constexpr uint64_t MIN_DURATION_IN_SECS
= 900;
93 static constexpr uint64_t DEFAULT_DURATION_IN_SECS
= 3600;
99 GetSessionTokenRequest(const string
& duration
, const string
& serialNumber
, const string
& tokenCode
);
// Session duration in seconds for the GetSessionToken request. Conversion
// from the constructor's string argument happens in the implementation file.
const uint64_t& getDuration() const
{
  return duration;
}
// Smallest session duration this request type accepts (900 s). Returns a
// reference to the static constexpr member; well-formed under C++17.
static const uint64_t& getMinDuration()
{
  return MIN_DURATION_IN_SECS;
}
105 class AssumedRoleUser
{
109 int generateAssumedRoleUser( CephContext
* cct
,
111 const string
& roleId
,
112 const rgw::IAM::ARN
& roleArn
,
113 const string
& roleSessionName
);
// ARN of the assumed-role user as produced by generateAssumedRoleUser().
// Empty until that call has succeeded (member is populated there, not here).
const string& getARN() const
{
  return arn;
}
// Assumed-role id built by generateAssumedRoleUser(); returned by reference,
// so the view is tied to this object's lifetime.
const string& getAssumeRoleId() const
{
  return assumeRoleId;
}
116 void dump(Formatter
*f
) const;
119 struct SessionToken
{
120 string access_key_id
;
121 string secret_access_key
;
133 void encode(bufferlist
& bl
) const {
134 ENCODE_START(1, 1, bl
);
135 encode(access_key_id
, bl
);
136 encode(secret_access_key
, bl
);
137 encode(expiration
, bl
);
141 encode(acct_name
, bl
);
142 encode(perm_mask
, bl
);
143 encode(is_admin
, bl
);
144 encode(acct_type
, bl
);
148 void decode(bufferlist::const_iterator
& bl
) {
150 decode(access_key_id
, bl
);
151 decode(secret_access_key
, bl
);
152 decode(expiration
, bl
);
156 decode(acct_name
, bl
);
157 decode(perm_mask
, bl
);
158 decode(is_admin
, bl
);
159 decode(acct_type
, bl
);
163 WRITE_CLASS_ENCODER(SessionToken
)
166 static constexpr int MAX_ACCESS_KEY_LEN
= 20;
167 static constexpr int MAX_SECRET_KEY_LEN
= 40;
170 string secretAccessKey
;
173 int generateCredentials(CephContext
* cct
,
174 const uint64_t& duration
,
175 const boost::optional
<string
>& policy
,
176 const boost::optional
<string
>& roleId
,
177 boost::optional
<rgw_user
> user
,
178 rgw::auth::Identity
* identity
);
// Temporary access key id issued by generateCredentials(). Bounded by
// MAX_ACCESS_KEY_LEN (20) at generation time (logic in the implementation).
const string& getAccessKeyId() const
{
  return accessKeyId;
}
// Expiration of the temporary credentials, kept as a string; format and
// timezone are decided in generateCredentials(), not visible here.
const string& getExpiration() const
{
  return expiration;
}
// Plaintext secret of the temporary credentials (length governed by
// MAX_SECRET_KEY_LEN). Sensitive: callers must not log or persist the
// returned value outside the credential response itself.
const string& getSecretAccessKey() const
{
  return secretAccessKey;
}
// Opaque session token string handed back to the client. Its contents are
// produced by generateCredentials(); since SessionToken::encode() serializes
// secret_access_key, treat this value as a bearer secret.
const string& getSessionToken() const
{
  return sessionToken;
}
183 void dump(Formatter
*f
) const;
186 struct AssumeRoleResponse
{
188 AssumedRoleUser user
;
190 uint64_t packedPolicySize
;
193 struct AssumeRoleWithWebIdentityResponse
{
194 AssumeRoleResponse assumeRoleResp
;
// Result types used by STSService. The elaborated `struct` form refers to
// the structs of the same name declared earlier in this header.
// GetSessionTokenResponse pairs an int status (presumably errno-style, 0 on
// success -- confirm against STSService::getSessionToken) with the issued
// Credentials.
using AssumeRoleResponse = struct AssumeRoleResponse;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
209 rgw::auth::Identity
* identity
;
210 int storeARN(string
& arn
);
// Default-constructed service has no context, store or identity wired in;
// the raw pointer members are non-owning and stay unset until the
// parameterized constructor is used.
STSService() = default;

// Wires the service to the RADOS context and store it operates on, the user
// the request runs as, and the authenticated identity. Pointers are borrowed
// (not owned) and must outlive this object; user_id is copied.
STSService(CephContext* cct,
           RGWRados* store,
           rgw_user user_id,
           rgw::auth::Identity* identity)
  : cct(cct),
    store(store),
    user_id(user_id),
    identity(identity)
{
}
214 std::tuple
<int, RGWRole
> getRoleInfo(const string
& arn
);
215 AssumeRoleResponse
assumeRole(AssumeRoleRequest
& req
);
216 GetSessionTokenResponse
getSessionToken(GetSessionTokenRequest
& req
);
217 AssumeRoleWithWebIdentityResponse
assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest
& req
);
220 #endif /* CEPH_RGW_STS_H */