1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
9 #include "rgw_web_idp.h"
// Common request state for AssumeRole and AssumeRoleWithWebIdentity
// (both derive from this class below). Holds the caller-supplied role ARN,
// session name, optional inline policy and requested duration, plus the
// size limits that validate_input() is expected to enforce.
// NOTE: several member declarations of this class (the stored duration,
// policy and ARN strings among them) are not in this excerpt; the getters
// below return them.
13 class AssumeRoleRequestBase
{
// Inline session policy length limits, in bytes.
15 static constexpr uint64_t MIN_POLICY_SIZE
= 1;
16 static constexpr uint64_t MAX_POLICY_SIZE
= 2048;
// Session length used when the request carries no DurationSeconds
// (presumably applied in the constructor, whose body is not shown here).
17 static constexpr uint64_t DEFAULT_DURATION_IN_SECS
= 3600;
// RoleArn length limits, in bytes.
18 static constexpr uint64_t MIN_ROLE_ARN_SIZE
= 2;
19 static constexpr uint64_t MAX_ROLE_ARN_SIZE
= 2048;
// RoleSessionName length limits, in bytes.
20 static constexpr uint64_t MIN_ROLE_SESSION_SIZE
= 2;
21 static constexpr uint64_t MAX_ROLE_SESSION_SIZE
= 64;
// Duration bounds are per-instance (not constexpr): MAX_DURATION_IN_SECS is
// overwritten through setMaxDuration() so the upper bound can follow the
// role being assumed rather than a compile-time constant.
22 uint64_t MIN_DURATION_IN_SECS
;
23 uint64_t MAX_DURATION_IN_SECS
;
29 string roleSessionName
;
// All inputs arrive as raw request strings (duration included); parsing
// and range checks happen in the constructor / validate_input(), whose
// bodies live in the .cc file.
31 AssumeRoleRequestBase(CephContext
* cct
,
32 const string
& duration
,
33 const string
& iamPolicy
,
34 const string
& roleArn
,
35 const string
& roleSessionName
);
36 const string
& getRoleARN() const { return roleArn
; }
37 const string
& getRoleSessionName() const { return roleSessionName
; }
38 const string
& getPolicy() const {return iamPolicy
; }
// Returns a reference to a static constexpr member; that ODR-uses it, which
// is fine from C++17 on (implicitly inline) but needs an out-of-line
// definition under older standards.
39 static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE
; }
// Caller-supplied ceiling for the session duration (e.g. the role's own
// maximum); validate_input() presumably checks duration against it — confirm.
40 void setMaxDuration(const uint64_t& maxDuration
) { MAX_DURATION_IN_SECS
= maxDuration
; }
41 const uint64_t& getDuration() const { return duration
; }
// Not virtual: the derived classes declare their own validate_input(),
// which hides this one, so call it through the concrete request type.
// Return convention is not visible here — presumably 0 on success and a
// negative errno on a rejected request (Ceph convention); confirm in rgw_sts.cc.
42 int validate_input() const;
// AssumeRoleWithWebIdentity request: the base request plus the identity
// provider id and the token claims (iss/sub/aud — named after the JWT
// registered claims, presumably taken from the verified web-identity token).
45 class AssumeRoleWithWebIdentityRequest
: public AssumeRoleRequestBase
{
// ProviderId length limits, in bytes.
46 static constexpr uint64_t MIN_PROVIDER_ID_LEN
= 4;
47 static constexpr uint64_t MAX_PROVIDER_ID_LEN
= 2048;
// NOTE: the parameter lines for iss, sub and aud are not in this excerpt,
// but the initializer list below copies them into members (whose
// declarations are likewise not shown).
54 AssumeRoleWithWebIdentityRequest( CephContext
* cct
,
55 const string
& duration
,
56 const string
& providerId
,
57 const string
& iamPolicy
,
58 const string
& roleArn
,
59 const string
& roleSessionName
,
63 : AssumeRoleRequestBase(cct
, duration
, iamPolicy
, roleArn
, roleSessionName
),
64 providerId(providerId
), iss(iss
), sub(sub
), aud(aud
) {}
65 const string
& getProviderId() const { return providerId
; }
66 const string
& getIss() const { return iss
; }
67 const string
& getAud() const { return aud
; }
68 const string
& getSub() const { return sub
; }
// Hides (does not override) AssumeRoleRequestBase::validate_input(), which
// is not virtual; expected to apply the provider-id limits above in
// addition to the base checks — body in rgw_sts.cc.
69 int validate_input() const;
// Plain AssumeRole request: the base request plus ExternalId and the MFA
// fields (SerialNumber / TokenCode).
72 class AssumeRoleRequest
: public AssumeRoleRequestBase
{
// ExternalId length limits, in bytes.
73 static constexpr uint64_t MIN_EXTERNAL_ID_LEN
= 2;
74 static constexpr uint64_t MAX_EXTERNAL_ID_LEN
= 1224;
// MFA device SerialNumber length limits, in bytes.
75 static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE
= 9;
76 static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE
= 256;
// Exact length of the MFA TokenCode (a six-digit one-time code, presumably).
77 static constexpr uint64_t TOKEN_CODE_SIZE
= 6;
// Forwards the common fields to the base and copies externalId,
// serialNumber and tokenCode into members whose declarations are not in
// this excerpt.
82 AssumeRoleRequest(CephContext
* cct
,
83 const string
& duration
,
84 const string
& externalId
,
85 const string
& iamPolicy
,
86 const string
& roleArn
,
87 const string
& roleSessionName
,
88 const string
& serialNumber
,
89 const string
& tokenCode
)
90 : AssumeRoleRequestBase(cct
, duration
, iamPolicy
, roleArn
, roleSessionName
),
91 externalId(externalId
), serialNumber(serialNumber
), tokenCode(tokenCode
){}
// Hides (does not override) AssumeRoleRequestBase::validate_input(), which
// is not virtual; expected to check the ExternalId / SerialNumber /
// TokenCode limits above on top of the base checks — body in rgw_sts.cc.
92 int validate_input() const;
// GetSessionToken request: duration plus optional MFA SerialNumber /
// TokenCode. Unlike the AssumeRole* requests it does not derive from
// AssumeRoleRequestBase, so it carries its own duration constants.
95 class GetSessionTokenRequest
{
// Lower bound and default for the session duration, in seconds. The
// upper bound is not in this excerpt.
97 static constexpr uint64_t MIN_DURATION_IN_SECS
= 900;
98 static constexpr uint64_t DEFAULT_DURATION_IN_SECS
= 3600;
// All three inputs arrive as raw request strings; parsing of duration
// happens in the constructor (body in rgw_sts.cc).
104 GetSessionTokenRequest(const string
& duration
, const string
& serialNumber
, const string
& tokenCode
);
// Returns the parsed duration member (declaration not in this excerpt).
106 const uint64_t& getDuration() const { return duration
; }
107 static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS
; }
// The AssumedRoleUser element of an AssumeRole response: the ARN of the
// assumed role session and the assumed-role id.
110 class AssumedRoleUser
{
// Builds arn / assumeRoleId for the given role and session name. Returns
// an int status (convention not visible here — presumably 0 on success).
// store is taken as a raw pointer; ownership stays with the caller.
114 int generateAssumedRoleUser( CephContext
* cct
,
115 rgw::sal::RGWRadosStore
*store
,
116 const string
& roleId
,
117 const rgw::ARN
& roleArn
,
118 const string
& roleSessionName
);
// Accessors for the members (their declarations are not in this excerpt).
119 const string
& getARN() const { return arn
; }
120 const string
& getAssumeRoleId() const { return assumeRoleId
; }
// Writes the element to the response formatter.
121 void dump(Formatter
*f
) const;
// Payload of an STS session token. Besides the temporary credentials it
// carries authorization state (perm_mask, is_admin, acct_type) that the
// service will trust again when the token comes back from the client.
// NOTE(review): because of that, the serialized blob must be
// integrity-protected (and, since it contains secret_access_key,
// confidentiality-protected) before it is handed out, and verified before
// decode() is called on anything a client sent. That wrapping is not in
// this header — confirm where it is applied in the .cc.
// Several members referenced by encode()/decode() (expiration, acct_name,
// perm_mask, is_admin, acct_type, role_session, issued_at) are declared
// on lines not included in this excerpt.
124 struct SessionToken
{
125 string access_key_id
;
// Secret material: never log or dump this field.
126 string secret_access_key
;
136 std::vector
<string
> token_claims
;
// Serializes the token. Struct version 4, compatible back to version 1;
// the field order here is the wire format and decode() must read the
// same order.
141 void encode(bufferlist
& bl
) const {
142 ENCODE_START(4, 1, bl
);
143 encode(access_key_id
, bl
);
144 encode(secret_access_key
, bl
);
145 encode(expiration
, bl
);
149 encode(acct_name
, bl
);
150 encode(perm_mask
, bl
);
151 encode(is_admin
, bl
);
152 encode(acct_type
, bl
);
153 encode(role_session
, bl
);
154 encode(token_claims
, bl
);
155 encode(issued_at
, bl
);
// Deserializes a token. The fields appear in the same order as in
// encode(). The DECODE_START / struct_v version-gating lines are not in
// this excerpt — verify that fields added after version 1 are only read
// when struct_v permits, otherwise an old token under-reads.
159 void decode(bufferlist::const_iterator
& bl
) {
161 decode(access_key_id
, bl
);
162 decode(secret_access_key
, bl
);
163 decode(expiration
, bl
);
167 decode(acct_name
, bl
);
168 decode(perm_mask
, bl
);
169 decode(is_admin
, bl
);
170 decode(acct_type
, bl
);
172 decode(role_session
, bl
);
175 decode(token_claims
, bl
);
178 decode(issued_at
, bl
);
// Ceph macro generating the free encode()/decode() overloads that let
// SessionToken be encoded like any other encodable type.
183 WRITE_CLASS_ENCODER(SessionToken
)
// Lengths of the generated temporary key pair; they match the AWS-style
// access key id (20 chars) and secret key (40 chars) sizes.
186 static constexpr int MAX_ACCESS_KEY_LEN
= 20;
187 static constexpr int MAX_SECRET_KEY_LEN
= 40;
// Secret material: never log this; it leaves the process only through the
// deliberate response path.
190 string secretAccessKey
;
// Mints a temporary access key / secret / session token for the given
// duration and optional policy, role id, session name and token claims.
// Returns an int status (convention not visible here — presumably 0 on
// success). Note that token_claims and user are taken by value while the
// other optionals are const& — token_claims copies its vector on every
// call; consider const& for consistency with the siblings.
193 int generateCredentials(CephContext
* cct
,
194 const uint64_t& duration
,
195 const boost::optional
<string
>& policy
,
196 const boost::optional
<string
>& roleId
,
197 const boost::optional
<string
>& role_session
,
198 const boost::optional
<std::vector
<string
> > token_claims
,
199 boost::optional
<rgw_user
> user
,
200 rgw::auth::Identity
* identity
);
// Accessors for the generated credentials. The accessKeyId, expiration and
// sessionToken member declarations are not in this excerpt.
201 const string
& getAccessKeyId() const { return accessKeyId
; }
202 const string
& getExpiration() const { return expiration
; }
// Exposes secret material; callers must route it straight into the
// response and not into logs.
203 const string
& getSecretAccessKey() const { return secretAccessKey
; }
204 const string
& getSessionToken() const { return sessionToken
; }
// Writes the Credentials element to the response formatter.
205 void dump(Formatter
*f
) const;
// Result of STSService::assumeRole(). Further members of this struct are
// declared on lines not included in this excerpt.
208 struct AssumeRoleResponse
{
210 AssumedRoleUser user
;
// No default member initializer: value-initialize the struct
// (AssumeRoleResponse{}) when returning a partially filled response so
// this does not carry an indeterminate value.
212 uint64_t packedPolicySize
;
// Result of STSService::assumeRoleWithWebIdentity(): wraps a plain
// AssumeRoleResponse (additional members, if any, are not in this excerpt).
215 struct AssumeRoleWithWebIdentityResponse
{
216 AssumeRoleResponse assumeRoleResp
;
// Response type aliases used by STSService. The first and third alias a
// struct to its own name (an elaborated-type-specifier), which is a no-op;
// GetSessionTokenResponse pairs a status int (presumably 0 on success)
// with the minted Credentials.
222 using AssumeRoleResponse
= struct AssumeRoleResponse
;
223 using GetSessionTokenResponse
= std::tuple
<int, Credentials
>;
224 using AssumeRoleWithWebIdentityResponse
= struct AssumeRoleWithWebIdentityResponse
;
// STSService state (the class header and some members are on lines not
// included in this excerpt). store and identity are non-owning raw
// pointers; their lifetime is managed by the caller that constructs the
// service — presumably the request handler.
228 rgw::sal::RGWRadosStore
*store
;
231 rgw::auth::Identity
* identity
;
// Persists the assumed-role ARN; arn is a non-const reference, so the
// implementation may modify it — confirm in rgw_sts.cc.
232 int storeARN(string
& arn
, optional_yield y
);
// Default constructor leaves the raw pointer members uninitialized unless
// they carry default member initializers (not visible here) — use the
// full constructor before calling any service method.
234 STSService() = default;
// Stores the context, store, acting user and identity; no ownership is
// taken of cct, store or identity.
235 STSService(CephContext
* cct
, rgw::sal::RGWRadosStore
*store
, rgw_user user_id
,
236 rgw::auth::Identity
* identity
)
237 : cct(cct
), store(store
), user_id(user_id
), identity(identity
) {}
// Looks up the role named by arn; the int is a status code (presumably 0
// on success) and the RGWRole is only meaningful when it is.
238 std::tuple
<int, RGWRole
> getRoleInfo(const string
& arn
, optional_yield y
);
// The STS operations. Each takes its request by non-const reference;
// only getters are visible on the request classes in this header, so
// whether the implementation actually mutates req cannot be told here —
// if it does not, const& would document that.
239 AssumeRoleResponse
assumeRole(AssumeRoleRequest
& req
, optional_yield y
);
240 GetSessionTokenResponse
getSessionToken(GetSessionTokenRequest
& req
);
241 AssumeRoleWithWebIdentityResponse
assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest
& req
);
244 #endif /* CEPH_RGW_STS_H */