]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_sts.h
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
update source to Ceph Pacific 16.2.2
[ceph.git] / ceph / src / rgw / rgw_sts.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #ifndef CEPH_RGW_STS_H
5 #define CEPH_RGW_STS_H
6
7 #include "rgw_role.h"
8 #include "rgw_auth.h"
9 #include "rgw_web_idp.h"
10
11 namespace STS {
12
13 class AssumeRoleRequestBase {
14 protected:
15 static constexpr uint64_t MIN_POLICY_SIZE = 1;
16 static constexpr uint64_t MAX_POLICY_SIZE = 2048;
17 static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
18 static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
19 static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
20 static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
21 static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
22 uint64_t MIN_DURATION_IN_SECS;
23 uint64_t MAX_DURATION_IN_SECS;
24 CephContext* cct;
25 uint64_t duration;
26 string err_msg;
27 string iamPolicy;
28 string roleArn;
29 string roleSessionName;
30 public:
31 AssumeRoleRequestBase(CephContext* cct,
32 const string& duration,
33 const string& iamPolicy,
34 const string& roleArn,
35 const string& roleSessionName);
36 const string& getRoleARN() const { return roleArn; }
37 const string& getRoleSessionName() const { return roleSessionName; }
38 const string& getPolicy() const {return iamPolicy; }
39 static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
40 void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
41 const uint64_t& getDuration() const { return duration; }
42 int validate_input() const;
43 };
44
45 class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
46 static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
47 static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
48 string providerId;
49 string iamPolicy;
50 string iss;
51 string sub;
52 string aud;
53 public:
54 AssumeRoleWithWebIdentityRequest( CephContext* cct,
55 const string& duration,
56 const string& providerId,
57 const string& iamPolicy,
58 const string& roleArn,
59 const string& roleSessionName,
60 const string& iss,
61 const string& sub,
62 const string& aud)
63 : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
64 providerId(providerId), iss(iss), sub(sub), aud(aud) {}
65 const string& getProviderId() const { return providerId; }
66 const string& getIss() const { return iss; }
67 const string& getAud() const { return aud; }
68 const string& getSub() const { return sub; }
69 int validate_input() const;
70 };
71
72 class AssumeRoleRequest : public AssumeRoleRequestBase {
73 static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
74 static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
75 static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
76 static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
77 static constexpr uint64_t TOKEN_CODE_SIZE = 6;
78 string externalId;
79 string serialNumber;
80 string tokenCode;
81 public:
82 AssumeRoleRequest(CephContext* cct,
83 const string& duration,
84 const string& externalId,
85 const string& iamPolicy,
86 const string& roleArn,
87 const string& roleSessionName,
88 const string& serialNumber,
89 const string& tokenCode)
90 : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
91 externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
92 int validate_input() const;
93 };
94
95 class GetSessionTokenRequest {
96 protected:
97 static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
98 static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
99 uint64_t duration;
100 string serialNumber;
101 string tokenCode;
102
103 public:
104 GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);
105
106 const uint64_t& getDuration() const { return duration; }
107 static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
108 };
109
110 class AssumedRoleUser {
111 string arn;
112 string assumeRoleId;
113 public:
114 int generateAssumedRoleUser( CephContext* cct,
115 rgw::sal::RGWRadosStore *store,
116 const string& roleId,
117 const rgw::ARN& roleArn,
118 const string& roleSessionName);
119 const string& getARN() const { return arn; }
120 const string& getAssumeRoleId() const { return assumeRoleId; }
121 void dump(Formatter *f) const;
122 };
123
124 struct SessionToken {
125 string access_key_id;
126 string secret_access_key;
127 string expiration;
128 string policy;
129 string roleId;
130 rgw_user user;
131 string acct_name;
132 uint32_t perm_mask;
133 bool is_admin;
134 uint32_t acct_type;
135 string role_session;
136 std::vector<string> token_claims;
137 string issued_at;
138
139 SessionToken() {}
140
141 void encode(bufferlist& bl) const {
142 ENCODE_START(4, 1, bl);
143 encode(access_key_id, bl);
144 encode(secret_access_key, bl);
145 encode(expiration, bl);
146 encode(policy, bl);
147 encode(roleId, bl);
148 encode(user, bl);
149 encode(acct_name, bl);
150 encode(perm_mask, bl);
151 encode(is_admin, bl);
152 encode(acct_type, bl);
153 encode(role_session, bl);
154 encode(token_claims, bl);
155 encode(issued_at, bl);
156 ENCODE_FINISH(bl);
157 }
158
159 void decode(bufferlist::const_iterator& bl) {
160 DECODE_START(4, bl);
161 decode(access_key_id, bl);
162 decode(secret_access_key, bl);
163 decode(expiration, bl);
164 decode(policy, bl);
165 decode(roleId, bl);
166 decode(user, bl);
167 decode(acct_name, bl);
168 decode(perm_mask, bl);
169 decode(is_admin, bl);
170 decode(acct_type, bl);
171 if (struct_v >= 2) {
172 decode(role_session, bl);
173 }
174 if (struct_v >= 3) {
175 decode(token_claims, bl);
176 }
177 if (struct_v >= 4) {
178 decode(issued_at, bl);
179 }
180 DECODE_FINISH(bl);
181 }
182 };
183 WRITE_CLASS_ENCODER(SessionToken)
184
185 class Credentials {
186 static constexpr int MAX_ACCESS_KEY_LEN = 20;
187 static constexpr int MAX_SECRET_KEY_LEN = 40;
188 string accessKeyId;
189 string expiration;
190 string secretAccessKey;
191 string sessionToken;
192 public:
193 int generateCredentials(CephContext* cct,
194 const uint64_t& duration,
195 const boost::optional<string>& policy,
196 const boost::optional<string>& roleId,
197 const boost::optional<string>& role_session,
198 const boost::optional<std::vector<string> > token_claims,
199 boost::optional<rgw_user> user,
200 rgw::auth::Identity* identity);
201 const string& getAccessKeyId() const { return accessKeyId; }
202 const string& getExpiration() const { return expiration; }
203 const string& getSecretAccessKey() const { return secretAccessKey; }
204 const string& getSessionToken() const { return sessionToken; }
205 void dump(Formatter *f) const;
206 };
207
208 struct AssumeRoleResponse {
209 int retCode;
210 AssumedRoleUser user;
211 Credentials creds;
212 uint64_t packedPolicySize;
213 };
214
215 struct AssumeRoleWithWebIdentityResponse {
216 AssumeRoleResponse assumeRoleResp;
217 string aud;
218 string providerId;
219 string sub;
220 };
221
222 using AssumeRoleResponse = struct AssumeRoleResponse ;
223 using GetSessionTokenResponse = std::tuple<int, Credentials>;
224 using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
225
226 class STSService {
227 CephContext* cct;
228 rgw::sal::RGWRadosStore *store;
229 rgw_user user_id;
230 RGWRole role;
231 rgw::auth::Identity* identity;
232 int storeARN(string& arn, optional_yield y);
233 public:
234 STSService() = default;
235 STSService(CephContext* cct, rgw::sal::RGWRadosStore *store, rgw_user user_id,
236 rgw::auth::Identity* identity)
237 : cct(cct), store(store), user_id(user_id), identity(identity) {}
238 std::tuple<int, RGWRole> getRoleInfo(const string& arn, optional_yield y);
239 AssumeRoleResponse assumeRole(AssumeRoleRequest& req, optional_yield y);
240 GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
241 AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
242 };
243 }
244 #endif /* CEPH_RGW_STS_H */
Ceph