[ceph.git] / ceph / src / rgw / rgw_rest_role.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
#include <errno.h>

#include "common/errno.h"
#include "common/Formatter.h"
#include "common/ceph_json.h"

#include "include/types.h"
#include "rgw_string.h"

#include "rgw_common.h"
#include "rgw_op.h"
#include "rgw_rest.h"
#include "rgw_role.h"
#include "rgw_rest_role.h"

#define dout_subsys ceph_subsys_rgw

void RGWRestRole::send_response()
{
  if (op_ret) {
    set_req_state_err(s, op_ret);
  }
  dump_errno(s);
  end_header(s);
}

int RGWRoleRead::verify_permission()
{
  if (s->auth.identity->is_anonymous()) {
    return -EACCES;
  }

  if (!verify_user_permission(s, RGW_PERM_READ)) {
    return -EACCES;
  }

  return 0;
}

int RGWRoleWrite::verify_permission()
{
  if (s->auth.identity->is_anonymous()) {
    return -EACCES;
  }

  if (!verify_user_permission(s, RGW_PERM_WRITE)) {
    return -EACCES;
  }

  return 0;
}

int RGWCreateRole::get_params()
{
  role_name = s->info.args.get("RoleName");
  role_path = s->info.args.get("Path");
  trust_policy = s->info.args.get("AssumeRolePolicyDocument");

  if (role_name.empty() || trust_policy.empty()) {
    ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
    << dendl;
    return -EINVAL;
  }
  JSONParser p;
  if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
    ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
    return -ERR_MALFORMED_DOC;
  }
  return 0;
}

void RGWCreateRole::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }
  RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant);
  op_ret = role.create(true);

  if (op_ret == -EEXIST) {
    op_ret = -ERR_ROLE_EXISTS;
  }

  if (op_ret == 0) {
    s->formatter->open_object_section("role");
    role.dump(s->formatter);
    s->formatter->close_section();
  }
}

int RGWDeleteRole::get_params()
{
  role_name = s->info.args.get("RoleName");

  if (role_name.empty()) {
    ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
    return -EINVAL;
  }

  return 0;
}

void RGWDeleteRole::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }
  RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
  op_ret = role.delete_obj();

  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }
}

int RGWGetRole::get_params()
{
  role_name = s->info.args.get("RoleName");

  if (role_name.empty()) {
    ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
    return -EINVAL;
  }

  return 0;
}

void RGWGetRole::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }
  RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();

  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }

  if (op_ret == 0) {
    s->formatter->open_object_section("role");
    role.dump(s->formatter);
    s->formatter->close_section();
  }
}

int RGWModifyRole::get_params()
{
  role_name = s->info.args.get("RoleName");
  trust_policy = s->info.args.get("PolicyDocument");

  if (role_name.empty() || trust_policy.empty()) {
    ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
    return -EINVAL;
  }
  JSONParser p;
  if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
    ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
    return -ERR_MALFORMED_DOC;
  }

  return 0;
}

void RGWModifyRole::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }
  RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();
  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }

  if (op_ret == 0) {
    role.update_trust_policy(trust_policy);
    op_ret = role.update();
  }
}

int RGWListRoles::get_params()
{
  path_prefix = s->info.args.get("PathPrefix");

  return 0;
}

void RGWListRoles::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }
  vector<RGWRole> result;
  op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result);

  if (op_ret == 0) {
    s->formatter->open_array_section("Roles");
    for (const auto& it : result) {
      s->formatter->open_object_section("role");
      it.dump(s->formatter);
      s->formatter->close_section();
    }
    s->formatter->close_section();
  }
}

int RGWPutRolePolicy::get_params()
{
  role_name = s->info.args.get("RoleName");
  policy_name = s->info.args.get("PolicyName");
  perm_policy = s->info.args.get("PolicyDocument");

  if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
    ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
    return -EINVAL;
  }
  JSONParser p;
  if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
    ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
    return -ERR_MALFORMED_DOC;
  }

  return 0;
}

void RGWPutRolePolicy::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }

  RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();
  if (op_ret == 0) {
    role.set_perm_policy(policy_name, perm_policy);
    op_ret = role.update();
  }
}

int RGWGetRolePolicy::get_params()
{
  role_name = s->info.args.get("RoleName");
  policy_name = s->info.args.get("PolicyName");

  if (role_name.empty() || policy_name.empty()) {
    ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
    return -EINVAL;
  }
  return 0;
}

void RGWGetRolePolicy::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }

  RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();

  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }

  if (op_ret == 0) {
    string perm_policy;
    op_ret = role.get_role_policy(policy_name, perm_policy);

    if (op_ret == 0) {
      s->formatter->open_object_section("GetRolePolicyResult");
      s->formatter->dump_string("PolicyName", policy_name);
      s->formatter->dump_string("RoleName", role_name);
      s->formatter->dump_string("Permission policy", perm_policy);
      s->formatter->close_section();
    }
  }
}

int RGWListRolePolicies::get_params()
{
  role_name = s->info.args.get("RoleName");

  if (role_name.empty()) {
    ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
    return -EINVAL;
  }
  return 0;
}

void RGWListRolePolicies::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }

  RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();

  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }

  if (op_ret == 0) {
    std::vector<string> policy_names = role.get_role_policy_names();
    s->formatter->open_array_section("PolicyNames");
    for (const auto& it : policy_names) {
      s->formatter->dump_string("member", it);
    }
    s->formatter->close_section();
  }
}

int RGWDeleteRolePolicy::get_params()
{
  role_name = s->info.args.get("RoleName");
  policy_name = s->info.args.get("PolicyName");

  if (role_name.empty() || policy_name.empty()) {
    ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
    return -EINVAL;
  }
  return 0;
}

void RGWDeleteRolePolicy::execute()
{
  op_ret = get_params();
  if (op_ret < 0) {
    return;
  }

  RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
  op_ret = role.get();

  if (op_ret == -ENOENT) {
    op_ret = -ERR_NO_ROLE_FOUND;
  }

  if (op_ret == 0) {
    op_ret = role.delete_policy(policy_name);
    if (op_ret == -ENOENT) {
      op_ret = -ERR_NO_ROLE_FOUND;
    }

    if (op_ret == 0) {
      op_ret = role.update();
    }
  }
}
Commit	Line	Data
31f18b77 FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
31f18b77 FG	2	// vim: ts=8 sw=2 smarttab
7c673cae FG	3	#include <errno.h>
	4
	5	#include "common/errno.h"
	6	#include "common/Formatter.h"
	7	#include "common/ceph_json.h"
	8
	9	#include "include/types.h"
	10	#include "rgw_string.h"
	11
	12	#include "rgw_common.h"
	13	#include "rgw_op.h"
	14	#include "rgw_rest.h"
	15	#include "rgw_role.h"
	16	#include "rgw_rest_role.h"
	17
	18	#define dout_subsys ceph_subsys_rgw
	19
7c673cae FG	20	void RGWRestRole::send_response()
	21	{
	22	if (op_ret) {
	23	set_req_state_err(s, op_ret);
	24	}
	25	dump_errno(s);
	26	end_header(s);
	27	}
	28
	29	int RGWRoleRead::verify_permission()
	30	{
	31	if (s->auth.identity->is_anonymous()) {
	32	return -EACCES;
	33	}
	34
	35	if (!verify_user_permission(s, RGW_PERM_READ)) {
	36	return -EACCES;
	37	}
	38
	39	return 0;
	40	}
	41
	42	int RGWRoleWrite::verify_permission()
	43	{
	44	if (s->auth.identity->is_anonymous()) {
	45	return -EACCES;
	46	}
	47
	48	if (!verify_user_permission(s, RGW_PERM_WRITE)) {
	49	return -EACCES;
	50	}
	51
	52	return 0;
	53	}
	54
	55	int RGWCreateRole::get_params()
	56	{
	57	role_name = s->info.args.get("RoleName");
	58	role_path = s->info.args.get("Path");
	59	trust_policy = s->info.args.get("AssumeRolePolicyDocument");
	60
	61	if (role_name.empty() \|\| trust_policy.empty()) {
	62	ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
	63	<< dendl;
	64	return -EINVAL;
	65	}
	66	JSONParser p;
	67	if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
	68	ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
	69	return -ERR_MALFORMED_DOC;
	70	}
	71	return 0;
	72	}
	73
	74	void RGWCreateRole::execute()
	75	{
	76	op_ret = get_params();
	77	if (op_ret < 0) {
	78	return;
	79	}
31f18b77	80	RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant);
7c673cae FG	81	op_ret = role.create(true);
	82
	83	if (op_ret == -EEXIST) {
	84	op_ret = -ERR_ROLE_EXISTS;
	85	}
	86
	87	if (op_ret == 0) {
	88	s->formatter->open_object_section("role");
	89	role.dump(s->formatter);
	90	s->formatter->close_section();
	91	}
	92	}
	93
	94	int RGWDeleteRole::get_params()
	95	{
	96	role_name = s->info.args.get("RoleName");
	97
	98	if (role_name.empty()) {
	99	ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
	100	return -EINVAL;
	101	}
	102
	103	return 0;
	104	}
	105
	106	void RGWDeleteRole::execute()
	107	{
	108	op_ret = get_params();
	109	if (op_ret < 0) {
	110	return;
	111	}
31f18b77	112	RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
7c673cae FG	113	op_ret = role.delete_obj();
	114
	115	if (op_ret == -ENOENT) {
	116	op_ret = -ERR_NO_ROLE_FOUND;
	117	}
	118	}
	119
	120	int RGWGetRole::get_params()
	121	{
	122	role_name = s->info.args.get("RoleName");
	123
	124	if (role_name.empty()) {
	125	ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
	126	return -EINVAL;
	127	}
	128
	129	return 0;
	130	}
	131
	132	void RGWGetRole::execute()
	133	{
	134	op_ret = get_params();
	135	if (op_ret < 0) {
	136	return;
	137	}
31f18b77	138	RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
7c673cae FG	139	op_ret = role.get();
	140
	141	if (op_ret == -ENOENT) {
	142	op_ret = -ERR_NO_ROLE_FOUND;
	143	}
	144
	145	if (op_ret == 0) {
	146	s->formatter->open_object_section("role");
	147	role.dump(s->formatter);
	148	s->formatter->close_section();
	149	}
	150	}
	151
	152	int RGWModifyRole::get_params()
	153	{
	154	role_name = s->info.args.get("RoleName");
	155	trust_policy = s->info.args.get("PolicyDocument");
	156
	157	if (role_name.empty() \|\| trust_policy.empty()) {
	158	ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
	159	return -EINVAL;
	160	}
	161	JSONParser p;
	162	if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
	163	ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
	164	return -ERR_MALFORMED_DOC;
	165	}
	166
	167	return 0;
	168	}
	169
	170	void RGWModifyRole::execute()
	171	{
	172	op_ret = get_params();
	173	if (op_ret < 0) {
	174	return;
	175	}
31f18b77	176	RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
7c673cae FG	177	op_ret = role.get();
	178	if (op_ret == -ENOENT) {
	179	op_ret = -ERR_NO_ROLE_FOUND;
	180	}
	181
	182	if (op_ret == 0) {
	183	role.update_trust_policy(trust_policy);
	184	op_ret = role.update();
	185	}
	186	}
	187
	188	int RGWListRoles::get_params()
	189	{
	190	path_prefix = s->info.args.get("PathPrefix");
	191
	192	return 0;
	193	}
	194
	195	void RGWListRoles::execute()
	196	{
	197	op_ret = get_params();
	198	if (op_ret < 0) {
	199	return;
	200	}
	201	vector<RGWRole> result;
31f18b77	202	op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result);
7c673cae FG	203
	204	if (op_ret == 0) {
	205	s->formatter->open_array_section("Roles");
	206	for (const auto& it : result) {
	207	s->formatter->open_object_section("role");
	208	it.dump(s->formatter);
	209	s->formatter->close_section();
	210	}
	211	s->formatter->close_section();
	212	}
	213	}
	214
	215	int RGWPutRolePolicy::get_params()
	216	{
	217	role_name = s->info.args.get("RoleName");
	218	policy_name = s->info.args.get("PolicyName");
	219	perm_policy = s->info.args.get("PolicyDocument");
	220
	221	if (role_name.empty() \|\| policy_name.empty() \|\| perm_policy.empty()) {
	222	ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
	223	return -EINVAL;
	224	}
	225	JSONParser p;
	226	if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
	227	ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
	228	return -ERR_MALFORMED_DOC;
	229	}
	230
	231	return 0;
	232	}
	233
	234	void RGWPutRolePolicy::execute()
	235	{
	236	op_ret = get_params();
	237	if (op_ret < 0) {
	238	return;
	239	}
	240
31f18b77	241	RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
7c673cae FG	242	op_ret = role.get();
	243	if (op_ret == 0) {
	244	role.set_perm_policy(policy_name, perm_policy);
	245	op_ret = role.update();
	246	}
	247	}
	248
	249	int RGWGetRolePolicy::get_params()
	250	{
	251	role_name = s->info.args.get("RoleName");
	252	policy_name = s->info.args.get("PolicyName");
	253
	254	if (role_name.empty() \|\| policy_name.empty()) {
	255	ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
	256	return -EINVAL;
	257	}
	258	return 0;
	259	}
	260
	261	void RGWGetRolePolicy::execute()
	262	{
	263	op_ret = get_params();
	264	if (op_ret < 0) {
	265	return;
	266	}
	267
31f18b77	268	RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
7c673cae FG	269	op_ret = role.get();
	270
	271	if (op_ret == -ENOENT) {
	272	op_ret = -ERR_NO_ROLE_FOUND;
	273	}
	274
	275	if (op_ret == 0) {
	276	string perm_policy;
	277	op_ret = role.get_role_policy(policy_name, perm_policy);
	278
	279	if (op_ret == 0) {
	280	s->formatter->open_object_section("GetRolePolicyResult");
	281	s->formatter->dump_string("PolicyName", policy_name);
	282	s->formatter->dump_string("RoleName", role_name);
	283	s->formatter->dump_string("Permission policy", perm_policy);
	284	s->formatter->close_section();
	285	}
	286	}
	287	}
	288
	289	int RGWListRolePolicies::get_params()
	290	{
	291	role_name = s->info.args.get("RoleName");
	292
	293	if (role_name.empty()) {
	294	ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
	295	return -EINVAL;
	296	}
	297	return 0;
	298	}
	299
	300	void RGWListRolePolicies::execute()
	301	{
	302	op_ret = get_params();
	303	if (op_ret < 0) {
	304	return;
	305	}
	306
31f18b77	307	RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
7c673cae FG	308	op_ret = role.get();
	309
	310	if (op_ret == -ENOENT) {
	311	op_ret = -ERR_NO_ROLE_FOUND;
	312	}
	313
	314	if (op_ret == 0) {
	315	std::vector<string> policy_names = role.get_role_policy_names();
	316	s->formatter->open_array_section("PolicyNames");
	317	for (const auto& it : policy_names) {
	318	s->formatter->dump_string("member", it);
	319	}
	320	s->formatter->close_section();
	321	}
	322	}
	323
	324	int RGWDeleteRolePolicy::get_params()
	325	{
	326	role_name = s->info.args.get("RoleName");
	327	policy_name = s->info.args.get("PolicyName");
	328
	329	if (role_name.empty() \|\| policy_name.empty()) {
	330	ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
	331	return -EINVAL;
	332	}
	333	return 0;
	334	}
	335
	336	void RGWDeleteRolePolicy::execute()
	337	{
	338	op_ret = get_params();
	339	if (op_ret < 0) {
	340	return;
	341	}
	342
31f18b77	343	RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
7c673cae FG	344	op_ret = role.get();
	345
	346	if (op_ret == -ENOENT) {
	347	op_ret = -ERR_NO_ROLE_FOUND;
	348	}
	349
	350	if (op_ret == 0) {
	351	op_ret = role.delete_policy(policy_name);
	352	if (op_ret == -ENOENT) {
	353	op_ret = -ERR_NO_ROLE_FOUND;
	354	}
	355
	356	if (op_ret == 0) {
	357	op_ret = role.update();
	358	}
	359	}
	360	}