11fdf7f2 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
3 | |
4 | #ifndef CEPH_RGW_STS_H | |
5 | #define CEPH_RGW_STS_H | |
6 | ||
7 | #include "rgw_role.h" | |
8 | #include "rgw_auth.h" | |
9 | #include "rgw_web_idp.h" | |
10 | ||
11 | namespace STS { | |
12 | ||
/// Fields and limits shared by the AssumeRole* request types.
///
/// Holds the request parameters common to AssumeRole and
/// AssumeRoleWithWebIdentity (session duration, inline session policy,
/// role ARN and role session name) together with the size limits that
/// validate_input() checks them against.  The constructor and
/// validate_input() are defined out of line.
class AssumeRoleRequestBase {
protected:
  // Bounds on the inline session policy, in bytes.
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  // Session duration applied when the request supplies none.
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  // Unlike the constants above these two are per-instance and mutable:
  // MAX_DURATION_IN_SECS can be changed after construction through
  // setMaxDuration().  Neither has an in-class initializer, so both are
  // meaningful only once the out-of-line constructor has run.
  uint64_t MIN_DURATION_IN_SECS;
  uint64_t MAX_DURATION_IN_SECS;
  CephContext* cct;
  uint64_t duration;        // requested session duration in seconds
  string err_msg;
  string iamPolicy;         // inline session policy document
  string roleArn;
  string roleSessionName;
public:
  /// @param duration  the duration as received on the wire; the
  ///                  out-of-line constructor converts it to the numeric
  ///                  `duration` member (and presumably applies the default).
  AssumeRoleRequestBase(CephContext* cct,
                        const string& duration,
                        const string& iamPolicy,
                        const string& roleArn,
                        const string& roleSessionName);
  const string& getRoleARN() const { return roleArn; }
  const string& getRoleSessionName() const { return roleSessionName; }
  const string& getPolicy() const {return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  /// Replaces the per-request duration ceiling.  Because this is the bound
  /// validate_input() enforces, the caller controls how long a session this
  /// request may obtain -- presumably the role's configured maximum session
  /// duration is passed here; verify against rgw_sts.cc.
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  /// Checks the stored fields against the limits above (defined out of
  /// line).  Returns 0 on success; the error convention is not visible here.
  int validate_input() const;
};
44 | ||
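/// AssumeRoleWithWebIdentity request: the common AssumeRole fields plus the
/// identity-provider id and the iss/sub/aud claims of the presented
/// web-identity token.
///
/// The inline session policy is stored only in the base class and read via
/// getPolicy().  Do not redeclare `iamPolicy` here: a derived copy would
/// shadow the base member that the constructor populates while itself
/// staying empty, so any check written against it would see no policy.
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  string providerId;
  string iss;   // token issuer claim
  string sub;   // token subject claim
  string aud;   // token audience claim
public:
  AssumeRoleWithWebIdentityRequest( CephContext* cct,
                                    const string& duration,
                                    const string& providerId,
                                    const string& iamPolicy,
                                    const string& roleArn,
                                    const string& roleSessionName,
                                    const string& iss,
                                    const string& sub,
                                    const string& aud)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const string& getProviderId() const { return providerId; }
  const string& getIss() const { return iss; }
  const string& getAud() const { return aud; }
  const string& getSub() const { return sub; }
  /// Validates the web-identity specific fields (provider id length and
  /// the claims) in addition to the base checks; defined out of line.
  int validate_input() const;
};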
71 | ||
/// AssumeRole request: the common fields plus the optional external id and
/// the MFA parameters (device serial number and one-time token code) of the
/// AWS STS AssumeRole API.
class AssumeRoleRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  // A single size rather than a min/max pair -- presumably an exact length.
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
  string externalId;
  string serialNumber;
  string tokenCode;
public:
  AssumeRoleRequest(CephContext* cct,
                    const string& duration,
                    const string& externalId,
                    const string& iamPolicy,
                    const string& roleArn,
                    const string& roleSessionName,
                    const string& serialNumber,
                    const string& tokenCode)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
  /// Validates the AssumeRole-specific fields against the limits above
  /// (defined out of line).  No getters expose externalId, serialNumber or
  /// tokenCode, so validation is the only consumer declared in this header.
  int validate_input() const;
};
94 | ||
/// GetSessionToken request.
///
/// Note the asymmetry with AssumeRoleRequestBase: here the minimum duration
/// is a compile-time constant and no maximum is declared, while the
/// AssumeRole types carry per-instance bounds.  No validate_input() is
/// declared for this request type either, so any checks on the duration or
/// the MFA parameters have to happen in the caller.
class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  uint64_t duration;        // set by the out-of-line constructor from the string form
  string serialNumber;      // MFA device serial (AWS API SerialNumber)
  string tokenCode;         // MFA one-time code (AWS API TokenCode)

public:
  /// @param duration  requested duration as received on the wire.
  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};
109 | ||
/// The AssumedRoleUser element of an AssumeRole response: the ARN of the
/// assumed-role session and the assumed-role id.
class AssumedRoleUser {
  string arn;
  string assumeRoleId;
public:
  /// Fills `arn` and `assumeRoleId` from the role id, the role ARN and the
  /// session name (defined out of line).  Presumably returns 0 on success
  /// and a negative value on error -- confirm against rgw_sts.cc.
  int generateAssumedRoleUser( CephContext* cct,
                               rgw::sal::RGWRadosStore *store,
                               const string& roleId,
                               const rgw::ARN& roleArn,
                               const string& roleSessionName);
  const string& getARN() const { return arn; }
  const string& getAssumeRoleId() const { return assumeRoleId; }
  /// Writes both fields to the formatter (defined out of line).
  void dump(Formatter *f) const;
};
123 | ||
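/// Payload of an STS session token.
///
/// Carries the temporary key pair, the authorization attributes the session
/// was issued with (perm_mask, is_admin, acct_type, policy, roleId) and,
/// from later encoding versions, the role session name, the web-identity
/// token claims and the issue time.  The serialized form therefore holds
/// the secret key and the bits that decide what the session may do.
///
/// The encoding is versioned: it is written at v4 and declared readable by
/// decoders back to v1.  Fields added in v2-v4 are decoded only when the
/// blob carries them and otherwise keep the value they held before
/// decode() ran.  The scalar members are zero-initialized so that a
/// default-constructed or partially-decoded token never holds
/// indeterminate permission bits.
struct SessionToken {
  string access_key_id;
  string secret_access_key;
  string expiration;
  string policy;
  string roleId;
  rgw_user user;
  string acct_name;
  uint32_t perm_mask = 0;
  bool is_admin = false;
  uint32_t acct_type = 0;
  string role_session;               // encoding v2+
  std::vector<string> token_claims;  // encoding v3+
  string issued_at;                  // encoding v4+

  SessionToken() = default;

  /// Appends the v4 encoding of this token to `bl`.
  void encode(bufferlist& bl) const {
    ENCODE_START(4, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);
    encode(token_claims, bl);
    encode(issued_at, bl);
    ENCODE_FINISH(bl);
  }

  /// Decodes a token written at any version from 1 to 4; `struct_v` is
  /// supplied by DECODE_START and gates the fields added after v1.
  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(4, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    if (struct_v >= 4) {
      decode(issued_at, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)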
184 | ||
/// Temporary credentials handed back by every STS operation.
class Credentials {
  // Length limits for the generated keys; presumably applied by
  // generateCredentials() -- confirm against rgw_sts.cc.
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;
  string accessKeyId;
  string expiration;
  string secretAccessKey;
  string sessionToken;
public:
  /// Generates a fresh access key / secret key pair, the expiration derived
  /// from `duration`, and the session token for `user` that presumably
  /// embeds the optional policy, role id, session name and token claims
  /// (defined out of line).
  /// Note: `token_claims` is taken by const value and is therefore copied,
  /// unlike the neighbouring `const&` parameters; changing that requires
  /// changing the out-of-line definition as well.
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<string>& policy,
                          const boost::optional<string>& roleId,
                          const boost::optional<string>& role_session,
                          const boost::optional<std::vector<string> > token_claims,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);
  const string& getAccessKeyId() const { return accessKeyId; }
  const string& getExpiration() const { return expiration; }
  const string& getSecretAccessKey() const { return secretAccessKey; }
  const string& getSessionToken() const { return sessionToken; }
  /// Serializes all four fields, including the secret key and the session
  /// token (defined out of line).
  void dump(Formatter *f) const;
};
207 | ||
/// Result of STSService::assumeRole.
///
/// `retCode` and `packedPolicySize` have no in-class initializer: an
/// instance that is not explicitly filled in carries indeterminate values
/// in both, so callers must check `retCode` is set on every path.
struct AssumeRoleResponse {
  int retCode;
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize;   // size of the session policy reported with the response
};
214 | ||
/// Result of STSService::assumeRoleWithWebIdentity: the plain AssumeRole
/// result plus the audience, provider id and subject, presumably copied
/// from the request's token claims.
struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  string aud;
  string providerId;
  string sub;
};
221 | ||
// The first and third aliases are no-ops in C++ (`using T = struct T;` only
// re-names the struct as itself, a C idiom); only GetSessionTokenResponse
// introduces a new type: a status code paired with the generated credentials.
using AssumeRoleResponse = struct AssumeRoleResponse ;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
225 | ||
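/// Implements the STS operations (AssumeRole, GetSessionToken,
/// AssumeRoleWithWebIdentity) for one authenticated caller.
///
/// The pointer members are not owned by this class (no destructor releases
/// them).  They are null-initialized so that a default-constructed service
/// holds defined values; such an instance still has to be replaced by one
/// built with the full constructor before any operation is invoked.
class STSService {
  CephContext* cct = nullptr;
  rgw::sal::RGWRadosStore *store = nullptr;
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity = nullptr;   // the caller's authenticated identity
  /// Persists `arn`; defined out of line.  `arn` is taken by non-const
  /// reference, so the callee may modify it.
  int storeARN(const DoutPrefixProvider *dpp, string& arn, optional_yield y);
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::RGWRadosStore *store, rgw_user user_id,
             rgw::auth::Identity* identity)
    : cct(cct), store(store), user_id(user_id), identity(identity) {}
  /// Looks up the role named by `arn`; returns a status code and the role
  /// (defined out of line).
  std::tuple<int, RGWRole> getRoleInfo(const DoutPrefixProvider *dpp, const string& arn, optional_yield y);
  AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};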
243 | } | |
244 | #endif /* CEPH_RGW_STS_H */ |