[ceph.git] / ceph / src / rgw / rgw_sts.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp

#ifndef CEPH_RGW_STS_H
#define CEPH_RGW_STS_H

#include "rgw_role.h"
#include "rgw_auth.h"
#include "rgw_web_idp.h"

namespace STS {

class AssumeRoleRequestBase {
protected:
  static constexpr uint64_t MIN_POLICY_SIZE = 1;
  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
  uint64_t MIN_DURATION_IN_SECS;
  uint64_t MAX_DURATION_IN_SECS;
  CephContext* cct;
  uint64_t duration;
  string err_msg;
  string iamPolicy;
  string roleArn;
  string roleSessionName;
public:
  AssumeRoleRequestBase(CephContext* cct,
                        const string& duration,
                        const string& iamPolicy,
                        const string& roleArn,
                        const string& roleSessionName);
  const string& getRoleARN() const { return roleArn; }
  const string& getRoleSessionName() const { return roleSessionName; }
  const string& getPolicy() const {return iamPolicy; }
  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
  const uint64_t& getDuration() const { return duration; }
  int validate_input() const;
};

class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
  string providerId;
  string iamPolicy;
  string iss;
  string sub;
  string aud;
public:
  AssumeRoleWithWebIdentityRequest( CephContext* cct,
                      const string& duration,
                      const string& providerId,
                      const string& iamPolicy,
                      const string& roleArn,
                      const string& roleSessionName,
                      const string& iss,
                      const string& sub,
                      const string& aud)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
  const string& getProviderId() const { return providerId; }
  const string& getIss() const { return iss; }
  const string& getAud() const { return aud; }
  const string& getSub() const { return sub; }
  int validate_input() const;
};

class AssumeRoleRequest : public AssumeRoleRequestBase {
  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
  string externalId;
  string serialNumber;
  string tokenCode;
public:
  AssumeRoleRequest(CephContext* cct,
                    const string& duration,
                    const string& externalId,
                    const string& iamPolicy,
                    const string& roleArn,
                    const string& roleSessionName,
                    const string& serialNumber,
                    const string& tokenCode)
    : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
      externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
  int validate_input() const;
};

class GetSessionTokenRequest {
protected:
  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
  uint64_t duration;
  string serialNumber;
  string tokenCode;

public:
  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);

  const uint64_t& getDuration() const { return duration; }
  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
};

class AssumedRoleUser {
  string arn;
  string assumeRoleId;
public:
  int generateAssumedRoleUser( CephContext* cct,
                                rgw::sal::RGWRadosStore *store,
                                const string& roleId,
                                const rgw::ARN& roleArn,
                                const string& roleSessionName);
  const string& getARN() const { return arn; }
  const string& getAssumeRoleId() const { return assumeRoleId; }
  void dump(Formatter *f) const;
};

struct SessionToken {
  string access_key_id;
  string secret_access_key;
  string expiration;
  string policy;
  string roleId;
  rgw_user user;
  string acct_name;
  uint32_t perm_mask;
  bool is_admin;
  uint32_t acct_type;
  string role_session;
  std::vector<string> token_claims;
  string issued_at;

  SessionToken() {}

  void encode(bufferlist& bl) const {
    ENCODE_START(4, 1, bl);
    encode(access_key_id, bl);
    encode(secret_access_key, bl);
    encode(expiration, bl);
    encode(policy, bl);
    encode(roleId, bl);
    encode(user, bl);
    encode(acct_name, bl);
    encode(perm_mask, bl);
    encode(is_admin, bl);
    encode(acct_type, bl);
    encode(role_session, bl);
    encode(token_claims, bl);
    encode(issued_at, bl);
    ENCODE_FINISH(bl);
  }

  void decode(bufferlist::const_iterator& bl) {
    DECODE_START(4, bl);
    decode(access_key_id, bl);
    decode(secret_access_key, bl);
    decode(expiration, bl);
    decode(policy, bl);
    decode(roleId, bl);
    decode(user, bl);
    decode(acct_name, bl);
    decode(perm_mask, bl);
    decode(is_admin, bl);
    decode(acct_type, bl);
    if (struct_v >= 2) {
      decode(role_session, bl);
    }
    if (struct_v >= 3) {
      decode(token_claims, bl);
    }
    if (struct_v >= 4) {
      decode(issued_at, bl);
    }
    DECODE_FINISH(bl);
  }
};
WRITE_CLASS_ENCODER(SessionToken)

class Credentials {
  static constexpr int MAX_ACCESS_KEY_LEN = 20;
  static constexpr int MAX_SECRET_KEY_LEN = 40;
  string accessKeyId;
  string expiration;
  string secretAccessKey;
  string sessionToken;
public:
  int generateCredentials(CephContext* cct,
                          const uint64_t& duration,
                          const boost::optional<string>& policy,
                          const boost::optional<string>& roleId,
                          const boost::optional<string>& role_session,
                          const boost::optional<std::vector<string> > token_claims,
                          boost::optional<rgw_user> user,
                          rgw::auth::Identity* identity);
  const string& getAccessKeyId() const { return accessKeyId; }
  const string& getExpiration() const { return expiration; }
  const string& getSecretAccessKey() const { return secretAccessKey; }
  const string& getSessionToken() const { return sessionToken; }
  void dump(Formatter *f) const;
};

struct AssumeRoleResponse {
  int retCode;
  AssumedRoleUser user;
  Credentials creds;
  uint64_t packedPolicySize;
};

struct AssumeRoleWithWebIdentityResponse {
  AssumeRoleResponse assumeRoleResp;
  string aud;
  string providerId;
  string sub;
};

using AssumeRoleResponse = struct AssumeRoleResponse ;
using GetSessionTokenResponse = std::tuple<int, Credentials>;
using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;

class STSService {
  CephContext* cct;
  rgw::sal::RGWRadosStore *store;
  rgw_user user_id;
  RGWRole role;
  rgw::auth::Identity* identity;
  int storeARN(const DoutPrefixProvider *dpp, string& arn, optional_yield y);
public:
  STSService() = default;
  STSService(CephContext* cct, rgw::sal::RGWRadosStore *store, rgw_user user_id,
	     rgw::auth::Identity* identity)
    : cct(cct), store(store), user_id(user_id), identity(identity) {}
  std::tuple<int, RGWRole> getRoleInfo(const DoutPrefixProvider *dpp, const string& arn, optional_yield y);
  AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
};
}
#endif /* CEPH_RGW_STS_H */
Commit	Line	Data
11fdf7f2	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
9f95a23c	2	// vim: ts=8 sw=2 smarttab ft=cpp
11fdf7f2 TL	3
	4	#ifndef CEPH_RGW_STS_H
	5	#define CEPH_RGW_STS_H
	6
	7	#include "rgw_role.h"
	8	#include "rgw_auth.h"
	9	#include "rgw_web_idp.h"
	10
	11	namespace STS {
	12
	13	class AssumeRoleRequestBase {
	14	protected:
	15	static constexpr uint64_t MIN_POLICY_SIZE = 1;
	16	static constexpr uint64_t MAX_POLICY_SIZE = 2048;
	17	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
11fdf7f2 TL	18	static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
	19	static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
	20	static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
	21	static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
f67539c2	22	uint64_t MIN_DURATION_IN_SECS;
11fdf7f2	23	uint64_t MAX_DURATION_IN_SECS;
f67539c2	24	CephContext* cct;
11fdf7f2	25	uint64_t duration;
9f95a23c	26	string err_msg;
11fdf7f2 TL	27	string iamPolicy;
	28	string roleArn;
	29	string roleSessionName;
	30	public:
f67539c2 TL	31	AssumeRoleRequestBase(CephContext* cct,
f67539c2 TL	32	const string& duration,
11fdf7f2 TL	33	const string& iamPolicy,
	34	const string& roleArn,
	35	const string& roleSessionName);
	36	const string& getRoleARN() const { return roleArn; }
	37	const string& getRoleSessionName() const { return roleSessionName; }
	38	const string& getPolicy() const {return iamPolicy; }
	39	static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
	40	void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
	41	const uint64_t& getDuration() const { return duration; }
	42	int validate_input() const;
	43	};
	44
	45	class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
	46	static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
	47	static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
	48	string providerId;
	49	string iamPolicy;
	50	string iss;
	51	string sub;
	52	string aud;
	53	public:
f67539c2 TL	54	AssumeRoleWithWebIdentityRequest( CephContext* cct,
f67539c2 TL	55	const string& duration,
11fdf7f2 TL	56	const string& providerId,
	57	const string& iamPolicy,
	58	const string& roleArn,
	59	const string& roleSessionName,
	60	const string& iss,
	61	const string& sub,
	62	const string& aud)
f67539c2	63	: AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
11fdf7f2 TL	64	providerId(providerId), iss(iss), sub(sub), aud(aud) {}
	65	const string& getProviderId() const { return providerId; }
	66	const string& getIss() const { return iss; }
	67	const string& getAud() const { return aud; }
	68	const string& getSub() const { return sub; }
	69	int validate_input() const;
	70	};
	71
	72	class AssumeRoleRequest : public AssumeRoleRequestBase {
	73	static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
	74	static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
	75	static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
	76	static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
	77	static constexpr uint64_t TOKEN_CODE_SIZE = 6;
	78	string externalId;
	79	string serialNumber;
	80	string tokenCode;
	81	public:
f67539c2 TL	82	AssumeRoleRequest(CephContext* cct,
f67539c2 TL	83	const string& duration,
11fdf7f2 TL	84	const string& externalId,
	85	const string& iamPolicy,
	86	const string& roleArn,
	87	const string& roleSessionName,
	88	const string& serialNumber,
	89	const string& tokenCode)
f67539c2	90	: AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
11fdf7f2 TL	91	externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
	92	int validate_input() const;
	93	};
	94
	95	class GetSessionTokenRequest {
	96	protected:
	97	static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
	98	static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
	99	uint64_t duration;
	100	string serialNumber;
	101	string tokenCode;
	102
	103	public:
	104	GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);
	105
	106	const uint64_t& getDuration() const { return duration; }
	107	static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
	108	};
	109
	110	class AssumedRoleUser {
	111	string arn;
	112	string assumeRoleId;
	113	public:
	114	int generateAssumedRoleUser( CephContext* cct,
9f95a23c	115	rgw::sal::RGWRadosStore *store,
11fdf7f2	116	const string& roleId,
eafe8130	117	const rgw::ARN& roleArn,
11fdf7f2 TL	118	const string& roleSessionName);
	119	const string& getARN() const { return arn; }
	120	const string& getAssumeRoleId() const { return assumeRoleId; }
	121	void dump(Formatter *f) const;
	122	};
	123
	124	struct SessionToken {
	125	string access_key_id;
	126	string secret_access_key;
	127	string expiration;
	128	string policy;
	129	string roleId;
	130	rgw_user user;
	131	string acct_name;
	132	uint32_t perm_mask;
	133	bool is_admin;
	134	uint32_t acct_type;
f91f0fd5	135	string role_session;
adb31ebb	136	std::vector<string> token_claims;
f67539c2	137	string issued_at;
11fdf7f2 TL	138
	139	SessionToken() {}
	140
	141	void encode(bufferlist& bl) const {
f67539c2	142	ENCODE_START(4, 1, bl);
11fdf7f2 TL	143	encode(access_key_id, bl);
	144	encode(secret_access_key, bl);
	145	encode(expiration, bl);
	146	encode(policy, bl);
	147	encode(roleId, bl);
	148	encode(user, bl);
	149	encode(acct_name, bl);
	150	encode(perm_mask, bl);
	151	encode(is_admin, bl);
	152	encode(acct_type, bl);
f91f0fd5	153	encode(role_session, bl);
adb31ebb	154	encode(token_claims, bl);
f67539c2	155	encode(issued_at, bl);
11fdf7f2 TL	156	ENCODE_FINISH(bl);
	157	}
	158
	159	void decode(bufferlist::const_iterator& bl) {
f67539c2	160	DECODE_START(4, bl);
11fdf7f2 TL	161	decode(access_key_id, bl);
	162	decode(secret_access_key, bl);
	163	decode(expiration, bl);
	164	decode(policy, bl);
	165	decode(roleId, bl);
	166	decode(user, bl);
	167	decode(acct_name, bl);
	168	decode(perm_mask, bl);
	169	decode(is_admin, bl);
	170	decode(acct_type, bl);
f91f0fd5 TL	171	if (struct_v >= 2) {
	172	decode(role_session, bl);
	173	}
adb31ebb TL	174	if (struct_v >= 3) {
	175	decode(token_claims, bl);
	176	}
f67539c2 TL	177	if (struct_v >= 4) {
	178	decode(issued_at, bl);
	179	}
11fdf7f2 TL	180	DECODE_FINISH(bl);
	181	}
	182	};
	183	WRITE_CLASS_ENCODER(SessionToken)
	184
	185	class Credentials {
	186	static constexpr int MAX_ACCESS_KEY_LEN = 20;
	187	static constexpr int MAX_SECRET_KEY_LEN = 40;
	188	string accessKeyId;
	189	string expiration;
	190	string secretAccessKey;
	191	string sessionToken;
	192	public:
	193	int generateCredentials(CephContext* cct,
	194	const uint64_t& duration,
	195	const boost::optional<string>& policy,
	196	const boost::optional<string>& roleId,
f91f0fd5	197	const boost::optional<string>& role_session,
adb31ebb	198	const boost::optional<std::vector<string> > token_claims,
11fdf7f2 TL	199	boost::optional<rgw_user> user,
	200	rgw::auth::Identity* identity);
	201	const string& getAccessKeyId() const { return accessKeyId; }
	202	const string& getExpiration() const { return expiration; }
	203	const string& getSecretAccessKey() const { return secretAccessKey; }
	204	const string& getSessionToken() const { return sessionToken; }
	205	void dump(Formatter *f) const;
	206	};
	207
	208	struct AssumeRoleResponse {
	209	int retCode;
	210	AssumedRoleUser user;
	211	Credentials creds;
	212	uint64_t packedPolicySize;
	213	};
	214
	215	struct AssumeRoleWithWebIdentityResponse {
	216	AssumeRoleResponse assumeRoleResp;
	217	string aud;
	218	string providerId;
	219	string sub;
	220	};
	221
	222	using AssumeRoleResponse = struct AssumeRoleResponse ;
	223	using GetSessionTokenResponse = std::tuple<int, Credentials>;
	224	using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
	225
	226	class STSService {
	227	CephContext* cct;
9f95a23c	228	rgw::sal::RGWRadosStore *store;
11fdf7f2 TL	229	rgw_user user_id;
	230	RGWRole role;
	231	rgw::auth::Identity* identity;
b3b6e05e	232	int storeARN(const DoutPrefixProvider *dpp, string& arn, optional_yield y);
11fdf7f2 TL	233	public:
11fdf7f2 TL	234	STSService() = default;
f67539c2 TL	235	STSService(CephContext* cct, rgw::sal::RGWRadosStore *store, rgw_user user_id,
	236	rgw::auth::Identity* identity)
	237	: cct(cct), store(store), user_id(user_id), identity(identity) {}
b3b6e05e TL	238	std::tuple<int, RGWRole> getRoleInfo(const DoutPrefixProvider *dpp, const string& arn, optional_yield y);
b3b6e05e TL	239	AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
11fdf7f2 TL	240	GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
	241	AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
	242	};
	243	}
	244	#endif /* CEPH_RGW_STS_H */