]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_opa.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
5 #include "rgw_http_client.h"
7 #define dout_context g_ceph_context
8 #define dout_subsys ceph_subsys_rgw
12 int rgw_opa_authorize(RGWOp
*& op
,
16 ldpp_dout(op
, 2) << "authorizing request using OPA" << dendl
;
19 const string
& opa_url
= s
->cct
->_conf
->rgw_opa_url
;
21 ldpp_dout(op
, 2) << "OPA_URL not provided" << dendl
;
22 return -ERR_INVALID_REQUEST
;
24 ldpp_dout(op
, 2) << "OPA URL= " << opa_url
.c_str() << dendl
;
26 /* get authentication token for OPA */
27 const string
& opa_token
= s
->cct
->_conf
->rgw_opa_token
;
31 RGWHTTPTransceiver
req(s
->cct
, "POST", opa_url
.c_str(), &bl
);
33 /* set required headers for OPA request */
34 req
.append_header("X-Auth-Token", opa_token
);
35 req
.append_header("Content-Type", "application/json");
36 req
.append_header("Expect", "100-continue");
38 /* check if we want to verify OPA server SSL certificate */
39 req
.set_verify_ssl(s
->cct
->_conf
->rgw_opa_verify_ssl
);
41 /* create json request body */
43 jf
.open_object_section("");
44 jf
.open_object_section("input");
45 const char *request_method
= s
->info
.env
->get("REQUEST_METHOD");
47 jf
.dump_string("method", request_method
);
49 jf
.dump_string("relative_uri", s
->relative_uri
.c_str());
50 jf
.dump_string("decoded_uri", s
->decoded_uri
.c_str());
51 jf
.dump_string("params", s
->info
.request_params
.c_str());
52 jf
.dump_string("request_uri_aws4", s
->info
.request_uri_aws4
.c_str());
54 jf
.dump_string("object_name", s
->object
->get_name().c_str());
56 if (s
->auth
.identity
) {
57 jf
.dump_string("subuser", s
->auth
.identity
->get_subuser().c_str());
60 jf
.dump_object("user_info", s
->user
->get_info());
63 jf
.dump_object("bucket_info", s
->bucket
->get_info());
70 req
.set_post_data(ss
.str());
71 req
.set_send_length(ss
.str().length());
74 ret
= req
.process(null_yield
);
76 ldpp_dout(op
, 2) << "OPA process error:" << bl
.c_str() << dendl
;
80 /* check OPA response */
82 if (!parser
.parse(bl
.c_str(), bl
.length())) {
83 ldpp_dout(op
, 2) << "OPA parse error: malformed json" << dendl
;
88 JSONDecoder::decode_json("result", opa_result
, &parser
);
90 if (opa_result
== false) {
91 ldpp_dout(op
, 2) << "OPA rejecting request" << dendl
;
95 ldpp_dout(op
, 2) << "OPA accepting request" << dendl
;