ceph/src/rgw/rgw_rest_role.cc

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3 #include <errno.h>
   4
   5 #include "common/errno.h"
   6 #include "common/Formatter.h"
   7 #include "common/ceph_json.h"
   8
   9 #include "include/types.h"
  10 #include "rgw_string.h"
  11
  12 #include "rgw_common.h"
  13 #include "rgw_op.h"
  14 #include "rgw_rest.h"
  15 #include "rgw_role.h"
  16 #include "rgw_rest_role.h"
  17
  18 #define dout_subsys ceph_subsys_rgw
  19
  20 void RGWRestRole::send_response()
  21 {
  22   if (op_ret) {
  23     set_req_state_err(s, op_ret);
  24   }
  25   dump_errno(s);
  26   end_header(s);
  27 }
  28
  29 int RGWRoleRead::verify_permission()
  30 {
  31   if (s->auth.identity->is_anonymous()) {
  32     return -EACCES;
  33   }
  34
  35   if (!verify_user_permission(s, RGW_PERM_READ)) {
  36     return -EACCES;
  37   }
  38
  39   return 0;
  40 }
  41
  42 int RGWRoleWrite::verify_permission()
  43 {
  44   if (s->auth.identity->is_anonymous()) {
  45     return -EACCES;
  46   }
  47
  48   if (!verify_user_permission(s, RGW_PERM_WRITE)) {
  49     return -EACCES;
  50   }
  51
  52   return 0;
  53 }
  54
  55 int RGWCreateRole::get_params()
  56 {
  57   role_name = s->info.args.get("RoleName");
  58   role_path = s->info.args.get("Path");
  59   trust_policy = s->info.args.get("AssumeRolePolicyDocument");
  60
  61   if (role_name.empty() || trust_policy.empty()) {
  62     ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
  63     << dendl;
  64     return -EINVAL;
  65   }
  66   JSONParser p;
  67   if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
  68     ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
  69     return -ERR_MALFORMED_DOC;
  70   }
  71   return 0;
  72 }
  73
  74 void RGWCreateRole::execute()
  75 {
  76   op_ret = get_params();
  77   if (op_ret < 0) {
  78     return;
  79   }
  80   RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant);
  81   op_ret = role.create(true);
  82
  83   if (op_ret == -EEXIST) {
  84     op_ret = -ERR_ROLE_EXISTS;
  85   }
  86
  87   if (op_ret == 0) {
  88     s->formatter->open_object_section("role");
  89     role.dump(s->formatter);
  90     s->formatter->close_section();
  91   }
  92 }
  93
  94 int RGWDeleteRole::get_params()
  95 {
  96   role_name = s->info.args.get("RoleName");
  97
  98   if (role_name.empty()) {
  99     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 100     return -EINVAL;
 101   }
 102
 103   return 0;
 104 }
 105
 106 void RGWDeleteRole::execute()
 107 {
 108   op_ret = get_params();
 109   if (op_ret < 0) {
 110     return;
 111   }
 112   RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
 113   op_ret = role.delete_obj();
 114
 115   if (op_ret == -ENOENT) {
 116     op_ret = -ERR_NO_ROLE_FOUND;
 117   }
 118 }
 119
 120 int RGWGetRole::get_params()
 121 {
 122   role_name = s->info.args.get("RoleName");
 123
 124   if (role_name.empty()) {
 125     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 126     return -EINVAL;
 127   }
 128
 129   return 0;
 130 }
 131
 132 void RGWGetRole::execute()
 133 {
 134   op_ret = get_params();
 135   if (op_ret < 0) {
 136     return;
 137   }
 138   RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
 139   op_ret = role.get();
 140
 141   if (op_ret == -ENOENT) {
 142     op_ret = -ERR_NO_ROLE_FOUND;
 143   }
 144
 145   if (op_ret == 0) {
 146     s->formatter->open_object_section("role");
 147     role.dump(s->formatter);
 148     s->formatter->close_section();
 149   }
 150 }
 151
 152 int RGWModifyRole::get_params()
 153 {
 154   role_name = s->info.args.get("RoleName");
 155   trust_policy = s->info.args.get("PolicyDocument");
 156
 157   if (role_name.empty() || trust_policy.empty()) {
 158     ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
 159     return -EINVAL;
 160   }
 161   JSONParser p;
 162   if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
 163     ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
 164     return -ERR_MALFORMED_DOC;
 165   }
 166
 167   return 0;
 168 }
 169
 170 void RGWModifyRole::execute()
 171 {
 172   op_ret = get_params();
 173   if (op_ret < 0) {
 174     return;
 175   }
 176   RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
 177   op_ret = role.get();
 178   if (op_ret == -ENOENT) {
 179     op_ret = -ERR_NO_ROLE_FOUND;
 180   }
 181
 182   if (op_ret == 0) {
 183     role.update_trust_policy(trust_policy);
 184     op_ret = role.update();
 185   }
 186 }
 187
 188 int RGWListRoles::get_params()
 189 {
 190   path_prefix = s->info.args.get("PathPrefix");
 191
 192   return 0;
 193 }
 194
 195 void RGWListRoles::execute()
 196 {
 197   op_ret = get_params();
 198   if (op_ret < 0) {
 199     return;
 200   }
 201   vector<RGWRole> result;
 202   op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result);
 203
 204   if (op_ret == 0) {
 205     s->formatter->open_array_section("Roles");
 206     for (const auto& it : result) {
 207       s->formatter->open_object_section("role");
 208       it.dump(s->formatter);
 209       s->formatter->close_section();
 210     }
 211     s->formatter->close_section();
 212   }
 213 }
 214
 215 int RGWPutRolePolicy::get_params()
 216 {
 217   role_name = s->info.args.get("RoleName");
 218   policy_name = s->info.args.get("PolicyName");
 219   perm_policy = s->info.args.get("PolicyDocument");
 220
 221   if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
 222     ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
 223     return -EINVAL;
 224   }
 225   JSONParser p;
 226   if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
 227     ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
 228     return -ERR_MALFORMED_DOC;
 229   }
 230
 231   return 0;
 232 }
 233
 234 void RGWPutRolePolicy::execute()
 235 {
 236   op_ret = get_params();
 237   if (op_ret < 0) {
 238     return;
 239   }
 240
 241   RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
 242   op_ret = role.get();
 243   if (op_ret == 0) {
 244     role.set_perm_policy(policy_name, perm_policy);
 245     op_ret = role.update();
 246   }
 247 }
 248
 249 int RGWGetRolePolicy::get_params()
 250 {
 251   role_name = s->info.args.get("RoleName");
 252   policy_name = s->info.args.get("PolicyName");
 253
 254   if (role_name.empty() || policy_name.empty()) {
 255     ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
 256     return -EINVAL;
 257   }
 258   return 0;
 259 }
 260
 261 void RGWGetRolePolicy::execute()
 262 {
 263   op_ret = get_params();
 264   if (op_ret < 0) {
 265     return;
 266   }
 267
 268   RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
 269   op_ret = role.get();
 270
 271   if (op_ret == -ENOENT) {
 272     op_ret = -ERR_NO_ROLE_FOUND;
 273   }
 274
 275   if (op_ret == 0) {
 276     string perm_policy;
 277     op_ret = role.get_role_policy(policy_name, perm_policy);
 278
 279     if (op_ret == 0) {
 280       s->formatter->open_object_section("GetRolePolicyResult");
 281       s->formatter->dump_string("PolicyName", policy_name);
 282       s->formatter->dump_string("RoleName", role_name);
 283       s->formatter->dump_string("Permission policy", perm_policy);
 284       s->formatter->close_section();
 285     }
 286   }
 287 }
 288
 289 int RGWListRolePolicies::get_params()
 290 {
 291   role_name = s->info.args.get("RoleName");
 292
 293   if (role_name.empty()) {
 294     ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
 295     return -EINVAL;
 296   }
 297   return 0;
 298 }
 299
 300 void RGWListRolePolicies::execute()
 301 {
 302   op_ret = get_params();
 303   if (op_ret < 0) {
 304     return;
 305   }
 306
 307   RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
 308   op_ret = role.get();
 309
 310   if (op_ret == -ENOENT) {
 311     op_ret = -ERR_NO_ROLE_FOUND;
 312   }
 313
 314   if (op_ret == 0) {
 315     std::vector<string> policy_names = role.get_role_policy_names();
 316     s->formatter->open_array_section("PolicyNames");
 317     for (const auto& it : policy_names) {
 318       s->formatter->dump_string("member", it);
 319     }
 320     s->formatter->close_section();
 321   }
 322 }
 323
 324 int RGWDeleteRolePolicy::get_params()
 325 {
 326   role_name = s->info.args.get("RoleName");
 327   policy_name = s->info.args.get("PolicyName");
 328
 329   if (role_name.empty() || policy_name.empty()) {
 330     ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
 331     return -EINVAL;
 332   }
 333   return 0;
 334 }
 335
 336 void RGWDeleteRolePolicy::execute()
 337 {
 338   op_ret = get_params();
 339   if (op_ret < 0) {
 340     return;
 341   }
 342
 343   RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
 344   op_ret = role.get();
 345
 346   if (op_ret == -ENOENT) {
 347     op_ret = -ERR_NO_ROLE_FOUND;
 348   }
 349
 350   if (op_ret == 0) {
 351     op_ret = role.delete_policy(policy_name);
 352     if (op_ret == -ENOENT) {
 353       op_ret = -ERR_NO_ROLE_FOUND;
 354     }
 355
 356     if (op_ret == 0) {
 357       op_ret = role.update();
 358     }
 359   }
 360 }