rgw/sts: adding code for "aws:TokenIssueTime" to be used
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 20 Aug 2020 15:25:51 +0000 (20:55 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Thu, 20 Aug 2020 15:28:42 +0000 (20:58 +0530)
in condition element of role policy to deny access to
temporary credentials.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_auth_s3.h
src/rgw/rgw_rest_s3.cc
src/rgw/rgw_sts.cc
src/rgw/rgw_sts.h

index 60b01d8588efb2df119bccba14582915827f76e7..8b564ae76adec5884b325e923957234318ffabd1 100644 (file)
@@ -743,6 +743,8 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp,
   string value = role.id + ":" + role_session_name;
   s->env.emplace(condition, value);
 
+  s->env.emplace("aws:TokenIssueTime", token_issued_at);
+
   s->token_claims.emplace_back("sts");
   for (auto& it : token_claims) {
     s->token_claims.emplace_back(it);
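Review bot: The new `s->env.emplace("aws:TokenIssueTime", token_issued_at);` publishes an empty string for session tokens that predate this change, because rgw_sts.h only decodes `issued_at` when `struct_v >= 4`. How a Date condition behaves on an empty value is decided by the policy evaluator, which is not in this diff; if it simply fails to match, a `Deny` with `DateLessThan` on `aws:TokenIssueTime` — the revocation use case in the commit message — would miss exactly the legacy tokens it is meant to catch. Consider either skipping the emplace when the value is empty and documenting it, `// empty for tokens issued before issued_at was encoded (struct_v < 4); Date conditions will not see a value`, or mapping the empty value to a fixed epoch so such conditions fail closed. modify_request_state starts before this hunk.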
index 1a6be742a69d99b6c4c4f093a96af75767002c5c..d4b418099da79f1e4fb3e27108d8497b8d3436bb 100644 (file)
@@ -640,6 +640,7 @@ protected:
   string token_policy;
   string role_session_name;
   std::vector<string> token_claims;
+  string token_issued_at;
 
 public:
 
@@ -648,12 +649,14 @@ public:
                const rgw_user& user_id,
                const string& token_policy,
                const string& role_session_name,
-               const std::vector<string>& token_claims)
+               const std::vector<string>& token_claims,
+               const string& token_issued_at)
     : role(role),
       user_id(user_id),
       token_policy(token_policy),
       role_session_name(role_session_name),
-      token_claims(token_claims) {}
+      token_claims(token_claims),
+      token_issued_at(token_issued_at) {}
 
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
     return 0;
@@ -679,11 +682,12 @@ public:
     virtual ~Factory() {}
     virtual aplptr_t create_apl_role( CephContext* cct,
                                       const req_state* s,
-                                      const rgw::auth::RoleApplier::Role& role_name,
+                                      const rgw::auth::RoleApplier::Role& role,
                                       const rgw_user& user_id,
                                       const std::string& token_policy,
                                       const std::string& role_session,
-                                      const std::vector<string>& token_claims) const = 0;
+                                      const std::vector<string>& token_claims,
+                                      const std::string& token_issued_at) const = 0;
     };
 };
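Review bot: The new `token_issued_at` member (first hunk of this file) carries no comment saying what format it holds or where it ends up, and the parameter added to `create_apl_role` and the constructor inherits that gap. The value is produced by `ceph::to_iso_8601` in rgw_sts.cc and published as the policy key `aws:TokenIssueTime` in rgw_auth.cc, so a one-line comment would tie the three together: `string token_issued_at; // ISO 8601 issue time of the STS session token, exposed to policy as aws:TokenIssueTime`. The rename of `role_name` to `role` on the pure-virtual factory signature is a welcome alignment with the override in rgw_auth_s3.h. The RoleApplier class starts before the first hunk of this section.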
 
index 73556a0963c479df29cb66ca2deb67f63c4782c8..210e48a67ffab9e782527686123cb01353feefc7 100644 (file)
@@ -68,9 +68,10 @@ class STSAuthStrategy : public rgw::auth::Strategy,
                             const rgw_user& user_id,
                             const std::string& token_policy,
                             const std::string& role_session_name,
-                            const std::vector<string>& token_claims) const override {
+                            const std::vector<string>& token_claims,
+                            const std::string& token_issued_at) const override {
     auto apl = rgw::auth::add_sysreq(cct, ctl, s,
-      rgw::auth::RoleApplier(cct, role, user_id, token_policy, role_session_name, token_claims));
+      rgw::auth::RoleApplier(cct, role, user_id, token_policy, role_session_name, token_claims, token_issued_at));
     return aplptr_t(new decltype(apl)(std::move(apl)));
   }
 
index a357476f16215c5bea398acf030eb99cb2fcbb2d..027361804dcc7e1fba4c60352012f9d639df516e 100644 (file)
@@ -5971,7 +5971,7 @@ rgw::auth::s3::STSEngine::authenticate(
                                             get_creds_info(token));
     return result_t::grant(std::move(apl), completer_factory(boost::none));
   } else if (token.acct_type == TYPE_ROLE) {
-    auto apl = role_apl_factory->create_apl_role(cct, s, r, user_id, token.policy, token.role_session, token.token_claims);
+    auto apl = role_apl_factory->create_apl_role(cct, s, r, user_id, token.policy, token.role_session, token.token_claims, token.issued_at);
     return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
   } else { // This is for all local users of type TYPE_RGW or TYPE_NONE
     string subuser;
index b4084c086401cf0c9948500bcfe9fd2b83317862..b90e066f51941e680225c6e507d0ab2546facb1f 100644 (file)
@@ -89,6 +89,7 @@ int Credentials::generateCredentials(CephContext* cct,
   token.access_key_id = accessKeyId;
   token.secret_access_key = secretAccessKey;
   token.expiration = expiration;
+  token.issued_at = ceph::to_iso_8601(t);
 
   //Authorization info
   if (policy)
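Review bot: `token.issued_at = ceph::to_iso_8601(t);` relies on the default format of `to_iso_8601`; if that default includes sub-second precision, confirm that the policy engine's date comparison for `aws:TokenIssueTime` parses it, since a value the evaluator cannot parse would make a Date condition never match. `t` is defined before this hunk, so a comment stating what clock sample it is — presumably the same one the expiration is derived from, worth confirming — would help readers relate issue time and expiration, e.g. `// issue time of this token; expiration above is computed relative to it (TODO confirm)`. generateCredentials starts before this hunk.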
index 37519210efbaffcabd305a25ea499a995727e58e..ed92e7f5f2afbeed3313a809711d30e6e79daea4 100644 (file)
@@ -130,11 +130,12 @@ struct SessionToken {
   uint32_t acct_type;
   string role_session;
   std::vector<string> token_claims;
+  string issued_at;
 
   SessionToken() {}
 
   void encode(bufferlist& bl) const {
-    ENCODE_START(3, 1, bl);
+    ENCODE_START(4, 1, bl);
     encode(access_key_id, bl);
     encode(secret_access_key, bl);
     encode(expiration, bl);
@@ -147,11 +148,12 @@ struct SessionToken {
     encode(acct_type, bl);
     encode(role_session, bl);
     encode(token_claims, bl);
+    encode(issued_at, bl);
     ENCODE_FINISH(bl);
   }
 
   void decode(bufferlist::const_iterator& bl) {
-    DECODE_START(3, bl);
+    DECODE_START(4, bl);
     decode(access_key_id, bl);
     decode(secret_access_key, bl);
     decode(expiration, bl);
@@ -168,6 +170,9 @@ struct SessionToken {
     if (struct_v >= 3) {
       decode(token_claims, bl);
     }
+    if (struct_v >= 4) {
+      decode(issued_at, bl);
+    }
     DECODE_FINISH(bl);
   }
 };
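Review bot: `ENCODE_START(4, 1, bl)` keeps the compat version at 1, so a daemon still running the previous code (`DECODE_START(3, bl)`) will accept a v4 token and, if DECODE_FINISH skips the trailing bytes as it does elsewhere in Ceph, silently drop `issued_at`; during a mixed-version rollout those daemons evaluate role policies without `aws:TokenIssueTime`, which is worth stating in the commit or release notes as an upgrade caveat. The new member at `string issued_at;` would also benefit from a comment fixing its contract: `string issued_at; // ISO 8601 issue time set by Credentials::generateCredentials; empty when decoded from struct_v < 4`. The decode branch `if (struct_v >= 4)` is consistent with the existing `struct_v >= 3` handling for `token_claims`.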