case RGW_OP_DELETE_OIDC_PROVIDER:
case RGW_OP_GET_OIDC_PROVIDER:
case RGW_OP_LIST_OIDC_PROVIDERS:
+ case RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER:
+ case RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT:
case RGW_OP_PUBSUB_TOPIC_CREATE:
case RGW_OP_PUBSUB_TOPICS_LIST:
case RGW_OP_PUBSUB_TOPIC_GET:
{ "iam:GetOIDCProvider", iamGetOIDCProvider},
{ "iam:ListOIDCProviders", iamListOIDCProviders},
{ "iam:AddClientIdToOIDCProvider", iamAddClientIdToOIDCProvider},
+ { "iam:UpdateOIDCProviderThumbprint", iamUpdateOIDCProviderThumbprint},
{ "iam:TagRole", iamTagRole},
{ "iam:ListRoleTags", iamListRoleTags},
{ "iam:UntagRole", iamUntagRole},
case iamAddClientIdToOIDCProvider:
return "iam:AddClientIdToOIDCProvider";
+ case iamUpdateOIDCProviderThumbprint:
+ return "iam:UpdateOIDCProviderThumbprint";
+
case iamTagRole:
return "iam:TagRole";
iamGetOIDCProvider,
iamListOIDCProviders,
iamAddClientIdToOIDCProvider,
+ iamUpdateOIDCProviderThumbprint,
iamTagRole,
iamListRoleTags,
iamUntagRole,
RGW_OP_GET_OIDC_PROVIDER,
RGW_OP_LIST_OIDC_PROVIDERS,
RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER,
+ RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT,
};
{"GetOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWGetOIDCProvider;}},
{"DeleteOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWDeleteOIDCProvider;}},
{"AddClientIDToOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWAddClientIdToOIDCProvider;}},
+ {"UpdateOpenIDConnectProviderThumbprint", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUpdateOIDCProviderThumbprint;}},
{"TagRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWTagRole(bl_post_body);}},
{"ListRoleTags", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWListRoleTags;}},
{"UntagRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUntagRole(bl_post_body);}},
s->formatter->close_section();
}
}
+
+RGWUpdateOIDCProviderThumbprint::RGWUpdateOIDCProviderThumbprint()
+ : RGWRestOIDCProvider(rgw::IAM::iamUpdateOIDCProviderThumbprint, RGW_CAP_WRITE)
+{
+}
+
+int RGWUpdateOIDCProviderThumbprint::init_processing(optional_yield y)
+{
+ std::string_view account;
+ if (const auto& acc = s->auth.identity->get_account(); acc) {
+ account = acc->id;
+ } else {
+ account = s->user->get_tenant();
+ }
+ std::string provider_arn = s->info.args.get("OpenIDConnectProviderArn");
+ auto ret = validate_provider_arn(provider_arn, account,
+ resource, url, s->err.message);
+ if (ret < 0) {
+ return ret;
+ }
+
+ auto val_map = s->info.args.get_params();
+ /* From AWS documentation here: https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateOpenIDConnectProviderThumbprint.html
+ The list that you pass with this operation completely replaces the existing list of thumbprints. (The lists are not merged.) */
+ for (auto& it : val_map) {
+ if (it.first.find("ThumbprintList.member.") != string::npos) {
+ if (it.second.size() > MAX_OIDC_THUMBPRINT_LEN) {
+ s->err.message = "Thumbprint cannot exceed the maximum length of "
+ + std::to_string(MAX_OIDC_THUMBPRINT_LEN);
+ ldpp_dout(this, 20) << "ERROR: Thumbprint exceeds maximum length of " << MAX_OIDC_THUMBPRINT_LEN << dendl;
+ return -EINVAL;
+ }
+ thumbprints.emplace_back(it.second);
+ }
+ }
+
+ if (thumbprints.empty()) {
+ s->err.message = "Missing required element ThumbprintList";
+ ldpp_dout(this, 20) << "ERROR: Thumbprints list is empty" << dendl;
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+void RGWUpdateOIDCProviderThumbprint::execute(optional_yield y)
+{
+ RGWOIDCProviderInfo info;
+ op_ret = driver->load_oidc_provider(this, y, resource.account, url, info);
+
+ if (op_ret < 0) {
+ if (op_ret != -ENOENT && op_ret != -EINVAL) {
+ op_ret = ERR_INTERNAL_ERROR;
+ }
+ return;
+ }
+
+ info.thumbprints = std::move(thumbprints);
+
+ constexpr bool exclusive = false;
+ op_ret = driver->store_oidc_provider(this, y, info, exclusive);
+ if (op_ret == 0) {
+ s->formatter->open_object_section("AddClientIDToOpenIDConnectProviderResponse");
+ s->formatter->open_object_section("ResponseMetadata");
+ s->formatter->dump_string("RequestId", s->trans_id);
+ s->formatter->close_section();
+ s->formatter->open_object_section("AddClientIDToOpenIDConnectProviderResponse");
+ dump_oidc_provider(info, s->formatter);
+ s->formatter->close_section();
+ s->formatter->close_section();
+ }
+}
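Review bot: The response emitted at the end of execute() is labelled for the wrong action: both open_object_section calls use "AddClientIDToOpenIDConnectProviderResponse", so the outer element carries another API's name and the inner one repeats it. The outer section should be `s->formatter->open_object_section("UpdateOpenIDConnectProviderThumbprintResponse");`, and the nested section needs its own distinct name — AWS's UpdateOpenIDConnectProviderThumbprint response carries only ResponseMetadata as far as I recall, so the nested dump_oidc_provider block may not be wanted at all; worth confirming against the reference linked in the comment above. Separately, init_processing only bounds each ThumbprintList member by MAX_OIDC_THUMBPRINT_LEN and neither checks that the value is a hex fingerprint nor caps the number of entries; since the list wholesale replaces the stored one, whatever content validation the provider-creation path applies (not visible here) should be applied here too. The function whose closing braces open this hunk starts outside it.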
void execute(optional_yield y) override;
const char* name() const override { return "add_client_id_to_oidc_provider"; }
RGWOpType get_type() override { return RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER; }
-};
\ No newline at end of file
+};
+
+class RGWUpdateOIDCProviderThumbprint : public RGWRestOIDCProvider {
+ std::string url;
+ std::vector<std::string> thumbprints;
+public:
+ RGWUpdateOIDCProviderThumbprint();
+
+ int init_processing(optional_yield y);
+ void execute(optional_yield y) override;
+ const char* name() const override { return "update_oidc_provider_thumbprint"; }
+ RGWOpType get_type() override { return RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT; }
+};
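Review bot: `int init_processing(optional_yield y);` on the new class is declared without `override`, while execute, name and get_type in the same class all carry it; assuming the base declares init_processing virtual (the op framework calls it polymorphically), write `int init_processing(optional_yield y) override;` so that a signature mismatch fails to compile instead of silently hiding the base method. The class whose closing `};` opens this hunk starts outside it.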