void rgw::auth::RemoteApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const
{
+ string key = "aws:userid";
+ string value = info.acct_user.id;
+ s->env.emplace(key, value);
+
// copy our identity policies into req_state
s->iam_identity_policies.insert(s->iam_identity_policies.end(),
policies.begin(), policies.end());
}
+std::optional<rgw::ARN> rgw::auth::RemoteApplier::get_caller_identity() const
+{
+ return rgw::ARN(owner_acct_user.id, "user", owner_acct_user.tenant, true);
+}
+
/* rgw::auth::LocalApplier */
/* static declaration */
const std::string rgw::auth::LocalApplier::NO_SUBUSER;
void rgw::auth::LocalApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const
{
+ string key = "aws:userid";
+ string value = user_info.type == TYPE_ROOT ? user_info.account_id : user_info.user_id.id;
+ s->env.emplace(key, value);
+
// copy our identity policies into req_state
s->iam_identity_policies.insert(s->iam_identity_policies.end(),
policies.begin(), policies.end());
void write_ops_log_entry(rgw_log_entry& entry) const override;
uint32_t get_identity_type() const override { return info.acct_type; }
- std::optional<rgw::ARN> get_caller_identity() const override {
- return std::nullopt;
- }
+ std::optional<rgw::ARN> get_caller_identity() const override;
std::string get_acct_name() const override { return info.acct_name; }
std::string get_subuser() const override { return {}; }
rgw::Partition partition = rgw::Partition::aws;
rgw::Service service = rgw::Service::sts;
std::string acct = role.account->id.empty() ? role.tenant : role.account->id;
- std::string resource = "assumed-role/" + role.name + "/" + token_attrs.role_session_name;
+ std::string resource = "assumed-role" + role.path + role.name + "/" + token_attrs.role_session_name;
return rgw::ARN(partition, service, "", acct, resource);
}
bool is_non_s3_op(RGWOpType op_type)
{
switch (op_type) {
+ case RGW_STS_GET_CALLER_IDENTITY:
case RGW_STS_GET_SESSION_TOKEN:
case RGW_STS_ASSUME_ROLE:
case RGW_STS_ASSUME_ROLE_WEB_IDENTITY:
RGW_OP_SYNC_MDLOG_NOTIFY,
RGW_OP_PERIOD_POST,
/* sts specific*/
+ RGW_STS_GET_CALLER_IDENTITY,
RGW_STS_ASSUME_ROLE,
RGW_STS_GET_SESSION_TOKEN,
RGW_STS_ASSUME_ROLE_WEB_IDENTITY,
case RGW_OP_PUT_BUCKET_OBJ_LOCK:
case RGW_OP_PUT_OBJ_RETENTION:
case RGW_OP_PUT_OBJ_LEGAL_HOLD:
+ case RGW_STS_GET_CALLER_IDENTITY:
case RGW_STS_GET_SESSION_TOKEN:
case RGW_STS_ASSUME_ROLE:
case RGW_OP_PUT_BUCKET_PUBLIC_ACCESS_BLOCK:
}
}
+int RGWSTSGetCallerIdentity::verify_permission(optional_yield y)
+{
+ // https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
+ // Permissions are not required because the same information is returned when access is denied.
+
+ return 0;
+}
+
+void RGWSTSGetCallerIdentity::execute(optional_yield y)
+{
+ std::string account;
+ std::string userid;
+ std::string arn;
+
+ if (const auto& acc = s->auth.identity->get_account(); acc) {
+ account = acc->id;
+ }
+
+ if(account.empty()) {
+ account = s->user->get_tenant();
+ }
+ if (auto it = s->env.find("aws:userid"); it != s->env.end()) {
+ userid = it->second;
+ }
+
+ auto a = s->auth.identity->get_caller_identity();
+ if(a) {
+ arn = a->to_string();
+ }
+
+ s->formatter->open_object_section_in_ns("GetCallerIdentityResponse", RGW_REST_STS_XMLNS);
+ s->formatter->open_object_section("GetCallerIdentityResult");
+ encode_json("Arn", arn, s->formatter);
+ encode_json("UserId", userid, s->formatter);
+ encode_json("Account", account, s->formatter);
+ s->formatter->close_section();
+ s->formatter->close_section();
+}
+
int RGW_Auth_STS::authorize(const DoutPrefixProvider *dpp,
rgw::sal::Driver* driver,
const rgw::auth::StrategyRegistry& auth_registry,
static const std::unordered_map<std::string_view, op_generator> op_generators = {
{"AssumeRole", []() -> RGWOp* {return new RGWSTSAssumeRole;}},
{"GetSessionToken", []() -> RGWOp* {return new RGWSTSGetSessionToken;}},
- {"AssumeRoleWithWebIdentity", []() -> RGWOp* {return new RGWSTSAssumeRoleWithWebIdentity;}}
+ {"AssumeRoleWithWebIdentity", []() -> RGWOp* {return new RGWSTSAssumeRoleWithWebIdentity;}},
+ {"GetCallerIdentity", []() -> RGWOp* {return new RGWSTSGetCallerIdentity;}}
};
bool RGWHandler_REST_STS::action_exists(const req_state* s)
RGWOpType get_type() override { return RGW_STS_GET_SESSION_TOKEN; }
};
+class RGWSTSGetCallerIdentity : public RGWREST_STS {
+public:
+ RGWSTSGetCallerIdentity() = default;
+ void execute(optional_yield y) override;
+ int verify_permission(optional_yield y) override;
+ const char* name() const override { return "get_caller_identity"; }
+ RGWOpType get_type() override { return RGW_STS_GET_CALLER_IDENTITY; }
+};
+
class RGW_Auth_STS {
public:
static int authorize(const DoutPrefixProvider *dpp,
projects / ceph-ci.git / commitdiff