encode_json("SessionToken", sessionToken , f);
}
-int Credentials::generateCredentials(CephContext* cct)
+int Credentials::generateCredentials(CephContext* cct, const uint64_t& duration)
{
uuid_d accessKey, secretKey;
char accessKeyId_str[MAX_ACCESS_KEY_LEN], secretAccessKey_str[MAX_ACCESS_KEY_LEN];
struct timeval tv;
real_clock::to_timeval(t, tv);
- tv.tv_sec += EXPIRATION_TIME_IN_SECS;
+ tv.tv_sec += duration;
struct tm result;
gmtime_r(&tv.tv_sec, &result);
return 0;
}
-AssumeRoleRequest::AssumeRoleRequest(string _duration, string _externalId, string _iamPolicy,
- string _roleArn, string _roleSessionName, string _serialNumber,
- string _tokenCode)
+AssumeRoleRequest::AssumeRoleRequest(string& _duration, string& _externalId, string& _iamPolicy,
+ string& _roleArn, string& _roleSessionName, string& _serialNumber,
+ string& _tokenCode)
: externalId(_externalId), iamPolicy(_iamPolicy),
roleArn(_roleArn), roleSessionName(_roleSessionName),
serialNumber(_serialNumber), tokenCode(_tokenCode)
int AssumeRoleRequest::validate_input() const
{
- if (duration < MIN_DURATION_IN_SECS) {
+ if (duration < MIN_DURATION_IN_SECS ||
+ duration > MAX_DURATION_IN_SECS) {
return -EINVAL;
}
return 0;
}
-AssumeRoleResponse STSService::assumeRole(const AssumeRoleRequest& req)
+std::tuple<int, boost::optional<rgw::IAM::ARN>, RGWRole> STSService::_getRoleInfo(const string& arn)
{
- int ret = 0;
- uint64_t packedPolicySize = 0;
+ if (auto r_arn = rgw::IAM::ARN::parse(arn); r_arn) {
+ auto pos = r_arn->resource.find_last_of('/');
+ string roleName = r_arn->resource.substr(pos + 1);
+ RGWRole role(cct, store, roleName, r_arn->account);
+ if (int ret = role.get(); ret < 0) {
+ return make_tuple(ret, r_arn, role);
+ } else {
+ return make_tuple(0, r_arn, role);
+ }
+ } else {
+ RGWRole dummyRole;
+ return make_tuple(-EINVAL, r_arn, dummyRole);
+ }
+}
+
+AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req)
+{
+ uint64_t packedPolicySize = 0, roleMaxSessionDuration = 0;
AssumedRoleUser user;
Credentials cred;
string roleId;
//Get the role info which is being assumed
- auto r_arn = rgw::IAM::ARN::parse(req.getRoleARN());
+ const auto& [ret_val, r_arn, role] = _getRoleInfo(req.getRoleARN());
+ if (ret_val < 0) {
+ return make_tuple(ret_val, user, cred, packedPolicySize);
+ }
+
if (r_arn) {
- auto pos = r_arn->resource.find_last_of('/');
- string roleName = r_arn->resource.substr(pos + 1);
- RGWRole role(cct, store, roleName, r_arn->account);
- if (ret = role.get(); ret < 0) {
- return make_tuple(ret, user, cred, packedPolicySize);
- }
roleId = role.get_id();
- } else {
- return make_tuple(-EINVAL, user, cred, packedPolicySize);
+ roleMaxSessionDuration = role.get_max_session_duration();
+ req.setMaxDuration(roleMaxSessionDuration);
}
//Validate input
+ int ret = 0;
if (ret = req.validate_input(); ret < 0) {
return make_tuple(ret, user, cred, packedPolicySize);
}
}
//Generate Credentials
- if (ret = cred.generateCredentials(cct); ret < 0) {
+ if (ret = cred.generateCredentials(cct, req.getDuration()); ret < 0) {
return make_tuple(ret, user, cred, packedPolicySize);
}
#ifndef CEPH_STS_ASSUME_ROLE_H
#define CEPH_STS_ASSUME_ROLE_H
+#include "rgw_role.h"
+
namespace STS {
class AssumeRoleRequest {
static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
static constexpr uint64_t TOKEN_CODE_SIZE = 6;
+ uint64_t MAX_DURATION_IN_SECS;
uint64_t duration;
string externalId;
string iamPolicy;
string serialNumber;
string tokenCode;
public:
- AssumeRoleRequest( string _duration,
- string _externalId,
- string _iamPolicy,
- string _roleArn,
- string _roleSessionName,
- string _serialNumber,
- string _tokenCode);
+ AssumeRoleRequest( string& _duration,
+ string& _externalId,
+ string& _iamPolicy,
+ string& _roleArn,
+ string& _roleSessionName,
+ string& _serialNumber,
+ string& _tokenCode);
const string& getRoleARN() const { return roleArn; }
const string& getRoleSessionName() const { return roleSessionName; }
const string& getPolicy() const {return iamPolicy; }
- static uint64_t getMaxPolicySize() { return MAX_POLICY_SIZE; }
+ static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
+ void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
+ uint64_t& getDuration() { return duration; }
int validate_input() const;
};
class Credentials {
static constexpr int MAX_ACCESS_KEY_LEN = 64;
- static constexpr int EXPIRATION_TIME_IN_SECS = 86400; // 1 day
string accessKeyId;
string expiration;
string secretAccessKey;
string sessionToken;
public:
- int generateCredentials(CephContext* cct);
+ int generateCredentials(CephContext* cct, const uint64_t& duration);
const string& getAccessKeyId() const { return accessKeyId; }
const string& getExpiration() const { return expiration; }
const string& getSecretAccessKey() const { return secretAccessKey; }
class STSService {
CephContext* cct;
RGWRados *store;
+ std::tuple<int, boost::optional<rgw::IAM::ARN>, RGWRole> _getRoleInfo(const string& arn);
public:
STSService(CephContext* _cct, RGWRados *_store) : cct(_cct), store(_store) {}
- AssumeRoleResponse assumeRole(const AssumeRoleRequest& req);
+ AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
};
}
#endif /* CEPH_STS_ASSUME_ROLE_H */
projects / ceph.git / commitdiff