encode_json("SessionToken", sessionToken , f);
}
-int Credentials::generateCredentials(CephContext* cct,
+int Credentials::generateCredentials(const DoutPrefixProvider *dpp,
+ CephContext* cct,
const uint64_t& duration,
const boost::optional<std::string>& policy,
const boost::optional<std::string>& roleId,
//Session Token - Encrypt using AES
auto* cryptohandler = cct->get_crypto_handler(CEPH_CRYPTO_AES);
if (! cryptohandler) {
- ldout(cct, 0) << "ERROR: No AES cryto handler found !" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: No AES cryto handler found !" << dendl;
return -EINVAL;
}
string secret_s = cct->_conf->rgw_sts_key;
buffer::ptr secret(secret_s.c_str(), secret_s.length());
int ret = 0;
if (ret = cryptohandler->validate_secret(secret); ret < 0) {
- ldout(cct, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl;
return ret;
}
string error;
std::unique_ptr<CryptoKeyHandler> keyhandler(cryptohandler->get_key_handler(secret, error));
if (! keyhandler) {
- ldout(cct, 0) << "ERROR: No Key handler found !" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: No Key handler found !" << dendl;
return -EINVAL;
}
error.clear();
encode(token, input);
if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) {
- ldout(cct, 0) << "ERROR: Encrypting session token returned an error !" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Encrypting session token returned an error !" << dendl;
return ret;
}
}
}
-int AssumeRoleRequestBase::validate_input() const
+int AssumeRoleRequestBase::validate_input(const DoutPrefixProvider *dpp) const
{
if (!err_msg.empty()) {
- ldout(cct, 0) << "ERROR: error message is empty !" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: error message is empty !" << dendl;
return -EINVAL;
}
if (duration < MIN_DURATION_IN_SECS ||
duration > MAX_DURATION_IN_SECS) {
- ldout(cct, 0) << "ERROR: Incorrect value of duration: " << duration << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Incorrect value of duration: " << duration << dendl;
return -EINVAL;
}
if (! iamPolicy.empty() &&
(iamPolicy.size() < MIN_POLICY_SIZE || iamPolicy.size() > MAX_POLICY_SIZE)) {
- ldout(cct, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl;
return -ERR_PACKED_POLICY_TOO_LARGE;
}
if (! roleArn.empty() &&
(roleArn.size() < MIN_ROLE_ARN_SIZE || roleArn.size() > MAX_ROLE_ARN_SIZE)) {
- ldout(cct, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl;
return -EINVAL;
}
if (! roleSessionName.empty()) {
if (roleSessionName.size() < MIN_ROLE_SESSION_SIZE || roleSessionName.size() > MAX_ROLE_SESSION_SIZE) {
- ldout(cct, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl;
return -EINVAL;
}
std::regex regex_roleSession("[A-Za-z0-9_=,.@-]+");
if (! std::regex_match(roleSessionName, regex_roleSession)) {
- ldout(cct, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl;
return -EINVAL;
}
}
return 0;
}
-int AssumeRoleWithWebIdentityRequest::validate_input() const
+int AssumeRoleWithWebIdentityRequest::validate_input(const DoutPrefixProvider *dpp) const
{
if (! providerId.empty()) {
if (providerId.length() < MIN_PROVIDER_ID_LEN ||
providerId.length() > MAX_PROVIDER_ID_LEN) {
- ldout(cct, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl;
return -EINVAL;
}
}
- return AssumeRoleRequestBase::validate_input();
+ return AssumeRoleRequestBase::validate_input(dpp);
}
-int AssumeRoleRequest::validate_input() const
+int AssumeRoleRequest::validate_input(const DoutPrefixProvider *dpp) const
{
if (! externalId.empty()) {
if (externalId.length() < MIN_EXTERNAL_ID_LEN ||
externalId.length() > MAX_EXTERNAL_ID_LEN) {
- ldout(cct, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl;
return -EINVAL;
}
std::regex regex_externalId("[A-Za-z0-9_=,.@:/-]+");
if (! std::regex_match(externalId, regex_externalId)) {
- ldout(cct, 0) << "ERROR: Invalid external Id: " << externalId << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Invalid external Id: " << externalId << dendl;
return -EINVAL;
}
}
if (! serialNumber.empty()){
if (serialNumber.size() < MIN_SERIAL_NUMBER_SIZE || serialNumber.size() > MAX_SERIAL_NUMBER_SIZE) {
- ldout(cct, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl;
+ ldpp_dout(dpp, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl;
return -EINVAL;
}
std::regex regex_serialNumber("[A-Za-z0-9_=/:,.@-]+");
if (! std::regex_match(serialNumber, regex_serialNumber)) {
- ldout(cct, 0) << "Incorrect serial number: " << serialNumber << dendl;
+ ldpp_dout(dpp, 0) << "Incorrect serial number: " << serialNumber << dendl;
return -EINVAL;
}
}
if (! tokenCode.empty() && tokenCode.size() == TOKEN_CODE_SIZE) {
- ldout(cct, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl;
+ ldpp_dout(dpp, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl;
return -EINVAL;
}
- return AssumeRoleRequestBase::validate_input();
+ return AssumeRoleRequestBase::validate_input(dpp);
}
std::tuple<int, rgw::sal::RGWRole*> STSService::getRoleInfo(const DoutPrefixProvider *dpp,
return ret;
}
-AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req)
+AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req)
{
AssumeRoleWithWebIdentityResponse response;
response.assumeRoleResp.packedPolicySize = 0;
//Get the role info which is being assumed
boost::optional<rgw::ARN> r_arn = rgw::ARN::parse(req.getRoleARN());
if (r_arn == boost::none) {
- ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl;
+ ldpp_dout(dpp, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl;
response.assumeRoleResp.retCode = -EINVAL;
return response;
}
req.setMaxDuration(roleMaxSessionDuration);
//Validate input
- response.assumeRoleResp.retCode = req.validate_input();
+ response.assumeRoleResp.retCode = req.validate_input(dpp);
if (response.assumeRoleResp.retCode < 0) {
return response;
}
//Generate Credentials
//Role and Policy provide the authorization info, user id and applier info are not needed
- response.assumeRoleResp.retCode = response.assumeRoleResp.creds.generateCredentials(cct, req.getDuration(),
+ response.assumeRoleResp.retCode = response.assumeRoleResp.creds.generateCredentials(dpp, cct, req.getDuration(),
req.getPolicy(), roleId,
req.getRoleSessionName(),
token_claims,
req.setMaxDuration(roleMaxSessionDuration);
//Validate input
- response.retCode = req.validate_input();
+ response.retCode = req.validate_input(dpp);
if (response.retCode < 0) {
return response;
}
//Generate Credentials
//Role and Policy provide the authorization info, user id and applier info are not needed
- response.retCode = response.creds.generateCredentials(cct, req.getDuration(),
+ response.retCode = response.creds.generateCredentials(dpp, cct, req.getDuration(),
req.getPolicy(), roleId,
req.getRoleSessionName(),
boost::none,
this->tokenCode = tokenCode;
}
-GetSessionTokenResponse STSService::getSessionToken(GetSessionTokenRequest& req)
+GetSessionTokenResponse STSService::getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req)
{
int ret;
Credentials cred;
//Generate Credentials
- if (ret = cred.generateCredentials(cct,
+ if (ret = cred.generateCredentials(dpp, cct,
req.getDuration(),
boost::none,
boost::none,
static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
const uint64_t& getDuration() const { return duration; }
- int validate_input() const;
+ int validate_input(const DoutPrefixProvider *dpp) const;
};
class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
const std::string& getAud() const { return aud; }
const std::string& getSub() const { return sub; }
const std::vector<std::pair<std::string,std::string>>& getPrincipalTags() const { return session_princ_tags; }
- int validate_input() const;
+ int validate_input(const DoutPrefixProvider *dpp) const;
};
class AssumeRoleRequest : public AssumeRoleRequestBase {
const std::string& tokenCode)
: AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
- int validate_input() const;
+ int validate_input(const DoutPrefixProvider *dpp) const;
};
class GetSessionTokenRequest {
std::string secretAccessKey;
std::string sessionToken;
public:
- int generateCredentials(CephContext* cct,
+ int generateCredentials(const DoutPrefixProvider *dpp,
+ CephContext* cct,
const uint64_t& duration,
const boost::optional<std::string>& policy,
const boost::optional<std::string>& roleId,
: cct(cct), store(store), user_id(user_id), identity(identity) {}
std::tuple<int, rgw::sal::RGWRole*> getRoleInfo(const DoutPrefixProvider *dpp, const std::string& arn, optional_yield y);
AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y);
- GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
- AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
+ GetSessionTokenResponse getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req);
+ AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req);
};
}
#endif /* CEPH_RGW_STS_H */
projects / ceph.git / commitdiff