cerr << "ERROR: assume role policy document is empty" << std::endl;
return -EINVAL;
}
- /* The following two calls will be replaced by read_decode_json or something
- similar when the code for AWS Policies is in places */
- bufferlist bl;
- int ret = read_input(assume_role_doc, bl);
- if (ret < 0) {
- cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl;
- return ret;
- }
- JSONParser p;
- if (!p.parse(bl.c_str(), bl.length())) {
- cout << "ERROR: failed to parse JSON: " << assume_role_doc << std::endl;
+ bufferlist bl = bufferlist::static_from_string(assume_role_doc);
+ try {
+ const rgw::IAM::Policy p(g_ceph_context, tenant, bl);
+ } catch (rgw::IAM::PolicyParseException& e) {
+ cerr << "failed to parse policy: " << e.what() << std::endl;
return -EINVAL;
}
- string trust_policy = bl.to_str();
- RGWRole role(g_ceph_context, store, role_name, path, trust_policy, tenant);
+ RGWRole role(g_ceph_context, store, role_name, path, assume_role_doc, tenant);
ret = role.create(true);
if (ret < 0) {
return -ret;
return -EINVAL;
}
- /* The following two calls will be replaced by read_decode_json or something
- similar, when code for AWS Policies is in place.*/
- bufferlist bl;
- int ret = read_input(perm_policy_doc, bl);
- if (ret < 0) {
- cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl;
- return ret;
- }
- JSONParser p;
- if (!p.parse(bl.c_str(), bl.length())) {
- cout << "ERROR: failed to parse JSON: " << std::endl;
+ bufferlist bl = bufferlist::static_from_string(perm_policy_doc);
+ try {
+ const rgw::IAM::Policy p(g_ceph_context, tenant, bl);
+ } catch (rgw::IAM::PolicyParseException& e) {
+ cerr << "failed to parse perm policy: " << e.what() << std::endl;
return -EINVAL;
}
- string perm_policy;
- perm_policy = bl.c_str();
RGWRole role(g_ceph_context, store, role_name, tenant);
ret = role.get();
if (ret < 0) {
return -ret;
}
- role.set_perm_policy(policy_name, perm_policy);
+ role.set_perm_policy(policy_name, perm_policy_doc);
ret = role.update();
if (ret < 0) {
return -ret;
role_name = s->info.args.get("RoleName");
role_path = s->info.args.get("Path");
trust_policy = s->info.args.get("AssumeRolePolicyDocument");
+ max_session_duration = s->info.args.get("MaxSessionDuration");
if (role_name.empty() || trust_policy.empty()) {
ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
<< dendl;
return -EINVAL;
}
- JSONParser p;
- if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
- ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
+
+ bufferlist bl = bufferlist::static_from_string(trust_policy);
+ try {
+ const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl);
+ }
+ catch (rgw::IAM::PolicyParseException& e) {
+ ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
return -ERR_MALFORMED_DOC;
}
+
return 0;
}
if (op_ret < 0) {
return;
}
- RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant);
+ RGWRole role(s->cct, store, role_name, role_path, trust_policy,
+ s->user->user_id.tenant, max_session_duration);
op_ret = role.create(true);
if (op_ret == -EEXIST) {
ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
return -EINVAL;
}
- JSONParser p;
- if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
- ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
+ bufferlist bl = bufferlist::static_from_string(perm_policy);
+ try {
+ const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl);
+ }
+ catch (rgw::IAM::PolicyParseException& e) {
+ ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
return -ERR_MALFORMED_DOC;
}
-
return 0;
}
string policy_name;
string perm_policy;
string path_prefix;
+ string max_session_duration;
RGWRole _role;
public:
int verify_permission() override;
encode_json("path", path, f);
encode_json("arn", arn, f);
encode_json("create_date", creation_date, f);
+ encode_json("max_session_duration", max_session_duration, f);
encode_json("assume_role_policy_document", trust_policy, f);
}
JSONDecoder::decode_json("path", path, obj);
JSONDecoder::decode_json("arn", arn, obj);
JSONDecoder::decode_json("create_date", creation_date, obj);
+ JSONDecoder::decode_json("max_session_duration", max_session_duration, obj);
JSONDecoder::decode_json("assume_role_policy_document", trust_policy, obj);
}
return false;
}
+ if (max_session_duration < SESSION_DURATION_MIN ||
+ max_session_duration > SESSION_DURATION_MAX) {
+ ldout(cct, 0) << "ERROR: Invalid session duration, should be between 3600 and 43200 seconds " << dendl;
+ return false;
+ }
return true;
}
static const string role_arn_prefix;
static constexpr int MAX_ROLE_NAME_LEN = 64;
static constexpr int MAX_PATH_NAME_LEN = 512;
+ static constexpr uint64_t SESSION_DURATION_MIN = 3600; // in seconds
+ static constexpr uint64_t SESSION_DURATION_MAX = 43200; // in seconds
CephContext *cct;
RGWRados *store;
string trust_policy;
map<string, string> perm_policy_map;
string tenant;
+ uint64_t max_session_duration;
int store_info(bool exclusive);
int store_name(bool exclusive);
string name,
string path,
string trust_policy,
- string tenant)
+ string tenant,
+ string max_session_duration_str="")
: cct(cct),
store(store),
name(std::move(name)),
if (this->path.empty())
this->path = "/";
extract_name_tenant(this->name);
+ if (! max_session_duration_str.empty()) {
+ max_session_duration = SESSION_DURATION_MIN;
+ } else {
+ max_session_duration = std::stoull(max_session_duration_str);
+ }
}
RGWRole(CephContext *cct,
~RGWRole() = default;
void encode(bufferlist& bl) const {
- ENCODE_START(2, 1, bl);
+ ENCODE_START(3, 1, bl);
encode(id, bl);
encode(name, bl);
encode(path, bl);
encode(trust_policy, bl);
encode(perm_policy_map, bl);
encode(tenant, bl);
+ encode(max_session_duration, bl);
ENCODE_FINISH(bl);
}
if (struct_v >= 2) {
decode(tenant, bl);
}
+ if (struct_v >= 3) {
+ decode(max_session_duration, bl);
+ }
DECODE_FINISH(bl);
}
const string& get_path() const { return path; }
const string& get_create_date() const { return creation_date; }
const string& get_assume_role_policy() const { return trust_policy;}
+ const uint64_t& get_max_session_duration() const { return max_session_duration; }
int create(bool exclusive);
int delete_obj();
projects / ceph.git / commitdiff