string role_arn = s->info.args.get("RoleArn");
auto provider = get_provider(role_arn, t.iss);
if (! provider) {
+ ldpp_dout(dpp, 0) << "Couldn't get oidc provider info using input iss" << t.iss << dendl;
throw -EACCES;
}
vector<string> client_ids = provider->get_client_ids();
vector<string> thumbprints = provider->get_thumbprints();
if (! client_ids.empty()) {
if (! is_client_id_valid(client_ids, t.client_id) && ! is_client_id_valid(client_ids, t.aud)) {
+ ldpp_dout(dpp, 0) << "Client id in token doesn't match with that registered with oidc provider" << dendl;
throw -EACCES;
}
}
found_valid_cert = true;
}
if (! found_valid_cert) {
+ ldpp_dout(dpp, 0) << "Cert doesn't match that with the thumbprints registered with oidc provider: " << cert.c_str() << dendl;
throw -EINVAL;
}
try {
if (t) {
string role_session = s->info.args.get("RoleSessionName");
if (role_session.empty()) {
+ ldout(s->cct, 0) << "Role Session Name is empty " << dendl;
return result_t::deny(-EACCES);
}
auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, *t);
string rArn = s->info.args.get("RoleArn");
const auto& [ret, role] = sts.getRoleInfo(rArn);
if (ret < 0) {
+ ldout(s->cct, 0) << "failed to get role info using role arn: " << rArn << dendl;
return ret;
}
string policy = role.get_assume_role_policy();
// If yes, then return 0, else -EPERM
auto p_res = p.eval_principal(s->env, *s->auth.identity);
if (p_res == rgw::IAM::Effect::Deny) {
+ ldout(s->cct, 0) << "evaluating principal returned deny" << dendl;
return -EPERM;
}
auto c_res = p.eval_conditions(s->env);
if (c_res == rgw::IAM::Effect::Deny) {
+ ldout(s->cct, 0) << "evaluating condition returned deny" << dendl;
return -EPERM;
}
} catch (rgw::IAM::PolicyParseException& e) {
- ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
+ ldout(s->cct, 0) << "failed to parse policy: " << e.what() << dendl;
return -EPERM;
}
s,
rgw::ARN(partition, service, "", s->user->get_tenant(), ""),
rgw::IAM::stsGetSessionToken)) {
+ ldout(s->cct, 0) << "User does not have permssion to perform GetSessionToken" << dendl;
return -EACCES;
}
string err;
uint64_t duration_in_secs = strict_strtoll(duration.c_str(), 10, &err);
if (!err.empty()) {
+ ldout(s->cct, 0) << "Invalid value of input duration: " << duration << dendl;
return -EINVAL;
}
if (duration_in_secs < STS::GetSessionTokenRequest::getMinDuration() ||
duration_in_secs > s->cct->_conf->rgw_sts_max_session_duration)
+ ldout(s->cct, 0) << "Invalid duration in secs: " << duration_in_secs << dendl;
return -EINVAL;
}
aud = s->info.args.get("aud");
if (roleArn.empty() || roleSessionName.empty() || sub.empty() || aud.empty()) {
- ldout(s->cct, 20) << "ERROR: one of role arn or role session name or token is empty" << dendl;
+ ldout(s->cct, 0) << "ERROR: one of role arn or role session name or token is empty" << dendl;
return -EINVAL;
}
return;
}
- STS::AssumeRoleWithWebIdentityRequest req(duration, providerId, policy, roleArn,
+ STS::AssumeRoleWithWebIdentityRequest req(s->cct, duration, providerId, policy, roleArn,
roleSessionName, iss, sub, aud);
STS::AssumeRoleWithWebIdentityResponse response = sts.assumeRoleWithWebIdentity(req);
op_ret = std::move(response.assumeRoleResp.retCode);
tokenCode = s->info.args.get("TokenCode");
if (roleArn.empty() || roleSessionName.empty()) {
- ldout(s->cct, 20) << "ERROR: one of role arn or role session name is empty" << dendl;
+ ldout(s->cct, 0) << "ERROR: one of role arn or role session name is empty" << dendl;
return -EINVAL;
}
const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), bl);
}
catch (rgw::IAM::PolicyParseException& e) {
- ldout(s->cct, 20) << "failed to parse policy: " << e.what() << "policy" << policy << dendl;
+ ldout(s->cct, 0) << "failed to parse policy: " << e.what() << "policy" << policy << dendl;
return -ERR_MALFORMED_DOC;
}
}
return;
}
- STS::AssumeRoleRequest req(duration, externalId, policy, roleArn,
+ STS::AssumeRoleRequest req(s->cct, duration, externalId, policy, roleArn,
roleSessionName, serialNumber, tokenCode);
STS::AssumeRoleResponse response = sts.assumeRole(req);
op_ret = std::move(response.retCode);
//Session Token - Encrypt using AES
auto* cryptohandler = cct->get_crypto_handler(CEPH_CRYPTO_AES);
if (! cryptohandler) {
+ ldout(cct, 0) << "ERROR: No AES cryto handler found !" << dendl;
return -EINVAL;
}
string secret_s = cct->_conf->rgw_sts_key;
buffer::ptr secret(secret_s.c_str(), secret_s.length());
int ret = 0;
if (ret = cryptohandler->validate_secret(secret); ret < 0) {
- ldout(cct, 0) << "ERROR: Invalid secret key" << dendl;
+ ldout(cct, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl;
return ret;
}
string error;
auto* keyhandler = cryptohandler->get_key_handler(secret, error);
if (! keyhandler) {
+ ldout(cct, 0) << "ERROR: No Key handler found !" << dendl;
return -EINVAL;
}
error.clear();
encode(token, input);
if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) {
+ ldout(cct, 0) << "ERROR: Encrypting session token returned an error !" << dendl;
return ret;
}
return 0;
}
-AssumeRoleRequestBase::AssumeRoleRequestBase( const string& duration,
+AssumeRoleRequestBase::AssumeRoleRequestBase( CephContext* cct,
+ const string& duration,
const string& iamPolicy,
const string& roleArn,
const string& roleSessionName)
- : iamPolicy(iamPolicy), roleArn(roleArn), roleSessionName(roleSessionName)
+ : cct(cct), iamPolicy(iamPolicy), roleArn(roleArn), roleSessionName(roleSessionName)
{
if (duration.empty()) {
this->duration = DEFAULT_DURATION_IN_SECS;
int AssumeRoleRequestBase::validate_input() const
{
if (!err_msg.empty()) {
+ ldout(cct, 0) << "ERROR: error message is empty !" << dendl;
return -EINVAL;
}
if (duration < MIN_DURATION_IN_SECS ||
duration > MAX_DURATION_IN_SECS) {
+ ldout(cct, 0) << "ERROR: Incorrect value of duration: " << duration << dendl;
return -EINVAL;
}
if (! iamPolicy.empty() &&
(iamPolicy.size() < MIN_POLICY_SIZE || iamPolicy.size() > MAX_POLICY_SIZE)) {
+ ldout(cct, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl;
return -ERR_PACKED_POLICY_TOO_LARGE;
}
if (! roleArn.empty() &&
(roleArn.size() < MIN_ROLE_ARN_SIZE || roleArn.size() > MAX_ROLE_ARN_SIZE)) {
+ ldout(cct, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl;
return -EINVAL;
}
if (! roleSessionName.empty()) {
if (roleSessionName.size() < MIN_ROLE_SESSION_SIZE || roleSessionName.size() > MAX_ROLE_SESSION_SIZE) {
+ ldout(cct, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl;
return -EINVAL;
}
std::regex regex_roleSession("[A-Za-z0-9_=,.@-]+");
if (! std::regex_match(roleSessionName, regex_roleSession)) {
+ ldout(cct, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl;
return -EINVAL;
}
}
if (! providerId.empty()) {
if (providerId.length() < MIN_PROVIDER_ID_LEN ||
providerId.length() > MAX_PROVIDER_ID_LEN) {
+ ldout(cct, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl;
return -EINVAL;
}
}
if (! externalId.empty()) {
if (externalId.length() < MIN_EXTERNAL_ID_LEN ||
externalId.length() > MAX_EXTERNAL_ID_LEN) {
+ ldout(cct, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl;
return -EINVAL;
}
std::regex regex_externalId("[A-Za-z0-9_=,.@:/-]+");
if (! std::regex_match(externalId, regex_externalId)) {
+ ldout(cct, 0) << "ERROR: Invalid external Id: " << externalId << dendl;
return -EINVAL;
}
}
if (! serialNumber.empty()){
if (serialNumber.size() < MIN_SERIAL_NUMBER_SIZE || serialNumber.size() > MAX_SERIAL_NUMBER_SIZE) {
+ ldout(cct, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl;
return -EINVAL;
}
std::regex regex_serialNumber("[A-Za-z0-9_=/:,.@-]+");
if (! std::regex_match(serialNumber, regex_serialNumber)) {
+ ldout(cct, 0) << "Incorrect serial number: " << serialNumber << dendl;
return -EINVAL;
}
}
if (! tokenCode.empty() && tokenCode.size() == TOKEN_CODE_SIZE) {
+ ldout(cct, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl;
return -EINVAL;
}
RGWRole role(cct, store->getRados()->pctl, roleName, r_arn->account);
if (int ret = role.get(); ret < 0) {
if (ret == -ENOENT) {
+ ldout(cct, 0) << "Role doesn't exist: " << roleName << dendl;
ret = -ERR_NO_ROLE_FOUND;
}
return make_tuple(ret, this->role);
return make_tuple(0, this->role);
}
} else {
+ ldout(cct, 0) << "Invalid role arn: " << arn << dendl;
return make_tuple(-EINVAL, this->role);
}
}
//Get the role info which is being assumed
boost::optional<rgw::ARN> r_arn = rgw::ARN::parse(req.getRoleARN());
if (r_arn == boost::none) {
+ ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl;
response.assumeRoleResp.retCode = -EINVAL;
return response;
}
//Get the role info which is being assumed
boost::optional<rgw::ARN> r_arn = rgw::ARN::parse(req.getRoleARN());
if (r_arn == boost::none) {
+ ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl;
response.retCode = -EINVAL;
return response;
}
static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
uint64_t MAX_DURATION_IN_SECS;
+ CephContext* cct;
uint64_t duration;
string err_msg;
string iamPolicy;
string roleArn;
string roleSessionName;
public:
- AssumeRoleRequestBase(const string& duration,
+ AssumeRoleRequestBase(CephContext* cct,
+ const string& duration,
const string& iamPolicy,
const string& roleArn,
const string& roleSessionName);
string sub;
string aud;
public:
- AssumeRoleWithWebIdentityRequest( const string& duration,
+ AssumeRoleWithWebIdentityRequest( CephContext* cct,
+ const string& duration,
const string& providerId,
const string& iamPolicy,
const string& roleArn,
const string& iss,
const string& sub,
const string& aud)
- : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
+ : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
providerId(providerId), iss(iss), sub(sub), aud(aud) {}
const string& getProviderId() const { return providerId; }
const string& getIss() const { return iss; }
string serialNumber;
string tokenCode;
public:
- AssumeRoleRequest(const string& duration,
+ AssumeRoleRequest(CephContext* cct,
+ const string& duration,
const string& externalId,
const string& iamPolicy,
const string& roleArn,
const string& roleSessionName,
const string& serialNumber,
const string& tokenCode)
- : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
+ : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName),
externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
int validate_input() const;
};
projects / ceph.git / commitdiff