From: Pritha Srivastava
Date: Wed, 24 Oct 2018 16:00:34 +0000 (+0530)
Subject: rgw: Extending Policy Engine for STS Auth Condition Key.
X-Git-Tag: v14.1.0~189^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=846ef951de09465a902e30f0f50f82fd70b809e7;p=ceph.git

rgw: Extending Policy Engine for STS Auth Condition Key.

Signed-off-by: Pritha Srivastava
---

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 6084122e5a6e..655d79ee4a3d 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -470,6 +470,7 @@ static const actpair actpairs[] =
 { "iam:DeleteRolePolicy", iamDeleteRolePolicy},
 { "sts:AssumeRole", stsAssumeRole},
 { "sts:AssumeRoleWithWebIdentity", stsAssumeRoleWithWebIdentity},
+ { "sts:GetSessionToken", stsGetSessionToken},
 };
 
 struct PolicyParser;
@@ -1561,6 +1562,9 @@ const char* action_bit_string(uint64_t action) {
 
 case stsAssumeRoleWithWebIdentity:
 return "sts:AssumeRoleWithWebIdentity";
+
+ case stsGetSessionToken:
+ return "sts:GetSessionToken";
 }
 return "s3Invalid";
 }
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 7911a97de800..f89ef0392717 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -114,7 +114,8 @@ static constexpr std::uint64_t iamDeleteRolePolicy = 67;
 static constexpr std::uint64_t iamAll = 68;
 static constexpr std::uint64_t stsAssumeRole = 69;
 static constexpr std::uint64_t stsAssumeRoleWithWebIdentity = 70;
-static constexpr std::uint64_t stsAll = 71;
+static constexpr std::uint64_t stsGetSessionToken = 71;
+static constexpr std::uint64_t stsAll = 72;
 static constexpr std::uint64_t s3Count = s3DeleteObjectVersionTagging + 1;
 static constexpr std::uint64_t allCount = stsAll + 1;
@@ -125,9 +126,9 @@ using NotAction_t = Action_t;
 static const Action_t None(0);
 static const Action_t s3AllValue("111111111111111111111111111111111111111111111111111111");
 static const Action_t iamAllValue("11111111111110000000000000000000000000000000000000000000000000000000");
-static const Action_t stsAllValue("11000000000000000000000000000000000000000000000000000000000000000000000");
+static const Action_t stsAllValue("111000000000000000000000000000000000000000000000000000000000000000000000");
 //Modify allValue if more Actions are added
-static const Action_t allValue("111111111111111111111111111111111111111111111111111111111111111111111111");
+static const Action_t allValue("1111111111111111111111111111111111111111111111111111111111111111111111111");
 
 namespace {
 inline int op_to_perm(std::uint64_t op) {
diff --git a/src/rgw/rgw_iam_policy_keywords.gperf b/src/rgw/rgw_iam_policy_keywords.gperf
index 57a732c02fb3..4f6f22a9b73a 100644
--- a/src/rgw/rgw_iam_policy_keywords.gperf
+++ b/src/rgw/rgw_iam_policy_keywords.gperf
@@ -109,6 +109,8 @@ Null, TokenKind::cond_op, TokenID::Null, (uint64_t) Type::null, true, true
 #s3:authType, TokenKind::cond_key, TokenID::s3authType, (uint64_t) Type::string, true, false
 #s3:signatureAge, TokenKind::cond_key, TokenID::s3signatureAge, (uint64_t) Type::number, true, false
 #s3:x-amz-content-sha256, TokenKind::cond_key, TokenID::s3x_amz_content_sha256, (uint64_t) Type::string, true, false
+# STS
+#sts:authentication, TokenKind::cond_key, TokenID::stsauthentication, (uint64_t) Type::boolean, true, false
 #
 # Version Keywords
 #
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 3b12fffa8b6b..75701a8190e5 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
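Review bot: The `stsAllValue` and `allValue` literals encode action bit positions purely by string length, and nothing checks that length against `allCount` (now 73 after the rgw_iam_policy.h hunk that inserts `stsGetSessionToken` before `stsAll`); if `Action_t` is a `std::bitset<allCount>` as the string constructor suggests, a literal that is one character too long or too short is accepted silently and shifts which actions a `sts:*` or `*` wildcard grants, so an authorization mask can fail open or closed with no diagnostic. Giving each literal a name and adding `static_assert(sizeof(kAllValueStr) - 1 == allCount, "allValue must cover every action bit");` (and the same for the s3, iam and sts masks) would turn the next action addition into a compile error instead of a silent mask change. The existing `//Modify allValue if more Actions are added` comment could then point at that assertion. Building the masks from the bounding constants, e.g. the bit range stsAssumeRole..stsGetSessionToken, would remove the hand-maintained strings altogether.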
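Review bot: The new `#sts:authentication, TokenKind::cond_key, ...` entry is commented out: this file uses a leading `#` for comments (the `# Version Keywords` block immediately below), so the generated keyword table will not recognise `sts:authentication` and a policy Condition naming it will not parse, even though rgw_op.cc now populates that key in the environment. If the s3 keys above are deliberately left commented because they are unsupported, the sts line should either be uncommented or carry a comment stating that the key is intentionally not yet exposed. `TokenID::stsauthentication` is not added by this diff, so presumably it is declared elsewhere; worth confirming the enum and this table are updated together.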
@@ -887,6 +887,13 @@ void rgw_build_iam_environment(RGWRados* store,
 // identifier that can persist through name changes?
 s->env.emplace("aws:username", s->user->user_id.id);
 }
+
+ i = m.find("HTTP_X_AMZ_SECURITY_TOKEN");
+ if (i != m.end()) {
+ s->env.emplace("sts:authentication", "true");
+ } else {
+ s->env.emplace("sts:authentication", "false");
+ }
 }
 
 void rgw_bucket_object_pre_exec(struct req_state *s)
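Review bot: `sts:authentication` is set from the mere presence of the `HTTP_X_AMZ_SECURITY_TOKEN` header, which the client controls, and nothing in the hunk shows that the token has already been validated when rgw_build_iam_environment runs; if the auth engines reject a request carrying an invalid token before this point the value is trustworthy, but that ordering is the entire basis of the condition key and should be recorded next to the lookup, e.g. `// Keying on header presence is only sound because requests with an invalid token are rejected by the auth engines before the environment is built.` Deriving the flag from the authenticated identity rather than from the raw header would make it independent of that ordering. SigV4 also permits the token as an `X-Amz-Security-Token` query parameter on presigned requests; it is not visible here whether such values are folded into `m`, and if not those requests would be reported as `"false"`. Minor: the if/else collapses to `s->env.emplace("sts:authentication", i != m.end() ? "true" : "false");`. `i` and `m` are declared earlier in the function, which begins outside the hunk.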