From: Pritha Srivastava Date: Wed, 16 May 2018 05:19:24 +0000 (+0530) Subject: rgw: Added code to store arn and policy passed as part of assume role. X-Git-Tag: v14.0.1~113^2~20 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a541391c9de8735ff92d188b591b488cf91410ef;p=ceph.git rgw: Added code to store arn and policy passed as part of assume role. Signed-off-by: Pritha Srivastava --- diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 795423dd5b5..b6102112a1e 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -653,6 +653,7 @@ struct RGWUserInfo RGWQuotaInfo user_quota; uint32_t type; set mfa_ids; + string assumed_role_arn; RGWUserInfo() : suspended(0), @@ -671,7 +672,7 @@ struct RGWUserInfo } void encode(bufferlist& bl) const { - ENCODE_START(20, 9, bl); + ENCODE_START(21, 9, bl); encode((uint64_t)0, bl); // old auid string access_key; string secret_key; @@ -713,6 +714,7 @@ struct RGWUserInfo encode(admin, bl); encode(type, bl); encode(mfa_ids, bl); + encode(assumed_role_arn, bl); ENCODE_FINISH(bl); } void decode(bufferlist::const_iterator& bl) { @@ -794,6 +796,9 @@ struct RGWUserInfo if (struct_v >= 20) { decode(mfa_ids, bl); } + if (struct_v >= 21) { + decode(assumed_role_arn, bl); + } DECODE_FINISH(bl); } void dump(Formatter *f) const; diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index a790478e44e..a737a633718 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -35,7 +35,7 @@ int RGWREST_STS::verify_permission() { - STS::STSService _sts(s->cct, store); + STS::STSService _sts(s->cct, store, s->user->user_id); sts = std::move(_sts); string rArn = s->info.args.get("RoleArn"); diff --git a/src/rgw/sts-assume-role.cc b/src/rgw/sts-assume-role.cc index fe848cc3a3f..0c4c5b0bda9 100644 --- a/src/rgw/sts-assume-role.cc +++ b/src/rgw/sts-assume-role.cc 
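Review bot: `assumed_role_arn` is added to `encode()`/`decode()` with the struct version bumped to 21, but `dump(Formatter *f)`, declared right below the decode hunk, is not touched and its JSON-decoder counterpart is outside this patch, so unless another commit covers it the new field will not appear in the user's JSON representation and will be dropped on any JSON-based export/re-import of the user record. Mirror the field in `dump()` and in the JSON decoder in the same change that persists it. The member is also a per-request value written onto a durable record, so a comment on the declaration stating its lifetime would help, e.g. `string assumed_role_arn; // last ARN assumed via STS AssumeRole; overwritten on every call`. The decode gate `if (struct_v >= 21)` is correct and matches the bumped `ENCODE_START(21, 9, bl)`.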
@@ -18,6 +18,8 @@ #include "rgw_common.h" #include "rgw_tools.h" #include "rgw_role.h" +#include "rgw_user.h" +#include "rgw_iam_policy.h" #include "sts-assume-role.h" #define dout_subsys ceph_subsys_rgw @@ -225,6 +227,47 @@ std::tuple STSService::getRoleInfo(const string& arn) } } +int STSService::_storeARNandPolicy(string& policy, string& arn) +{ + int ret = 0; + RGWUserInfo info; + if (ret = rgw_get_user_info_by_uid(store, user_id, info); ret < 0) { + return -ERR_NO_SUCH_ENTITY; + } + + info.assumed_role_arn = arn; + + map uattrs; + if (ret = rgw_get_user_attrs_by_uid(store, user_id, uattrs); ret == -ENOENT) { + return -ERR_NO_SUCH_ENTITY; + } + if (! policy.empty()) { + bufferlist bl = bufferlist::static_from_string(policy); + ldout(cct, 20) << "bufferlist policy: " << bl.c_str() << dendl; + try { + const rgw::IAM::Policy p(cct, user_id.tenant, bl); + map policies; + if (auto it = uattrs.find(RGW_ATTR_USER_POLICY); it != uattrs.end()) { + bufferlist out_bl = uattrs[RGW_ATTR_USER_POLICY]; + decode(policies, out_bl); + } + bufferlist in_bl; + policies["assumerolepolicy"] = policy; + encode(policies, in_bl); + uattrs[RGW_ATTR_USER_POLICY] = in_bl; + } catch (rgw::IAM::PolicyParseException& e) { + ldout(cct, 20) << "failed to parse policy: " << e.what() << dendl; + return -ERR_MALFORMED_DOC; + } + } + RGWObjVersionTracker objv_tracker; + if (rgw_store_user_info(store, info, &info, &objv_tracker, real_time(), + false, &uattrs); ret < 0) { + return -ERR_INTERNAL_ERROR; + } + return ret; +} + AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req) { uint64_t packedPolicySize = 0, roleMaxSessionDuration = 0; 
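Review bot: The return value of `rgw_store_user_info` is discarded at the end of `_storeARNandPolicy`: the init-statement `if (rgw_store_user_info(store, info, &info, &objv_tracker, real_time(), false, &uattrs); ret < 0)` never assigns to `ret`, so the condition tests the stale value left by `rgw_get_user_attrs_by_uid` and a failed write of the user record is reported to the STS caller as success. Because that earlier call is only checked for `-ENOENT`, any other negative code from it is likewise carried through and then misreported as `-ERR_INTERNAL_ERROR`. Separately, when `policy` is empty the whole branch is skipped, so an `assumerolepolicy` left on this user by a previous AssumeRole call is neither parsed nor removed and silently applies to the new session. The record is also rewritten with a freshly constructed `RGWObjVersionTracker` after a read that did not populate one, so this read-modify-write of `RGW_ATTR_USER_POLICY` has no concurrency guard and a concurrent user-policy change on the same user can be lost; whether that is acceptable depends on how the stored policy is consumed, which this patch does not show. The rewrite below assigns the store result to `ret` and always reconciles the stored session policy; the rest of the function is unchanged.
```cpp
// … unchanged: user lookup, info.assumed_role_arn = arn, attrs lookup …
  map<string, string> policies;
  auto pit = uattrs.find(RGW_ATTR_USER_POLICY);
  if (pit != uattrs.end()) {
    bufferlist out_bl = pit->second;
    decode(policies, out_bl);
  }
  if (policy.empty()) {
    // a session started without a policy must not inherit the previous one
    policies.erase("assumerolepolicy");
  } else {
    // … unchanged: parse with rgw::IAM::Policy, -ERR_MALFORMED_DOC on PolicyParseException …
    policies["assumerolepolicy"] = policy;
  }
  if (pit != uattrs.end() || !policy.empty()) {
    bufferlist in_bl;
    encode(policies, in_bl);
    uattrs[RGW_ATTR_USER_POLICY] = in_bl;
  }
  RGWObjVersionTracker objv_tracker;
  if (ret = rgw_store_user_info(store, info, &info, &objv_tracker, real_time(),
                                false, &uattrs); ret < 0) {
    return -ERR_INTERNAL_ERROR;
  }
  return ret;
```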
@@ -262,6 +305,12 @@ AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req) return make_tuple(ret, user, cred, packedPolicySize); } + //Save ARN and Policy with the user + string arn = user.getARN(); + if (ret = _storeARNandPolicy(policy, arn); ret < 0) { + return make_tuple(ret, user, cred, packedPolicySize); + } + return make_tuple(0, user, cred, packedPolicySize); } diff --git a/src/rgw/sts-assume-role.h b/src/rgw/sts-assume-role.h index 49620e62326..4f4237ea178 100644 --- a/src/rgw/sts-assume-role.h +++ b/src/rgw/sts-assume-role.h @@ -80,10 +80,12 @@ using AssumeRoleResponse = std::tuple getRoleInfo(const string& arn); AssumeRoleResponse assumeRole(AssumeRoleRequest& req); };
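Review bot: `_storeARNandPolicy(string& policy, string& arn)` takes both arguments by non-const reference, which is why this hunk has to materialise `string arn = user.getARN();` as a mutable local before the call even though neither argument is modified; declaring the parameters `const string&` lets the call become `if (ret = _storeARNandPolicy(policy, user.getARN()); ret < 0)` with no temporary. The persistence step is also placed after the point where `cred` is already available in the returned tuple, so on a store failure the request is rejected only because the caller honours `ret`; a short comment stating that the ARN/policy write is the last step and must not be moved before the earlier validation would make that ordering deliberate. The body of `assumeRole` begins outside this hunk, and the accompanying header hunk for `sts-assume-role.h` is too garbled here to review.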