From: Pritha Srivastava Date: Fri, 3 Jul 2020 15:21:03 +0000 (+0530) Subject: rgw/sts: adding error log messages to STS code. X-Git-Tag: v17.0.0~1116^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F35924%2Fhead;p=ceph.git rgw/sts: adding error log messages to STS code. Signed-off-by: Pritha Srivastava --- diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index 0e5c7b76d92d1..90fff490c6044 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -151,12 +151,14 @@ WebTokenEngine::get_from_jwt(const DoutPrefixProvider* dpp, const std::string& t string role_arn = s->info.args.get("RoleArn"); auto provider = get_provider(role_arn, t.iss); if (! provider) { + ldpp_dout(dpp, 0) << "Couldn't get oidc provider info using input iss" << t.iss << dendl; throw -EACCES; } vector client_ids = provider->get_client_ids(); vector thumbprints = provider->get_thumbprints(); if (! client_ids.empty()) { if (! is_client_id_valid(client_ids, t.client_id) && ! is_client_id_valid(client_ids, t.aud)) { + ldpp_dout(dpp, 0) << "Client id in token doesn't match with that registered with oidc provider" << dendl; throw -EACCES; } } @@ -230,6 +232,7 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec found_valid_cert = true; } if (! found_valid_cert) { + ldpp_dout(dpp, 0) << "Cert doesn't match that with the thumbprints registered with oidc provider: " << cert.c_str() << dendl; throw -EINVAL; } try { @@ -331,6 +334,7 @@ WebTokenEngine::authenticate( const DoutPrefixProvider* dpp, if (t) { string role_session = s->info.args.get("RoleSessionName"); if (role_session.empty()) { + ldout(s->cct, 0) << "Role Session Name is empty " << dendl; return result_t::deny(-EACCES); } auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, *t); 
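Review bot: The new log line in WebTokenEngine::get_from_jwt runs the fixed text straight into the issuer, so the output reads `...using input iss https://...`; it needs a separator: `ldpp_dout(dpp, 0) << "Couldn't get oidc provider info using input iss: " << t.iss << dendl;`. `t.iss` appears to come from the decoded token before any provider has been matched, which means this level-0 line is reachable from unauthenticated requests carrying an arbitrary issuer string, so a higher debug level (or some rate limiting) is worth considering to keep the log from being filled on demand. get_from_jwt starts before the hunk and continues after it.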
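Review bot: The failure log added to WebTokenEngine::validate_signature writes the whole certificate (`cert.c_str()`) at level 0 every time no registered thumbprint matches, a condition any caller can trigger by presenting a token for a provider whose thumbprints do not cover that certificate; one PEM blob per rejected request is a lot of level-0 volume for attacker-controlled input. Logging the thumbprint values that were compared, or moving the certificate dump to a debug level such as `ldpp_dout(dpp, 20)`, keeps the diagnostic without the flooding. Where `cert` comes from and the thumbprint loop are outside the hunk, so this is inferred from the context lines; validate_signature starts before the hunk.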
@@ -349,6 +353,7 @@ int RGWREST_STS::verify_permission() string rArn = s->info.args.get("RoleArn"); const auto& [ret, role] = sts.getRoleInfo(rArn); if (ret < 0) { + ldout(s->cct, 0) << "failed to get role info using role arn: " << rArn << dendl; return ret; } string policy = role.get_assume_role_policy(); @@ -362,14 +367,16 @@ int RGWREST_STS::verify_permission() // If yes, then return 0, else -EPERM auto p_res = p.eval_principal(s->env, *s->auth.identity); if (p_res == rgw::IAM::Effect::Deny) { + ldout(s->cct, 0) << "evaluating principal returned deny" << dendl; return -EPERM; } auto c_res = p.eval_conditions(s->env); if (c_res == rgw::IAM::Effect::Deny) { + ldout(s->cct, 0) << "evaluating condition returned deny" << dendl; return -EPERM; } } catch (rgw::IAM::PolicyParseException& e) { - ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl; + ldout(s->cct, 0) << "failed to parse policy: " << e.what() << dendl; return -EPERM; } @@ -393,6 +400,7 @@ int RGWSTSGetSessionToken::verify_permission() s, rgw::ARN(partition, service, "", s->user->get_tenant(), ""), rgw::IAM::stsGetSessionToken)) { + ldout(s->cct, 0) << "User does not have permssion to perform GetSessionToken" << dendl; return -EACCES; } @@ -409,11 +417,13 @@ int RGWSTSGetSessionToken::get_params() string err; uint64_t duration_in_secs = strict_strtoll(duration.c_str(), 10, &err); if (!err.empty()) { + ldout(s->cct, 0) << "Invalid value of input duration: " << duration << dendl; return -EINVAL; } if (duration_in_secs < STS::GetSessionTokenRequest::getMinDuration() || duration_in_secs > s->cct->_conf->rgw_sts_max_session_duration) + ldout(s->cct, 0) << "Invalid duration in secs: " << duration_in_secs << dendl; return -EINVAL; } 
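Review bot: The log line added to RGWSTSGetSessionToken::get_params after the duration range check breaks the control flow: that `if (duration_in_secs < ... || duration_in_secs > ...)` has no braces, so the new `ldout` becomes its only body and the following `return -EINVAL;` now runs unconditionally, rejecting every request that reaches this point with a valid duration. Wrap both statements: `if (duration_in_secs < STS::GetSessionTokenRequest::getMinDuration() || duration_in_secs > s->cct->_conf->rgw_sts_max_session_duration) {`, then the `ldout(...)` line, then `return -EINVAL; }`. A test that calls GetSessionToken with an in-range DurationSeconds would catch this regression. get_params starts before the hunk.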
@@ -455,7 +465,7 @@ int RGWSTSAssumeRoleWithWebIdentity::get_params() aud = s->info.args.get("aud"); if (roleArn.empty() || roleSessionName.empty() || sub.empty() || aud.empty()) { - ldout(s->cct, 20) << "ERROR: one of role arn or role session name or token is empty" << dendl; + ldout(s->cct, 0) << "ERROR: one of role arn or role session name or token is empty" << dendl; return -EINVAL; } @@ -479,7 +489,7 @@ void RGWSTSAssumeRoleWithWebIdentity::execute() return; } - STS::AssumeRoleWithWebIdentityRequest req(duration, providerId, policy, roleArn, + STS::AssumeRoleWithWebIdentityRequest req(s->cct, duration, providerId, policy, roleArn, roleSessionName, iss, sub, aud); STS::AssumeRoleWithWebIdentityResponse response = sts.assumeRoleWithWebIdentity(req); op_ret = std::move(response.assumeRoleResp.retCode); @@ -514,7 +524,7 @@ int RGWSTSAssumeRole::get_params() tokenCode = s->info.args.get("TokenCode"); if (roleArn.empty() || roleSessionName.empty()) { - ldout(s->cct, 20) << "ERROR: one of role arn or role session name is empty" << dendl; + ldout(s->cct, 0) << "ERROR: one of role arn or role session name is empty" << dendl; return -EINVAL; } @@ -524,7 +534,7 @@ int RGWSTSAssumeRole::get_params() const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), bl); } catch (rgw::IAM::PolicyParseException& e) { - ldout(s->cct, 20) << "failed to parse policy: " << e.what() << "policy" << policy << dendl; + ldout(s->cct, 0) << "failed to parse policy: " << e.what() << "policy" << policy << dendl; return -ERR_MALFORMED_DOC; } } @@ -538,7 +548,7 @@ void RGWSTSAssumeRole::execute() return; } - STS::AssumeRoleRequest req(duration, externalId, policy, roleArn, + STS::AssumeRoleRequest req(s->cct, duration, externalId, policy, roleArn, roleSessionName, serialNumber, tokenCode); STS::AssumeRoleResponse response = sts.assumeRole(req); op_ret = std::move(response.retCode); diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index 2415f59fac3f4..f2953a17f84de 100644 
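Review bot: The message promoted to level 0 in RGWSTSAssumeRoleWithWebIdentity::get_params does not describe its condition: the check rejects an empty `roleArn`, `roleSessionName`, `sub` or `aud`, and the context line shows `aud` being read from the request arguments, yet the text says "token is empty". Naming the fields actually tested keeps a level-0 line actionable, e.g. `ldout(s->cct, 0) << "ERROR: one of RoleArn, RoleSessionName, sub or aud is empty" << dendl;`. get_params begins before the hunk.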
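Review bot: In RGWSTSAssumeRole::get_params the parse-failure line now at level 0 concatenates `e.what()`, the literal `"policy"` and the whole policy document with no separators, so it is hard to read, and because the policy is caller-supplied every malformed-policy request from an authenticated caller dumps that document into the log at the lowest level. Suggest keeping only the parser error at level 0, `ldout(s->cct, 0) << "failed to parse policy: " << e.what() << dendl;`, and printing the document on its own debug line, `ldout(s->cct, 20) << "policy: " << policy << dendl;`. The size bound on `policy` (MAX_POLICY_SIZE in validate_input) is applied elsewhere, so whether it holds at this point cannot be confirmed from the hunk; the enclosing function starts before it.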
--- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -68,18 +68,20 @@ int Credentials::generateCredentials(CephContext* cct, //Session Token - Encrypt using AES auto* cryptohandler = cct->get_crypto_handler(CEPH_CRYPTO_AES); if (! cryptohandler) { + ldout(cct, 0) << "ERROR: No AES cryto handler found !" << dendl; return -EINVAL; } string secret_s = cct->_conf->rgw_sts_key; buffer::ptr secret(secret_s.c_str(), secret_s.length()); int ret = 0; if (ret = cryptohandler->validate_secret(secret); ret < 0) { - ldout(cct, 0) << "ERROR: Invalid secret key" << dendl; + ldout(cct, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl; return ret; } string error; auto* keyhandler = cryptohandler->get_key_handler(secret, error); if (! keyhandler) { + ldout(cct, 0) << "ERROR: No Key handler found !" << dendl; return -EINVAL; } error.clear(); @@ -130,6 +132,7 @@ int Credentials::generateCredentials(CephContext* cct, encode(token, input); if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) { + ldout(cct, 0) << "ERROR: Encrypting session token returned an error !" << dendl; return ret; } @@ -169,11 +172,12 @@ int AssumedRoleUser::generateAssumedRoleUser(CephContext* cct, return 0; } -AssumeRoleRequestBase::AssumeRoleRequestBase( const string& duration, +AssumeRoleRequestBase::AssumeRoleRequestBase( CephContext* cct, + const string& duration, const string& iamPolicy, const string& roleArn, const string& roleSessionName) - : iamPolicy(iamPolicy), roleArn(roleArn), roleSessionName(roleSessionName) + : cct(cct), iamPolicy(iamPolicy), roleArn(roleArn), roleSessionName(roleSessionName) { if (duration.empty()) { this->duration = DEFAULT_DURATION_IN_SECS; 
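Review bot: The new "No Key handler found" line in Credentials::generateCredentials discards the reason that `get_key_handler(secret, error)` has just written into `error`, which is the one detail an operator needs to fix the key; include it: `ldout(cct, 0) << "ERROR: No Key handler found: " << error << dendl;`. Two smaller points on the same hunk: "cryto" in the AES handler message should read "crypto", and "please ensure its length is 16" restates a rule of `validate_secret` that lives outside this hunk, so confirm whether the requirement is exactly 16 bytes or at least 16 before hard-coding the number in the message. generateCredentials starts before the hunk and continues after it.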
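Review bot: The encrypt-failure log added after `keyhandler->encrypt(input, enc_output, &error)` ignores `error`, which that call presumably fills on failure, and also drops `ret`; `ldout(cct, 0) << "ERROR: Encrypting session token failed: " << error << " (ret=" << ret << ")" << dendl;` is both shorter and more useful. The function starts and ends outside the hunk.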
@@ -185,31 +189,37 @@ AssumeRoleRequestBase::AssumeRoleRequestBase( const string& duration, int AssumeRoleRequestBase::validate_input() const { if (!err_msg.empty()) { + ldout(cct, 0) << "ERROR: error message is empty !" << dendl; return -EINVAL; } if (duration < MIN_DURATION_IN_SECS || duration > MAX_DURATION_IN_SECS) { + ldout(cct, 0) << "ERROR: Incorrect value of duration: " << duration << dendl; return -EINVAL; } if (! iamPolicy.empty() && (iamPolicy.size() < MIN_POLICY_SIZE || iamPolicy.size() > MAX_POLICY_SIZE)) { + ldout(cct, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl; return -ERR_PACKED_POLICY_TOO_LARGE; } if (! roleArn.empty() && (roleArn.size() < MIN_ROLE_ARN_SIZE || roleArn.size() > MAX_ROLE_ARN_SIZE)) { + ldout(cct, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl; return -EINVAL; } if (! roleSessionName.empty()) { if (roleSessionName.size() < MIN_ROLE_SESSION_SIZE || roleSessionName.size() > MAX_ROLE_SESSION_SIZE) { + ldout(cct, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl; return -EINVAL; } std::regex regex_roleSession("[A-Za-z0-9_=,.@-]+"); if (! std::regex_match(roleSessionName, regex_roleSession)) { + ldout(cct, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl; return -EINVAL; } } @@ -222,6 +232,7 @@ int AssumeRoleWithWebIdentityRequest::validate_input() const if (! providerId.empty()) { if (providerId.length() < MIN_PROVIDER_ID_LEN || providerId.length() > MAX_PROVIDER_ID_LEN) { + ldout(cct, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl; return -EINVAL; } } 
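Review bot: The first log line added to AssumeRoleRequestBase::validate_input says the error message is empty, but the branch is entered when `err_msg` is *not* empty, so the text is inverted and the reason stored in `err_msg` is never printed; use `ldout(cct, 0) << "ERROR: " << err_msg << dendl;`. The role-session-name message has the mirror problem: it sits inside `if (! roleSessionName.empty())`, so "role session name is empty" can never be the case there, and the same "Either ... is empty or ..." wording is repeated for providerId in the next hunk and for externalId and serialNumber later. Note also that the regex-failure line echoes the raw `roleSessionName` at level 0 after it has been shown to contain characters outside `[A-Za-z0-9_=,.@-]`; the preceding size check bounds it to 64 bytes, but newlines and control bytes still reach the log, so escaping it before printing is worth considering. validate_input starts before the hunk.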
@@ -233,25 +244,30 @@ int AssumeRoleRequest::validate_input() const if (! externalId.empty()) { if (externalId.length() < MIN_EXTERNAL_ID_LEN || externalId.length() > MAX_EXTERNAL_ID_LEN) { + ldout(cct, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl; return -EINVAL; } std::regex regex_externalId("[A-Za-z0-9_=,.@:/-]+"); if (! std::regex_match(externalId, regex_externalId)) { + ldout(cct, 0) << "ERROR: Invalid external Id: " << externalId << dendl; return -EINVAL; } } if (! serialNumber.empty()){ if (serialNumber.size() < MIN_SERIAL_NUMBER_SIZE || serialNumber.size() > MAX_SERIAL_NUMBER_SIZE) { + ldout(cct, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl; return -EINVAL; } std::regex regex_serialNumber("[A-Za-z0-9_=/:,.@-]+"); if (! std::regex_match(serialNumber, regex_serialNumber)) { + ldout(cct, 0) << "Incorrect serial number: " << serialNumber << dendl; return -EINVAL; } } if (! tokenCode.empty() && tokenCode.size() == TOKEN_CODE_SIZE) { + ldout(cct, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl; return -EINVAL; } @@ -266,6 +282,7 @@ std::tuple STSService::getRoleInfo(const string& arn) RGWRole role(cct, store->getRados()->pctl, roleName, r_arn->account); if (int ret = role.get(); ret < 0) { if (ret == -ENOENT) { + ldout(cct, 0) << "Role doesn't exist: " << roleName << dendl; ret = -ERR_NO_ROLE_FOUND; } return make_tuple(ret, this->role); @@ -274,6 +291,7 @@ std::tuple STSService::getRoleInfo(const string& arn) return make_tuple(0, this->role); } } else { + ldout(cct, 0) << "Invalid role arn: " << arn << dendl; return make_tuple(-EINVAL, this->role); } } 
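Review bot: The new tokenCode message in AssumeRoleRequest::validate_input reports an invalid size, but the condition it sits under is `tokenCode.size() == TOKEN_CODE_SIZE`, so the request is rejected and this line logged exactly when the code has the expected length; the comparison is pre-existing context, but the new wording makes the contradiction explicit and points an operator the wrong way. The condition should almost certainly be `if (! tokenCode.empty() && tokenCode.size() != TOKEN_CODE_SIZE) {`. This hunk also echoes `externalId` and `serialNumber` verbatim at level 0 after their regex checks fail, the same raw-input logging as the role session name, so the same escaping caveat applies. The function starts before the hunk.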
@@ -315,6 +333,7 @@ AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRo //Get the role info which is being assumed boost::optional r_arn = rgw::ARN::parse(req.getRoleARN()); if (r_arn == boost::none) { + ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl; response.assumeRoleResp.retCode = -EINVAL; return response; } @@ -366,6 +385,7 @@ AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req) //Get the role info which is being assumed boost::optional r_arn = rgw::ARN::parse(req.getRoleARN()); if (r_arn == boost::none) { + ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl; response.retCode = -EINVAL; return response; } diff --git a/src/rgw/rgw_sts.h b/src/rgw/rgw_sts.h index 37519210efbaf..e283e18a02296 100644 --- a/src/rgw/rgw_sts.h +++ b/src/rgw/rgw_sts.h @@ -21,13 +21,15 @@ protected: static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2; static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64; uint64_t MAX_DURATION_IN_SECS; + CephContext* cct; uint64_t duration; string err_msg; string iamPolicy; string roleArn; string roleSessionName; public: - AssumeRoleRequestBase(const string& duration, + AssumeRoleRequestBase(CephContext* cct, + const string& duration, const string& iamPolicy, const string& roleArn, const string& roleSessionName); @@ -49,7 +51,8 @@ class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase { string sub; string aud; public: - AssumeRoleWithWebIdentityRequest( const string& duration, + AssumeRoleWithWebIdentityRequest( CephContext* cct, + const string& duration, const string& providerId, const string& iamPolicy, const string& roleArn, 
@@ -57,7 +60,7 @@ public: const string& iss, const string& sub, const string& aud) - : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName), + : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName), providerId(providerId), iss(iss), sub(sub), aud(aud) {} const string& getProviderId() const { return providerId; } const string& getIss() const { return iss; } @@ -76,14 +79,15 @@ class AssumeRoleRequest : public AssumeRoleRequestBase { string serialNumber; string tokenCode; public: - AssumeRoleRequest(const string& duration, + AssumeRoleRequest(CephContext* cct, + const string& duration, const string& externalId, const string& iamPolicy, const string& roleArn, const string& roleSessionName, const string& serialNumber, const string& tokenCode) - : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName), + : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName), externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){} int validate_input() const; };