From a60c46ee7564eb24c86c26258478f9db0982abb1 Mon Sep 17 00:00:00 2001 From: Pritha Srivastava Date: Mon, 16 Jul 2018 13:55:42 +0530 Subject: [PATCH] rgw: Changed session token format. Signed-off-by: Pritha Srivastava --- src/rgw/rgw_auth.cc | 20 ++++++++--- src/rgw/rgw_auth.h | 10 ++++++ src/rgw/rgw_auth_filters.h | 8 +++++ src/rgw/rgw_rest_sts.cc | 2 +- src/rgw/rgw_sts.cc | 56 ++++++++++++++++++++++++----- src/rgw/rgw_sts.h | 56 +++++++++++++++++++++++++++-- src/test/rgw/test_rgw_iam_policy.cc | 10 ++++++ 7 files changed, 145 insertions(+), 17 deletions(-) diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index d9c4e64ca86..b15620dc697 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -33,15 +33,18 @@ transform_old_authinfo(const req_state* const s) const rgw_user id; const int perm_mask; const bool is_admin; + const uint32_t type; public: DummyIdentityApplier(CephContext* const cct, const rgw_user& auth_id, const int perm_mask, - const bool is_admin) + const bool is_admin, + const uint32_t type) : cct(cct), id(auth_id), perm_mask(perm_mask), - is_admin(is_admin) { + is_admin(is_admin), + type(type) { } uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override { @@ -75,6 +78,14 @@ transform_old_authinfo(const req_state* const s) return perm_mask; } + uint32_t get_identity_type() const override { + return type; + } + + string get_acct_name() const override { + return {}; + } + void to_str(std::ostream& out) const override { out << "RGWDummyIdentityApplier(auth_id=" << id << ", perm_mask=" << perm_mask @@ -88,7 +99,8 @@ transform_old_authinfo(const req_state* const s) s->perm_mask, /* System user has admin permissions by default - it's supposed to pass * through any security check. */ - s->system_request)); + s->system_request, + s->user->type)); } } /* namespace auth */ @@ -449,7 +461,6 @@ void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const /* Succeeded if we are here (create_account() hasn't throwed). */ } - /* rgw::auth::LocalApplier */ /* static declaration */ const std::string rgw::auth::LocalApplier::NO_SUBUSER; @@ -518,7 +529,6 @@ void rgw::auth::LocalApplier::load_acct_info(RGWUserInfo& user_info) const /* ou user_info = this->user_info; } - rgw::auth::Engine::result_t rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const { diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index bdc0e4c1944..9673087fca1 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -68,6 +68,12 @@ public: /* Verify whether a given identity corresponds to an identity in the provided set */ virtual bool is_identity(const idset_t& ids) const = 0; + + /* Identity Type: RGW/ LDAP/ Keystone */ + virtual uint32_t get_identity_type() const = 0; + + /* Name of Account */ + virtual string get_acct_name() const = 0; }; inline std::ostream& operator<<(std::ostream& out, @@ -422,6 +428,8 @@ public: uint32_t get_perm_mask() const override { return info.perm_mask; } void to_str(std::ostream& out) const override; void load_acct_info(RGWUserInfo& user_info) const override; /* out */ + uint32_t get_identity_type() const override { return info.acct_type; } + string get_acct_name() const override { return info.acct_name; } struct Factory { virtual ~Factory() {} @@ -470,6 +478,8 @@ public: } void to_str(std::ostream& out) const override; void load_acct_info(RGWUserInfo& user_info) const override; /* out */ + uint32_t get_identity_type() const override { return TYPE_RGW; } + string get_acct_name() const override { return {}; } struct Factory { virtual ~Factory() {} diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index 29003040fb7..79f26847e86 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -80,6 +80,14 @@ public: return get_decoratee().get_perm_mask(); } + uint32_t get_identity_type() const override { + return get_decoratee().get_identity_type(); + } + + string get_acct_name() const override { + return get_decoratee().get_acct_name(); + } + bool is_identity( const boost::container::flat_set& ids) const override { return get_decoratee().is_identity(ids); diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index 4d20690d06b..9cfebd3efa6 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -35,7 +35,7 @@ int RGWREST_STS::verify_permission() { - STS::STSService _sts(s->cct, store, s->user->user_id); + STS::STSService _sts(s->cct, store, s->user->user_id, s->auth.identity.get()); sts = std::move(_sts); string rArn = s->info.args.get("RoleArn"); diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index 47995ef143a..78bd5da7653 100644 --- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -16,6 +16,7 @@ #include "include/types.h" #include "rgw_string.h" +#include "rgw_b64.h" #include "rgw_common.h" #include "rgw_tools.h" #include "rgw_role.h" @@ -37,8 +38,10 @@ void Credentials::dump(Formatter *f) const int Credentials::generateCredentials(CephContext* cct, const uint64_t& duration, - const string& policy, - const string& roleId) + const boost::optional& policy, + const boost::optional& roleId, + boost::optional user, + rgw::auth::Identity* identity) { uuid_d accessKey, secretKey; char accessKeyId_str[MAX_ACCESS_KEY_LEN], secretAccessKey_str[MAX_SECRET_KEY_LEN]; @@ -79,12 +82,46 @@ int Credentials::generateCredentials(CephContext* cct, error.clear(); //Storing policy and roleId as part of token, so that they can be extracted // from the token itself for policy evaluation. - string encrypted_str, input_str = "acess_key_id=" + accessKeyId + "&" + - "secret_access_key=" + secretAccessKey + "&" + - "expiration=" + expiration + "&" + "policy=" + policy + "&" - "roleId=" + roleId; + SessionToken token; + //authentication info + token.access_key_id = accessKeyId; + token.secret_access_key = secretAccessKey; + token.expiration = expiration; + + //Authorization info + if (policy) + token.policy = *policy; + else + token.policy = {}; + + if (roleId) + token.roleId = *roleId; + else + token.roleId = {}; + + if (user) + token.user = *user; + else { + rgw_user u({}, {}); + token.user = u; + } + + if (identity) { + token.acct_name = identity->get_acct_name(); + token.perm_mask = identity->get_perm_mask(); + token.is_admin = identity->is_admin_of(token.user); + token.acct_type = identity->get_identity_type(); + } else { + token.acct_name = {}; + token.perm_mask = 0; + token.is_admin = 0; + token.acct_type = TYPE_NONE; + } + + string encrypted_str; buffer::list input, enc_output; - input.append(input_str); + encode(token, input); + if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) { return ret; } @@ -265,7 +302,10 @@ AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req) } //Generate Credentials - if (ret = cred.generateCredentials(cct, req.getDuration(), req.getPolicy(), roleId); ret < 0) { + //Role and Policy provide the authorization info, user id and applier info are not needed + if (ret = cred.generateCredentials(cct, req.getDuration(), + req.getPolicy(), roleId, + boost::none, nullptr); ret < 0) { return make_tuple(ret, user, cred, packedPolicySize); } diff --git a/src/rgw/rgw_sts.h b/src/rgw/rgw_sts.h index 0ee8637d561..344e452cc0d 100644 --- a/src/rgw/rgw_sts.h +++ b/src/rgw/rgw_sts.h @@ -2,6 +2,7 @@ #define CEPH_RGW_STS_H #include "rgw_role.h" +#include "rgw_auth.h" namespace STS { @@ -59,6 +60,52 @@ public: void dump(Formatter *f) const; }; +struct SessionToken { + string access_key_id; + string secret_access_key; + string expiration; + string policy; + string roleId; + rgw_user user; + string acct_name; + uint32_t perm_mask; + bool is_admin; + uint32_t acct_type; + + SessionToken() {} + + void encode(bufferlist& bl) const { + ENCODE_START(1, 1, bl); + encode(access_key_id, bl); + encode(secret_access_key, bl); + encode(expiration, bl); + encode(policy, bl); + encode(roleId, bl); + encode(user, bl); + encode(acct_name, bl); + encode(perm_mask, bl); + encode(is_admin, bl); + encode(acct_type, bl); + ENCODE_FINISH(bl); + } + + void decode(bufferlist::const_iterator& bl) { + DECODE_START(1, bl); + decode(access_key_id, bl); + decode(secret_access_key, bl); + decode(expiration, bl); + decode(policy, bl); + decode(roleId, bl); + decode(user, bl); + decode(acct_name, bl); + decode(perm_mask, bl); + decode(is_admin, bl); + decode(acct_type, bl); + DECODE_FINISH(bl); + } +}; +WRITE_CLASS_ENCODER(SessionToken) + class Credentials { static constexpr int MAX_ACCESS_KEY_LEN = 20; static constexpr int MAX_SECRET_KEY_LEN = 40; @@ -69,8 +116,10 @@ class Credentials { public: int generateCredentials(CephContext* cct, const uint64_t& duration, - const string& policy, - const string& roleId); + const boost::optional& policy, + const boost::optional& roleId, + boost::optional user, + rgw::auth::Identity* identity); const string& getAccessKeyId() const { return accessKeyId; } const string& getExpiration() const { return expiration; } const string& getSecretAccessKey() const { return secretAccessKey; } @@ -86,10 +135,11 @@ class STSService { RGWRados *store; rgw_user user_id; RGWRole role; + rgw::auth::Identity* identity; int storeARN(string& arn); public: STSService() = default; - STSService(CephContext* _cct, RGWRados *_store, rgw_user _user_id) : cct(_cct), store(_store), user_id(_user_id) {} + STSService(CephContext* cct, RGWRados *store, rgw_user user_id, rgw::auth::Identity* identity) : cct(cct), store(store), user_id(user_id), identity(identity) {} std::tuple getRoleInfo(const string& arn); AssumeRoleResponse assumeRole(AssumeRoleRequest& req); }; diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index 6717f3f20f4..9b3db3f43cd 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -110,6 +110,16 @@ public: return 0; } + uint32_t get_identity_type() const override { + abort(); + return 0; + } + + string get_acct_name() const override { + abort(); + return 0; + } + void to_str(std::ostream& out) const override { out << id; } -- 2.39.5