From bb043894df0ed96e89b966fd792eaff7c0ca05bb Mon Sep 17 00:00:00 2001
From: Pritha Srivastava
Date: Thu, 3 May 2018 15:02:09 +0530
Subject: [PATCH] rgw: Added code to determine token expiration time using role.

Signed-off-by: Pritha Srivastava
---
 src/rgw/sts-assume-role.cc | 54 ++++++++++++++++++++++++--------------
 src/rgw/sts-assume-role.h | 27 +++++++++++--------
 2 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/src/rgw/sts-assume-role.cc b/src/rgw/sts-assume-role.cc
index 5fd09755d52..69b8b40d10a 100644
--- a/src/rgw/sts-assume-role.cc
+++ b/src/rgw/sts-assume-role.cc
@@ -32,7 +32,7 @@ void Credentials::dump(Formatter *f) const
 encode_json("SessionToken", sessionToken , f);
 }
-int Credentials::generateCredentials(CephContext* cct)
+int Credentials::generateCredentials(CephContext* cct, const uint64_t& duration)
 {
 uuid_d accessKey, secretKey;
 char accessKeyId_str[MAX_ACCESS_KEY_LEN], secretAccessKey_str[MAX_ACCESS_KEY_LEN];
@@ -52,7 +52,7 @@ int Credentials::generateCredentials(CephContext* cct)
 struct timeval tv;
 real_clock::to_timeval(t, tv);
- tv.tv_sec += EXPIRATION_TIME_IN_SECS;
+ tv.tv_sec += duration;
 struct tm result;
 gmtime_r(&tv.tv_sec, &result);
@@ -143,9 +143,9 @@ int AssumedRoleUser::generateAssumedRoleUser(CephContext* cct,
 return 0;
 }
-AssumeRoleRequest::AssumeRoleRequest(string _duration, string _externalId, string _iamPolicy,
- string _roleArn, string _roleSessionName, string _serialNumber,
- string _tokenCode)
+AssumeRoleRequest::AssumeRoleRequest(string& _duration, string& _externalId, string& _iamPolicy,
+ string& _roleArn, string& _roleSessionName, string& _serialNumber,
+ string& _tokenCode)
 : externalId(_externalId), iamPolicy(_iamPolicy), roleArn(_roleArn),
 roleSessionName(_roleSessionName), serialNumber(_serialNumber), tokenCode(_tokenCode)
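Review bot: `tv.tv_sec += duration;` in the @@ -52,7 hunk adds a `uint64_t` to the signed `time_t` field, so the sum is computed in unsigned arithmetic and an oversized `duration` wraps into a negative or far-future `tv_sec` that `gmtime_r` then turns into a meaningless expiry string; the only thing keeping the value in range is that `assumeRole` happens to call `validate_input()` before `generateCredentials`, and nothing in `generateCredentials` itself enforces that. State or enforce the precondition at the addition, e.g. the comment `// duration is in seconds and must already be bounded by AssumeRoleRequest::validate_input()`, or a local guard `if (duration > static_cast<uint64_t>(std::numeric_limits<time_t>::max() - tv.tv_sec)) return -EINVAL;` so a future caller cannot mint credentials with a wrapped expiry. The parameter is introduced by the @@ -32,7 signature hunk and by the header hunk at @@ -56,13; `generateCredentials` continues outside all of them, so where `t` comes from is not visible here.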
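Review bot: In the @@ -143,9 hunk the constructor parameters change from `string` by value to non-const `string&`, but the initializer list only copies them into the members, so the references never need to be mutable and the new signature rejects temporaries and literals at the call site (a caller passing the result of a function call directly no longer compiles). `const string& _duration, const string& _externalId, ...` keeps the pass-by-reference without narrowing what callers may pass; the declaration in the header hunk at @@ -25,17 needs the matching change. The constructor body, where `_duration` is presumably converted into the `uint64_t duration` member, continues outside the hunk.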
@@ -159,7 +159,8 @@ AssumeRoleRequest::AssumeRoleRequest(string _duration, string _externalId, strin int AssumeRoleRequest::validate_input() const { - if (duration < MIN_DURATION_IN_SECS) { + if (duration < MIN_DURATION_IN_SECS || + duration > MAX_DURATION_IN_SECS) { return -EINVAL; } 
@@ -211,29 +212,44 @@ int AssumeRoleRequest::validate_input() const
 return 0;
 }
-AssumeRoleResponse STSService::assumeRole(const AssumeRoleRequest& req)
+std::tuple, RGWRole> STSService::_getRoleInfo(const string& arn)
 {
- int ret = 0;
- uint64_t packedPolicySize = 0;
+ if (auto r_arn = rgw::IAM::ARN::parse(arn); r_arn) {
+ auto pos = r_arn->resource.find_last_of('/');
+ string roleName = r_arn->resource.substr(pos + 1);
+ RGWRole role(cct, store, roleName, r_arn->account);
+ if (int ret = role.get(); ret < 0) {
+ return make_tuple(ret, r_arn, role);
+ } else {
+ return make_tuple(0, r_arn, role);
+ }
+ } else {
+ RGWRole dummyRole;
+ return make_tuple(-EINVAL, r_arn, dummyRole);
+ }
+}
+
+AssumeRoleResponse STSService::assumeRole(AssumeRoleRequest& req)
+{
+ uint64_t packedPolicySize = 0, roleMaxSessionDuration = 0;
 AssumedRoleUser user;
 Credentials cred;
 string roleId;
 //Get the role info which is being assumed
- auto r_arn = rgw::IAM::ARN::parse(req.getRoleARN());
+ const auto& [ret_val, r_arn, role] = _getRoleInfo(req.getRoleARN());
+ if (ret_val < 0) {
+ return make_tuple(ret_val, user, cred, packedPolicySize);
+ }
+
 if (r_arn) {
- auto pos = r_arn->resource.find_last_of('/');
- string roleName = r_arn->resource.substr(pos + 1);
- RGWRole role(cct, store, roleName, r_arn->account);
- if (ret = role.get(); ret < 0) {
- return make_tuple(ret, user, cred, packedPolicySize);
- }
 roleId = role.get_id();
- } else {
- return make_tuple(-EINVAL, user, cred, packedPolicySize);
+ roleMaxSessionDuration = role.get_max_session_duration();
+ req.setMaxDuration(roleMaxSessionDuration);
 }
 //Validate input
+ int ret = 0;
 if (ret = req.validate_input(); ret < 0) {
 return make_tuple(ret, user, cred, packedPolicySize);
 }
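Review bot: After the `ret_val < 0` early return, `r_arn` is always engaged, because `_getRoleInfo` only returns a non-negative code from the branch in which `rgw::IAM::ARN::parse` succeeded and returns `-EINVAL` otherwise, so the following `if (r_arn)` guard can never be false; left in place it reads as though there were a path on which `validate_input()` runs without `setMaxDuration()` having been called. Drop the guard and the `roleMaxSessionDuration` temporary and keep the two statements adjacent, `roleId = role.get_id();` followed by `req.setMaxDuration(role.get_max_session_duration());`, so the ordering the later `validate_input()` call depends on is visible at a glance. In `_getRoleInfo` both arms of `if (int ret = role.get(); ret < 0)` build the same tuple; `return make_tuple(std::min(ret, 0), r_arn, role);` says the same in one line. `assumeRole` continues past the end of the hunk.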
@@ -248,7 +264,7 @@ AssumeRoleResponse STSService::assumeRole(const AssumeRoleRequest& req)
 }
 //Generate Credentials
- if (ret = cred.generateCredentials(cct); ret < 0) {
+ if (ret = cred.generateCredentials(cct, req.getDuration()); ret < 0) {
 return make_tuple(ret, user, cred, packedPolicySize);
 }
diff --git a/src/rgw/sts-assume-role.h b/src/rgw/sts-assume-role.h
index f560e2ad0e1..138a4513f4f 100644
--- a/src/rgw/sts-assume-role.h
+++ b/src/rgw/sts-assume-role.h
@@ -1,6 +1,8 @@
 #ifndef CEPH_STS_ASSUME_ROLE_H
 #define CEPH_STS_ASSUME_ROLE_H
+#include "rgw_role.h"
+
 namespace STS {
 class AssumeRoleRequest {
@@ -17,6 +19,7 @@ class AssumeRoleRequest {
 static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
 static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
 static constexpr uint64_t TOKEN_CODE_SIZE = 6;
+ uint64_t MAX_DURATION_IN_SECS;
 uint64_t duration;
 string externalId;
 string iamPolicy;
@@ -25,17 +28,19 @@ class AssumeRoleRequest {
 string serialNumber;
 string tokenCode;
 public:
- AssumeRoleRequest( string _duration,
- string _externalId,
- string _iamPolicy,
- string _roleArn,
- string _roleSessionName,
- string _serialNumber,
- string _tokenCode);
+ AssumeRoleRequest( string& _duration,
+ string& _externalId,
+ string& _iamPolicy,
+ string& _roleArn,
+ string& _roleSessionName,
+ string& _serialNumber,
+ string& _tokenCode);
 const string& getRoleARN() const { return roleArn; }
 const string& getRoleSessionName() const { return roleSessionName; }
 const string& getPolicy() const {return iamPolicy; }
- static uint64_t getMaxPolicySize() { return MAX_POLICY_SIZE; }
+ static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
+ void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
+ uint64_t& getDuration() { return duration; }
 int validate_input() const;
 };
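Review bot: In the @@ -25,17 hunk `uint64_t& getDuration() { return duration; }` hands out a mutable reference to the very field that `validate_input()` bounds against the role's maximum session duration, so anything holding the request can change the lifetime after validation and before `generateCredentials(cct, req.getDuration())` consumes it; its only use in this commit is as a `const uint64_t&` argument, so a by-value const accessor, `uint64_t getDuration() const { return duration; }`, is sufficient and closes that window. For the same reason `getMaxPolicySize()` gains nothing from returning `const uint64_t&`; the removed `static uint64_t getMaxPolicySize() { return MAX_POLICY_SIZE; }` was already the simpler form. `setMaxDuration(const uint64_t& maxDuration)` can likewise take its scalar by value.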
@@ -56,13 +61,12 @@ public:
 class Credentials {
 static constexpr int MAX_ACCESS_KEY_LEN = 64;
- static constexpr int EXPIRATION_TIME_IN_SECS = 86400; // 1 day
 string accessKeyId;
 string expiration;
 string secretAccessKey;
 string sessionToken;
 public:
- int generateCredentials(CephContext* cct);
+ int generateCredentials(CephContext* cct, const uint64_t& duration);
 const string& getAccessKeyId() const { return accessKeyId; }
 const string& getExpiration() const { return expiration; }
 const string& getSecretAccessKey() const { return secretAccessKey; }
@@ -76,9 +80,10 @@ using AssumeRoleResponse = std::tuple, RGWRole> _getRoleInfo(const string& arn);
 public:
 STSService(CephContext* _cct, RGWRados *_store) : cct(_cct), store(_store) {}
- AssumeRoleResponse assumeRole(const AssumeRoleRequest& req);
+ AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
 };
 }
 #endif /* CEPH_STS_ASSUME_ROLE_H */
--
2.39.5
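Review bot: `generateCredentials` now takes the credential lifetime from its caller, but neither the new declaration nor anything replacing the removed `// 1 day` comment says what the value means or who is responsible for bounding it. Add above the declaration `// duration: lifetime of the issued credentials in seconds, added to the current timestamp to form expiration; callers must have validated it against the assumed role's max session duration (AssumeRoleRequest::validate_input).` Passing a `uint64_t` as `const uint64_t&` is also a style point: a scalar is simpler and no more expensive by value, `int generateCredentials(CephContext* cct, uint64_t duration);`, with the definition at @@ -32,7 in the .cc file changed to match.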