From e66371fad39e526b734f41df82552f61377360b1 Mon Sep 17 00:00:00 2001 From: Kalpesh Pandya Date: Mon, 21 Jun 2021 02:11:25 +0530 Subject: [PATCH] src/rgw: DPP addition to rgw_sts.cc Signed-off-by: Kalpesh Pandya --- src/rgw/rgw_rest_sts.cc | 4 +-- src/rgw/rgw_sts.cc | 61 +++++++++++++++++++++-------------------- src/rgw/rgw_sts.h | 13 +++++---- 3 files changed, 40 insertions(+), 38 deletions(-) diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index 8f2a0f1d47f15..093c92d3633ea 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -611,7 +611,7 @@ void RGWSTSGetSessionToken::execute(optional_yield y) STS::STSService sts(s->cct, store, s->user->get_id(), s->auth.identity.get()); STS::GetSessionTokenRequest req(duration, serialNumber, tokenCode); - const auto& [ret, creds] = sts.getSessionToken(req); + const auto& [ret, creds] = sts.getSessionToken(this, req); op_ret = std::move(ret); //Dump the output if (op_ret == 0) { @@ -663,7 +663,7 @@ void RGWSTSAssumeRoleWithWebIdentity::execute(optional_yield y) STS::AssumeRoleWithWebIdentityRequest req(s->cct, duration, providerId, policy, roleArn, roleSessionName, iss, sub, aud, s->principal_tags); - STS::AssumeRoleWithWebIdentityResponse response = sts.assumeRoleWithWebIdentity(req); + STS::AssumeRoleWithWebIdentityResponse response = sts.assumeRoleWithWebIdentity(this, req); op_ret = std::move(response.assumeRoleResp.retCode); //Dump the output diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index edfb2ae39c012..4c3d75925fe5e 100644 --- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -42,7 +42,8 @@ void Credentials::dump(Formatter *f) const encode_json("SessionToken", sessionToken , f); } -int Credentials::generateCredentials(CephContext* cct, +int Credentials::generateCredentials(const DoutPrefixProvider *dpp, + CephContext* cct, const uint64_t& duration, const boost::optional& policy, const boost::optional& roleId, @@ -71,20 +72,20 @@ int Credentials::generateCredentials(CephContext* cct, //Session Token - Encrypt using AES auto* cryptohandler = cct->get_crypto_handler(CEPH_CRYPTO_AES); if (! cryptohandler) { - ldout(cct, 0) << "ERROR: No AES cryto handler found !" << dendl; + ldpp_dout(dpp, 0) << "ERROR: No AES cryto handler found !" << dendl; return -EINVAL; } string secret_s = cct->_conf->rgw_sts_key; buffer::ptr secret(secret_s.c_str(), secret_s.length()); int ret = 0; if (ret = cryptohandler->validate_secret(secret); ret < 0) { - ldout(cct, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure its length is 16" << dendl; return ret; } string error; std::unique_ptr keyhandler(cryptohandler->get_key_handler(secret, error)); if (! keyhandler) { - ldout(cct, 0) << "ERROR: No Key handler found !" << dendl; + ldpp_dout(dpp, 0) << "ERROR: No Key handler found !" << dendl; return -EINVAL; } error.clear(); @@ -139,7 +140,7 @@ int Credentials::generateCredentials(CephContext* cct, encode(token, input); if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) { - ldout(cct, 0) << "ERROR: Encrypting session token returned an error !" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Encrypting session token returned an error !" << dendl; return ret; } @@ -194,40 +195,40 @@ AssumeRoleRequestBase::AssumeRoleRequestBase( CephContext* cct, } } -int AssumeRoleRequestBase::validate_input() const +int AssumeRoleRequestBase::validate_input(const DoutPrefixProvider *dpp) const { if (!err_msg.empty()) { - ldout(cct, 0) << "ERROR: error message is empty !" << dendl; + ldpp_dout(dpp, 0) << "ERROR: error message is empty !" << dendl; return -EINVAL; } if (duration < MIN_DURATION_IN_SECS || duration > MAX_DURATION_IN_SECS) { - ldout(cct, 0) << "ERROR: Incorrect value of duration: " << duration << dendl; + ldpp_dout(dpp, 0) << "ERROR: Incorrect value of duration: " << duration << dendl; return -EINVAL; } if (! iamPolicy.empty() && (iamPolicy.size() < MIN_POLICY_SIZE || iamPolicy.size() > MAX_POLICY_SIZE)) { - ldout(cct, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl; + ldpp_dout(dpp, 0) << "ERROR: Incorrect size of iamPolicy: " << iamPolicy.size() << dendl; return -ERR_PACKED_POLICY_TOO_LARGE; } if (! roleArn.empty() && (roleArn.size() < MIN_ROLE_ARN_SIZE || roleArn.size() > MAX_ROLE_ARN_SIZE)) { - ldout(cct, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl; + ldpp_dout(dpp, 0) << "ERROR: Incorrect size of roleArn: " << roleArn.size() << dendl; return -EINVAL; } if (! roleSessionName.empty()) { if (roleSessionName.size() < MIN_ROLE_SESSION_SIZE || roleSessionName.size() > MAX_ROLE_SESSION_SIZE) { - ldout(cct, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl; + ldpp_dout(dpp, 0) << "ERROR: Either role session name is empty or role session size is incorrect: " << roleSessionName.size() << dendl; return -EINVAL; } std::regex regex_roleSession("[A-Za-z0-9_=,.@-]+"); if (! std::regex_match(roleSessionName, regex_roleSession)) { - ldout(cct, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl; + ldpp_dout(dpp, 0) << "ERROR: Role session name is incorrect: " << roleSessionName << dendl; return -EINVAL; } } @@ -235,51 +236,51 @@ int AssumeRoleRequestBase::validate_input() const return 0; } -int AssumeRoleWithWebIdentityRequest::validate_input() const +int AssumeRoleWithWebIdentityRequest::validate_input(const DoutPrefixProvider *dpp) const { if (! providerId.empty()) { if (providerId.length() < MIN_PROVIDER_ID_LEN || providerId.length() > MAX_PROVIDER_ID_LEN) { - ldout(cct, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl; + ldpp_dout(dpp, 0) << "ERROR: Either provider id is empty or provider id length is incorrect: " << providerId.length() << dendl; return -EINVAL; } } - return AssumeRoleRequestBase::validate_input(); + return AssumeRoleRequestBase::validate_input(dpp); } -int AssumeRoleRequest::validate_input() const +int AssumeRoleRequest::validate_input(const DoutPrefixProvider *dpp) const { if (! externalId.empty()) { if (externalId.length() < MIN_EXTERNAL_ID_LEN || externalId.length() > MAX_EXTERNAL_ID_LEN) { - ldout(cct, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl; + ldpp_dout(dpp, 0) << "ERROR: Either external id is empty or external id length is incorrect: " << externalId.length() << dendl; return -EINVAL; } std::regex regex_externalId("[A-Za-z0-9_=,.@:/-]+"); if (! std::regex_match(externalId, regex_externalId)) { - ldout(cct, 0) << "ERROR: Invalid external Id: " << externalId << dendl; + ldpp_dout(dpp, 0) << "ERROR: Invalid external Id: " << externalId << dendl; return -EINVAL; } } if (! serialNumber.empty()){ if (serialNumber.size() < MIN_SERIAL_NUMBER_SIZE || serialNumber.size() > MAX_SERIAL_NUMBER_SIZE) { - ldout(cct, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl; + ldpp_dout(dpp, 0) << "Either serial number is empty or serial number length is incorrect: " << serialNumber.size() << dendl; return -EINVAL; } std::regex regex_serialNumber("[A-Za-z0-9_=/:,.@-]+"); if (! std::regex_match(serialNumber, regex_serialNumber)) { - ldout(cct, 0) << "Incorrect serial number: " << serialNumber << dendl; + ldpp_dout(dpp, 0) << "Incorrect serial number: " << serialNumber << dendl; return -EINVAL; } } if (! tokenCode.empty() && tokenCode.size() == TOKEN_CODE_SIZE) { - ldout(cct, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl; + ldpp_dout(dpp, 0) << "Either token code is empty or token code size is invalid: " << tokenCode.size() << dendl; return -EINVAL; } - return AssumeRoleRequestBase::validate_input(); + return AssumeRoleRequestBase::validate_input(dpp); } std::tuple STSService::getRoleInfo(const DoutPrefixProvider *dpp, @@ -335,7 +336,7 @@ int STSService::storeARN(const DoutPrefixProvider *dpp, string& arn, optional_yi return ret; } -AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req) +AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req) { AssumeRoleWithWebIdentityResponse response; response.assumeRoleResp.packedPolicySize = 0; @@ -354,7 +355,7 @@ AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRo //Get the role info which is being assumed boost::optional r_arn = rgw::ARN::parse(req.getRoleARN()); if (r_arn == boost::none) { - ldout(cct, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl; + ldpp_dout(dpp, 0) << "Error in parsing role arn: " << req.getRoleARN() << dendl; response.assumeRoleResp.retCode = -EINVAL; return response; } @@ -364,7 +365,7 @@ AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRo req.setMaxDuration(roleMaxSessionDuration); //Validate input - response.assumeRoleResp.retCode = req.validate_input(); + response.assumeRoleResp.retCode = req.validate_input(dpp); if (response.assumeRoleResp.retCode < 0) { return response; } @@ -385,7 +386,7 @@ AssumeRoleWithWebIdentityResponse STSService::assumeRoleWithWebIdentity(AssumeRo //Generate Credentials //Role and Policy provide the authorization info, user id and applier info are not needed - response.assumeRoleResp.retCode = response.assumeRoleResp.creds.generateCredentials(cct, req.getDuration(), + response.assumeRoleResp.retCode = response.assumeRoleResp.creds.generateCredentials(dpp, cct, req.getDuration(), req.getPolicy(), roleId, req.getRoleSessionName(), token_claims, @@ -419,7 +420,7 @@ AssumeRoleResponse STSService::assumeRole(const DoutPrefixProvider *dpp, req.setMaxDuration(roleMaxSessionDuration); //Validate input - response.retCode = req.validate_input(); + response.retCode = req.validate_input(dpp); if (response.retCode < 0) { return response; } @@ -436,7 +437,7 @@ AssumeRoleResponse STSService::assumeRole(const DoutPrefixProvider *dpp, //Generate Credentials //Role and Policy provide the authorization info, user id and applier info are not needed - response.retCode = response.creds.generateCredentials(cct, req.getDuration(), + response.retCode = response.creds.generateCredentials(dpp, cct, req.getDuration(), req.getPolicy(), roleId, req.getRoleSessionName(), boost::none, @@ -468,13 +469,13 @@ GetSessionTokenRequest::GetSessionTokenRequest(const string& duration, const str this->tokenCode = tokenCode; } -GetSessionTokenResponse STSService::getSessionToken(GetSessionTokenRequest& req) +GetSessionTokenResponse STSService::getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req) { int ret; Credentials cred; //Generate Credentials - if (ret = cred.generateCredentials(cct, + if (ret = cred.generateCredentials(dpp, cct, req.getDuration(), boost::none, boost::none, diff --git a/src/rgw/rgw_sts.h b/src/rgw/rgw_sts.h index d67cd49975415..05bd328bd1155 100644 --- a/src/rgw/rgw_sts.h +++ b/src/rgw/rgw_sts.h @@ -39,7 +39,7 @@ public: static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; } void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; } const uint64_t& getDuration() const { return duration; } - int validate_input() const; + int validate_input(const DoutPrefixProvider *dpp) const; }; class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase { @@ -69,7 +69,7 @@ public: const std::string& getAud() const { return aud; } const std::string& getSub() const { return sub; } const std::vector>& getPrincipalTags() const { return session_princ_tags; } - int validate_input() const; + int validate_input(const DoutPrefixProvider *dpp) const; }; class AssumeRoleRequest : public AssumeRoleRequestBase { @@ -92,7 +92,7 @@ public: const std::string& tokenCode) : AssumeRoleRequestBase(cct, duration, iamPolicy, roleArn, roleSessionName), externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){} - int validate_input() const; + int validate_input(const DoutPrefixProvider *dpp) const; }; class GetSessionTokenRequest { @@ -198,7 +198,8 @@ class Credentials { std::string secretAccessKey; std::string sessionToken; public: - int generateCredentials(CephContext* cct, + int generateCredentials(const DoutPrefixProvider *dpp, + CephContext* cct, const uint64_t& duration, const boost::optional& policy, const boost::optional& roleId, @@ -246,8 +247,8 @@ public: : cct(cct), store(store), user_id(user_id), identity(identity) {} std::tuple getRoleInfo(const DoutPrefixProvider *dpp, const std::string& arn, optional_yield y); AssumeRoleResponse assumeRole(const DoutPrefixProvider *dpp, AssumeRoleRequest& req, optional_yield y); - GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req); - AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req); + GetSessionTokenResponse getSessionToken(const DoutPrefixProvider *dpp, GetSessionTokenRequest& req); + AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(const DoutPrefixProvider *dpp, AssumeRoleWithWebIdentityRequest& req); }; } #endif /* CEPH_RGW_STS_H */ -- 2.39.5