From ea61dd2c54377ba4a58a6c08ce9156068d36993b Mon Sep 17 00:00:00 2001
From: Pritha Srivastava
Date: Mon, 7 Jun 2021 20:55:11 +0530
Subject: [PATCH] rgw/sts: adding role name and role session to ops log. Also adding authentication type for all ops.
Fixes: https://tracker.ceph.com/issues/51152
Signed-off-by: Pritha Srivastava
---
 src/rgw/rgw_auth.cc | 2 ++
 src/rgw/rgw_log.cc | 23 ++++++++++++++++-
 src/rgw/rgw_log.h | 9 +++++-
 src/test/rgw/test_rgw_lua.cc | 48 ++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 3 deletions(-)
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 9d7ce187673..03026425515 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -829,6 +829,8 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp,
   s->env.emplace("aws:TokenIssueTime", token_issued_at);
   s->token_claims.emplace_back("sts");
+  s->token_claims.emplace_back("role_name:" + role.tenant + "$" + role.name);
+  s->token_claims.emplace_back("role_session:" + role_session_name);
   for (auto& it : token_claims) {
     s->token_claims.emplace_back(it);
   }
diff --git a/src/rgw/rgw_log.cc b/src/rgw/rgw_log.cc
index 70182f1d79a..b35baf76756 100644
--- a/src/rgw/rgw_log.cc
+++ b/src/rgw/rgw_log.cc
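Review bot: The two added claims are free-form strings whose layout (`role_name:<tenant>$<name>`, `role_session:<session>`) is only implied by the concatenation, yet rgw_format_ops_log_entry in the rgw_log.cc hunk splits every claim at its first ':' to build the log keys, so the layout is a contract between the two files. A comment above the first added line, `// "key:value" claims; rgw_format_ops_log_entry splits on the first ':' to build the sts_info section`, would make that explicit. role_session_name is chosen by the caller at AssumeRole time and from here on is written verbatim into the ops log, so log consumers should treat that field as caller-supplied data rather than as an identifier the gateway vouches for (presumably it was validated when the session was created, but that is not visible here). modify_request_state begins before this hunk.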
@@ -279,9 +279,28 @@ void rgw_format_ops_log_entry(struct rgw_log_entry& entry, Formatter *formatter)
     formatter->close_section();
   }
   formatter->dump_string("trans_id", entry.trans_id);
+  switch(entry.identity_type) {
+    case TYPE_RGW:
+      formatter->dump_string("authentication_type","Local");
+      break;
+    case TYPE_LDAP:
+      formatter->dump_string("authentication_type","LDAP");
+      break;
+    case TYPE_KEYSTONE:
+      formatter->dump_string("authentication_type","Keystone");
+      break;
+    case TYPE_WEB:
+      formatter->dump_string("authentication_type","OIDC Provider");
+      break;
+    case TYPE_ROLE:
+      formatter->dump_string("authentication_type","STS");
+      break;
+    default:
+      break;
+  }
   if (entry.token_claims.size() > 0) {
     if (entry.token_claims[0] == "sts") {
-      formatter->open_object_section("sts_token_claims");
+      formatter->open_object_section("sts_info");
       for (const auto& iter: entry.token_claims) {
         auto pos = iter.find(":");
         if (pos != string::npos) {
@@ -412,6 +431,8 @@ int rgw_log_op(rgw::sal::Store* store, RGWREST* const rest, struct req_state *s,
   entry.op = op_name;
+  entry.identity_type = s->auth.identity->get_identity_type();
+
   if (! s->token_claims.empty()) {
     entry.token_claims = std::move(s->token_claims);
   }
diff --git a/src/rgw/rgw_log.h b/src/rgw/rgw_log.h
index 4dc651975aa..dd2454fd2cc 100644
--- a/src/rgw/rgw_log.h
+++ b/src/rgw/rgw_log.h
@@ -38,9 +38,10 @@ struct rgw_log_entry {
   headers_map x_headers;
   string trans_id;
   std::vector token_claims;
+  uint32_t identity_type;
   void encode(bufferlist &bl) const {
-    ENCODE_START(11, 5, bl);
+    ENCODE_START(12, 5, bl);
     encode(object_owner.id, bl);
     encode(bucket_owner.id, bl);
     encode(bucket, bl);
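Review bot: `default: break;` emits no authentication_type at all, and nothing in the commit initialises the new `uint32_t identity_type` member added in the rgw_log.h hunk at @@ -38 (the decode hunk at @@ -120 also leaves it untouched for entries older than v12), so an entry whose identity type was never set carries an indeterminate value that either silently drops the field or, if the stale bits happen to equal one of the cases, mislabels the authentication method in a security-relevant log. Give the member a defined default, `uint32_t identity_type = 0;`, and make the fallback observable, e.g. `default: formatter->dump_string("authentication_type","Unknown"); break;`, so consumers can tell "not recorded" from a parsing gap. Renaming the section from `sts_token_claims` to `sts_info` changes the ops-log schema for anything already parsing it, which deserves a line in the commit message or release notes. rgw_format_ops_log_entry begins and ends outside the hunk.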
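Review bot: `entry.identity_type = s->auth.identity->get_identity_type();` dereferences `s->auth.identity` unconditionally, but rgw_log_op is presumably also reached for requests that never completed authentication (the test_rgw_lua.cc hunk has to install a FakeIdentity before this line can run at all), and in that case the pointer is null and every rejected or anonymous request would bring the gateway down in its logging path. Guard it, `if (s->auth.identity) { entry.identity_type = s->auth.identity->get_identity_type(); }`, and rely on a defined default in the struct for the remaining cases. rgw_log_op begins and ends outside the hunk.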
@@ -65,10 +66,11 @@ struct rgw_log_entry {
     encode(x_headers, bl);
     encode(trans_id, bl);
     encode(token_claims, bl);
+    encode(identity_type,bl);
     ENCODE_FINISH(bl);
   }
   void decode(bufferlist::const_iterator &p) {
-    DECODE_START_LEGACY_COMPAT_LEN(11, 5, 5, p);
+    DECODE_START_LEGACY_COMPAT_LEN(12, 5, 5, p);
     decode(object_owner.id, p);
     if (struct_v > 3)
       decode(bucket_owner.id, p);
@@ -120,6 +122,9 @@ struct rgw_log_entry {
     if (struct_v >= 11) {
       decode(token_claims, p);
     }
+    if (struct_v >= 12) {
+      decode(identity_type, p);
+    }
     DECODE_FINISH(p);
   }
   void dump(ceph::Formatter *f) const;
diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index 63cfacd803b..9908ff8e5e9 100644
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -1,11 +1,15 @@
 #include 
 #include "common/ceph_context.h"
 #include "rgw/rgw_common.h"
+#include "rgw/rgw_auth.h"
 #include "rgw/rgw_process.h"
 #include "rgw/rgw_sal_rados.h"
 #include "rgw/rgw_lua_request.h"
 using namespace rgw;
+using boost::container::flat_set;
+using rgw::auth::Identity;
+using rgw::auth::Principal;
 class CctCleaner {
   CephContext* cct;
@@ -20,6 +24,47 @@ public:
   }
 };
+class FakeIdentity : public Identity {
+public:
+  FakeIdentity() = default;
+
+  uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
+    return 0;
+  };
+
+  bool is_admin_of(const rgw_user& uid) const override {
+    return false;
+  }
+
+  bool is_owner_of(const rgw_user& uid) const override {
+    return false;
+  }
+
+  virtual uint32_t get_perm_mask() const override {
+    return 0;
+  }
+
+  uint32_t get_identity_type() const override {
+    return TYPE_RGW;
+  }
+
+  string get_acct_name() const override {
+    return "";
+  }
+
+  string get_subuser() const override {
+    return "";
+  }
+
+  void to_str(std::ostream& out) const override {
+    return;
+  }
+
+  bool is_identity(const flat_set& ids) const override {
+    return false;
+  }
+};
+
 class TestUser : public sal::User {
 public:
   virtual std::unique_ptr clone() override {
@@ -599,6 +644,9 @@ TEST(TestRGWLua, OpsLog)
   s.cio = ∾
   s.cct->_conf->rgw_ops_log_rados = false;
+  s.auth.identity = std::unique_ptr(
+    new FakeIdentity());
+
   auto rc = lua::request::execute(store.get(), nullptr, olog.get(), &s, "put_obj", script);
   EXPECT_EQ(rc, 0);
-- 
2.39.5
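Review bot: The body of `get_perms_from_aclspec` is closed with `};` — the trailing semicolon after a member-function definition is an empty declaration that compilers flag under -Wextra-semi — and `get_perm_mask` pairs `virtual` with `override`, which is redundant; drop both so the stubs read uniformly, `  }` for the former and `uint32_t get_perm_mask() const override {` for the latter. The stub reports TYPE_RGW and answers false or zero to every other query, which appears to exist only so the ops-log path has an identity to ask; a one-line comment above the class saying so, e.g. `// Minimal Identity stub: reports TYPE_RGW and grants nothing; present so the ops-log path has an identity to query`, would spare the next reader the inference.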
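Review bot: `s.auth.identity = std::unique_ptr<…>(new FakeIdentity());` spells out a raw `new` across two lines where `s.auth.identity = std::make_unique<FakeIdentity>();` does the same without naming the pointer type (the template argument is lost on this page, so the exact original cannot be confirmed). Inferred from the diff rather than shown: the OpsLog test only passes once an identity is installed, which is worth recording on the added line, e.g. `// rgw_log_op now reads s->auth.identity; install a stub so the ops-log path has one`. The TEST body continues outside the hunk.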