From 5cdbd8f6567f0e8d55d3480caa3b84bdfb22419b Mon Sep 17 00:00:00 2001
From: Raja Sharma
Date: Tue, 18 Feb 2025 00:07:20 +0530
Subject: [PATCH] rgw/iam: add RemoveClientIDFromOpenIDConnectProvider

Signed-off-by: Raja Sharma
Fixes : https://tracker.ceph.com/issues/70015
---
 doc/radosgw/oidc.rst              | 25 ++++++++++-
 src/rgw/rgw_auth_s3.cc            |  1 +
 src/rgw/rgw_iam_policy.cc         |  4 ++
 src/rgw/rgw_iam_policy.h          |  1 +
 src/rgw/rgw_op_type.h             |  1 +
 src/rgw/rgw_rest_iam.cc           |  1 +
 src/rgw/rgw_rest_oidc_provider.cc | 71 +++++++++++++++++++++++++++++++
 src/rgw/rgw_rest_oidc_provider.h  | 12 ++++++
 8 files changed, 115 insertions(+), 1 deletion(-)

diff --git a/doc/radosgw/oidc.rst b/doc/radosgw/oidc.rst
index 147789930971..de3725a9b370 100644
--- a/doc/radosgw/oidc.rst
+++ b/doc/radosgw/oidc.rst
@@ -119,6 +119,29 @@ Example::
 &OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart
 &ClientID=app-jee-jsp"
+RemoveClientIDFromOpenIDConnectProvider
+----------------------------------
+
+Remove a client id from the list of existing client ids registered while creating an OpenIDConnectProvider.
+
+Request Parameters
+~~~~~~~~~~~~~~~~~~
+
+``OpenIDConnectProviderArn``
+
+:Description: ARN of the IDP which is returned by the Create API.
+:Type: String
+
+``ClientID``
+
+:Description: Client ID to remove from the existing OpenIDConnectProvider.
+:Type: String
+
+Example::
+ POST "?Action=Action=RemoveClientIDFromOpenIDConnectProvider
+ &OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart
+ &ClientID=app-jee-jsp"
+
 UpdateOpenIDConnectProviderThumbprint
 -------------------------------------
@@ -141,4 +164,4 @@ Request Parameters
 Example::
 POST "?Action=Action=UpdateOpenIDConnectProviderThumbprint
 &OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart
- &&ThumbprintList.list.1=ABCDB3515DD0D319DD219A43A9EA727AD6061234"
\ No newline at end of file
+ &&ThumbprintList.list.1=ABCDB3515DD0D319DD219A43A9EA727AD6061234"
diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index 17bbe2b8a3c3..a60aebd48072 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -499,6 +499,7 @@ bool is_non_s3_op(RGWOpType op_type)
     case RGW_OP_GET_OIDC_PROVIDER:
     case RGW_OP_LIST_OIDC_PROVIDERS:
     case RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER:
+    case RGW_OP_REMOVE_CLIENTID_FROM_OIDC_PROVIDER:
     case RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT:
     case RGW_OP_PUBSUB_TOPIC_CREATE:
     case RGW_OP_PUBSUB_TOPICS_LIST:
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index ef6761d42227..db7d634e4853 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -164,6 +164,7 @@ static const actpair actpairs[] =
 { "iam:GetOIDCProvider", iamGetOIDCProvider},
 { "iam:ListOIDCProviders", iamListOIDCProviders},
 { "iam:AddClientIdToOIDCProvider", iamAddClientIdToOIDCProvider},
+{ "iam:RemoveCientIdFromOIDCProvider", iamRemoveClientIdFromOIDCProvider},
 { "iam:UpdateOIDCProviderThumbprint", iamUpdateOIDCProviderThumbprint},
 { "iam:TagRole", iamTagRole},
 { "iam:ListRoleTags", iamListRoleTags},
@@ -1569,6 +1570,9 @@ const char* action_bit_string(uint64_t action) {
   case iamAddClientIdToOIDCProvider:
     return "iam:AddClientIdToOIDCProvider";
+  case iamRemoveClientIdFromOIDCProvider:
+    return "iam:RemoveClientIdFromOIDCProvider";
+
   case iamUpdateOIDCProviderThumbprint:
     return "iam:UpdateOIDCProviderThumbprint";
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index dd323ee4b9c8..fbee04e2acf4 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
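Review bot: The new actpairs entry registers the policy action under the misspelled name `"iam:RemoveCientIdFromOIDCProvider"`, while the action_bit_string hunk in the same file returns `"iam:RemoveClientIdFromOIDCProvider"` for the same bit, so a policy statement that grants or denies the correctly spelled action will not parse to this bit and a policy round-tripped through action_bit_string will not match its own input. Since this table is what decides whether a principal may strip a client id from a provider, the two spellings need to agree, and the AWS-style name in action_bit_string is the one to keep: `{ "iam:RemoveClientIdFromOIDCProvider", iamRemoveClientIdFromOIDCProvider},`. If the misspelled form has already shipped anywhere, keep it as a second alias entry rather than dropping it, so existing policies keep evaluating the same way.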
@@ -147,6 +147,7 @@ enum {
   iamGetOIDCProvider,
   iamListOIDCProviders,
   iamAddClientIdToOIDCProvider,
+  iamRemoveClientIdFromOIDCProvider,
   iamUpdateOIDCProviderThumbprint,
   iamTagRole,
   iamListRoleTags,
diff --git a/src/rgw/rgw_op_type.h b/src/rgw/rgw_op_type.h
index 2c8225d289e0..01f5a432e92e 100644
--- a/src/rgw/rgw_op_type.h
+++ b/src/rgw/rgw_op_type.h
@@ -166,6 +166,7 @@ enum RGWOpType {
   RGW_OP_GET_OIDC_PROVIDER,
   RGW_OP_LIST_OIDC_PROVIDERS,
   RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER,
+  RGW_OP_REMOVE_CLIENTID_FROM_OIDC_PROVIDER,
   RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT,
 };
diff --git a/src/rgw/rgw_rest_iam.cc b/src/rgw/rgw_rest_iam.cc
index adf79e978af5..04a45203f47c 100644
--- a/src/rgw/rgw_rest_iam.cc
+++ b/src/rgw/rgw_rest_iam.cc
@@ -46,6 +46,7 @@ static const std::unordered_map op_generators =
   {"GetOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWGetOIDCProvider;}},
   {"DeleteOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWDeleteOIDCProvider;}},
   {"AddClientIDToOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWAddClientIdToOIDCProvider;}},
+  {"RemoveClientIDFromOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWRemoveCientIdFromOIDCProvider;}},
   {"UpdateOpenIDConnectProviderThumbprint", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUpdateOIDCProviderThumbprint;}},
   {"TagRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWTagRole(bl_post_body);}},
   {"ListRoleTags", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWListRoleTags;}},
diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc
index 37b5e7edc263..20547e0eb230 100644
--- a/src/rgw/rgw_rest_oidc_provider.cc
+++ b/src/rgw/rgw_rest_oidc_provider.cc
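Review bot: The op class is named `RGWRemoveCientIdFromOIDCProvider` (missing the "l" in Client) in this rgw_rest_iam.cc entry and, consistently, in the rgw_rest_oidc_provider.cc definitions and the rgw_rest_oidc_provider.h declaration, while the enum, op-type and policy-action names it maps to spell it `RemoveClientId`. The class compiles as-is because the spelling is consistent, but it will not be found by anyone grepping for the sibling `RGWAddClientIdToOIDCProvider` pattern; rename it to `RGWRemoveClientIdFromOIDCProvider` in all three files before this lands, since renaming a public class later is more disruptive.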
@@ -406,6 +406,77 @@ void RGWAddClientIdToOIDCProvider::execute(optional_yield y)
   }
 }
+RGWRemoveCientIdFromOIDCProvider::RGWRemoveCientIdFromOIDCProvider()
+  : RGWRestOIDCProvider(rgw::IAM::iamRemoveClientIdFromOIDCProvider, RGW_CAP_WRITE)
+{
+}
+
+int RGWRemoveCientIdFromOIDCProvider::init_processing(optional_yield y)
+{
+  std::string_view account;
+  if (const auto& acc = s->auth.identity->get_account(); acc) {
+    account = acc->id;
+  } else {
+    account = s->user->get_tenant();
+  }
+  std::string provider_arn = s->info.args.get("OpenIDConnectProviderArn");
+  auto ret = validate_provider_arn(provider_arn, account,
+                                   resource, url, s->err.message);
+  if (ret < 0) {
+    return ret;
+  }
+
+  client_id = s->info.args.get("ClientID");
+
+  if (client_id.empty()) {
+    s->err.message = "Missing required element ClientID";
+    ldpp_dout(this, 20) << "ERROR: ClientID is empty" << dendl;
+    return -EINVAL;
+  }
+
+  if (client_id.size() > MAX_OIDC_CLIENT_ID_LEN) {
+    s->err.message = "ClientID cannot exceed the maximum length of " +
+                     std::to_string(MAX_OIDC_CLIENT_ID_LEN);
+    ldpp_dout(this, 20) << "ERROR: ClientID length exceeded " << MAX_OIDC_CLIENT_ID_LEN << dendl;
+    return -EINVAL;
+  }
+
+  return 0;
+}
+
+void RGWRemoveCientIdFromOIDCProvider::execute(optional_yield y)
+{
+  RGWOIDCProviderInfo info;
+  op_ret = driver->load_oidc_provider(this, y, resource.account, url, info);
+
+  if (op_ret < 0) {
+    if (op_ret != -ENOENT && op_ret != -EINVAL) {
+      op_ret = ERR_INTERNAL_ERROR;
+    }
+    return;
+  }
+
+  auto position = std::find(info.client_ids.begin(), info.client_ids.end(), client_id);
+
+  if(position != info.client_ids.end()) {
+    info.client_ids.erase(position);
+    constexpr bool exclusive = false;
+    op_ret = driver->store_oidc_provider(this, y, info, exclusive);
+  }
+
+  if (op_ret == 0) {
+    op_ret = 0;
+    s->formatter->open_object_section("RemoveClientIDFromOpenIDConnectProviderResponse");
+    s->formatter->open_object_section("ResponseMetadata");
+    s->formatter->dump_string("RequestId", s->trans_id);
+    s->formatter->close_section();
+    s->formatter->open_object_section("RemoveClientIDFromOpenIDConnectProviderResponse");
+    dump_oidc_provider(info, s->formatter);
+    s->formatter->close_section();
+    s->formatter->close_section();
+  }
+}
+
 RGWUpdateOIDCProviderThumbprint::RGWUpdateOIDCProviderThumbprint()
   : RGWRestOIDCProvider(rgw::IAM::iamUpdateOIDCProviderThumbprint, RGW_CAP_WRITE)
 {
diff --git a/src/rgw/rgw_rest_oidc_provider.h b/src/rgw/rgw_rest_oidc_provider.h
index e64243a4e727..4ed3208d56f6 100644
--- a/src/rgw/rgw_rest_oidc_provider.h
+++ b/src/rgw/rgw_rest_oidc_provider.h
@@ -75,6 +75,18 @@ public:
   RGWOpType get_type() override { return RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER; }
 };
+class RGWRemoveCientIdFromOIDCProvider : public RGWRestOIDCProvider {
+  std::string url;
+  std::string client_id;
+public:
+  RGWRemoveCientIdFromOIDCProvider();
+
+  int init_processing(optional_yield y);
+  void execute(optional_yield y) override;
+  const char* name() const override { return "remove_client_id_from_oidc_provider"; }
+  RGWOpType get_type() override { return RGW_OP_REMOVE_CLIENTID_FROM_OIDC_PROVIDER; }
+};
+
 class RGWUpdateOIDCProviderThumbprint : public RGWRestOIDCProvider {
   std::string url;
   std::vector thumbprints;
-- 
2.47.3
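Review bot: In execute(), the response body opens an inner object section with the same name as the outer one, `"RemoveClientIDFromOpenIDConnectProviderResponse"`, so the provider dump is nested Response-inside-Response; the AWS query-protocol shape (and, presumably, the sibling Add handler above, whose body is outside this hunk) puts the payload in a `...Result` element, so the second open_object_section should most likely read `s->formatter->open_object_section("RemoveClientIDFromOpenIDConnectProviderResult");` — confirm against RGWAddClientIdToOIDCProvider::execute. The `op_ret = 0;` inside `if (op_ret == 0)` is a no-op and can be dropped. A failure from store_oidc_provider is returned to the client unmapped, whereas the load_oidc_provider failure a few lines earlier is folded to ERR_INTERNAL_ERROR for anything other than -ENOENT/-EINVAL; the two paths should use the same mapping so the driver's errno values do not leak into the error response. Note also that load, erase and store run with no version token (only `exclusive = false`), so a concurrent AddClientID/RemoveClientID on the same provider can silently overwrite the other's change; whether the driver API offers a conditional write is not visible here, but the write should be guarded if it does.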
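Review bot: `int init_processing(optional_yield y);` in the new class declaration lacks `override` while the neighbouring `execute` carries it; if init_processing is virtual in RGWOp, as execute is, the line should read `int init_processing(optional_yield y) override;` so that a signature drift in the base is caught at compile time rather than silently turning the validation (ARN and ClientID checks) into an uncalled non-virtual method. The class body also deserves a short comment stating that `url` and `client_id` are populated by init_processing and consumed by execute, since neither member is initialised anywhere else in this hunk.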