1 files changed, 222 insertions, 0 deletions

diff --git a/src/rgw/rgw_sts.h b/src/rgw/rgw_sts.h
new file mode 100644
index 00000000..1ad48504
--- /dev/null
+++ b/src/rgw/rgw_sts.h
@@ -0,0 +1,222 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#ifndef CEPH_RGW_STS_H
+#define CEPH_RGW_STS_H
+
+#include "rgw_role.h"
+#include "rgw_auth.h"
+#include "rgw_web_idp.h"
+
+namespace STS {
+
+class AssumeRoleRequestBase {
+protected:
+  static constexpr uint64_t MIN_POLICY_SIZE = 1;
+  static constexpr uint64_t MAX_POLICY_SIZE = 2048;
+  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
+  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
+  static constexpr uint64_t MIN_ROLE_ARN_SIZE = 2;
+  static constexpr uint64_t MAX_ROLE_ARN_SIZE = 2048;
+  static constexpr uint64_t MIN_ROLE_SESSION_SIZE = 2;
+  static constexpr uint64_t MAX_ROLE_SESSION_SIZE = 64;
+  uint64_t MAX_DURATION_IN_SECS;
+  uint64_t duration;
+  string err_msg;
+  string iamPolicy;
+  string roleArn;
+  string roleSessionName;
+public:
+  AssumeRoleRequestBase(const string& duration,
+                        const string& iamPolicy,
+                        const string& roleArn,
+                        const string& roleSessionName);
+  const string& getRoleARN() const { return roleArn; }
+  const string& getRoleSessionName() const { return roleSessionName; }
+  const string& getPolicy() const {return iamPolicy; }
+  static const uint64_t& getMaxPolicySize() { return MAX_POLICY_SIZE; }
+  void setMaxDuration(const uint64_t& maxDuration) { MAX_DURATION_IN_SECS = maxDuration; }
+  const uint64_t& getDuration() const { return duration; }
+  int validate_input() const;
+};
+
+class AssumeRoleWithWebIdentityRequest : public AssumeRoleRequestBase {
+  static constexpr uint64_t MIN_PROVIDER_ID_LEN = 4;
+  static constexpr uint64_t MAX_PROVIDER_ID_LEN = 2048;
+  string providerId;
+  string iamPolicy;
+  string iss;
+  string sub;
+  string aud;
+public:
+  AssumeRoleWithWebIdentityRequest( const string& duration,
+                      const string& providerId,
+                      const string& iamPolicy,
+                      const string& roleArn,
+                      const string& roleSessionName,
+                      const string& iss,
+                      const string& sub,
+                      const string& aud)
+    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
+      providerId(providerId), iss(iss), sub(sub), aud(aud) {}
+  const string& getProviderId() const { return providerId; }
+  const string& getIss() const { return iss; }
+  const string& getAud() const { return aud; }
+  const string& getSub() const { return sub; }
+  int validate_input() const;
+};
+
+class AssumeRoleRequest : public AssumeRoleRequestBase {
+  static constexpr uint64_t MIN_EXTERNAL_ID_LEN = 2;
+  static constexpr uint64_t MAX_EXTERNAL_ID_LEN = 1224;
+  static constexpr uint64_t MIN_SERIAL_NUMBER_SIZE = 9;
+  static constexpr uint64_t MAX_SERIAL_NUMBER_SIZE = 256;
+  static constexpr uint64_t TOKEN_CODE_SIZE = 6;
+  string externalId;
+  string serialNumber;
+  string tokenCode;
+public:
+  AssumeRoleRequest(const string& duration,
+                    const string& externalId,
+                    const string& iamPolicy,
+                    const string& roleArn,
+                    const string& roleSessionName,
+                    const string& serialNumber,
+                    const string& tokenCode)
+    : AssumeRoleRequestBase(duration, iamPolicy, roleArn, roleSessionName),
+      externalId(externalId), serialNumber(serialNumber), tokenCode(tokenCode){}
+  int validate_input() const;
+};
+
+class GetSessionTokenRequest {
+protected:
+  static constexpr uint64_t MIN_DURATION_IN_SECS = 900;
+  static constexpr uint64_t DEFAULT_DURATION_IN_SECS = 3600;
+  uint64_t duration;
+  string serialNumber;
+  string tokenCode;
+
+public:
+  GetSessionTokenRequest(const string& duration, const string& serialNumber, const string& tokenCode);
+
+  const uint64_t& getDuration() const { return duration; }
+  static const uint64_t& getMinDuration() { return MIN_DURATION_IN_SECS; }
+};
+
+class AssumedRoleUser {
+  string arn;
+  string assumeRoleId;
+public:
+  int generateAssumedRoleUser( CephContext* cct,
+                                RGWRados *store,
+                                const string& roleId,
+                                const rgw::ARN& roleArn,
+                                const string& roleSessionName);
+  const string& getARN() const { return arn; }
+  const string& getAssumeRoleId() const { return assumeRoleId; }
+  void dump(Formatter *f) const;
+};
+
+struct SessionToken {
+  string access_key_id;
+  string secret_access_key;
+  string expiration;
+  string policy;
+  string roleId;
+  rgw_user user;
+  string acct_name;
+  uint32_t perm_mask;
+  bool is_admin;
+  uint32_t acct_type;
+
+  SessionToken() {}
+
+  void encode(bufferlist& bl) const {
+    ENCODE_START(1, 1, bl);
+    encode(access_key_id, bl);
+    encode(secret_access_key, bl);
+    encode(expiration, bl);
+    encode(policy, bl);
+    encode(roleId, bl);
+    encode(user, bl);
+    encode(acct_name, bl);
+    encode(perm_mask, bl);
+    encode(is_admin, bl);
+    encode(acct_type, bl);
+    ENCODE_FINISH(bl);
+  }
+
+  void decode(bufferlist::const_iterator& bl) {
+    DECODE_START(1, bl);
+    decode(access_key_id, bl);
+    decode(secret_access_key, bl);
+    decode(expiration, bl);
+    decode(policy, bl);
+    decode(roleId, bl);
+    decode(user, bl);
+    decode(acct_name, bl);
+    decode(perm_mask, bl);
+    decode(is_admin, bl);
+    decode(acct_type, bl);
+    DECODE_FINISH(bl);
+  }
+};
+WRITE_CLASS_ENCODER(SessionToken)
+
+class Credentials {
+  static constexpr int MAX_ACCESS_KEY_LEN = 20;
+  static constexpr int MAX_SECRET_KEY_LEN = 40;
+  string accessKeyId;
+  string expiration;
+  string secretAccessKey;
+  string sessionToken;
+public:
+  int generateCredentials(CephContext* cct,
+                          const uint64_t& duration,
+                          const boost::optional<string>& policy,
+                          const boost::optional<string>& roleId,
+                          boost::optional<rgw_user> user,
+                          rgw::auth::Identity* identity);
+  const string& getAccessKeyId() const { return accessKeyId; }
+  const string& getExpiration() const { return expiration; }
+  const string& getSecretAccessKey() const { return secretAccessKey; }
+  const string& getSessionToken() const { return sessionToken; }
+  void dump(Formatter *f) const;
+};
+
+struct AssumeRoleResponse {
+  int retCode;
+  AssumedRoleUser user;
+  Credentials creds;
+  uint64_t packedPolicySize;
+};
+
+struct AssumeRoleWithWebIdentityResponse {
+  AssumeRoleResponse assumeRoleResp;
+  string aud;
+  string providerId;
+  string sub;
+};
+
+using AssumeRoleResponse = struct AssumeRoleResponse ;
+using GetSessionTokenResponse = std::tuple<int, Credentials>;
+using AssumeRoleWithWebIdentityResponse = struct AssumeRoleWithWebIdentityResponse;
+
+class STSService {
+  CephContext* cct;
+  RGWRados *store;
+  rgw_user user_id;
+  RGWRole role;
+  rgw::auth::Identity* identity;
+  int storeARN(string& arn);
+public:
+  STSService() = default;
+  STSService(CephContext* cct, RGWRados *store, rgw_user user_id, rgw::auth::Identity* identity) : cct(cct), store(store), user_id(user_id), identity(identity) {}
+  std::tuple<int, RGWRole> getRoleInfo(const string& arn);
+  AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
+  GetSessionTokenResponse getSessionToken(GetSessionTokenRequest& req);
+  AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest& req);
+};
+}
+#endif /* CEPH_RGW_STS_H */
+