+++ /dev/null
-// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
-// vim: ts=8 sw=2 smarttab
-
-#ifndef CEPH_RGW_KEYSTONE_H
-#define CEPH_RGW_KEYSTONE_H
-
-#include <type_traits>
-
-#include <boost/optional.hpp>
-#include <boost/utility/string_ref.hpp>
-
-#include "rgw_common.h"
-#include "rgw_http_client.h"
-#include "common/Cond.h"
-#include "global/global_init.h"
-
-#include <atomic>
-
-int rgw_open_cms_envelope(CephContext *cct,
- const std::string& src,
- std::string& dst); /* out */
-int rgw_decode_b64_cms(CephContext *cct,
- const string& signed_b64,
- bufferlist& bl);
-bool rgw_is_pki_token(const string& token);
-void rgw_get_token_id(const string& token, string& token_id);
-static inline std::string rgw_get_token_id(const string& token)
-{
- std::string token_id;
- rgw_get_token_id(token, token_id);
-
- return token_id;
-}
-bool rgw_decode_pki_token(CephContext *cct,
- const string& token,
- bufferlist& bl);
-
-namespace rgw {
-namespace keystone {
-
-enum class ApiVersion {
- VER_2,
- VER_3
-};
-
-
-class Config {
-protected:
- Config() = default;
- virtual ~Config() = default;
-
-public:
- virtual std::string get_endpoint_url() const noexcept = 0;
- virtual ApiVersion get_api_version() const noexcept = 0;
-
- virtual boost::string_ref get_admin_token() const noexcept = 0;
- virtual boost::string_ref get_admin_user() const noexcept = 0;
- virtual boost::string_ref get_admin_password() const noexcept = 0;
- virtual boost::string_ref get_admin_tenant() const noexcept = 0;
- virtual boost::string_ref get_admin_project() const noexcept = 0;
- virtual boost::string_ref get_admin_domain() const noexcept = 0;
-};
-
-class CephCtxConfig : public Config {
-protected:
- CephCtxConfig() = default;
- virtual ~CephCtxConfig() = default;
-
-public:
- static CephCtxConfig& get_instance() {
- static CephCtxConfig instance;
- return instance;
- }
-
- std::string get_endpoint_url() const noexcept override;
- ApiVersion get_api_version() const noexcept override;
-
- boost::string_ref get_admin_token() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_token;
- }
-
- boost::string_ref get_admin_user() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_user;
- }
-
- boost::string_ref get_admin_password() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_password;
- }
-
- boost::string_ref get_admin_tenant() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_tenant;
- }
-
- boost::string_ref get_admin_project() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_project;
- }
-
- boost::string_ref get_admin_domain() const noexcept override {
- return g_ceph_context->_conf->rgw_keystone_admin_domain;
- }
-};
-
-
-class TokenEnvelope;
-class TokenCache;
-
-class Service {
-public:
- class RGWKeystoneHTTPTransceiver : public RGWHTTPTransceiver {
- public:
- RGWKeystoneHTTPTransceiver(CephContext * const cct,
- bufferlist * const token_body_bl)
- : RGWHTTPTransceiver(cct, token_body_bl,
- cct->_conf->rgw_keystone_verify_ssl,
- { "X-Subject-Token" }) {
- }
-
- const header_value_t& get_subject_token() const {
- try {
- return get_header_value("X-Subject-Token");
- } catch (std::out_of_range&) {
- static header_value_t empty_val;
- return empty_val;
- }
- }
- };
-
- typedef RGWKeystoneHTTPTransceiver RGWValidateKeystoneToken;
- typedef RGWKeystoneHTTPTransceiver RGWGetKeystoneAdminToken;
- typedef RGWKeystoneHTTPTransceiver RGWGetRevokedTokens;
-
- static int get_admin_token(CephContext* const cct,
- TokenCache& token_cache,
- const Config& config,
- std::string& token);
- static int issue_admin_token_request(CephContext* const cct,
- const Config& config,
- TokenEnvelope& token);
- static int get_keystone_barbican_token(CephContext * const cct,
- std::string& token);
-};
-
-
-class TokenEnvelope {
-public:
- class Domain {
- public:
- string id;
- string name;
- void decode_json(JSONObj *obj);
- };
- class Project {
- public:
- Domain domain;
- string id;
- string name;
- void decode_json(JSONObj *obj);
- };
-
- class Token {
- public:
- Token() : expires(0) { }
- string id;
- time_t expires;
- Project tenant_v2;
- void decode_json(JSONObj *obj);
- };
-
- class Role {
- public:
- string id;
- string name;
- void decode_json(JSONObj *obj);
- };
-
- class User {
- public:
- string id;
- string name;
- Domain domain;
- list<Role> roles_v2;
- void decode_json(JSONObj *obj);
- };
-
- Token token;
- Project project;
- User user;
- list<Role> roles;
-
- void decode_v3(JSONObj* obj);
- void decode_v2(JSONObj* obj);
-
-public:
- /* We really need the default ctor because of the internals of TokenCache. */
- TokenEnvelope() = default;
-
- time_t get_expires() const { return token.expires; }
- const std::string& get_domain_id() const {return project.domain.id;};
- const std::string& get_domain_name() const {return project.domain.name;};
- const std::string& get_project_id() const {return project.id;};
- const std::string& get_project_name() const {return project.name;};
- const std::string& get_user_id() const {return user.id;};
- const std::string& get_user_name() const {return user.name;};
- bool has_role(const string& r) const;
- bool expired() const {
- const uint64_t now = ceph_clock_now().sec();
- return now >= static_cast<uint64_t>(get_expires());
- }
- int parse(CephContext* cct,
- const std::string& token_str,
- ceph::buffer::list& bl /* in */,
- ApiVersion version);
-};
-
-
-class TokenCache {
- struct token_entry {
- TokenEnvelope token;
- list<string>::iterator lru_iter;
- };
-
- std::atomic<bool> down_flag = { false };
-
- class RevokeThread : public Thread {
- friend class TokenCache;
- typedef RGWPostHTTPData RGWGetRevokedTokens;
-
- CephContext* const cct;
- TokenCache* const cache;
- const rgw::keystone::Config& config;
-
- Mutex lock;
- Cond cond;
-
- RevokeThread(CephContext* const cct,
- TokenCache* const cache,
- const rgw::keystone::Config& config)
- : cct(cct),
- cache(cache),
- config(config),
- lock("rgw::keystone::TokenCache::RevokeThread") {
- }
-
- void *entry() override;
- void stop();
- int check_revoked();
- } revocator;
-
- const boost::intrusive_ptr<CephContext> cct;
-
- std::string admin_token_id;
- std::string barbican_token_id;
- std::map<std::string, token_entry> tokens;
- std::list<std::string> tokens_lru;
-
- Mutex lock;
-
- const size_t max;
-
- TokenCache(const rgw::keystone::Config& config)
- : revocator(g_ceph_context, this, config),
- cct(g_ceph_context),
- lock("rgw::keystone::TokenCache"),
- max(cct->_conf->rgw_keystone_token_cache_size) {
- /* revocation logic needs to be smarter, but meanwhile,
- * make it optional.
- * see http://tracker.ceph.com/issues/9493
- * http://tracker.ceph.com/issues/19499
- */
- if (cct->_conf->rgw_keystone_revocation_interval > 0
- && cct->_conf->rgw_keystone_token_cache_size ) {
- /* The thread name has been kept for backward compliance. */
- revocator.create("rgw_swift_k_rev");
- }
- }
-
- ~TokenCache() {
- down_flag = true;
-
- // Only stop and join if revocator thread is started.
- if (revocator.is_started()) {
- revocator.stop();
- revocator.join();
- }
- }
-
-public:
- TokenCache(const TokenCache&) = delete;
- void operator=(const TokenCache&) = delete;
-
- template<class ConfigT>
- static TokenCache& get_instance() {
- static_assert(std::is_base_of<rgw::keystone::Config, ConfigT>::value,
- "ConfigT must be a subclass of rgw::keystone::Config");
-
- /* In C++11 this is thread safe. */
- static TokenCache instance(ConfigT::get_instance());
- return instance;
- }
-
- bool find(const std::string& token_id, TokenEnvelope& token);
- boost::optional<TokenEnvelope> find(const std::string& token_id) {
- TokenEnvelope token_envlp;
- if (find(token_id, token_envlp)) {
- return token_envlp;
- }
- return boost::none;
- }
- bool find_admin(TokenEnvelope& token);
- bool find_barbican(TokenEnvelope& token);
- void add(const std::string& token_id, const TokenEnvelope& token);
- void add_admin(const TokenEnvelope& token);
- void add_barbican(const TokenEnvelope& token);
- void invalidate(const std::string& token_id);
- bool going_down() const;
-private:
- void add_locked(const std::string& token_id, const TokenEnvelope& token);
- bool find_locked(const std::string& token_id, TokenEnvelope& token);
-
-};
-
-
-class AdminTokenRequest {
-public:
- virtual ~AdminTokenRequest() = default;
- virtual void dump(Formatter* f) const = 0;
-};
-
-class AdminTokenRequestVer2 : public AdminTokenRequest {
- const Config& conf;
-
-public:
- AdminTokenRequestVer2(const Config& conf)
- : conf(conf) {
- }
- void dump(Formatter *f) const override;
-};
-
-class AdminTokenRequestVer3 : public AdminTokenRequest {
- const Config& conf;
-
-public:
- AdminTokenRequestVer3(const Config& conf)
- : conf(conf) {
- }
- void dump(Formatter *f) const override;
-};
-
-class BarbicanTokenRequestVer2 : public AdminTokenRequest {
- CephContext *cct;
-
-public:
- BarbicanTokenRequestVer2(CephContext * const _cct)
- : cct(_cct) {
- }
- void dump(Formatter *f) const;
-};
-
-class BarbicanTokenRequestVer3 : public AdminTokenRequest {
- CephContext *cct;
-
-public:
- BarbicanTokenRequestVer3(CephContext * const _cct)
- : cct(_cct) {
- }
- void dump(Formatter *f) const;
-};
-
-
-}; /* namespace keystone */
-}; /* namespace rgw */
-
-#endif