--- /dev/null
+#include <errno.h>
+#include <ctime>
+
+#include <boost/regex.hpp>
+
+#include "common/errno.h"
+#include "common/Formatter.h"
+#include "common/ceph_json.h"
+#include "common/ceph_time.h"
+#include "rgw_rados.h"
+
+#include "include/types.h"
+#include "rgw_string.h"
+
+#include "rgw_common.h"
+#include "rgw_tools.h"
+#include "rgw_role.h"
+
+#define dout_subsys ceph_subsys_rgw
+
+using namespace std;
+
+const string RGWRole::role_name_oid_prefix = "role_names.";
+const string RGWRole::role_oid_prefix = "roles.";
+const string RGWRole::role_path_oid_prefix = "role_paths.";
+const string RGWRole::role_arn_prefix = "arn:aws:iam::";
+
+int RGWRole::store_info(bool exclusive)
+{
+ string oid = get_info_oid_prefix() + id;
+
+ bufferlist bl;
+ ::encode(*this, bl);
+ return rgw_put_system_obj(store, store->get_zone_params().roles_pool, oid,
+ bl.c_str(), bl.length(), exclusive, NULL, real_time(), NULL);
+}
+
+int RGWRole::store_name(bool exclusive)
+{
+ RGWNameToId nameToId;
+ nameToId.obj_id = id;
+
+ string oid = tenant + get_names_oid_prefix() + name;
+
+ bufferlist bl;
+ ::encode(nameToId, bl);
+ return rgw_put_system_obj(store, store->get_zone_params().roles_pool, oid,
+ bl.c_str(), bl.length(), exclusive, NULL, real_time(), NULL);
+}
+
+int RGWRole::store_path(bool exclusive)
+{
+ string oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id;
+
+ return rgw_put_system_obj(store, store->get_zone_params().roles_pool, oid,
+ NULL, 0, exclusive, NULL, real_time(), NULL);
+}
+
+int RGWRole::create(bool exclusive)
+{
+ int ret;
+
+ if (! validate_input()) {
+ return -EINVAL;
+ }
+
+ /* check to see the name is not used */
+ ret = read_id(name, tenant, id);
+ if (exclusive && ret == 0) {
+ ldout(cct, 0) << "ERROR: name " << name << " already in use for role id "
+ << id << dendl;
+ return -EEXIST;
+ } else if ( ret < 0 && ret != -ENOENT) {
+ ldout(cct, 0) << "failed reading role id " << id << ": "
+ << cpp_strerror(-ret) << dendl;
+ return ret;
+ }
+
+ /* create unique id */
+ uuid_d new_uuid;
+ char uuid_str[37];
+ new_uuid.generate_random();
+ new_uuid.print(uuid_str);
+ id = uuid_str;
+
+ //arn
+ arn = role_arn_prefix + tenant + ":role" + path + name;
+
+ // Creation time
+ real_clock::time_point t = real_clock::now();
+
+ struct timeval tv;
+ real_clock::to_timeval(t, tv);
+
+ char buf[30];
+ struct tm result;
+ gmtime_r(&tv.tv_sec, &result);
+ strftime(buf,30,"%Y-%m-%dT%H:%M:%S", &result);
+ sprintf(buf + strlen(buf),".%dZ",(int)tv.tv_usec/1000);
+ creation_date.assign(buf, strlen(buf));
+
+ auto& pool = store->get_zone_params().roles_pool;
+ ret = store_info(exclusive);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: storing role info in pool: " << pool.name << ": "
+ << id << ": " << cpp_strerror(-ret) << dendl;
+ return ret;
+ }
+
+ ret = store_name(exclusive);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: storing role name in pool: " << pool.name << ": "
+ << name << ": " << cpp_strerror(-ret) << dendl;
+
+ //Delete the role info that was stored in the previous call
+ string oid = get_info_oid_prefix() + id;
+ int info_ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (info_ret < 0) {
+ ldout(cct, 0) << "ERROR: cleanup of role id from pool: " << pool.name << ": "
+ << id << ": " << cpp_strerror(-info_ret) << dendl;
+ }
+ return ret;
+ }
+
+ ret = store_path(exclusive);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: storing role path in pool: " << pool.name << ": "
+ << path << ": " << cpp_strerror(-ret) << dendl;
+ //Delete the role info that was stored in the previous call
+ string oid = get_info_oid_prefix() + id;
+ int info_ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (info_ret < 0) {
+ ldout(cct, 0) << "ERROR: cleanup of role id from pool: " << pool.name << ": "
+ << id << ": " << cpp_strerror(-info_ret) << dendl;
+ }
+ //Delete role name that was stored in previous call
+ oid = tenant + get_names_oid_prefix() + name;
+ int name_ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (name_ret < 0) {
+ ldout(cct, 0) << "ERROR: cleanup of role name from pool: " << pool.name << ": "
+ << name << ": " << cpp_strerror(-name_ret) << dendl;
+ }
+ return ret;
+ }
+ return 0;
+}
+
+int RGWRole::delete_obj()
+{
+ auto& pool = store->get_zone_params().roles_pool;
+
+ int ret = read_name();
+ if (ret < 0) {
+ return ret;
+ }
+
+ ret = read_info();
+ if (ret < 0) {
+ return ret;
+ }
+
+ if (! perm_policy_map.empty()) {
+ return -ERR_DELETE_CONFLICT;
+ }
+
+ // Delete id
+ string oid = get_info_oid_prefix() + id;
+ ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: deleting role id from pool: " << pool.name << ": "
+ << id << ": " << cpp_strerror(-ret) << dendl;
+ }
+
+ // Delete name
+ oid = tenant + get_names_oid_prefix() + name;
+ ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: deleting role name from pool: " << pool.name << ": "
+ << name << ": " << cpp_strerror(-ret) << dendl;
+ }
+
+ // Delete path
+ oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id;
+ ret = rgw_delete_system_obj(store, pool, oid, NULL);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: deleting role path from pool: " << pool.name << ": "
+ << path << ": " << cpp_strerror(-ret) << dendl;
+ }
+ return ret;
+}
+
+int RGWRole::get()
+{
+ int ret = read_name();
+ if (ret < 0) {
+ return ret;
+ }
+
+ ret = read_info();
+ if (ret < 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int RGWRole::get_by_id()
+{
+ int ret = read_info();
+ if (ret < 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int RGWRole::update()
+{
+ auto& pool = store->get_zone_params().roles_pool;
+
+ int ret = store_info(false);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: storing info in pool: " << pool.name << ": "
+ << id << ": " << cpp_strerror(-ret) << dendl;
+ return ret;
+ }
+
+ return 0;
+}
+
+void RGWRole::set_perm_policy(const string& policy_name, const string& perm_policy)
+{
+ perm_policy_map[policy_name] = perm_policy;
+}
+
+vector<string> RGWRole::get_role_policy_names()
+{
+ vector<string> policy_names;
+ for (const auto& it : perm_policy_map)
+ {
+ policy_names.push_back(std::move(it.first));
+ }
+
+ return policy_names;
+}
+
+int RGWRole::get_role_policy(const string& policy_name, string& perm_policy)
+{
+ const auto it = perm_policy_map.find(policy_name);
+ if (it == perm_policy_map.end()) {
+ ldout(cct, 0) << "ERROR: Policy name: " << policy_name << " not found" << dendl;
+ return -EINVAL;
+ } else {
+ perm_policy = it->second;
+ }
+ return 0;
+}
+
+int RGWRole::delete_policy(const string& policy_name)
+{
+ const auto& it = perm_policy_map.find(policy_name);
+ if (it == perm_policy_map.end()) {
+ ldout(cct, 0) << "ERROR: Policy name: " << policy_name << " not found" << dendl;
+ return -ENOENT;
+ } else {
+ perm_policy_map.erase(it);
+ }
+ return 0;
+}
+
+void RGWRole::dump(Formatter *f) const
+{
+ encode_json("id", id , f);
+ encode_json("name", name , f);
+ encode_json("path", path, f);
+ encode_json("arn", arn, f);
+ encode_json("create_date", creation_date, f);
+ encode_json("assume_role_policy_document", trust_policy, f);
+}
+
+void RGWRole::decode_json(JSONObj *obj)
+{
+ JSONDecoder::decode_json("id", id, obj);
+ JSONDecoder::decode_json("name", name, obj);
+ JSONDecoder::decode_json("path", path, obj);
+ JSONDecoder::decode_json("arn", arn, obj);
+ JSONDecoder::decode_json("create_date", creation_date, obj);
+ JSONDecoder::decode_json("assume_role_policy_document", trust_policy, obj);
+}
+
+int RGWRole::read_id(const string& role_name, const string& tenant, string& role_id)
+{
+ auto& pool = store->get_zone_params().roles_pool;
+ string oid = tenant + get_names_oid_prefix() + role_name;
+ bufferlist bl;
+ RGWObjectCtx obj_ctx(store);
+
+ int ret = rgw_get_system_obj(store, obj_ctx, pool, oid, bl, NULL, NULL);
+ if (ret < 0) {
+ return ret;
+ }
+
+ RGWNameToId nameToId;
+ try {
+ bufferlist::iterator iter = bl.begin();
+ ::decode(nameToId, iter);
+ } catch (buffer::error& err) {
+ ldout(cct, 0) << "ERROR: failed to decode role from pool: " << pool.name << ": "
+ << role_name << dendl;
+ return -EIO;
+ }
+ role_id = nameToId.obj_id;
+ return 0;
+}
+
+int RGWRole::read_info()
+{
+ auto& pool = store->get_zone_params().roles_pool;
+ string oid = get_info_oid_prefix() + id;
+ bufferlist bl;
+ RGWObjectCtx obj_ctx(store);
+
+ int ret = rgw_get_system_obj(store, obj_ctx, pool, oid, bl, NULL, NULL);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: failed reading role info from pool: " << pool.name <<
+ ": " << id << ": " << cpp_strerror(-ret) << dendl;
+ return ret;
+ }
+
+ try {
+ bufferlist::iterator iter = bl.begin();
+ ::decode(*this, iter);
+ } catch (buffer::error& err) {
+ ldout(cct, 0) << "ERROR: failed to decode role info from pool: " << pool.name <<
+ ": " << id << dendl;
+ return -EIO;
+ }
+
+ return 0;
+}
+
+int RGWRole::read_name()
+{
+ auto& pool = store->get_zone_params().roles_pool;
+ string oid = tenant + get_names_oid_prefix() + name;
+ bufferlist bl;
+ RGWObjectCtx obj_ctx(store);
+
+ int ret = rgw_get_system_obj(store, obj_ctx, pool, oid, bl, NULL, NULL);
+ if (ret < 0) {
+ ldout(cct, 0) << "ERROR: failed reading role name from pool: " << pool.name << ": "
+ << name << ": " << cpp_strerror(-ret) << dendl;
+ return ret;
+ }
+
+ RGWNameToId nameToId;
+ try {
+ bufferlist::iterator iter = bl.begin();
+ ::decode(nameToId, iter);
+ } catch (buffer::error& err) {
+ ldout(cct, 0) << "ERROR: failed to decode role name from pool: " << pool.name << ": "
+ << name << dendl;
+ return -EIO;
+ }
+ id = nameToId.obj_id;
+ return 0;
+}
+
+bool RGWRole::validate_input()
+{
+ if (name.length() > MAX_ROLE_NAME_LEN) {
+ ldout(cct, 0) << "ERROR: Invalid name length " << dendl;
+ return false;
+ }
+
+ if (path.length() > MAX_PATH_NAME_LEN) {
+ ldout(cct, 0) << "ERROR: Invalid path length " << dendl;
+ return false;
+ }
+
+ boost::regex regex_name("[A-Za-z0-9:=,.@-]+");
+ if (! boost::regex_match(name, regex_name)) {
+ ldout(cct, 0) << "ERROR: Invalid chars in name " << dendl;
+ return false;
+ }
+
+ boost::regex regex_path("(/[!-~]+/)|(/)");
+ if (! boost::regex_match(path,regex_path)) {
+ ldout(cct, 0) << "ERROR: Invalid chars in path " << dendl;
+ return false;
+ }
+
+ return true;
+}
+
+void RGWRole::extract_name_tenant(const std::string& str)
+{
+ size_t pos = str.find('$');
+ if (pos != std::string::npos) {
+ tenant = str.substr(0, pos);
+ name = str.substr(pos + 1);
+ }
+}
+
+void RGWRole::update_trust_policy(string& trust_policy)
+{
+ this->trust_policy = trust_policy;
+}
+
+int RGWRole::get_roles_by_path_prefix(RGWRados *store,
+ CephContext *cct,
+ const string& path_prefix,
+ const string& tenant,
+ vector<RGWRole>& roles)
+{
+ auto pool = store->get_zone_params().roles_pool;
+ string prefix;
+
+ // List all roles if path prefix is empty
+ if (! path_prefix.empty()) {
+ prefix = tenant + role_path_oid_prefix + path_prefix;
+ } else {
+ prefix = tenant + role_path_oid_prefix;
+ }
+
+ //Get the filtered objects
+ list<string> result;
+ bool is_truncated;
+ RGWListRawObjsCtx ctx;
+ do {
+ list<string> oids;
+ int r = store->list_raw_objects(pool, prefix, 1000, ctx, oids, &is_truncated);
+ if (r < 0) {
+ ldout(cct, 0) << "ERROR: listing filtered objects failed: " << pool.name << ": "
+ << prefix << ": " << cpp_strerror(-r) << dendl;
+ return r;
+ }
+ for (const auto& iter : oids) {
+ result.push_back(iter.substr(role_path_oid_prefix.size()));
+ }
+ } while (is_truncated);
+
+ for (const auto& it : result) {
+ //Find the role oid prefix from the end
+ size_t pos = it.rfind(role_oid_prefix);
+ if (pos == string::npos) {
+ continue;
+ }
+ // Split the result into path and info_oid + id
+ string path = it.substr(0, pos);
+
+ /*Make sure that prefix is part of path (False results could've been returned)
+ because of the role info oid + id appended to the path)*/
+ if(path_prefix.empty() || path.find(path_prefix) != string::npos) {
+ //Get id from info oid prefix + id
+ string id = it.substr(pos + role_oid_prefix.length());
+
+ RGWRole role(cct, store);
+ role.set_id(id);
+ int ret = role.read_info();
+ if (ret < 0) {
+ return ret;
+ }
+ roles.push_back(std::move(role));
+ }
+ }
+
+ return 0;
+}
+
+const string& RGWRole::get_names_oid_prefix()
+{
+ return role_name_oid_prefix;
+}
+
+const string& RGWRole::get_info_oid_prefix()
+{
+ return role_oid_prefix;
+}
+
+const string& RGWRole::get_path_oid_prefix()
+{
+ return role_path_oid_prefix;
+}
Code Review / stor4nfv.git / blobdiff