impersonate

Author: StekPerepolnen

ydb/mvp/oidc_proxy/oidc_client.cpp

@@ -14,6 +14,18 @@ void InitOIDC(NActors::TActorSystem& actorSystem,
                          )
                      );
 
+    actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
+                         "/impersonate/start",
+                         actorSystem.Register(new THandlerImpersonateStart(httpProxyId, settings))
+                         )
+                     );
+
+    actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
+                         "/impersonate/stop",
+                         actorSystem.Register(new THandlerImpersonateStop(httpProxyId, settings))
+                         )
+                     );
+
     actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
                         "/",
                         actorSystem.Register(new TProtectedPageHandler(httpProxyId, settings))

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp

@@ -0,0 +1,149 @@
+#include <library/cpp/json/json_reader.h>
+#include <library/cpp/string_utils/base64/base64.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/mvp/core/mvp_log.h>
+#include "openid_connect.h"
+#include "oidc_session_create.h"
+#include "oidc_settings.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+THandlerImpersonateStart::THandlerImpersonateStart(const NActors::TActorId& sender,
+                                             const NHttp::THttpIncomingRequestPtr& request,
+                                             const NActors::TActorId& httpProxyId,
+                                             const TOpenIdConnectSettings& settings)
+    : Sender(sender)
+    , Request(request)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
+    NHttp::TUrlParameters urlParameters(Request->URL);
+    TString serviceAccountId = urlParameters["service_accound_id"];
+
+    NHttp::THeaders headers(Request->Headers);
+    LOG_DEBUG_S(ctx, EService::MVP, "Start impersonation process");
+    NHttp::TCookies cookies(headers.Get("Cookie"));
+    TString sessionToken = DecodeToken(cookies, CreateNameSessionCookie(Settings.ClientId));
+
+    if (sessionToken && serviceAccountId) {
+        RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
+    } else {
+        NHttp::THeadersBuilder responseHeaders;
+        responseHeaders.Set("Content-Type", "text/plain");
+        httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error);
+    }
+}
+
+void THandlerImpersonateStart::RequestImpersonatedToken(const TString sessionToken, const TString serviceAccountId, const NActors::TActorContext& ctx) {
+    LOG_DEBUG_S(ctx, EService::MVP, "Request impersonated token");
+    NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetExchangeEndpointURL());
+    httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
+
+    TMvpTokenator* tokenator = MVPAppData()->Tokenator;
+    TString token = "";
+    if (tokenator) {
+        token = tokenator->GetToken(Settings.SessionServiceTokenName);
+    }
+    httpRequest->Set("Authorization", token); // Bearer included
+    TStringBuilder body;
+    body << "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
+            << "&requested_token_type=urn:ietf:params:oauth:token-type:access_token"
+            << "&subject_token_type=urn:ietf:params:oauth:token-type:session_token"
+            << "&subject_token=" << sessionToken;
+    httpRequest->Set<&NHttp::THttpRequest::Body>(body);
+
+    ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
+
+    Become(&THandlerSessionServiceCheckNebius::StateExchange);
+}
+
+void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+    NHttp::THttpOutgoingResponsePtr httpResponse;
+    if (event->Get()->Error.empty() && event->Get()->Response) {
+        NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
+        LOG_DEBUG_S(ctx, EService::MVP, "Incoming response from authorization server: " << response->Status);
+        if (response->Status == "200") {
+            TStringBuf jsonError;
+            NJson::TJsonValue jsonValue;
+            NJson::TJsonReaderConfig jsonConfig;
+            if (NJson::ReadJsonTree(response->Body, &jsonConfig, &jsonValue)) {
+                const NJson::TJsonValue* jsonAccessToken;
+                if (jsonValue.GetValuePointer("access_token", &jsonAccessToken)) {
+                    TString sessionToken = jsonAccessToken->GetStringRobust();
+                    ProcessSessionToken(sessionToken, ctx);
+                    return;
+                } else {
+                    jsonError = "Wrong OIDC provider response: access_token not found";
+                }
+            } else {
+                jsonError =  "Wrong OIDC response";
+            }
+            NHttp::THeadersBuilder responseHeaders;
+            responseHeaders.Set("Content-Type", "text/plain");
+            httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, jsonError);
+        } else {
+            NHttp::THeadersBuilder responseHeaders;
+            responseHeaders.Parse(response->Headers);
+            httpResponse = Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body);
+        }
+    } else {
+        NHttp::THeadersBuilder responseHeaders;
+        responseHeaders.Set("Content-Type", "text/plain");
+        httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error);
+    }
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    Die(ctx);
+}
+
+TString THandlerImpersonateStart::ChangeSameSiteFieldInSessionCookie(const TString& cookie) {
+    const static TStringBuf SameSiteParameter {"SameSite=Lax"};
+    size_t n = cookie.find(SameSiteParameter);
+    if (n == TString::npos) {
+        return cookie;
+    }
+    TStringBuilder cookieBuilder;
+    cookieBuilder << cookie.substr(0, n);
+    cookieBuilder << "SameSite=None";
+    cookieBuilder << cookie.substr(n + SameSiteParameter.size());
+    return cookieBuilder;
+}
+
+void THandlerImpersonateStart::RetryRequestToProtectedResourceAndDie(const NActors::TActorContext& ctx) {
+    NHttp::THeadersBuilder responseHeaders;
+    RetryRequestToProtectedResourceAndDie(&responseHeaders, ctx);
+}
+
+void THandlerImpersonateStart::RetryRequestToProtectedResourceAndDie(NHttp::THeadersBuilder* responseHeaders, const NActors::TActorContext& ctx) {
+    SetCORS(Request, responseHeaders);
+    responseHeaders->Set("Location", Context.GetRequestedAddress());
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponse("302", "Found", *responseHeaders)));
+    Die(ctx);
+}
+
+void THandlerImpersonateStart::SendUnknownErrorResponseAndDie(const NActors::TActorContext& ctx) {
+    NHttp::THeadersBuilder responseHeaders;
+    responseHeaders.Set("Content-Type", "text/html");
+    SetCORS(Request, &responseHeaders);
+    const static TStringBuf BAD_REQUEST_HTML_PAGE = "<html>"
+                                                        "<head>"
+                                                            "<title>"
+                                                                "400 Bad Request"
+                                                            "</title>"
+                                                        "</head>"
+                                                        "<body bgcolor=\"white\">"
+                                                            "<center>"
+                                                                "<h1>"
+                                                                    "Unknown error has occurred. Please open the page again"
+                                                                "</h1>"
+                                                            "</center>"
+                                                        "</body>"
+                                                    "</html>";
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponse("400", "Bad Request", responseHeaders, BAD_REQUEST_HTML_PAGE)));
+    Die(ctx);
+}
+
+} // NOIDC
+} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h

@@ -0,0 +1,48 @@
+#pragma once
+
+#include <util/generic/string.h>
+#include <util/generic/strbuf.h>
+#include <ydb/library/actors/core/actor_bootstrapped.h>
+#include <ydb/library/actors/core/actorid.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/library/actors/http/http_proxy.h>
+#include "oidc_settings.h"
+#include "context.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpersonateStart> {
+private:
+    using TBase = NActors::TActorBootstrapped<THandlerImpersonateStart>;
+
+protected:
+    const NActors::TActorId Sender;
+    const NHttp::THttpIncomingRequestPtr Request;
+    NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+    TContext Context;
+
+public:
+    THandlerImpersonateStart(const NActors::TActorId& sender,
+                          const NHttp::THttpIncomingRequestPtr& request,
+                          const NActors::TActorId& httpProxyId,
+                          const TOpenIdConnectSettings& settings);
+
+    virtual void RequestSessionToken(const TString&, const NActors::TActorContext&) = 0;
+    virtual void ProcessSessionToken(const TString& accessToken, const NActors::TActorContext&) = 0;
+
+    void Bootstrap(const NActors::TActorContext& ctx);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
+
+protected:
+    TString ChangeSameSiteFieldInSessionCookie(const TString& cookie);
+    void RetryRequestToProtectedResourceAndDie(const NActors::TActorContext& ctx);
+    void RetryRequestToProtectedResourceAndDie(NHttp::THeadersBuilder* responseHeaders, const NActors::TActorContext& ctx);
+
+private:
+    void SendUnknownErrorResponseAndDie(const NActors::TActorContext& ctx);
+};
+
+}  // NOIDC
+}  // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp

@@ -0,0 +1,34 @@
+#include <library/cpp/json/json_reader.h>
+#include <library/cpp/string_utils/base64/base64.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/mvp/core/mvp_log.h>
+#include "openid_connect.h"
+#include "oidc_session_create.h"
+#include "oidc_settings.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+THandlerImpersonateStop::THandlerSessionCreate(const NActors::TActorId& sender,
+                                             const NHttp::THttpIncomingRequestPtr& request,
+                                             const NActors::TActorId& httpProxyId,
+                                             const TOpenIdConnectSettings& settings)
+    : Sender(sender)
+    , Request(request)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
+    NHttp::THeadersBuilder responseHeaders;responseHeaders
+    SetCORS(Request, &responseHeaders);
+    responseHeaders.Set("Set-Cookie", CreateSecureCookie(Settings.ClientId, sessionToken));
+
+    NHttp::THttpOutgoingResponsePtr httpResponse;
+    httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    Die(ctx);
+}
+
+} // NOIDC
+} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h

@@ -0,0 +1,36 @@
+#pragma once
+
+#include <util/generic/string.h>
+#include <util/generic/strbuf.h>
+#include <ydb/library/actors/core/actor_bootstrapped.h>
+#include <ydb/library/actors/core/actorid.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/library/actors/http/http_proxy.h>
+#include "oidc_settings.h"
+#include "context.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImpersonateStop> {
+private:
+    using TBase = NActors::TActorBootstrapped<THandlerImpersonateStop>;
+
+protected:
+    const NActors::TActorId Sender;
+    const NHttp::THttpIncomingRequestPtr Request;
+    NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+    TContext Context;
+
+public:
+    THandlerImpersonateStop(const NActors::TActorId& sender,
+                          const NHttp::THttpIncomingRequestPtr& request,
+                          const NActors::TActorId& httpProxyId,
+                          const TOpenIdConnectSettings& settings);
+
+    void Bootstrap(const NActors::TActorContext& ctx);
+};
+
+}  // NOIDC
+}  // NMVP

ydb/mvp/oidc_proxy/oidc_protected_page_nebius.cpp

@@ -19,6 +19,17 @@ THandlerSessionServiceCheckNebius::THandlerSessionServiceCheckNebius(const NActo
     : THandlerSessionServiceCheck(sender, request, httpProxyId, settings)
 {}
 
+TString DecodeToken(NHttp::TCookies& cookies, const TString& name) {
+    TString token;
+    try {
+        Base64StrictDecode(cookies.Get(name), value);
+    } catch (std::exception& e) {
+        LOG_DEBUG("Base64Decode " << name << " cookie: " << e.what());
+        token.clear();
+    }
+    return token;
+}
+
 void THandlerSessionServiceCheckNebius::StartOidcProcess(const NActors::TActorContext& ctx) {
     NHttp::THeaders headers(Request->Headers);
     LOG_DEBUG_S(ctx, EService::MVP, "Start OIDC process");
@@ -30,18 +41,15 @@ void THandlerSessionServiceCheckNebius::StartOidcProcess(const NActors::TActorCo
         LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")");
     }
 
-
-    TString sessionToken;
-    try {
-        Base64StrictDecode(sessionCookieValue, sessionToken);
-    } catch (std::exception& e) {
-        LOG_DEBUG_S(ctx, EService::MVP, "Base64Decode session cookie: " << e.what());
-        sessionToken.clear();
-    }
-
+    TString sessionToken = DecodeToken(cookies, CreateNameSessionCookie(Settings.ClientId));
     if (sessionToken) {
-        ExchangeSessionToken(sessionToken, ctx);
-    } else {
+        TString impersonatedToken = DecodeToken(cookies, CreateNameImpersonatedCookie(Settings.ClientId));
+        if (impersonatedToken) {
+            ExchangeImpersonatedToken(impersonatedToken, sessionToken, ctx);
+        } else {
+            ExchangeSessionToken(sessionToken, ctx);
+        }
+    } else{
         RequestAuthorizationCode(ctx);
     }
 }
@@ -105,6 +113,31 @@ void THandlerSessionServiceCheckNebius::ExchangeSessionToken(const TString sessi
     Become(&THandlerSessionServiceCheckNebius::StateExchange);
 }
 
+void THandlerSessionServiceCheckNebius::ExchangeImpersonatedToken(const TString sessionToken, const TString impersonatedToken, const NActors::TActorContext& ctx) {
+    LOG_DEBUG_S(ctx, EService::MVP, "Exchange session token");
+    NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetExchangeEndpointURL());
+    httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
+
+    TMvpTokenator* tokenator = MVPAppData()->Tokenator;
+    TString token = "";
+    if (tokenator) {
+        token = tokenator->GetToken(Settings.SessionServiceTokenName);
+    }
+    httpRequest->Set("Authorization", token); // Bearer included
+    TStringBuilder body;
+    body << "grant_type=urn:ietf:params:oauth:grant-type:impersonation"
+            << "&requested_token_type=urn:ietf:params:oauth:token-type:access_token"
+            << "&subject_token_type=urn:ietf:params:oauth:token-type:jwt"
+            << "&subject_token=" << impersonatedToken
+            << "&actor_token=" << sessionToken
+            << "&actor_token_type=urn:ietf:params:oauth:token-type:session_token";
+    httpRequest->Set<&NHttp::THttpRequest::Body>(body);
+
+    ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
+
+    Become(&THandlerSessionServiceCheckNebius::StateExchange);
+}
+
 void THandlerSessionServiceCheckNebius::RequestAuthorizationCode(const NActors::TActorContext& ctx) {
     LOG_DEBUG_S(ctx, EService::MVP, "Request authorization code");
     NHttp::THttpOutgoingResponsePtr httpResponse = GetHttpOutgoingResponsePtr(Request, Settings);

ydb/mvp/oidc_proxy/oidc_session_create.cpp

@@ -56,7 +56,6 @@ void THandlerSessionCreate::Bootstrap(const NActors::TActorContext& ctx) {
             SendUnknownErrorResponseAndDie(ctx);
         }
     }
-
 }
 
 void THandlerSessionCreate::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {

ydb/mvp/oidc_proxy/oidc_settings.h

@@ -9,6 +9,7 @@ namespace NOIDC {
 struct TOpenIdConnectSettings {
     static const inline TString YDB_OIDC_COOKIE = "ydb_oidc_cookie";
     static const inline TString SESSION_COOKIE = "session_cookie";
+    static const inline TString IMPERSONATED_COOKIE = "impersonated_cookie";
 
     static const inline TString DEFAULT_CLIENT_ID = "yc.oauth.ydb-viewer";
     static const inline TString DEFAULT_AUTH_URL_PATH = "/oauth/authorize";

ydb/mvp/oidc_proxy/openid_connect.cpp

@@ -111,6 +111,10 @@ TString CreateNameSessionCookie(TStringBuf key) {
     return "__Host_" + TOpenIdConnectSettings::SESSION_COOKIE + "_" + HexEncode(key);
 }
 
+TString CreateNameImpersonatedCookie(TStringBuf key) {
+    return "__Host_" + TOpenIdConnectSettings::IMPERSONATED_COOKIE + "_" + HexEncode(key);
+}
+
 const TString& GetAuthCallbackUrl() {
     static const TString callbackUrl = "/auth/callback";
     return callbackUrl;