Skip to content

Commit 45733eb

Browse files
StekPerepolnenStekPerepolnen
authored
oidc impersonation (#11449)
1 parent 6fc18f8 commit 45733eb

32 files changed

+931
-332
lines changed

ydb/mvp/oidc_proxy/context.cpp

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,7 @@
77
#include "oidc_settings.h"
88
#include "context.h"
99

10-
namespace NMVP {
11-
namespace NOIDC {
10+
namespace NMVP::NOIDC {
1211

1312
TContext::TContext(const TInitializer& initializer)
1413
: State(initializer.State)
@@ -94,5 +93,4 @@ TStringBuf TContext::GetRequestedUrl(const NHttp::THttpIncomingRequestPtr& reque
9493
return requestedUrl;
9594
}
9695

97-
} // NOIDC
98-
} // NMVP
96+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/context.h

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,7 @@ using THttpIncomingRequestPtr = TIntrusivePtr<THttpIncomingRequest>;
1010

1111
}
1212

13-
namespace NMVP {
14-
namespace NOIDC {
13+
namespace NMVP::NOIDC {
1514

1615
class TContext {
1716
public:
@@ -45,5 +44,4 @@ class TContext {
4544
TString GenerateCookie(const TString& key) const;
4645
};
4746

48-
} // NOIDC
49-
} // NMVP
47+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/mvp.cpp

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -28,8 +28,7 @@
2828

2929
NActors::IActor* CreateMemProfiler();
3030

31-
namespace NMVP {
32-
namespace NOIDC {
31+
namespace NMVP::NOIDC {
3332

3433
namespace {
3534

@@ -233,6 +232,7 @@ void TMVP::TryGetOidcOptionsFromConfig(const YAML::Node& config) {
233232
OpenIdConnectSettings.AuthUrlPath = oidc["auth_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_AUTH_URL_PATH);
234233
OpenIdConnectSettings.TokenUrlPath = oidc["token_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_TOKEN_URL_PATH);
235234
OpenIdConnectSettings.ExchangeUrlPath = oidc["exchange_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_EXCHANGE_URL_PATH);
235+
OpenIdConnectSettings.ImpersonateUrlPath = oidc["impersonate_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_IMPERSONATE_URL_PATH);
236236
Cout << "Started processing allowed_proxy_hosts..." << Endl;
237237
for (const std::string& host : oidc["allowed_proxy_hosts"].as<std::vector<std::string>>()) {
238238
Cout << host << " added to allowed_proxy_hosts" << Endl;
@@ -417,5 +417,4 @@ THolder<NActors::TActorSystemSetup> TMVP::BuildActorSystemSetup(int argc, char**
417417

418418
TAtomic TMVP::Quit = false;
419419

420-
} // NOIDC
421-
} // NMVP
420+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/mvp.h

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,7 @@
1212
#include <contrib/libs/yaml-cpp/include/yaml-cpp/yaml.h>
1313
#include "oidc_settings.h"
1414

15-
namespace NMVP {
16-
namespace NOIDC {
15+
namespace NMVP::NOIDC {
1716

1817
const TString& GetEServiceName(NActors::NLog::EComponent component);
1918

@@ -72,5 +71,4 @@ class TMVP {
7271
int Shutdown();
7372
};
7473

75-
} // namespace NOIDC
76-
} // namespace NMVP
74+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/oidc_client.cpp

Lines changed: 18 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,10 @@
11
#include "oidc_client.h"
22
#include "oidc_protected_page_handler.h"
33
#include "oidc_session_create_handler.h"
4+
#include "oidc_impersonate_start_page_nebius.h"
5+
#include "oidc_impersonate_stop_page_nebius.h"
46

5-
namespace NMVP {
6-
namespace NOIDC {
7+
namespace NMVP::NOIDC {
78

89
void InitOIDC(NActors::TActorSystem& actorSystem,
910
const NActors::TActorId& httpProxyId,
@@ -14,12 +15,25 @@ void InitOIDC(NActors::TActorSystem& actorSystem,
1415
)
1516
);
1617

18+
if (settings.AccessServiceType == NMvp::nebius_v1) {
19+
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
20+
"/impersonate/start",
21+
actorSystem.Register(new TImpersonateStartPageHandler(httpProxyId, settings))
22+
)
23+
);
24+
25+
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
26+
"/impersonate/stop",
27+
actorSystem.Register(new TImpersonateStopPageHandler(httpProxyId, settings))
28+
)
29+
);
30+
}
31+
1732
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
1833
"/",
1934
actorSystem.Register(new TProtectedPageHandler(httpProxyId, settings))
2035
)
2136
);
2237
}
2338

24-
} // NOIDC
25-
} // NMVP
39+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/oidc_client.h

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,10 @@ class TActorSystem;
55
struct TActorId;
66

77
} // NActors
8-
namespace NMVP {
9-
namespace NOIDC {
8+
namespace NMVP::NOIDC {
109

1110
struct TOpenIdConnectSettings;
1211

1312
void InitOIDC(NActors::TActorSystem& actorSystem, const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
1413

15-
} // NOIDC
16-
} // NMVP
14+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp

Lines changed: 143 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,143 @@
1+
#include <library/cpp/string_utils/base64/base64.h>
2+
#include <ydb/library/actors/http/http.h>
3+
#include <ydb/library/security/util.h>
4+
#include <ydb/mvp/core/mvp_log.h>
5+
#include <ydb/mvp/core/mvp_tokens.h>
6+
#include "openid_connect.h"
7+
#include "oidc_session_create.h"
8+
#include "oidc_impersonate_start_page_nebius.h"
9+
10+
namespace NMVP::NOIDC {
11+
12+
THandlerImpersonateStart::THandlerImpersonateStart(const NActors::TActorId& sender,
13+
const NHttp::THttpIncomingRequestPtr& request,
14+
const NActors::TActorId& httpProxyId,
15+
const TOpenIdConnectSettings& settings)
16+
: Sender(sender)
17+
, Request(request)
18+
, HttpProxyId(httpProxyId)
19+
, Settings(settings)
20+
{}
21+
22+
void THandlerImpersonateStart::Bootstrap() {
23+
BLOG_D("Start impersonation process");
24+
25+
NHttp::TUrlParameters urlParameters(Request->URL);
26+
TString serviceAccountId = urlParameters["service_account_id"];
27+
28+
NHttp::THeaders headers(Request->Headers);
29+
NHttp::TCookies cookies(headers.Get("Cookie"));
30+
31+
TStringBuf sessionCookieValue = GetCookie(cookies, CreateNameSessionCookie(Settings.ClientId));
32+
TString sessionToken = DecodeToken(sessionCookieValue);
33+
TStringBuf impersonatedCookieValue = GetCookie(cookies, CreateNameImpersonatedCookie(Settings.ClientId));
34+
35+
if (sessionToken.empty()) {
36+
return ReplyBadRequestAndPassAway("Wrong impersonate parameter: session cookie not found");
37+
}
38+
if (!impersonatedCookieValue.empty()) {
39+
return ReplyBadRequestAndPassAway("Wrong impersonate parameter: impersonated cookie already exists");
40+
}
41+
if (serviceAccountId.empty()) {
42+
return ReplyBadRequestAndPassAway("Wrong impersonate parameter: service_account_id not found");
43+
}
44+
45+
RequestImpersonatedToken(sessionToken, serviceAccountId);
46+
}
47+
48+
void THandlerImpersonateStart::RequestImpersonatedToken(TString& sessionToken, TString& serviceAccountId) {
49+
BLOG_D("Request impersonated token");
50+
NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
51+
httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
52+
53+
TMvpTokenator* tokenator = MVPAppData()->Tokenator;
54+
TString token = "";
55+
if (tokenator) {
56+
token = tokenator->GetToken(Settings.SessionServiceTokenName);
57+
}
58+
httpRequest->Set("Authorization", token); // Bearer included
59+
60+
TCgiParameters params;
61+
params.emplace("session", sessionToken);
62+
params.emplace("service_account_id", serviceAccountId);
63+
httpRequest->Set<&NHttp::THttpRequest::Body>(params());
64+
65+
Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
66+
Become(&THandlerImpersonateStart::StateWork);
67+
}
68+
69+
void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken) {
70+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
71+
TString impersonatedCookieValue = Base64Encode(impersonatedToken);
72+
BLOG_D("Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
73+
74+
NHttp::THeadersBuilder responseHeaders;
75+
responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
76+
SetCORS(Request, &responseHeaders);
77+
ReplyAndPassAway(Request->CreateResponse("200", "OK", responseHeaders));
78+
}
79+
80+
void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event) {
81+
if (event->Get()->Error.empty() && event->Get()->Response) {
82+
NHttp::THttpIncomingResponsePtr response = std::move(event->Get()->Response);
83+
BLOG_D("Incoming response from authorization server: " << response->Status);
84+
if (response->Status == "200") {
85+
TStringBuf errorMessage;
86+
NJson::TJsonValue jsonValue;
87+
NJson::TJsonReaderConfig jsonConfig;
88+
if (NJson::ReadJsonTree(response->Body, &jsonConfig, &jsonValue)) {
89+
const NJson::TJsonValue* jsonImpersonatedToken;
90+
if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
91+
TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
92+
ProcessImpersonatedToken(impersonatedToken);
93+
return;
94+
} else {
95+
errorMessage = "Wrong OIDC provider response: impersonated token not found";
96+
}
97+
} else {
98+
errorMessage = "Wrong OIDC response";
99+
}
100+
NHttp::THeadersBuilder responseHeaders;
101+
responseHeaders.Set("Content-Type", "text/plain");
102+
SetCORS(Request, &responseHeaders);
103+
return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage));
104+
} else {
105+
NHttp::THeadersBuilder responseHeaders;
106+
NHttp::THeaders headers(response->Headers);
107+
if (headers.Has("Content-Type")) {
108+
responseHeaders.Set("Content-Type", headers.Get("Content-Type"));
109+
}
110+
SetCORS(Request, &responseHeaders);
111+
return ReplyAndPassAway(Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body));
112+
}
113+
} else {
114+
NHttp::THeadersBuilder responseHeaders;
115+
responseHeaders.Set("Content-Type", "text/plain");
116+
SetCORS(Request, &responseHeaders);
117+
return ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error));
118+
}
119+
}
120+
121+
void THandlerImpersonateStart::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
122+
Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(std::move(httpResponse)));
123+
PassAway();
124+
}
125+
126+
void THandlerImpersonateStart::ReplyBadRequestAndPassAway(const TString& errorMessage) {
127+
NHttp::THeadersBuilder responseHeaders;
128+
responseHeaders.Set("Content-Type", "text/plain");
129+
SetCORS(Request, &responseHeaders);
130+
ReplyAndPassAway(Request->CreateResponse("400", "Bad Request", responseHeaders, errorMessage));
131+
}
132+
133+
TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
134+
: TBase(&TImpersonateStartPageHandler::StateWork)
135+
, HttpProxyId(httpProxyId)
136+
, Settings(settings)
137+
{}
138+
139+
void TImpersonateStartPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event) {
140+
Register(new THandlerImpersonateStart(event->Sender, event->Get()->Request, HttpProxyId, Settings));
141+
}
142+
143+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
#pragma once
2+
3+
#include "oidc_settings.h"
4+
#include "context.h"
5+
#include <ydb/library/actors/core/events.h>
6+
7+
namespace NMVP::NOIDC {
8+
9+
class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpersonateStart> {
10+
private:
11+
using TBase = NActors::TActorBootstrapped<THandlerImpersonateStart>;
12+
13+
protected:
14+
const NActors::TActorId Sender;
15+
const NHttp::THttpIncomingRequestPtr Request;
16+
const NActors::TActorId HttpProxyId;
17+
const TOpenIdConnectSettings Settings;
18+
19+
public:
20+
THandlerImpersonateStart(const NActors::TActorId& sender,
21+
const NHttp::THttpIncomingRequestPtr& request,
22+
const NActors::TActorId& httpProxyId,
23+
const TOpenIdConnectSettings& settings);
24+
void Bootstrap();
25+
void RequestImpersonatedToken(TString&, TString&);
26+
void ProcessImpersonatedToken(const TString& impersonatedToken);
27+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event);
28+
void ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse);
29+
void ReplyBadRequestAndPassAway(const TString& errorMessage);
30+
31+
STFUNC(StateWork) {
32+
switch (ev->GetTypeRewrite()) {
33+
hFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
34+
}
35+
}
36+
};
37+
38+
class TImpersonateStartPageHandler : public NActors::TActor<TImpersonateStartPageHandler> {
39+
using TBase = NActors::TActor<TImpersonateStartPageHandler>;
40+
41+
const NActors::TActorId HttpProxyId;
42+
const TOpenIdConnectSettings Settings;
43+
44+
public:
45+
TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
46+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event);
47+
48+
STFUNC(StateWork) {
49+
switch (ev->GetTypeRewrite()) {
50+
hFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
51+
cFunc(NActors::TEvents::TEvPoisonPill::EventType, PassAway);
52+
}
53+
}
54+
};
55+
56+
} // NMVP::NOIDC

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
#include "openid_connect.h"
2+
#include "oidc_session_create.h"
3+
#include "oidc_impersonate_stop_page_nebius.h"
4+
5+
namespace NMVP::NOIDC {
6+
7+
THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender,
8+
const NHttp::THttpIncomingRequestPtr& request,
9+
const NActors::TActorId& httpProxyId,
10+
const TOpenIdConnectSettings& settings)
11+
: Sender(sender)
12+
, Request(request)
13+
, HttpProxyId(httpProxyId)
14+
, Settings(settings)
15+
{}
16+
17+
void THandlerImpersonateStop::Bootstrap() {
18+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
19+
BLOG_D("Clear impersonated cookie: (" << impersonatedCookieName << ")");
20+
21+
NHttp::THeadersBuilder responseHeaders;
22+
responseHeaders.Set("Set-Cookie", ClearSecureCookie(impersonatedCookieName));
23+
SetCORS(Request, &responseHeaders);
24+
25+
ReplyAndPassAway(Request->CreateResponse("200", "OK", responseHeaders));
26+
}
27+
28+
void THandlerImpersonateStop::ReplyAndPassAway(NHttp::THttpOutgoingResponsePtr httpResponse) {
29+
Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(std::move(httpResponse)));
30+
PassAway();
31+
}
32+
33+
TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
34+
: TBase(&TImpersonateStopPageHandler::StateWork)
35+
, HttpProxyId(httpProxyId)
36+
, Settings(settings)
37+
{}
38+
39+
void TImpersonateStopPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event) {
40+
Register(new THandlerImpersonateStop(event->Sender, event->Get()->Request, HttpProxyId, Settings));
41+
}
42+
43+
} // NMVP::NOIDC

0 commit comments

Comments
 (0)