Skip to content

Commit 6964f88

Browse files
StekPerepolnenStekPerepolnen
committed
impersonate
1 parent 1f3ddfb commit 6964f88

12 files changed

+185
-101
lines changed

ydb/mvp/oidc_proxy/oidc_client.cpp

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
#include "oidc_client.h"
22
#include "oidc_protected_page_handler.h"
33
#include "oidc_session_create_handler.h"
4+
#include "oidc_impersonate_start_page_nebius.h"
5+
#include "oidc_impersonate_stop_page_nebius.h"
46

57
namespace NMVP {
68
namespace NOIDC {
@@ -16,13 +18,13 @@ void InitOIDC(NActors::TActorSystem& actorSystem,
1618

1719
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
1820
"/impersonate/start",
19-
actorSystem.Register(new THandlerImpersonateStart(httpProxyId, settings))
21+
actorSystem.Register(new TImpersonateStartPageHandler(httpProxyId, settings))
2022
)
2123
);
2224

2325
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
2426
"/impersonate/stop",
25-
actorSystem.Register(new THandlerImpersonateStop(httpProxyId, settings))
27+
actorSystem.Register(new TImpersonateStopPageHandler(httpProxyId, settings))
2628
)
2729
);
2830

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp

Lines changed: 80 additions & 72 deletions
Original file line numberDiff line numberDiff line change
@@ -1,63 +1,106 @@
11
#include <library/cpp/json/json_reader.h>
22
#include <library/cpp/string_utils/base64/base64.h>
33
#include <ydb/library/actors/http/http.h>
4+
#include <ydb/library/security/util.h>
45
#include <ydb/mvp/core/mvp_log.h>
6+
#include <ydb/mvp/core/mvp_tokens.h>
57
#include "openid_connect.h"
68
#include "oidc_session_create.h"
79
#include "oidc_settings.h"
10+
#include "oidc_impersonate_start_page_nebius.h"
811

912
namespace NMVP {
1013
namespace NOIDC {
1114

1215
THandlerImpersonateStart::THandlerImpersonateStart(const NActors::TActorId& sender,
13-
const NHttp::THttpIncomingRequestPtr& request,
14-
const NActors::TActorId& httpProxyId,
15-
const TOpenIdConnectSettings& settings)
16+
const NHttp::THttpIncomingRequestPtr& request,
17+
const NActors::TActorId& httpProxyId,
18+
const TOpenIdConnectSettings& settings)
1619
: Sender(sender)
1720
, Request(request)
1821
, HttpProxyId(httpProxyId)
1922
, Settings(settings)
2023
{}
2124

25+
TString THandlerImpersonateStart::DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx) {
26+
TString token;
27+
try {
28+
Base64StrictDecode(cookie, token);
29+
} catch (std::exception& e) {
30+
LOG_DEBUG_S(ctx, EService::MVP, "Base64Decode " << cookie << " cookie: " << e.what());
31+
token.clear();
32+
}
33+
return token;
34+
}
35+
2236
void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
2337
NHttp::TUrlParameters urlParameters(Request->URL);
2438
TString serviceAccountId = urlParameters["service_accound_id"];
2539

2640
NHttp::THeaders headers(Request->Headers);
2741
LOG_DEBUG_S(ctx, EService::MVP, "Start impersonation process");
2842
NHttp::TCookies cookies(headers.Get("Cookie"));
29-
TString sessionToken = DecodeToken(cookies, CreateNameSessionCookie(Settings.ClientId));
3043

31-
if (sessionToken && serviceAccountId) {
32-
RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
33-
} else {
44+
TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId);
45+
TStringBuf sessionCookieValue = cookies.Get(sessionCookieName);
46+
if (!sessionCookieValue.Empty()) {
47+
LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")");
48+
}
49+
50+
TString sessionToken = DecodeToken(sessionCookieValue, ctx);
51+
52+
TStringBuf jsonError;
53+
if (sessionToken.empty()) {
54+
jsonError = "Wrong impersonate parameter: session cookie not found";
55+
} else if (serviceAccountId.empty()) {
56+
jsonError = "Wrong impersonate parameter: account_id not found";
57+
}
58+
59+
if (jsonError) {
3460
NHttp::THeadersBuilder responseHeaders;
3561
responseHeaders.Set("Content-Type", "text/plain");
36-
httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error);
62+
NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, "Wrong impersonate parameter: access_token not found");
63+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
64+
Die(ctx);
65+
} else {
66+
RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
3767
}
3868
}
3969

40-
void THandlerImpersonateStart::RequestImpersonatedToken(const TString sessionToken, const TString serviceAccountId, const NActors::TActorContext& ctx) {
41-
LOG_DEBUG_S(ctx, EService::MVP, "Request impersonated token");
42-
NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetExchangeEndpointURL());
43-
httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
70+
void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
71+
// TMvpTokenator* tokenator = MVPAppData()->Tokenator;
72+
// TString token = "";
73+
// if (tokenator) {
74+
// token = tokenator->GetToken(Settings.SessionServiceTokenName);
75+
// }
76+
// httpRequest->Set("Authorization", token); // Bearer included
4477

45-
TMvpTokenator* tokenator = MVPAppData()->Tokenator;
46-
TString token = "";
47-
if (tokenator) {
48-
token = tokenator->GetToken(Settings.SessionServiceTokenName);
49-
}
50-
httpRequest->Set("Authorization", token); // Bearer included
78+
LOG_DEBUG_S(ctx, EService::MVP, "Request impersonated token");
5179
TStringBuilder body;
52-
body << "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
53-
<< "&requested_token_type=urn:ietf:params:oauth:token-type:access_token"
54-
<< "&subject_token_type=urn:ietf:params:oauth:token-type:session_token"
55-
<< "&subject_token=" << sessionToken;
80+
body << "session=" << sessionToken
81+
<< "&service_account_id=" << serviceAccountId;
82+
83+
NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
84+
httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
85+
httpRequest->Set("Authorization", Settings.GetAuthorizationString());
5686
httpRequest->Set<&NHttp::THttpRequest::Body>(body);
5787

5888
ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
89+
Become(&THandlerImpersonateStart::StateWork);
90+
}
5991

60-
Become(&THandlerSessionServiceCheckNebius::StateExchange);
92+
void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx) {
93+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
94+
TString impersonatedCookieValue = Base64Encode(impersonatedToken);
95+
LOG_DEBUG_S(ctx, EService::MVP, "Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
96+
97+
NHttp::THeadersBuilder responseHeaders;
98+
responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
99+
responseHeaders.Set("Location", Context.GetRequestedAddress());
100+
NHttp::THttpOutgoingResponsePtr httpResponse;
101+
httpResponse = Request->CreateResponse("302", "Cookie set", responseHeaders);
102+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
103+
Die(ctx);
61104
}
62105

63106
void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
@@ -70,13 +113,13 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
70113
NJson::TJsonValue jsonValue;
71114
NJson::TJsonReaderConfig jsonConfig;
72115
if (NJson::ReadJsonTree(response->Body, &jsonConfig, &jsonValue)) {
73-
const NJson::TJsonValue* jsonAccessToken;
74-
if (jsonValue.GetValuePointer("access_token", &jsonAccessToken)) {
75-
TString sessionToken = jsonAccessToken->GetStringRobust();
76-
ProcessSessionToken(sessionToken, ctx);
116+
const NJson::TJsonValue* jsonImpersonatedToken;
117+
if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
118+
TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
119+
ProcessImpersonatedToken(impersonatedToken, ctx);
77120
return;
78121
} else {
79-
jsonError = "Wrong OIDC provider response: access_token not found";
122+
jsonError = "Wrong OIDC provider response: impersonated token not found";
80123
}
81124
} else {
82125
jsonError = "Wrong OIDC response";
@@ -98,51 +141,16 @@ void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRespon
98141
Die(ctx);
99142
}
100143

101-
TString THandlerImpersonateStart::ChangeSameSiteFieldInSessionCookie(const TString& cookie) {
102-
const static TStringBuf SameSiteParameter {"SameSite=Lax"};
103-
size_t n = cookie.find(SameSiteParameter);
104-
if (n == TString::npos) {
105-
return cookie;
106-
}
107-
TStringBuilder cookieBuilder;
108-
cookieBuilder << cookie.substr(0, n);
109-
cookieBuilder << "SameSite=None";
110-
cookieBuilder << cookie.substr(n + SameSiteParameter.size());
111-
return cookieBuilder;
112-
}
113-
114-
void THandlerImpersonateStart::RetryRequestToProtectedResourceAndDie(const NActors::TActorContext& ctx) {
115-
NHttp::THeadersBuilder responseHeaders;
116-
RetryRequestToProtectedResourceAndDie(&responseHeaders, ctx);
117-
}
118-
119-
void THandlerImpersonateStart::RetryRequestToProtectedResourceAndDie(NHttp::THeadersBuilder* responseHeaders, const NActors::TActorContext& ctx) {
120-
SetCORS(Request, responseHeaders);
121-
responseHeaders->Set("Location", Context.GetRequestedAddress());
122-
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponse("302", "Found", *responseHeaders)));
123-
Die(ctx);
124-
}
144+
TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
145+
: TBase(&TImpersonateStartPageHandler::StateWork)
146+
, HttpProxyId(httpProxyId)
147+
, Settings(settings)
148+
{}
125149

126-
void THandlerImpersonateStart::SendUnknownErrorResponseAndDie(const NActors::TActorContext& ctx) {
127-
NHttp::THeadersBuilder responseHeaders;
128-
responseHeaders.Set("Content-Type", "text/html");
129-
SetCORS(Request, &responseHeaders);
130-
const static TStringBuf BAD_REQUEST_HTML_PAGE = "<html>"
131-
"<head>"
132-
"<title>"
133-
"400 Bad Request"
134-
"</title>"
135-
"</head>"
136-
"<body bgcolor=\"white\">"
137-
"<center>"
138-
"<h1>"
139-
"Unknown error has occurred. Please open the page again"
140-
"</h1>"
141-
"</center>"
142-
"</body>"
143-
"</html>";
144-
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponse("400", "Bad Request", responseHeaders, BAD_REQUEST_HTML_PAGE)));
145-
Die(ctx);
150+
void TImpersonateStartPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
151+
if (Settings.AccessServiceType == NMvp::nebius_v1) {
152+
ctx.Register(new THandlerImpersonateStart(event->Sender, event->Get()->Request, HttpProxyId, Settings));
153+
}
146154
}
147155

148156
} // NOIDC

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h

Lines changed: 27 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -24,24 +24,39 @@ class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpe
2424
TContext Context;
2525

2626
public:
27+
TString DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx);
2728
THandlerImpersonateStart(const NActors::TActorId& sender,
28-
const NHttp::THttpIncomingRequestPtr& request,
29-
const NActors::TActorId& httpProxyId,
30-
const TOpenIdConnectSettings& settings);
31-
32-
virtual void RequestSessionToken(const TString&, const NActors::TActorContext&) = 0;
33-
virtual void ProcessSessionToken(const TString& accessToken, const NActors::TActorContext&) = 0;
29+
const NHttp::THttpIncomingRequestPtr& request,
30+
const NActors::TActorId& httpProxyId,
31+
const TOpenIdConnectSettings& settings);
32+
void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
33+
void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
3434

3535
void Bootstrap(const NActors::TActorContext& ctx);
3636
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
3737

38-
protected:
39-
TString ChangeSameSiteFieldInSessionCookie(const TString& cookie);
40-
void RetryRequestToProtectedResourceAndDie(const NActors::TActorContext& ctx);
41-
void RetryRequestToProtectedResourceAndDie(NHttp::THeadersBuilder* responseHeaders, const NActors::TActorContext& ctx);
38+
STFUNC(StateWork) {
39+
switch (ev->GetTypeRewrite()) {
40+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
41+
}
42+
}
43+
};
4244

43-
private:
44-
void SendUnknownErrorResponseAndDie(const NActors::TActorContext& ctx);
45+
class TImpersonateStartPageHandler : public NActors::TActor<TImpersonateStartPageHandler> {
46+
using TBase = NActors::TActor<TImpersonateStartPageHandler>;
47+
48+
const NActors::TActorId HttpProxyId;
49+
const TOpenIdConnectSettings Settings;
50+
51+
public:
52+
TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
53+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
54+
55+
STFUNC(StateWork) {
56+
switch (ev->GetTypeRewrite()) {
57+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
58+
}
59+
}
4560
};
4661

4762
} // NOIDC

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,30 +5,46 @@
55
#include "openid_connect.h"
66
#include "oidc_session_create.h"
77
#include "oidc_settings.h"
8+
#include "oidc_impersonate_stop_page_nebius.h"
89

910
namespace NMVP {
1011
namespace NOIDC {
1112

12-
THandlerImpersonateStop::THandlerSessionCreate(const NActors::TActorId& sender,
13-
const NHttp::THttpIncomingRequestPtr& request,
14-
const NActors::TActorId& httpProxyId,
15-
const TOpenIdConnectSettings& settings)
13+
THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender,
14+
const NHttp::THttpIncomingRequestPtr& request,
15+
const NActors::TActorId& httpProxyId,
16+
const TOpenIdConnectSettings& settings)
1617
: Sender(sender)
1718
, Request(request)
1819
, HttpProxyId(httpProxyId)
1920
, Settings(settings)
2021
{}
2122

2223
void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
23-
NHttp::THeadersBuilder responseHeaders;responseHeaders
24+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
25+
LOG_DEBUG_S(ctx, EService::MVP, "Clear impersonated cookie: (" << impersonatedCookieName << ")");
26+
27+
NHttp::THeadersBuilder responseHeaders;
2428
SetCORS(Request, &responseHeaders);
25-
responseHeaders.Set("Set-Cookie", CreateSecureCookie(Settings.ClientId, sessionToken));
29+
responseHeaders.Set("Set-Cookie", ClearSecureCookie(impersonatedCookieName));
2630

2731
NHttp::THttpOutgoingResponsePtr httpResponse;
2832
httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
2933
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
3034
Die(ctx);
3135
}
3236

37+
TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
38+
: TBase(&TImpersonateStopPageHandler::StateWork)
39+
, HttpProxyId(httpProxyId)
40+
, Settings(settings)
41+
{}
42+
43+
void TImpersonateStopPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
44+
if (Settings.AccessServiceType == NMvp::nebius_v1) {
45+
ctx.Register(new THandlerImpersonateStop(event->Sender, event->Get()->Request, HttpProxyId, Settings));
46+
}
47+
}
48+
3349
} // NOIDC
3450
} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h

Lines changed: 20 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,12 +25,29 @@ class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImper
2525

2626
public:
2727
THandlerImpersonateStop(const NActors::TActorId& sender,
28-
const NHttp::THttpIncomingRequestPtr& request,
29-
const NActors::TActorId& httpProxyId,
30-
const TOpenIdConnectSettings& settings);
28+
const NHttp::THttpIncomingRequestPtr& request,
29+
const NActors::TActorId& httpProxyId,
30+
const TOpenIdConnectSettings& settings);
3131

3232
void Bootstrap(const NActors::TActorContext& ctx);
3333
};
3434

35+
class TImpersonateStopPageHandler : public NActors::TActor<TImpersonateStopPageHandler> {
36+
using TBase = NActors::TActor<TImpersonateStopPageHandler>;
37+
38+
const NActors::TActorId HttpProxyId;
39+
const TOpenIdConnectSettings Settings;
40+
41+
public:
42+
TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
43+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
44+
45+
STFUNC(StateWork) {
46+
switch (ev->GetTypeRewrite()) {
47+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
48+
}
49+
}
50+
};
51+
3552
} // NOIDC
3653
} // NMVP

0 commit comments

Comments
 (0)