Skip to content

Commit 72da77d

Browse files
StekPerepolnenStekPerepolnen
authored
Merge 09ddc18 into 071fc9a 
2 parents 071fc9a + 09ddc18 commit 72da77d

15 files changed

+626
-17
lines changed

ydb/mvp/oidc_proxy/mvp.cpp

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -233,6 +233,7 @@ void TMVP::TryGetOidcOptionsFromConfig(const YAML::Node& config) {
233233
OpenIdConnectSettings.AuthUrlPath = oidc["auth_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_AUTH_URL_PATH);
234234
OpenIdConnectSettings.TokenUrlPath = oidc["token_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_TOKEN_URL_PATH);
235235
OpenIdConnectSettings.ExchangeUrlPath = oidc["exchange_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_EXCHANGE_URL_PATH);
236+
OpenIdConnectSettings.ImpersonateUrlPath = oidc["impersonate_url_path"].as<std::string>(OpenIdConnectSettings.DEFAULT_IMPERSONATE_URL_PATH);
236237
Cout << "Started processing allowed_proxy_hosts..." << Endl;
237238
for (const std::string& host : oidc["allowed_proxy_hosts"].as<std::vector<std::string>>()) {
238239
Cout << host << " added to allowed_proxy_hosts" << Endl;

ydb/mvp/oidc_proxy/oidc_client.cpp

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
#include "oidc_client.h"
22
#include "oidc_protected_page_handler.h"
33
#include "oidc_session_create_handler.h"
4+
#include "oidc_impersonate_start_page_nebius.h"
5+
#include "oidc_impersonate_stop_page_nebius.h"
46

57
namespace NMVP {
68
namespace NOIDC {
@@ -14,6 +16,20 @@ void InitOIDC(NActors::TActorSystem& actorSystem,
1416
)
1517
);
1618

19+
if (settings.AccessServiceType == NMvp::nebius_v1) {
20+
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
21+
"/impersonate/start",
22+
actorSystem.Register(new TImpersonateStartPageHandler(httpProxyId, settings))
23+
)
24+
);
25+
26+
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
27+
"/impersonate/stop",
28+
actorSystem.Register(new TImpersonateStopPageHandler(httpProxyId, settings))
29+
)
30+
);
31+
}
32+
1733
actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
1834
"/",
1935
actorSystem.Register(new TProtectedPageHandler(httpProxyId, settings))

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp

Lines changed: 153 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,153 @@
1+
#include <library/cpp/json/json_reader.h>
2+
#include <library/cpp/string_utils/base64/base64.h>
3+
#include <ydb/library/actors/http/http.h>
4+
#include <ydb/library/security/util.h>
5+
#include <ydb/mvp/core/mvp_log.h>
6+
#include <ydb/mvp/core/mvp_tokens.h>
7+
#include "openid_connect.h"
8+
#include "oidc_session_create.h"
9+
#include "oidc_settings.h"
10+
#include "oidc_impersonate_start_page_nebius.h"
11+
12+
namespace NMVP {
13+
namespace NOIDC {
14+
15+
THandlerImpersonateStart::THandlerImpersonateStart(const NActors::TActorId& sender,
16+
const NHttp::THttpIncomingRequestPtr& request,
17+
const NActors::TActorId& httpProxyId,
18+
const TOpenIdConnectSettings& settings)
19+
: Sender(sender)
20+
, Request(request)
21+
, HttpProxyId(httpProxyId)
22+
, Settings(settings)
23+
{}
24+
25+
TString THandlerImpersonateStart::DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx) {
26+
TString token;
27+
try {
28+
Base64StrictDecode(cookie, token);
29+
} catch (std::exception& e) {
30+
LOG_DEBUG_S(ctx, EService::MVP, "Base64Decode " << cookie << " cookie: " << e.what());
31+
token.clear();
32+
}
33+
return token;
34+
}
35+
36+
void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
37+
LOG_DEBUG_S(ctx, EService::MVP, "Start impersonation process");
38+
NHttp::TUrlParameters urlParameters(Request->URL);
39+
TString serviceAccountId = urlParameters["service_account_id"];
40+
41+
NHttp::THeaders headers(Request->Headers);
42+
NHttp::TCookies cookies(headers.Get("Cookie"));
43+
44+
TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId);
45+
TStringBuf sessionCookieValue = cookies.Get(sessionCookieName);
46+
if (!sessionCookieValue.Empty()) {
47+
LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")");
48+
}
49+
50+
TString sessionToken = DecodeToken(sessionCookieValue, ctx);
51+
52+
TString jsonError;
53+
if (sessionToken.empty()) {
54+
jsonError = "Wrong impersonate parameter: session cookie not found";
55+
} else if (serviceAccountId.empty()) {
56+
jsonError = "Wrong impersonate parameter: account_id not found";
57+
}
58+
59+
if (jsonError) {
60+
NHttp::THeadersBuilder responseHeaders;
61+
responseHeaders.Set("Content-Type", "text/plain");
62+
NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, jsonError);
63+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
64+
Die(ctx);
65+
} else {
66+
RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
67+
}
68+
}
69+
70+
void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
71+
LOG_DEBUG_S(ctx, EService::MVP, "Request impersonated token");
72+
NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
73+
httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
74+
75+
TMvpTokenator* tokenator = MVPAppData()->Tokenator;
76+
TString token = "";
77+
if (tokenator) {
78+
token = tokenator->GetToken(Settings.SessionServiceTokenName);
79+
}
80+
httpRequest->Set("Authorization", token); // Bearer included
81+
82+
TStringBuilder body;
83+
body << "session=" << sessionToken
84+
<< "&service_account_id=" << serviceAccountId;
85+
httpRequest->Set<&NHttp::THttpRequest::Body>(body);
86+
87+
ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
88+
Become(&THandlerImpersonateStart::StateWork);
89+
}
90+
91+
void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx) {
92+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
93+
TString impersonatedCookieValue = Base64Encode(impersonatedToken);
94+
LOG_DEBUG_S(ctx, EService::MVP, "Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
95+
96+
NHttp::THeadersBuilder responseHeaders;
97+
responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
98+
NHttp::THttpOutgoingResponsePtr httpResponse;
99+
httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
100+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
101+
Die(ctx);
102+
}
103+
104+
void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
105+
NHttp::THttpOutgoingResponsePtr httpResponse;
106+
if (event->Get()->Error.empty() && event->Get()->Response) {
107+
NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
108+
LOG_DEBUG_S(ctx, EService::MVP, "Incoming response from authorization server: " << response->Status);
109+
if (response->Status == "200") {
110+
TStringBuf jsonError;
111+
NJson::TJsonValue jsonValue;
112+
NJson::TJsonReaderConfig jsonConfig;
113+
if (NJson::ReadJsonTree(response->Body, &jsonConfig, &jsonValue)) {
114+
const NJson::TJsonValue* jsonImpersonatedToken;
115+
if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
116+
TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
117+
ProcessImpersonatedToken(impersonatedToken, ctx);
118+
return;
119+
} else {
120+
jsonError = "Wrong OIDC provider response: impersonated token not found";
121+
}
122+
} else {
123+
jsonError = "Wrong OIDC response";
124+
}
125+
NHttp::THeadersBuilder responseHeaders;
126+
responseHeaders.Set("Content-Type", "text/plain");
127+
httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, jsonError);
128+
} else {
129+
NHttp::THeadersBuilder responseHeaders;
130+
responseHeaders.Parse(response->Headers);
131+
httpResponse = Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body);
132+
}
133+
} else {
134+
NHttp::THeadersBuilder responseHeaders;
135+
responseHeaders.Set("Content-Type", "text/plain");
136+
httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error);
137+
}
138+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
139+
Die(ctx);
140+
}
141+
142+
TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
143+
: TBase(&TImpersonateStartPageHandler::StateWork)
144+
, HttpProxyId(httpProxyId)
145+
, Settings(settings)
146+
{}
147+
148+
void TImpersonateStartPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
149+
ctx.Register(new THandlerImpersonateStart(event->Sender, event->Get()->Request, HttpProxyId, Settings));
150+
}
151+
152+
} // NOIDC
153+
} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
#pragma once
2+
3+
#include <util/generic/string.h>
4+
#include <util/generic/strbuf.h>
5+
#include <ydb/library/actors/core/actor_bootstrapped.h>
6+
#include <ydb/library/actors/core/actorid.h>
7+
#include <ydb/library/actors/http/http.h>
8+
#include <ydb/library/actors/http/http_proxy.h>
9+
#include "oidc_settings.h"
10+
#include "context.h"
11+
12+
namespace NMVP {
13+
namespace NOIDC {
14+
15+
class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpersonateStart> {
16+
private:
17+
using TBase = NActors::TActorBootstrapped<THandlerImpersonateStart>;
18+
19+
protected:
20+
const NActors::TActorId Sender;
21+
const NHttp::THttpIncomingRequestPtr Request;
22+
NActors::TActorId HttpProxyId;
23+
const TOpenIdConnectSettings Settings;
24+
TContext Context;
25+
26+
public:
27+
TString DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx);
28+
THandlerImpersonateStart(const NActors::TActorId& sender,
29+
const NHttp::THttpIncomingRequestPtr& request,
30+
const NActors::TActorId& httpProxyId,
31+
const TOpenIdConnectSettings& settings);
32+
void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
33+
void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
34+
35+
void Bootstrap(const NActors::TActorContext& ctx);
36+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
37+
38+
STFUNC(StateWork) {
39+
switch (ev->GetTypeRewrite()) {
40+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
41+
}
42+
}
43+
};
44+
45+
class TImpersonateStartPageHandler : public NActors::TActor<TImpersonateStartPageHandler> {
46+
using TBase = NActors::TActor<TImpersonateStartPageHandler>;
47+
48+
const NActors::TActorId HttpProxyId;
49+
const TOpenIdConnectSettings Settings;
50+
51+
public:
52+
TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
53+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
54+
55+
STFUNC(StateWork) {
56+
switch (ev->GetTypeRewrite()) {
57+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
58+
}
59+
}
60+
};
61+
62+
} // NOIDC
63+
} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
#include <library/cpp/json/json_reader.h>
2+
#include <library/cpp/string_utils/base64/base64.h>
3+
#include <ydb/library/actors/http/http.h>
4+
#include <ydb/mvp/core/mvp_log.h>
5+
#include "openid_connect.h"
6+
#include "oidc_session_create.h"
7+
#include "oidc_settings.h"
8+
#include "oidc_impersonate_stop_page_nebius.h"
9+
10+
namespace NMVP {
11+
namespace NOIDC {
12+
13+
THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender,
14+
const NHttp::THttpIncomingRequestPtr& request,
15+
const NActors::TActorId& httpProxyId,
16+
const TOpenIdConnectSettings& settings)
17+
: Sender(sender)
18+
, Request(request)
19+
, HttpProxyId(httpProxyId)
20+
, Settings(settings)
21+
{}
22+
23+
void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
24+
TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
25+
LOG_DEBUG_S(ctx, EService::MVP, "Clear impersonated cookie: (" << impersonatedCookieName << ")");
26+
27+
NHttp::THeadersBuilder responseHeaders;
28+
SetCORS(Request, &responseHeaders);
29+
responseHeaders.Set("Set-Cookie", ClearSecureCookie(impersonatedCookieName));
30+
31+
NHttp::THttpOutgoingResponsePtr httpResponse;
32+
httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
33+
ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
34+
Die(ctx);
35+
}
36+
37+
TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
38+
: TBase(&TImpersonateStopPageHandler::StateWork)
39+
, HttpProxyId(httpProxyId)
40+
, Settings(settings)
41+
{}
42+
43+
void TImpersonateStopPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
44+
ctx.Register(new THandlerImpersonateStop(event->Sender, event->Get()->Request, HttpProxyId, Settings));
45+
}
46+
47+
} // NOIDC
48+
} // NMVP

ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h

Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
#pragma once
2+
3+
#include <util/generic/string.h>
4+
#include <util/generic/strbuf.h>
5+
#include <ydb/library/actors/core/actor_bootstrapped.h>
6+
#include <ydb/library/actors/core/actorid.h>
7+
#include <ydb/library/actors/http/http.h>
8+
#include <ydb/library/actors/http/http_proxy.h>
9+
#include "oidc_settings.h"
10+
#include "context.h"
11+
12+
namespace NMVP {
13+
namespace NOIDC {
14+
15+
class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImpersonateStop> {
16+
private:
17+
using TBase = NActors::TActorBootstrapped<THandlerImpersonateStop>;
18+
19+
protected:
20+
const NActors::TActorId Sender;
21+
const NHttp::THttpIncomingRequestPtr Request;
22+
NActors::TActorId HttpProxyId;
23+
const TOpenIdConnectSettings Settings;
24+
TContext Context;
25+
26+
public:
27+
THandlerImpersonateStop(const NActors::TActorId& sender,
28+
const NHttp::THttpIncomingRequestPtr& request,
29+
const NActors::TActorId& httpProxyId,
30+
const TOpenIdConnectSettings& settings);
31+
32+
void Bootstrap(const NActors::TActorContext& ctx);
33+
};
34+
35+
class TImpersonateStopPageHandler : public NActors::TActor<TImpersonateStopPageHandler> {
36+
using TBase = NActors::TActor<TImpersonateStopPageHandler>;
37+
38+
const NActors::TActorId HttpProxyId;
39+
const TOpenIdConnectSettings Settings;
40+
41+
public:
42+
TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
43+
void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
44+
45+
STFUNC(StateWork) {
46+
switch (ev->GetTypeRewrite()) {
47+
HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
48+
}
49+
}
50+
};
51+
52+
} // NOIDC
53+
} // NMVP

0 commit comments

Comments
 (0)