Merge 7d5bcd2 into e2103f9

ydb-platform · Nov 11, 2024 · ecfceac · ecfceac
2 parents e2103f9 + 7d5bcd2
commit ecfceac
Show file tree

Hide file tree

Showing 13 changed files with 411 additions and 11 deletions.
diff --git a/ydb/mvp/oidc_proxy/oidc_client.cpp b/ydb/mvp/oidc_proxy/oidc_client.cpp
@@ -1,6 +1,8 @@
 #include "oidc_client.h"
 #include "oidc_protected_page_handler.h"
 #include "oidc_session_create_handler.h"
+#include "oidc_impersonate_start_page_nebius.h"
+#include "oidc_impersonate_stop_page_nebius.h"
 
 namespace NMVP {
 namespace NOIDC {
@@ -14,6 +16,18 @@ void InitOIDC(NActors::TActorSystem& actorSystem,
                          )
                      );
 
+    actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
+                         "/impersonate/start",
+                         actorSystem.Register(new TImpersonateStartPageHandler(httpProxyId, settings))
+                         )
+                     );
+
+    actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
+                         "/impersonate/stop",
+                         actorSystem.Register(new TImpersonateStopPageHandler(httpProxyId, settings))
+                         )
+                     );
+
     actorSystem.Send(httpProxyId, new NHttp::TEvHttpProxy::TEvRegisterHandler(
                         "/",
                         actorSystem.Register(new TProtectedPageHandler(httpProxyId, settings))

diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
@@ -0,0 +1,157 @@
+#include <library/cpp/json/json_reader.h>
+#include <library/cpp/string_utils/base64/base64.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/library/security/util.h>
+#include <ydb/mvp/core/mvp_log.h>
+#include <ydb/mvp/core/mvp_tokens.h>
+#include "openid_connect.h"
+#include "oidc_session_create.h"
+#include "oidc_settings.h"
+#include "oidc_impersonate_start_page_nebius.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+THandlerImpersonateStart::THandlerImpersonateStart(const NActors::TActorId& sender,
+                                                const NHttp::THttpIncomingRequestPtr& request,
+                                                const NActors::TActorId& httpProxyId,
+                                                const TOpenIdConnectSettings& settings)
+    : Sender(sender)
+    , Request(request)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+TString THandlerImpersonateStart::DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx) {
+    TString token;
+    try {
+        Base64StrictDecode(cookie, token);
+    } catch (std::exception& e) {
+        LOG_DEBUG_S(ctx, EService::MVP, "Base64Decode " << cookie << " cookie: " << e.what());
+        token.clear();
+    }
+    return token;
+}
+
+void THandlerImpersonateStart::Bootstrap(const NActors::TActorContext& ctx) {
+    NHttp::TUrlParameters urlParameters(Request->URL);
+    TString serviceAccountId = urlParameters["service_accound_id"];
+
+    NHttp::THeaders headers(Request->Headers);
+    LOG_DEBUG_S(ctx, EService::MVP, "Start impersonation process");
+    NHttp::TCookies cookies(headers.Get("Cookie"));
+
+    TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId);
+    TStringBuf sessionCookieValue = cookies.Get(sessionCookieName);
+    if (!sessionCookieValue.Empty()) {
+        LOG_DEBUG_S(ctx, EService::MVP, "Using session cookie (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")");
+    }
+
+    TString sessionToken = DecodeToken(sessionCookieValue, ctx);
+
+    TStringBuf jsonError;
+    if (sessionToken.empty()) {
+        jsonError = "Wrong impersonate parameter: session cookie not found";
+    } else if (serviceAccountId.empty()) {
+        jsonError = "Wrong impersonate parameter: account_id not found";
+    }
+
+    if (jsonError) {
+        NHttp::THeadersBuilder responseHeaders;
+        responseHeaders.Set("Content-Type", "text/plain");
+        NHttp::THttpOutgoingResponsePtr httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, "Wrong impersonate parameter: access_token not found");
+        ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+        Die(ctx);
+    } else {
+        RequestImpersonatedToken(sessionToken, serviceAccountId, ctx);
+    }
+}
+
+void THandlerImpersonateStart::RequestImpersonatedToken(const TString& sessionToken, const TString& serviceAccountId, const NActors::TActorContext& ctx) {
+    // TMvpTokenator* tokenator = MVPAppData()->Tokenator;
+    // TString token = "";
+    // if (tokenator) {
+    //     token = tokenator->GetToken(Settings.SessionServiceTokenName);
+    // }
+    // httpRequest->Set("Authorization", token); // Bearer included
+
+    LOG_DEBUG_S(ctx, EService::MVP, "Request impersonated token");
+    TStringBuilder body;
+    body << "session=" << sessionToken
+         << "&service_account_id=" << serviceAccountId;
+
+    NHttp::THttpOutgoingRequestPtr httpRequest = NHttp::THttpOutgoingRequest::CreateRequestPost(Settings.GetImpersonateEndpointURL());
+    httpRequest->Set<&NHttp::THttpRequest::ContentType>("application/x-www-form-urlencoded");
+    httpRequest->Set("Authorization", Settings.GetAuthorizationString());
+    httpRequest->Set<&NHttp::THttpRequest::Body>(body);
+
+    ctx.Send(HttpProxyId, new NHttp::TEvHttpProxy::TEvHttpOutgoingRequest(httpRequest));
+    Become(&THandlerImpersonateStart::StateWork);
+}
+
+void THandlerImpersonateStart::ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx) {
+    TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
+    TString impersonatedCookieValue = Base64Encode(impersonatedToken);
+    LOG_DEBUG_S(ctx, EService::MVP, "Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");
+
+    NHttp::THeadersBuilder responseHeaders;
+    responseHeaders.Set("Set-Cookie", CreateSecureCookie(impersonatedCookieName, impersonatedCookieValue));
+    responseHeaders.Set("Location", Context.GetRequestedAddress());
+    NHttp::THttpOutgoingResponsePtr httpResponse;
+    httpResponse = Request->CreateResponse("302", "Cookie set", responseHeaders);
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    Die(ctx);
+}
+
+void THandlerImpersonateStart::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx) {
+    NHttp::THttpOutgoingResponsePtr httpResponse;
+    if (event->Get()->Error.empty() && event->Get()->Response) {
+        NHttp::THttpIncomingResponsePtr response = event->Get()->Response;
+        LOG_DEBUG_S(ctx, EService::MVP, "Incoming response from authorization server: " << response->Status);
+        if (response->Status == "200") {
+            TStringBuf jsonError;
+            NJson::TJsonValue jsonValue;
+            NJson::TJsonReaderConfig jsonConfig;
+            if (NJson::ReadJsonTree(response->Body, &jsonConfig, &jsonValue)) {
+                const NJson::TJsonValue* jsonImpersonatedToken;
+                if (jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
+                    TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
+                    ProcessImpersonatedToken(impersonatedToken, ctx);
+                    return;
+                } else {
+                    jsonError = "Wrong OIDC provider response: impersonated token not found";
+                }
+            } else {
+                jsonError =  "Wrong OIDC response";
+            }
+            NHttp::THeadersBuilder responseHeaders;
+            responseHeaders.Set("Content-Type", "text/plain");
+            httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, jsonError);
+        } else {
+            NHttp::THeadersBuilder responseHeaders;
+            responseHeaders.Parse(response->Headers);
+            httpResponse = Request->CreateResponse(response->Status, response->Message, responseHeaders, response->Body);
+        }
+    } else {
+        NHttp::THeadersBuilder responseHeaders;
+        responseHeaders.Set("Content-Type", "text/plain");
+        httpResponse = Request->CreateResponse("400", "Bad Request", responseHeaders, event->Get()->Error);
+    }
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    Die(ctx);
+}
+
+TImpersonateStartPageHandler::TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
+    : TBase(&TImpersonateStartPageHandler::StateWork)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+void TImpersonateStartPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
+    if (Settings.AccessServiceType == NMvp::nebius_v1) {
+        ctx.Register(new THandlerImpersonateStart(event->Sender, event->Get()->Request, HttpProxyId, Settings));
+    }
+}
+
+} // NOIDC
+} // NMVP
diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.h
@@ -0,0 +1,63 @@
+#pragma once
+
+#include <util/generic/string.h>
+#include <util/generic/strbuf.h>
+#include <ydb/library/actors/core/actor_bootstrapped.h>
+#include <ydb/library/actors/core/actorid.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/library/actors/http/http_proxy.h>
+#include "oidc_settings.h"
+#include "context.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+class THandlerImpersonateStart : public NActors::TActorBootstrapped<THandlerImpersonateStart> {
+private:
+    using TBase = NActors::TActorBootstrapped<THandlerImpersonateStart>;
+
+protected:
+    const NActors::TActorId Sender;
+    const NHttp::THttpIncomingRequestPtr Request;
+    NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+    TContext Context;
+
+public:
+    TString DecodeToken(const TStringBuf& cookie, const NActors::TActorContext& ctx);
+    THandlerImpersonateStart(const NActors::TActorId& sender,
+                             const NHttp::THttpIncomingRequestPtr& request,
+                             const NActors::TActorId& httpProxyId,
+                             const TOpenIdConnectSettings& settings);
+    void RequestImpersonatedToken(const TString&, const TString&, const NActors::TActorContext&);
+    void ProcessImpersonatedToken(const TString& impersonatedToken, const NActors::TActorContext& ctx);
+
+    void Bootstrap(const NActors::TActorContext& ctx);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingResponse::TPtr event, const NActors::TActorContext& ctx);
+
+    STFUNC(StateWork) {
+        switch (ev->GetTypeRewrite()) {
+            HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingResponse, Handle);
+        }
+    }
+};
+
+class TImpersonateStartPageHandler : public NActors::TActor<TImpersonateStartPageHandler> {
+    using TBase = NActors::TActor<TImpersonateStartPageHandler>;
+
+    const NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+
+public:
+    TImpersonateStartPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
+
+    STFUNC(StateWork) {
+        switch (ev->GetTypeRewrite()) {
+            HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
+        }
+    }
+};
+
+}  // NOIDC
+}  // NMVP
diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.cpp
@@ -0,0 +1,50 @@
+#include <library/cpp/json/json_reader.h>
+#include <library/cpp/string_utils/base64/base64.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/mvp/core/mvp_log.h>
+#include "openid_connect.h"
+#include "oidc_session_create.h"
+#include "oidc_settings.h"
+#include "oidc_impersonate_stop_page_nebius.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+THandlerImpersonateStop::THandlerImpersonateStop(const NActors::TActorId& sender,
+                                                const NHttp::THttpIncomingRequestPtr& request,
+                                                const NActors::TActorId& httpProxyId,
+                                                const TOpenIdConnectSettings& settings)
+    : Sender(sender)
+    , Request(request)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+void THandlerImpersonateStop::Bootstrap(const NActors::TActorContext& ctx) {
+    TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
+    LOG_DEBUG_S(ctx, EService::MVP, "Clear impersonated cookie: (" << impersonatedCookieName << ")");
+
+    NHttp::THeadersBuilder responseHeaders;
+    SetCORS(Request, &responseHeaders);
+    responseHeaders.Set("Set-Cookie", ClearSecureCookie(impersonatedCookieName));
+
+    NHttp::THttpOutgoingResponsePtr httpResponse;
+    httpResponse = Request->CreateResponse("200", "OK", responseHeaders);
+    ctx.Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(httpResponse));
+    Die(ctx);
+}
+
+TImpersonateStopPageHandler::TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings)
+    : TBase(&TImpersonateStopPageHandler::StateWork)
+    , HttpProxyId(httpProxyId)
+    , Settings(settings)
+{}
+
+void TImpersonateStopPageHandler::Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx) {
+    if (Settings.AccessServiceType == NMvp::nebius_v1) {
+        ctx.Register(new THandlerImpersonateStop(event->Sender, event->Get()->Request, HttpProxyId, Settings));
+    }
+}
+
+} // NOIDC
+} // NMVP
diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h b/ydb/mvp/oidc_proxy/oidc_impersonate_stop_page_nebius.h
@@ -0,0 +1,53 @@
+#pragma once
+
+#include <util/generic/string.h>
+#include <util/generic/strbuf.h>
+#include <ydb/library/actors/core/actor_bootstrapped.h>
+#include <ydb/library/actors/core/actorid.h>
+#include <ydb/library/actors/http/http.h>
+#include <ydb/library/actors/http/http_proxy.h>
+#include "oidc_settings.h"
+#include "context.h"
+
+namespace NMVP {
+namespace NOIDC {
+
+class THandlerImpersonateStop : public NActors::TActorBootstrapped<THandlerImpersonateStop> {
+private:
+    using TBase = NActors::TActorBootstrapped<THandlerImpersonateStop>;
+
+protected:
+    const NActors::TActorId Sender;
+    const NHttp::THttpIncomingRequestPtr Request;
+    NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+    TContext Context;
+
+public:
+    THandlerImpersonateStop(const NActors::TActorId& sender,
+                            const NHttp::THttpIncomingRequestPtr& request,
+                            const NActors::TActorId& httpProxyId,
+                            const TOpenIdConnectSettings& settings);
+
+    void Bootstrap(const NActors::TActorContext& ctx);
+};
+
+class TImpersonateStopPageHandler : public NActors::TActor<TImpersonateStopPageHandler> {
+    using TBase = NActors::TActor<TImpersonateStopPageHandler>;
+
+    const NActors::TActorId HttpProxyId;
+    const TOpenIdConnectSettings Settings;
+
+public:
+    TImpersonateStopPageHandler(const NActors::TActorId& httpProxyId, const TOpenIdConnectSettings& settings);
+    void Handle(NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr event, const NActors::TActorContext& ctx);
+
+    STFUNC(StateWork) {
+        switch (ev->GetTypeRewrite()) {
+            HFunc(NHttp::TEvHttpProxy::TEvHttpIncomingRequest, Handle);
+        }
+    }
+};
+
+}  // NOIDC
+}  // NMVP