seaweedfs/weed/security/guard.go

127 lines
2.9 KiB
Go
Raw Permalink Normal View History

2015-01-05 22:20:04 +00:00
package security
import (
"errors"
"fmt"
"net"
"net/http"
"strings"
2015-01-05 22:20:04 +00:00
"github.com/seaweedfs/seaweedfs/weed/glog"
2015-01-05 22:20:04 +00:00
)
var (
ErrUnauthorized = errors.New("unauthorized token")
)
/*
Guard is to ensure data access security.
There are 2 ways to check access:
2022-09-15 06:06:44 +00:00
1. white list. It's checking request ip address.
2. JSON Web Token(JWT) generated from secretKey.
The jwt can come from:
1. url parameter jwt=...
2. request header "Authorization"
3. cookie with the name "jwt"
2015-01-05 22:20:04 +00:00
The white list is checked first because it is easy.
Then the JWT is checked.
The Guard will also check these claims if provided:
1. "exp" Expiration Time
2. "nbf" Not Before
Generating JWT:
2022-09-15 06:06:44 +00:00
1. use HS256 to sign
2. optionally set "exp", "nbf" fields, in Unix time,
the number of seconds elapsed since January 1, 1970 UTC.
2015-01-05 22:20:04 +00:00
Referenced:
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
*/
type Guard struct {
2019-06-06 07:29:02 +00:00
whiteList []string
SigningKey SigningKey
ExpiresAfterSec int
ReadSigningKey SigningKey
ReadExpiresAfterSec int
2015-01-05 22:20:04 +00:00
2019-06-06 07:29:02 +00:00
isWriteActive bool
2015-01-05 22:20:04 +00:00
}
2019-06-06 07:29:02 +00:00
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
g := &Guard{
whiteList: whiteList,
SigningKey: SigningKey(signingKey),
ExpiresAfterSec: expiresAfterSec,
ReadSigningKey: SigningKey(readSigningKey),
ReadExpiresAfterSec: readExpiresAfterSec,
}
g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
2015-01-05 22:20:04 +00:00
return g
}
func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
2019-06-06 07:29:02 +00:00
if !g.isWriteActive {
//if no security needed, just skip all checking
2015-01-05 22:20:04 +00:00
return f
}
return func(w http.ResponseWriter, r *http.Request) {
2015-02-07 23:35:28 +00:00
if err := g.checkWhiteList(w, r); err != nil {
2015-01-05 22:20:04 +00:00
w.WriteHeader(http.StatusUnauthorized)
return
}
f(w, r)
}
}
func GetActualRemoteHost(r *http.Request) (host string, err error) {
host = r.Header.Get("HTTP_X_FORWARDED_FOR")
if host == "" {
host = r.Header.Get("X-FORWARDED-FOR")
}
if strings.Contains(host, ",") {
host = host[0:strings.Index(host, ",")]
}
if host == "" {
host, _, err = net.SplitHostPort(r.RemoteAddr)
}
return
}
2015-02-07 23:35:28 +00:00
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
if len(g.whiteList) == 0 {
return nil
}
2015-01-05 22:20:04 +00:00
host, err := GetActualRemoteHost(r)
2015-02-07 23:35:28 +00:00
if err == nil {
for _, ip := range g.whiteList {
2015-10-20 05:03:18 +00:00
// If the whitelist entry contains a "/" it
// is a CIDR range, and we should check the
// remote host is within it
if strings.Contains(ip, "/") {
2015-10-20 05:03:18 +00:00
_, cidrnet, err := net.ParseCIDR(ip)
if err != nil {
panic(err)
}
remote := net.ParseIP(host)
if cidrnet.Contains(remote) {
return nil
}
}
//
// Otherwise we're looking for a literal match.
//
2015-02-07 23:35:28 +00:00
if ip == host {
return nil
2015-01-05 22:20:04 +00:00
}
}
}
2016-06-26 19:49:08 +00:00
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
2021-12-29 11:38:14 +00:00
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
2015-02-07 23:35:28 +00:00
}