seaweedfs/weed/s3api/auth_credentials.go

package s3api

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"net/http"

	"github.com/golang/protobuf/jsonpb"
	"github.com/gorilla/mux"

	"github.com/chrislusf/seaweedfs/weed/glog"
	"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
)

type Action string

const (
	ACTION_READ  = "Read"
	ACTION_WRITE = "Write"
	ACTION_ADMIN = "Admin"
)

type Iam interface {
	Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}

type IdentityAccessManagement struct {
	identities []*Identity
	domain     string
}

type Identity struct {
	Name        string
	Credentials []*Credential
	Actions     []Action
}

type Credential struct {
	AccessKey string
	SecretKey string
}

func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
	iam := &IdentityAccessManagement{
		domain: domain,
	}
	if fileName == "" {
		return iam
	}
	if err := iam.loadS3ApiConfiguration(fileName); err != nil {
		glog.Fatalf("fail to load config file %s: %v", fileName, err)
	}
	return iam
}

func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {

	s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}

	rawData, readErr := ioutil.ReadFile(fileName)
	if readErr != nil {
		glog.Warningf("fail to read %s : %v", fileName, readErr)
		return fmt.Errorf("fail to read %s : %v", fileName, readErr)
	}

	glog.V(1).Infof("maybeLoadVolumeInfo Unmarshal volume info %v", fileName)
	if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
		glog.Warningf("unmarshal error: %v", err)
		return fmt.Errorf("unmarshal %s error: %v", fileName, err)
	}

	for _, ident := range s3ApiConfiguration.Identities {
		t := &Identity{
			Name:        ident.Name,
			Credentials: nil,
			Actions:     nil,
		}
		for _, action := range ident.Actions {
			t.Actions = append(t.Actions, Action(action))
		}
		for _, cred := range ident.Credentials {
			t.Credentials = append(t.Credentials, &Credential{
				AccessKey: cred.AccessKey,
				SecretKey: cred.SecretKey,
			})
		}
		iam.identities = append(iam.identities, t)
	}

	return nil
}

func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
	for _, ident := range iam.identities {
		for _, cred := range ident.Credentials {
			if cred.AccessKey == accessKey {
				return ident, cred, true
			}
		}
	}
	return nil, nil, false
}

func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {

	if len(iam.identities) == 0 {
		return f
	}

	return func(w http.ResponseWriter, r *http.Request) {
		errCode := iam.authRequest(r, action)
		if errCode == ErrNone {
			f(w, r)
			return
		}
		writeErrorResponse(w, errCode, r.URL)
	}
}

// check whether the request has valid access keys
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
	var identity *Identity
	var s3Err ErrorCode
	switch getRequestAuthType(r) {
	case authTypeStreamingSigned:
		return ErrNone
	case authTypeUnknown:
		glog.V(3).Infof("unknown auth type")
		return ErrAccessDenied
	case authTypePresignedV2, authTypeSignedV2:
		glog.V(3).Infof("v2 auth type")
		identity, s3Err = iam.isReqAuthenticatedV2(r)
	case authTypeSigned, authTypePresigned:
		glog.V(3).Infof("v4 auth type")
		identity, s3Err = iam.reqSignatureV4Verify(r)
	case authTypePostPolicy:
		glog.V(3).Infof("post policy auth type")
		return ErrNotImplemented
	case authTypeJWT:
		glog.V(3).Infof("jwt auth type")
		return ErrNotImplemented
	case authTypeAnonymous:
		return ErrAccessDenied
	default:
		return ErrNotImplemented
	}

	glog.V(3).Infof("auth error: %v", s3Err)
	if s3Err != ErrNone {
		return s3Err
	}

	glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	if !identity.canDo(action, bucket) {
		return ErrAccessDenied
	}

	return ErrNone

}

func (identity *Identity) canDo(action Action, bucket string) bool {
	for _, a := range identity.Actions {
		if a == "Admin" {
			return true
		}
	}
	for _, a := range identity.Actions {
		if a == action {
			return true
		}
	}
	if bucket == "" {
		return false
	}
	limitedByBucket := string(action) + ":" + bucket
	for _, a := range identity.Actions {
		if string(a) == limitedByBucket {
			return true
		}
	}
	return false
}
support acl 2020-02-09 22:30:02 +00:00			`package s3api`

			`import (`
			`"bytes"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`

			`"github.com/golang/protobuf/jsonpb"`
s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`"github.com/gorilla/mux"`
support acl 2020-02-09 22:30:02 +00:00
			`"github.com/chrislusf/seaweedfs/weed/glog"`
			`"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"`
			`)`

			`type Action string`

			`const (`
			`ACTION_READ = "Read"`
			`ACTION_WRITE = "Write"`
			`ACTION_ADMIN = "Admin"`
			`)`

			`type Iam interface {`
			`Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc`
			`}`

			`type IdentityAccessManagement struct {`
			`identities []*Identity`
add v2 support 2020-02-10 00:02:05 +00:00			`domain string`
support acl 2020-02-09 22:30:02 +00:00			`}`

			`type Identity struct {`
			`Name string`
			`Credentials []*Credential`
			`Actions []Action`
			`}`

			`type Credential struct {`
			`AccessKey string`
			`SecretKey string`
			`}`

add v2 support 2020-02-10 00:02:05 +00:00			`func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {`
			`iam := &IdentityAccessManagement{`
			`domain: domain,`
			`}`
support acl 2020-02-09 22:30:02 +00:00			`if fileName == "" {`
			`return iam`
			`}`
configuration stores the identity list 2020-02-17 20:31:59 +00:00			`if err := iam.loadS3ApiConfiguration(fileName); err != nil {`
support acl 2020-02-09 22:30:02 +00:00			`glog.Fatalf("fail to load config file %s: %v", fileName, err)`
			`}`
			`return iam`
			`}`

configuration stores the identity list 2020-02-17 20:31:59 +00:00			`func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {`
support acl 2020-02-09 22:30:02 +00:00
configuration stores the identity list 2020-02-17 20:31:59 +00:00			`s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}`
support acl 2020-02-09 22:30:02 +00:00
			`rawData, readErr := ioutil.ReadFile(fileName)`
			`if readErr != nil {`
			`glog.Warningf("fail to read %s : %v", fileName, readErr)`
			`return fmt.Errorf("fail to read %s : %v", fileName, readErr)`
			`}`

			`glog.V(1).Infof("maybeLoadVolumeInfo Unmarshal volume info %v", fileName)`
configuration stores the identity list 2020-02-17 20:31:59 +00:00			`if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {`
support acl 2020-02-09 22:30:02 +00:00			`glog.Warningf("unmarshal error: %v", err)`
			`return fmt.Errorf("unmarshal %s error: %v", fileName, err)`
			`}`

configuration stores the identity list 2020-02-17 20:31:59 +00:00			`for _, ident := range s3ApiConfiguration.Identities {`
support acl 2020-02-09 22:30:02 +00:00			`t := &Identity{`
			`Name: ident.Name,`
			`Credentials: nil,`
			`Actions: nil,`
			`}`
			`for _, action := range ident.Actions {`
			`t.Actions = append(t.Actions, Action(action))`
			`}`
			`for _, cred := range ident.Credentials {`
			`t.Credentials = append(t.Credentials, &Credential{`
			`AccessKey: cred.AccessKey,`
			`SecretKey: cred.SecretKey,`
			`})`
			`}`
			`iam.identities = append(iam.identities, t)`
			`}`

			`return nil`
			`}`

			`func (iam IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity Identity, cred *Credential, found bool) {`
			`for _, ident := range iam.identities {`
			`for _, cred := range ident.Credentials {`
			`if cred.AccessKey == accessKey {`
			`return ident, cred, true`
			`}`
			`}`
			`}`
			`return nil, nil, false`
			`}`

s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {`
support acl 2020-02-09 22:30:02 +00:00
			`if len(iam.identities) == 0 {`
			`return f`
			`}`

			`return func(w http.ResponseWriter, r *http.Request) {`
s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`errCode := iam.authRequest(r, action)`
support acl 2020-02-09 22:30:02 +00:00			`if errCode == ErrNone {`
			`f(w, r)`
			`return`
			`}`
			`writeErrorResponse(w, errCode, r.URL)`
			`}`
			`}`

			`// check whether the request has valid access keys`
s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`func (iam IdentityAccessManagement) authRequest(r http.Request, action Action) ErrorCode {`
support acl 2020-02-09 22:30:02 +00:00			`var identity *Identity`
			`var s3Err ErrorCode`
			`switch getRequestAuthType(r) {`
add v2 support 2020-02-10 00:02:05 +00:00			`case authTypeStreamingSigned:`
			`return ErrNone`
			`case authTypeUnknown:`
			`glog.V(3).Infof("unknown auth type")`
support acl 2020-02-09 22:30:02 +00:00			`return ErrAccessDenied`
			`case authTypePresignedV2, authTypeSignedV2:`
add v2 support 2020-02-10 00:02:05 +00:00			`glog.V(3).Infof("v2 auth type")`
			`identity, s3Err = iam.isReqAuthenticatedV2(r)`
support acl 2020-02-09 22:30:02 +00:00			`case authTypeSigned, authTypePresigned:`
add v2 support 2020-02-10 00:02:05 +00:00			`glog.V(3).Infof("v4 auth type")`
support acl 2020-02-09 22:30:02 +00:00			`identity, s3Err = iam.reqSignatureV4Verify(r)`
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I \| http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390 2020-02-18 17:16:04 +00:00			`case authTypePostPolicy:`
s3: deny anonymous type 2020-02-22 22:01:04 +00:00			`glog.V(3).Infof("post policy auth type")`
			`return ErrNotImplemented`
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I \| http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390 2020-02-18 17:16:04 +00:00			`case authTypeJWT:`
s3: deny anonymous type 2020-02-22 22:01:04 +00:00			`glog.V(3).Infof("jwt auth type")`
			`return ErrNotImplemented`
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I \| http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390 2020-02-18 17:16:04 +00:00			`case authTypeAnonymous:`
s3: deny anonymous type 2020-02-22 22:01:04 +00:00			`return ErrAccessDenied`
			`default:`
add unhandled request auth type fix 2020-02-18 11:43:57.396699 I \| http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference goroutine 595 [running]: net/http.(conn).serve.func1(0xc0001fe3c0) /usr/lib/go/src/net/http/server.go:1767 +0x13b panic(0x55c4e35f3820, 0x55c4e48b3c40) /usr/lib/go/src/runtime/panic.go:679 +0x1b6 github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c github.com/chrislusf/seaweedfs/weed/s3api.(IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900) /usr/lib/go/src/net/http/server.go:2007 +0x46 github.com/gorilla/mux.(Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4 net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700) /usr/lib/go/src/net/http/server.go:2802 +0xa6 net/http.(conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180) /usr/lib/go/src/net/http/server.go:1890 +0x877 created by net/http.(Server).Serve /usr/lib/go/src/net/http/server.go:2927 +0x390 2020-02-18 17:16:04 +00:00			`return ErrNotImplemented`
support acl 2020-02-09 22:30:02 +00:00			`}`

add v2 support 2020-02-10 00:02:05 +00:00			`glog.V(3).Infof("auth error: %v", s3Err)`
			`if s3Err != ErrNone {`
			`return s3Err`
			`}`

			`glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)`

s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`vars := mux.Vars(r)`
			`bucket := vars["bucket"]`

			`if !identity.canDo(action, bucket) {`
support acl 2020-02-09 22:30:02 +00:00			`return ErrAccessDenied`
			`}`

			`return ErrNone`

			`}`

s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`func (identity *Identity) canDo(action Action, bucket string) bool {`
support acl 2020-02-09 22:30:02 +00:00			`for _, a := range identity.Actions {`
s3: access control limited by bucket 2020-02-23 05:34:18 +00:00			`if a == "Admin" {`
			`return true`
			`}`
			`}`
			`for _, a := range identity.Actions {`
			`if a == action {`
			`return true`
			`}`
			`}`
			`if bucket == "" {`
			`return false`
			`}`
			`limitedByBucket := string(action) + ":" + bucket`
			`for _, a := range identity.Actions {`
			`if string(a) == limitedByBucket {`
			`return true`
support acl 2020-02-09 22:30:02 +00:00			`}`
			`}`
			`return false`
			`}`