seaweedfs/weed/security/guard.go

package security

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"

	"github.com/chrislusf/seaweedfs/weed/glog"
)

var (
	ErrUnauthorized = errors.New("unauthorized token")
)

/*
Guard is to ensure data access security.
There are 2 ways to check access:
1. white list. It's checking request ip address.
2. JSON Web Token(JWT) generated from secretKey.
  The jwt can come from:
  1. url parameter jwt=...
  2. request header "Authorization"
  3. cookie with the name "jwt"

The white list is checked first because it is easy.
Then the JWT is checked.

The Guard will also check these claims if provided:
1. "exp" Expiration Time
2. "nbf" Not Before

Generating JWT:
1. use HS256 to sign
2. optionally set "exp", "nbf" fields, in Unix time,
   the number of seconds elapsed since January 1, 1970 UTC.

Referenced:
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go

*/
type Guard struct {
	whiteList           []string
	SigningKey          SigningKey
	ExpiresAfterSec     int
	ReadSigningKey      SigningKey
	ReadExpiresAfterSec int

	isWriteActive bool
}

func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {
	g := &Guard{
		whiteList:           whiteList,
		SigningKey:          SigningKey(signingKey),
		ExpiresAfterSec:     expiresAfterSec,
		ReadSigningKey:      SigningKey(readSigningKey),
		ReadExpiresAfterSec: readExpiresAfterSec,
	}
	g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
	return g
}

func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
	if !g.isWriteActive {
		//if no security needed, just skip all checking
		return f
	}
	return func(w http.ResponseWriter, r *http.Request) {
		if err := g.checkWhiteList(w, r); err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		f(w, r)
	}
}

func GetActualRemoteHost(r *http.Request) (host string, err error) {
	host = r.Header.Get("HTTP_X_FORWARDED_FOR")
	if host == "" {
		host = r.Header.Get("X-FORWARDED-FOR")
	}
	if strings.Contains(host, ",") {
		host = host[0:strings.Index(host, ",")]
	}
	if host == "" {
		host, _, err = net.SplitHostPort(r.RemoteAddr)
	}
	return
}

func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
	if len(g.whiteList) == 0 {
		return nil
	}

	host, err := GetActualRemoteHost(r)
	if err == nil {
		for _, ip := range g.whiteList {

			// If the whitelist entry contains a "/" it
			// is a CIDR range, and we should check the
			// remote host is within it
			if strings.Contains(ip, "/") {
				_, cidrnet, err := net.ParseCIDR(ip)
				if err != nil {
					panic(err)
				}
				remote := net.ParseIP(host)
				if cidrnet.Contains(remote) {
					return nil
				}
			}

			//
			// Otherwise we're looking for a literal match.
			//
			if ip == host {
				return nil
			}
		}
	}

	glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)
	return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)
}
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`package security`

			`import (`
			`"errors"`
			`"fmt"`
			`"net"`
			`"net/http"`
fix set HTTP_X_FORWARDED_FOR when proxying https://github.com/chrislusf/seaweedfs/issues/214 2015-11-22 17:31:39 +00:00			`"strings"`
refactoring for later security changes 2015-01-05 22:20:04 +00:00
directory structure change to work with glide glide has its own requirements. My previous workaround caused me some code checkin errors. Need to fix this. 2016-06-03 01:09:14 +00:00			`"github.com/chrislusf/seaweedfs/weed/glog"`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`)`

			`var (`
			`ErrUnauthorized = errors.New("unauthorized token")`
			`)`

			`/*`
			`Guard is to ensure data access security.`
			`There are 2 ways to check access:`
			`1. white list. It's checking request ip address.`
			`2. JSON Web Token(JWT) generated from secretKey.`
			`The jwt can come from:`
			`1. url parameter jwt=...`
			`2. request header "Authorization"`
			`3. cookie with the name "jwt"`

			`The white list is checked first because it is easy.`
			`Then the JWT is checked.`

			`The Guard will also check these claims if provided:`
			`1. "exp" Expiration Time`
			`2. "nbf" Not Before`

			`Generating JWT:`
			`1. use HS256 to sign`
			`2. optionally set "exp", "nbf" fields, in Unix time,`
			`the number of seconds elapsed since January 1, 1970 UTC.`

			`Referenced:`
			`https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go`

			`*/`
			`type Guard struct {`
jwt for read access control 2019-06-06 07:29:02 +00:00			`whiteList []string`
			`SigningKey SigningKey`
			`ExpiresAfterSec int`
			`ReadSigningKey SigningKey`
			`ReadExpiresAfterSec int`
refactoring for later security changes 2015-01-05 22:20:04 +00:00
jwt for read access control 2019-06-06 07:29:02 +00:00			`isWriteActive bool`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`}`

jwt for read access control 2019-06-06 07:29:02 +00:00			`func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard {`
			`g := &Guard{`
			`whiteList: whiteList,`
			`SigningKey: SigningKey(signingKey),`
			`ExpiresAfterSec: expiresAfterSec,`
			`ReadSigningKey: SigningKey(readSigningKey),`
			`ReadExpiresAfterSec: readExpiresAfterSec,`
			`}`
			`g.isWriteActive = len(g.whiteList) != 0 \|\| len(g.SigningKey) != 0`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`return g`
			`}`

simplify func(w http.ResponseWriter, r *http.Request) to http.HandlerFunc 2020-05-25 13:00:12 +00:00			`func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {`
jwt for read access control 2019-06-06 07:29:02 +00:00			`if !g.isWriteActive {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`//if no security needed, just skip all checking`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`return f`
			`}`
			`return func(w http.ResponseWriter, r *http.Request) {`
merge conflicts 2015-02-07 23:35:28 +00:00			`if err := g.checkWhiteList(w, r); err != nil {`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`
			`f(w, r)`
			`}`
			`}`

fix set HTTP_X_FORWARDED_FOR when proxying https://github.com/chrislusf/seaweedfs/issues/214 2015-11-22 17:31:39 +00:00			`func GetActualRemoteHost(r *http.Request) (host string, err error) {`
			`host = r.Header.Get("HTTP_X_FORWARDED_FOR")`
			`if host == "" {`
			`host = r.Header.Get("X-FORWARDED-FOR")`
			`}`
			`if strings.Contains(host, ",") {`
			`host = host[0:strings.Index(host, ",")]`
			`}`
			`if host == "" {`
			`host, _, err = net.SplitHostPort(r.RemoteAddr)`
			`}`
			`return`
			`}`

merge conflicts 2015-02-07 23:35:28 +00:00			`func (g Guard) checkWhiteList(w http.ResponseWriter, r http.Request) error {`
			`if len(g.whiteList) == 0 {`
			`return nil`
			`}`
refactoring for later security changes 2015-01-05 22:20:04 +00:00
fix set HTTP_X_FORWARDED_FOR when proxying https://github.com/chrislusf/seaweedfs/issues/214 2015-11-22 17:31:39 +00:00			`host, err := GetActualRemoteHost(r)`
merge conflicts 2015-02-07 23:35:28 +00:00			`if err == nil {`
			`for _, ip := range g.whiteList {`
Allow whitelisting by CIDR range, not just literally. This allows you to write something like this: /usr/local/bin/weed master -mdir /srv/weed/master -whiteList=192.168.0.0/24,127.0.0.1 This will whitelist all the 192.168.0.XX hosts, as well as localhost. 2015-09-05 07:00:13 +00:00
go fmt 2015-10-20 05:03:18 +00:00			`// If the whitelist entry contains a "/" it`
			`// is a CIDR range, and we should check the`
			`// remote host is within it`
improve performance a little bit when having white list 2016-04-14 21:42:19 +00:00			`if strings.Contains(ip, "/") {`
go fmt 2015-10-20 05:03:18 +00:00			`_, cidrnet, err := net.ParseCIDR(ip)`
			`if err != nil {`
			`panic(err)`
			`}`
			`remote := net.ParseIP(host)`
			`if cidrnet.Contains(remote) {`
			`return nil`
			`}`
			`}`

			`//`
			`// Otherwise we're looking for a literal match.`
			`//`
merge conflicts 2015-02-07 23:35:28 +00:00			`if ip == host {`
			`return nil`
refactoring for later security changes 2015-01-05 22:20:04 +00:00			`}`
			`}`
			`}`

adjust logging 2016-06-26 19:49:08 +00:00			`glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr)`
fix typo in error message 2021-12-29 11:38:14 +00:00			`return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr)`
merge conflicts 2015-02-07 23:35:28 +00:00			`}`