package util
import (
"compress/gzip"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"github.com/chrislusf/seaweedfs/weed/glog"
)
var (
	// client is the package-wide HTTP client every helper below sends through.
	// NOTE(review): no Timeout is configured on it, so a peer that stops
	// responding can hold a caller indefinitely unless the request itself
	// carries a deadline — confirm callers that need one set it.
	client *http.Client
	// Transport backs client; it is exported so callers can tune it (TLS,
	// proxies, limits) before traffic starts.
	Transport *http.Transport
)
// init wires up the shared Transport and client used by every helper in this
// package. Both idle-connection limits are raised far above net/http's
// defaults so many concurrent requests to the same peer reuse connections
// rather than opening new ones.
func init() {
	t := &http.Transport{
		MaxIdleConns:        1024,
		MaxIdleConnsPerHost: 1024,
	}
	Transport = t
	client = &http.Client{Transport: t}
}
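// Post sends values as an application/x-www-form-urlencoded POST to url and
// returns the response body.
//
// A status of 400 or above is reported as an error. When the error body could
// be read it is included in the message (it usually carries the server's
// explanation); otherwise only the status line is. A failure to read the body
// of a successful response is returned as-is.
func Post(url string, values url.Values) ([]byte, error) {
	r, err := client.PostForm(url, values)
	if err != nil {
		return nil, err
	}
	defer r.Body.Close()
	b, err := io.ReadAll(r.Body)
	if r.StatusCode >= 400 {
		// Attach the body only when it was read successfully; fall back to the
		// status line otherwise. (The condition used to be the other way round,
		// which dropped the server's message exactly when it was available.)
		if err == nil {
			return nil, fmt.Errorf("%s: %d - %s", url, r.StatusCode, string(b))
		}
		return nil, fmt.Errorf("%s: %s", url, r.Status)
	}
	if err != nil {
		return nil, err
	}
	return b, nil
}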
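// Get fetches url with GET, advertising gzip and transparently decompressing a
// gzip-encoded response body.
//
// The bool result reports whether the failure looks retryable: true when the
// request could not be completed at all or the server answered 5xx; false for
// a 4xx status, a request that could not be built, or a body read/decode
// error.
//
// Used by github.com/chrislusf/seaweedfs/unmaintained/repeated_vacuum/repeated_vacuum.go,
// which may need an increased http.Client.Timeout — the shared client sets none.
func Get(url string) ([]byte, bool, error) {
	request, err := http.NewRequest("GET", url, nil)
	if err != nil {
		// Checked before touching request.Header: request is nil on error, and
		// a URL that cannot become a request will not improve on retry.
		return nil, false, err
	}
	request.Header.Add("Accept-Encoding", "gzip")

	response, err := client.Do(request)
	if err != nil {
		return nil, true, err
	}
	defer response.Body.Close()

	if response.StatusCode >= 400 {
		// The error body is discarded either way, so do not decode it first.
		retryable := response.StatusCode >= 500
		return nil, retryable, fmt.Errorf("%s: %s", url, response.Status)
	}

	var reader io.ReadCloser
	switch response.Header.Get("Content-Encoding") {
	case "gzip":
		gz, gzErr := gzip.NewReader(response.Body)
		if gzErr != nil {
			// Previously unchecked: a failed NewReader left a nil *gzip.Reader
			// behind the interface and the deferred Close panicked.
			return nil, false, fmt.Errorf("%s: gzip: %w", url, gzErr)
		}
		defer gz.Close()
		reader = gz
	default:
		reader = response.Body
	}

	// NOTE(review): the decompressed size is unbounded here; a misbehaving peer
	// can make this allocate far more than the bytes it transferred.
	b, err := io.ReadAll(reader)
	if err != nil {
		return nil, false, err
	}
	return b, false, nil
}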
// Head issues a HEAD request to url and returns the response headers.
// A status of 400 or above becomes an error carrying the status line; in
// every case the body is drained and closed before returning.
func Head(url string) (http.Header, error) {
	resp, err := client.Head(url)
	if err != nil {
		return nil, err
	}
	defer CloseResponse(resp)
	if resp.StatusCode < 400 {
		return resp.Header, nil
	}
	return nil, fmt.Errorf("%s: %s", url, resp.Status)
}
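// Delete issues a DELETE to url, attaching jwt as a bearer token when it is
// non-empty.
//
// 200, 202 and 404 are all treated as success (the resource is gone either
// way). Any other status yields an error built from the response body: the
// "error" field if the body is a JSON object that has one, else the raw body.
func Delete(url string, jwt string) error {
	req, err := http.NewRequest("DELETE", url, nil)
	if err != nil {
		// Must run before the header write below: req is nil on error.
		return err
	}
	if jwt != "" {
		req.Header.Set("Authorization", "BEARER "+jwt)
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}
	switch resp.StatusCode {
	case http.StatusNotFound, http.StatusAccepted, http.StatusOK:
		return nil
	}
	var m map[string]interface{}
	if json.Unmarshal(body, &m) == nil {
		if s, ok := m["error"].(string); ok {
			return errors.New(s)
		}
	}
	return errors.New(string(body))
}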
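// DeleteProxied issues a DELETE to url (with jwt as bearer token when set)
// and hands the raw outcome back so a proxying handler can relay it verbatim:
// body is the response body and httpStatus the status code, whatever it was.
// err is non-nil only when the request could not be built or sent, or its
// body could not be read; httpStatus is 0 in that case.
func DeleteProxied(url string, jwt string) (body []byte, httpStatus int, err error) {
	req, err := http.NewRequest("DELETE", url, nil)
	if err != nil {
		// Checked before the header write: req is nil when NewRequest fails.
		return nil, 0, err
	}
	if jwt != "" {
		req.Header.Set("Authorization", "BEARER "+jwt)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	body, err = io.ReadAll(resp.Body)
	if err != nil {
		return body, 0, err
	}
	return body, resp.StatusCode, nil
}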
// GetBufferStream POSTs values to url and streams the response body through
// eachBuffer in pieces of at most len(allocatedBytes) bytes. The slice handed
// to eachBuffer aliases allocatedBytes and is only valid until the next call.
// Any status other than 200 is reported as an error before anything is read.
func GetBufferStream(url string, values url.Values, allocatedBytes []byte, eachBuffer func([]byte)) error {
	resp, err := client.PostForm(url, values)
	if err != nil {
		return err
	}
	defer CloseResponse(resp)
	if resp.StatusCode != 200 {
		return fmt.Errorf("%s: %s", url, resp.Status)
	}
	for {
		n, readErr := resp.Body.Read(allocatedBytes)
		if n > 0 {
			eachBuffer(allocatedBytes[:n])
		}
		switch readErr {
		case nil:
			continue
		case io.EOF:
			return nil
		default:
			return readErr
		}
	}
}
// GetUrlStream POSTs values to url and, on a 200 response, passes the body to
// readFn, whose error is returned unchanged. The body is drained and closed
// after readFn returns, so readFn must not retain it.
func GetUrlStream(url string, values url.Values, readFn func(io.Reader) error) error {
	resp, err := client.PostForm(url, values)
	if err != nil {
		return err
	}
	defer CloseResponse(resp)
	if resp.StatusCode == 200 {
		return readFn(resp.Body)
	}
	return fmt.Errorf("%s: %s", url, resp.Status)
}
// DownloadFile GETs fileUrl, attaching jwt as a bearer token when non-empty,
// and returns the response without reading its body: resp.Body is still open
// and the caller owns closing it. header is resp.Header. filename is whatever
// follows "filename=" in the first Content-Disposition header, with
// surrounding double quotes stripped, or "" when absent. A non-2xx status is
// not treated as an error here — callers must inspect resp.StatusCode.
//
// NOTE(review): filename is taken verbatim from the server; treat it as
// untrusted (e.g. keep only its base name) before using it as a local path.
func DownloadFile(fileUrl string, jwt string) (filename string, header http.Header, resp *http.Response, e error) {
	req, err := http.NewRequest("GET", fileUrl, nil)
	if err != nil {
		return "", nil, nil, err
	}
	if jwt != "" {
		req.Header.Set("Authorization", "BEARER "+jwt)
	}

	response, err := client.Do(req)
	if err != nil {
		return "", nil, nil, err
	}

	if cd := response.Header["Content-Disposition"]; len(cd) > 0 {
		// SplitN on the first "filename=" leaves everything after it in parts[1].
		parts := strings.SplitN(cd[0], "filename=", 2)
		if len(parts) == 2 {
			filename = strings.Trim(parts[1], "\"")
		}
	}
	return filename, response.Header, response, nil
}
// Do sends req through the package's shared client, so callers that build
// their own *http.Request still use the pooled Transport.
func Do(req *http.Request) (resp *http.Response, err error) {
	resp, err = client.Do(req)
	return resp, err
}
// NormalizeUrl returns url unchanged when it already starts with "http://" or
// "https://" and prefixes "http://" otherwise. The scheme check is
// case-sensitive.
func NormalizeUrl(url string) string {
	for _, scheme := range []string{"http://", "https://"} {
		if strings.HasPrefix(url, scheme) {
			return url
		}
	}
	return "http://" + url
}
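// ReadUrl reads one chunk of fileUrl into buf and returns how many bytes it
// stored.
//
// With a non-nil cipherKey the whole chunk is fetched and decrypted through
// readEncryptedUrl (decompressed first when isContentCompressed), and the
// requested window — the full chunk when isFullChunk, else
// [offset, offset+size) — is copied into buf, truncated to len(buf).
// Otherwise a plain GET is issued: the full chunk with "Accept-Encoding: gzip"
// when isFullChunk, else a Range request for [offset, offset+size). Reading
// stops once buf is full; any bytes the server sends beyond len(buf) are
// drained and logged, not returned. A status of 400 or above is an error.
func ReadUrl(fileUrl string, cipherKey []byte, isContentCompressed bool, isFullChunk bool, offset int64, size int, buf []byte) (int64, error) {
	if cipherKey != nil {
		var n int
		_, err := readEncryptedUrl(fileUrl, cipherKey, isContentCompressed, isFullChunk, offset, size, func(data []byte) {
			// copy stops at len(buf) when the decrypted window is larger.
			n = copy(buf, data)
		})
		return int64(n), err
	}

	req, err := http.NewRequest("GET", fileUrl, nil)
	if err != nil {
		return 0, err
	}
	if isFullChunk {
		req.Header.Set("Accept-Encoding", "gzip")
	} else {
		req.Header.Add("Range", fmt.Sprintf("bytes=%d-%d", offset, offset+int64(size)-1))
	}

	r, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer r.Body.Close()
	if r.StatusCode >= 400 {
		return 0, fmt.Errorf("%s: %s", fileUrl, r.Status)
	}

	var reader io.ReadCloser
	contentEncoding := r.Header.Get("Content-Encoding")
	switch contentEncoding {
	case "gzip":
		gz, gzErr := gzip.NewReader(r.Body)
		if gzErr != nil {
			// Previously unchecked: a failed NewReader left a nil *gzip.Reader
			// behind the interface and the deferred Close panicked.
			return 0, fmt.Errorf("%s: gzip: %w", fileUrl, gzErr)
		}
		defer gz.Close()
		reader = gz
	default:
		reader = r.Body
	}

	// Fill buf with repeated short reads, in the manner of bytes.Buffer
	// (https://github.com/golang/go/blob/master/src/bytes/buffer.go#L199,
	// commit c170b14c2c1cfb2fd853a37add92a82fd6eb4318).
	var n int64
	for {
		m, readErr := reader.Read(buf[n:])
		n += int64(m)
		if readErr == io.EOF {
			return n, nil
		}
		if readErr != nil {
			return n, readErr
		}
		if n == int64(len(buf)) {
			break
		}
	}

	// buf is full but the body may not be exhausted. Drain the rest so the
	// stream is fully consumed and report the surplus, which points at a size
	// mismatch between caller and server.
	data, _ := io.ReadAll(reader)
	if len(data) != 0 {
		glog.V(1).Infof("%s reader has remaining %d bytes", contentEncoding, len(data))
	}
	return n, nil
}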
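// ReadUrlAsStream streams one chunk of fileUrl to fn in pieces of at most
// 64 KiB. The slice passed to fn is reused between calls and must not be
// retained; fn is also invoked with an empty slice on a zero-length read,
// including the one that reports EOF.
//
// With a non-nil cipherKey the work is delegated to readEncryptedUrl, which
// delivers the decrypted (and, if isContentGzipped, decompressed) window in a
// single fn call. Otherwise isFullChunk selects a full GET with gzip accepted
// versus a Range request for [offset, offset+size).
//
// retryable is true when the request could not be sent, the server answered
// 5xx, or the body read failed midway; false for a 4xx, a request that could
// not be built, or a corrupt gzip stream.
func ReadUrlAsStream(fileUrl string, cipherKey []byte, isContentGzipped bool, isFullChunk bool, offset int64, size int, fn func(data []byte)) (retryable bool, err error) {
	if cipherKey != nil {
		return readEncryptedUrl(fileUrl, cipherKey, isContentGzipped, isFullChunk, offset, size, fn)
	}

	req, err := http.NewRequest("GET", fileUrl, nil)
	if err != nil {
		return false, err
	}
	if isFullChunk {
		req.Header.Add("Accept-Encoding", "gzip")
	} else {
		req.Header.Add("Range", fmt.Sprintf("bytes=%d-%d", offset, offset+int64(size)-1))
	}

	r, err := client.Do(req)
	if err != nil {
		return true, err
	}
	defer CloseResponse(r)
	if r.StatusCode >= 400 {
		retryable = r.StatusCode >= 500
		return retryable, fmt.Errorf("%s: %s", fileUrl, r.Status)
	}

	var reader io.ReadCloser
	switch r.Header.Get("Content-Encoding") {
	case "gzip":
		gz, gzErr := gzip.NewReader(r.Body)
		if gzErr != nil {
			// Previously unchecked: a nil *gzip.Reader behind the interface made
			// the deferred Close panic.
			return false, fmt.Errorf("%s: gzip: %w", fileUrl, gzErr)
		}
		defer gz.Close()
		reader = gz
	default:
		reader = r.Body
	}

	buf := make([]byte, 64*1024)
	for {
		m, readErr := reader.Read(buf)
		fn(buf[:m])
		if readErr == io.EOF {
			return false, nil
		}
		if readErr != nil {
			// A transfer that breaks midway is worth a retry by the caller.
			return true, readErr
		}
	}
}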
// readEncryptedUrl fetches the whole encrypted chunk at fileUrl, decrypts it
// with cipherKey, optionally decompresses it, and passes the requested bytes
// to fn: the full payload when isFullChunk, else the window
// [offset, offset+size). The bool result is Get's retryable flag for fetch
// failures and false for every later failure.
//
// NOTE(review): a DecompressData failure is only logged; the function carries
// on with whatever DecompressData returned and relies on the length check to
// reject a payload that is too short — confirm this best-effort behaviour is
// intended.
func readEncryptedUrl(fileUrl string, cipherKey []byte, isContentCompressed bool, isFullChunk bool, offset int64, size int, fn func(data []byte)) (bool, error) {
	encryptedData, retryable, err := Get(fileUrl)
	if err != nil {
		return retryable, fmt.Errorf("fetch %s: %v", fileUrl, err)
	}
	decryptedData, err := Decrypt(encryptedData, CipherKey(cipherKey))
	if err != nil {
		return false, fmt.Errorf("decrypt %s: %v", fileUrl, err)
	}
	if isContentCompressed {
		if decryptedData, err = DecompressData(decryptedData); err != nil {
			glog.V(0).Infof("unzip decrypt %s: %v", fileUrl, err)
		}
	}
	start, end := int(offset), int(offset)+size
	if len(decryptedData) < end {
		return false, fmt.Errorf("read decrypted %s size %d [%d, %d)", fileUrl, len(decryptedData), offset, end)
	}
	window := decryptedData
	if !isFullChunk {
		window = decryptedData[start:end]
	}
	fn(window)
	return false, nil
}
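// gzipBodyReadCloser pairs a gzip decoder with the HTTP body it decodes so
// that closing the stream handed to the caller also releases the connection.
type gzipBodyReadCloser struct {
	*gzip.Reader
	body io.Closer
}

// Close closes the decoder, then the HTTP body, and returns the first error.
func (g *gzipBodyReadCloser) Close() error {
	err := g.Reader.Close()
	if bodyErr := g.body.Close(); err == nil {
		err = bodyErr
	}
	return err
}

// ReadUrlAsReaderCloser GETs fileUrl and returns the response body as a
// stream the caller must Close. jwt, when non-empty, is sent as a bearer
// token. rangeHeader, when non-empty, is sent verbatim as the Range header;
// otherwise gzip is accepted and a gzip-encoded body is decompressed on the
// fly. A status of 400 or above is returned as an error carrying the status
// line, with the body already drained and closed.
//
// Closing the returned stream closes the HTTP body in both the plain and the
// gzip case, so the pooled connection is released either way.
func ReadUrlAsReaderCloser(fileUrl string, jwt string, rangeHeader string) (io.ReadCloser, error) {
	req, err := http.NewRequest("GET", fileUrl, nil)
	if err != nil {
		return nil, err
	}
	if rangeHeader != "" {
		req.Header.Add("Range", rangeHeader)
	} else {
		req.Header.Add("Accept-Encoding", "gzip")
	}
	if jwt != "" {
		req.Header.Set("Authorization", "BEARER "+jwt)
	}

	r, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	if r.StatusCode >= 400 {
		// The caller never sees this body; release it instead of leaking it.
		CloseResponse(r)
		return nil, fmt.Errorf("%s: %s", fileUrl, r.Status)
	}

	switch r.Header.Get("Content-Encoding") {
	case "gzip":
		gz, gzErr := gzip.NewReader(r.Body)
		if gzErr != nil {
			// A truncated or corrupt gzip header used to leave a nil
			// *gzip.Reader behind the interface and panic in a deferred Close.
			CloseResponse(r)
			return nil, fmt.Errorf("%s: gzip: %w", fileUrl, gzErr)
		}
		// Not deferred-closed here: ownership passes to the caller, and the
		// wrapper makes the caller's Close reach r.Body as well.
		return &gzipBodyReadCloser{Reader: gz, body: r.Body}, nil
	default:
		return r.Body, nil
	}
}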
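// CloseResponse drains whatever is left of resp.Body and closes it, so the
// transport can return the connection to its idle pool. Leftover bytes are
// logged at V(1) because they usually mean the caller stopped reading early.
// A nil resp or nil body is a no-op.
//
// NOTE(review): the drain is unbounded — a peer that keeps sending holds this
// call until it stops or the connection dies.
func CloseResponse(resp *http.Response) {
	if resp == nil || resp.Body == nil {
		return
	}
	reader := &CountingReader{reader: resp.Body}
	// Best effort: a copy error only means the connection will not be reused;
	// Close below still runs.
	io.Copy(io.Discard, reader)
	resp.Body.Close()
	if reader.BytesRead > 0 {
		glog.V(1).Infof("response leftover %d bytes", reader.BytesRead)
	}
}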
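// CloseRequest drains whatever is left of req.Body and closes it, logging the
// leftover byte count at V(1). A nil req or nil body is a no-op: client-side
// requests without a body (e.g. GET) carry a nil Body, and dereferencing it
// here used to panic.
func CloseRequest(req *http.Request) {
	if req == nil || req.Body == nil {
		return
	}
	reader := &CountingReader{reader: req.Body}
	// Best effort: the drain error is irrelevant once Close below runs.
	io.Copy(io.Discard, reader)
	req.Body.Close()
	if reader.BytesRead > 0 {
		glog.V(1).Infof("request leftover %d bytes", reader.BytesRead)
	}
}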
// CountingReader wraps an io.Reader and tallies in BytesRead how many bytes
// have been read through it.
type CountingReader struct {
	reader    io.Reader
	BytesRead int
}

// Read forwards to the wrapped reader, adds the bytes delivered to BytesRead,
// and returns the wrapped reader's result unchanged.
func (cr *CountingReader) Read(p []byte) (int, error) {
	n, err := cr.reader.Read(p)
	cr.BytesRead += n
	return n, err
}