seaweedfs/weed/server/volume_server_handlers.go

package weed_server

import (
	"github.com/chrislusf/seaweedfs/weed/util"
	"net/http"
	"strings"

	"github.com/chrislusf/seaweedfs/weed/glog"
	"github.com/chrislusf/seaweedfs/weed/security"
	"github.com/chrislusf/seaweedfs/weed/stats"
)

/*

If volume server is started with a separated public port, the public port will
be more "secure".

Public port currently only supports reads.

Later writes on public port can have one of the 3
security settings:
1. not secured
2. secured by white list
3. secured by JWT(Json Web Token)

*/

func (vs *VolumeServer) privateStoreHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)
	switch r.Method {
	case "GET", "HEAD":
		stats.ReadRequest()
		vs.GetOrHeadHandler(w, r)
	case "DELETE":
		stats.DeleteRequest()
		vs.guard.WhiteList(vs.DeleteHandler)(w, r)
	case "PUT", "POST":
		stats.WriteRequest()
		vs.guard.WhiteList(vs.PostHandler)(w, r)
	}
}

func (vs *VolumeServer) publicReadOnlyHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)
	switch r.Method {
	case "GET":
		stats.ReadRequest()
		vs.GetOrHeadHandler(w, r)
	case "HEAD":
		stats.ReadRequest()
		vs.GetOrHeadHandler(w, r)
	}
}

func (vs *VolumeServer) maybeCheckJwtAuthorization(r *http.Request, vid, fid string, isWrite bool) bool {

	var signingKey security.SigningKey

	if isWrite {
		if len(vs.guard.SigningKey) == 0 {
			return true
		} else {
			signingKey = vs.guard.SigningKey
		}
	} else {
		if len(vs.guard.ReadSigningKey) == 0 {
			return true
		} else {
			signingKey = vs.guard.ReadSigningKey
		}
	}

	tokenStr := security.GetJwt(r)
	if tokenStr == "" {
		glog.V(1).Infof("missing jwt from %s", r.RemoteAddr)
		return false
	}

	token, err := security.DecodeJwt(signingKey, tokenStr)
	if err != nil {
		glog.V(1).Infof("jwt verification error from %s: %v", r.RemoteAddr, err)
		return false
	}
	if !token.Valid {
		glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)
		return false
	}

	if sc, ok := token.Claims.(*security.SeaweedFileIdClaims); ok {
		if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {
			fid = fid[:sepIndex]
		}
		return sc.Fid == vid+","+fid
	}
	glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)
	return false
}
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`package weed_server`

			`import (`
refactoring 2020-09-20 23:00:01 +00:00			`"github.com/chrislusf/seaweedfs/weed/util"`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`"net/http"`
jwt check the base file id fix https://github.com/chrislusf/seaweedfs/issues/867 2019-03-03 18:17:44 +00:00			`"strings"`
formatting code by: goimports -w=true . 2014-10-26 18:34:55 +00:00
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`"github.com/chrislusf/seaweedfs/weed/glog"`
			`"github.com/chrislusf/seaweedfs/weed/security"`
directory structure change to work with glide glide has its own requirements. My previous workaround caused me some code checkin errors. Need to fix this. 2016-06-03 01:09:14 +00:00			`"github.com/chrislusf/seaweedfs/weed/stats"`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`)`

Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`/*`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00
Add read only public port on volume server Add read only public port on volume server 2015-03-09 08:10:01 +00:00			`If volume server is started with a separated public port, the public port will`
			`be more "secure".`

			`Public port currently only supports reads.`

			`Later writes on public port can have one of the 3`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`security settings:`
			`1. not secured`
			`2. secured by white list`
			`3. secured by JWT(Json Web Token)`

			`*/`

			`func (vs VolumeServer) privateStoreHandler(w http.ResponseWriter, r http.Request) {`
adjust printout 2020-09-20 23:01:56 +00:00			`w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`switch r.Method {`
better way to handler switch case 2018-07-22 17:27:10 +00:00			`case "GET", "HEAD":`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.ReadRequest()`
Add partial content request support. 2014-05-27 04:15:05 +00:00			`vs.GetOrHeadHandler(w, r)`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`case "DELETE":`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.DeleteRequest()`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`vs.guard.WhiteList(vs.DeleteHandler)(w, r)`
better way to handler switch case 2018-07-22 17:27:10 +00:00			`case "PUT", "POST":`
1. adding statistics reporting 2. refactor version to util package 2014-03-25 20:46:59 +00:00			`stats.WriteRequest()`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`vs.guard.WhiteList(vs.PostHandler)(w, r)`
refactoring to separate master and volume server, so that these servers can be embedded into other applications 2013-12-02 09:37:36 +00:00			`}`
			`}`
refactor: split volume handlers into 3 files 2014-04-14 07:13:18 +00:00
Add read only public port on volume server Add read only public port on volume server 2015-03-09 08:10:01 +00:00			`func (vs VolumeServer) publicReadOnlyHandler(w http.ResponseWriter, r http.Request) {`
adjust printout 2020-09-20 23:01:56 +00:00			`w.Header().Set("Server", "SeaweedFS Volume "+util.VERSION)`
Separate read and write volume handlers. 2015-02-26 07:59:07 +00:00			`switch r.Method {`
			`case "GET":`
			`stats.ReadRequest()`
			`vs.GetOrHeadHandler(w, r)`
			`case "HEAD":`
			`stats.ReadRequest()`
			`vs.GetOrHeadHandler(w, r)`
batch delete on volume servers 2014-04-14 08:00:09 +00:00			`}`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00
jwt for read access control 2019-06-06 07:29:02 +00:00			`func (vs VolumeServer) maybeCheckJwtAuthorization(r http.Request, vid, fid string, isWrite bool) bool {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00
jwt for read access control 2019-06-06 07:29:02 +00:00			`var signingKey security.SigningKey`

			`if isWrite {`
			`if len(vs.guard.SigningKey) == 0 {`
			`return true`
			`} else {`
			`signingKey = vs.guard.SigningKey`
			`}`
go fmt 2019-06-11 04:33:32 +00:00			`} else {`
jwt for read access control 2019-06-06 07:29:02 +00:00			`if len(vs.guard.ReadSigningKey) == 0 {`
			`return true`
			`} else {`
			`signingKey = vs.guard.ReadSigningKey`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`}`

			`tokenStr := security.GetJwt(r)`
			`if tokenStr == "" {`
			`glog.V(1).Infof("missing jwt from %s", r.RemoteAddr)`
			`return false`
			`}`

jwt for read access control 2019-06-06 07:29:02 +00:00			`token, err := security.DecodeJwt(signingKey, tokenStr)`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`if err != nil {`
			`glog.V(1).Infof("jwt verification error from %s: %v", r.RemoteAddr, err)`
			`return false`
			`}`
			`if !token.Valid {`
			`glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)`
			`return false`
			`}`

			`if sc, ok := token.Claims.(*security.SeaweedFileIdClaims); ok {`
jwt check the base file id fix https://github.com/chrislusf/seaweedfs/issues/867 2019-03-03 18:17:44 +00:00			`if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {`
			`fid = fid[:sepIndex]`
			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`return sc.Fid == vid+","+fid`
			`}`
			`glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)`
			`return false`
			`}`