2020-02-09 22:30:02 +00:00
|
|
|
package s3api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"net/http"
|
|
|
|
|
2020-11-11 08:20:59 +00:00
|
|
|
xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
|
|
|
|
"github.com/chrislusf/seaweedfs/weed/s3api/s3err"
|
2020-02-09 22:30:02 +00:00
|
|
|
"github.com/golang/protobuf/jsonpb"
|
|
|
|
|
|
|
|
"github.com/chrislusf/seaweedfs/weed/glog"
|
|
|
|
"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
|
|
|
|
)
|
|
|
|
|
|
|
|
type Action string
|
|
|
|
|
|
|
|
const (
|
2020-10-08 06:22:35 +00:00
|
|
|
ACTION_READ = "Read"
|
|
|
|
ACTION_WRITE = "Write"
|
|
|
|
ACTION_ADMIN = "Admin"
|
|
|
|
ACTION_TAGGING = "Tagging"
|
|
|
|
ACTION_LIST = "List"
|
2020-02-09 22:30:02 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type Iam interface {
|
|
|
|
Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
|
|
|
|
}
|
|
|
|
|
|
|
|
type IdentityAccessManagement struct {
|
|
|
|
identities []*Identity
|
2020-02-10 00:02:05 +00:00
|
|
|
domain string
|
2020-02-09 22:30:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type Identity struct {
|
|
|
|
Name string
|
|
|
|
Credentials []*Credential
|
|
|
|
Actions []Action
|
|
|
|
}
|
|
|
|
|
|
|
|
type Credential struct {
|
|
|
|
AccessKey string
|
|
|
|
SecretKey string
|
|
|
|
}
|
|
|
|
|
2020-02-10 00:02:05 +00:00
|
|
|
func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
|
|
|
|
iam := &IdentityAccessManagement{
|
|
|
|
domain: domain,
|
|
|
|
}
|
2020-02-09 22:30:02 +00:00
|
|
|
if fileName == "" {
|
|
|
|
return iam
|
|
|
|
}
|
2020-02-17 20:31:59 +00:00
|
|
|
if err := iam.loadS3ApiConfiguration(fileName); err != nil {
|
2020-02-09 22:30:02 +00:00
|
|
|
glog.Fatalf("fail to load config file %s: %v", fileName, err)
|
|
|
|
}
|
|
|
|
return iam
|
|
|
|
}
|
|
|
|
|
2020-02-17 20:31:59 +00:00
|
|
|
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
|
2020-02-09 22:30:02 +00:00
|
|
|
|
2020-02-17 20:31:59 +00:00
|
|
|
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
|
2020-02-09 22:30:02 +00:00
|
|
|
|
|
|
|
rawData, readErr := ioutil.ReadFile(fileName)
|
|
|
|
if readErr != nil {
|
|
|
|
glog.Warningf("fail to read %s : %v", fileName, readErr)
|
|
|
|
return fmt.Errorf("fail to read %s : %v", fileName, readErr)
|
|
|
|
}
|
|
|
|
|
2020-09-20 22:38:59 +00:00
|
|
|
glog.V(1).Infof("load s3 config: %v", fileName)
|
2020-02-17 20:31:59 +00:00
|
|
|
if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
|
2020-02-09 22:30:02 +00:00
|
|
|
glog.Warningf("unmarshal error: %v", err)
|
|
|
|
return fmt.Errorf("unmarshal %s error: %v", fileName, err)
|
|
|
|
}
|
|
|
|
|
2020-02-17 20:31:59 +00:00
|
|
|
for _, ident := range s3ApiConfiguration.Identities {
|
2020-02-09 22:30:02 +00:00
|
|
|
t := &Identity{
|
|
|
|
Name: ident.Name,
|
|
|
|
Credentials: nil,
|
|
|
|
Actions: nil,
|
|
|
|
}
|
|
|
|
for _, action := range ident.Actions {
|
|
|
|
t.Actions = append(t.Actions, Action(action))
|
|
|
|
}
|
|
|
|
for _, cred := range ident.Credentials {
|
|
|
|
t.Credentials = append(t.Credentials, &Credential{
|
|
|
|
AccessKey: cred.AccessKey,
|
|
|
|
SecretKey: cred.SecretKey,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
iam.identities = append(iam.identities, t)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-07-11 16:11:15 +00:00
|
|
|
func (iam *IdentityAccessManagement) isEnabled() bool {
|
|
|
|
|
|
|
|
return len(iam.identities) > 0
|
|
|
|
}
|
|
|
|
|
2020-02-09 22:30:02 +00:00
|
|
|
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
|
2020-07-11 16:11:15 +00:00
|
|
|
|
2020-02-09 22:30:02 +00:00
|
|
|
for _, ident := range iam.identities {
|
|
|
|
for _, cred := range ident.Credentials {
|
|
|
|
if cred.AccessKey == accessKey {
|
|
|
|
return ident, cred, true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, nil, false
|
|
|
|
}
|
|
|
|
|
2020-08-06 10:41:34 +00:00
|
|
|
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
|
|
|
|
|
|
|
|
for _, ident := range iam.identities {
|
|
|
|
if ident.Name == "anonymous" {
|
|
|
|
return ident, true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
2020-02-23 05:34:18 +00:00
|
|
|
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
|
2020-02-09 22:30:02 +00:00
|
|
|
|
2020-07-25 09:14:49 +00:00
|
|
|
if !iam.isEnabled() {
|
2020-02-09 22:30:02 +00:00
|
|
|
return f
|
|
|
|
}
|
|
|
|
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2020-11-11 08:20:59 +00:00
|
|
|
identity, errCode := iam.authRequest(r, action)
|
2020-09-19 21:09:58 +00:00
|
|
|
if errCode == s3err.ErrNone {
|
2020-11-11 08:20:59 +00:00
|
|
|
if identity != nil && identity.Name != "" {
|
|
|
|
r.Header.Set(xhttp.AmzIdentityId, identity.Name)
|
2020-11-12 21:57:54 +00:00
|
|
|
if identity.isAdmin() {
|
|
|
|
r.Header.Set(xhttp.AmzIsAdmin, "true")
|
|
|
|
}
|
2020-11-11 08:20:59 +00:00
|
|
|
}
|
2020-02-09 22:30:02 +00:00
|
|
|
f(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
writeErrorResponse(w, errCode, r.URL)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// check whether the request has valid access keys
|
2020-11-11 08:20:59 +00:00
|
|
|
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
|
2020-02-09 22:30:02 +00:00
|
|
|
var identity *Identity
|
2020-09-19 21:09:58 +00:00
|
|
|
var s3Err s3err.ErrorCode
|
2020-08-06 10:41:34 +00:00
|
|
|
var found bool
|
2020-02-09 22:30:02 +00:00
|
|
|
switch getRequestAuthType(r) {
|
2020-02-10 00:02:05 +00:00
|
|
|
case authTypeStreamingSigned:
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrNone
|
2020-02-10 00:02:05 +00:00
|
|
|
case authTypeUnknown:
|
|
|
|
glog.V(3).Infof("unknown auth type")
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrAccessDenied
|
2020-02-09 22:30:02 +00:00
|
|
|
case authTypePresignedV2, authTypeSignedV2:
|
2020-02-10 00:02:05 +00:00
|
|
|
glog.V(3).Infof("v2 auth type")
|
|
|
|
identity, s3Err = iam.isReqAuthenticatedV2(r)
|
2020-02-09 22:30:02 +00:00
|
|
|
case authTypeSigned, authTypePresigned:
|
2020-02-10 00:02:05 +00:00
|
|
|
glog.V(3).Infof("v4 auth type")
|
2020-02-09 22:30:02 +00:00
|
|
|
identity, s3Err = iam.reqSignatureV4Verify(r)
|
add unhandled request auth type
fix
2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference
goroutine 595 [running]:
net/http.(*conn).serve.func1(0xc0001fe3c0)
/usr/lib/go/src/net/http/server.go:1767 +0x13b
panic(0x55c4e35f3820, 0x55c4e48b3c40)
/usr/lib/go/src/runtime/panic.go:679 +0x1b6
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e
net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/usr/lib/go/src/net/http/server.go:2007 +0x46
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4
net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/usr/lib/go/src/net/http/server.go:2802 +0xa6
net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180)
/usr/lib/go/src/net/http/server.go:1890 +0x877
created by net/http.(*Server).Serve
/usr/lib/go/src/net/http/server.go:2927 +0x390
2020-02-18 17:16:04 +00:00
|
|
|
case authTypePostPolicy:
|
2020-02-22 22:01:04 +00:00
|
|
|
glog.V(3).Infof("post policy auth type")
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrNone
|
add unhandled request auth type
fix
2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference
goroutine 595 [running]:
net/http.(*conn).serve.func1(0xc0001fe3c0)
/usr/lib/go/src/net/http/server.go:1767 +0x13b
panic(0x55c4e35f3820, 0x55c4e48b3c40)
/usr/lib/go/src/runtime/panic.go:679 +0x1b6
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e
net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/usr/lib/go/src/net/http/server.go:2007 +0x46
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4
net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/usr/lib/go/src/net/http/server.go:2802 +0xa6
net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180)
/usr/lib/go/src/net/http/server.go:1890 +0x877
created by net/http.(*Server).Serve
/usr/lib/go/src/net/http/server.go:2927 +0x390
2020-02-18 17:16:04 +00:00
|
|
|
case authTypeJWT:
|
2020-02-22 22:01:04 +00:00
|
|
|
glog.V(3).Infof("jwt auth type")
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrNotImplemented
|
add unhandled request auth type
fix
2020-02-18 11:43:57.396699 I | http: panic serving 172.28.0.43:50658: runtime error: invalid memory address or nil pointer dereference
goroutine 595 [running]:
net/http.(*conn).serve.func1(0xc0001fe3c0)
/usr/lib/go/src/net/http/server.go:1767 +0x13b
panic(0x55c4e35f3820, 0x55c4e48b3c40)
/usr/lib/go/src/runtime/panic.go:679 +0x1b6
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).authRequest(0xc0004b84e0, 0xc000115900, 0xc0000bb650, 0x1, 0x1, 0x55c4e399d740)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:143 +0x11c
github.com/chrislusf/seaweedfs/weed/s3api.(*IdentityAccessManagement).Auth.func1(0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/go/src/github.com/chrislusf/seaweedfs/weed/s3api/auth_credentials.go:111 +0x5e
net/http.HandlerFunc.ServeHTTP(0xc0004b87e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115900)
/usr/lib/go/src/net/http/server.go:2007 +0x46
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0004ba000, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/root/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe4
net/http.serverHandler.ServeHTTP(0xc00011e0e0, 0x55c4e3994c40, 0xc0007808c0, 0xc000115700)
/usr/lib/go/src/net/http/server.go:2802 +0xa6
net/http.(*conn).serve(0xc0001fe3c0, 0x55c4e399d680, 0xc000894180)
/usr/lib/go/src/net/http/server.go:1890 +0x877
created by net/http.(*Server).Serve
/usr/lib/go/src/net/http/server.go:2927 +0x390
2020-02-18 17:16:04 +00:00
|
|
|
case authTypeAnonymous:
|
2020-08-06 10:41:34 +00:00
|
|
|
identity, found = iam.lookupAnonymous()
|
|
|
|
if !found {
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrAccessDenied
|
2020-08-06 10:41:34 +00:00
|
|
|
}
|
2020-02-22 22:01:04 +00:00
|
|
|
default:
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrNotImplemented
|
2020-02-09 22:30:02 +00:00
|
|
|
}
|
|
|
|
|
2020-02-10 00:02:05 +00:00
|
|
|
glog.V(3).Infof("auth error: %v", s3Err)
|
2020-09-19 21:09:58 +00:00
|
|
|
if s3Err != s3err.ErrNone {
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3Err
|
2020-02-10 00:02:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
|
|
|
|
|
2020-07-26 19:58:58 +00:00
|
|
|
bucket, _ := getBucketAndObject(r)
|
2020-02-23 05:34:18 +00:00
|
|
|
|
|
|
|
if !identity.canDo(action, bucket) {
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrAccessDenied
|
2020-02-09 22:30:02 +00:00
|
|
|
}
|
|
|
|
|
2020-11-11 08:20:59 +00:00
|
|
|
return identity, s3err.ErrNone
|
2020-02-09 22:30:02 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2020-02-23 05:34:18 +00:00
|
|
|
func (identity *Identity) canDo(action Action, bucket string) bool {
|
2020-11-12 21:57:54 +00:00
|
|
|
if identity.isAdmin() {
|
|
|
|
return true
|
2020-02-23 05:34:18 +00:00
|
|
|
}
|
|
|
|
for _, a := range identity.Actions {
|
|
|
|
if a == action {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if bucket == "" {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
limitedByBucket := string(action) + ":" + bucket
|
|
|
|
for _, a := range identity.Actions {
|
|
|
|
if string(a) == limitedByBucket {
|
|
|
|
return true
|
2020-02-09 22:30:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2020-11-12 21:57:54 +00:00
|
|
|
|
|
|
|
func (identity *Identity) isAdmin() bool {
|
|
|
|
for _, a := range identity.Actions {
|
|
|
|
if a == "Admin" {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|