auth_credentials.go 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354
  1. package s3api
  2. import (
  3. "fmt"
  4. "net/http"
  5. "os"
  6. "strings"
  7. "sync"
  8. "github.com/chrislusf/seaweedfs/weed/filer"
  9. "github.com/chrislusf/seaweedfs/weed/glog"
  10. "github.com/chrislusf/seaweedfs/weed/pb"
  11. "github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
  12. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  13. xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
  14. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  15. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  16. )
  17. type Action string
  18. type Iam interface {
  19. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  20. }
  21. type IdentityAccessManagement struct {
  22. m sync.RWMutex
  23. identities []*Identity
  24. domain string
  25. }
  26. type Identity struct {
  27. Name string
  28. Credentials []*Credential
  29. Actions []Action
  30. }
  31. type Credential struct {
  32. AccessKey string
  33. SecretKey string
  34. }
  35. func (action Action) isAdmin() bool {
  36. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  37. }
  38. func (action Action) isOwner(bucket string) bool {
  39. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  40. }
  41. func (action Action) overBucket(bucket string) bool {
  42. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  43. }
  44. func (action Action) getPermission() Permission {
  45. switch act := strings.Split(string(action), ":")[0]; act {
  46. case s3_constants.ACTION_ADMIN:
  47. return Permission("FULL_CONTROL")
  48. case s3_constants.ACTION_WRITE:
  49. return Permission("WRITE")
  50. case s3_constants.ACTION_READ:
  51. return Permission("READ")
  52. default:
  53. return Permission("")
  54. }
  55. }
  56. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  57. iam := &IdentityAccessManagement{
  58. domain: option.DomainName,
  59. }
  60. if option.Config != "" {
  61. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  62. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  63. }
  64. } else {
  65. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  66. glog.Warningf("fail to load config: %v", err)
  67. }
  68. }
  69. return iam
  70. }
  71. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  72. var content []byte
  73. err = pb.WithFilerClient(false, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  74. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirecotry, filer.IamIdentityFile)
  75. return err
  76. })
  77. if err != nil {
  78. return fmt.Errorf("read S3 config: %v", err)
  79. }
  80. return iam.loadS3ApiConfigurationFromBytes(content)
  81. }
  82. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  83. content, readErr := os.ReadFile(fileName)
  84. if readErr != nil {
  85. glog.Warningf("fail to read %s : %v", fileName, readErr)
  86. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  87. }
  88. return iam.loadS3ApiConfigurationFromBytes(content)
  89. }
  90. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromBytes(content []byte) error {
  91. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  92. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  93. glog.Warningf("unmarshal error: %v", err)
  94. return fmt.Errorf("unmarshal error: %v", err)
  95. }
  96. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  97. return err
  98. }
  99. return nil
  100. }
  101. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  102. var identities []*Identity
  103. for _, ident := range config.Identities {
  104. t := &Identity{
  105. Name: ident.Name,
  106. Credentials: nil,
  107. Actions: nil,
  108. }
  109. for _, action := range ident.Actions {
  110. t.Actions = append(t.Actions, Action(action))
  111. }
  112. for _, cred := range ident.Credentials {
  113. t.Credentials = append(t.Credentials, &Credential{
  114. AccessKey: cred.AccessKey,
  115. SecretKey: cred.SecretKey,
  116. })
  117. }
  118. identities = append(identities, t)
  119. }
  120. iam.m.Lock()
  121. // atomically switch
  122. iam.identities = identities
  123. iam.m.Unlock()
  124. return nil
  125. }
  126. func (iam *IdentityAccessManagement) isEnabled() bool {
  127. iam.m.RLock()
  128. defer iam.m.RUnlock()
  129. return len(iam.identities) > 0
  130. }
  131. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  132. iam.m.RLock()
  133. defer iam.m.RUnlock()
  134. for _, ident := range iam.identities {
  135. for _, cred := range ident.Credentials {
  136. // println("checking", ident.Name, cred.AccessKey)
  137. if cred.AccessKey == accessKey {
  138. return ident, cred, true
  139. }
  140. }
  141. }
  142. glog.V(1).Infof("could not find accessKey %s", accessKey)
  143. return nil, nil, false
  144. }
  145. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  146. iam.m.RLock()
  147. defer iam.m.RUnlock()
  148. for _, ident := range iam.identities {
  149. if ident.Name == "anonymous" {
  150. return ident, true
  151. }
  152. }
  153. return nil, false
  154. }
  155. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  156. if !iam.isEnabled() {
  157. return f
  158. }
  159. return func(w http.ResponseWriter, r *http.Request) {
  160. identity, errCode := iam.authRequest(r, action)
  161. if errCode == s3err.ErrNone {
  162. if identity != nil && identity.Name != "" {
  163. r.Header.Set(xhttp.AmzIdentityId, identity.Name)
  164. if identity.isAdmin() {
  165. r.Header.Set(xhttp.AmzIsAdmin, "true")
  166. } else if _, ok := r.Header[xhttp.AmzIsAdmin]; ok {
  167. r.Header.Del(xhttp.AmzIsAdmin)
  168. }
  169. }
  170. f(w, r)
  171. return
  172. }
  173. s3err.WriteErrorResponse(w, r, errCode)
  174. }
  175. }
  176. // check whether the request has valid access keys
  177. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  178. var identity *Identity
  179. var s3Err s3err.ErrorCode
  180. var found bool
  181. var authType string
  182. switch getRequestAuthType(r) {
  183. case authTypeStreamingSigned:
  184. return identity, s3err.ErrNone
  185. case authTypeUnknown:
  186. glog.V(3).Infof("unknown auth type")
  187. r.Header.Set(xhttp.AmzAuthType, "Unknown")
  188. return identity, s3err.ErrAccessDenied
  189. case authTypePresignedV2, authTypeSignedV2:
  190. glog.V(3).Infof("v2 auth type")
  191. identity, s3Err = iam.isReqAuthenticatedV2(r)
  192. authType = "SigV2"
  193. case authTypeSigned, authTypePresigned:
  194. glog.V(3).Infof("v4 auth type")
  195. identity, s3Err = iam.reqSignatureV4Verify(r)
  196. authType = "SigV4"
  197. case authTypePostPolicy:
  198. glog.V(3).Infof("post policy auth type")
  199. r.Header.Set(xhttp.AmzAuthType, "PostPolicy")
  200. return identity, s3err.ErrNone
  201. case authTypeJWT:
  202. glog.V(3).Infof("jwt auth type")
  203. r.Header.Set(xhttp.AmzAuthType, "Jwt")
  204. return identity, s3err.ErrNotImplemented
  205. case authTypeAnonymous:
  206. authType = "Anonymous"
  207. identity, found = iam.lookupAnonymous()
  208. if !found {
  209. r.Header.Set(xhttp.AmzAuthType, authType)
  210. return identity, s3err.ErrAccessDenied
  211. }
  212. default:
  213. return identity, s3err.ErrNotImplemented
  214. }
  215. if len(authType) > 0 {
  216. r.Header.Set(xhttp.AmzAuthType, authType)
  217. }
  218. if s3Err != s3err.ErrNone {
  219. return identity, s3Err
  220. }
  221. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  222. bucket, object := xhttp.GetBucketAndObject(r)
  223. if !identity.canDo(action, bucket, object) {
  224. return identity, s3err.ErrAccessDenied
  225. }
  226. return identity, s3err.ErrNone
  227. }
  228. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  229. var identity *Identity
  230. var s3Err s3err.ErrorCode
  231. var found bool
  232. var authType string
  233. switch getRequestAuthType(r) {
  234. case authTypeStreamingSigned:
  235. return identity, s3err.ErrNone
  236. case authTypeUnknown:
  237. glog.V(3).Infof("unknown auth type")
  238. r.Header.Set(xhttp.AmzAuthType, "Unknown")
  239. return identity, s3err.ErrAccessDenied
  240. case authTypePresignedV2, authTypeSignedV2:
  241. glog.V(3).Infof("v2 auth type")
  242. identity, s3Err = iam.isReqAuthenticatedV2(r)
  243. authType = "SigV2"
  244. case authTypeSigned, authTypePresigned:
  245. glog.V(3).Infof("v4 auth type")
  246. identity, s3Err = iam.reqSignatureV4Verify(r)
  247. authType = "SigV4"
  248. case authTypePostPolicy:
  249. glog.V(3).Infof("post policy auth type")
  250. r.Header.Set(xhttp.AmzAuthType, "PostPolicy")
  251. return identity, s3err.ErrNone
  252. case authTypeJWT:
  253. glog.V(3).Infof("jwt auth type")
  254. r.Header.Set(xhttp.AmzAuthType, "Jwt")
  255. return identity, s3err.ErrNotImplemented
  256. case authTypeAnonymous:
  257. authType = "Anonymous"
  258. identity, found = iam.lookupAnonymous()
  259. if !found {
  260. r.Header.Set(xhttp.AmzAuthType, authType)
  261. return identity, s3err.ErrAccessDenied
  262. }
  263. default:
  264. return identity, s3err.ErrNotImplemented
  265. }
  266. if len(authType) > 0 {
  267. r.Header.Set(xhttp.AmzAuthType, authType)
  268. }
  269. glog.V(3).Infof("auth error: %v", s3Err)
  270. if s3Err != s3err.ErrNone {
  271. return identity, s3Err
  272. }
  273. return identity, s3err.ErrNone
  274. }
  275. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  276. if identity.isAdmin() {
  277. return true
  278. }
  279. for _, a := range identity.Actions {
  280. if a == action {
  281. return true
  282. }
  283. }
  284. if bucket == "" {
  285. return false
  286. }
  287. target := string(action) + ":" + bucket + objectKey
  288. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  289. limitedByBucket := string(action) + ":" + bucket
  290. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  291. for _, a := range identity.Actions {
  292. act := string(a)
  293. if strings.HasSuffix(act, "*") {
  294. if strings.HasPrefix(target, act[:len(act)-1]) {
  295. return true
  296. }
  297. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  298. return true
  299. }
  300. } else {
  301. if act == limitedByBucket {
  302. return true
  303. }
  304. if act == adminLimitedByBucket {
  305. return true
  306. }
  307. }
  308. }
  309. return false
  310. }
  311. func (identity *Identity) isAdmin() bool {
  312. for _, a := range identity.Actions {
  313. if a == "Admin" {
  314. return true
  315. }
  316. }
  317. return false
  318. }