iamapi_management_handlers.go 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516
  1. package iamapi
  2. import (
  3. "crypto/sha1"
  4. "encoding/json"
  5. "fmt"
  6. "math/rand"
  7. "net/http"
  8. "net/url"
  9. "reflect"
  10. "strings"
  11. "sync"
  12. "time"
  13. "github.com/seaweedfs/seaweedfs/weed/glog"
  14. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  15. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  16. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  17. "github.com/aws/aws-sdk-go/service/iam"
  18. )
  19. const (
  20. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  21. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  22. policyDocumentVersion = "2012-10-17"
  23. StatementActionAdmin = "*"
  24. StatementActionWrite = "Put*"
  25. StatementActionWriteAcp = "PutBucketAcl"
  26. StatementActionRead = "Get*"
  27. StatementActionReadAcp = "GetBucketAcl"
  28. StatementActionList = "List*"
  29. StatementActionTagging = "Tagging*"
  30. )
  31. var (
  32. seededRand *rand.Rand = rand.New(
  33. rand.NewSource(time.Now().UnixNano()))
  34. policyDocuments = map[string]*PolicyDocument{}
  35. policyLock = sync.RWMutex{}
  36. )
  37. func MapToStatementAction(action string) string {
  38. switch action {
  39. case StatementActionAdmin:
  40. return s3_constants.ACTION_ADMIN
  41. case StatementActionWrite:
  42. return s3_constants.ACTION_WRITE
  43. case StatementActionWriteAcp:
  44. return s3_constants.ACTION_WRITE_ACP
  45. case StatementActionRead:
  46. return s3_constants.ACTION_READ
  47. case StatementActionReadAcp:
  48. return s3_constants.ACTION_READ_ACP
  49. case StatementActionList:
  50. return s3_constants.ACTION_LIST
  51. case StatementActionTagging:
  52. return s3_constants.ACTION_TAGGING
  53. default:
  54. return ""
  55. }
  56. }
  57. func MapToIdentitiesAction(action string) string {
  58. switch action {
  59. case s3_constants.ACTION_ADMIN:
  60. return StatementActionAdmin
  61. case s3_constants.ACTION_WRITE:
  62. return StatementActionWrite
  63. case s3_constants.ACTION_WRITE_ACP:
  64. return StatementActionWriteAcp
  65. case s3_constants.ACTION_READ:
  66. return StatementActionRead
  67. case s3_constants.ACTION_READ_ACP:
  68. return StatementActionReadAcp
  69. case s3_constants.ACTION_LIST:
  70. return StatementActionList
  71. case s3_constants.ACTION_TAGGING:
  72. return StatementActionTagging
  73. default:
  74. return ""
  75. }
  76. }
  77. type Statement struct {
  78. Effect string `json:"Effect"`
  79. Action []string `json:"Action"`
  80. Resource []string `json:"Resource"`
  81. }
  82. type Policies struct {
  83. Policies map[string]PolicyDocument `json:"policies"`
  84. }
  85. type PolicyDocument struct {
  86. Version string `json:"Version"`
  87. Statement []*Statement `json:"Statement"`
  88. }
  89. func (p PolicyDocument) String() string {
  90. b, _ := json.Marshal(p)
  91. return string(b)
  92. }
  93. func Hash(s *string) string {
  94. h := sha1.New()
  95. h.Write([]byte(*s))
  96. return fmt.Sprintf("%x", h.Sum(nil))
  97. }
  98. func StringWithCharset(length int, charset string) string {
  99. b := make([]byte, length)
  100. for i := range b {
  101. b[i] = charset[seededRand.Intn(len(charset))]
  102. }
  103. return string(b)
  104. }
  105. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  106. for _, ident := range s3cfg.Identities {
  107. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  108. }
  109. return resp
  110. }
  111. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  112. status := iam.StatusTypeActive
  113. userName := values.Get("UserName")
  114. for _, ident := range s3cfg.Identities {
  115. if userName != "" && userName != ident.Name {
  116. continue
  117. }
  118. for _, cred := range ident.Credentials {
  119. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  120. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  121. )
  122. }
  123. }
  124. return resp
  125. }
  126. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  127. userName := values.Get("UserName")
  128. resp.CreateUserResult.User.UserName = &userName
  129. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  130. return resp
  131. }
  132. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err error) {
  133. for i, ident := range s3cfg.Identities {
  134. if userName == ident.Name {
  135. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  136. return resp, nil
  137. }
  138. }
  139. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  140. }
  141. func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err error) {
  142. for _, ident := range s3cfg.Identities {
  143. if userName == ident.Name {
  144. resp.GetUserResult.User = iam.User{UserName: &ident.Name}
  145. return resp, nil
  146. }
  147. }
  148. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  149. }
  150. func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp UpdateUserResponse, err error) {
  151. userName := values.Get("UserName")
  152. newUserName := values.Get("NewUserName")
  153. if newUserName != "" {
  154. for _, ident := range s3cfg.Identities {
  155. if userName == ident.Name {
  156. ident.Name = newUserName
  157. return resp, nil
  158. }
  159. }
  160. } else {
  161. return resp, nil
  162. }
  163. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  164. }
  165. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  166. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  167. return PolicyDocument{}, err
  168. }
  169. return policyDocument, err
  170. }
  171. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) {
  172. policyName := values.Get("PolicyName")
  173. policyDocumentString := values.Get("PolicyDocument")
  174. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  175. if err != nil {
  176. return CreatePolicyResponse{}, err
  177. }
  178. policyId := Hash(&policyDocumentString)
  179. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  180. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  181. resp.CreatePolicyResult.Policy.Arn = &arn
  182. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  183. policies := Policies{}
  184. policyLock.Lock()
  185. defer policyLock.Unlock()
  186. if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil {
  187. return resp, err
  188. }
  189. policies.Policies[policyName] = policyDocument
  190. if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
  191. return resp, err
  192. }
  193. return resp, nil
  194. }
  195. // https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
  196. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  197. userName := values.Get("UserName")
  198. policyName := values.Get("PolicyName")
  199. policyDocumentString := values.Get("PolicyDocument")
  200. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  201. if err != nil {
  202. return PutUserPolicyResponse{}, err
  203. }
  204. policyDocuments[policyName] = &policyDocument
  205. actions := GetActions(&policyDocument)
  206. for _, ident := range s3cfg.Identities {
  207. if userName != ident.Name {
  208. continue
  209. }
  210. ident.Actions = actions
  211. return resp, nil
  212. }
  213. return resp, fmt.Errorf("%s: the user with name %s cannot be found", iam.ErrCodeNoSuchEntityException, userName)
  214. }
  215. func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err error) {
  216. userName := values.Get("UserName")
  217. policyName := values.Get("PolicyName")
  218. for _, ident := range s3cfg.Identities {
  219. if userName != ident.Name {
  220. continue
  221. }
  222. resp.GetUserPolicyResult.UserName = userName
  223. resp.GetUserPolicyResult.PolicyName = policyName
  224. if len(ident.Actions) == 0 {
  225. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  226. }
  227. policyDocument := PolicyDocument{Version: policyDocumentVersion}
  228. statements := make(map[string][]string)
  229. for _, action := range ident.Actions {
  230. // parse "Read:EXAMPLE-BUCKET"
  231. act := strings.Split(action, ":")
  232. resource := "*"
  233. if len(act) == 2 {
  234. resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
  235. }
  236. statements[resource] = append(statements[resource],
  237. fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
  238. )
  239. }
  240. for resource, actions := range statements {
  241. isEqAction := false
  242. for i, statement := range policyDocument.Statement {
  243. if reflect.DeepEqual(statement.Action, actions) {
  244. policyDocument.Statement[i].Resource = append(
  245. policyDocument.Statement[i].Resource, resource)
  246. isEqAction = true
  247. break
  248. }
  249. }
  250. if isEqAction {
  251. continue
  252. }
  253. policyDocumentStatement := Statement{
  254. Effect: "Allow",
  255. Action: actions,
  256. }
  257. policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource)
  258. policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement)
  259. }
  260. resp.GetUserPolicyResult.PolicyDocument = policyDocument.String()
  261. return resp, nil
  262. }
  263. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  264. }
  265. func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  266. userName := values.Get("UserName")
  267. for i, ident := range s3cfg.Identities {
  268. if ident.Name == userName {
  269. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  270. return resp, nil
  271. }
  272. }
  273. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  274. }
  275. func GetActions(policy *PolicyDocument) (actions []string) {
  276. for _, statement := range policy.Statement {
  277. if statement.Effect != "Allow" {
  278. continue
  279. }
  280. for _, resource := range statement.Resource {
  281. // Parse "arn:aws:s3:::my-bucket/shared/*"
  282. res := strings.Split(resource, ":")
  283. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  284. glog.Infof("not match resource: %s", res)
  285. continue
  286. }
  287. for _, action := range statement.Action {
  288. // Parse "s3:Get*"
  289. act := strings.Split(action, ":")
  290. if len(act) != 2 || act[0] != "s3" {
  291. glog.Infof("not match action: %s", act)
  292. continue
  293. }
  294. statementAction := MapToStatementAction(act[1])
  295. if res[5] == "*" {
  296. actions = append(actions, statementAction)
  297. continue
  298. }
  299. // Parse my-bucket/shared/*
  300. path := strings.Split(res[5], "/")
  301. if len(path) != 2 || path[1] != "*" {
  302. glog.Infof("not match bucket: %s", path)
  303. continue
  304. }
  305. actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
  306. }
  307. }
  308. }
  309. return actions
  310. }
  311. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  312. userName := values.Get("UserName")
  313. status := iam.StatusTypeActive
  314. accessKeyId := StringWithCharset(21, charsetUpper)
  315. secretAccessKey := StringWithCharset(42, charset)
  316. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  317. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  318. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  319. resp.CreateAccessKeyResult.AccessKey.Status = &status
  320. changed := false
  321. for _, ident := range s3cfg.Identities {
  322. if userName == ident.Name {
  323. ident.Credentials = append(ident.Credentials,
  324. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  325. changed = true
  326. break
  327. }
  328. }
  329. if !changed {
  330. s3cfg.Identities = append(s3cfg.Identities,
  331. &iam_pb.Identity{
  332. Name: userName,
  333. Credentials: []*iam_pb.Credential{
  334. {
  335. AccessKey: accessKeyId,
  336. SecretKey: secretAccessKey,
  337. },
  338. },
  339. },
  340. )
  341. }
  342. return resp
  343. }
  344. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  345. userName := values.Get("UserName")
  346. accessKeyId := values.Get("AccessKeyId")
  347. for _, ident := range s3cfg.Identities {
  348. if userName == ident.Name {
  349. for i, cred := range ident.Credentials {
  350. if cred.AccessKey == accessKeyId {
  351. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  352. break
  353. }
  354. }
  355. break
  356. }
  357. }
  358. return resp
  359. }
  360. // handleImplicitUsername adds username who signs the request to values if 'username' is not specified
  361. // According to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html/
  362. // "If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web
  363. // Services access key ID signing the request."
  364. func handleImplicitUsername(r *http.Request, values url.Values) {
  365. if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
  366. return
  367. }
  368. // get username who signs the request. For a typical Authorization:
  369. // "AWS4-HMAC-SHA256 Credential=197FSAQ7HHTA48X64O3A/20220420/test1/iam/aws4_request, SignedHeaders=content-type;
  370. // host;x-amz-date, Signature=6757dc6b3d7534d67e17842760310e99ee695408497f6edc4fdb84770c252dc8",
  371. // the "test1" will be extracted as the username
  372. glog.V(4).Infof("Authorization field: %v", r.Header["Authorization"][0])
  373. s := strings.Split(r.Header["Authorization"][0], "Credential=")
  374. if len(s) < 2 {
  375. return
  376. }
  377. s = strings.Split(s[1], ",")
  378. if len(s) < 2 {
  379. return
  380. }
  381. s = strings.Split(s[0], "/")
  382. if len(s) < 5 {
  383. return
  384. }
  385. userName := s[2]
  386. values.Set("UserName", userName)
  387. }
  388. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  389. if err := r.ParseForm(); err != nil {
  390. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  391. return
  392. }
  393. values := r.PostForm
  394. s3cfg := &iam_pb.S3ApiConfiguration{}
  395. if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil {
  396. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  397. return
  398. }
  399. glog.V(4).Infof("DoActions: %+v", values)
  400. var response interface{}
  401. var err error
  402. changed := true
  403. switch r.Form.Get("Action") {
  404. case "ListUsers":
  405. response = iama.ListUsers(s3cfg, values)
  406. changed = false
  407. case "ListAccessKeys":
  408. handleImplicitUsername(r, values)
  409. response = iama.ListAccessKeys(s3cfg, values)
  410. changed = false
  411. case "CreateUser":
  412. response = iama.CreateUser(s3cfg, values)
  413. case "GetUser":
  414. userName := values.Get("UserName")
  415. response, err = iama.GetUser(s3cfg, userName)
  416. if err != nil {
  417. writeIamErrorResponse(w, r, err, "user", userName, nil)
  418. return
  419. }
  420. changed = false
  421. case "UpdateUser":
  422. response, err = iama.UpdateUser(s3cfg, values)
  423. if err != nil {
  424. glog.Errorf("UpdateUser: %+v", err)
  425. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  426. return
  427. }
  428. case "DeleteUser":
  429. userName := values.Get("UserName")
  430. response, err = iama.DeleteUser(s3cfg, userName)
  431. if err != nil {
  432. writeIamErrorResponse(w, r, err, "user", userName, nil)
  433. return
  434. }
  435. case "CreateAccessKey":
  436. handleImplicitUsername(r, values)
  437. response = iama.CreateAccessKey(s3cfg, values)
  438. case "DeleteAccessKey":
  439. handleImplicitUsername(r, values)
  440. response = iama.DeleteAccessKey(s3cfg, values)
  441. case "CreatePolicy":
  442. response, err = iama.CreatePolicy(s3cfg, values)
  443. if err != nil {
  444. glog.Errorf("CreatePolicy: %+v", err)
  445. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  446. return
  447. }
  448. case "PutUserPolicy":
  449. response, err = iama.PutUserPolicy(s3cfg, values)
  450. if err != nil {
  451. glog.Errorf("PutUserPolicy: %+v", err)
  452. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  453. return
  454. }
  455. case "GetUserPolicy":
  456. response, err = iama.GetUserPolicy(s3cfg, values)
  457. if err != nil {
  458. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  459. return
  460. }
  461. changed = false
  462. case "DeleteUserPolicy":
  463. if response, err = iama.DeleteUserPolicy(s3cfg, values); err != nil {
  464. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  465. return
  466. }
  467. default:
  468. errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
  469. errorResponse := ErrorResponse{}
  470. errorResponse.Error.Code = &errNotImplemented.Code
  471. errorResponse.Error.Message = &errNotImplemented.Description
  472. s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
  473. return
  474. }
  475. if changed {
  476. err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
  477. if err != nil {
  478. writeIamErrorResponse(w, r, fmt.Errorf(iam.ErrCodeServiceFailureException), "", "", err)
  479. return
  480. }
  481. }
  482. s3err.WriteXMLResponse(w, r, http.StatusOK, response)
  483. }