iamapi_management_handlers.go 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523
  1. package iamapi
  2. import (
  3. "crypto/sha1"
  4. "encoding/json"
  5. "errors"
  6. "fmt"
  7. "math/rand"
  8. "net/http"
  9. "net/url"
  10. "reflect"
  11. "strings"
  12. "sync"
  13. "time"
  14. "github.com/seaweedfs/seaweedfs/weed/glog"
  15. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  16. "github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
  17. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  18. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  19. "github.com/aws/aws-sdk-go/service/iam"
  20. )
  21. const (
  22. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  23. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  24. policyDocumentVersion = "2012-10-17"
  25. StatementActionAdmin = "*"
  26. StatementActionWrite = "Put*"
  27. StatementActionWriteAcp = "PutBucketAcl"
  28. StatementActionRead = "Get*"
  29. StatementActionReadAcp = "GetBucketAcl"
  30. StatementActionList = "List*"
  31. StatementActionTagging = "Tagging*"
  32. StatementActionDelete = "DeleteBucket*"
  33. )
  34. var (
  35. seededRand *rand.Rand = rand.New(
  36. rand.NewSource(time.Now().UnixNano()))
  37. policyDocuments = map[string]*PolicyDocument{}
  38. policyLock = sync.RWMutex{}
  39. )
  40. func MapToStatementAction(action string) string {
  41. switch action {
  42. case StatementActionAdmin:
  43. return s3_constants.ACTION_ADMIN
  44. case StatementActionWrite:
  45. return s3_constants.ACTION_WRITE
  46. case StatementActionWriteAcp:
  47. return s3_constants.ACTION_WRITE_ACP
  48. case StatementActionRead:
  49. return s3_constants.ACTION_READ
  50. case StatementActionReadAcp:
  51. return s3_constants.ACTION_READ_ACP
  52. case StatementActionList:
  53. return s3_constants.ACTION_LIST
  54. case StatementActionTagging:
  55. return s3_constants.ACTION_TAGGING
  56. case StatementActionDelete:
  57. return s3_constants.ACTION_DELETE_BUCKET
  58. default:
  59. return ""
  60. }
  61. }
  62. func MapToIdentitiesAction(action string) string {
  63. switch action {
  64. case s3_constants.ACTION_ADMIN:
  65. return StatementActionAdmin
  66. case s3_constants.ACTION_WRITE:
  67. return StatementActionWrite
  68. case s3_constants.ACTION_WRITE_ACP:
  69. return StatementActionWriteAcp
  70. case s3_constants.ACTION_READ:
  71. return StatementActionRead
  72. case s3_constants.ACTION_READ_ACP:
  73. return StatementActionReadAcp
  74. case s3_constants.ACTION_LIST:
  75. return StatementActionList
  76. case s3_constants.ACTION_TAGGING:
  77. return StatementActionTagging
  78. case s3_constants.ACTION_DELETE_BUCKET:
  79. return StatementActionDelete
  80. default:
  81. return ""
  82. }
  83. }
  84. type Statement struct {
  85. Effect string `json:"Effect"`
  86. Action []string `json:"Action"`
  87. Resource []string `json:"Resource"`
  88. }
  89. type Policies struct {
  90. Policies map[string]PolicyDocument `json:"policies"`
  91. }
  92. type PolicyDocument struct {
  93. Version string `json:"Version"`
  94. Statement []*Statement `json:"Statement"`
  95. }
  96. func (p PolicyDocument) String() string {
  97. b, _ := json.Marshal(p)
  98. return string(b)
  99. }
  100. func Hash(s *string) string {
  101. h := sha1.New()
  102. h.Write([]byte(*s))
  103. return fmt.Sprintf("%x", h.Sum(nil))
  104. }
  105. func StringWithCharset(length int, charset string) string {
  106. b := make([]byte, length)
  107. for i := range b {
  108. b[i] = charset[seededRand.Intn(len(charset))]
  109. }
  110. return string(b)
  111. }
  112. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  113. for _, ident := range s3cfg.Identities {
  114. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  115. }
  116. return resp
  117. }
  118. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  119. status := iam.StatusTypeActive
  120. userName := values.Get("UserName")
  121. for _, ident := range s3cfg.Identities {
  122. if userName != "" && userName != ident.Name {
  123. continue
  124. }
  125. for _, cred := range ident.Credentials {
  126. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  127. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  128. )
  129. }
  130. }
  131. return resp
  132. }
  133. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  134. userName := values.Get("UserName")
  135. resp.CreateUserResult.User.UserName = &userName
  136. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  137. return resp
  138. }
  139. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err error) {
  140. for i, ident := range s3cfg.Identities {
  141. if userName == ident.Name {
  142. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  143. return resp, nil
  144. }
  145. }
  146. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  147. }
  148. func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err error) {
  149. for _, ident := range s3cfg.Identities {
  150. if userName == ident.Name {
  151. resp.GetUserResult.User = iam.User{UserName: &ident.Name}
  152. return resp, nil
  153. }
  154. }
  155. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  156. }
  157. func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp UpdateUserResponse, err error) {
  158. userName := values.Get("UserName")
  159. newUserName := values.Get("NewUserName")
  160. if newUserName != "" {
  161. for _, ident := range s3cfg.Identities {
  162. if userName == ident.Name {
  163. ident.Name = newUserName
  164. return resp, nil
  165. }
  166. }
  167. } else {
  168. return resp, nil
  169. }
  170. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  171. }
  172. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  173. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  174. return PolicyDocument{}, err
  175. }
  176. return policyDocument, err
  177. }
  178. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) {
  179. policyName := values.Get("PolicyName")
  180. policyDocumentString := values.Get("PolicyDocument")
  181. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  182. if err != nil {
  183. return CreatePolicyResponse{}, err
  184. }
  185. policyId := Hash(&policyDocumentString)
  186. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  187. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  188. resp.CreatePolicyResult.Policy.Arn = &arn
  189. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  190. policies := Policies{}
  191. policyLock.Lock()
  192. defer policyLock.Unlock()
  193. if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil {
  194. return resp, err
  195. }
  196. policies.Policies[policyName] = policyDocument
  197. if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
  198. return resp, err
  199. }
  200. return resp, nil
  201. }
  202. // https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
  203. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  204. userName := values.Get("UserName")
  205. policyName := values.Get("PolicyName")
  206. policyDocumentString := values.Get("PolicyDocument")
  207. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  208. if err != nil {
  209. return PutUserPolicyResponse{}, err
  210. }
  211. policyDocuments[policyName] = &policyDocument
  212. actions := GetActions(&policyDocument)
  213. for _, ident := range s3cfg.Identities {
  214. if userName != ident.Name {
  215. continue
  216. }
  217. ident.Actions = actions
  218. return resp, nil
  219. }
  220. return resp, fmt.Errorf("%s: the user with name %s cannot be found", iam.ErrCodeNoSuchEntityException, userName)
  221. }
  222. func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err error) {
  223. userName := values.Get("UserName")
  224. policyName := values.Get("PolicyName")
  225. for _, ident := range s3cfg.Identities {
  226. if userName != ident.Name {
  227. continue
  228. }
  229. resp.GetUserPolicyResult.UserName = userName
  230. resp.GetUserPolicyResult.PolicyName = policyName
  231. if len(ident.Actions) == 0 {
  232. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  233. }
  234. policyDocument := PolicyDocument{Version: policyDocumentVersion}
  235. statements := make(map[string][]string)
  236. for _, action := range ident.Actions {
  237. // parse "Read:EXAMPLE-BUCKET"
  238. act := strings.Split(action, ":")
  239. resource := "*"
  240. if len(act) == 2 {
  241. resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
  242. }
  243. statements[resource] = append(statements[resource],
  244. fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
  245. )
  246. }
  247. for resource, actions := range statements {
  248. isEqAction := false
  249. for i, statement := range policyDocument.Statement {
  250. if reflect.DeepEqual(statement.Action, actions) {
  251. policyDocument.Statement[i].Resource = append(
  252. policyDocument.Statement[i].Resource, resource)
  253. isEqAction = true
  254. break
  255. }
  256. }
  257. if isEqAction {
  258. continue
  259. }
  260. policyDocumentStatement := Statement{
  261. Effect: "Allow",
  262. Action: actions,
  263. }
  264. policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource)
  265. policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement)
  266. }
  267. resp.GetUserPolicyResult.PolicyDocument = policyDocument.String()
  268. return resp, nil
  269. }
  270. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  271. }
  272. func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  273. userName := values.Get("UserName")
  274. for i, ident := range s3cfg.Identities {
  275. if ident.Name == userName {
  276. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  277. return resp, nil
  278. }
  279. }
  280. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  281. }
  282. func GetActions(policy *PolicyDocument) (actions []string) {
  283. for _, statement := range policy.Statement {
  284. if statement.Effect != "Allow" {
  285. continue
  286. }
  287. for _, resource := range statement.Resource {
  288. // Parse "arn:aws:s3:::my-bucket/shared/*"
  289. res := strings.Split(resource, ":")
  290. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  291. glog.Infof("not match resource: %s", res)
  292. continue
  293. }
  294. for _, action := range statement.Action {
  295. // Parse "s3:Get*"
  296. act := strings.Split(action, ":")
  297. if len(act) != 2 || act[0] != "s3" {
  298. glog.Infof("not match action: %s", act)
  299. continue
  300. }
  301. statementAction := MapToStatementAction(act[1])
  302. if res[5] == "*" {
  303. actions = append(actions, statementAction)
  304. continue
  305. }
  306. // Parse my-bucket/shared/*
  307. path := strings.Split(res[5], "/")
  308. if len(path) != 2 || path[1] != "*" {
  309. glog.Infof("not match bucket: %s", path)
  310. continue
  311. }
  312. actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
  313. }
  314. }
  315. }
  316. return actions
  317. }
  318. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  319. userName := values.Get("UserName")
  320. status := iam.StatusTypeActive
  321. accessKeyId := StringWithCharset(21, charsetUpper)
  322. secretAccessKey := StringWithCharset(42, charset)
  323. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  324. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  325. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  326. resp.CreateAccessKeyResult.AccessKey.Status = &status
  327. changed := false
  328. for _, ident := range s3cfg.Identities {
  329. if userName == ident.Name {
  330. ident.Credentials = append(ident.Credentials,
  331. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  332. changed = true
  333. break
  334. }
  335. }
  336. if !changed {
  337. s3cfg.Identities = append(s3cfg.Identities,
  338. &iam_pb.Identity{
  339. Name: userName,
  340. Credentials: []*iam_pb.Credential{
  341. {
  342. AccessKey: accessKeyId,
  343. SecretKey: secretAccessKey,
  344. },
  345. },
  346. },
  347. )
  348. }
  349. return resp
  350. }
  351. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  352. userName := values.Get("UserName")
  353. accessKeyId := values.Get("AccessKeyId")
  354. for _, ident := range s3cfg.Identities {
  355. if userName == ident.Name {
  356. for i, cred := range ident.Credentials {
  357. if cred.AccessKey == accessKeyId {
  358. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  359. break
  360. }
  361. }
  362. break
  363. }
  364. }
  365. return resp
  366. }
  367. // handleImplicitUsername adds username who signs the request to values if 'username' is not specified
  368. // According to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html/
  369. // "If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web
  370. // Services access key ID signing the request."
  371. func handleImplicitUsername(r *http.Request, values url.Values) {
  372. if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
  373. return
  374. }
  375. // get username who signs the request. For a typical Authorization:
  376. // "AWS4-HMAC-SHA256 Credential=197FSAQ7HHTA48X64O3A/20220420/test1/iam/aws4_request, SignedHeaders=content-type;
  377. // host;x-amz-date, Signature=6757dc6b3d7534d67e17842760310e99ee695408497f6edc4fdb84770c252dc8",
  378. // the "test1" will be extracted as the username
  379. glog.V(4).Infof("Authorization field: %v", r.Header["Authorization"][0])
  380. s := strings.Split(r.Header["Authorization"][0], "Credential=")
  381. if len(s) < 2 {
  382. return
  383. }
  384. s = strings.Split(s[1], ",")
  385. if len(s) < 2 {
  386. return
  387. }
  388. s = strings.Split(s[0], "/")
  389. if len(s) < 5 {
  390. return
  391. }
  392. userName := s[2]
  393. values.Set("UserName", userName)
  394. }
  395. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  396. if err := r.ParseForm(); err != nil {
  397. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  398. return
  399. }
  400. values := r.PostForm
  401. s3cfg := &iam_pb.S3ApiConfiguration{}
  402. if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil && !errors.Is(err, filer_pb.ErrNotFound) {
  403. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  404. return
  405. }
  406. glog.V(4).Infof("DoActions: %+v", values)
  407. var response interface{}
  408. var err error
  409. changed := true
  410. switch r.Form.Get("Action") {
  411. case "ListUsers":
  412. response = iama.ListUsers(s3cfg, values)
  413. changed = false
  414. case "ListAccessKeys":
  415. handleImplicitUsername(r, values)
  416. response = iama.ListAccessKeys(s3cfg, values)
  417. changed = false
  418. case "CreateUser":
  419. response = iama.CreateUser(s3cfg, values)
  420. case "GetUser":
  421. userName := values.Get("UserName")
  422. response, err = iama.GetUser(s3cfg, userName)
  423. if err != nil {
  424. writeIamErrorResponse(w, r, err, "user", userName, nil)
  425. return
  426. }
  427. changed = false
  428. case "UpdateUser":
  429. response, err = iama.UpdateUser(s3cfg, values)
  430. if err != nil {
  431. glog.Errorf("UpdateUser: %+v", err)
  432. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  433. return
  434. }
  435. case "DeleteUser":
  436. userName := values.Get("UserName")
  437. response, err = iama.DeleteUser(s3cfg, userName)
  438. if err != nil {
  439. writeIamErrorResponse(w, r, err, "user", userName, nil)
  440. return
  441. }
  442. case "CreateAccessKey":
  443. handleImplicitUsername(r, values)
  444. response = iama.CreateAccessKey(s3cfg, values)
  445. case "DeleteAccessKey":
  446. handleImplicitUsername(r, values)
  447. response = iama.DeleteAccessKey(s3cfg, values)
  448. case "CreatePolicy":
  449. response, err = iama.CreatePolicy(s3cfg, values)
  450. if err != nil {
  451. glog.Errorf("CreatePolicy: %+v", err)
  452. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  453. return
  454. }
  455. case "PutUserPolicy":
  456. response, err = iama.PutUserPolicy(s3cfg, values)
  457. if err != nil {
  458. glog.Errorf("PutUserPolicy: %+v", err)
  459. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  460. return
  461. }
  462. case "GetUserPolicy":
  463. response, err = iama.GetUserPolicy(s3cfg, values)
  464. if err != nil {
  465. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  466. return
  467. }
  468. changed = false
  469. case "DeleteUserPolicy":
  470. if response, err = iama.DeleteUserPolicy(s3cfg, values); err != nil {
  471. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  472. return
  473. }
  474. default:
  475. errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
  476. errorResponse := ErrorResponse{}
  477. errorResponse.Error.Code = &errNotImplemented.Code
  478. errorResponse.Error.Message = &errNotImplemented.Description
  479. s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
  480. return
  481. }
  482. if changed {
  483. err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
  484. if err != nil {
  485. writeIamErrorResponse(w, r, fmt.Errorf(iam.ErrCodeServiceFailureException), "", "", err)
  486. return
  487. }
  488. }
  489. s3err.WriteXMLResponse(w, r, http.StatusOK, response)
  490. }