Home Explore Help
Sign In
SMusatov
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Files Wiki
Branch: tikv
Branches Tags
seaweedfs
/
weed
/
s3api
/
auth_credentials.go

auth_credentials.go 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 
  1. package s3api
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"fmt"
    6. 

  6. 	"io/ioutil"
    7. 

  7. 	"net/http"
    8. 

  8. 

  9. 	"github.com/golang/protobuf/jsonpb"
    10. 

  10. 	"github.com/gorilla/mux"
    11. 

  11. 

  12. 	"github.com/chrislusf/seaweedfs/weed/glog"
    13. 

  13. 	"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
    14. 

  14. )
    15. 

  15. 

  16. type Action string
    17. 

  17. 

  18. const (
    19. 

  19. 	ACTION_READ  = "Read"
    20. 

  20. 	ACTION_WRITE = "Write"
    21. 

  21. 	ACTION_ADMIN = "Admin"
    22. 

  22. )
    23. 

  23. 

  24. type Iam interface {
    25. 

  25. 	Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
    26. 

  26. }
    27. 

  27. 

  28. type IdentityAccessManagement struct {
    29. 

  29. 	identities []*Identity
    30. 

  30. 	domain     string
    31. 

  31. }
    32. 

  32. 

  33. type Identity struct {
    34. 

  34. 	Name        string
    35. 

  35. 	Credentials []*Credential
    36. 

  36. 	Actions     []Action
    37. 

  37. }
    38. 

  38. 

  39. type Credential struct {
    40. 

  40. 	AccessKey string
    41. 

  41. 	SecretKey string
    42. 

  42. }
    43. 

  43. 

  44. func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
    45. 

  45. 	iam := &IdentityAccessManagement{
    46. 

  46. 		domain: domain,
    47. 

  47. 	}
    48. 

  48. 	if fileName == "" {
    49. 

  49. 		return iam
    50. 

  50. 	}
    51. 

  51. 	if err := iam.loadS3ApiConfiguration(fileName); err != nil {
    52. 

  52. 		glog.Fatalf("fail to load config file %s: %v", fileName, err)
    53. 

  53. 	}
    54. 

  54. 	return iam
    55. 

  55. }
    56. 

  56. 

  57. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
    58. 

  58. 

  59. 	s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
    60. 

  60. 

  61. 	rawData, readErr := ioutil.ReadFile(fileName)
    62. 

  62. 	if readErr != nil {
    63. 

  63. 		glog.Warningf("fail to read %s : %v", fileName, readErr)
    64. 

  64. 		return fmt.Errorf("fail to read %s : %v", fileName, readErr)
    65. 

  65. 	}
    66. 

  66. 

  67. 	glog.V(1).Infof("maybeLoadVolumeInfo Unmarshal volume info %v", fileName)
    68. 

  68. 	if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
    69. 

  69. 		glog.Warningf("unmarshal error: %v", err)
    70. 

  70. 		return fmt.Errorf("unmarshal %s error: %v", fileName, err)
    71. 

  71. 	}
    72. 

  72. 

  73. 	for _, ident := range s3ApiConfiguration.Identities {
    74. 

  74. 		t := &Identity{
    75. 

  75. 			Name:        ident.Name,
    76. 

  76. 			Credentials: nil,
    77. 

  77. 			Actions:     nil,
    78. 

  78. 		}
    79. 

  79. 		for _, action := range ident.Actions {
    80. 

  80. 			t.Actions = append(t.Actions, Action(action))
    81. 

  81. 		}
    82. 

  82. 		for _, cred := range ident.Credentials {
    83. 

  83. 			t.Credentials = append(t.Credentials, &Credential{
    84. 

  84. 				AccessKey: cred.AccessKey,
    85. 

  85. 				SecretKey: cred.SecretKey,
    86. 

  86. 			})
    87. 

  87. 		}
    88. 

  88. 		iam.identities = append(iam.identities, t)
    89. 

  89. 	}
    90. 

  90. 

  91. 	return nil
    92. 

  92. }
    93. 

  93. 

  94. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
    95. 

  95. 	for _, ident := range iam.identities {
    96. 

  96. 		for _, cred := range ident.Credentials {
    97. 

  97. 			if cred.AccessKey == accessKey {
    98. 

  98. 				return ident, cred, true
    99. 

  99. 			}
    100. 

  100. 		}
    101. 

  101. 	}
    102. 

  102. 	return nil, nil, false
    103. 

  103. }
    104. 

  104. 

  105. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
    106. 

  106. 

  107. 	if len(iam.identities) == 0 {
    108. 

  108. 		return f
    109. 

  109. 	}
    110. 

  110. 

  111. 	return func(w http.ResponseWriter, r *http.Request) {
    112. 

  112. 		errCode := iam.authRequest(r, action)
    113. 

  113. 		if errCode == ErrNone {
    114. 

  114. 			f(w, r)
    115. 

  115. 			return
    116. 

  116. 		}
    117. 

  117. 		writeErrorResponse(w, errCode, r.URL)
    118. 

  118. 	}
    119. 

  119. }
    120. 

  120. 

  121. // check whether the request has valid access keys
    122. 

  122. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
    123. 

  123. 	var identity *Identity
    124. 

  124. 	var s3Err ErrorCode
    125. 

  125. 	switch getRequestAuthType(r) {
    126. 

  126. 	case authTypeStreamingSigned:
    127. 

  127. 		return ErrNone
    128. 

  128. 	case authTypeUnknown:
    129. 

  129. 		glog.V(3).Infof("unknown auth type")
    130. 

  130. 		return ErrAccessDenied
    131. 

  131. 	case authTypePresignedV2, authTypeSignedV2:
    132. 

  132. 		glog.V(3).Infof("v2 auth type")
    133. 

  133. 		identity, s3Err = iam.isReqAuthenticatedV2(r)
    134. 

  134. 	case authTypeSigned, authTypePresigned:
    135. 

  135. 		glog.V(3).Infof("v4 auth type")
    136. 

  136. 		identity, s3Err = iam.reqSignatureV4Verify(r)
    137. 

  137. 	case authTypePostPolicy:
    138. 

  138. 		glog.V(3).Infof("post policy auth type")
    139. 

  139. 		return ErrNotImplemented
    140. 

  140. 	case authTypeJWT:
    141. 

  141. 		glog.V(3).Infof("jwt auth type")
    142. 

  142. 		return ErrNotImplemented
    143. 

  143. 	case authTypeAnonymous:
    144. 

  144. 		return ErrAccessDenied
    145. 

  145. 	default:
    146. 

  146. 		return ErrNotImplemented
    147. 

  147. 	}
    148. 

  148. 

  149. 	glog.V(3).Infof("auth error: %v", s3Err)
    150. 

  150. 	if s3Err != ErrNone {
    151. 

  151. 		return s3Err
    152. 

  152. 	}
    153. 

  153. 

  154. 	glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
    155. 

  155. 

  156. 	vars := mux.Vars(r)
    157. 

  157. 	bucket := vars["bucket"]
    158. 

  158. 

  159. 	if !identity.canDo(action, bucket) {
    160. 

  160. 		return ErrAccessDenied
    161. 

  161. 	}
    162. 

  162. 

  163. 	return ErrNone
    164. 

  164. 

  165. }
    166. 

  166. 

  167. func (identity *Identity) canDo(action Action, bucket string) bool {
    168. 

  168. 	for _, a := range identity.Actions {
    169. 

  169. 		if a == "Admin" {
    170. 

  170. 			return true
    171. 

  171. 		}
    172. 

  172. 	}
    173. 

  173. 	for _, a := range identity.Actions {
    174. 

  174. 		if a == action {
    175. 

  175. 			return true
    176. 

  176. 		}
    177. 

  177. 	}
    178. 

  178. 	if bucket == "" {
    179. 

  179. 		return false
    180. 

  180. 	}
    181. 

  181. 	limitedByBucket := string(action) + ":" + bucket
    182. 

  182. 	for _, a := range identity.Actions {
    183. 

  183. 		if string(a) == limitedByBucket {
    184. 

  184. 			return true
    185. 

  185. 		}
    186. 

  186. 	}
    187. 

  187. 	return false
    188. 

  188. }
    189.