You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

94 lines
2.1 KiB

6 years ago
  1. package weed_server
  2. import (
  3. "net/http"
  4. "strings"
  5. "github.com/chrislusf/seaweedfs/weed/glog"
  6. "github.com/chrislusf/seaweedfs/weed/security"
  7. "github.com/chrislusf/seaweedfs/weed/stats"
  8. )
  9. /*
  10. If volume server is started with a separated public port, the public port will
  11. be more "secure".
  12. Public port currently only supports reads.
  13. Later writes on public port can have one of the 3
  14. security settings:
  15. 1. not secured
  16. 2. secured by white list
  17. 3. secured by JWT(Json Web Token)
  18. */
  19. func (vs *VolumeServer) privateStoreHandler(w http.ResponseWriter, r *http.Request) {
  20. switch r.Method {
  21. case "GET", "HEAD":
  22. stats.ReadRequest()
  23. vs.GetOrHeadHandler(w, r)
  24. case "DELETE":
  25. stats.DeleteRequest()
  26. vs.guard.WhiteList(vs.DeleteHandler)(w, r)
  27. case "PUT", "POST":
  28. stats.WriteRequest()
  29. vs.guard.WhiteList(vs.PostHandler)(w, r)
  30. }
  31. }
  32. func (vs *VolumeServer) publicReadOnlyHandler(w http.ResponseWriter, r *http.Request) {
  33. switch r.Method {
  34. case "GET":
  35. stats.ReadRequest()
  36. vs.GetOrHeadHandler(w, r)
  37. case "HEAD":
  38. stats.ReadRequest()
  39. vs.GetOrHeadHandler(w, r)
  40. }
  41. }
  42. func (vs *VolumeServer) maybeCheckJwtAuthorization(r *http.Request, vid, fid string, isWrite bool) bool {
  43. var signingKey security.SigningKey
  44. if isWrite {
  45. if len(vs.guard.SigningKey) == 0 {
  46. return true
  47. } else {
  48. signingKey = vs.guard.SigningKey
  49. }
  50. } else {
  51. if len(vs.guard.ReadSigningKey) == 0 {
  52. return true
  53. } else {
  54. signingKey = vs.guard.ReadSigningKey
  55. }
  56. }
  57. tokenStr := security.GetJwt(r)
  58. if tokenStr == "" {
  59. glog.V(1).Infof("missing jwt from %s", r.RemoteAddr)
  60. return false
  61. }
  62. token, err := security.DecodeJwt(signingKey, tokenStr)
  63. if err != nil {
  64. glog.V(1).Infof("jwt verification error from %s: %v", r.RemoteAddr, err)
  65. return false
  66. }
  67. if !token.Valid {
  68. glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)
  69. return false
  70. }
  71. if sc, ok := token.Claims.(*security.SeaweedFileIdClaims); ok {
  72. if sepIndex := strings.LastIndex(fid, "_"); sepIndex > 0 {
  73. fid = fid[:sepIndex]
  74. }
  75. return sc.Fid == vid+","+fid
  76. }
  77. glog.V(1).Infof("unexpected jwt from %s: %v", r.RemoteAddr, tokenStr)
  78. return false
  79. }