Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8942 Commits
32 Branches
298 Tags
167 MiB
Tree: 4c280c06dc
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4c280c06dc'
${ noResults }
seaweedfs/weed/s3api/s3acl/acl_helper.go

555 lines
17 KiB
Raw Normal View History

add acl helper functionalities (#3831)
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
delete when empty at `AssembleEntryWithAcp` `PutBucketAcl/PutObjectAcl` allow request with empty grants, `AssembleEntryWithAcp` shouldn't skip empty value Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
add acl helper functionalities (#3831)
2 years ago
validate grants when setting ownership to `OwnershipBucketOwnerEnforced` Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago
Merge branch '6_object_read' into 10_acl_merged # Conflicts: # weed/s3api/s3acl/acl_helper.go # weed/s3api/s3api_acp.go
2 years ago
add acl validation for s3 GetObjectHandler
2 years ago
  1. package s3acl
  3. import (
  4. "encoding/json"
  5. "encoding/xml"
  6. "github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil"
  7. "github.com/aws/aws-sdk-go/service/s3"
  8. "github.com/seaweedfs/seaweedfs/weed/filer"
  9. "github.com/seaweedfs/seaweedfs/weed/glog"
  10. "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
  11. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  12. "github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
  13. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  14. "github.com/seaweedfs/seaweedfs/weed/util"
  15. "net/http"
  16. "strings"
  17. )
  19. // GetAccountId get AccountId from request headers, AccountAnonymousId will be return if not presen
  20. func GetAccountId(r *http.Request) string {
  21. id := r.Header.Get(s3_constants.AmzAccountId)
  22. if len(id) == 0 {
  23. return s3account.AccountAnonymous.Id
  24. } else {
  25. return id
  26. }
  27. }
  29. // ExtractAcl extracts the acl from the request body, or from the header if request body is empty
  30. func ExtractAcl(r *http.Request, accountManager *s3account.AccountManager, ownership, bucketOwnerId, ownerId, accountId string) (grants []*s3.Grant, errCode s3err.ErrorCode) {
  31. if r.Body != nil && r.Body != http.NoBody {
  32. defer util.CloseRequest(r)
  34. var acp s3.AccessControlPolicy
  35. err := xmlutil.UnmarshalXML(&acp, xml.NewDecoder(r.Body), "")
  36. if err != nil || acp.Owner == nil || acp.Owner.ID == nil {
  37. return nil, s3err.ErrInvalidRequest
  38. }
  40. //owner should present && owner is immutable
  41. if *acp.Owner.ID != ownerId {
  42. glog.V(3).Infof("set acl denied! owner account is not consistent, request account id: %s, expect account id: %s", accountId, ownerId)
  43. return nil, s3err.ErrAccessDenied
  44. }
  46. return ValidateAndTransferGrants(accountManager, acp.Grants)
  47. } else {
  48. _, grants, errCode = ParseAndValidateAclHeadersOrElseDefault(r, accountManager, ownership, bucketOwnerId, accountId, true)
  49. return grants, errCode
  50. }
  51. }
  53. // ParseAndValidateAclHeadersOrElseDefault will callParseAndValidateAclHeaders to get Grants, if empty, it will return Grant that grant `accountId` with `FullControl` permission
  54. func ParseAndValidateAclHeadersOrElseDefault(r *http.Request, accountManager *s3account.AccountManager, ownership, bucketOwnerId, accountId string, putAcl bool) (ownerId string, grants []*s3.Grant, errCode s3err.ErrorCode) {
  55. ownerId, grants, errCode = ParseAndValidateAclHeaders(r, accountManager, ownership, bucketOwnerId, accountId, putAcl)
  56. if errCode != s3err.ErrNone {
  57. return
  58. }
  59. if len(grants) == 0 {
  60. //if no acl(both customAcl and cannedAcl) specified, grant accountId(object writer) with full control permission
  61. grants = append(grants, &s3.Grant{
  62. Grantee: &s3.Grantee{
  63. Type: &s3_constants.GrantTypeCanonicalUser,
  64. ID: &accountId,
  65. },
  66. Permission: &s3_constants.PermissionFullControl,
  67. })
  68. }
  69. return
  70. }
  72. // ParseAndValidateAclHeaders parse and validate acl from header
  73. func ParseAndValidateAclHeaders(r *http.Request, accountManager *s3account.AccountManager, ownership, bucketOwnerId, accountId string, putAcl bool) (ownerId string, grants []*s3.Grant, errCode s3err.ErrorCode) {
  74. ownerId, grants, errCode = ParseAclHeaders(r, ownership, bucketOwnerId, accountId, putAcl)
  75. if errCode != s3err.ErrNone {
  76. return
  77. }
  78. if len(grants) > 0 {
  79. grants, errCode = ValidateAndTransferGrants(accountManager, grants)
  80. }
  81. return
  82. }
  84. // ParseAclHeaders parse acl headers
  85. // When `putAcl` is true, only `CannedAcl` is parsed, such as `PutBucketAcl` or `PutObjectAcl`
  86. // is requested, `CustomAcl` is parsed from the request body not from headers, and only if the
  87. // request body is empty, `CannedAcl` is parsed from the header, and will not parse `CustomAcl` from the header
  88. //
  89. // Since `CustomAcl` has higher priority, it will be parsed first; if `CustomAcl` does not exist, `CannedAcl` will be parsed
  90. func ParseAclHeaders(r *http.Request, ownership, bucketOwnerId, accountId string, putAcl bool) (ownerId string, grants []*s3.Grant, errCode s3err.ErrorCode) {
  91. if !putAcl {
  92. errCode = ParseCustomAclHeaders(r, &grants)
  93. if errCode != s3err.ErrNone {
  94. return "", nil, errCode
  95. }
  96. }
  97. if len(grants) > 0 {
  98. return accountId, grants, s3err.ErrNone
  99. }
  101. cannedAcl := r.Header.Get(s3_constants.AmzCannedAcl)
  102. if len(cannedAcl) == 0 {
  103. return accountId, grants, s3err.ErrNone
  104. }
  106. //if canned acl specified, parse cannedAcl (lower priority to custom acl)
  107. ownerId, grants, errCode = ParseCannedAclHeader(ownership, bucketOwnerId, accountId, cannedAcl, putAcl)
  108. if errCode != s3err.ErrNone {
  109. return "", nil, errCode
  110. }
  111. return ownerId, grants, errCode
  112. }
  114. func ParseCustomAclHeaders(r *http.Request, grants *[]*s3.Grant) s3err.ErrorCode {
  115. customAclHeaders := []string{s3_constants.AmzAclFullControl, s3_constants.AmzAclRead, s3_constants.AmzAclReadAcp, s3_constants.AmzAclWrite, s3_constants.AmzAclWriteAcp}
  116. var errCode s3err.ErrorCode
  117. for _, customAclHeader := range customAclHeaders {
  118. headerValue := r.Header.Get(customAclHeader)
  119. switch customAclHeader {
  120. case s3_constants.AmzAclRead:
  121. errCode = ParseCustomAclHeader(headerValue, s3_constants.PermissionRead, grants)
  122. case s3_constants.AmzAclWrite:
  123. errCode = ParseCustomAclHeader(headerValue, s3_constants.PermissionWrite, grants)
  124. case s3_constants.AmzAclReadAcp:
  125. errCode = ParseCustomAclHeader(headerValue, s3_constants.PermissionReadAcp, grants)
  126. case s3_constants.AmzAclWriteAcp:
  127. errCode = ParseCustomAclHeader(headerValue, s3_constants.PermissionWriteAcp, grants)
  128. case s3_constants.AmzAclFullControl:
  129. errCode = ParseCustomAclHeader(headerValue, s3_constants.PermissionFullControl, grants)
  130. }
  131. if errCode != s3err.ErrNone {
  132. return errCode
  133. }
  134. }
  135. return s3err.ErrNone
  136. }
  138. func ParseCustomAclHeader(headerValue, permission string, grants *[]*s3.Grant) s3err.ErrorCode {
  139. if len(headerValue) > 0 {
  140. split := strings.Split(headerValue, ", ")
  141. for _, grantStr := range split {
  142. kv := strings.Split(grantStr, "=")
  143. if len(kv) != 2 {
  144. return s3err.ErrInvalidRequest
  145. }
  147. switch kv[0] {
  148. case "id":
  149. var accountId string
  150. _ = json.Unmarshal([]byte(kv[1]), &accountId)
  151. *grants = append(*grants, &s3.Grant{
  152. Grantee: &s3.Grantee{
  153. Type: &s3_constants.GrantTypeCanonicalUser,
  154. ID: &accountId,
  155. },
  156. Permission: &permission,
  157. })
  158. case "emailAddress":
  159. var emailAddress string
  160. _ = json.Unmarshal([]byte(kv[1]), &emailAddress)
  161. *grants = append(*grants, &s3.Grant{
  162. Grantee: &s3.Grantee{
  163. Type: &s3_constants.GrantTypeAmazonCustomerByEmail,
  164. EmailAddress: &emailAddress,
  165. },
  166. Permission: &permission,
  167. })
  168. case "uri":
  169. var groupName string
  170. _ = json.Unmarshal([]byte(kv[1]), &groupName)
  171. *grants = append(*grants, &s3.Grant{
  172. Grantee: &s3.Grantee{
  173. Type: &s3_constants.GrantTypeGroup,
  174. URI: &groupName,
  175. },
  176. Permission: &permission,
  177. })
  178. }
  179. }
  180. }
  181. return s3err.ErrNone
  183. }
  185. func ParseCannedAclHeader(bucketOwnership, bucketOwnerId, accountId, cannedAcl string, putAcl bool) (ownerId string, grants []*s3.Grant, err s3err.ErrorCode) {
  186. err = s3err.ErrNone
  187. ownerId = accountId
  189. //objectWrite automatically has full control on current object
  190. objectWriterFullControl := &s3.Grant{
  191. Grantee: &s3.Grantee{
  192. ID: &accountId,
  193. Type: &s3_constants.GrantTypeCanonicalUser,
  194. },
  195. Permission: &s3_constants.PermissionFullControl,
  196. }
  198. switch cannedAcl {
  199. case s3_constants.CannedAclPrivate:
  200. grants = append(grants, objectWriterFullControl)
  201. case s3_constants.CannedAclPublicRead:
  202. grants = append(grants, objectWriterFullControl)
  203. grants = append(grants, s3_constants.PublicRead...)
  204. case s3_constants.CannedAclPublicReadWrite:
  205. grants = append(grants, objectWriterFullControl)
  206. grants = append(grants, s3_constants.PublicReadWrite...)
  207. case s3_constants.CannedAclAuthenticatedRead:
  208. grants = append(grants, objectWriterFullControl)
  209. grants = append(grants, s3_constants.AuthenticatedRead...)
  210. case s3_constants.CannedAclLogDeliveryWrite:
  211. grants = append(grants, objectWriterFullControl)
  212. grants = append(grants, s3_constants.LogDeliveryWrite...)
  213. case s3_constants.CannedAclBucketOwnerRead:
  214. grants = append(grants, objectWriterFullControl)
  215. if bucketOwnerId != "" && bucketOwnerId != accountId {
  216. grants = append(grants,
  217. &s3.Grant{
  218. Grantee: &s3.Grantee{
  219. Type: &s3_constants.GrantTypeCanonicalUser,
  220. ID: &bucketOwnerId,
  221. },
  222. Permission: &s3_constants.PermissionRead,
  223. })
  224. }
  225. case s3_constants.CannedAclBucketOwnerFullControl:
  226. if bucketOwnerId != "" {
  227. // if set ownership to 'BucketOwnerPreferred' when upload object, the bucket owner will be the object owner
  228. if !putAcl && bucketOwnership == s3_constants.OwnershipBucketOwnerPreferred {
  229. ownerId = bucketOwnerId
  230. grants = append(grants,
  231. &s3.Grant{
  232. Grantee: &s3.Grantee{
  233. Type: &s3_constants.GrantTypeCanonicalUser,
  234. ID: &bucketOwnerId,
  235. },
  236. Permission: &s3_constants.PermissionFullControl,
  237. })
  238. } else {
  239. grants = append(grants, objectWriterFullControl)
  240. if accountId != bucketOwnerId {
  241. grants = append(grants,
  242. &s3.Grant{
  243. Grantee: &s3.Grantee{
  244. Type: &s3_constants.GrantTypeCanonicalUser,
  245. ID: &bucketOwnerId,
  246. },
  247. Permission: &s3_constants.PermissionFullControl,
  248. })
  249. }
  250. }
  251. }
  252. case s3_constants.CannedAclAwsExecRead:
  253. err = s3err.ErrNotImplemented
  254. default:
  255. err = s3err.ErrInvalidRequest
  256. }
  257. return
  258. }
  260. // ValidateAndTransferGrants validate grant & transfer Email-Grant to Id-Grant
  261. func ValidateAndTransferGrants(accountManager *s3account.AccountManager, grants []*s3.Grant) ([]*s3.Grant, s3err.ErrorCode) {
  262. var result []*s3.Grant
  263. for _, grant := range grants {
  264. grantee := grant.Grantee
  265. if grantee == nil || grantee.Type == nil {
  266. glog.Warning("invalid grantee! grantee or granteeType is nil")
  267. return nil, s3err.ErrInvalidRequest
  268. }
  270. switch *grantee.Type {
  271. case s3_constants.GrantTypeGroup:
  272. if grantee.URI == nil {
  273. glog.Warning("invalid group grantee! group URI is nil")
  274. return nil, s3err.ErrInvalidRequest
  275. }
  276. ok := s3_constants.ValidateGroup(*grantee.URI)
  277. if !ok {
  278. glog.Warningf("invalid group grantee! group name[%s] is not valid", *grantee.URI)
  279. return nil, s3err.ErrInvalidRequest
  280. }
  281. result = append(result, grant)
  282. case s3_constants.GrantTypeCanonicalUser:
  283. if grantee.ID == nil {
  284. glog.Warning("invalid canonical grantee! account id is nil")
  285. return nil, s3err.ErrInvalidRequest
  286. }
  287. _, ok := accountManager.IdNameMapping[*grantee.ID]
  288. if !ok {
  289. glog.Warningf("invalid canonical grantee! account id[%s] is not exists", *grantee.ID)
  290. return nil, s3err.ErrInvalidRequest
  291. }
  292. result = append(result, grant)
  293. case s3_constants.GrantTypeAmazonCustomerByEmail:
  294. if grantee.EmailAddress == nil {
  295. glog.Warning("invalid email grantee! email address is nil")
  296. return nil, s3err.ErrInvalidRequest
  297. }
  298. accountId, ok := accountManager.EmailIdMapping[*grantee.EmailAddress]
  299. if !ok {
  300. glog.Warningf("invalid email grantee! email address[%s] is not exists", *grantee.EmailAddress)
  301. return nil, s3err.ErrInvalidRequest
  302. }
  303. result = append(result, &s3.Grant{
  304. Grantee: &s3.Grantee{
  305. Type: &s3_constants.GrantTypeCanonicalUser,
  306. ID: &accountId,
  307. },
  308. Permission: grant.Permission,
  309. })
  310. default:
  311. return nil, s3err.ErrInvalidRequest
  312. }
  313. }
  314. return result, s3err.ErrNone
  315. }
  317. // DetermineReqGrants generates the grant set (Grants) according to accountId and reqPermission.
  318. func DetermineReqGrants(accountId, aclAction string) (grants []*s3.Grant) {
  319. // group grantee (AllUsers)
  320. grants = append(grants, &s3.Grant{
  321. Grantee: &s3.Grantee{
  322. Type: &s3_constants.GrantTypeGroup,
  323. URI: &s3_constants.GranteeGroupAllUsers,
  324. },
  325. Permission: &aclAction,
  326. })
  327. grants = append(grants, &s3.Grant{
  328. Grantee: &s3.Grantee{
  329. Type: &s3_constants.GrantTypeGroup,
  330. URI: &s3_constants.GranteeGroupAllUsers,
  331. },
  332. Permission: &s3_constants.PermissionFullControl,
  333. })
  335. // canonical grantee (accountId)
  336. grants = append(grants, &s3.Grant{
  337. Grantee: &s3.Grantee{
  338. Type: &s3_constants.GrantTypeCanonicalUser,
  339. ID: &accountId,
  340. },
  341. Permission: &aclAction,
  342. })
  343. grants = append(grants, &s3.Grant{
  344. Grantee: &s3.Grantee{
  345. Type: &s3_constants.GrantTypeCanonicalUser,
  346. ID: &accountId,
  347. },
  348. Permission: &s3_constants.PermissionFullControl,
  349. })
  351. // group grantee (AuthenticateUsers)
  352. if accountId != s3account.AccountAnonymous.Id {
  353. grants = append(grants, &s3.Grant{
  354. Grantee: &s3.Grantee{
  355. Type: &s3_constants.GrantTypeGroup,
  356. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  357. },
  358. Permission: &aclAction,
  359. })
  360. grants = append(grants, &s3.Grant{
  361. Grantee: &s3.Grantee{
  362. Type: &s3_constants.GrantTypeGroup,
  363. URI: &s3_constants.GranteeGroupAuthenticatedUsers,
  364. },
  365. Permission: &s3_constants.PermissionFullControl,
  366. })
  367. }
  368. return
  369. }
  371. func SetAcpOwnerHeader(r *http.Request, acpOwnerId string) {
  372. r.Header.Set(s3_constants.ExtAmzOwnerKey, acpOwnerId)
  373. }
  375. func GetAcpOwner(entryExtended map[string][]byte, defaultOwner string) string {
  376. ownerIdBytes, ok := entryExtended[s3_constants.ExtAmzOwnerKey]
  377. if ok && len(ownerIdBytes) > 0 {
  378. return string(ownerIdBytes)
  379. }
  380. return defaultOwner
  381. }
  383. func SetAcpGrantsHeader(r *http.Request, acpGrants []*s3.Grant) {
  384. if len(acpGrants) > 0 {
  385. a, err := json.Marshal(acpGrants)
  386. if err == nil {
  387. r.Header.Set(s3_constants.ExtAmzAclKey, string(a))
  388. } else {
  389. glog.Warning("Marshal acp grants err", err)
  390. }
  391. }
  392. }
  394. // GetAcpGrants return grants parsed from entry
  395. func GetAcpGrants(entryExtended map[string][]byte) []*s3.Grant {
  396. acpBytes, ok := entryExtended[s3_constants.ExtAmzAclKey]
  397. if ok && len(acpBytes) > 0 {
  398. var grants []*s3.Grant
  399. err := json.Unmarshal(acpBytes, &grants)
  400. if err == nil {
  401. return grants
  402. }
  403. }
  404. return nil
  405. }
  407. // AssembleEntryWithAcp fill entry with owner and grants
  408. func AssembleEntryWithAcp(objectEntry *filer_pb.Entry, objectOwner string, grants []*s3.Grant) s3err.ErrorCode {
  409. if objectEntry.Extended == nil {
  410. objectEntry.Extended = make(map[string][]byte)
  411. }
  413. if len(objectOwner) > 0 {
  414. objectEntry.Extended[s3_constants.ExtAmzOwnerKey] = []byte(objectOwner)
  415. } else {
  416. delete(objectEntry.Extended, s3_constants.ExtAmzOwnerKey)
  417. }
  419. if len(grants) > 0 {
  420. grantsBytes, err := json.Marshal(grants)
  421. if err != nil {
  422. glog.Warning("assemble acp to entry:", err)
  423. return s3err.ErrInvalidRequest
  424. }
  425. objectEntry.Extended[s3_constants.ExtAmzAclKey] = grantsBytes
  426. } else {
  427. delete(objectEntry.Extended, s3_constants.ExtAmzAclKey)
  428. }
  430. return s3err.ErrNone
  431. }
  433. // GrantEquals Compare whether two Grants are equal in meaning, not completely
  434. // equal (compare Grantee.Type and the corresponding Value for equality, other
  435. // fields of Grantee are ignored)
  436. func GrantEquals(a, b *s3.Grant) bool {
  437. // grant
  438. if a == b {
  439. return true
  440. }
  442. if a == nil || b == nil {
  443. return false
  444. }
  446. // grant.Permission
  447. if a.Permission != b.Permission {
  448. if a.Permission == nil || b.Permission == nil {
  449. return false
  450. }
  452. if *a.Permission != *b.Permission {
  453. return false
  454. }
  455. }
  457. // grant.Grantee
  458. ag := a.Grantee
  459. bg := b.Grantee
  460. if ag != bg {
  461. if ag == nil || bg == nil {
  462. return false
  463. }
  464. // grantee.Type
  465. if ag.Type != bg.Type {
  466. if ag.Type == nil || bg.Type == nil {
  467. return false
  468. }
  469. if *ag.Type != *bg.Type {
  470. return false
  471. }
  472. }
  473. // value corresponding to granteeType
  474. if ag.Type != nil {
  475. switch *ag.Type {
  476. case s3_constants.GrantTypeGroup:
  477. if ag.URI != bg.URI {
  478. if ag.URI == nil || bg.URI == nil {
  479. return false
  480. }
  482. if *ag.URI != *bg.URI {
  483. return false
  484. }
  485. }
  486. case s3_constants.GrantTypeCanonicalUser:
  487. if ag.ID != bg.ID {
  488. if ag.ID == nil || bg.ID == nil {
  489. return false
  490. }
  492. if *ag.ID != *bg.ID {
  493. return false
  494. }
  495. }
  496. case s3_constants.GrantTypeAmazonCustomerByEmail:
  497. if ag.EmailAddress != bg.EmailAddress {
  498. if ag.EmailAddress == nil || bg.EmailAddress == nil {
  499. return false
  500. }
  502. if *ag.EmailAddress != *bg.EmailAddress {
  503. return false
  504. }
  505. }
  506. }
  507. }
  508. }
  509. return true
  510. }
  512. func GrantWithFullControl(accountId string) *s3.Grant {
  513. return &s3.Grant{
  514. Permission: &s3_constants.PermissionFullControl,
  515. Grantee: &s3.Grantee{
  516. Type: &s3_constants.GrantTypeCanonicalUser,
  517. ID: &accountId,
  518. },
  519. }
  520. }
  522. func CheckObjectAccessForReadObject(r *http.Request, w http.ResponseWriter, entry *filer.Entry, bucketOwnerId string) (statusCode int, ok bool) {
  523. if entry.IsDirectory() {
  524. w.Header().Set(s3_constants.X_SeaweedFS_Header_Directory_Key, "true")
  525. return http.StatusMethodNotAllowed, false
  526. }
  528. accountId := GetAccountId(r)
  529. if len(accountId) == 0 {
  530. glog.Warning("#checkObjectAccessForReadObject header[accountId] not exists!")
  531. return http.StatusForbidden, false
  532. }
  534. //owner access
  535. objectOwner := GetAcpOwner(entry.Extended, bucketOwnerId)
  536. if accountId == objectOwner {
  537. return http.StatusOK, true
  538. }
  540. //find in Grants
  541. acpGrants := GetAcpGrants(entry.Extended)
  542. if acpGrants != nil {
  543. reqGrants := DetermineReqGrants(accountId, s3_constants.PermissionRead)
  544. for _, requiredGrant := range reqGrants {
  545. for _, grant := range acpGrants {
  546. if GrantEquals(requiredGrant, grant) {
  547. return http.StatusOK, true
  548. }
  549. }
  550. }
  551. }
  553. glog.V(3).Infof("acl denied! request account id: %s", accountId)
  554. return http.StatusForbidden, false
  555. }