You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

207 lines
4.6 KiB

5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
4 years ago
4 years ago
4 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
  1. package s3api
  2. import (
  3. "bytes"
  4. "fmt"
  5. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  6. "io/ioutil"
  7. "net/http"
  8. "github.com/golang/protobuf/jsonpb"
  9. "github.com/chrislusf/seaweedfs/weed/glog"
  10. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  11. )
  12. type Action string
  13. const (
  14. ACTION_READ = "Read"
  15. ACTION_WRITE = "Write"
  16. ACTION_ADMIN = "Admin"
  17. )
  18. type Iam interface {
  19. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  20. }
  21. type IdentityAccessManagement struct {
  22. identities []*Identity
  23. domain string
  24. }
  25. type Identity struct {
  26. Name string
  27. Credentials []*Credential
  28. Actions []Action
  29. }
  30. type Credential struct {
  31. AccessKey string
  32. SecretKey string
  33. }
  34. func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
  35. iam := &IdentityAccessManagement{
  36. domain: domain,
  37. }
  38. if fileName == "" {
  39. return iam
  40. }
  41. if err := iam.loadS3ApiConfiguration(fileName); err != nil {
  42. glog.Fatalf("fail to load config file %s: %v", fileName, err)
  43. }
  44. return iam
  45. }
  46. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
  47. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  48. rawData, readErr := ioutil.ReadFile(fileName)
  49. if readErr != nil {
  50. glog.Warningf("fail to read %s : %v", fileName, readErr)
  51. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  52. }
  53. glog.V(1).Infof("load s3 config: %v", fileName)
  54. if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
  55. glog.Warningf("unmarshal error: %v", err)
  56. return fmt.Errorf("unmarshal %s error: %v", fileName, err)
  57. }
  58. for _, ident := range s3ApiConfiguration.Identities {
  59. t := &Identity{
  60. Name: ident.Name,
  61. Credentials: nil,
  62. Actions: nil,
  63. }
  64. for _, action := range ident.Actions {
  65. t.Actions = append(t.Actions, Action(action))
  66. }
  67. for _, cred := range ident.Credentials {
  68. t.Credentials = append(t.Credentials, &Credential{
  69. AccessKey: cred.AccessKey,
  70. SecretKey: cred.SecretKey,
  71. })
  72. }
  73. iam.identities = append(iam.identities, t)
  74. }
  75. return nil
  76. }
  77. func (iam *IdentityAccessManagement) isEnabled() bool {
  78. return len(iam.identities) > 0
  79. }
  80. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  81. for _, ident := range iam.identities {
  82. for _, cred := range ident.Credentials {
  83. if cred.AccessKey == accessKey {
  84. return ident, cred, true
  85. }
  86. }
  87. }
  88. return nil, nil, false
  89. }
  90. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  91. for _, ident := range iam.identities {
  92. if ident.Name == "anonymous" {
  93. return ident, true
  94. }
  95. }
  96. return nil, false
  97. }
  98. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  99. if !iam.isEnabled() {
  100. return f
  101. }
  102. return func(w http.ResponseWriter, r *http.Request) {
  103. errCode := iam.authRequest(r, action)
  104. if errCode == s3err.ErrNone {
  105. f(w, r)
  106. return
  107. }
  108. writeErrorResponse(w, errCode, r.URL)
  109. }
  110. }
  111. // check whether the request has valid access keys
  112. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) s3err.ErrorCode {
  113. var identity *Identity
  114. var s3Err s3err.ErrorCode
  115. var found bool
  116. switch getRequestAuthType(r) {
  117. case authTypeStreamingSigned:
  118. return s3err.ErrNone
  119. case authTypeUnknown:
  120. glog.V(3).Infof("unknown auth type")
  121. return s3err.ErrAccessDenied
  122. case authTypePresignedV2, authTypeSignedV2:
  123. glog.V(3).Infof("v2 auth type")
  124. identity, s3Err = iam.isReqAuthenticatedV2(r)
  125. case authTypeSigned, authTypePresigned:
  126. glog.V(3).Infof("v4 auth type")
  127. identity, s3Err = iam.reqSignatureV4Verify(r)
  128. case authTypePostPolicy:
  129. glog.V(3).Infof("post policy auth type")
  130. return s3err.ErrNone
  131. case authTypeJWT:
  132. glog.V(3).Infof("jwt auth type")
  133. return s3err.ErrNotImplemented
  134. case authTypeAnonymous:
  135. identity, found = iam.lookupAnonymous()
  136. if !found {
  137. return s3err.ErrAccessDenied
  138. }
  139. default:
  140. return s3err.ErrNotImplemented
  141. }
  142. glog.V(3).Infof("auth error: %v", s3Err)
  143. if s3Err != s3err.ErrNone {
  144. return s3Err
  145. }
  146. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  147. bucket, _ := getBucketAndObject(r)
  148. if !identity.canDo(action, bucket) {
  149. return s3err.ErrAccessDenied
  150. }
  151. return s3err.ErrNone
  152. }
  153. func (identity *Identity) canDo(action Action, bucket string) bool {
  154. for _, a := range identity.Actions {
  155. if a == "Admin" {
  156. return true
  157. }
  158. }
  159. for _, a := range identity.Actions {
  160. if a == action {
  161. return true
  162. }
  163. }
  164. if bucket == "" {
  165. return false
  166. }
  167. limitedByBucket := string(action) + ":" + bucket
  168. for _, a := range identity.Actions {
  169. if string(a) == limitedByBucket {
  170. return true
  171. }
  172. }
  173. return false
  174. }