You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

206 lines
4.5 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
  1. package s3api
  2. import (
  3. "bytes"
  4. "fmt"
  5. "io/ioutil"
  6. "net/http"
  7. "github.com/golang/protobuf/jsonpb"
  8. "github.com/chrislusf/seaweedfs/weed/glog"
  9. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  10. )
  11. type Action string
  12. const (
  13. ACTION_READ = "Read"
  14. ACTION_WRITE = "Write"
  15. ACTION_ADMIN = "Admin"
  16. )
  17. type Iam interface {
  18. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  19. }
  20. type IdentityAccessManagement struct {
  21. identities []*Identity
  22. domain string
  23. }
  24. type Identity struct {
  25. Name string
  26. Credentials []*Credential
  27. Actions []Action
  28. }
  29. type Credential struct {
  30. AccessKey string
  31. SecretKey string
  32. }
  33. func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
  34. iam := &IdentityAccessManagement{
  35. domain: domain,
  36. }
  37. if fileName == "" {
  38. return iam
  39. }
  40. if err := iam.loadS3ApiConfiguration(fileName); err != nil {
  41. glog.Fatalf("fail to load config file %s: %v", fileName, err)
  42. }
  43. return iam
  44. }
  45. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
  46. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  47. rawData, readErr := ioutil.ReadFile(fileName)
  48. if readErr != nil {
  49. glog.Warningf("fail to read %s : %v", fileName, readErr)
  50. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  51. }
  52. glog.V(1).Infof("maybeLoadVolumeInfo Unmarshal volume info %v", fileName)
  53. if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
  54. glog.Warningf("unmarshal error: %v", err)
  55. return fmt.Errorf("unmarshal %s error: %v", fileName, err)
  56. }
  57. for _, ident := range s3ApiConfiguration.Identities {
  58. t := &Identity{
  59. Name: ident.Name,
  60. Credentials: nil,
  61. Actions: nil,
  62. }
  63. for _, action := range ident.Actions {
  64. t.Actions = append(t.Actions, Action(action))
  65. }
  66. for _, cred := range ident.Credentials {
  67. t.Credentials = append(t.Credentials, &Credential{
  68. AccessKey: cred.AccessKey,
  69. SecretKey: cred.SecretKey,
  70. })
  71. }
  72. iam.identities = append(iam.identities, t)
  73. }
  74. return nil
  75. }
  76. func (iam *IdentityAccessManagement) isEnabled() bool {
  77. return len(iam.identities) > 0
  78. }
  79. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  80. for _, ident := range iam.identities {
  81. for _, cred := range ident.Credentials {
  82. if cred.AccessKey == accessKey {
  83. return ident, cred, true
  84. }
  85. }
  86. }
  87. return nil, nil, false
  88. }
  89. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  90. for _, ident := range iam.identities {
  91. if ident.Name == "anonymous" {
  92. return ident, true
  93. }
  94. }
  95. return nil, false
  96. }
  97. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  98. if !iam.isEnabled() {
  99. return f
  100. }
  101. return func(w http.ResponseWriter, r *http.Request) {
  102. errCode := iam.authRequest(r, action)
  103. if errCode == ErrNone {
  104. f(w, r)
  105. return
  106. }
  107. writeErrorResponse(w, errCode, r.URL)
  108. }
  109. }
  110. // check whether the request has valid access keys
  111. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
  112. var identity *Identity
  113. var s3Err ErrorCode
  114. var found bool
  115. switch getRequestAuthType(r) {
  116. case authTypeStreamingSigned:
  117. return ErrNone
  118. case authTypeUnknown:
  119. glog.V(3).Infof("unknown auth type")
  120. return ErrAccessDenied
  121. case authTypePresignedV2, authTypeSignedV2:
  122. glog.V(3).Infof("v2 auth type")
  123. identity, s3Err = iam.isReqAuthenticatedV2(r)
  124. case authTypeSigned, authTypePresigned:
  125. glog.V(3).Infof("v4 auth type")
  126. identity, s3Err = iam.reqSignatureV4Verify(r)
  127. case authTypePostPolicy:
  128. glog.V(3).Infof("post policy auth type")
  129. return ErrNotImplemented
  130. case authTypeJWT:
  131. glog.V(3).Infof("jwt auth type")
  132. return ErrNotImplemented
  133. case authTypeAnonymous:
  134. identity, found = iam.lookupAnonymous()
  135. if !found {
  136. return ErrAccessDenied
  137. }
  138. default:
  139. return ErrNotImplemented
  140. }
  141. glog.V(3).Infof("auth error: %v", s3Err)
  142. if s3Err != ErrNone {
  143. return s3Err
  144. }
  145. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  146. bucket, _ := getBucketAndObject(r)
  147. if !identity.canDo(action, bucket) {
  148. return ErrAccessDenied
  149. }
  150. return ErrNone
  151. }
  152. func (identity *Identity) canDo(action Action, bucket string) bool {
  153. for _, a := range identity.Actions {
  154. if a == "Admin" {
  155. return true
  156. }
  157. }
  158. for _, a := range identity.Actions {
  159. if a == action {
  160. return true
  161. }
  162. }
  163. if bucket == "" {
  164. return false
  165. }
  166. limitedByBucket := string(action) + ":" + bucket
  167. for _, a := range identity.Actions {
  168. if string(a) == limitedByBucket {
  169. return true
  170. }
  171. }
  172. return false
  173. }