You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

360 lines
9.6 KiB

5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
3 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
3 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
3 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
  1. package s3api
  2. import (
  3. "fmt"
  4. "net/http"
  5. "os"
  6. "strings"
  7. "sync"
  8. "github.com/chrislusf/seaweedfs/weed/filer"
  9. "github.com/chrislusf/seaweedfs/weed/glog"
  10. "github.com/chrislusf/seaweedfs/weed/pb"
  11. "github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
  12. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  13. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  14. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  15. )
  16. type Action string
  17. type Iam interface {
  18. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  19. }
  20. type IdentityAccessManagement struct {
  21. m sync.RWMutex
  22. identities []*Identity
  23. isAuthEnabled bool
  24. domain string
  25. }
  26. type Identity struct {
  27. Name string
  28. Credentials []*Credential
  29. Actions []Action
  30. }
  31. type Credential struct {
  32. AccessKey string
  33. SecretKey string
  34. }
  35. func (action Action) isAdmin() bool {
  36. return strings.HasPrefix(string(action), s3_constants.ACTION_ADMIN)
  37. }
  38. func (action Action) isOwner(bucket string) bool {
  39. return string(action) == s3_constants.ACTION_ADMIN+":"+bucket
  40. }
  41. func (action Action) overBucket(bucket string) bool {
  42. return strings.HasSuffix(string(action), ":"+bucket) || strings.HasSuffix(string(action), ":*")
  43. }
  44. func (action Action) getPermission() Permission {
  45. switch act := strings.Split(string(action), ":")[0]; act {
  46. case s3_constants.ACTION_ADMIN:
  47. return Permission("FULL_CONTROL")
  48. case s3_constants.ACTION_WRITE:
  49. return Permission("WRITE")
  50. case s3_constants.ACTION_READ:
  51. return Permission("READ")
  52. default:
  53. return Permission("")
  54. }
  55. }
  56. func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
  57. iam := &IdentityAccessManagement{
  58. domain: option.DomainName,
  59. }
  60. if option.Config != "" {
  61. if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
  62. glog.Fatalf("fail to load config file %s: %v", option.Config, err)
  63. }
  64. } else {
  65. if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
  66. glog.Warningf("fail to load config: %v", err)
  67. }
  68. }
  69. return iam
  70. }
  71. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) (err error) {
  72. var content []byte
  73. err = pb.WithFilerClient(false, option.Filer, option.GrpcDialOption, func(client filer_pb.SeaweedFilerClient) error {
  74. content, err = filer.ReadInsideFiler(client, filer.IamConfigDirecotry, filer.IamIdentityFile)
  75. return err
  76. })
  77. if err != nil {
  78. return fmt.Errorf("read S3 config: %v", err)
  79. }
  80. return iam.LoadS3ApiConfigurationFromBytes(content)
  81. }
  82. func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
  83. content, readErr := os.ReadFile(fileName)
  84. if readErr != nil {
  85. glog.Warningf("fail to read %s : %v", fileName, readErr)
  86. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  87. }
  88. return iam.LoadS3ApiConfigurationFromBytes(content)
  89. }
  90. func (iam *IdentityAccessManagement) LoadS3ApiConfigurationFromBytes(content []byte) error {
  91. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  92. if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
  93. glog.Warningf("unmarshal error: %v", err)
  94. return fmt.Errorf("unmarshal error: %v", err)
  95. }
  96. if err := filer.CheckDuplicateAccessKey(s3ApiConfiguration); err != nil {
  97. return err
  98. }
  99. if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
  100. return err
  101. }
  102. return nil
  103. }
  104. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
  105. var identities []*Identity
  106. for _, ident := range config.Identities {
  107. t := &Identity{
  108. Name: ident.Name,
  109. Credentials: nil,
  110. Actions: nil,
  111. }
  112. for _, action := range ident.Actions {
  113. t.Actions = append(t.Actions, Action(action))
  114. }
  115. for _, cred := range ident.Credentials {
  116. t.Credentials = append(t.Credentials, &Credential{
  117. AccessKey: cred.AccessKey,
  118. SecretKey: cred.SecretKey,
  119. })
  120. }
  121. identities = append(identities, t)
  122. }
  123. iam.m.Lock()
  124. // atomically switch
  125. iam.identities = identities
  126. if !iam.isAuthEnabled { // one-directional, no toggling
  127. iam.isAuthEnabled = len(identities) > 0
  128. }
  129. iam.m.Unlock()
  130. return nil
  131. }
  132. func (iam *IdentityAccessManagement) isEnabled() bool {
  133. return iam.isAuthEnabled
  134. }
  135. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  136. iam.m.RLock()
  137. defer iam.m.RUnlock()
  138. for _, ident := range iam.identities {
  139. for _, cred := range ident.Credentials {
  140. // println("checking", ident.Name, cred.AccessKey)
  141. if cred.AccessKey == accessKey {
  142. return ident, cred, true
  143. }
  144. }
  145. }
  146. glog.V(1).Infof("could not find accessKey %s", accessKey)
  147. return nil, nil, false
  148. }
  149. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  150. iam.m.RLock()
  151. defer iam.m.RUnlock()
  152. for _, ident := range iam.identities {
  153. if ident.Name == "anonymous" {
  154. return ident, true
  155. }
  156. }
  157. return nil, false
  158. }
  159. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  160. return func(w http.ResponseWriter, r *http.Request) {
  161. if !iam.isEnabled() {
  162. f(w, r)
  163. return
  164. }
  165. identity, errCode := iam.authRequest(r, action)
  166. if errCode == s3err.ErrNone {
  167. if identity != nil && identity.Name != "" {
  168. r.Header.Set(s3_constants.AmzIdentityId, identity.Name)
  169. if identity.isAdmin() {
  170. r.Header.Set(s3_constants.AmzIsAdmin, "true")
  171. } else if _, ok := r.Header[s3_constants.AmzIsAdmin]; ok {
  172. r.Header.Del(s3_constants.AmzIsAdmin)
  173. }
  174. }
  175. f(w, r)
  176. return
  177. }
  178. s3err.WriteErrorResponse(w, r, errCode)
  179. }
  180. }
  181. // check whether the request has valid access keys
  182. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  183. var identity *Identity
  184. var s3Err s3err.ErrorCode
  185. var found bool
  186. var authType string
  187. switch getRequestAuthType(r) {
  188. case authTypeStreamingSigned:
  189. return identity, s3err.ErrNone
  190. case authTypeUnknown:
  191. glog.V(3).Infof("unknown auth type")
  192. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  193. return identity, s3err.ErrAccessDenied
  194. case authTypePresignedV2, authTypeSignedV2:
  195. glog.V(3).Infof("v2 auth type")
  196. identity, s3Err = iam.isReqAuthenticatedV2(r)
  197. authType = "SigV2"
  198. case authTypeSigned, authTypePresigned:
  199. glog.V(3).Infof("v4 auth type")
  200. identity, s3Err = iam.reqSignatureV4Verify(r)
  201. authType = "SigV4"
  202. case authTypePostPolicy:
  203. glog.V(3).Infof("post policy auth type")
  204. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  205. return identity, s3err.ErrNone
  206. case authTypeJWT:
  207. glog.V(3).Infof("jwt auth type")
  208. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  209. return identity, s3err.ErrNotImplemented
  210. case authTypeAnonymous:
  211. authType = "Anonymous"
  212. identity, found = iam.lookupAnonymous()
  213. if !found {
  214. r.Header.Set(s3_constants.AmzAuthType, authType)
  215. return identity, s3err.ErrAccessDenied
  216. }
  217. default:
  218. return identity, s3err.ErrNotImplemented
  219. }
  220. if len(authType) > 0 {
  221. r.Header.Set(s3_constants.AmzAuthType, authType)
  222. }
  223. if s3Err != s3err.ErrNone {
  224. return identity, s3Err
  225. }
  226. glog.V(3).Infof("user name: %v actions: %v, action: %v", identity.Name, identity.Actions, action)
  227. bucket, object := s3_constants.GetBucketAndObject(r)
  228. if !identity.canDo(action, bucket, object) {
  229. return identity, s3err.ErrAccessDenied
  230. }
  231. return identity, s3err.ErrNone
  232. }
  233. func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
  234. var identity *Identity
  235. var s3Err s3err.ErrorCode
  236. var found bool
  237. var authType string
  238. switch getRequestAuthType(r) {
  239. case authTypeStreamingSigned:
  240. return identity, s3err.ErrNone
  241. case authTypeUnknown:
  242. glog.V(3).Infof("unknown auth type")
  243. r.Header.Set(s3_constants.AmzAuthType, "Unknown")
  244. return identity, s3err.ErrAccessDenied
  245. case authTypePresignedV2, authTypeSignedV2:
  246. glog.V(3).Infof("v2 auth type")
  247. identity, s3Err = iam.isReqAuthenticatedV2(r)
  248. authType = "SigV2"
  249. case authTypeSigned, authTypePresigned:
  250. glog.V(3).Infof("v4 auth type")
  251. identity, s3Err = iam.reqSignatureV4Verify(r)
  252. authType = "SigV4"
  253. case authTypePostPolicy:
  254. glog.V(3).Infof("post policy auth type")
  255. r.Header.Set(s3_constants.AmzAuthType, "PostPolicy")
  256. return identity, s3err.ErrNone
  257. case authTypeJWT:
  258. glog.V(3).Infof("jwt auth type")
  259. r.Header.Set(s3_constants.AmzAuthType, "Jwt")
  260. return identity, s3err.ErrNotImplemented
  261. case authTypeAnonymous:
  262. authType = "Anonymous"
  263. identity, found = iam.lookupAnonymous()
  264. if !found {
  265. r.Header.Set(s3_constants.AmzAuthType, authType)
  266. return identity, s3err.ErrAccessDenied
  267. }
  268. default:
  269. return identity, s3err.ErrNotImplemented
  270. }
  271. if len(authType) > 0 {
  272. r.Header.Set(s3_constants.AmzAuthType, authType)
  273. }
  274. glog.V(3).Infof("auth error: %v", s3Err)
  275. if s3Err != s3err.ErrNone {
  276. return identity, s3Err
  277. }
  278. return identity, s3err.ErrNone
  279. }
  280. func (identity *Identity) canDo(action Action, bucket string, objectKey string) bool {
  281. if identity.isAdmin() {
  282. return true
  283. }
  284. for _, a := range identity.Actions {
  285. if a == action {
  286. return true
  287. }
  288. }
  289. if bucket == "" {
  290. return false
  291. }
  292. target := string(action) + ":" + bucket + objectKey
  293. adminTarget := s3_constants.ACTION_ADMIN + ":" + bucket + objectKey
  294. limitedByBucket := string(action) + ":" + bucket
  295. adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
  296. for _, a := range identity.Actions {
  297. act := string(a)
  298. if strings.HasSuffix(act, "*") {
  299. if strings.HasPrefix(target, act[:len(act)-1]) {
  300. return true
  301. }
  302. if strings.HasPrefix(adminTarget, act[:len(act)-1]) {
  303. return true
  304. }
  305. } else {
  306. if act == limitedByBucket {
  307. return true
  308. }
  309. if act == adminLimitedByBucket {
  310. return true
  311. }
  312. }
  313. }
  314. return false
  315. }
  316. func (identity *Identity) isAdmin() bool {
  317. for _, a := range identity.Actions {
  318. if a == "Admin" {
  319. return true
  320. }
  321. }
  322. return false
  323. }