You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

213 lines
5.0 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 years ago
5 years ago
4 years ago
5 years ago
5 years ago
5 years ago
5 years ago
  1. package s3api
  2. import (
  3. "bytes"
  4. "fmt"
  5. "io/ioutil"
  6. "net/http"
  7. xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
  8. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  9. "github.com/golang/protobuf/jsonpb"
  10. "github.com/chrislusf/seaweedfs/weed/glog"
  11. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  12. )
  13. type Action string
  14. const (
  15. ACTION_READ = "Read"
  16. ACTION_WRITE = "Write"
  17. ACTION_ADMIN = "Admin"
  18. ACTION_TAGGING = "Tagging"
  19. ACTION_LIST = "List"
  20. )
  21. type Iam interface {
  22. Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
  23. }
  24. type IdentityAccessManagement struct {
  25. identities []*Identity
  26. domain string
  27. }
  28. type Identity struct {
  29. Name string
  30. Credentials []*Credential
  31. Actions []Action
  32. }
  33. type Credential struct {
  34. AccessKey string
  35. SecretKey string
  36. }
  37. func NewIdentityAccessManagement(fileName string, domain string) *IdentityAccessManagement {
  38. iam := &IdentityAccessManagement{
  39. domain: domain,
  40. }
  41. if fileName == "" {
  42. return iam
  43. }
  44. if err := iam.loadS3ApiConfiguration(fileName); err != nil {
  45. glog.Fatalf("fail to load config file %s: %v", fileName, err)
  46. }
  47. return iam
  48. }
  49. func (iam *IdentityAccessManagement) loadS3ApiConfiguration(fileName string) error {
  50. s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
  51. rawData, readErr := ioutil.ReadFile(fileName)
  52. if readErr != nil {
  53. glog.Warningf("fail to read %s : %v", fileName, readErr)
  54. return fmt.Errorf("fail to read %s : %v", fileName, readErr)
  55. }
  56. glog.V(1).Infof("load s3 config: %v", fileName)
  57. if err := jsonpb.Unmarshal(bytes.NewReader(rawData), s3ApiConfiguration); err != nil {
  58. glog.Warningf("unmarshal error: %v", err)
  59. return fmt.Errorf("unmarshal %s error: %v", fileName, err)
  60. }
  61. for _, ident := range s3ApiConfiguration.Identities {
  62. t := &Identity{
  63. Name: ident.Name,
  64. Credentials: nil,
  65. Actions: nil,
  66. }
  67. for _, action := range ident.Actions {
  68. t.Actions = append(t.Actions, Action(action))
  69. }
  70. for _, cred := range ident.Credentials {
  71. t.Credentials = append(t.Credentials, &Credential{
  72. AccessKey: cred.AccessKey,
  73. SecretKey: cred.SecretKey,
  74. })
  75. }
  76. iam.identities = append(iam.identities, t)
  77. }
  78. return nil
  79. }
  80. func (iam *IdentityAccessManagement) isEnabled() bool {
  81. return len(iam.identities) > 0
  82. }
  83. func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
  84. for _, ident := range iam.identities {
  85. for _, cred := range ident.Credentials {
  86. if cred.AccessKey == accessKey {
  87. return ident, cred, true
  88. }
  89. }
  90. }
  91. return nil, nil, false
  92. }
  93. func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
  94. for _, ident := range iam.identities {
  95. if ident.Name == "anonymous" {
  96. return ident, true
  97. }
  98. }
  99. return nil, false
  100. }
  101. func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
  102. if !iam.isEnabled() {
  103. return f
  104. }
  105. return func(w http.ResponseWriter, r *http.Request) {
  106. identity, errCode := iam.authRequest(r, action)
  107. if errCode == s3err.ErrNone {
  108. if identity != nil && identity.Name != "" {
  109. r.Header.Set(xhttp.AmzIdentityId, identity.Name)
  110. }
  111. f(w, r)
  112. return
  113. }
  114. writeErrorResponse(w, errCode, r.URL)
  115. }
  116. }
  117. // check whether the request has valid access keys
  118. func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
  119. var identity *Identity
  120. var s3Err s3err.ErrorCode
  121. var found bool
  122. switch getRequestAuthType(r) {
  123. case authTypeStreamingSigned:
  124. return identity, s3err.ErrNone
  125. case authTypeUnknown:
  126. glog.V(3).Infof("unknown auth type")
  127. return identity, s3err.ErrAccessDenied
  128. case authTypePresignedV2, authTypeSignedV2:
  129. glog.V(3).Infof("v2 auth type")
  130. identity, s3Err = iam.isReqAuthenticatedV2(r)
  131. case authTypeSigned, authTypePresigned:
  132. glog.V(3).Infof("v4 auth type")
  133. identity, s3Err = iam.reqSignatureV4Verify(r)
  134. case authTypePostPolicy:
  135. glog.V(3).Infof("post policy auth type")
  136. return identity, s3err.ErrNone
  137. case authTypeJWT:
  138. glog.V(3).Infof("jwt auth type")
  139. return identity, s3err.ErrNotImplemented
  140. case authTypeAnonymous:
  141. identity, found = iam.lookupAnonymous()
  142. if !found {
  143. return identity, s3err.ErrAccessDenied
  144. }
  145. default:
  146. return identity, s3err.ErrNotImplemented
  147. }
  148. glog.V(3).Infof("auth error: %v", s3Err)
  149. if s3Err != s3err.ErrNone {
  150. return identity, s3Err
  151. }
  152. glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
  153. bucket, _ := getBucketAndObject(r)
  154. if !identity.canDo(action, bucket) {
  155. return identity, s3err.ErrAccessDenied
  156. }
  157. return identity, s3err.ErrNone
  158. }
  159. func (identity *Identity) canDo(action Action, bucket string) bool {
  160. for _, a := range identity.Actions {
  161. if a == "Admin" {
  162. return true
  163. }
  164. }
  165. for _, a := range identity.Actions {
  166. if a == action {
  167. return true
  168. }
  169. }
  170. if bucket == "" {
  171. return false
  172. }
  173. limitedByBucket := string(action) + ":" + bucket
  174. for _, a := range identity.Actions {
  175. if string(a) == limitedByBucket {
  176. return true
  177. }
  178. }
  179. return false
  180. }