You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

512 lines
15 KiB

4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
4 years ago
3 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
3 years ago
4 years ago
3 years ago
4 years ago
3 years ago
4 years ago
3 years ago
3 years ago
4 years ago
3 years ago
3 years ago
  1. package iamapi
  2. import (
  3. "crypto/sha1"
  4. "encoding/json"
  5. "fmt"
  6. "math/rand"
  7. "net/http"
  8. "net/url"
  9. "reflect"
  10. "strings"
  11. "sync"
  12. "time"
  13. "github.com/chrislusf/seaweedfs/weed/glog"
  14. "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
  15. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  16. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  17. "github.com/aws/aws-sdk-go/service/iam"
  18. )
  19. const (
  20. charsetUpper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  21. charset = charsetUpper + "abcdefghijklmnopqrstuvwxyz/"
  22. policyDocumentVersion = "2012-10-17"
  23. StatementActionAdmin = "*"
  24. StatementActionWrite = "Put*"
  25. StatementActionRead = "Get*"
  26. StatementActionList = "List*"
  27. StatementActionTagging = "Tagging*"
  28. )
  29. var (
  30. seededRand *rand.Rand = rand.New(
  31. rand.NewSource(time.Now().UnixNano()))
  32. policyDocuments = map[string]*PolicyDocument{}
  33. policyLock = sync.RWMutex{}
  34. )
  35. func MapToStatementAction(action string) string {
  36. switch action {
  37. case StatementActionAdmin:
  38. return s3_constants.ACTION_ADMIN
  39. case StatementActionWrite:
  40. return s3_constants.ACTION_WRITE
  41. case StatementActionRead:
  42. return s3_constants.ACTION_READ
  43. case StatementActionList:
  44. return s3_constants.ACTION_LIST
  45. case StatementActionTagging:
  46. return s3_constants.ACTION_TAGGING
  47. default:
  48. return ""
  49. }
  50. }
  51. func MapToIdentitiesAction(action string) string {
  52. switch action {
  53. case s3_constants.ACTION_ADMIN:
  54. return StatementActionAdmin
  55. case s3_constants.ACTION_WRITE:
  56. return StatementActionWrite
  57. case s3_constants.ACTION_READ:
  58. return StatementActionRead
  59. case s3_constants.ACTION_LIST:
  60. return StatementActionList
  61. case s3_constants.ACTION_TAGGING:
  62. return StatementActionTagging
  63. default:
  64. return ""
  65. }
  66. }
  67. type Statement struct {
  68. Effect string `json:"Effect"`
  69. Action []string `json:"Action"`
  70. Resource []string `json:"Resource"`
  71. }
  72. type Policies struct {
  73. Policies map[string]PolicyDocument `json:"policies"`
  74. }
  75. type PolicyDocument struct {
  76. Version string `json:"Version"`
  77. Statement []*Statement `json:"Statement"`
  78. }
  79. func (p PolicyDocument) String() string {
  80. b, _ := json.Marshal(p)
  81. return string(b)
  82. }
  83. func Hash(s *string) string {
  84. h := sha1.New()
  85. h.Write([]byte(*s))
  86. return fmt.Sprintf("%x", h.Sum(nil))
  87. }
  88. func StringWithCharset(length int, charset string) string {
  89. b := make([]byte, length)
  90. for i := range b {
  91. b[i] = charset[seededRand.Intn(len(charset))]
  92. }
  93. return string(b)
  94. }
  95. func (iama *IamApiServer) ListUsers(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListUsersResponse) {
  96. for _, ident := range s3cfg.Identities {
  97. resp.ListUsersResult.Users = append(resp.ListUsersResult.Users, &iam.User{UserName: &ident.Name})
  98. }
  99. return resp
  100. }
  101. func (iama *IamApiServer) ListAccessKeys(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp ListAccessKeysResponse) {
  102. status := iam.StatusTypeActive
  103. userName := values.Get("UserName")
  104. for _, ident := range s3cfg.Identities {
  105. if userName != "" && userName != ident.Name {
  106. continue
  107. }
  108. for _, cred := range ident.Credentials {
  109. resp.ListAccessKeysResult.AccessKeyMetadata = append(resp.ListAccessKeysResult.AccessKeyMetadata,
  110. &iam.AccessKeyMetadata{UserName: &ident.Name, AccessKeyId: &cred.AccessKey, Status: &status},
  111. )
  112. }
  113. }
  114. return resp
  115. }
  116. func (iama *IamApiServer) CreateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateUserResponse) {
  117. userName := values.Get("UserName")
  118. resp.CreateUserResult.User.UserName = &userName
  119. s3cfg.Identities = append(s3cfg.Identities, &iam_pb.Identity{Name: userName})
  120. return resp
  121. }
  122. func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp DeleteUserResponse, err error) {
  123. for i, ident := range s3cfg.Identities {
  124. if userName == ident.Name {
  125. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  126. return resp, nil
  127. }
  128. }
  129. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  130. }
  131. func (iama *IamApiServer) GetUser(s3cfg *iam_pb.S3ApiConfiguration, userName string) (resp GetUserResponse, err error) {
  132. for _, ident := range s3cfg.Identities {
  133. if userName == ident.Name {
  134. resp.GetUserResult.User = iam.User{UserName: &ident.Name}
  135. return resp, nil
  136. }
  137. }
  138. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  139. }
  140. func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp UpdateUserResponse, err error) {
  141. userName := values.Get("UserName")
  142. newUserName := values.Get("NewUserName")
  143. if newUserName != "" {
  144. for _, ident := range s3cfg.Identities {
  145. if userName == ident.Name {
  146. ident.Name = newUserName
  147. return resp, nil
  148. }
  149. }
  150. } else {
  151. return resp, nil
  152. }
  153. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  154. }
  155. func GetPolicyDocument(policy *string) (policyDocument PolicyDocument, err error) {
  156. if err = json.Unmarshal([]byte(*policy), &policyDocument); err != nil {
  157. return PolicyDocument{}, err
  158. }
  159. return policyDocument, err
  160. }
  161. func (iama *IamApiServer) CreatePolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreatePolicyResponse, err error) {
  162. policyName := values.Get("PolicyName")
  163. policyDocumentString := values.Get("PolicyDocument")
  164. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  165. if err != nil {
  166. return CreatePolicyResponse{}, err
  167. }
  168. policyId := Hash(&policyDocumentString)
  169. arn := fmt.Sprintf("arn:aws:iam:::policy/%s", policyName)
  170. resp.CreatePolicyResult.Policy.PolicyName = &policyName
  171. resp.CreatePolicyResult.Policy.Arn = &arn
  172. resp.CreatePolicyResult.Policy.PolicyId = &policyId
  173. policies := Policies{}
  174. policyLock.Lock()
  175. defer policyLock.Unlock()
  176. if err = iama.s3ApiConfig.GetPolicies(&policies); err != nil {
  177. return resp, err
  178. }
  179. policies.Policies[policyName] = policyDocument
  180. if err = iama.s3ApiConfig.PutPolicies(&policies); err != nil {
  181. return resp, err
  182. }
  183. return resp, nil
  184. }
  185. // https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html
  186. func (iama *IamApiServer) PutUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  187. userName := values.Get("UserName")
  188. policyName := values.Get("PolicyName")
  189. policyDocumentString := values.Get("PolicyDocument")
  190. policyDocument, err := GetPolicyDocument(&policyDocumentString)
  191. if err != nil {
  192. return PutUserPolicyResponse{}, err
  193. }
  194. isFound := false
  195. policyDocuments[policyName] = &policyDocument
  196. actions := GetActions(&policyDocument)
  197. for _, ident := range s3cfg.Identities {
  198. if userName != ident.Name {
  199. continue
  200. }
  201. isFound = true
  202. for _, action := range actions {
  203. ident.Actions = append(ident.Actions, action)
  204. }
  205. break
  206. }
  207. if !isFound {
  208. return resp, fmt.Errorf("%s: the user with name %s cannot be found", iam.ErrCodeNoSuchEntityException, userName)
  209. }
  210. return resp, nil
  211. }
  212. func (iama *IamApiServer) GetUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp GetUserPolicyResponse, err error) {
  213. userName := values.Get("UserName")
  214. policyName := values.Get("PolicyName")
  215. for _, ident := range s3cfg.Identities {
  216. if userName != ident.Name {
  217. continue
  218. }
  219. resp.GetUserPolicyResult.UserName = userName
  220. resp.GetUserPolicyResult.PolicyName = policyName
  221. if len(ident.Actions) == 0 {
  222. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  223. }
  224. policyDocument := PolicyDocument{Version: policyDocumentVersion}
  225. statements := make(map[string][]string)
  226. for _, action := range ident.Actions {
  227. // parse "Read:EXAMPLE-BUCKET"
  228. act := strings.Split(action, ":")
  229. resource := "*"
  230. if len(act) == 2 {
  231. resource = fmt.Sprintf("arn:aws:s3:::%s/*", act[1])
  232. }
  233. statements[resource] = append(statements[resource],
  234. fmt.Sprintf("s3:%s", MapToIdentitiesAction(act[0])),
  235. )
  236. }
  237. for resource, actions := range statements {
  238. isEqAction := false
  239. for i, statement := range policyDocument.Statement {
  240. if reflect.DeepEqual(statement.Action, actions) {
  241. policyDocument.Statement[i].Resource = append(
  242. policyDocument.Statement[i].Resource, resource)
  243. isEqAction = true
  244. break
  245. }
  246. }
  247. if isEqAction {
  248. continue
  249. }
  250. policyDocumentStatement := Statement{
  251. Effect: "Allow",
  252. Action: actions,
  253. }
  254. policyDocumentStatement.Resource = append(policyDocumentStatement.Resource, resource)
  255. policyDocument.Statement = append(policyDocument.Statement, &policyDocumentStatement)
  256. }
  257. resp.GetUserPolicyResult.PolicyDocument = policyDocument.String()
  258. return resp, nil
  259. }
  260. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  261. }
  262. func (iama *IamApiServer) DeleteUserPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp PutUserPolicyResponse, err error) {
  263. userName := values.Get("UserName")
  264. for i, ident := range s3cfg.Identities {
  265. if ident.Name == userName {
  266. s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
  267. return resp, nil
  268. }
  269. }
  270. return resp, fmt.Errorf(iam.ErrCodeNoSuchEntityException)
  271. }
  272. func GetActions(policy *PolicyDocument) (actions []string) {
  273. for _, statement := range policy.Statement {
  274. if statement.Effect != "Allow" {
  275. continue
  276. }
  277. for _, resource := range statement.Resource {
  278. // Parse "arn:aws:s3:::my-bucket/shared/*"
  279. res := strings.Split(resource, ":")
  280. if len(res) != 6 || res[0] != "arn" || res[1] != "aws" || res[2] != "s3" {
  281. glog.Infof("not match resource: %s", res)
  282. continue
  283. }
  284. for _, action := range statement.Action {
  285. // Parse "s3:Get*"
  286. act := strings.Split(action, ":")
  287. if len(act) != 2 || act[0] != "s3" {
  288. glog.Infof("not match action: %s", act)
  289. continue
  290. }
  291. statementAction := MapToStatementAction(act[1])
  292. if res[5] == "*" {
  293. actions = append(actions, statementAction)
  294. continue
  295. }
  296. // Parse my-bucket/shared/*
  297. path := strings.Split(res[5], "/")
  298. if len(path) != 2 || path[1] != "*" {
  299. glog.Infof("not match bucket: %s", path)
  300. continue
  301. }
  302. actions = append(actions, fmt.Sprintf("%s:%s", statementAction, path[0]))
  303. }
  304. }
  305. }
  306. return actions
  307. }
  308. func (iama *IamApiServer) CreateAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp CreateAccessKeyResponse) {
  309. userName := values.Get("UserName")
  310. status := iam.StatusTypeActive
  311. accessKeyId := StringWithCharset(21, charsetUpper)
  312. secretAccessKey := StringWithCharset(42, charset)
  313. resp.CreateAccessKeyResult.AccessKey.AccessKeyId = &accessKeyId
  314. resp.CreateAccessKeyResult.AccessKey.SecretAccessKey = &secretAccessKey
  315. resp.CreateAccessKeyResult.AccessKey.UserName = &userName
  316. resp.CreateAccessKeyResult.AccessKey.Status = &status
  317. changed := false
  318. for _, ident := range s3cfg.Identities {
  319. if userName == ident.Name {
  320. ident.Credentials = append(ident.Credentials,
  321. &iam_pb.Credential{AccessKey: accessKeyId, SecretKey: secretAccessKey})
  322. changed = true
  323. break
  324. }
  325. }
  326. if !changed {
  327. s3cfg.Identities = append(s3cfg.Identities,
  328. &iam_pb.Identity{Name: userName,
  329. Credentials: []*iam_pb.Credential{
  330. {
  331. AccessKey: accessKeyId,
  332. SecretKey: secretAccessKey,
  333. },
  334. },
  335. },
  336. )
  337. }
  338. return resp
  339. }
  340. func (iama *IamApiServer) DeleteAccessKey(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (resp DeleteAccessKeyResponse) {
  341. userName := values.Get("UserName")
  342. accessKeyId := values.Get("AccessKeyId")
  343. for _, ident := range s3cfg.Identities {
  344. if userName == ident.Name {
  345. for i, cred := range ident.Credentials {
  346. if cred.AccessKey == accessKeyId {
  347. ident.Credentials = append(ident.Credentials[:i], ident.Credentials[i+1:]...)
  348. break
  349. }
  350. }
  351. break
  352. }
  353. }
  354. return resp
  355. }
  356. // handleImplicitUsername adds username who signs the request to values if 'username' is not specified
  357. // According to https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html/
  358. // "If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web
  359. // Services access key ID signing the request."
  360. func handleImplicitUsername(r *http.Request, values url.Values) {
  361. if len(r.Header["Authorization"]) == 0 || values.Get("UserName") != "" {
  362. return
  363. }
  364. // get username who signs the request. For a typical Authorization:
  365. // "AWS4-HMAC-SHA256 Credential=197FSAQ7HHTA48X64O3A/20220420/test1/iam/aws4_request, SignedHeaders=content-type;
  366. // host;x-amz-date, Signature=6757dc6b3d7534d67e17842760310e99ee695408497f6edc4fdb84770c252dc8",
  367. // the "test1" will be extracted as the username
  368. glog.V(4).Infof("Authorization field: %v", r.Header["Authorization"][0])
  369. s := strings.Split(r.Header["Authorization"][0], "Credential=")
  370. if len(s) < 2 {
  371. return
  372. }
  373. s = strings.Split(s[1], ",")
  374. if len(s) < 2 {
  375. return
  376. }
  377. s = strings.Split(s[0], "/")
  378. if len(s) < 5 {
  379. return
  380. }
  381. userName := s[2]
  382. values.Set("UserName", userName)
  383. }
  384. func (iama *IamApiServer) DoActions(w http.ResponseWriter, r *http.Request) {
  385. if err := r.ParseForm(); err != nil {
  386. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  387. return
  388. }
  389. values := r.PostForm
  390. s3cfg := &iam_pb.S3ApiConfiguration{}
  391. if err := iama.s3ApiConfig.GetS3ApiConfiguration(s3cfg); err != nil {
  392. s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
  393. return
  394. }
  395. glog.V(4).Infof("DoActions: %+v", values)
  396. var response interface{}
  397. var err error
  398. changed := true
  399. switch r.Form.Get("Action") {
  400. case "ListUsers":
  401. response = iama.ListUsers(s3cfg, values)
  402. changed = false
  403. case "ListAccessKeys":
  404. handleImplicitUsername(r, values)
  405. response = iama.ListAccessKeys(s3cfg, values)
  406. changed = false
  407. case "CreateUser":
  408. response = iama.CreateUser(s3cfg, values)
  409. case "GetUser":
  410. userName := values.Get("UserName")
  411. response, err = iama.GetUser(s3cfg, userName)
  412. if err != nil {
  413. writeIamErrorResponse(w, r, err, "user", userName, nil)
  414. return
  415. }
  416. changed = false
  417. case "UpdateUser":
  418. response, err = iama.UpdateUser(s3cfg, values)
  419. if err != nil {
  420. glog.Errorf("UpdateUser: %+v", err)
  421. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  422. return
  423. }
  424. case "DeleteUser":
  425. userName := values.Get("UserName")
  426. response, err = iama.DeleteUser(s3cfg, userName)
  427. if err != nil {
  428. writeIamErrorResponse(w, r, err, "user", userName, nil)
  429. return
  430. }
  431. case "CreateAccessKey":
  432. handleImplicitUsername(r, values)
  433. response = iama.CreateAccessKey(s3cfg, values)
  434. case "DeleteAccessKey":
  435. handleImplicitUsername(r, values)
  436. response = iama.DeleteAccessKey(s3cfg, values)
  437. case "CreatePolicy":
  438. response, err = iama.CreatePolicy(s3cfg, values)
  439. if err != nil {
  440. glog.Errorf("CreatePolicy: %+v", err)
  441. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  442. return
  443. }
  444. case "PutUserPolicy":
  445. response, err = iama.PutUserPolicy(s3cfg, values)
  446. if err != nil {
  447. glog.Errorf("PutUserPolicy: %+v", err)
  448. s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
  449. return
  450. }
  451. case "GetUserPolicy":
  452. response, err = iama.GetUserPolicy(s3cfg, values)
  453. if err != nil {
  454. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  455. return
  456. }
  457. changed = false
  458. case "DeleteUserPolicy":
  459. if response, err = iama.DeleteUserPolicy(s3cfg, values); err != nil {
  460. writeIamErrorResponse(w, r, err, "user", values.Get("UserName"), nil)
  461. return
  462. }
  463. default:
  464. errNotImplemented := s3err.GetAPIError(s3err.ErrNotImplemented)
  465. errorResponse := ErrorResponse{}
  466. errorResponse.Error.Code = &errNotImplemented.Code
  467. errorResponse.Error.Message = &errNotImplemented.Description
  468. s3err.WriteXMLResponse(w, r, errNotImplemented.HTTPStatusCode, errorResponse)
  469. return
  470. }
  471. if changed {
  472. err := iama.s3ApiConfig.PutS3ApiConfiguration(s3cfg)
  473. if err != nil {
  474. writeIamErrorResponse(w, r, fmt.Errorf(iam.ErrCodeServiceFailureException), "", "", err)
  475. return
  476. }
  477. }
  478. s3err.WriteXMLResponse(w, r, http.StatusOK, response)
  479. }