Merge 188715df24 into bd97cbc523

9 years ago · 7ce56dc096
4 changed files with 264 additions and 7 deletions
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@ -1,10 +1,16 @@
 package security

 import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
+	"sort"
 	"strings"

 	"github.com/chrislusf/seaweedfs/weed/glog"
@ -40,16 +46,52 @@ Referenced:
 https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go

 */
+
+/*
+
+Below sample config section should be modified per your needs and added into the filer.json config file if you want to
+enable filer R/W API verfication like the AWS S3 RESTFUL authentication
+
+{
+   "appInfo": [
+       {
+           "AppKeyId": "XVNVWEYQVNGXWWNXGLKP",
+           "AppKeySecret": "H8peDqD3A9Uc8KO28Iu99ywnW7TKQ8pii2PE8xpQ",
+           "bucketList": [
+               "yourbucketName"
+           ]
+       }
+   ]
+}
+
+*/
+type AppContent struct {
+	AppKeySecret string
+	BucketList   []string
+}
+type AppConf struct {
+	AppContent
+	AppKeyID string
+}
+
 type Guard struct {
 	whiteList  []string
 	SecretKey  Secret
+	appKeyDict map[string]AppContent

 	isActive bool
 }

-func NewGuard(whiteList []string, secretKey string) *Guard {
-	g := &Guard{whiteList: whiteList, SecretKey: Secret(secretKey)}
-	g.isActive = len(g.whiteList) != 0 || len(g.SecretKey) != 0
+func NewGuard(whiteList []string, secretKey string, appConfs []AppConf) *Guard {
+	appKeyDict := make(map[string]AppContent, len(appConfs))
+	for _, appConf := range appConfs {
+		appKeyDict[appConf.AppKeyID] = AppContent{
+			AppKeySecret: appConf.AppKeySecret,
+			BucketList:   appConf.BucketList,
+		}
+	}
+	g := &Guard{whiteList: whiteList, SecretKey: Secret(secretKey), appKeyDict: appKeyDict}
+	g.isActive = len(g.whiteList) != 0 || len(g.SecretKey) != 0 || len(g.appKeyDict) != 0
 	return g
 }

@ -81,6 +123,23 @@ func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w ht
 	}
 }

+/*
+Please refer to http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html for Rest Authentication details
+*/
+func (g *Guard) CheckAuthorization(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
+	if !g.isActive {
+		//if no security needed, just skip all checkings
+		return f
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		if err := g.checkAuthorization(w, r); err != nil {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		f(w, r)
+	}
+}
+
 func GetActualRemoteHost(r *http.Request) (host string, err error) {
 	host = r.Header.Get("HTTP_X_FORWARDED_FOR")
 	if host == "" {
@ -160,3 +219,194 @@ func (g *Guard) checkJwt(w http.ResponseWriter, r *http.Request) error {
 	glog.V(1).Infof("No permission from %s", r.RemoteAddr)
 	return fmt.Errorf("No write permisson from %s", r.RemoteAddr)
 }
+
+func ComputeHmac256(message string, secret string) string {
+	key := []byte(secret)
+	h := hmac.New(sha256.New, key)
+	h.Write([]byte(message))
+	return base64.StdEncoding.EncodeToString(h.Sum(nil))
+}
+
+/*
+authentication sample:
+Authorization: AWS-HMAC-SHA256 PLLZOBTTZXGBNOWUFHZZ:tuXu/KcggHWPAfEmraUHDwEUdiIPSXVRsO+T2rxomBQ=
+*/
+func VerifyAuthorizationHeader(authorization string) (accessKeyId, signature string, err error) {
+	authArr := strings.Split(authorization, " ")
+	if len(authArr) != 2 {
+		err = fmt.Errorf("authorization %s is not correct", authorization)
+		return
+	}
+
+	/*
+		This is just a sample, you could customize the signature algorithm freely
+	*/
+	if authArr[0] != "AWS-HMAC-SHA256" {
+		err = fmt.Errorf("algorithm %s is not supported yet", authArr[0])
+		return
+	}
+
+	sigArr := strings.Split(authArr[1], ":")
+	if len(sigArr) != 2 {
+		err = fmt.Errorf("signature %s is not correct", authArr[1])
+		return
+	}
+	accessKeyId = sigArr[0]
+	signature = sigArr[1]
+	if len(accessKeyId) == 0 || len(signature) == 0 {
+		err = fmt.Errorf("accessKeyId %s or signature %s is empty", accessKeyId, signature)
+		return
+	}
+	return
+
+}
+
+func (g *Guard) GetAccessKeyAppContent(accessKeyId string) (AppContent, error) {
+
+	if appContent, found := g.appKeyDict[accessKeyId]; !found {
+		return AppContent{}, fmt.Errorf("%s key Not Found", accessKeyId)
+	} else {
+		return appContent, nil
+	}
+}
+
+func GetBucketAndObjectName(r *http.Request) (bucketName, objectName string) {
+	/*
+	 http://host:port/objectName?collection=bucketName
+	 http://host:port/bucketName/objectName
+	*/
+
+	collection := r.URL.Query().Get("collection")
+	if collection != "" {
+		return collection, r.URL.Path[1:]
+	}
+
+	secondPos := strings.Index(r.URL.Path[1:], "/")
+	if secondPos == -1 {
+		secondPos = len(r.URL.Path)
+	} else {
+		secondPos += 1
+	}
+	bucketName = r.URL.Path[1:secondPos]
+	if secondPos+1 < len(r.URL.Path) {
+		objectName = r.URL.Path[secondPos+1:]
+	}
+	return
+}
+
+type headerSorter struct {
+	Keys []string
+	Vals []string
+}
+
+func newHeaderSorter(m map[string]string) *headerSorter {
+	hs := &headerSorter{
+		Keys: make([]string, 0, len(m)),
+		Vals: make([]string, 0, len(m)),
+	}
+
+	for k, v := range m {
+		hs.Keys = append(hs.Keys, k)
+		hs.Vals = append(hs.Vals, v)
+	}
+	return hs
+}
+
+func (hs *headerSorter) Sort() {
+	sort.Sort(hs)
+}
+
+func (hs *headerSorter) Len() int {
+	return len(hs.Vals)
+}
+
+func (hs *headerSorter) Less(i, j int) bool {
+	return bytes.Compare([]byte(hs.Keys[i]), []byte(hs.Keys[j])) < 0
+}
+
+func (hs *headerSorter) Swap(i, j int) {
+	hs.Vals[i], hs.Vals[j] = hs.Vals[j], hs.Vals[i]
+	hs.Keys[i], hs.Keys[j] = hs.Keys[j], hs.Keys[i]
+}
+
+func (g *Guard) GenerateSignature(appKeySecret string, r *http.Request) (string, error) {
+	unescaped_uri, err := url.QueryUnescape(r.RequestURI)
+	if err != nil {
+		glog.V(1).Infof("uri %s unescape err %s", unescaped_uri, err.Error())
+		return "", ErrUnauthorized
+	}
+
+	temp := make(map[string]string)
+	/*
+		if there are some header options which were not prepared to added into the canonicalizedOSSHeaders,
+		add a prefix as below and bypass
+	*/
+	for k, v := range r.Header {
+		if !strings.HasPrefix(strings.ToLower(k), "x-aws-") {
+			temp[strings.ToLower(k)] = v[0]
+		}
+	}
+	hs := newHeaderSorter(temp)
+	hs.Sort()
+
+	// Get the CanonicalizedOSSHeaders
+	canonicalizedOSSHeaders := ""
+	for i := range hs.Keys {
+		canonicalizedOSSHeaders += hs.Keys[i] + ":" + hs.Vals[i] + "\n"
+	}
+
+	string_to_sign := r.Method + "\n" +
+		r.Header.Get("Content-MD5") + "\n" +
+		r.Header.Get("Content-Type") + "\n" +
+		r.Header.Get("Date") + "\n" +
+		canonicalizedOSSHeaders +
+		unescaped_uri
+
+	return ComputeHmac256(string_to_sign, appKeySecret), nil
+}
+
+func (g *Guard) checkAuthorization(w http.ResponseWriter, r *http.Request) error {
+	authorization_string_from_client := r.Header.Get("Authorization")
+	if len(authorization_string_from_client) == 0 {
+		glog.V(1).Infof("Authorization in header field is empty")
+		return ErrUnauthorized
+	}
+
+	accessKeyId, signature, err := VerifyAuthorizationHeader(authorization_string_from_client)
+	if err != nil {
+		glog.V(1).Infof("verify authorization failed %s", err.Error())
+		return ErrUnauthorized
+	}
+
+	appContent, err := g.GetAccessKeyAppContent(accessKeyId)
+	if err != nil {
+		glog.V(1).Infof("accessKeyId %s is invalid", accessKeyId)
+		return ErrUnauthorized
+	}
+
+	bucketName, _ := GetBucketAndObjectName(r)
+
+	var found bool
+	for _, bucket := range appContent.BucketList {
+		if bucket == bucketName {
+			found = true
+			break
+		}
+	}
+	if !found {
+		glog.V(1).Infof("bucketName %s is not authorized for appKeyId %s", bucketName, accessKeyId)
+		return ErrUnauthorized
+	}
+	if my_sig, err := g.GenerateSignature(appContent.AppKeySecret, r); err != nil {
+		return err
+	} else {
+		if signature != my_sig {
+			glog.V(1).Infof("Authorization[%s]'s signature from client is not valid", authorization_string_from_client)
+			return ErrUnauthorized
+		} else {
+			glog.V(3).Infof("Authorization succeeded!")
+		}
+	}
+
+	return nil
+}
--- a/weed/server/filer_server.go
+++ b/weed/server/filer_server.go
@ -26,6 +26,7 @@ type filerConf struct {
 	MysqlConf []mysql_store.MySqlConf `json:"mysql"`
 	mysql_store.ShardingConf
 	PostgresConf *postgres_store.PostgresConf `json:"postgres"`
+	AppConf      []security.AppConf           `json:"appInfo"`
 }

 func parseConfFile(confPath string) (*filerConf, error) {
@ -55,6 +56,7 @@ type FilerServer struct {
 	filer              filer.Filer
 	maxMB              int
 	masterNodes        *storage.MasterNodes
+	guard              *security.Guard
 }

 func NewFilerServer(r *http.ServeMux, ip string, port int, master string, dir string, collection string,
@ -110,6 +112,11 @@ func NewFilerServer(r *http.ServeMux, ip string, port int, master string, dir st
 		r.HandleFunc("/__api__", fs.apiHandler)
 	}

+	/*
+		guard := security.NewGuard(nil, secret, setting.AppConf)
+		fs.guard = guard
+		r.HandleFunc("/", guard.CheckAuthorization(fs.filerHandler))
+	*/
 	r.HandleFunc("/", fs.filerHandler)

 	go func() {
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@ -61,7 +61,7 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 	ms.vg = topology.NewDefaultVolumeGrowth()
 	glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")

-	ms.guard = security.NewGuard(whiteList, secureKey)
+	ms.guard = security.NewGuard(whiteList, secureKey, nil)

 	r.HandleFunc("/", ms.uiStatusHandler)
 	r.HandleFunc("/ui/index.html", ms.uiStatusHandler)
--- a/weed/server/volume_server.go
+++ b/weed/server/volume_server.go
@ -46,7 +46,7 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 	vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
 	storage.EnableBytesCache = enableBytesCache

-	vs.guard = security.NewGuard(whiteList, "")
+	vs.guard = security.NewGuard(whiteList, "", nil)

 	adminMux.HandleFunc("/ui/index.html", vs.uiStatusHandler)
 	adminMux.HandleFunc("/status", vs.guard.WhiteList(vs.statusHandler))