From 9fadd9def8e34c3b2300f0b4ffee5317b532c4af Mon Sep 17 00:00:00 2001
From: Maxim Kostyukov
Date: Fri, 1 Aug 2025 01:06:29 +0300
Subject: [PATCH] Fixed weed mount reads with jwt.signing.read.key (#7061)
---
 weed/filer/filechunk_manifest.go | 2 +-
 weed/filer/reader_cache.go | 2 +-
 weed/filer/stream.go | 2 +-
 weed/util/http/http_global_client_util.go | 29 +++++++++++++++++++++--
 4 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/weed/filer/filechunk_manifest.go b/weed/filer/filechunk_manifest.go
index e8de430f0..2abbc6729 100644
--- a/weed/filer/filechunk_manifest.go
+++ b/weed/filer/filechunk_manifest.go
@@ -122,7 +122,7 @@ func fetchChunkRange(buffer []byte, lookupFileIdFn wdclient.LookupFileIdFunction
 glog.Errorf("operation LookupFileId %s failed, err: %v", fileId, err)
 return 0, err
 }
- return util_http.RetriedFetchChunkData(context.Background(), buffer, urlStrings, cipherKey, isGzipped, false, offset)
+ return util_http.RetriedFetchChunkData(context.Background(), buffer, urlStrings, cipherKey, isGzipped, false, offset, fileId)
 }

 func retriedStreamFetchChunkData(ctx context.Context, writer io.Writer, urlStrings []string, jwt string, cipherKey []byte, isGzipped bool, isFullChunk bool, offset int64, size int) (err error) {
diff --git a/weed/filer/reader_cache.go b/weed/filer/reader_cache.go
index 08c59a34d..11382bed3 100644
--- a/weed/filer/reader_cache.go
+++ b/weed/filer/reader_cache.go
@@ -178,7 +178,7 @@ func (s *SingleChunkCacher) startCaching() {

 s.data = mem.Allocate(s.chunkSize)

- _, s.err = util_http.RetriedFetchChunkData(context.Background(), s.data, urlStrings, s.cipherKey, s.isGzipped, true, 0)
+ _, s.err = util_http.RetriedFetchChunkData(context.Background(), s.data, urlStrings, s.cipherKey, s.isGzipped, true, 0, s.chunkFileId)
 if s.err != nil {
 mem.Free(s.data)
 s.data = nil
diff --git a/weed/filer/stream.go b/weed/filer/stream.go
index 579b5ed50..87280d6b0 100644
--- a/weed/filer/stream.go
+++ b/weed/filer/stream.go
@@ -196,7 +196,7 @@ func ReadAll(ctx context.Context, buffer []byte, masterClient *wdclient.MasterCl
 return err
 }

- n, err := util_http.RetriedFetchChunkData(ctx, buffer[idx:idx+int(chunkView.ViewSize)], urlStrings, chunkView.CipherKey, chunkView.IsGzipped, chunkView.IsFullChunk(), chunkView.OffsetInChunk)
+ n, err := util_http.RetriedFetchChunkData(ctx, buffer[idx:idx+int(chunkView.ViewSize)], urlStrings, chunkView.CipherKey, chunkView.IsGzipped, chunkView.IsFullChunk(), chunkView.OffsetInChunk, chunkView.FileId)
 if err != nil {
 return err
 }
diff --git a/weed/util/http/http_global_client_util.go b/weed/util/http/http_global_client_util.go
index af153bc74..27398f3ec 100644
--- a/weed/util/http/http_global_client_util.go
+++ b/weed/util/http/http_global_client_util.go
@@ -6,6 +6,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "sync"

 "github.com/seaweedfs/seaweedfs/weed/util"
 "github.com/seaweedfs/seaweedfs/weed/util/mem"
@@ -18,10 +19,24 @@ import (
 "time"

 "github.com/seaweedfs/seaweedfs/weed/glog"
+
+ "github.com/seaweedfs/seaweedfs/weed/security"
 )

 var ErrNotFound = fmt.Errorf("not found")

+var (
+ jwtSigningReadKey security.SigningKey
+ jwtSigningReadKeyExpires int
+ loadJwtConfigOnce sync.Once
+)
+
+func loadJwtConfig() {
+ v := util.GetViper()
+ jwtSigningReadKey = security.SigningKey(v.GetString("jwt.signing.read.key"))
+ jwtSigningReadKeyExpires = v.GetInt("jwt.signing.read.expires_after_seconds")
+}
+
 func Post(url string, values url.Values) ([]byte, error) {
 r, err := GetGlobalHttpClient().PostForm(url, values)
 if err != nil {
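Review bot: In the `@@ -18,10 +19,24 @@` hunk of http_global_client_util.go, `loadJwtConfig` and the three package-level variables are undocumented, and the `sync.Once` caching means the read key is fixed at the first chunk fetch: if the security configuration has not been loaded by then, or the key is rotated later, reads silently continue without a token or with the old key. I would add `// loadJwtConfig caches jwt.signing.read.* once per process; the security config must be loaded before the first chunk read.` and emit one startup log line saying whether read signing is enabled, never the key itself. A missing `jwt.signing.read.expires_after_seconds` is passed through as 0; if `GenJwtForVolumeServer` treats that as no expiry (not visible here), read tokens would be long-lived, so a default or a warning is worth considering. `retriedStreamFetchChunkData`, visible as context in filechunk_manifest.go, takes the `jwt` from its caller, so this path now mints tokens in a second place that has to stay consistent with it.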
@@ -452,7 +467,17 @@ func (r *CountingReader) Read(p []byte) (n int, err error) {
 return n, err
 }

-func RetriedFetchChunkData(ctx context.Context, buffer []byte, urlStrings []string, cipherKey []byte, isGzipped bool, isFullChunk bool, offset int64) (n int, err error) {
+func RetriedFetchChunkData(ctx context.Context, buffer []byte, urlStrings []string, cipherKey []byte, isGzipped bool, isFullChunk bool, offset int64, fileId string) (n int, err error) {
+
+ loadJwtConfigOnce.Do(loadJwtConfig)
+ var jwt security.EncodedJwt
+ if len(jwtSigningReadKey) > 0 {
+ jwt = security.GenJwtForVolumeServer(
+ jwtSigningReadKey,
+ jwtSigningReadKeyExpires,
+ fileId,
+ )
+ }

 var shouldRetry bool

@@ -462,7 +487,7 @@ func RetriedFetchChunkData(ctx context.Context, buffer []byte, urlStrings []stri
 if strings.Contains(urlString, "%") {
 urlString = url.PathEscape(urlString)
 }
- shouldRetry, err = ReadUrlAsStream(ctx, urlString+"?readDeleted=true", cipherKey, isGzipped, isFullChunk, offset, len(buffer), func(data []byte) {
+ shouldRetry, err = ReadUrlAsStreamAuthenticated(ctx, urlString+"?readDeleted=true", string(jwt), cipherKey, isGzipped, isFullChunk, offset, len(buffer), func(data []byte) {
 if n < len(buffer) {
 x := copy(buffer[n:], data)
 n += x
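Review bot: The read token in `RetriedFetchChunkData` is minted once at the top of the function, before the retry loop that continues outside these hunks, so with a short `jwt.signing.read.expires_after_seconds` a later attempt could present an expired token and fail for a reason unrelated to the volume server; this is inferred, since the loop's wait times are not visible here. Calling `security.GenJwtForVolumeServer(...)` per attempt, next to the `ReadUrlAsStreamAuthenticated` call in the `@@ -462,7 +487,7 @@` hunk, would avoid that. The new `fileId` parameter is used unchecked, so a caller passing an empty string with a key configured would sign a token bound to no file; a guard such as `if fileId == "" && len(jwtSigningReadKey) > 0 { return 0, errors.New("empty fileId for signed read") }` makes that failure explicit. The blank line directly after the signature can be dropped, and a doc comment on this exported function should state that `fileId` is what the read token is bound to.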