|
@ -3,11 +3,10 @@ package security |
|
|
import ( |
|
|
import ( |
|
|
"errors" |
|
|
"errors" |
|
|
"fmt" |
|
|
"fmt" |
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog" |
|
|
"net" |
|
|
"net" |
|
|
"net/http" |
|
|
"net/http" |
|
|
"strings" |
|
|
"strings" |
|
|
|
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog" |
|
|
|
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
var ( |
|
|
var ( |
|
@ -40,24 +39,25 @@ Referenced: |
|
|
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
|
|
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
|
|
*/ |
|
|
*/ |
|
|
type Guard struct { |
|
|
type Guard struct { |
|
|
whiteList []string |
|
|
|
|
|
|
|
|
whiteListIp map[string]struct{} |
|
|
|
|
|
whiteListCIDR map[string]*net.IPNet |
|
|
SigningKey SigningKey |
|
|
SigningKey SigningKey |
|
|
ExpiresAfterSec int |
|
|
ExpiresAfterSec int |
|
|
ReadSigningKey SigningKey |
|
|
ReadSigningKey SigningKey |
|
|
ReadExpiresAfterSec int |
|
|
ReadExpiresAfterSec int |
|
|
|
|
|
|
|
|
isWriteActive bool |
|
|
isWriteActive bool |
|
|
|
|
|
isEmptyWhiteList bool |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard { |
|
|
func NewGuard(whiteList []string, signingKey string, expiresAfterSec int, readSigningKey string, readExpiresAfterSec int) *Guard { |
|
|
g := &Guard{ |
|
|
g := &Guard{ |
|
|
whiteList: whiteList, |
|
|
|
|
|
SigningKey: SigningKey(signingKey), |
|
|
SigningKey: SigningKey(signingKey), |
|
|
ExpiresAfterSec: expiresAfterSec, |
|
|
ExpiresAfterSec: expiresAfterSec, |
|
|
ReadSigningKey: SigningKey(readSigningKey), |
|
|
ReadSigningKey: SigningKey(readSigningKey), |
|
|
ReadExpiresAfterSec: readExpiresAfterSec, |
|
|
ReadExpiresAfterSec: readExpiresAfterSec, |
|
|
} |
|
|
} |
|
|
g.isWriteActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0 |
|
|
|
|
|
|
|
|
g.UpdateWhiteList(whiteList) |
|
|
return g |
|
|
return g |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
@ -90,37 +90,48 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) { |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { |
|
|
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { |
|
|
if len(g.whiteList) == 0 { |
|
|
|
|
|
|
|
|
if g.isEmptyWhiteList { |
|
|
return nil |
|
|
return nil |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
host, err := GetActualRemoteHost(r) |
|
|
host, err := GetActualRemoteHost(r) |
|
|
if err == nil { |
|
|
|
|
|
for _, ip := range g.whiteList { |
|
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
return fmt.Errorf("get actual remote host %s in checkWhiteList failed: %v", r.RemoteAddr, err) |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if _, ok := g.whiteListIp[host]; ok { |
|
|
|
|
|
return nil |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
for _, cidrnet := range g.whiteListCIDR { |
|
|
// If the whitelist entry contains a "/" it
|
|
|
// If the whitelist entry contains a "/" it
|
|
|
// is a CIDR range, and we should check the
|
|
|
// is a CIDR range, and we should check the
|
|
|
// remote host is within it
|
|
|
|
|
|
if strings.Contains(ip, "/") { |
|
|
|
|
|
_, cidrnet, err := net.ParseCIDR(ip) |
|
|
|
|
|
if err != nil { |
|
|
|
|
|
panic(err) |
|
|
|
|
|
} |
|
|
|
|
|
remote := net.ParseIP(host) |
|
|
remote := net.ParseIP(host) |
|
|
if cidrnet.Contains(remote) { |
|
|
if cidrnet.Contains(remote) { |
|
|
return nil |
|
|
return nil |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
// Otherwise we're looking for a literal match.
|
|
|
|
|
|
//
|
|
|
|
|
|
if ip == host { |
|
|
|
|
|
return nil |
|
|
|
|
|
|
|
|
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr) |
|
|
|
|
|
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr) |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
func (g *Guard) UpdateWhiteList(whiteList []string) { |
|
|
|
|
|
whiteListIp := make(map[string]struct{}) |
|
|
|
|
|
whiteListCIDR := make(map[string]*net.IPNet) |
|
|
|
|
|
for _, ip := range whiteList { |
|
|
|
|
|
if strings.Contains(ip, "/") { |
|
|
|
|
|
_, cidrnet, err := net.ParseCIDR(ip) |
|
|
|
|
|
if err != nil { |
|
|
|
|
|
glog.Errorf("Parse CIDR %s in whitelist failed: %v", ip, err) |
|
|
} |
|
|
} |
|
|
|
|
|
whiteListCIDR[ip] = cidrnet |
|
|
|
|
|
} else { |
|
|
|
|
|
whiteListIp[ip] = struct{}{} |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
glog.V(0).Infof("Not in whitelist: %s", r.RemoteAddr) |
|
|
|
|
|
return fmt.Errorf("Not in whitelist: %s", r.RemoteAddr) |
|
|
|
|
|
|
|
|
g.isEmptyWhiteList = len(whiteListIp) == 0 && len(whiteListCIDR) == 0 |
|
|
|
|
|
g.isWriteActive = !g.isEmptyWhiteList || len(g.SigningKey) != 0 |
|
|
|
|
|
g.whiteListIp = whiteListIp |
|
|
|
|
|
g.whiteListCIDR = whiteListCIDR |
|
|
} |
|
|
} |