seaweedfs/weed/s3api/auth_credentials.go

286 lines
7.3 KiB
Go
Raw Normal View History

2020-02-10 06:30:02 +08:00
package s3api
import (
"fmt"
2020-12-07 15:16:20 +08:00
"github.com/chrislusf/seaweedfs/weed/filer"
2020-02-10 06:30:02 +08:00
"github.com/chrislusf/seaweedfs/weed/glog"
"github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
2020-12-07 16:10:29 +08:00
xhttp "github.com/chrislusf/seaweedfs/weed/s3api/http"
2021-04-28 00:45:40 +08:00
"github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
2020-12-07 16:10:29 +08:00
"github.com/chrislusf/seaweedfs/weed/s3api/s3err"
2021-04-28 00:45:40 +08:00
"io/ioutil"
"net/http"
"strings"
2020-02-10 06:30:02 +08:00
)
type Action string
type Iam interface {
Check(f http.HandlerFunc, actions ...Action) http.HandlerFunc
}
type IdentityAccessManagement struct {
identities []*Identity
2020-02-10 08:02:05 +08:00
domain string
2020-02-10 06:30:02 +08:00
}
type Identity struct {
Name string
Credentials []*Credential
Actions []Action
}
type Credential struct {
AccessKey string
SecretKey string
}
func NewIdentityAccessManagement(option *S3ApiServerOption) *IdentityAccessManagement {
2020-02-10 08:02:05 +08:00
iam := &IdentityAccessManagement{
domain: option.DomainName,
2020-02-10 08:02:05 +08:00
}
if option.Config != "" {
2020-11-26 04:30:11 +08:00
if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
glog.Fatalf("fail to load config file %s: %v", option.Config, err)
}
} else {
if err := iam.loadS3ApiConfigurationFromFiler(option); err != nil {
glog.Warningf("fail to load config: %v", err)
}
2020-02-10 06:30:02 +08:00
}
return iam
}
2020-11-26 04:30:11 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFiler(option *S3ApiServerOption) error {
2020-12-07 15:16:20 +08:00
content, err := filer.ReadContent(option.Filer, filer.IamConfigDirecotry, filer.IamIdentityFile)
if err != nil {
return fmt.Errorf("read S3 config: %v", err)
}
return iam.loadS3ApiConfigurationFromBytes(content)
2020-11-26 04:30:11 +08:00
}
2020-02-10 06:30:02 +08:00
2020-11-26 04:30:11 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromFile(fileName string) error {
content, readErr := ioutil.ReadFile(fileName)
2020-02-10 06:30:02 +08:00
if readErr != nil {
glog.Warningf("fail to read %s : %v", fileName, readErr)
return fmt.Errorf("fail to read %s : %v", fileName, readErr)
}
return iam.loadS3ApiConfigurationFromBytes(content)
}
2020-02-10 06:30:02 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfigurationFromBytes(content []byte) error {
s3ApiConfiguration := &iam_pb.S3ApiConfiguration{}
if err := filer.ParseS3ConfigurationFromBytes(content, s3ApiConfiguration); err != nil {
2020-02-10 06:30:02 +08:00
glog.Warningf("unmarshal error: %v", err)
return fmt.Errorf("unmarshal error: %v", err)
2020-02-10 06:30:02 +08:00
}
2020-11-26 04:30:11 +08:00
if err := iam.loadS3ApiConfiguration(s3ApiConfiguration); err != nil {
return err
}
return nil
}
2020-02-10 06:30:02 +08:00
2020-11-26 04:30:11 +08:00
func (iam *IdentityAccessManagement) loadS3ApiConfiguration(config *iam_pb.S3ApiConfiguration) error {
2020-12-07 16:10:29 +08:00
var identities []*Identity
2020-11-26 04:30:11 +08:00
for _, ident := range config.Identities {
2020-02-10 06:30:02 +08:00
t := &Identity{
Name: ident.Name,
Credentials: nil,
Actions: nil,
}
for _, action := range ident.Actions {
t.Actions = append(t.Actions, Action(action))
}
for _, cred := range ident.Credentials {
t.Credentials = append(t.Credentials, &Credential{
AccessKey: cred.AccessKey,
SecretKey: cred.SecretKey,
})
}
2020-12-07 16:10:29 +08:00
identities = append(identities, t)
2020-02-10 06:30:02 +08:00
}
2020-12-07 16:10:29 +08:00
// atomically switch
iam.identities = identities
2020-02-10 06:30:02 +08:00
return nil
}
2020-07-12 00:11:15 +08:00
func (iam *IdentityAccessManagement) isEnabled() bool {
return len(iam.identities) > 0
}
2020-02-10 06:30:02 +08:00
func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
2020-07-12 00:11:15 +08:00
2020-02-10 06:30:02 +08:00
for _, ident := range iam.identities {
for _, cred := range ident.Credentials {
if cred.AccessKey == accessKey {
return ident, cred, true
}
}
}
return nil, nil, false
}
func (iam *IdentityAccessManagement) lookupAnonymous() (identity *Identity, found bool) {
for _, ident := range iam.identities {
if ident.Name == "anonymous" {
return ident, true
}
}
return nil, false
}
2020-02-23 13:34:18 +08:00
func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
2020-02-10 06:30:02 +08:00
2020-07-25 17:14:49 +08:00
if !iam.isEnabled() {
2020-02-10 06:30:02 +08:00
return f
}
return func(w http.ResponseWriter, r *http.Request) {
2020-11-11 16:20:59 +08:00
identity, errCode := iam.authRequest(r, action)
2020-09-20 05:09:58 +08:00
if errCode == s3err.ErrNone {
2020-11-11 16:20:59 +08:00
if identity != nil && identity.Name != "" {
r.Header.Set(xhttp.AmzIdentityId, identity.Name)
2020-11-13 05:57:54 +08:00
if identity.isAdmin() {
r.Header.Set(xhttp.AmzIsAdmin, "true")
}
2020-11-11 16:20:59 +08:00
}
2020-02-10 06:30:02 +08:00
f(w, r)
return
}
writeErrorResponse(w, errCode, r.URL)
}
}
// check whether the request has valid access keys
2020-11-11 16:20:59 +08:00
func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) (*Identity, s3err.ErrorCode) {
var identity *Identity
var s3Err s3err.ErrorCode
var found bool
switch getRequestAuthType(r) {
case authTypeStreamingSigned:
return identity, s3err.ErrNone
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
return identity, s3err.ErrAccessDenied
case authTypePresignedV2, authTypeSignedV2:
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
case authTypeSigned, authTypePresigned:
glog.V(3).Infof("v4 auth type")
identity, s3Err = iam.reqSignatureV4Verify(r)
case authTypePostPolicy:
glog.V(3).Infof("post policy auth type")
return identity, s3err.ErrNone
case authTypeJWT:
glog.V(3).Infof("jwt auth type")
return identity, s3err.ErrNotImplemented
case authTypeAnonymous:
identity, found = iam.lookupAnonymous()
if !found {
return identity, s3err.ErrAccessDenied
}
default:
return identity, s3err.ErrNotImplemented
}
2020-12-25 16:38:56 +08:00
if s3Err != s3err.ErrNone {
return identity, s3Err
}
glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
bucket, _ := getBucketAndObject(r)
if !identity.canDo(action, bucket) {
return identity, s3err.ErrAccessDenied
}
return identity, s3err.ErrNone
}
func (iam *IdentityAccessManagement) authUser(r *http.Request) (*Identity, s3err.ErrorCode) {
2020-02-10 06:30:02 +08:00
var identity *Identity
2020-09-20 05:09:58 +08:00
var s3Err s3err.ErrorCode
var found bool
2020-02-10 06:30:02 +08:00
switch getRequestAuthType(r) {
2020-02-10 08:02:05 +08:00
case authTypeStreamingSigned:
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
2020-02-10 08:02:05 +08:00
case authTypeUnknown:
glog.V(3).Infof("unknown auth type")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrAccessDenied
2020-02-10 06:30:02 +08:00
case authTypePresignedV2, authTypeSignedV2:
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("v2 auth type")
identity, s3Err = iam.isReqAuthenticatedV2(r)
2020-02-10 06:30:02 +08:00
case authTypeSigned, authTypePresigned:
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("v4 auth type")
2020-02-10 06:30:02 +08:00
identity, s3Err = iam.reqSignatureV4Verify(r)
case authTypePostPolicy:
2020-02-23 06:01:04 +08:00
glog.V(3).Infof("post policy auth type")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
case authTypeJWT:
2020-02-23 06:01:04 +08:00
glog.V(3).Infof("jwt auth type")
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNotImplemented
case authTypeAnonymous:
identity, found = iam.lookupAnonymous()
if !found {
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrAccessDenied
}
2020-02-23 06:01:04 +08:00
default:
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNotImplemented
2020-02-10 06:30:02 +08:00
}
2020-02-10 08:02:05 +08:00
glog.V(3).Infof("auth error: %v", s3Err)
2020-09-20 05:09:58 +08:00
if s3Err != s3err.ErrNone {
2020-11-11 16:20:59 +08:00
return identity, s3Err
2020-02-10 08:02:05 +08:00
}
2020-11-11 16:20:59 +08:00
return identity, s3err.ErrNone
2020-02-10 06:30:02 +08:00
}
2020-02-23 13:34:18 +08:00
func (identity *Identity) canDo(action Action, bucket string) bool {
2020-11-13 05:57:54 +08:00
if identity.isAdmin() {
return true
2020-02-23 13:34:18 +08:00
}
for _, a := range identity.Actions {
if a == action {
return true
}
}
if bucket == "" {
return false
}
limitedByBucket := string(action) + ":" + bucket
2020-12-25 16:38:56 +08:00
adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
2020-02-23 13:34:18 +08:00
for _, a := range identity.Actions {
2021-04-28 00:45:40 +08:00
act := string(a)
if strings.HasSuffix(act, "*") {
if strings.HasPrefix(limitedByBucket, act[:len(act)-1]) {
return true
}
if strings.HasPrefix(adminLimitedByBucket, act[:len(act)-1]) {
return true
}
} else {
if act == limitedByBucket {
return true
}
if act == adminLimitedByBucket {
return true
}
2020-12-25 16:38:56 +08:00
}
2020-02-10 06:30:02 +08:00
}
return false
}
2020-11-13 05:57:54 +08:00
func (identity *Identity) isAdmin() bool {
for _, a := range identity.Actions {
if a == "Admin" {
return true
}
}
return false
}