forked from TrueCloudLab/frostfs-s3-gw
126 lines
3.5 KiB
Go
126 lines
3.5 KiB
Go
package playback
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/detector"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/playback/utils"
|
|
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
|
|
"github.com/aws/aws-sdk-go-v2/credentials"
|
|
)
|
|
|
|
var (
|
|
// authorizationFieldRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
|
|
authorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)
|
|
ErrNoMatches = errors.New("no matches found")
|
|
)
|
|
|
|
type (
|
|
httpBody []byte
|
|
LoggedRequest struct {
|
|
From string `json:"from"`
|
|
URI string `json:"URI"`
|
|
Method string `json:"method"`
|
|
Payload httpBody `json:"payload,omitempty"`
|
|
Response httpBody `json:"response,omitempty"`
|
|
Query url.Values `json:"query"`
|
|
Header http.Header `json:"headers"`
|
|
}
|
|
Credentials struct {
|
|
AccessKey string
|
|
SecretKey string
|
|
}
|
|
contextKey struct{}
|
|
multipartKey struct{}
|
|
)
|
|
|
|
func (h *httpBody) UnmarshalJSON(data []byte) error {
|
|
unquoted, err := strconv.Unquote(string(data))
|
|
if err != nil {
|
|
return fmt.Errorf("failed to unquote data: %w", err)
|
|
}
|
|
detect := detector.NewDetector(strings.NewReader(unquoted), utils.DetectXML)
|
|
dataType, err := detect.Detect()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to detect data: %w", err)
|
|
}
|
|
reader := utils.ChooseReader(dataType, detect.RestoredReader())
|
|
*h, err = io.ReadAll(reader)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to unmarshal httpbody: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func SetCredentials(ctx context.Context, accessKey, secretKey string) context.Context {
|
|
return context.WithValue(ctx, contextKey{},
|
|
Credentials{
|
|
AccessKey: accessKey, SecretKey: secretKey,
|
|
},
|
|
)
|
|
}
|
|
|
|
func GetCredentials(ctx context.Context) (Credentials, error) {
|
|
val, ok := ctx.Value(contextKey{}).(Credentials)
|
|
if !ok {
|
|
return val, errors.New("credentials not set")
|
|
}
|
|
|
|
return val, nil
|
|
}
|
|
|
|
// Sign replace Authorization header with new Access key id and Signature values.
|
|
func Sign(ctx context.Context, r *http.Request) error {
|
|
creds, err := GetCredentials(ctx)
|
|
if err != nil {
|
|
return errors.New("failed to get credentials")
|
|
}
|
|
credProvider, err := credentials.NewStaticCredentialsProvider(creds.AccessKey,
|
|
creds.SecretKey, "").Retrieve(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
authInfo, err := parseAuthHeader(r.Header.Get(auth.AuthorizationHdr))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
r.Header[auth.AuthorizationHdr][0] = strings.Replace(r.Header[auth.AuthorizationHdr][0],
|
|
authInfo["access_key_id"], creds.AccessKey, 1)
|
|
|
|
signer := v4.NewSigner()
|
|
signatureDateTimeStr := r.Header.Get(api.AmzDate)
|
|
signatureDateTime, err := time.Parse("20060102T150405Z", signatureDateTimeStr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = signer.SignHTTP(ctx, credProvider, r, r.Header.Get(api.AmzContentSha256),
|
|
authInfo["service"], authInfo["region"], signatureDateTime)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func parseAuthHeader(authHeader string) (map[string]string, error) {
|
|
authInfo := auth.NewRegexpMatcher(authorizationFieldRegexp).GetSubmatches(authHeader)
|
|
if len(authInfo) == 0 {
|
|
return nil, ErrNoMatches
|
|
}
|
|
|
|
return authInfo, nil
|
|
}
|