EliChin/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity
frostfs-s3-gw/api/auth/center.go

144 lines
3.9 KiB
Go
Raw Normal View History

Introduce a auth center + secure enclave in a separate package
2020-07-15 13:48:25 +00:00
package auth
import (
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
"bytes"
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
"context"
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
"crypto/sha256"
"encoding/hex"
[#19] Bug with AccessKey Closes #19. Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-19 13:28:17 +00:00
"fmt"
Remove enclove as a separate entity; move auth center to app settings
2020-07-15 20:16:27 +00:00
"io/ioutil"
Add early support of auth middleware
2020-07-16 15:33:47 +00:00
"net/http"
"regexp"
Enable auth validation for signed requests
2020-07-20 23:43:40 +00:00
"strings"
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
"time"
Introduce a auth center + secure enclave in a separate package
2020-07-15 13:48:25 +00:00
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
"github.com/aws/aws-sdk-go/aws/credentials"
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
sdk "github.com/nspcc-dev/cdn-neofs-sdk"
Refactoring api/auth package Migrate to cred/bearer instead of CredentialsClient Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 16:31:57 +00:00
"github.com/nspcc-dev/cdn-neofs-sdk/creds/bearer"
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
"github.com/nspcc-dev/cdn-neofs-sdk/creds/hcs"
"github.com/nspcc-dev/neofs-api-go/pkg/object"
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
"github.com/nspcc-dev/neofs-api-go/pkg/token"
Introduce a auth center + secure enclave in a separate package
2020-07-15 13:48:25 +00:00
"github.com/pkg/errors"
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
"go.uber.org/zap"
Introduce a auth center + secure enclave in a separate package
2020-07-15 13:48:25 +00:00
)
[#19] Bug with AccessKey Closes #19. Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-19 13:28:17 +00:00
var authorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<access_key_id_cid>[^/]+)/(?P<access_key_id_oid>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)
Add early support of auth middleware
2020-07-16 15:33:47 +00:00
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
type (
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
Center interface {
Authenticate(request *http.Request) (*token.BearerToken, error)
}
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
center struct {
reg *regexpSubmatcher
Refactoring api/auth package Migrate to cred/bearer instead of CredentialsClient Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 16:31:57 +00:00
cli bearer.Credentials
Add error checking while creating auth center
2020-07-21 10:21:03 +00:00
}
Remove enclove as a separate entity; move auth center to app settings
2020-07-15 20:16:27 +00:00
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
Params struct {
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
Client sdk.Client
Logger *zap.Logger
Credential hcs.Credentials
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
}
)
// New creates an instance of AuthCenter.
Refactoring api/auth package Migrate to cred/bearer instead of CredentialsClient Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 16:31:57 +00:00
func New(obj sdk.ObjectClient, key hcs.PrivateKey) Center {
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
return &center{
Refactoring api/auth package Migrate to cred/bearer instead of CredentialsClient Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 16:31:57 +00:00
cli: bearer.New(obj, key),
[#25] Migrate auth package to NeoFS API v2 - upgrade to NeoFS API v2 - upgrade to new Authmate package closes #25 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-10-13 09:33:33 +00:00
reg: &regexpSubmatcher{re: authorizationFieldRegexp},
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
}
Introduce a auth center + secure enclave in a separate package
2020-07-15 13:48:25 +00:00
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
queryValues := r.URL.Query()
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
if queryValues.Get("X-Amz-Algorithm") == "AWS4-HMAC-SHA256" {
return nil, errors.New("pre-signed form of request is not supported")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
authHeaderField := r.Header["Authorization"]
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
if len(authHeaderField) != 1 {
return nil, errors.New("unsupported request: wrong length of Authorization header field")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
sms1 := c.reg.getSubmatches(authHeaderField[0])
[#19] Bug with AccessKey Closes #19. Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-19 13:28:17 +00:00
if len(sms1) != 7 {
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
return nil, errors.New("bad Authorization header field")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
signedHeaderFieldsNames := strings.Split(sms1["signed_header_fields"], ";")
if len(signedHeaderFieldsNames) == 0 {
return nil, errors.New("wrong format of signed headers part")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
signatureDateTime, err := time.Parse("20060102T150405Z", r.Header.Get("X-Amz-Date"))
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
if err != nil {
return nil, errors.Wrap(err, "failed to parse x-amz-date header field")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
[#19] Bug with AccessKey Closes #19. Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-19 13:28:17 +00:00
accessKeyID := fmt.Sprintf("%s/%s", sms1["access_key_id_cid"], sms1["access_key_id_oid"])
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
address := object.NewAddress()
if err = address.Parse(accessKeyID); err != nil {
return nil, errors.Wrapf(err, "could not parse AccessBox address: %s", accessKeyID)
}
Refactoring api/auth package Migrate to cred/bearer instead of CredentialsClient Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 16:31:57 +00:00
tkn, err := c.cli.Get(r.Context(), address)
Migrate to Credentials client Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 09:17:36 +00:00
if err != nil {
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
return nil, err
}
Migrate to Credentials client Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 09:17:36 +00:00
data, err := tkn.Marshal()
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
if err != nil {
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
return nil, err
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
hash := sha256.Sum256(data)
secret := hex.EncodeToString(hash[:])
otherRequest := r.Clone(context.TODO())
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
otherRequest.Header = map[string][]string{}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
for hfn, hfvs := range r.Header {
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
for _, shfn := range signedHeaderFieldsNames {
if strings.EqualFold(hfn, shfn) {
otherRequest.Header[hfn] = hfvs
Fast hot fix before rework of auth scheme
2020-07-24 14:03:02 +00:00
}
}
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret, "")
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
signer := v4.NewSigner(awsCreds)
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
body, err := readAndKeepBody(r)
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
if err != nil {
return nil, errors.Wrap(err, "failed to read out request body")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
hdr, err := signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime)
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
if err != nil {
return nil, errors.Wrap(err, "failed to sign temporary HTTP request")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
sms2 := c.reg.getSubmatches(hdr.Get("Authorization"))
[#8] Active validation of AWS V4 signature Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
2020-08-06 15:23:01 +00:00
if sms1["v4_signature"] != sms2["v4_signature"] {
return nil, errors.Wrap(err, "failed to pass authentication procedure")
}
Refactoring auth package and move into API Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 06:59:01 +00:00
Migrate to Credentials client Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
2020-11-24 09:17:36 +00:00
return tkn, nil
Add early support of auth middleware
2020-07-16 15:33:47 +00:00
}
Split code into smaller parts within the auth package
2020-07-21 09:40:46 +00:00
// TODO: Make this write into a smart buffer backed by a file on a fast drive.
Enable auth validation for signed requests
2020-07-20 23:43:40 +00:00
func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
if request.Body == nil {
Enable auth validation for signed requests
2020-07-20 23:43:40 +00:00
var r bytes.Reader
return &r, nil
}
payload, err := ioutil.ReadAll(request.Body)
if err != nil {
return nil, err
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
}
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
Enable auth validation for signed requests
2020-07-20 23:43:40 +00:00
return bytes.NewReader(payload), nil
Tune getting bearer token; prepare for passing through bearer token
2020-07-20 17:23:16 +00:00
}
Reference in a new issue Copy permalink