EliChin/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#674] Add AccessKeyID filter

Browse source 
Signed-off-by: Angira Kekteeva <kira@nspcc.ru>
This commit is contained in:
Angira Kekteeva 2022-09-01 02:43:36 +04:00 committed by Alex Vanin
parent e02e85461d
commit 3e4fc52428
3 changed files with 31 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
api/auth/center.go
View file

@ -40,6 +40,7 @@ type (
reg *RegexpSubmatcher reg *RegexpSubmatcher
postReg *RegexpSubmatcher postReg *RegexpSubmatcher
cli tokens.Credentials cli tokens.Credentials
allowedAccessKeyIDPrefixes []string // empty slice means all access key ids are allowed
} }
prs int prs int
@ -85,11 +86,12 @@ func (p prs) Seek(_ int64, _ int) (int64, error) {
var _ io.ReadSeeker = prs(0) var _ io.ReadSeeker = prs(0)
// New creates an instance of AuthCenter. // New creates an instance of AuthCenter.
func New(neoFS tokens.NeoFS, key *keys.PrivateKey, config *cache.Config) Center { func New(neoFS tokens.NeoFS, key *keys.PrivateKey, prefixes []string, config *cache.Config) Center {
return &center{ return &center{
cli: tokens.New(neoFS, key, config), cli: tokens.New(neoFS, key, config),
reg: NewRegexpMatcher(authorizationFieldRegexp), reg: NewRegexpMatcher(authorizationFieldRegexp),
postReg: NewRegexpMatcher(postPolicyCredentialRegexp), postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
allowedAccessKeyIDPrefixes: prefixes,
} }
} }
@ -171,6 +173,10 @@ func (c *center) Authenticate(r *http.Request) (*accessbox.Box, error) {
return nil, fmt.Errorf("failed to parse x-amz-date header field: %w", err) return nil, fmt.Errorf("failed to parse x-amz-date header field: %w", err)
} }
if err := c.checkAccessKeyID(authHdr.AccessKeyID); err != nil {
return nil, err
}
addr, err := authHdr.getAddress() addr, err := authHdr.getAddress()
if err != nil { if err != nil {
return nil, err return nil, err
@ -189,6 +195,20 @@ func (c *center) Authenticate(r *http.Request) (*accessbox.Box, error) {
return box, nil return box, nil
} }
func (c center) checkAccessKeyID(accessKeyID string) error {
if len(c.allowedAccessKeyIDPrefixes) == 0 {
return nil
}
for _, prefix := range c.allowedAccessKeyIDPrefixes {
if strings.HasPrefix(accessKeyID, prefix) {
return nil
}
}
return apiErrors.GetAPIError(apiErrors.ErrAccessDenied)
}
func (c *center) checkFormData(r *http.Request) (*accessbox.Box, error) { func (c *center) checkFormData(r *http.Request) (*accessbox.Box, error) {
if err := r.ParseMultipartForm(maxFormSizeMemory); err != nil { if err := r.ParseMultipartForm(maxFormSizeMemory); err != nil {
return nil, apiErrors.GetAPIError(apiErrors.ErrInvalidArgument) return nil, apiErrors.GetAPIError(apiErrors.ErrInvalidArgument)

2
cmd/s3-gw/app.go
View file

@ -188,7 +188,7 @@ func newApp(ctx context.Context, l *zap.Logger, v *viper.Viper) *App {
} }
// prepare auth center // prepare auth center
ctr = auth.New(neofs.NewAuthmateNeoFS(conns), key, getAccessBoxCacheConfig(v, l)) ctr = auth.New(neofs.NewAuthmateNeoFS(conns), key, v.GetStringSlice(cfgAllowedAccessKeyIDPrefixes), getAccessBoxCacheConfig(v, l))
handlerOptions := getHandlerOptions(v, l) handlerOptions := getHandlerOptions(v, l)
if caller, err = handler.New(l, obj, nc, handlerOptions); err != nil { if caller, err = handler.New(l, obj, nc, handlerOptions); err != nil {

3
cmd/s3-gw/app_settings.go
View file

@ -116,6 +116,9 @@ const ( // Settings.
// Number of the object copies to consider PUT to NeoFS successful. // Number of the object copies to consider PUT to NeoFS successful.
cfgSetCopiesNumber = "neofs.set_copies_number" cfgSetCopiesNumber = "neofs.set_copies_number"
// List of allowed AccessKeyID prefixes.
cfgAllowedAccessKeyIDPrefixes = "allowed_access_key_id_prefixes"
// envPrefix is an environment variables prefix used for configuration. // envPrefix is an environment variables prefix used for configuration.
envPrefix = "S3_GW" envPrefix = "S3_GW"
) )