forked from TrueCloudLab/frostfs-s3-gw
Refactoring auth.Center
Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
This commit is contained in:
parent
697d318a6b
commit
58b877b97c
1 changed files with 44 additions and 22 deletions
|
@ -1,12 +1,11 @@
|
|||
package auth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"io"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
@ -40,8 +39,20 @@ type (
|
|||
Logger *zap.Logger
|
||||
Credential hcs.Credentials
|
||||
}
|
||||
|
||||
prs int
|
||||
)
|
||||
|
||||
func (p prs) Read(_ []byte) (n int, err error) {
|
||||
panic("implement me")
|
||||
}
|
||||
|
||||
func (p prs) Seek(_ int64, _ int) (int64, error) {
|
||||
panic("implement me")
|
||||
}
|
||||
|
||||
var _ io.ReadSeeker = prs(0)
|
||||
|
||||
// New creates an instance of AuthCenter.
|
||||
func New(obj sdk.ObjectClient, key hcs.PrivateKey) Center {
|
||||
return ¢er{
|
||||
|
@ -61,6 +72,11 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
|
|||
return nil, errors.New("unsupported request: wrong length of Authorization header field")
|
||||
}
|
||||
|
||||
// { // to debug request
|
||||
// data, _ := httputil.DumpRequest(r, false)
|
||||
// fmt.Println(string(data))
|
||||
// }
|
||||
|
||||
sms1 := c.reg.getSubmatches(authHeaderField[0])
|
||||
if len(sms1) != 7 {
|
||||
return nil, errors.New("bad Authorization header field")
|
||||
|
@ -110,34 +126,40 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
|
|||
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret, "")
|
||||
signer := v4.NewSigner(awsCreds)
|
||||
|
||||
body, err := readAndKeepBody(r)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to read out request body")
|
||||
}
|
||||
// body, err := readAndKeepBody(r)
|
||||
// if err != nil {
|
||||
// return nil, errors.Wrap(err, "failed to read out request body")
|
||||
// }
|
||||
//
|
||||
// _ = body
|
||||
|
||||
hdr, err := signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime)
|
||||
if err != nil {
|
||||
// body not required
|
||||
if _, err := signer.Sign(otherRequest, nil, sms1["service"], sms1["region"], signatureDateTime); err != nil {
|
||||
return nil, errors.Wrap(err, "failed to sign temporary HTTP request")
|
||||
}
|
||||
|
||||
sms2 := c.reg.getSubmatches(hdr.Get("Authorization"))
|
||||
sms2 := c.reg.getSubmatches(otherRequest.Header.Get("Authorization"))
|
||||
if sms1["v4_signature"] != sms2["v4_signature"] {
|
||||
return nil, errors.Wrap(err, "failed to pass authentication procedure")
|
||||
return nil, errors.New("failed to pass authentication procedure")
|
||||
}
|
||||
|
||||
return tkn, nil
|
||||
}
|
||||
|
||||
// for debug reasons
|
||||
func panicSeeker() io.ReadSeeker { return prs(0) }
|
||||
|
||||
// TODO: Make this write into a smart buffer backed by a file on a fast drive.
|
||||
func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
||||
if request.Body == nil {
|
||||
var r bytes.Reader
|
||||
return &r, nil
|
||||
}
|
||||
payload, err := ioutil.ReadAll(request.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||
return bytes.NewReader(payload), nil
|
||||
}
|
||||
// func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
||||
// if request.Body == nil {
|
||||
// return new(bytes.Reader), nil
|
||||
// }
|
||||
//
|
||||
// payload, err := ioutil.ReadAll(request.Body)
|
||||
// if err != nil {
|
||||
// return nil, err
|
||||
// }
|
||||
//
|
||||
// request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||
// return bytes.NewReader(payload), nil
|
||||
// }
|
||||
|
|
Loading…
Reference in a new issue