Move user auth procedure to S3 API router; activate overall setting bearer tokens in neofs objects

This commit is contained in:
Pavel Korotkov 2020-07-22 22:48:34 +03:00
parent 9662fb0019
commit 916a216da5
5 changed files with 27 additions and 17 deletions


@ -199,13 +199,12 @@ func (a *App) Server(ctx context.Context) {
router := newS3Router()
// Attach app-specific routes:
attachNewUserAuth(router, a.center, a.log)
attachHealthy(router, a.cli)
attachMetrics(router, a.cfg, a.log)
attachProfiler(router, a.cfg, a.log)
// Attach S3 API:
api.Attach(router, a.maxClients, a.api)
api.Attach(router, a.maxClients, a.api, a.center, a.log)
// Use mux.Router as http.Handler
srv.Handler = router
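Review bot: With attachNewUserAuth dropped from the top-level router and the auth middleware now installed inside api.Attach, the healthy, metrics and profiler routes attached just above are explicitly outside authentication, and nothing in the hunk says whether that is intended. A short comment on the `// Attach app-specific routes:` line would make the decision visible to the next reader, e.g. `// Attach app-specific routes (not covered by S3 user auth; see api.Attach):`. The profiler in particular is worth a deliberate yes/no here, since it is now reachable without the bearer-token check. Server starts before this hunk, so I cannot see how srv is otherwise restricted.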


@ -4,7 +4,9 @@ import (
"net/http"
"github.com/gorilla/mux"
"github.com/minio/minio/auth"
"github.com/minio/minio/neofs/metrics"
"go.uber.org/zap"
)
type (
@ -89,8 +91,10 @@ const (
mimeXML mimeType = "application/xml"
)
func Attach(r *mux.Router, m MaxClients, h Handler) {
func Attach(r *mux.Router, m MaxClients, h Handler, center *auth.Center, log *zap.Logger) {
api := r.PathPrefix(SlashSeparator).Subrouter()
// Attach user authentication for all S3 routes.
AttachUserAuth(api, center, log)
bucket := api.PathPrefix("/{bucket}").Subrouter()
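Review bot: The exported Attach has no doc comment, and its new center and log parameters are dereferenced unconditionally by the middleware it installs, so a nil center would only surface as a panic on the first request. Suggest documenting the contract above the signature: `// Attach registers the S3 API routes on r under SlashSeparator and wraps them with user authentication backed by center; center and log must be non-nil.` It may also be worth a one-line comment that router.Use on a subrouter only runs for requests that match one of its routes, so unmatched paths under the prefix get a 404 without passing through the auth middleware. Attach continues past the end of this hunk.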


@ -1,4 +1,4 @@
package main
package api
import (
"net/http"
@ -8,19 +8,17 @@ import (
"go.uber.org/zap"
)
func attachNewUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
func AttachUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
uamw := func(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
bearerToken, err := center.AuthenticationPassed(r)
if err != nil {
log.Error("failed to pass authentication", zap.Error(err))
// TODO: Handle any auth error by rejecting request.
WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)
}
h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken)))
})
}
// TODO: should not be used for all routes,
// only for API
router.Use(uamw)
}
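Review bot: After WriteErrorResponse on the auth-failure path there is no return, so h.ServeHTTP still runs for a request that failed authentication, with the zero-value bearerToken stored in the context, and the handler writes a second response on top of the error already sent. The TODO above it describes exactly this, but the fix is a single line: `WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)` followed by `return`. Every SetBearer(auth.GetBearerToken(ctx)) call added in the neofs object files relies on this middleware having rejected unauthenticated requests, so the gap is worth closing in this commit rather than later. The `// TODO: should not be used for all routes, only for API` comment is now stale, since the function is only called from api.Attach on the API subrouter, and can be dropped.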


@ -15,8 +15,8 @@ import (
func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
req := new(container.ListRequest)
req.OwnerID = n.owner
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
err := service.SignRequestData(n.key, req)


@ -7,6 +7,7 @@ import (
"io"
"time"
auth "github.com/minio/minio/auth"
"github.com/nspcc-dev/neofs-api-go/object"
"github.com/nspcc-dev/neofs-api-go/query"
"github.com/nspcc-dev/neofs-api-go/refs"
@ -69,8 +70,9 @@ func (n *neofsObject) objectSearchContainer(ctx context.Context, cid refs.CID) (
req.Query = queryBinary
req.QueryVersion = 1
req.ContainerID = cid
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -153,8 +155,9 @@ func (n *neofsObject) objectFindID(ctx context.Context, cid refs.CID, name strin
req.Query = queryBinary
req.QueryVersion = 1
req.ContainerID = cid
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -229,8 +232,9 @@ func (n *neofsObject) objectHead(ctx context.Context, addr refs.Address) (*objec
req := new(object.HeadRequest)
req.Address = addr
req.FullHeaders = true
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -271,8 +275,9 @@ func (n *neofsObject) objectGet(ctx context.Context, p getParams) (*object.Objec
// object.GetRange() response message become gRPC stream.
req := new(object.GetRequest)
req.Address = p.addr
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -391,8 +396,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
}
req := object.MakePutRequestHeader(obj)
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -419,8 +425,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
if read > 0 {
req := object.MakePutRequestChunk(readBuffer[:read])
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
err = service.SignRequestData(n.key, req)
if err != nil {
@ -493,8 +500,9 @@ func (n *neofsObject) storageGroupPut(ctx context.Context, p sgParams) (*object.
sg.SetStorageGroup(new(storagegroup.StorageGroup))
req := object.MakePutRequestHeader(sg)
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
@ -529,8 +537,9 @@ func (n *neofsObject) objectDelete(ctx context.Context, p delParams) error {
req := new(object.DeleteRequest)
req.Address = p.addr
req.OwnerID = n.owner
req.SetTTL(service.SingleForwardingTTL)
req.SetVersion(APIVersion)
req.SetTTL(service.SingleForwardingTTL)
req.SetBearer(auth.GetBearerToken(ctx))
req.SetToken(token)
err = service.SignRequestData(n.key, req)
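Review bot: The new import `auth "github.com/minio/minio/auth"` carries an alias identical to the package name; plain `"github.com/minio/minio/auth"` reads cleaner and is what goimports would emit. Stylistically, the `req.SetVersion(APIVersion)` / `req.SetTTL(...)` / `req.SetBearer(auth.GetBearerToken(ctx))` triplet is now repeated in all eight hunks of this file (objectSearchContainer, objectFindID, objectHead, objectGet, both objectPut sites, storageGroupPut, objectDelete) plus containerList in the previous file; if these request types share those setters, a small helper on neofsObject that applies version, TTL and bearer from ctx would keep the token wiring in one place and make a future change to it a one-line edit. Each enclosing function starts before its hunk, so I have not checked whether any caller reaches these sites with a context that carries no bearer token.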