diff --git a/cmd/gate/app.go b/cmd/gate/app.go index 263e336f2..bf519d990 100644 --- a/cmd/gate/app.go +++ b/cmd/gate/app.go @@ -199,13 +199,12 @@ func (a *App) Server(ctx context.Context) { router := newS3Router() // Attach app-specific routes: - attachNewUserAuth(router, a.center, a.log) attachHealthy(router, a.cli) attachMetrics(router, a.cfg, a.log) attachProfiler(router, a.cfg, a.log) // Attach S3 API: - api.Attach(router, a.maxClients, a.api) + api.Attach(router, a.maxClients, a.api, a.center, a.log) // Use mux.Router as http.Handler srv.Handler = router diff --git a/neofs/api/router.go b/neofs/api/router.go index 35d143104..83a6db91a 100644 --- a/neofs/api/router.go +++ b/neofs/api/router.go @@ -4,7 +4,9 @@ import ( "net/http" "github.com/gorilla/mux" + "github.com/minio/minio/auth" "github.com/minio/minio/neofs/metrics" + "go.uber.org/zap" ) type ( @@ -89,8 +91,10 @@ const ( mimeXML mimeType = "application/xml" ) -func Attach(r *mux.Router, m MaxClients, h Handler) { +func Attach(r *mux.Router, m MaxClients, h Handler, center *auth.Center, log *zap.Logger) { api := r.PathPrefix(SlashSeparator).Subrouter() + // Attach user authentication for all S3 routes. + AttachUserAuth(api, center, log) bucket := api.PathPrefix("/{bucket}").Subrouter() diff --git a/cmd/gate/app-new-auth.go b/neofs/api/user-auth.go similarity index 68% rename from cmd/gate/app-new-auth.go rename to neofs/api/user-auth.go index f2f1e4e7c..3b3c43146 100644 --- a/cmd/gate/app-new-auth.go +++ b/neofs/api/user-auth.go @@ -1,4 +1,4 @@ -package main +package api import ( "net/http" @@ -8,19 +8,17 @@ import ( "go.uber.org/zap" ) -func attachNewUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) { +func AttachUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) { uamw := func(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { bearerToken, err := center.AuthenticationPassed(r) if err != nil { log.Error("failed to pass authentication", zap.Error(err)) - // TODO: Handle any auth error by rejecting request. + WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL) } h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken))) }) } - // TODO: should not be used for all routes, - // only for API router.Use(uamw) } diff --git a/neofs/layer/neofs-container.go b/neofs/layer/neofs-container.go index 6d385481f..845634e4c 100644 --- a/neofs/layer/neofs-container.go +++ b/neofs/layer/neofs-container.go @@ -15,8 +15,8 @@ import ( func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) { req := new(container.ListRequest) req.OwnerID = n.owner - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) req.SetBearer(auth.GetBearerToken(ctx)) err := service.SignRequestData(n.key, req) diff --git a/neofs/layer/neofs-object.go b/neofs/layer/neofs-object.go index f58561608..69d87ae49 100644 --- a/neofs/layer/neofs-object.go +++ b/neofs/layer/neofs-object.go @@ -7,6 +7,7 @@ import ( "io" "time" + auth "github.com/minio/minio/auth" "github.com/nspcc-dev/neofs-api-go/object" "github.com/nspcc-dev/neofs-api-go/query" "github.com/nspcc-dev/neofs-api-go/refs" @@ -69,8 +70,9 @@ func (n *neofsObject) objectSearchContainer(ctx context.Context, cid refs.CID) ( req.Query = queryBinary req.QueryVersion = 1 req.ContainerID = cid - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -153,8 +155,9 @@ func (n *neofsObject) objectFindID(ctx context.Context, cid refs.CID, name strin req.Query = queryBinary req.QueryVersion = 1 req.ContainerID = cid - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -229,8 +232,9 @@ func (n *neofsObject) objectHead(ctx context.Context, addr refs.Address) (*objec req := new(object.HeadRequest) req.Address = addr req.FullHeaders = true - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -271,8 +275,9 @@ func (n *neofsObject) objectGet(ctx context.Context, p getParams) (*object.Objec // object.GetRange() response message become gRPC stream. req := new(object.GetRequest) req.Address = p.addr - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -391,8 +396,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec } req := object.MakePutRequestHeader(obj) - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -419,8 +425,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec if read > 0 { req := object.MakePutRequestChunk(readBuffer[:read]) - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) err = service.SignRequestData(n.key, req) if err != nil { @@ -493,8 +500,9 @@ func (n *neofsObject) storageGroupPut(ctx context.Context, p sgParams) (*object. sg.SetStorageGroup(new(storagegroup.StorageGroup)) req := object.MakePutRequestHeader(sg) - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req) @@ -529,8 +537,9 @@ func (n *neofsObject) objectDelete(ctx context.Context, p delParams) error { req := new(object.DeleteRequest) req.Address = p.addr req.OwnerID = n.owner - req.SetTTL(service.SingleForwardingTTL) req.SetVersion(APIVersion) + req.SetTTL(service.SingleForwardingTTL) + req.SetBearer(auth.GetBearerToken(ctx)) req.SetToken(token) err = service.SignRequestData(n.key, req)