frostfs-s3-gw/api/middleware/auth.go

package middleware

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"net/http"
	"time"

	"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
	"go.uber.org/zap"
)

type (
	// Box contains access box and additional info.
	Box struct {
		AccessBox   *accessbox.Box
		ClientTime  time.Time
		AuthHeaders *AuthHeader
		Attributes  []object.Attribute
	}

	// Center is a user authentication interface.
	Center interface {
		// Authenticate validate and authenticate request.
		// Must return ErrNoAuthorizationHeader if auth header is missed.
		Authenticate(request *http.Request) (*Box, error)
	}

	//nolint:revive
	AuthHeader struct {
		AccessKeyID string
		Region      string
		SignatureV4 string
	}
)

// ErrNoAuthorizationHeader is returned for unauthenticated requests.
var ErrNoAuthorizationHeader = errors.New("no authorization header")

func Auth(center Center, log *zap.Logger) Func {
	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			ctx := r.Context()
			reqInfo := GetReqInfo(ctx)
			reqInfo.User = "anon"
			box, err := center.Authenticate(r)
			if err != nil {
				if errors.Is(err, ErrNoAuthorizationHeader) {
					reqLogOrDefault(ctx, log).Debug(logs.CouldntReceiveAccessBoxForGateKeyRandomKeyWillBeUsed, zap.Error(err))
				} else {
					reqLogOrDefault(ctx, log).Error(logs.FailedToPassAuthentication, zap.Error(err))
					err = apierr.TransformToS3Error(err)
					if err.(apierr.Error).ErrCode == apierr.ErrInternalError {
						err = apierr.GetAPIError(apierr.ErrAccessDenied)
					}
					if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
						reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))
					}
					return
				}
			} else {
				ctx = SetBox(ctx, box)

				if box.AccessBox.Gate.BearerToken != nil {
					reqInfo.User = bearer.ResolveIssuer(*box.AccessBox.Gate.BearerToken).String()
				}
				reqLogOrDefault(ctx, log).Debug(logs.SuccessfulAuth, zap.String("accessKeyID", box.AuthHeaders.AccessKeyID))
			}

			h.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

type FrostFSIDValidator interface {
	ValidatePublicKey(key *keys.PublicKey) error
}

func FrostfsIDValidation(frostfsID FrostFSIDValidator, log *zap.Logger) Func {
	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			ctx := r.Context()
			bd, err := GetBoxData(ctx)
			if err != nil || bd.Gate.BearerToken == nil {
				reqLogOrDefault(ctx, log).Debug(logs.AnonRequestSkipFrostfsIDValidation)
				h.ServeHTTP(w, r)
				return
			}

			if err = validateBearerToken(frostfsID, bd.Gate.BearerToken); err != nil {
				reqLogOrDefault(ctx, log).Error(logs.FrostfsIDValidationFailed, zap.Error(err))
				if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
					reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))
				}
				return
			}

			h.ServeHTTP(w, r)
		})
	}
}

func validateBearerToken(frostfsID FrostFSIDValidator, bt *bearer.Token) error {
	m := new(acl.BearerToken)
	bt.WriteToV2(m)

	pk, err := keys.NewPublicKeyFromBytes(m.GetSignature().GetKey(), elliptic.P256())
	if err != nil {
		return fmt.Errorf("invalid bearer token public key: %w", err)
	}

	if err = frostfsID.ValidatePublicKey(pk); err != nil {
		return fmt.Errorf("validation data user key failed: %w", err)
	}

	return nil
}
[#149] Move middlewares to separate package Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-05 14:04:52 +00:00			`package middleware`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00
			`import (`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`"crypto/elliptic"`
[#318] auth: Add context for logged errors Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-02-21 13:16:14 +00:00			`"errors"`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`"fmt"`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`"net/http"`
[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00			`"time"`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"`
[#488] Renamed api/errors, layer/frostfs and layer/tree package names Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com> 2024-09-27 09:18:41 +00:00			`apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"`
[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"`
[#96] Move log messages to constants Signed-off-by: Roman Loginov <r.loginov@yadro.com> 2023-08-23 11:07:52 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"`
[#367] Add check of AccessBox attributes Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-04-16 08:20:35 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`"github.com/nspcc-dev/neo-go/pkg/crypto/keys"`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`"go.uber.org/zap"`
			`)`

[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00			`type (`
			`// Box contains access box and additional info.`
			`Box struct {`
			`AccessBox *accessbox.Box`
			`ClientTime time.Time`
			`AuthHeaders *AuthHeader`
[#367] Add check of AccessBox attributes Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-04-16 08:20:35 +00:00			`Attributes []object.Attribute`
[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00			`}`

			`// Center is a user authentication interface.`
			`Center interface {`
			`// Authenticate validate and authenticate request.`
			`// Must return ErrNoAuthorizationHeader if auth header is missed.`
			`Authenticate(request http.Request) (Box, error)`
			`}`

			`//nolint:revive`
			`AuthHeader struct {`
			`AccessKeyID string`
			`Region string`
			`SignatureV4 string`
			`}`
			`)`

			`// ErrNoAuthorizationHeader is returned for unauthenticated requests.`
[#318] auth: Add context for logged errors Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-02-21 13:16:14 +00:00			`var ErrNoAuthorizationHeader = errors.New("no authorization header")`
[#260] Refactor api/auth/center.go Move the Center interface to middleware package where it's used Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 08:05:21 +00:00
			`func Auth(center Center, log *zap.Logger) Func {`
[TrueCloudLab#5] Refactor middlewares Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2022-12-27 12:30:11 +00:00			`return func(h http.Handler) http.Handler {`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
[#111] auth: Get log from real request context Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-06 09:13:45 +00:00			`ctx := r.Context()`
[#321] Use correct owner id in billing metrics Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-02-26 13:18:34 +00:00			`reqInfo := GetReqInfo(ctx)`
			`reqInfo.User = "anon"`
[#89] Add placement policy Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-07-16 12:35:07 +00:00			`box, err := center.Authenticate(r)`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`if err != nil {`
[#318] auth: Add context for logged errors Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-02-21 13:16:14 +00:00			`if errors.Is(err, ErrNoAuthorizationHeader) {`
			`reqLogOrDefault(ctx, log).Debug(logs.CouldntReceiveAccessBoxForGateKeyRandomKeyWillBeUsed, zap.Error(err))`
[#65] Added NoAuthorizationHeader error Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 16:29:55 +00:00			`} else {`
[#96] Move log messages to constants Signed-off-by: Roman Loginov <r.loginov@yadro.com> 2023-08-23 11:07:52 +00:00			`reqLogOrDefault(ctx, log).Error(logs.FailedToPassAuthentication, zap.Error(err))`
[#488] middleware/auth: Add frostfs-to-s3 error transformation Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com> 2024-09-30 08:34:45 +00:00			`err = apierr.TransformToS3Error(err)`
			`if err.(apierr.Error).ErrCode == apierr.ErrInternalError {`
[#488] Renamed api/errors, layer/frostfs and layer/tree package names Signed-off-by: Nikita Zinkevich <n.zinkevich@yadro.com> 2024-09-27 09:18:41 +00:00			`err = apierr.GetAPIError(apierr.ErrAccessDenied)`
[#199] Refactor Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 08:53:58 +00:00			`}`
[#328] Log error on failed response writing Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-04 12:53:00 +00:00			`if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {`
			`reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))`
			`}`
[#65] Added NoAuthorizationHeader error Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 16:29:55 +00:00			`return`
			`}`
[#65] Allow no sign requests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 11:52:03 +00:00			`} else {`
[#367] Add check of AccessBox attributes Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-04-16 08:20:35 +00:00			`ctx = SetBox(ctx, box)`
[#321] Use correct owner id in billing metrics Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-02-26 13:18:34 +00:00
			`if box.AccessBox.Gate.BearerToken != nil {`
			`reqInfo.User = bearer.ResolveIssuer(*box.AccessBox.Gate.BearerToken).String()`
			`}`
[#318] Log successfully authenticated accessKeyIDs Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-02-21 13:41:56 +00:00			`reqLogOrDefault(ctx, log).Debug(logs.SuccessfulAuth, zap.String("accessKeyID", box.AuthHeaders.AccessKeyID))`
[#65] Allow no sign requests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 11:52:03 +00:00			`}`

			`h.ServeHTTP(w, r.WithContext(ctx))`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`})`
[TrueCloudLab#5] Refactor middlewares Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2022-12-27 12:30:11 +00:00			`}`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`}`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00
[#283] Support frostfsid groups in policy request checking Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-13 14:44:18 +00:00			`type FrostFSIDValidator interface {`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`ValidatePublicKey(key *keys.PublicKey) error`
			`}`

[#283] Support frostfsid groups in policy request checking Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-13 14:44:18 +00:00			`func FrostfsIDValidation(frostfsID FrostFSIDValidator, log *zap.Logger) Func {`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`return func(h http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`bd, err := GetBoxData(ctx)`
			`if err != nil \|\| bd.Gate.BearerToken == nil {`
			`reqLogOrDefault(ctx, log).Debug(logs.AnonRequestSkipFrostfsIDValidation)`
			`h.ServeHTTP(w, r)`
			`return`
			`}`

			`if err = validateBearerToken(frostfsID, bd.Gate.BearerToken); err != nil {`
			`reqLogOrDefault(ctx, log).Error(logs.FrostfsIDValidationFailed, zap.Error(err))`
[#328] Log error on failed response writing Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-04 12:53:00 +00:00			`if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {`
			`reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))`
			`}`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`return`
			`}`

			`h.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

[#283] Support frostfsid groups in policy request checking Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-12-13 14:44:18 +00:00			`func validateBearerToken(frostfsID FrostFSIDValidator, bt *bearer.Token) error {`
[#260] Support frostfsid validation Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-10-05 13:25:25 +00:00			`m := new(acl.BearerToken)`
			`bt.WriteToV2(m)`

			`pk, err := keys.NewPublicKeyFromBytes(m.GetSignature().GetKey(), elliptic.P256())`
			`if err != nil {`
			`return fmt.Errorf("invalid bearer token public key: %w", err)`
			`}`

			`if err = frostfsID.ValidatePublicKey(pk); err != nil {`
			`return fmt.Errorf("validation data user key failed: %w", err)`
			`}`

			`return nil`
			`}`