frostfs-s3-gw/api/middleware/auth.go

package middleware

import (
	"context"
	"net/http"

	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
	"go.uber.org/zap"
)

// KeyWrapper is wrapper for context keys.
type KeyWrapper string

// AuthHeaders is a wrapper for authentication headers of a request.
var AuthHeaders = KeyWrapper("__context_auth_headers_key")

// BoxData is an ID used to store accessbox.Box in a context.
var BoxData = KeyWrapper("__context_box_key")

// ClientTime is an ID used to store client time.Time in a context.
var ClientTime = KeyWrapper("__context_client_time")

func Auth(center auth.Center, log *zap.Logger) Func {
	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			ctx := r.Context()
			box, err := center.Authenticate(r)
			if err != nil {
				if err == auth.ErrNoAuthorizationHeader {
					reqLogOrDefault(ctx, log).Debug("couldn't receive access box for gate key, random key will be used")
				} else {
					reqLogOrDefault(ctx, log).Error("failed to pass authentication", zap.Error(err))
					if _, ok := err.(errors.Error); !ok {
						err = errors.GetAPIError(errors.ErrAccessDenied)
					}
					WriteErrorResponse(w, GetReqInfo(r.Context()), err)
					return
				}
			} else {
				ctx = context.WithValue(ctx, BoxData, box.AccessBox)
				if !box.ClientTime.IsZero() {
					ctx = context.WithValue(ctx, ClientTime, box.ClientTime)
				}
				ctx = context.WithValue(ctx, AuthHeaders, box.AuthHeaders)
			}

			h.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}
[#149] Move middlewares to separate package Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-05 14:04:52 +00:00			`package middleware`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00
			`import (`
*: drop old sdk dependecies, bump neofs-api-go version I'm not sure it works, but it's enough code-wise for now. We're reusing some http-gw components here that are to be moved into sdk-go in future. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-26 16:48:27 +00:00			`"context"`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`"net/http"`

Rename package name Due to source code relocation from GitHub. Signed-off-by: Alex Vanin <a.vanin@yadro.com> 2023-03-07 14:38:08 +00:00			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"`
			`"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`"go.uber.org/zap"`
			`)`

api: fix golint suggestion for proper context usage api/user-auth.go:27:5 golint should not use basic type string as key in context.WithValue Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-26 18:25:05 +00:00			`// KeyWrapper is wrapper for context keys.`
			`type KeyWrapper string`

[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`// AuthHeaders is a wrapper for authentication headers of a request.`
			`var AuthHeaders = KeyWrapper("__context_auth_headers_key")`

[#89] Add placement policy Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-07-16 12:35:07 +00:00			`// BoxData is an ID used to store accessbox.Box in a context.`
			`var BoxData = KeyWrapper("__context_box_key")`
*: drop old sdk dependecies, bump neofs-api-go version I'm not sure it works, but it's enough code-wise for now. We're reusing some http-gw components here that are to be moved into sdk-go in future. Signed-off-by: Roman Khimov <roman@nspcc.ru> 2021-05-26 16:48:27 +00:00
[#726] Use client time on regular requests Use `X-Amz-Date` header as `now` when * compute expiration epoch * set Timestamp for object and container * forming locks * send notifications Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-11-08 09:12:55 +00:00			`// ClientTime is an ID used to store client time.Time in a context.`
			`var ClientTime = KeyWrapper("__context_client_time")`

[#149] Move middlewares to separate package Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-05 14:04:52 +00:00			`func Auth(center auth.Center, log *zap.Logger) Func {`
[TrueCloudLab#5] Refactor middlewares Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2022-12-27 12:30:11 +00:00			`return func(h http.Handler) http.Handler {`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
[#111] auth: Get log from real request context Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-06 09:13:45 +00:00			`ctx := r.Context()`
[#89] Add placement policy Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-07-16 12:35:07 +00:00			`box, err := center.Authenticate(r)`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`if err != nil {`
[#65] Added NoAuthorizationHeader error Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 16:29:55 +00:00			`if err == auth.ErrNoAuthorizationHeader {`
[#111] Use request scope logger Store child zap logger with request scope fields into context. Request scoped fields: request_id, api/method, bucket, object Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-09 13:19:23 +00:00			`reqLogOrDefault(ctx, log).Debug("couldn't receive access box for gate key, random key will be used")`
[#65] Added NoAuthorizationHeader error Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 16:29:55 +00:00			`} else {`
[#111] Use request scope logger Store child zap logger with request scope fields into context. Request scoped fields: request_id, api/method, bucket, object Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-09 13:19:23 +00:00			`reqLogOrDefault(ctx, log).Error("failed to pass authentication", zap.Error(err))`
[#199] Refactor Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-08-09 08:53:58 +00:00			`if _, ok := err.(errors.Error); !ok {`
			`err = errors.GetAPIError(errors.ErrAccessDenied)`
			`}`
			`WriteErrorResponse(w, GetReqInfo(r.Context()), err)`
[#65] Added NoAuthorizationHeader error Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 16:29:55 +00:00			`return`
			`}`
[#65] Allow no sign requests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 11:52:03 +00:00			`} else {`
[#111] auth: Get log from real request context Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-07-06 09:13:45 +00:00			`ctx = context.WithValue(ctx, BoxData, box.AccessBox)`
[#726] Use client time on regular requests Use `X-Amz-Date` header as `now` when * compute expiration epoch * set Timestamp for object and container * forming locks * send notifications Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2022-11-08 09:12:55 +00:00			`if !box.ClientTime.IsZero() {`
			`ctx = context.WithValue(ctx, ClientTime, box.ClientTime)`
			`}`
[#106] Add chunk uploading Signed-off-by: Artem Tataurov <a.tataurov@yadro.com> 2023-06-02 07:44:25 +00:00			`ctx = context.WithValue(ctx, AuthHeaders, box.AuthHeaders)`
[#65] Allow no sign requests Signed-off-by: Denis Kirillov <denis@nspcc.ru> 2021-06-11 11:52:03 +00:00			`}`

			`h.ServeHTTP(w, r.WithContext(ctx))`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`})`
[TrueCloudLab#5] Refactor middlewares Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2022-12-27 12:30:11 +00:00			`}`
Add early support of auth middleware 2020-07-16 15:33:47 +00:00			`}`