Move user auth procedure to S3 API router; activate overall setting bearer tokens in neofs objects
This commit is contained in:
parent
9662fb0019
commit
916a216da5
5 changed files with 27 additions and 17 deletions
|
@ -199,13 +199,12 @@ func (a *App) Server(ctx context.Context) {
|
||||||
router := newS3Router()
|
router := newS3Router()
|
||||||
|
|
||||||
// Attach app-specific routes:
|
// Attach app-specific routes:
|
||||||
attachNewUserAuth(router, a.center, a.log)
|
|
||||||
attachHealthy(router, a.cli)
|
attachHealthy(router, a.cli)
|
||||||
attachMetrics(router, a.cfg, a.log)
|
attachMetrics(router, a.cfg, a.log)
|
||||||
attachProfiler(router, a.cfg, a.log)
|
attachProfiler(router, a.cfg, a.log)
|
||||||
|
|
||||||
// Attach S3 API:
|
// Attach S3 API:
|
||||||
api.Attach(router, a.maxClients, a.api)
|
api.Attach(router, a.maxClients, a.api, a.center, a.log)
|
||||||
|
|
||||||
// Use mux.Router as http.Handler
|
// Use mux.Router as http.Handler
|
||||||
srv.Handler = router
|
srv.Handler = router
|
||||||
|
|
|
@ -4,7 +4,9 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/gorilla/mux"
|
"github.com/gorilla/mux"
|
||||||
|
"github.com/minio/minio/auth"
|
||||||
"github.com/minio/minio/neofs/metrics"
|
"github.com/minio/minio/neofs/metrics"
|
||||||
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -89,8 +91,10 @@ const (
|
||||||
mimeXML mimeType = "application/xml"
|
mimeXML mimeType = "application/xml"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Attach(r *mux.Router, m MaxClients, h Handler) {
|
func Attach(r *mux.Router, m MaxClients, h Handler, center *auth.Center, log *zap.Logger) {
|
||||||
api := r.PathPrefix(SlashSeparator).Subrouter()
|
api := r.PathPrefix(SlashSeparator).Subrouter()
|
||||||
|
// Attach user authentication for all S3 routes.
|
||||||
|
AttachUserAuth(api, center, log)
|
||||||
|
|
||||||
bucket := api.PathPrefix("/{bucket}").Subrouter()
|
bucket := api.PathPrefix("/{bucket}").Subrouter()
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
package main
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
@ -8,19 +8,17 @@ import (
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
func attachNewUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
|
func AttachUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
|
||||||
uamw := func(h http.Handler) http.Handler {
|
uamw := func(h http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
bearerToken, err := center.AuthenticationPassed(r)
|
bearerToken, err := center.AuthenticationPassed(r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("failed to pass authentication", zap.Error(err))
|
log.Error("failed to pass authentication", zap.Error(err))
|
||||||
// TODO: Handle any auth error by rejecting request.
|
WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)
|
||||||
}
|
}
|
||||||
h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken)))
|
h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken)))
|
||||||
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
// TODO: should not be used for all routes,
|
|
||||||
// only for API
|
|
||||||
router.Use(uamw)
|
router.Use(uamw)
|
||||||
}
|
}
|
|
@ -15,8 +15,8 @@ import (
|
||||||
func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
|
func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
|
||||||
req := new(container.ListRequest)
|
req := new(container.ListRequest)
|
||||||
req.OwnerID = n.owner
|
req.OwnerID = n.owner
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
req.SetBearer(auth.GetBearerToken(ctx))
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
|
|
||||||
err := service.SignRequestData(n.key, req)
|
err := service.SignRequestData(n.key, req)
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"io"
|
"io"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
auth "github.com/minio/minio/auth"
|
||||||
"github.com/nspcc-dev/neofs-api-go/object"
|
"github.com/nspcc-dev/neofs-api-go/object"
|
||||||
"github.com/nspcc-dev/neofs-api-go/query"
|
"github.com/nspcc-dev/neofs-api-go/query"
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
|
@ -69,8 +70,9 @@ func (n *neofsObject) objectSearchContainer(ctx context.Context, cid refs.CID) (
|
||||||
req.Query = queryBinary
|
req.Query = queryBinary
|
||||||
req.QueryVersion = 1
|
req.QueryVersion = 1
|
||||||
req.ContainerID = cid
|
req.ContainerID = cid
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -153,8 +155,9 @@ func (n *neofsObject) objectFindID(ctx context.Context, cid refs.CID, name strin
|
||||||
req.Query = queryBinary
|
req.Query = queryBinary
|
||||||
req.QueryVersion = 1
|
req.QueryVersion = 1
|
||||||
req.ContainerID = cid
|
req.ContainerID = cid
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -229,8 +232,9 @@ func (n *neofsObject) objectHead(ctx context.Context, addr refs.Address) (*objec
|
||||||
req := new(object.HeadRequest)
|
req := new(object.HeadRequest)
|
||||||
req.Address = addr
|
req.Address = addr
|
||||||
req.FullHeaders = true
|
req.FullHeaders = true
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -271,8 +275,9 @@ func (n *neofsObject) objectGet(ctx context.Context, p getParams) (*object.Objec
|
||||||
// object.GetRange() response message become gRPC stream.
|
// object.GetRange() response message become gRPC stream.
|
||||||
req := new(object.GetRequest)
|
req := new(object.GetRequest)
|
||||||
req.Address = p.addr
|
req.Address = p.addr
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -391,8 +396,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
|
||||||
}
|
}
|
||||||
|
|
||||||
req := object.MakePutRequestHeader(obj)
|
req := object.MakePutRequestHeader(obj)
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -419,8 +425,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
|
||||||
|
|
||||||
if read > 0 {
|
if read > 0 {
|
||||||
req := object.MakePutRequestChunk(readBuffer[:read])
|
req := object.MakePutRequestChunk(readBuffer[:read])
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -493,8 +500,9 @@ func (n *neofsObject) storageGroupPut(ctx context.Context, p sgParams) (*object.
|
||||||
sg.SetStorageGroup(new(storagegroup.StorageGroup))
|
sg.SetStorageGroup(new(storagegroup.StorageGroup))
|
||||||
|
|
||||||
req := object.MakePutRequestHeader(sg)
|
req := object.MakePutRequestHeader(sg)
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
@ -529,8 +537,9 @@ func (n *neofsObject) objectDelete(ctx context.Context, p delParams) error {
|
||||||
req := new(object.DeleteRequest)
|
req := new(object.DeleteRequest)
|
||||||
req.Address = p.addr
|
req.Address = p.addr
|
||||||
req.OwnerID = n.owner
|
req.OwnerID = n.owner
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
|
req.SetBearer(auth.GetBearerToken(ctx))
|
||||||
req.SetToken(token)
|
req.SetToken(token)
|
||||||
|
|
||||||
err = service.SignRequestData(n.key, req)
|
err = service.SignRequestData(n.key, req)
|
||||||
|
|
Loading…
Reference in a new issue