Tune getting bearer token; prepare for passing through bearer token
This commit is contained in:
parent
3ff7028229
commit
d9b146628d
7 changed files with 57 additions and 39 deletions
|
@ -1,11 +1,13 @@
|
||||||
package auth
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"encoding/hex"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
@ -16,12 +18,16 @@ import (
|
||||||
"github.com/nspcc-dev/neofs-api-go/service"
|
"github.com/nspcc-dev/neofs-api-go/service"
|
||||||
crypto "github.com/nspcc-dev/neofs-crypto"
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
const authorizationFieldPattern = `AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request, SignedHeaders=(?P<signed_header_fields>.*), Signature=(?P<v4_signature>.*)`
|
const authorizationFieldPattern = `AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request, SignedHeaders=(?P<signed_header_fields>.*), Signature=(?P<v4_signature>.*)`
|
||||||
|
|
||||||
|
const emptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
|
||||||
|
|
||||||
// Center is a central app's authentication/authorization management unit.
|
// Center is a central app's authentication/authorization management unit.
|
||||||
type Center struct {
|
type Center struct {
|
||||||
|
log *zap.Logger
|
||||||
submatcher *regexpSubmatcher
|
submatcher *regexpSubmatcher
|
||||||
zstdEncoder *zstd.Encoder
|
zstdEncoder *zstd.Encoder
|
||||||
zstdDecoder *zstd.Decoder
|
zstdDecoder *zstd.Decoder
|
||||||
|
@ -38,10 +44,11 @@ type Center struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewCenter creates an instance of AuthCenter.
|
// NewCenter creates an instance of AuthCenter.
|
||||||
func NewCenter() *Center {
|
func NewCenter(log *zap.Logger) *Center {
|
||||||
zstdEncoder, _ := zstd.NewWriter(nil)
|
zstdEncoder, _ := zstd.NewWriter(nil)
|
||||||
zstdDecoder, _ := zstd.NewReader(nil)
|
zstdDecoder, _ := zstd.NewReader(nil)
|
||||||
return &Center{
|
return &Center{
|
||||||
|
log: log,
|
||||||
submatcher: ®expSubmatcher{re: regexp.MustCompile(authorizationFieldPattern)},
|
submatcher: ®expSubmatcher{re: regexp.MustCompile(authorizationFieldPattern)},
|
||||||
zstdEncoder: zstdEncoder,
|
zstdEncoder: zstdEncoder,
|
||||||
zstdDecoder: zstdDecoder,
|
zstdDecoder: zstdDecoder,
|
||||||
|
@ -86,68 +93,72 @@ func (center *Center) SetUserAuthKeys(key *rsa.PrivateKey) {
|
||||||
center.userAuthKeys.PublicKey = &key.PublicKey
|
center.userAuthKeys.PublicKey = &key.PublicKey
|
||||||
}
|
}
|
||||||
|
|
||||||
func (center *Center) packBearerToken(bearerToken *service.BearerTokenMsg) ([]byte, error) {
|
func (center *Center) packBearerToken(bearerToken *service.BearerTokenMsg) (string, string, error) {
|
||||||
data, err := bearerToken.Marshal()
|
data, err := bearerToken.Marshal()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to marshal bearer token")
|
return "", "", errors.Wrap(err, "failed to marshal bearer token")
|
||||||
}
|
}
|
||||||
encryptedKeyID, err := encrypt(center.userAuthKeys.PublicKey, center.compress(data))
|
encryptedKeyID, err := encrypt(center.userAuthKeys.PublicKey, center.compress(data))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "")
|
return "", "", errors.Wrap(err, "failed to encrypt bearer token bytes")
|
||||||
}
|
}
|
||||||
return append(sha256Hash(data), encryptedKeyID...), nil
|
accessKeyID := hex.EncodeToString(encryptedKeyID)
|
||||||
|
secretAccessKey := hex.EncodeToString(sha256Hash(data))
|
||||||
|
return accessKeyID, secretAccessKey, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (center *Center) unpackBearerToken(packedBearerToken []byte) (*service.BearerTokenMsg, error) {
|
func (center *Center) unpackBearerToken(accessKeyID string) (*service.BearerTokenMsg, error) {
|
||||||
compressedKeyID := packedBearerToken[32:]
|
encryptedKeyID, err := hex.DecodeString(accessKeyID)
|
||||||
encryptedKeyID, err := center.decompress(compressedKeyID)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to decompress key ID")
|
return nil, errors.Wrap(err, "failed to decode HEX string")
|
||||||
}
|
}
|
||||||
keyID, err := decrypt(center.userAuthKeys.PrivateKey, encryptedKeyID)
|
compressedKeyID, err := decrypt(center.userAuthKeys.PrivateKey, encryptedKeyID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to decrypt key ID")
|
return nil, errors.Wrap(err, "failed to decrypt key ID")
|
||||||
}
|
}
|
||||||
|
data, err := center.decompress(compressedKeyID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "failed to decompress key ID")
|
||||||
|
}
|
||||||
bearerToken := new(service.BearerTokenMsg)
|
bearerToken := new(service.BearerTokenMsg)
|
||||||
if err := bearerToken.Unmarshal(keyID); err != nil {
|
if err := bearerToken.Unmarshal(data); err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
|
return nil, errors.Wrap(err, "failed to unmarshal embedded bearer token")
|
||||||
}
|
}
|
||||||
return bearerToken, nil
|
return bearerToken, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (center *Center) AuthenticationPassed(header http.Header) (*service.BearerTokenMsg, error) {
|
func (center *Center) AuthenticationPassed(request *http.Request) (*service.BearerTokenMsg, error) {
|
||||||
authHeaderField := header["Authorization"]
|
authHeaderField := request.Header["Authorization"]
|
||||||
if len(authHeaderField) != 1 {
|
if len(authHeaderField) != 1 {
|
||||||
return nil, errors.New("wrong length of Authorization header field")
|
return nil, errors.New("unsupported request: wrong length of Authorization header field")
|
||||||
}
|
}
|
||||||
sms := center.submatcher.getSubmatches(authHeaderField[0])
|
sms := center.submatcher.getSubmatches(authHeaderField[0])
|
||||||
if len(sms) != 6 {
|
if len(sms) != 6 {
|
||||||
return nil, errors.New("bad Authorization header field")
|
return nil, errors.New("bad Authorization header field")
|
||||||
}
|
}
|
||||||
akid := sms["access_key_id"]
|
bt, err := center.unpackBearerToken(sms["access_key_id"])
|
||||||
bt, err := center.unpackBearerToken([]byte(akid))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to unpack bearer token")
|
center.log.Warn("Failed to unpack bearer token", zap.Error(err))
|
||||||
|
//return nil, errors.Wrap(err, "failed to unpack bearer token")
|
||||||
}
|
}
|
||||||
// v4sig := sms["v4_signature"]
|
|
||||||
// TODO: Validate V4 signature.
|
|
||||||
return bt, nil
|
return bt, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func readAndReplaceBody(request *http.Request) []byte {
|
||||||
|
if request.Body == nil {
|
||||||
|
return []byte{}
|
||||||
|
}
|
||||||
|
payload, _ := ioutil.ReadAll(request.Body)
|
||||||
|
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||||
|
return payload
|
||||||
|
}
|
||||||
|
|
||||||
func (center *Center) compress(data []byte) []byte {
|
func (center *Center) compress(data []byte) []byte {
|
||||||
center.zstdEncoder.Reset(nil)
|
return center.zstdEncoder.EncodeAll(data, make([]byte, 0, len(data)))
|
||||||
var compressedData []byte
|
|
||||||
center.zstdEncoder.EncodeAll(data, compressedData)
|
|
||||||
return compressedData
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (center *Center) decompress(data []byte) ([]byte, error) {
|
func (center *Center) decompress(data []byte) ([]byte, error) {
|
||||||
center.zstdDecoder.Reset(nil)
|
return center.zstdDecoder.DecodeAll(data, nil)
|
||||||
var decompressedData []byte
|
|
||||||
if _, err := center.zstdDecoder.DecodeAll(data, decompressedData); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return decompressedData, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func encrypt(key *rsa.PublicKey, data []byte) ([]byte, error) {
|
func encrypt(key *rsa.PublicKey, data []byte) ([]byte, error) {
|
||||||
|
|
|
@ -11,7 +11,7 @@ import (
|
||||||
func attachNewUserAuth(router *mux.Router, center *s3auth.Center, log *zap.Logger) {
|
func attachNewUserAuth(router *mux.Router, center *s3auth.Center, log *zap.Logger) {
|
||||||
uamw := func(h http.Handler) http.Handler {
|
uamw := func(h http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
_, err := center.AuthenticationPassed(r.Header)
|
_, err := center.AuthenticationPassed(r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("failed to pass authentication", zap.Error(err))
|
log.Error("failed to pass authentication", zap.Error(err))
|
||||||
}
|
}
|
||||||
|
|
|
@ -110,7 +110,7 @@ func fetchAuthCenter(l *zap.Logger, v *viper.Viper) (*s3auth.Center, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "could not load UserAuth private key")
|
return nil, errors.Wrap(err, "could not load UserAuth private key")
|
||||||
}
|
}
|
||||||
center := s3auth.NewCenter()
|
center := s3auth.NewCenter(l)
|
||||||
center.SetUserAuthKeys(userAuthPrivateKey)
|
center.SetUserAuthKeys(userAuthPrivateKey)
|
||||||
center.SetNeoFSKeys(neofsPrivateKey)
|
center.SetNeoFSKeys(neofsPrivateKey)
|
||||||
return center, nil
|
return center, nil
|
||||||
|
|
|
@ -120,7 +120,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
|
||||||
l.Info("used credentials", zap.String("AccessKey", uid.String()), zap.String("SecretKey", wif))
|
l.Info("used credentials", zap.String("AccessKey", uid.String()), zap.String("SecretKey", wif))
|
||||||
}
|
}
|
||||||
|
|
||||||
if obj, err = layer.NewLayer(cli, l, center); err != nil {
|
if obj, err = layer.NewLayer(l, cli, center); err != nil {
|
||||||
l.Fatal("could not prepare ObjectLayer", zap.Error(err))
|
l.Fatal("could not prepare ObjectLayer", zap.Error(err))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -274,13 +274,18 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
|
||||||
return s3Err
|
return s3Err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// FIXME: Remove this temporary stub to by-pass Minio auth procedure.
|
||||||
|
func checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, action policy.Action, bucketName, objectName string) (string, bool, APIErrorCode) {
|
||||||
|
return "", true, ErrNone
|
||||||
|
}
|
||||||
|
|
||||||
// Check request auth type verifies the incoming http request
|
// Check request auth type verifies the incoming http request
|
||||||
// - validates the request signature
|
// - validates the request signature
|
||||||
// - validates the policy action if anonymous tests bucket policies if any,
|
// - validates the policy action if anonymous tests bucket policies if any,
|
||||||
// for authenticated requests validates IAM policies.
|
// for authenticated requests validates IAM policies.
|
||||||
// returns APIErrorCode if any to be replied to the client.
|
// returns APIErrorCode if any to be replied to the client.
|
||||||
// Additionally returns the accessKey used in the request, and if this request is by an admin.
|
// Additionally returns the accessKey used in the request, and if this request is by an admin.
|
||||||
func checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, action policy.Action, bucketName, objectName string) (accessKey string, owner bool, s3Err APIErrorCode) {
|
func _checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, action policy.Action, bucketName, objectName string) (accessKey string, owner bool, s3Err APIErrorCode) {
|
||||||
var cred auth.Credentials
|
var cred auth.Credentials
|
||||||
switch getRequestAuthType(r) {
|
switch getRequestAuthType(r) {
|
||||||
case authTypeUnknown, authTypeStreamingSigned:
|
case authTypeUnknown, authTypeStreamingSigned:
|
||||||
|
|
|
@ -21,11 +21,12 @@ type (
|
||||||
neofsObject struct {
|
neofsObject struct {
|
||||||
minio.GatewayUnsupported // placeholder for unimplemented functions
|
minio.GatewayUnsupported // placeholder for unimplemented functions
|
||||||
|
|
||||||
cli pool.Client
|
|
||||||
log *zap.Logger
|
log *zap.Logger
|
||||||
|
cli pool.Client
|
||||||
key *ecdsa.PrivateKey
|
key *ecdsa.PrivateKey
|
||||||
owner refs.OwnerID
|
owner refs.OwnerID
|
||||||
token *service.Token
|
token *service.Token
|
||||||
|
bearerToken *service.BearerTokenMsg
|
||||||
|
|
||||||
// Concurrency must be resolved by creating one lock per object, but
|
// Concurrency must be resolved by creating one lock per object, but
|
||||||
// it may be unnecessary in neofs, because objects are immutable. So
|
// it may be unnecessary in neofs, because objects are immutable. So
|
||||||
|
@ -40,7 +41,7 @@ type (
|
||||||
|
|
||||||
// NewGatewayLayer creates instance of neofsObject. It checks credentials
|
// NewGatewayLayer creates instance of neofsObject. It checks credentials
|
||||||
// and establishes gRPC connection with node.
|
// and establishes gRPC connection with node.
|
||||||
func NewLayer(cli pool.Client, log *zap.Logger, center *s3auth.Center) (minio.ObjectLayer, error) {
|
func NewLayer(log *zap.Logger, cli pool.Client, center *s3auth.Center) (minio.ObjectLayer, error) {
|
||||||
// setup gRPC connection
|
// setup gRPC connection
|
||||||
// todo: think about getting timeout parameters from cli args
|
// todo: think about getting timeout parameters from cli args
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
|
|
|
@ -16,6 +16,7 @@ func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
|
||||||
req.OwnerID = n.owner
|
req.OwnerID = n.owner
|
||||||
req.SetTTL(service.SingleForwardingTTL)
|
req.SetTTL(service.SingleForwardingTTL)
|
||||||
req.SetVersion(APIVersion)
|
req.SetVersion(APIVersion)
|
||||||
|
req.SetBearer(nil)
|
||||||
|
|
||||||
err := service.SignRequestData(n.key, req)
|
err := service.SignRequestData(n.key, req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in a new issue