Denis Kirillov
62cc5a04a7
Some checks failed
/ DCO (pull_request) Successful in 3m34s
/ Vulncheck (pull_request) Failing after 4m18s
/ Builds (1.20) (pull_request) Successful in 4m58s
/ Builds (1.21) (pull_request) Successful in 4m24s
/ Lint (pull_request) Successful in 7m27s
/ Tests (1.20) (pull_request) Successful in 5m24s
/ Tests (1.21) (pull_request) Successful in 5m0s
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
127 lines
3.8 KiB
Go
127 lines
3.8 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/elliptic"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"time"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-api-go/v2/acl"
|
|
apiErrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
|
|
frostfsErrors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/bearer"
|
|
"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
type (
|
|
// Box contains access box and additional info.
|
|
Box struct {
|
|
AccessBox *accessbox.Box
|
|
ClientTime time.Time
|
|
AuthHeaders *AuthHeader
|
|
}
|
|
|
|
// Center is a user authentication interface.
|
|
Center interface {
|
|
// Authenticate validate and authenticate request.
|
|
// Must return ErrNoAuthorizationHeader if auth header is missed.
|
|
Authenticate(request *http.Request) (*Box, error)
|
|
}
|
|
|
|
//nolint:revive
|
|
AuthHeader struct {
|
|
AccessKeyID string
|
|
Region string
|
|
SignatureV4 string
|
|
}
|
|
)
|
|
|
|
// ErrNoAuthorizationHeader is returned for unauthenticated requests.
|
|
var ErrNoAuthorizationHeader = errors.New("no authorization header")
|
|
|
|
func Auth(center Center, log *zap.Logger) Func {
|
|
return func(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
reqInfo := GetReqInfo(ctx)
|
|
reqInfo.User = "anon"
|
|
box, err := center.Authenticate(r)
|
|
if err != nil {
|
|
if errors.Is(err, ErrNoAuthorizationHeader) {
|
|
reqLogOrDefault(ctx, log).Debug(logs.CouldntReceiveAccessBoxForGateKeyRandomKeyWillBeUsed, zap.Error(err))
|
|
} else {
|
|
reqLogOrDefault(ctx, log).Error(logs.FailedToPassAuthentication, zap.Error(err))
|
|
err = frostfsErrors.UnwrapErr(err)
|
|
if _, ok := err.(apiErrors.Error); !ok {
|
|
err = apiErrors.GetAPIError(apiErrors.ErrAccessDenied)
|
|
}
|
|
if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
|
|
reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))
|
|
}
|
|
return
|
|
}
|
|
} else {
|
|
ctx = SetBoxData(ctx, box.AccessBox)
|
|
if !box.ClientTime.IsZero() {
|
|
ctx = SetClientTime(ctx, box.ClientTime)
|
|
}
|
|
ctx = SetAuthHeaders(ctx, box.AuthHeaders)
|
|
|
|
if box.AccessBox.Gate.BearerToken != nil {
|
|
reqInfo.User = bearer.ResolveIssuer(*box.AccessBox.Gate.BearerToken).String()
|
|
}
|
|
reqLogOrDefault(ctx, log).Debug(logs.SuccessfulAuth, zap.String("accessKeyID", box.AuthHeaders.AccessKeyID))
|
|
}
|
|
|
|
h.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
type FrostFSIDValidator interface {
|
|
ValidatePublicKey(key *keys.PublicKey) error
|
|
}
|
|
|
|
func FrostfsIDValidation(frostfsID FrostFSIDValidator, log *zap.Logger) Func {
|
|
return func(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
bd, err := GetBoxData(ctx)
|
|
if err != nil || bd.Gate.BearerToken == nil {
|
|
reqLogOrDefault(ctx, log).Debug(logs.AnonRequestSkipFrostfsIDValidation)
|
|
h.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
if err = validateBearerToken(frostfsID, bd.Gate.BearerToken); err != nil {
|
|
reqLogOrDefault(ctx, log).Error(logs.FrostfsIDValidationFailed, zap.Error(err))
|
|
if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
|
|
reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr))
|
|
}
|
|
return
|
|
}
|
|
|
|
h.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
func validateBearerToken(frostfsID FrostFSIDValidator, bt *bearer.Token) error {
|
|
m := new(acl.BearerToken)
|
|
bt.WriteToV2(m)
|
|
|
|
pk, err := keys.NewPublicKeyFromBytes(m.GetSignature().GetKey(), elliptic.P256())
|
|
if err != nil {
|
|
return fmt.Errorf("invalid bearer token public key: %w", err)
|
|
}
|
|
|
|
if err = frostfsID.ValidatePublicKey(pk); err != nil {
|
|
return fmt.Errorf("validation data user key failed: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|