Move user auth procedure to S3 API router; activate overall setting bearer tokens in neofs objects
parent
9662fb0019
commit
916a216da5
5 changed files with 27 additions and 17 deletions
|
@ -199,13 +199,12 @@ func (a *App) Server(ctx context.Context) {
|
|||
router := newS3Router()
|
||||
|
||||
// Attach app-specific routes:
|
||||
attachNewUserAuth(router, a.center, a.log)
|
||||
attachHealthy(router, a.cli)
|
||||
attachMetrics(router, a.cfg, a.log)
|
||||
attachProfiler(router, a.cfg, a.log)
|
||||
|
||||
// Attach S3 API:
|
||||
api.Attach(router, a.maxClients, a.api)
|
||||
api.Attach(router, a.maxClients, a.api, a.center, a.log)
|
||||
|
||||
// Use mux.Router as http.Handler
|
||||
srv.Handler = router
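Review bot: With attachNewUserAuth dropped from the top-level router, the routes registered by attachHealthy, attachMetrics and attachProfiler no longer sit behind the S3 authentication middleware, which now only guards the subrouter created inside api.Attach. If serving the profiler and metrics endpoints without S3 credentials is the intent, make that visible at the call site, e.g. `// Attach app-specific routes (not covered by the S3 user-auth middleware):`; if not, they need their own access control before this lands. The body of Server starts and ends outside the hunk.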
|
||||
|
|
|
@ -4,7 +4,9 @@ import (
|
|||
"net/http"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/minio/minio/auth"
|
||||
"github.com/minio/minio/neofs/metrics"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
type (
|
||||
|
@ -89,8 +91,10 @@ const (
|
|||
mimeXML mimeType = "application/xml"
|
||||
)
|
||||
|
||||
func Attach(r *mux.Router, m MaxClients, h Handler) {
|
||||
func Attach(r *mux.Router, m MaxClients, h Handler, center *auth.Center, log *zap.Logger) {
|
||||
api := r.PathPrefix(SlashSeparator).Subrouter()
|
||||
// Attach user authentication for all S3 routes.
|
||||
AttachUserAuth(api, center, log)
|
||||
|
||||
bucket := api.PathPrefix("/{bucket}").Subrouter()
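Review bot: Attach is exported and its signature grew two parameters (`center *auth.Center`, `log *zap.Logger`) but still has no doc comment describing what they are used for or whether they may be nil. A comment such as `// Attach registers the S3 API routes on r behind a user-authentication middleware built from center and log; all routes share the MaxClients limiter m.` would cover it. Note also that gorilla/mux middleware installed with Use runs only for matched routes, so requests that match nothing on the `api` subrouter are answered without passing through AttachUserAuth; if unmatched paths should also be rejected only after authentication, that deserves a comment or a NotFoundHandler on the subrouter. The body of Attach continues outside the hunk.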
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
package main
|
||||
package api
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
@ -8,19 +8,17 @@ import (
|
|||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func attachNewUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
|
||||
func AttachUserAuth(router *mux.Router, center *auth.Center, log *zap.Logger) {
|
||||
uamw := func(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
bearerToken, err := center.AuthenticationPassed(r)
|
||||
if err != nil {
|
||||
log.Error("failed to pass authentication", zap.Error(err))
|
||||
// TODO: Handle any auth error by rejecting request.
|
||||
WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)
|
||||
}
|
||||
h.ServeHTTP(w, r.WithContext(auth.SetBearerToken(r.Context(), bearerToken)))
|
||||
|
||||
})
|
||||
}
|
||||
// TODO: should not be used for all routes,
|
||||
// only for API
|
||||
router.Use(uamw)
|
||||
}
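Review bot: The error branch inside the middleware writes an AccessDenied response but does not return, so on an authentication failure control still reaches `h.ServeHTTP(w, r.WithContext(...))` with whatever bearerToken center returned alongside the error (presumably nil), and the wrapped handler then writes a second response onto a ResponseWriter that already has one. Add a `return` directly after `WriteErrorResponse(r.Context(), w, getAPIError(ErrAccessDenied), r.URL)`; the TODO above it asks for exactly that rejection and can go once the return is in place. AttachUserAuth is now exported and needs a doc comment, e.g. `// AttachUserAuth installs a middleware on router that authenticates every matched request with center and stores the resulting bearer token in the request context.`.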
|
|
@ -15,8 +15,8 @@ import (
|
|||
func (n *neofsObject) containerList(ctx context.Context) ([]refs.CID, error) {
|
||||
req := new(container.ListRequest)
|
||||
req.OwnerID = n.owner
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
|
||||
err := service.SignRequestData(n.key, req)
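Review bot: `req.SetBearer(auth.GetBearerToken(ctx))` forwards whatever the context holds without checking it; when ctx did not pass through the S3 auth middleware the value is presumably nil, and the request is then signed and sent as if no bearer were needed. Either return an explicit error when no token is present, or document the precondition on the method: `// containerList lists the containers owned by n.owner; ctx must carry the bearer token stored by the S3 user-auth middleware.`. The same applies to the object-layer methods changed in this commit. The body of containerList continues outside the hunk.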
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"io"
|
||||
"time"
|
||||
|
||||
auth "github.com/minio/minio/auth"
|
||||
"github.com/nspcc-dev/neofs-api-go/object"
|
||||
"github.com/nspcc-dev/neofs-api-go/query"
|
||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||
|
@ -69,8 +70,9 @@ func (n *neofsObject) objectSearchContainer(ctx context.Context, cid refs.CID) (
|
|||
req.Query = queryBinary
|
||||
req.QueryVersion = 1
|
||||
req.ContainerID = cid
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -153,8 +155,9 @@ func (n *neofsObject) objectFindID(ctx context.Context, cid refs.CID, name strin
|
|||
req.Query = queryBinary
|
||||
req.QueryVersion = 1
|
||||
req.ContainerID = cid
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -229,8 +232,9 @@ func (n *neofsObject) objectHead(ctx context.Context, addr refs.Address) (*objec
|
|||
req := new(object.HeadRequest)
|
||||
req.Address = addr
|
||||
req.FullHeaders = true
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -271,8 +275,9 @@ func (n *neofsObject) objectGet(ctx context.Context, p getParams) (*object.Objec
|
|||
// object.GetRange() response message become gRPC stream.
|
||||
req := new(object.GetRequest)
|
||||
req.Address = p.addr
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -391,8 +396,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
|
|||
}
|
||||
|
||||
req := object.MakePutRequestHeader(obj)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -419,8 +425,9 @@ func (n *neofsObject) objectPut(ctx context.Context, p putParams) (*object.Objec
|
|||
|
||||
if read > 0 {
|
||||
req := object.MakePutRequestChunk(readBuffer[:read])
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
if err != nil {
|
||||
|
@ -493,8 +500,9 @@ func (n *neofsObject) storageGroupPut(ctx context.Context, p sgParams) (*object.
|
|||
sg.SetStorageGroup(new(storagegroup.StorageGroup))
|
||||
|
||||
req := object.MakePutRequestHeader(sg)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
|
||||
|
@ -529,8 +537,9 @@ func (n *neofsObject) objectDelete(ctx context.Context, p delParams) error {
|
|||
req := new(object.DeleteRequest)
|
||||
req.Address = p.addr
|
||||
req.OwnerID = n.owner
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetVersion(APIVersion)
|
||||
req.SetTTL(service.SingleForwardingTTL)
|
||||
req.SetBearer(auth.GetBearerToken(ctx))
|
||||
req.SetToken(token)
|
||||
|
||||
err = service.SignRequestData(n.key, req)
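Review bot: The same request preamble — `req.SetVersion(APIVersion)`, `req.SetTTL(service.SingleForwardingTTL)`, `req.SetBearer(auth.GetBearerToken(ctx))`, `req.SetToken(token)` — is now repeated in objectSearchContainer, objectFindID, objectHead, objectGet, objectPut (header and chunk), storageGroupPut and objectDelete; a small method on neofsObject that takes ctx and the request and applies these calls would keep the bearer-handling in one place and make a future nil-token check a single edit. The chunk request in objectPut is the only site that omits SetToken, which may be deliberate but is worth a one-line comment either way. In the import hunk the alias in `auth "github.com/minio/minio/auth"` repeats the package's own name and is imported unaliased elsewhere in this commit, so the alias can be dropped. Each of the enclosing methods starts and ends outside its hunk.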
|
||||
|
|