From f6aeb06ee9e0593a755519965087d2fd99c83b54 Mon Sep 17 00:00:00 2001 From: Pavel Korotkov Date: Fri, 24 Jul 2020 17:03:02 +0300 Subject: [PATCH] Fast hot fix before rework of auth scheme --- auth/center.go | 119 +++++++++++++++++++++++++++--------------------- cmd/gate/app.go | 2 +- go.sum | 1 + 3 files changed, 69 insertions(+), 53 deletions(-) diff --git a/auth/center.go b/auth/center.go index 5400ec469..3ba2e5a39 100644 --- a/auth/center.go +++ b/auth/center.go @@ -2,18 +2,15 @@ package auth import ( "bytes" - "context" "crypto/ecdsa" "crypto/rsa" "encoding/hex" + "fmt" "io/ioutil" "net/http" "regexp" "strings" - "time" - "github.com/aws/aws-sdk-go/aws/credentials" - v4 "github.com/aws/aws-sdk-go/aws/signer/v4" "github.com/klauspost/compress/zstd" "github.com/nspcc-dev/neofs-api-go/refs" "github.com/nspcc-dev/neofs-api-go/service" @@ -100,6 +97,64 @@ func (center *Center) SetUserAuthKeys(key *rsa.PrivateKey) { center.userAuthKeys.PublicKey = &key.PublicKey } +func (center *Center) AuthenticationPassed(request *http.Request) (*service.BearerTokenMsg, error) { + queryValues := request.URL.Query() + if queryValues.Get("X-Amz-Algorithm") == "AWS4-HMAC-SHA256" { + return nil, errors.New("pre-signed form of request is not supported") + } + authHeaderField := request.Header["Authorization"] + if len(authHeaderField) != 1 { + return nil, errors.New("unsupported request: wrong length of Authorization header field") + } + sms1 := center.submatcher.getSubmatches(authHeaderField[0]) + if len(sms1) != 6 { + return nil, errors.New("bad Authorization header field") + } + signedHeaderFieldsNames := strings.Split(sms1["signed_header_fields"], ";") + if len(signedHeaderFieldsNames) == 0 { + return nil, errors.New("wrong format of signed headers part") + } + // signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date")) + // if err != nil { + // return nil, errors.Wrap(err, "failed to parse x-amz-date header field") + // } + + accessKeyID := sms1["access_key_id"] + bearerToken, _, err := center.fetchBearerToken(accessKeyID) + if err != nil { + return nil, errors.Wrap(err, "failed to fetch bearer token") + } + + // Disable verification of S3 signature for arrival of the new auth scheme. + /* + otherRequest := request.Clone(context.TODO()) + otherRequest.Header = map[string][]string{} + for hfn, hfvs := range request.Header { + for _, shfn := range signedHeaderFieldsNames { + if strings.EqualFold(hfn, shfn) { + otherRequest.Header[hfn] = hfvs + } + } + } + awsCreds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "") + signer := v4.NewSigner(awsCreds) + body, err := readAndKeepBody(request) + if err != nil { + return nil, errors.Wrap(err, "failed to read out request body") + } + _, err = signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime) + if err != nil { + return nil, errors.Wrap(err, "failed to sign temporary HTTP request") + } + sms2 := center.submatcher.getSubmatches(otherRequest.Header.Get("Authorization")) + if sms1["v4_signature"] != sms2["v4_signature"] { + return nil, errors.Wrap(err, "failed to pass authentication procedure") + } + */ + fmt.Println(bearerToken) + return bearerToken, nil +} + func (center *Center) packBearerToken(bearerToken *service.BearerTokenMsg) (string, string, error) { data, err := bearerToken.Marshal() if err != nil { @@ -135,56 +190,16 @@ func (center *Center) unpackBearerToken(accessKeyID string) (*service.BearerToke return bearerToken, secretAccessKey, nil } -func (center *Center) AuthenticationPassed(request *http.Request) (*service.BearerTokenMsg, error) { - queryValues := request.URL.Query() - if queryValues.Get("X-Amz-Algorithm") == "AWS4-HMAC-SHA256" { - return nil, errors.New("pre-signed form of request is not supported") - } - authHeaderField := request.Header["Authorization"] - if len(authHeaderField) != 1 { - return nil, errors.New("unsupported request: wrong length of Authorization header field") - } - sms1 := center.submatcher.getSubmatches(authHeaderField[0]) - if len(sms1) != 6 { - return nil, errors.New("bad Authorization header field") - } - signedHeaderFieldsNames := strings.Split(sms1["signed_header_fields"], ";") - if len(signedHeaderFieldsNames) == 0 { - return nil, errors.New("wrong format of signed headers part") - } - signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date")) +// FIXME: Reimplement this method right after finilizign a new auth scheme. +func (center *Center) fetchBearerToken(accessKeyID string) (*service.BearerTokenMsg, string, error) { + // TODO: Turn it into getting bearer token from NeoFS node later on. + accessKeyID = "051d729a102513387b63f2f07a5cd45ca3158b273646527916cc3f705fa0006b249e038f4e4b4986d85b18358da8692819ef6e35063e91efce17da32d956ad9e48d2674f0cab2bd5ff27b49cb9a1b0e71eb73d330b6cd8f23e85252e55afe992765b2983ee2bafc57079221fdc8e48a3f5d8b0be87a259fd12c6afd59e3ec748c8677a4211c8d6ec7b67008a006f526b22a8536effe8ecb6581ea16d7f9358ede53dddf36fb589ab9a829b81d9c69d19a4b9d1ac58d5e9311e3608eb233475bfc47a02633c5611d1bb3b9450ef00b2490924be5f3375e3eb4b6ed2f23906f183c213e77c19ec5c62b3be3a5a5b526851ea674c613b542c2861fd4a5178b65d8df8899a05b25db8b9e15f5e257467044e41b69144fe4b802aff2a56c8960e5e3c7eb004d41a6d873f927db43ed047171f36cda5be080e0df2ddfe15edb423b41491559a7a5cc70932566cdd71058913abb0a68d3c1ac50586f0a48b02e1cea24ca8a2010d5495dbc5daf0575413c06542a16288664104ad06289a5b2bf119071171562dcdc05d6b9260df2fc676540fc1d836c36f77a090cc5ce52b930f74ae625d53e1a80b7a59aa2d85e2f188c131de5739bf0e49e6d5f081e757f2b0d85a8264dfb66c4400bcd4727d7c21eca92c138d975fe51f986e80ec32ba13e8850c82dd813cd45640caa303555e0759d0d111dac6cc39cbe711dd56dc8f01a6022635" + secretAccessKey := "12775ab859000dd87b3c7586146f465efc73bbbd33ac3b36f2ab2b061df15f7b" + bearerToken, _, err := center.unpackBearerToken(accessKeyID) if err != nil { - return nil, errors.Wrap(err, "failed to parse x-amz-date header field") + return nil, "", errors.Wrap(err, "failed to fetch bearer token") } - accessKeyID := sms1["access_key_id"] - bearerToken, secretAccessKey, err := center.unpackBearerToken(accessKeyID) - if err != nil { - return nil, errors.Wrap(err, "failed to unpack bearer token") - } - otherRequest := request.Clone(context.TODO()) - otherRequest.Header = map[string][]string{} - for hfn, hfvs := range request.Header { - for _, shfn := range signedHeaderFieldsNames { - if strings.EqualFold(hfn, shfn) { - otherRequest.Header[hfn] = hfvs - } - } - } - awsCreds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "") - signer := v4.NewSigner(awsCreds) - body, err := readAndKeepBody(request) - if err != nil { - return nil, errors.Wrap(err, "failed to read out request body") - } - _, err = signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime) - if err != nil { - return nil, errors.Wrap(err, "failed to sign temporary HTTP request") - } - sms2 := center.submatcher.getSubmatches(otherRequest.Header.Get("Authorization")) - if sms1["v4_signature"] != sms2["v4_signature"] { - return nil, errors.Wrap(err, "failed to pass authentication procedure") - } - return bearerToken, nil + return bearerToken, secretAccessKey, nil } // TODO: Make this write into a smart buffer backed by a file on a fast drive. diff --git a/cmd/gate/app.go b/cmd/gate/app.go index bf519d990..256ab67b1 100644 --- a/cmd/gate/app.go +++ b/cmd/gate/app.go @@ -140,7 +140,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App { } else if err = os.Setenv(config.EnvSecretKey, wif); err != nil { l.Fatal("could not set "+config.EnvSecretKey, zap.Error(err)) } - l.Info("used credentials", zap.String("AccessKey", uid.String()), zap.String("SecretKey", wif)) + l.Info("gate neofs credentials", zap.String("OwnerID", uid.String()), zap.String("WIF", wif)) } if obj, err = layer.NewLayer(l, cli, center); err != nil { diff --git a/go.sum b/go.sum index bb5f39f6e..8ee0365c5 100644 --- a/go.sum +++ b/go.sum @@ -401,6 +401,7 @@ github.com/nspcc-dev/hrw v1.0.8 h1:vwRuJXZXgkMvf473vFzeWGCfY1WBVeSHAEHvR4u3/Cg= github.com/nspcc-dev/hrw v1.0.8/go.mod h1:l/W2vx83vMQo6aStyx2AuZrJ+07lGv2JQGlVkPG06MU= github.com/nspcc-dev/neofs-api-go v1.2.0 h1:8vovd8hvnoWS4qkSa6rhyMFLFvjLtNKar5vYRodf+y4= github.com/nspcc-dev/neofs-api-go v1.2.0/go.mod h1:2tf31g2Ns/Z2ev5d8LZ/9f1VHIeY5LHpDbq4EsDhYM0= +github.com/nspcc-dev/neofs-api-go v1.3.0 h1:w0wYIXzPJIElwhqahnQw/1NKiHxjRZKJhDUMSbEHmdk= github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnBg0L4ifM= github.com/nspcc-dev/neofs-crypto v0.3.0/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw= github.com/nspcc-dev/netmap v1.7.0 h1:ak64xn/gPdgYw4tsqSSF7kAGQGbEpeuJEF3XwBX4L9Y=