forked from TrueCloudLab/frostfs-s3-gw
parent
b2bf81cec7
commit
42ed6a16ea
7 changed files with 560 additions and 52 deletions
|
@ -2,9 +2,13 @@ package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha256"
|
||||||
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
"mime/multipart"
|
||||||
"net/http"
|
"net/http"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -24,6 +28,9 @@ import (
|
||||||
// authorizationFieldRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
|
// authorizationFieldRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
|
||||||
var authorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)
|
var authorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)
|
||||||
|
|
||||||
|
// postPolicyCredentialRegexp -- is regexp for credentials when uploading file using POST with policy.
|
||||||
|
var postPolicyCredentialRegexp = regexp.MustCompile(`(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request`)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
// Center is a user authentication interface.
|
// Center is a user authentication interface.
|
||||||
Center interface {
|
Center interface {
|
||||||
|
@ -31,8 +38,9 @@ type (
|
||||||
}
|
}
|
||||||
|
|
||||||
center struct {
|
center struct {
|
||||||
reg *regexpSubmatcher
|
reg *regexpSubmatcher
|
||||||
cli tokens.Credentials
|
postReg *regexpSubmatcher
|
||||||
|
cli tokens.Credentials
|
||||||
}
|
}
|
||||||
|
|
||||||
// Params stores node connection parameters.
|
// Params stores node connection parameters.
|
||||||
|
@ -56,6 +64,7 @@ type (
|
||||||
const (
|
const (
|
||||||
accessKeyPartsNum = 2
|
accessKeyPartsNum = 2
|
||||||
authHeaderPartsNum = 6
|
authHeaderPartsNum = 6
|
||||||
|
maxFormSizeMemory = 50 * 1048576 // 50 MB
|
||||||
)
|
)
|
||||||
|
|
||||||
// ErrNoAuthorizationHeader is returned for unauthenticated requests.
|
// ErrNoAuthorizationHeader is returned for unauthenticated requests.
|
||||||
|
@ -74,8 +83,9 @@ var _ io.ReadSeeker = prs(0)
|
||||||
// New creates an instance of AuthCenter.
|
// New creates an instance of AuthCenter.
|
||||||
func New(conns pool.Pool, key *keys.PrivateKey) Center {
|
func New(conns pool.Pool, key *keys.PrivateKey) Center {
|
||||||
return ¢er{
|
return ¢er{
|
||||||
cli: tokens.New(conns, key),
|
cli: tokens.New(conns, key),
|
||||||
reg: ®expSubmatcher{re: authorizationFieldRegexp},
|
reg: ®expSubmatcher{re: authorizationFieldRegexp},
|
||||||
|
postReg: ®expSubmatcher{re: postPolicyCredentialRegexp},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -118,6 +128,9 @@ func (c *center) Authenticate(r *http.Request) (*accessbox.Box, error) {
|
||||||
|
|
||||||
authHeaderField := r.Header["Authorization"]
|
authHeaderField := r.Header["Authorization"]
|
||||||
if len(authHeaderField) != 1 {
|
if len(authHeaderField) != 1 {
|
||||||
|
if strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data") {
|
||||||
|
return c.checkFormData(r)
|
||||||
|
}
|
||||||
return nil, ErrNoAuthorizationHeader
|
return nil, ErrNoAuthorizationHeader
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -149,6 +162,51 @@ func (c *center) Authenticate(r *http.Request) (*accessbox.Box, error) {
|
||||||
return box, nil
|
return box, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *center) checkFormData(r *http.Request) (*accessbox.Box, error) {
|
||||||
|
if err := r.ParseMultipartForm(maxFormSizeMemory); err != nil {
|
||||||
|
return nil, apiErrors.GetAPIError(apiErrors.ErrInvalidArgument)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := prepareForm(r.MultipartForm); err != nil {
|
||||||
|
return nil, fmt.Errorf("couldn't parse form: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
policy := MultipartFormValue(r, "policy")
|
||||||
|
if policy == "" {
|
||||||
|
return nil, ErrNoAuthorizationHeader
|
||||||
|
}
|
||||||
|
|
||||||
|
submatches := c.postReg.getSubmatches(MultipartFormValue(r, "x-amz-credential"))
|
||||||
|
if len(submatches) != 4 {
|
||||||
|
return nil, apiErrors.GetAPIError(apiErrors.ErrAuthorizationHeaderMalformed)
|
||||||
|
}
|
||||||
|
|
||||||
|
signatureDateTime, err := time.Parse("20060102T150405Z", MultipartFormValue(r, "x-amz-date"))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse x-amz-date field: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
address := object.NewAddress()
|
||||||
|
if err = address.Parse(strings.ReplaceAll(submatches["access_key_id"], "0", "/")); err != nil {
|
||||||
|
return nil, apiErrors.GetAPIError(apiErrors.ErrInvalidAccessKeyID)
|
||||||
|
}
|
||||||
|
|
||||||
|
box, err := c.cli.GetBox(r.Context(), address)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
secret := box.Gate.AccessKey
|
||||||
|
service, region := submatches["service"], submatches["region"]
|
||||||
|
|
||||||
|
signature := signStr(secret, service, region, signatureDateTime, policy)
|
||||||
|
if signature != MultipartFormValue(r, "x-amz-signature") {
|
||||||
|
return nil, apiErrors.GetAPIError(apiErrors.ErrSignatureDoesNotMatch)
|
||||||
|
}
|
||||||
|
|
||||||
|
return box, nil
|
||||||
|
}
|
||||||
|
|
||||||
func cloneRequest(r *http.Request, authHeader *authHeader) *http.Request {
|
func cloneRequest(r *http.Request, authHeader *authHeader) *http.Request {
|
||||||
otherRequest := r.Clone(context.TODO())
|
otherRequest := r.Clone(context.TODO())
|
||||||
otherRequest.Header = make(http.Header)
|
otherRequest.Header = make(http.Header)
|
||||||
|
@ -181,3 +239,77 @@ func (c *center) checkSign(authHeader *authHeader, box *accessbox.Box, request *
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func signStr(secret, service, region string, t time.Time, strToSign string) string {
|
||||||
|
creds := deriveKey(secret, service, region, t)
|
||||||
|
signature := hmacSHA256(creds, []byte(strToSign))
|
||||||
|
return hex.EncodeToString(signature)
|
||||||
|
}
|
||||||
|
|
||||||
|
func deriveKey(secret, service, region string, t time.Time) []byte {
|
||||||
|
hmacDate := hmacSHA256([]byte("AWS4"+secret), []byte(t.UTC().Format("20060102")))
|
||||||
|
hmacRegion := hmacSHA256(hmacDate, []byte(region))
|
||||||
|
hmacService := hmacSHA256(hmacRegion, []byte(service))
|
||||||
|
return hmacSHA256(hmacService, []byte("aws4_request"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func hmacSHA256(key []byte, data []byte) []byte {
|
||||||
|
hash := hmac.New(sha256.New, key)
|
||||||
|
hash.Write(data)
|
||||||
|
return hash.Sum(nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// MultipartFormValue get value by key from multipart form.
|
||||||
|
func MultipartFormValue(r *http.Request, key string) string {
|
||||||
|
if r.MultipartForm == nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
if vs := r.MultipartForm.Value[key]; len(vs) > 0 {
|
||||||
|
return vs[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
func prepareForm(form *multipart.Form) error {
|
||||||
|
var oldKeysValue []string
|
||||||
|
var oldKeysFile []string
|
||||||
|
|
||||||
|
for k, v := range form.Value {
|
||||||
|
lowerKey := strings.ToLower(k)
|
||||||
|
if lowerKey != k {
|
||||||
|
form.Value[lowerKey] = v
|
||||||
|
oldKeysValue = append(oldKeysValue, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, k := range oldKeysValue {
|
||||||
|
delete(form.Value, k)
|
||||||
|
}
|
||||||
|
|
||||||
|
for k, v := range form.File {
|
||||||
|
lowerKey := strings.ToLower(k)
|
||||||
|
if lowerKey != "file" {
|
||||||
|
oldKeysFile = append(oldKeysFile, k)
|
||||||
|
if len(v) > 0 {
|
||||||
|
field, err := v[0].Open()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
data, err := io.ReadAll(field)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
form.Value[lowerKey] = []string{string(data)}
|
||||||
|
}
|
||||||
|
} else if lowerKey != k {
|
||||||
|
form.File[lowerKey] = v
|
||||||
|
oldKeysFile = append(oldKeysFile, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, k := range oldKeysFile {
|
||||||
|
delete(form.File, k)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
@ -3,6 +3,7 @@ package auth
|
||||||
import (
|
import (
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-s3-gw/api/errors"
|
"github.com/nspcc-dev/neofs-s3-gw/api/errors"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
@ -85,3 +86,16 @@ func TestAuthHeaderGetAddress(t *testing.T) {
|
||||||
require.Equal(t, tc.err, err, tc.authHeader.AccessKeyID)
|
require.Equal(t, tc.err, err, tc.authHeader.AccessKeyID)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestSignature(t *testing.T) {
|
||||||
|
secret := "66be461c3cd429941c55daf42fad2b8153e5a2016ba89c9494d97677cc9d3872"
|
||||||
|
strToSign := "eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiYWNsIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2xvY2FsaG9zdDo4MDg0L2FjbCJ9LAogICAgWyJzdGFydHMtd2l0aCIsICIkQ29udGVudC1UeXBlIiwgImltYWdlLyJdLAogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJHgtYW16LW1ldGEtdGFnIiwgIiJdLAoKICAgIHsiWC1BbXotQ3JlZGVudGlhbCI6ICI4Vmk0MVBIbjVGMXNzY2J4OUhqMXdmMUU2aERUYURpNndxOGhxTU05NllKdTA1QzVDeUVkVlFoV1E2aVZGekFpTkxXaTlFc3BiUTE5ZDRuR3pTYnZVZm10TS8yMDE1MTIyOS91cy1lYXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IlgtQW16LURhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfSwKICAgIHsieC1pZ25vcmUtdG1wIjogInNvbWV0aGluZyIgfQogIF0KfQ=="
|
||||||
|
|
||||||
|
signTime, err := time.Parse("20060102T150405Z", "20151229T000000Z")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
signature := signStr(secret, "s3", "us-east-1", signTime, strToSign)
|
||||||
|
require.Equal(t, "dfbe886241d9e369cf4b329ca0f15eb27306c97aa1022cc0bb5a914c4ef87634", signature)
|
||||||
|
}
|
||||||
|
|
|
@ -1,19 +1,159 @@
|
||||||
package handler
|
package handler
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
"encoding/xml"
|
"encoding/xml"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
"github.com/nspcc-dev/neofs-api-go/pkg/acl/eacl"
|
||||||
"github.com/nspcc-dev/neofs-s3-gw/api"
|
"github.com/nspcc-dev/neofs-s3-gw/api"
|
||||||
|
"github.com/nspcc-dev/neofs-s3-gw/api/auth"
|
||||||
"github.com/nspcc-dev/neofs-s3-gw/api/errors"
|
"github.com/nspcc-dev/neofs-s3-gw/api/errors"
|
||||||
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
|
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type postPolicy struct {
|
||||||
|
Expiration time.Time `json:"expiration"`
|
||||||
|
Conditions []*policyCondition `json:"conditions"`
|
||||||
|
empty bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *postPolicy) condition(key string) *policyCondition {
|
||||||
|
for _, condition := range p.Conditions {
|
||||||
|
if condition.Key == key {
|
||||||
|
return condition
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *postPolicy) CheckContentLength(size int64) bool {
|
||||||
|
if p.empty {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
for _, condition := range p.Conditions {
|
||||||
|
if condition.Matching == "content-length-range" {
|
||||||
|
length := strconv.FormatInt(size, 10)
|
||||||
|
return condition.Key <= length && length <= condition.Value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *policyCondition) match(value string) bool {
|
||||||
|
switch p.Matching {
|
||||||
|
case "eq":
|
||||||
|
p.Matched = p.Value == value
|
||||||
|
case "starts-with":
|
||||||
|
if p.Key == api.ContentType {
|
||||||
|
p.Matched = true
|
||||||
|
for _, contentType := range strings.Split(value, ",") {
|
||||||
|
if !strings.HasPrefix(contentType, p.Value) {
|
||||||
|
p.Matched = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
p.Matched = strings.HasPrefix(value, p.Value)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return p.Matched
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *postPolicy) CheckField(key string, value string) error {
|
||||||
|
if p.empty {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
cond := p.condition(key)
|
||||||
|
if cond == nil {
|
||||||
|
return errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !cond.match(value) {
|
||||||
|
return errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *postPolicy) AllConditionMatched() bool {
|
||||||
|
for _, condition := range p.Conditions {
|
||||||
|
if !condition.Matched {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
type policyCondition struct {
|
||||||
|
Matching string
|
||||||
|
Key string
|
||||||
|
Value string
|
||||||
|
Matched bool
|
||||||
|
}
|
||||||
|
|
||||||
|
var errInvalidCondition = fmt.Errorf("invalid condition")
|
||||||
|
|
||||||
|
func (p *policyCondition) UnmarshalJSON(data []byte) error {
|
||||||
|
var (
|
||||||
|
ok bool
|
||||||
|
v interface{}
|
||||||
|
)
|
||||||
|
|
||||||
|
if err := json.Unmarshal(data, &v); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch v := v.(type) {
|
||||||
|
case []interface{}:
|
||||||
|
if len(v) != 3 {
|
||||||
|
return errInvalidCondition
|
||||||
|
}
|
||||||
|
if p.Matching, ok = v[0].(string); !ok {
|
||||||
|
return errInvalidCondition
|
||||||
|
}
|
||||||
|
|
||||||
|
if p.Matching == "content-length-range" {
|
||||||
|
min, ok := v[1].(float64)
|
||||||
|
max, ok2 := v[2].(float64)
|
||||||
|
if !ok || !ok2 {
|
||||||
|
return errInvalidCondition
|
||||||
|
}
|
||||||
|
p.Key = strconv.FormatFloat(min, 'f', 0, 32)
|
||||||
|
p.Value = strconv.FormatFloat(max, 'f', 0, 32)
|
||||||
|
} else {
|
||||||
|
key, ok2 := v[1].(string)
|
||||||
|
p.Value, ok = v[2].(string)
|
||||||
|
if !ok || !ok2 {
|
||||||
|
return errInvalidCondition
|
||||||
|
}
|
||||||
|
p.Key = strings.ToLower(strings.TrimPrefix(key, "$"))
|
||||||
|
}
|
||||||
|
|
||||||
|
case map[string]interface{}:
|
||||||
|
p.Matching = "eq"
|
||||||
|
for key, val := range v {
|
||||||
|
p.Key = strings.ToLower(key)
|
||||||
|
if p.Value, ok = val.(string); !ok {
|
||||||
|
return errInvalidCondition
|
||||||
|
}
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("unknown condition type")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// keywords of predefined basic ACL values.
|
// keywords of predefined basic ACL values.
|
||||||
const (
|
const (
|
||||||
basicACLPrivate = "private"
|
basicACLPrivate = "private"
|
||||||
|
@ -68,49 +208,10 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if containsACLHeaders(r) {
|
if containsACLHeaders(r) {
|
||||||
objectACL, err := parseACLHeaders(r)
|
if newEaclTable, err = h.getNewEAclTable(r, info); err != nil {
|
||||||
if err != nil {
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
||||||
h.logAndSendError(w, "could not parse object acl", reqInfo, err)
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
resInfo := &resourceInfo{
|
|
||||||
Bucket: reqInfo.BucketName,
|
|
||||||
Object: reqInfo.ObjectName,
|
|
||||||
Version: info.Version(),
|
|
||||||
}
|
|
||||||
|
|
||||||
bktPolicy, err := aclToPolicy(objectACL, resInfo)
|
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "could not translate object acl to bucket policy", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
astChild, err := policyToAst(bktPolicy)
|
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "could not translate policy to ast", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
bacl, err := h.obj.GetBucketACL(r.Context(), reqInfo.BucketName)
|
|
||||||
if err != nil {
|
|
||||||
h.logAndSendError(w, "could not get bucket eacl", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
parentAst := tableToAst(bacl.EACL, reqInfo.BucketName)
|
|
||||||
for _, resource := range parentAst.Resources {
|
|
||||||
if resource.Bucket == bacl.Info.CID.String() {
|
|
||||||
resource.Bucket = reqInfo.BucketName
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if resAst, updated := mergeAst(parentAst, astChild); updated {
|
|
||||||
if newEaclTable, err = astToTable(resAst); err != nil {
|
|
||||||
h.logAndSendError(w, "could not translate ast to table", reqInfo, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if tagSet != nil {
|
if tagSet != nil {
|
||||||
|
@ -142,11 +243,226 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
api.WriteSuccessResponseHeadersOnly(w)
|
api.WriteSuccessResponseHeadersOnly(w)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
|
||||||
|
var (
|
||||||
|
newEaclTable *eacl.Table
|
||||||
|
tagSet map[string]string
|
||||||
|
reqInfo = api.GetReqInfo(r.Context())
|
||||||
|
metadata = make(map[string]string)
|
||||||
|
)
|
||||||
|
|
||||||
|
policy, err := checkPostPolicy(r, reqInfo, metadata)
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "failed check policy", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if tagging := auth.MultipartFormValue(r, "tagging"); tagging != "" {
|
||||||
|
buffer := bytes.NewBufferString(tagging)
|
||||||
|
tagSet, err = readTagSet(buffer)
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "could not read tag set", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var contentReader io.Reader
|
||||||
|
var size int64
|
||||||
|
if content, ok := r.MultipartForm.Value["file"]; ok {
|
||||||
|
contentReader = bytes.NewBufferString(content[0])
|
||||||
|
size = int64(len(content[0]))
|
||||||
|
} else {
|
||||||
|
file, head, err := r.FormFile("file")
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "could get uploading file", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
contentReader = file
|
||||||
|
size = head.Size
|
||||||
|
reqInfo.ObjectName = strings.ReplaceAll(reqInfo.ObjectName, "${filename}", head.Filename)
|
||||||
|
}
|
||||||
|
if !policy.CheckContentLength(size) {
|
||||||
|
h.logAndSendError(w, "invalid content-length", reqInfo, errors.GetAPIError(errors.ErrInvalidArgument))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
params := &layer.PutObjectParams{
|
||||||
|
Bucket: reqInfo.BucketName,
|
||||||
|
Object: reqInfo.ObjectName,
|
||||||
|
Reader: contentReader,
|
||||||
|
Size: size,
|
||||||
|
Header: metadata,
|
||||||
|
}
|
||||||
|
|
||||||
|
info, err := h.obj.PutObject(r.Context(), params)
|
||||||
|
if err != nil {
|
||||||
|
h.logAndSendError(w, "could not upload object", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if acl := auth.MultipartFormValue(r, "acl"); acl != "" {
|
||||||
|
r.Header.Set(api.AmzACL, acl)
|
||||||
|
r.Header.Set(api.AmzGrantFullControl, "")
|
||||||
|
r.Header.Set(api.AmzGrantWrite, "")
|
||||||
|
r.Header.Set(api.AmzGrantRead, "")
|
||||||
|
|
||||||
|
if newEaclTable, err = h.getNewEAclTable(r, info); err != nil {
|
||||||
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if tagSet != nil {
|
||||||
|
if err = h.obj.PutObjectTagging(r.Context(), &layer.PutTaggingParams{ObjectInfo: info, TagSet: tagSet}); err != nil {
|
||||||
|
h.logAndSendError(w, "could not upload object tagging", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if newEaclTable != nil {
|
||||||
|
p := &layer.PutBucketACLParams{
|
||||||
|
Name: reqInfo.BucketName,
|
||||||
|
EACL: newEaclTable,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
||||||
|
h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if versioning, err := h.obj.GetBucketVersioning(r.Context(), reqInfo.BucketName); err != nil {
|
||||||
|
h.log.Warn("couldn't get bucket versioning", zap.String("bucket name", reqInfo.BucketName), zap.Error(err))
|
||||||
|
} else if versioning.VersioningEnabled {
|
||||||
|
w.Header().Set(api.AmzVersionID, info.Version())
|
||||||
|
}
|
||||||
|
|
||||||
|
if redirectURL := auth.MultipartFormValue(r, "success_action_redirect"); redirectURL != "" {
|
||||||
|
http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
status := http.StatusNoContent
|
||||||
|
if statusStr := auth.MultipartFormValue(r, "success_action_status"); statusStr != "" {
|
||||||
|
switch statusStr {
|
||||||
|
case "200":
|
||||||
|
status = http.StatusOK
|
||||||
|
case "201":
|
||||||
|
status = http.StatusCreated
|
||||||
|
resp := &PostResponse{
|
||||||
|
Bucket: info.Bucket,
|
||||||
|
Key: info.Name,
|
||||||
|
ETag: info.HashSum,
|
||||||
|
}
|
||||||
|
w.WriteHeader(status)
|
||||||
|
if _, err = w.Write(api.EncodeResponse(resp)); err != nil {
|
||||||
|
h.logAndSendError(w, "something went wrong", reqInfo, err)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
w.Header().Set(api.ETag, info.HashSum)
|
||||||
|
w.WriteHeader(status)
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkPostPolicy(r *http.Request, reqInfo *api.ReqInfo, metadata map[string]string) (*postPolicy, error) {
|
||||||
|
policy := &postPolicy{}
|
||||||
|
if policyStr := auth.MultipartFormValue(r, "policy"); policyStr != "" {
|
||||||
|
policyData, err := base64.StdEncoding.DecodeString(policyStr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("could not decode policy: %w", err)
|
||||||
|
}
|
||||||
|
if err = json.Unmarshal(policyData, policy); err != nil {
|
||||||
|
return nil, fmt.Errorf("could not unmarshal policy: %w", err)
|
||||||
|
}
|
||||||
|
if policy.Expiration.Before(time.Now()) {
|
||||||
|
return nil, fmt.Errorf("policy is expired: %w", errors.GetAPIError(errors.ErrInvalidArgument))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for key, v := range r.MultipartForm.Value {
|
||||||
|
value := v[0]
|
||||||
|
if key == "file" || key == "policy" || key == "x-amz-signature" || strings.HasPrefix(key, "x-ignore-") {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := policy.CheckField(key, value); err != nil {
|
||||||
|
return nil, fmt.Errorf("'%s' form field doesn't match the policy: %w", key, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
prefix := strings.ToLower(api.MetadataPrefix)
|
||||||
|
if strings.HasPrefix(key, prefix) {
|
||||||
|
metadata[strings.TrimPrefix(key, prefix)] = value
|
||||||
|
}
|
||||||
|
|
||||||
|
if key == "content-type" {
|
||||||
|
metadata[api.ContentType] = value
|
||||||
|
}
|
||||||
|
|
||||||
|
if key == "key" {
|
||||||
|
reqInfo.ObjectName = value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, cond := range policy.Conditions {
|
||||||
|
if cond.Key == "bucket" {
|
||||||
|
if !cond.match(reqInfo.BucketName) {
|
||||||
|
return nil, errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return policy, nil
|
||||||
|
}
|
||||||
|
|
||||||
func containsACLHeaders(r *http.Request) bool {
|
func containsACLHeaders(r *http.Request) bool {
|
||||||
return r.Header.Get(api.AmzACL) != "" || r.Header.Get(api.AmzGrantRead) != "" ||
|
return r.Header.Get(api.AmzACL) != "" || r.Header.Get(api.AmzGrantRead) != "" ||
|
||||||
r.Header.Get(api.AmzGrantFullControl) != "" || r.Header.Get(api.AmzGrantWrite) != ""
|
r.Header.Get(api.AmzGrantFullControl) != "" || r.Header.Get(api.AmzGrantWrite) != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *handler) getNewEAclTable(r *http.Request, objInfo *layer.ObjectInfo) (*eacl.Table, error) {
|
||||||
|
var newEaclTable *eacl.Table
|
||||||
|
objectACL, err := parseACLHeaders(r)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("could not parse object acl: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
resInfo := &resourceInfo{
|
||||||
|
Bucket: objInfo.Bucket,
|
||||||
|
Object: objInfo.Name,
|
||||||
|
Version: objInfo.Version(),
|
||||||
|
}
|
||||||
|
|
||||||
|
bktPolicy, err := aclToPolicy(objectACL, resInfo)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("could not translate object acl to bucket policy: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
astChild, err := policyToAst(bktPolicy)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("could not translate policy to ast: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
bacl, err := h.obj.GetBucketACL(r.Context(), objInfo.Bucket)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("could not get bucket eacl: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
parentAst := tableToAst(bacl.EACL, objInfo.Bucket)
|
||||||
|
for _, resource := range parentAst.Resources {
|
||||||
|
if resource.Bucket == bacl.Info.CID.String() {
|
||||||
|
resource.Bucket = objInfo.Bucket
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if resAst, updated := mergeAst(parentAst, astChild); updated {
|
||||||
|
if newEaclTable, err = astToTable(resAst); err != nil {
|
||||||
|
return nil, fmt.Errorf("could not translate ast to table: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return newEaclTable, nil
|
||||||
|
}
|
||||||
|
|
||||||
func parseTaggingHeader(header http.Header) (map[string]string, error) {
|
func parseTaggingHeader(header http.Header) (map[string]string, error) {
|
||||||
var tagSet map[string]string
|
var tagSet map[string]string
|
||||||
if tagging := header.Get(api.AmzTagging); len(tagging) > 0 {
|
if tagging := header.Get(api.AmzTagging); len(tagging) > 0 {
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
package handler
|
package handler
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
@ -43,3 +45,44 @@ func TestCheckBucketName(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCustomJSONMarshal(t *testing.T) {
|
||||||
|
data := []byte(`
|
||||||
|
{ "expiration": "2015-12-30T12:00:00.000Z",
|
||||||
|
"conditions": [
|
||||||
|
["content-length-range", 1048576, 10485760],
|
||||||
|
{"bucket": "bucketName"},
|
||||||
|
["starts-with", "$key", "user/user1/"]
|
||||||
|
]
|
||||||
|
}`)
|
||||||
|
|
||||||
|
parsedTime, err := time.Parse(time.RFC3339, "2015-12-30T12:00:00.000Z")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
expectedPolicy := &postPolicy{
|
||||||
|
Expiration: parsedTime,
|
||||||
|
Conditions: []*policyCondition{
|
||||||
|
{
|
||||||
|
Matching: "content-length-range",
|
||||||
|
Key: "1048576",
|
||||||
|
Value: "10485760",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Matching: "eq",
|
||||||
|
Key: "bucket",
|
||||||
|
Value: "bucketName",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Matching: "starts-with",
|
||||||
|
Key: "key",
|
||||||
|
Value: "user/user1/",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
policy := &postPolicy{}
|
||||||
|
err = json.Unmarshal(data, policy)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
require.Equal(t, expectedPolicy, policy)
|
||||||
|
}
|
||||||
|
|
|
@ -175,6 +175,13 @@ type Tagging struct {
|
||||||
TagSet []Tag `xml:"TagSet>Tag"`
|
TagSet []Tag `xml:"TagSet>Tag"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PostResponse contains result of posting object.
|
||||||
|
type PostResponse struct {
|
||||||
|
Bucket string `xml:"Bucket"`
|
||||||
|
Key string `xml:"Key"`
|
||||||
|
ETag string `xml:"Etag"`
|
||||||
|
}
|
||||||
|
|
||||||
// Tag is AWS key-value tag.
|
// Tag is AWS key-value tag.
|
||||||
type Tag struct {
|
type Tag struct {
|
||||||
Key string
|
Key string
|
||||||
|
|
|
@ -114,7 +114,3 @@ func (h *handler) PutBucketEncryptionHandler(w http.ResponseWriter, r *http.Requ
|
||||||
func (h *handler) PutBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
|
func (h *handler) PutBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
h.logAndSendError(w, "not implemented", api.GetReqInfo(r.Context()), errors.GetAPIError(errors.ErrNotImplemented))
|
h.logAndSendError(w, "not implemented", api.GetReqInfo(r.Context()), errors.GetAPIError(errors.ErrNotImplemented))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *handler) PostPolicyBucketHandler(w http.ResponseWriter, r *http.Request) {
|
|
||||||
h.logAndSendError(w, "not implemented", api.GetReqInfo(r.Context()), errors.GetAPIError(errors.ErrNotImplemented))
|
|
||||||
}
|
|
||||||
|
|
|
@ -70,7 +70,7 @@ type (
|
||||||
PutBucketNotificationHandler(http.ResponseWriter, *http.Request)
|
PutBucketNotificationHandler(http.ResponseWriter, *http.Request)
|
||||||
CreateBucketHandler(http.ResponseWriter, *http.Request)
|
CreateBucketHandler(http.ResponseWriter, *http.Request)
|
||||||
HeadBucketHandler(http.ResponseWriter, *http.Request)
|
HeadBucketHandler(http.ResponseWriter, *http.Request)
|
||||||
PostPolicyBucketHandler(http.ResponseWriter, *http.Request)
|
PostObject(http.ResponseWriter, *http.Request)
|
||||||
DeleteMultipleObjectsHandler(http.ResponseWriter, *http.Request)
|
DeleteMultipleObjectsHandler(http.ResponseWriter, *http.Request)
|
||||||
DeleteBucketPolicyHandler(http.ResponseWriter, *http.Request)
|
DeleteBucketPolicyHandler(http.ResponseWriter, *http.Request)
|
||||||
DeleteBucketLifecycleHandler(http.ResponseWriter, *http.Request)
|
DeleteBucketLifecycleHandler(http.ResponseWriter, *http.Request)
|
||||||
|
@ -422,8 +422,8 @@ func Attach(r *mux.Router, domains []string, m MaxClients, h Handler, center aut
|
||||||
Name("HeadBucket")
|
Name("HeadBucket")
|
||||||
// PostPolicy
|
// PostPolicy
|
||||||
bucket.Methods(http.MethodPost).HeadersRegexp(hdrContentType, "multipart/form-data*").HandlerFunc(
|
bucket.Methods(http.MethodPost).HeadersRegexp(hdrContentType, "multipart/form-data*").HandlerFunc(
|
||||||
m.Handle(metrics.APIStats("postpolicybucket", h.PostPolicyBucketHandler))).
|
m.Handle(metrics.APIStats("postobject", h.PostObject))).
|
||||||
Name("PostPolicyBucket")
|
Name("PostObject")
|
||||||
// DeleteMultipleObjects
|
// DeleteMultipleObjects
|
||||||
bucket.Methods(http.MethodPost).HandlerFunc(
|
bucket.Methods(http.MethodPost).HandlerFunc(
|
||||||
m.Handle(metrics.APIStats("deletemultipleobjects", h.DeleteMultipleObjectsHandler))).Queries("delete", "").
|
m.Handle(metrics.APIStats("deletemultipleobjects", h.DeleteMultipleObjectsHandler))).Queries("delete", "").
|
||||||
|
|
Loading…
Reference in a new issue