Refactoring auth.Center
Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru>
This commit is contained in:
parent
697d318a6b
commit
58b877b97c
1 changed files with 44 additions and 22 deletions
|
@ -1,12 +1,11 @@
|
||||||
package auth
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"context"
|
"context"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -40,8 +39,20 @@ type (
|
||||||
Logger *zap.Logger
|
Logger *zap.Logger
|
||||||
Credential hcs.Credentials
|
Credential hcs.Credentials
|
||||||
}
|
}
|
||||||
|
|
||||||
|
prs int
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func (p prs) Read(_ []byte) (n int, err error) {
|
||||||
|
panic("implement me")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p prs) Seek(_ int64, _ int) (int64, error) {
|
||||||
|
panic("implement me")
|
||||||
|
}
|
||||||
|
|
||||||
|
var _ io.ReadSeeker = prs(0)
|
||||||
|
|
||||||
// New creates an instance of AuthCenter.
|
// New creates an instance of AuthCenter.
|
||||||
func New(obj sdk.ObjectClient, key hcs.PrivateKey) Center {
|
func New(obj sdk.ObjectClient, key hcs.PrivateKey) Center {
|
||||||
return ¢er{
|
return ¢er{
|
||||||
|
@ -61,6 +72,11 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
|
||||||
return nil, errors.New("unsupported request: wrong length of Authorization header field")
|
return nil, errors.New("unsupported request: wrong length of Authorization header field")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// { // to debug request
|
||||||
|
// data, _ := httputil.DumpRequest(r, false)
|
||||||
|
// fmt.Println(string(data))
|
||||||
|
// }
|
||||||
|
|
||||||
sms1 := c.reg.getSubmatches(authHeaderField[0])
|
sms1 := c.reg.getSubmatches(authHeaderField[0])
|
||||||
if len(sms1) != 7 {
|
if len(sms1) != 7 {
|
||||||
return nil, errors.New("bad Authorization header field")
|
return nil, errors.New("bad Authorization header field")
|
||||||
|
@ -110,34 +126,40 @@ func (c *center) Authenticate(r *http.Request) (*token.BearerToken, error) {
|
||||||
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret, "")
|
awsCreds := credentials.NewStaticCredentials(accessKeyID, secret, "")
|
||||||
signer := v4.NewSigner(awsCreds)
|
signer := v4.NewSigner(awsCreds)
|
||||||
|
|
||||||
body, err := readAndKeepBody(r)
|
// body, err := readAndKeepBody(r)
|
||||||
if err != nil {
|
// if err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to read out request body")
|
// return nil, errors.Wrap(err, "failed to read out request body")
|
||||||
}
|
// }
|
||||||
|
//
|
||||||
|
// _ = body
|
||||||
|
|
||||||
hdr, err := signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime)
|
// body not required
|
||||||
if err != nil {
|
if _, err := signer.Sign(otherRequest, nil, sms1["service"], sms1["region"], signatureDateTime); err != nil {
|
||||||
return nil, errors.Wrap(err, "failed to sign temporary HTTP request")
|
return nil, errors.Wrap(err, "failed to sign temporary HTTP request")
|
||||||
}
|
}
|
||||||
|
|
||||||
sms2 := c.reg.getSubmatches(hdr.Get("Authorization"))
|
sms2 := c.reg.getSubmatches(otherRequest.Header.Get("Authorization"))
|
||||||
if sms1["v4_signature"] != sms2["v4_signature"] {
|
if sms1["v4_signature"] != sms2["v4_signature"] {
|
||||||
return nil, errors.Wrap(err, "failed to pass authentication procedure")
|
return nil, errors.New("failed to pass authentication procedure")
|
||||||
}
|
}
|
||||||
|
|
||||||
return tkn, nil
|
return tkn, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// for debug reasons
|
||||||
|
func panicSeeker() io.ReadSeeker { return prs(0) }
|
||||||
|
|
||||||
// TODO: Make this write into a smart buffer backed by a file on a fast drive.
|
// TODO: Make this write into a smart buffer backed by a file on a fast drive.
|
||||||
func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
// func readAndKeepBody(request *http.Request) (*bytes.Reader, error) {
|
||||||
if request.Body == nil {
|
// if request.Body == nil {
|
||||||
var r bytes.Reader
|
// return new(bytes.Reader), nil
|
||||||
return &r, nil
|
// }
|
||||||
}
|
//
|
||||||
payload, err := ioutil.ReadAll(request.Body)
|
// payload, err := ioutil.ReadAll(request.Body)
|
||||||
if err != nil {
|
// if err != nil {
|
||||||
return nil, err
|
// return nil, err
|
||||||
}
|
// }
|
||||||
request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
//
|
||||||
return bytes.NewReader(payload), nil
|
// request.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
||||||
}
|
// return bytes.NewReader(payload), nil
|
||||||
|
// }
|
||||||
|
|
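Review bot: Passing `nil` as the body on the new `if _, err := signer.Sign(otherRequest, nil, sms1["service"], sms1["region"], signatureDateTime); err != nil` line means the recomputed signature no longer covers the payload: if the signer behaves as aws-sdk-go's SigV4 signer does, it takes the digest from the request's `X-Amz-Content-Sha256` header when present and otherwise hashes an empty body, so a body altered in transit still verifies as long as that header is carried over unchanged. `otherRequest` is built outside this hunk, so whether that header is copied cannot be confirmed here; the `// body not required` comment should state the consequence, e.g. `// body is not hashed here: the payload digest comes from X-Amz-Content-Sha256 and is not checked against the actual body`. The unchanged `if sms1["v4_signature"] != sms2["v4_signature"]` line compares the client-supplied and recomputed signatures with a plain string `!=`; `if subtle.ConstantTimeCompare([]byte(sms1["v4_signature"]), []byte(sms2["v4_signature"])) != 1 {` (importing `crypto/subtle`) keeps the comparison time independent of how many leading bytes match. The `prs` type with its panicking `Read`/`Seek`, the `panicSeeker` helper and the commented-out `readAndKeepBody` are unreferenced debug scaffolding; dropping them rather than carrying dead code in the authentication path would keep the file reviewable.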