You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
122 lines
3.7 KiB
122 lines
3.7 KiB
10 years ago
|
/*
|
||
10 years ago
|
* Minio Cloud Storage, (C) 2015 Minio, Inc.
|
||
10 years ago
|
*
|
||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
* you may not use this file except in compliance with the License.
|
||
|
* You may obtain a copy of the License at
|
||
|
*
|
||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
*
|
||
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
* See the License for the specific language governing permissions and
|
||
|
* limitations under the License.
|
||
|
*/
|
||
|
|
||
9 years ago
|
package main
|
||
10 years ago
|
|
||
|
import (
|
||
|
"errors"
|
||
|
"net/http"
|
||
|
"strings"
|
||
|
|
||
|
"github.com/minio/minio/pkg/auth"
|
||
|
"github.com/minio/minio/pkg/donut"
|
||
10 years ago
|
"github.com/minio/minio/pkg/probe"
|
||
10 years ago
|
)
|
||
|
|
||
|
const (
|
||
|
authHeaderPrefix = "AWS4-HMAC-SHA256"
|
||
9 years ago
|
iso8601Format = "20060102T150405Z"
|
||
|
yyyymmdd = "20060102"
|
||
10 years ago
|
)
|
||
|
|
||
9 years ago
|
// getCredentialsFromAuth parse credentials tag from authorization value
|
||
|
func getCredentialsFromAuth(authValue string) ([]string, *probe.Error) {
|
||
|
if authValue == "" {
|
||
|
return nil, probe.NewError(errMissingAuthHeaderValue)
|
||
10 years ago
|
}
|
||
9 years ago
|
authFields := strings.Split(strings.TrimSpace(authValue), ",")
|
||
10 years ago
|
if len(authFields) != 3 {
|
||
9 years ago
|
return nil, probe.NewError(errInvalidAuthHeaderValue)
|
||
10 years ago
|
}
|
||
|
authPrefixFields := strings.Fields(authFields[0])
|
||
|
if len(authPrefixFields) != 2 {
|
||
9 years ago
|
return nil, probe.NewError(errMissingFieldsAuthHeader)
|
||
10 years ago
|
}
|
||
|
if authPrefixFields[0] != authHeaderPrefix {
|
||
9 years ago
|
return nil, probe.NewError(errInvalidAuthHeaderPrefix)
|
||
10 years ago
|
}
|
||
10 years ago
|
credentials := strings.Split(strings.TrimSpace(authPrefixFields[1]), "=")
|
||
10 years ago
|
if len(credentials) != 2 {
|
||
9 years ago
|
return nil, probe.NewError(errMissingFieldsCredentialTag)
|
||
10 years ago
|
}
|
||
10 years ago
|
if len(strings.Split(strings.TrimSpace(authFields[1]), "=")) != 2 {
|
||
9 years ago
|
return nil, probe.NewError(errMissingFieldsSignedHeadersTag)
|
||
10 years ago
|
}
|
||
10 years ago
|
if len(strings.Split(strings.TrimSpace(authFields[2]), "=")) != 2 {
|
||
9 years ago
|
return nil, probe.NewError(errMissingFieldsSignatureTag)
|
||
10 years ago
|
}
|
||
9 years ago
|
credentialElements := strings.Split(strings.TrimSpace(credentials[1]), "/")
|
||
|
if len(credentialElements) != 5 {
|
||
|
return nil, probe.NewError(errCredentialTagMalformed)
|
||
|
}
|
||
|
return credentialElements, nil
|
||
|
}
|
||
|
|
||
|
// verify if authHeader value has valid region
|
||
|
func isValidRegion(authHeaderValue string) *probe.Error {
|
||
|
credentialElements, err := getCredentialsFromAuth(authHeaderValue)
|
||
|
if err != nil {
|
||
|
return err.Trace()
|
||
|
}
|
||
|
region := credentialElements[2]
|
||
|
if region != "milkyway" {
|
||
|
return probe.NewError(errInvalidRegion)
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// stripAccessKeyID - strip only access key id from auth header
|
||
|
func stripAccessKeyID(authHeaderValue string) (string, *probe.Error) {
|
||
|
if err := isValidRegion(authHeaderValue); err != nil {
|
||
|
return "", err.Trace()
|
||
|
}
|
||
|
credentialElements, err := getCredentialsFromAuth(authHeaderValue)
|
||
|
if err != nil {
|
||
|
return "", err.Trace()
|
||
|
}
|
||
|
accessKeyID := credentialElements[0]
|
||
10 years ago
|
if !auth.IsValidAccessKey(accessKeyID) {
|
||
9 years ago
|
return "", probe.NewError(errAccessKeyIDInvalid)
|
||
10 years ago
|
}
|
||
|
return accessKeyID, nil
|
||
|
}
|
||
|
|
||
9 years ago
|
// initSignatureV4 initializing signature verification
|
||
|
func initSignatureV4(req *http.Request) (*donut.Signature, *probe.Error) {
|
||
10 years ago
|
// strip auth from authorization header
|
||
9 years ago
|
authHeaderValue := req.Header.Get("Authorization")
|
||
|
accessKeyID, err := stripAccessKeyID(authHeaderValue)
|
||
|
if err != nil {
|
||
|
return nil, err.Trace()
|
||
10 years ago
|
}
|
||
|
authConfig, err := auth.LoadConfig()
|
||
10 years ago
|
if err != nil {
|
||
|
return nil, err.Trace()
|
||
|
}
|
||
9 years ago
|
for _, user := range authConfig.Users {
|
||
|
if user.AccessKeyID == accessKeyID {
|
||
|
signature := &donut.Signature{
|
||
|
AccessKeyID: user.AccessKeyID,
|
||
|
SecretAccessKey: user.SecretAccessKey,
|
||
9 years ago
|
AuthHeader: authHeaderValue,
|
||
9 years ago
|
Request: req,
|
||
|
}
|
||
|
return signature, nil
|
||
|
}
|
||
10 years ago
|
}
|
||
9 years ago
|
return nil, probe.NewError(errors.New("AccessKeyID not found"))
|
||
10 years ago
|
}
|