diff options
Diffstat (limited to 'weed/s3api/s3api_auth.go')
| -rw-r--r-- | weed/s3api/s3api_auth.go | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/weed/s3api/s3api_auth.go b/weed/s3api/s3api_auth.go new file mode 100644 index 000000000..f429ad28d --- /dev/null +++ b/weed/s3api/s3api_auth.go @@ -0,0 +1,90 @@ +package s3api + +import ( + "net/http" + "strings" +) + +// AWS Signature Version '4' constants. +const ( + signV4Algorithm = "AWS4-HMAC-SHA256" + signV2Algorithm = "AWS" +) + +// Verify if request has JWT. +func isRequestJWT(r *http.Request) bool { + return strings.HasPrefix(r.Header.Get("Authorization"), "Bearer") +} + +// Verify if request has AWS Signature Version '4'. +func isRequestSignatureV4(r *http.Request) bool { + return strings.HasPrefix(r.Header.Get("Authorization"), signV4Algorithm) +} + +// Verify if request has AWS Signature Version '2'. +func isRequestSignatureV2(r *http.Request) bool { + return (!strings.HasPrefix(r.Header.Get("Authorization"), signV4Algorithm) && + strings.HasPrefix(r.Header.Get("Authorization"), signV2Algorithm)) +} + +// Verify if request has AWS PreSign Version '4'. +func isRequestPresignedSignatureV4(r *http.Request) bool { + _, ok := r.URL.Query()["X-Amz-Credential"] + return ok +} + +// Verify request has AWS PreSign Version '2'. +func isRequestPresignedSignatureV2(r *http.Request) bool { + _, ok := r.URL.Query()["AWSAccessKeyId"] + return ok +} + +// Verify if request has AWS Post policy Signature Version '4'. +func isRequestPostPolicySignatureV4(r *http.Request) bool { + return strings.Contains(r.Header.Get("Content-Type"), "multipart/form-data") && + r.Method == http.MethodPost +} + +// Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation. +func isRequestSignStreamingV4(r *http.Request) bool { + return r.Header.Get("x-amz-content-sha256") == streamingContentSHA256 && + r.Method == http.MethodPut +} + +// Authorization type. +type authType int + +// List of all supported auth types. +const ( + authTypeUnknown authType = iota + authTypeAnonymous + authTypePresigned + authTypePresignedV2 + authTypePostPolicy + authTypeStreamingSigned + authTypeSigned + authTypeSignedV2 + authTypeJWT +) + +// Get request authentication type. +func getRequestAuthType(r *http.Request) authType { + if isRequestSignatureV2(r) { + return authTypeSignedV2 + } else if isRequestPresignedSignatureV2(r) { + return authTypePresignedV2 + } else if isRequestSignStreamingV4(r) { + return authTypeStreamingSigned + } else if isRequestSignatureV4(r) { + return authTypeSigned + } else if isRequestPresignedSignatureV4(r) { + return authTypePresigned + } else if isRequestJWT(r) { + return authTypeJWT + } else if isRequestPostPolicySignatureV4(r) { + return authTypePostPolicy + } else if _, ok := r.Header["Authorization"]; !ok { + return authTypeAnonymous + } + return authTypeUnknown +} |