1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
|
package s3api
import (
"fmt"
"net/http"
"strconv"
"strings"
"time"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
// S3MultipartIAMManager handles IAM integration for multipart upload operations
type S3MultipartIAMManager struct {
s3iam *S3IAMIntegration
}
// NewS3MultipartIAMManager creates a new multipart IAM manager
func NewS3MultipartIAMManager(s3iam *S3IAMIntegration) *S3MultipartIAMManager {
return &S3MultipartIAMManager{
s3iam: s3iam,
}
}
// MultipartUploadRequest represents a multipart upload request
type MultipartUploadRequest struct {
Bucket string `json:"bucket"` // S3 bucket name
ObjectKey string `json:"object_key"` // S3 object key
UploadID string `json:"upload_id"` // Multipart upload ID
PartNumber int `json:"part_number"` // Part number for upload part
Operation string `json:"operation"` // Multipart operation type
SessionToken string `json:"session_token"` // JWT session token
Headers map[string]string `json:"headers"` // Request headers
ContentSize int64 `json:"content_size"` // Content size for validation
}
// MultipartUploadPolicy represents security policies for multipart uploads
type MultipartUploadPolicy struct {
MaxPartSize int64 `json:"max_part_size"` // Maximum part size (5GB AWS limit)
MinPartSize int64 `json:"min_part_size"` // Minimum part size (5MB AWS limit, except last part)
MaxParts int `json:"max_parts"` // Maximum number of parts (10,000 AWS limit)
MaxUploadDuration time.Duration `json:"max_upload_duration"` // Maximum time to complete multipart upload
AllowedContentTypes []string `json:"allowed_content_types"` // Allowed content types
RequiredHeaders []string `json:"required_headers"` // Required headers for validation
IPWhitelist []string `json:"ip_whitelist"` // Allowed IP addresses/ranges
}
// MultipartOperation represents different multipart upload operations
type MultipartOperation string
const (
MultipartOpInitiate MultipartOperation = "initiate"
MultipartOpUploadPart MultipartOperation = "upload_part"
MultipartOpComplete MultipartOperation = "complete"
MultipartOpAbort MultipartOperation = "abort"
MultipartOpList MultipartOperation = "list"
MultipartOpListParts MultipartOperation = "list_parts"
)
// ValidateMultipartOperationWithIAM validates multipart operations using IAM policies
func (iam *IdentityAccessManagement) ValidateMultipartOperationWithIAM(r *http.Request, identity *Identity, operation MultipartOperation) s3err.ErrorCode {
if iam.iamIntegration == nil {
// Fall back to standard validation
return s3err.ErrNone
}
// Extract bucket and object from request
bucket, object := s3_constants.GetBucketAndObject(r)
// Determine the S3 action based on multipart operation
action := determineMultipartS3Action(operation)
// Extract session token from request
sessionToken := extractSessionTokenFromRequest(r)
if sessionToken == "" {
// No session token - use standard auth
return s3err.ErrNone
}
// Retrieve the actual principal ARN from the request header
// This header is set during initial authentication and contains the correct assumed role ARN
principalArn := r.Header.Get("X-SeaweedFS-Principal")
if principalArn == "" {
glog.V(2).Info("IAM authorization for multipart operation failed: missing principal ARN in request header")
return s3err.ErrAccessDenied
}
// Create IAM identity for authorization
iamIdentity := &IAMIdentity{
Name: identity.Name,
Principal: principalArn,
SessionToken: sessionToken,
Account: identity.Account,
}
// Authorize using IAM
ctx := r.Context()
errCode := iam.iamIntegration.AuthorizeAction(ctx, iamIdentity, action, bucket, object, r)
if errCode != s3err.ErrNone {
glog.V(3).Infof("IAM authorization failed for multipart operation: principal=%s operation=%s action=%s bucket=%s object=%s",
iamIdentity.Principal, operation, action, bucket, object)
return errCode
}
glog.V(3).Infof("IAM authorization succeeded for multipart operation: principal=%s operation=%s action=%s bucket=%s object=%s",
iamIdentity.Principal, operation, action, bucket, object)
return s3err.ErrNone
}
// ValidateMultipartRequestWithPolicy validates multipart request against security policy
func (policy *MultipartUploadPolicy) ValidateMultipartRequestWithPolicy(req *MultipartUploadRequest) error {
if req == nil {
return fmt.Errorf("multipart request cannot be nil")
}
// Validate part size for upload part operations
if req.Operation == string(MultipartOpUploadPart) {
if req.ContentSize > policy.MaxPartSize {
return fmt.Errorf("part size %d exceeds maximum allowed %d", req.ContentSize, policy.MaxPartSize)
}
// Minimum part size validation (except for last part)
// Note: Last part validation would require knowing if this is the final part
if req.ContentSize < policy.MinPartSize && req.ContentSize > 0 {
glog.V(2).Infof("Part size %d is below minimum %d - assuming last part", req.ContentSize, policy.MinPartSize)
}
// Validate part number
if req.PartNumber < 1 || req.PartNumber > policy.MaxParts {
return fmt.Errorf("part number %d is invalid (must be 1-%d)", req.PartNumber, policy.MaxParts)
}
}
// Validate required headers first
if req.Headers != nil {
for _, requiredHeader := range policy.RequiredHeaders {
if _, exists := req.Headers[requiredHeader]; !exists {
// Check lowercase version
if _, exists := req.Headers[strings.ToLower(requiredHeader)]; !exists {
return fmt.Errorf("required header %s is missing", requiredHeader)
}
}
}
}
// Validate content type if specified
if len(policy.AllowedContentTypes) > 0 && req.Headers != nil {
contentType := req.Headers["Content-Type"]
if contentType == "" {
contentType = req.Headers["content-type"]
}
allowed := false
for _, allowedType := range policy.AllowedContentTypes {
if contentType == allowedType {
allowed = true
break
}
}
if !allowed {
return fmt.Errorf("content type %s is not allowed", contentType)
}
}
return nil
}
// Enhanced multipart handlers with IAM integration
// NewMultipartUploadWithIAM handles initiate multipart upload with IAM validation
func (s3a *S3ApiServer) NewMultipartUploadWithIAM(w http.ResponseWriter, r *http.Request) {
// Validate IAM permissions first
if s3a.iam.iamIntegration != nil {
if identity, errCode := s3a.iam.authRequest(r, s3_constants.ACTION_WRITE); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
} else {
// Additional multipart-specific IAM validation
if errCode := s3a.iam.ValidateMultipartOperationWithIAM(r, identity, MultipartOpInitiate); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
}
}
// Delegate to existing handler
s3a.NewMultipartUploadHandler(w, r)
}
// CompleteMultipartUploadWithIAM handles complete multipart upload with IAM validation
func (s3a *S3ApiServer) CompleteMultipartUploadWithIAM(w http.ResponseWriter, r *http.Request) {
// Validate IAM permissions first
if s3a.iam.iamIntegration != nil {
if identity, errCode := s3a.iam.authRequest(r, s3_constants.ACTION_WRITE); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
} else {
// Additional multipart-specific IAM validation
if errCode := s3a.iam.ValidateMultipartOperationWithIAM(r, identity, MultipartOpComplete); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
}
}
// Delegate to existing handler
s3a.CompleteMultipartUploadHandler(w, r)
}
// AbortMultipartUploadWithIAM handles abort multipart upload with IAM validation
func (s3a *S3ApiServer) AbortMultipartUploadWithIAM(w http.ResponseWriter, r *http.Request) {
// Validate IAM permissions first
if s3a.iam.iamIntegration != nil {
if identity, errCode := s3a.iam.authRequest(r, s3_constants.ACTION_WRITE); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
} else {
// Additional multipart-specific IAM validation
if errCode := s3a.iam.ValidateMultipartOperationWithIAM(r, identity, MultipartOpAbort); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
}
}
// Delegate to existing handler
s3a.AbortMultipartUploadHandler(w, r)
}
// ListMultipartUploadsWithIAM handles list multipart uploads with IAM validation
func (s3a *S3ApiServer) ListMultipartUploadsWithIAM(w http.ResponseWriter, r *http.Request) {
// Validate IAM permissions first
if s3a.iam.iamIntegration != nil {
if identity, errCode := s3a.iam.authRequest(r, s3_constants.ACTION_LIST); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
} else {
// Additional multipart-specific IAM validation
if errCode := s3a.iam.ValidateMultipartOperationWithIAM(r, identity, MultipartOpList); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
}
}
// Delegate to existing handler
s3a.ListMultipartUploadsHandler(w, r)
}
// UploadPartWithIAM handles upload part with IAM validation
func (s3a *S3ApiServer) UploadPartWithIAM(w http.ResponseWriter, r *http.Request) {
// Validate IAM permissions first
if s3a.iam.iamIntegration != nil {
if identity, errCode := s3a.iam.authRequest(r, s3_constants.ACTION_WRITE); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
} else {
// Additional multipart-specific IAM validation
if errCode := s3a.iam.ValidateMultipartOperationWithIAM(r, identity, MultipartOpUploadPart); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
return
}
// Validate part size and other policies
if err := s3a.validateUploadPartRequest(r); err != nil {
glog.Errorf("Upload part validation failed: %v", err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
}
}
// Delegate to existing object PUT handler (which handles upload part)
s3a.PutObjectHandler(w, r)
}
// Helper functions
// determineMultipartS3Action maps multipart operations to granular S3 actions
// This enables fine-grained IAM policies for multipart upload operations
func determineMultipartS3Action(operation MultipartOperation) Action {
switch operation {
case MultipartOpInitiate:
return s3_constants.ACTION_CREATE_MULTIPART_UPLOAD
case MultipartOpUploadPart:
return s3_constants.ACTION_UPLOAD_PART
case MultipartOpComplete:
return s3_constants.ACTION_COMPLETE_MULTIPART
case MultipartOpAbort:
return s3_constants.ACTION_ABORT_MULTIPART
case MultipartOpList:
return s3_constants.ACTION_LIST_MULTIPART_UPLOADS
case MultipartOpListParts:
return s3_constants.ACTION_LIST_PARTS
default:
// Fail closed for unmapped operations to prevent unintended access
glog.Errorf("unmapped multipart operation: %s", operation)
return "s3:InternalErrorUnknownMultipartAction" // Non-existent action ensures denial
}
}
// extractSessionTokenFromRequest extracts session token from various request sources
func extractSessionTokenFromRequest(r *http.Request) string {
// Check Authorization header for Bearer token
if authHeader := r.Header.Get("Authorization"); authHeader != "" {
if strings.HasPrefix(authHeader, "Bearer ") {
return strings.TrimPrefix(authHeader, "Bearer ")
}
}
// Check X-Amz-Security-Token header
if token := r.Header.Get("X-Amz-Security-Token"); token != "" {
return token
}
// Check query parameters for presigned URL tokens
if token := r.URL.Query().Get("X-Amz-Security-Token"); token != "" {
return token
}
return ""
}
// validateUploadPartRequest validates upload part request against policies
func (s3a *S3ApiServer) validateUploadPartRequest(r *http.Request) error {
// Get default multipart policy
policy := DefaultMultipartUploadPolicy()
// Extract part number from query
partNumberStr := r.URL.Query().Get("partNumber")
if partNumberStr == "" {
return fmt.Errorf("missing partNumber parameter")
}
partNumber, err := strconv.Atoi(partNumberStr)
if err != nil {
return fmt.Errorf("invalid partNumber: %v", err)
}
// Get content length
contentLength := r.ContentLength
if contentLength < 0 {
contentLength = 0
}
// Create multipart request for validation
bucket, object := s3_constants.GetBucketAndObject(r)
multipartReq := &MultipartUploadRequest{
Bucket: bucket,
ObjectKey: object,
PartNumber: partNumber,
Operation: string(MultipartOpUploadPart),
ContentSize: contentLength,
Headers: make(map[string]string),
}
// Copy relevant headers
for key, values := range r.Header {
if len(values) > 0 {
multipartReq.Headers[key] = values[0]
}
}
// Validate against policy
return policy.ValidateMultipartRequestWithPolicy(multipartReq)
}
// DefaultMultipartUploadPolicy returns a default multipart upload security policy
func DefaultMultipartUploadPolicy() *MultipartUploadPolicy {
return &MultipartUploadPolicy{
MaxPartSize: 5 * 1024 * 1024 * 1024, // 5GB AWS limit
MinPartSize: 5 * 1024 * 1024, // 5MB AWS minimum (except last part)
MaxParts: 10000, // AWS limit
MaxUploadDuration: 7 * 24 * time.Hour, // 7 days to complete upload
AllowedContentTypes: []string{}, // Empty means all types allowed
RequiredHeaders: []string{}, // No required headers by default
IPWhitelist: []string{}, // Empty means no IP restrictions
}
}
// MultipartUploadSession represents an ongoing multipart upload session
type MultipartUploadSession struct {
UploadID string `json:"upload_id"`
Bucket string `json:"bucket"`
ObjectKey string `json:"object_key"`
Initiator string `json:"initiator"` // User who initiated the upload
Owner string `json:"owner"` // Object owner
CreatedAt time.Time `json:"created_at"` // When upload was initiated
Parts []MultipartUploadPart `json:"parts"` // Uploaded parts
Metadata map[string]string `json:"metadata"` // Object metadata
Policy *MultipartUploadPolicy `json:"policy"` // Applied security policy
SessionToken string `json:"session_token"` // IAM session token
}
// MultipartUploadPart represents an uploaded part
type MultipartUploadPart struct {
PartNumber int `json:"part_number"`
Size int64 `json:"size"`
ETag string `json:"etag"`
LastModified time.Time `json:"last_modified"`
Checksum string `json:"checksum"` // Optional integrity checksum
}
// GetMultipartUploadSessions retrieves active multipart upload sessions for a bucket
func (s3a *S3ApiServer) GetMultipartUploadSessions(bucket string) ([]*MultipartUploadSession, error) {
// This would typically query the filer for active multipart uploads
// For now, return empty list as this is a placeholder for the full implementation
return []*MultipartUploadSession{}, nil
}
// CleanupExpiredMultipartUploads removes expired multipart upload sessions
func (s3a *S3ApiServer) CleanupExpiredMultipartUploads(maxAge time.Duration) error {
// This would typically scan for and remove expired multipart uploads
// Implementation would depend on how multipart sessions are stored in the filer
glog.V(2).Infof("Cleanup expired multipart uploads older than %v", maxAge)
return nil
}
|
