

3 Commits

Author SHA1 Message Date
jonaustin09
82cc95e9b9 feat: Added audit logging option with kafka 2023-07-12 19:00:42 +04:00
jonaustin09
bdf6e93510 fix: Fixed statickchecker error 2023-07-10 21:36:16 +04:00
jonaustin09
8f81f4aa3d feat: Set up audit logging basic structure, set up webhook logger, bug fix in DeleteObject poisix function 2023-07-10 21:31:41 +04:00
17 changed files with 744 additions and 160 deletions


@@ -921,7 +921,7 @@ func (p *Posix) DeleteObject(bucket, object string) error {
return fmt.Errorf("stat bucket: %w", err)
}
os.Remove(filepath.Join(bucket, object))
err = os.Remove(filepath.Join(bucket, object))
if errors.Is(err, fs.ErrNotExist) {
return s3err.GetAPIError(s3err.ErrNoSuchKey)
}
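Review bot: The new `err = os.Remove(filepath.Join(bucket, object))` is only tested for `fs.ErrNotExist`; any other removal failure (permission denied, a directory where an object was expected) falls through unless it is handled further down, which is outside the hunk. If the following lines do not already return it, add `if err != nil { return fmt.Errorf("remove object: %w", err) }` directly after the ErrNoSuchKey check so the caller does not receive a success for an object that is still on disk. DeleteObject's body continues outside the hunk.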


@@ -27,6 +27,7 @@ import (
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3api"
"github.com/versity/versitygw/s3api/middlewares"
"github.com/versity/versitygw/s3log"
)
var (
@@ -35,6 +36,10 @@ var (
rootUserSecret string
region string
certFile, keyFile string
webhookLoggerURL string
kafkaLoggerURL string
kafkaMessageTopic string
kafkaMessageKey string
debug bool
)
@@ -141,10 +146,34 @@ func initFlags() []cli.Flag {
Usage: "enable debug output",
Destination: &debug,
},
&cli.StringFlag{
Name: "webhook-logger-url",
Usage: "Webhook logger url to send audit logs",
Destination: &webhookLoggerURL,
Aliases: []string{"wlu"},
},
&cli.StringFlag{
Name: "kafka-logger-url",
Usage: "Kafka server url to send audit logs",
Destination: &kafkaLoggerURL,
Aliases: []string{"klu"},
},
&cli.StringFlag{
Name: "kafka-message-topic",
Usage: "Kafka server message topic to send the logs",
Destination: &kafkaMessageTopic,
Aliases: []string{"kmt"},
},
&cli.StringFlag{
Name: "kafka-message-key",
Usage: "Kafka server message topic key for partitioning",
Destination: &kafkaMessageKey,
Aliases: []string{"kmk"},
},
}
}
func runGateway(ctx *cli.Context, be backend.Backend, s auth.Storer) error {
func runGateway(ctx *cli.Context, be backend.Backend, s auth.Storer, storageSystem string) error {
app := fiber.New(fiber.Config{
AppName: "versitygw",
ServerHeader: "VERSITYGW",
@@ -182,10 +211,21 @@ func runGateway(ctx *cli.Context, be backend.Backend, s auth.Storer) error {
return fmt.Errorf("setup internal iam service: %w", err)
}
logger, err := s3log.InitLogger(&s3log.LogConfig{
StorageSystem: storageSystem,
WebhookURL: webhookLoggerURL,
KafkaURL: kafkaLoggerURL,
KafkaTopic: kafkaMessageTopic,
KafkaTopicKey: kafkaMessageKey,
})
if err != nil {
return fmt.Errorf("setup logger: %w", err)
}
srv, err := s3api.New(app, be, middlewares.RootUserConfig{
Access: rootUserAccess,
Secret: rootUserSecret,
}, port, region, iam, opts...)
}, port, region, iam, logger, opts...)
if err != nil {
return fmt.Errorf("init gateway: %v", err)
}
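Review bot: The four new audit-log flags are accepted independently, so a `--kafka-logger-url` without `--kafka-message-topic` (or a topic without a URL) reaches `s3log.InitLogger` unvalidated; unless InitLogger rejects that combination itself, add a guard before the call, e.g. `if kafkaLoggerURL != "" && kafkaMessageTopic == "" { return fmt.Errorf("kafka-logger-url requires kafka-message-topic") }`. It is also worth confirming what InitLogger returns when no destination is configured, since `logger` is passed straight into `s3api.New` and presumably on to every handler that builds a LogOptions. Nothing in this section stops or flushes the logger when the gateway exits, so buffered Kafka or webhook deliveries may be dropped on shutdown; if the s3log.Logger interface exposes a shutdown method, defer it right after the error check. runGateway's body continues outside the hunk.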


@@ -49,5 +49,5 @@ func runPosix(ctx *cli.Context) error {
return fmt.Errorf("init posix: %v", err)
}
return runGateway(ctx, be, be)
return runGateway(ctx, be, be, "Posix")
}
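Review bot: `"Posix"` on the new runGateway call is a bare string literal that has to match whatever s3log compares or records for the storage system, and the scoutfs command in the next section passes `"ScoutFS"` the same way, so a typo in either would compile cleanly and only show up in the audit records. Prefer named constants for the two storage-system labels (for example a `const storagePosix = "Posix"` next to the backend setup, or exported constants alongside `s3log.LogConfig`) and pass those from both commands. The same applies to the runScoutfs hunk below.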


@@ -69,5 +69,5 @@ func runScoutfs(ctx *cli.Context) error {
return fmt.Errorf("init scoutfs: %v", err)
}
return runGateway(ctx, be, be)
return runGateway(ctx, be, be, "ScoutFS")
}

go.mod

@@ -3,6 +3,7 @@ module github.com/versity/versitygw
go 1.20
require (
github.com/Shopify/sarama v1.38.1
github.com/aws/aws-sdk-go-v2 v1.18.1
github.com/aws/aws-sdk-go-v2/service/s3 v1.36.0
github.com/aws/smithy-go v1.13.5
@@ -21,7 +22,24 @@ require (
github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/eapache/go-resiliency v1.3.0 // indirect
github.com/eapache/go-xerial-snappy v0.0.0-20230111030713-bf00bc1b83b6 // indirect
github.com/eapache/queue v1.1.0 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/hashicorp/errwrap v1.0.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
github.com/jcmturner/gofork v1.7.6 // indirect
github.com/jcmturner/gokrb5/v8 v8.4.3 // indirect
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/pierrec/lz4/v4 v4.1.17 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
golang.org/x/crypto v0.7.0 // indirect
golang.org/x/net v0.8.0 // indirect
)
require (

go.sum

@@ -1,3 +1,6 @@
github.com/Shopify/sarama v1.38.1 h1:lqqPUPQZ7zPqYlWpTh+LQ9bhYNu2xJL6k1SJN4WVe2A=
github.com/Shopify/sarama v1.38.1/go.mod h1:iwv9a67Ha8VNa+TifujYoWGxWnu2kNVAQdSdZ4X2o5g=
github.com/Shopify/toxiproxy/v2 v2.5.0 h1:i4LPT+qrSlKNtQf5QliVjdP08GyAH8+BUIc9gT0eahc=
github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo=
@@ -40,14 +43,45 @@ github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/eapache/go-resiliency v1.3.0 h1:RRL0nge+cWGlxXbUzJ7yMcq6w2XBEr19dCN6HECGaT0=
github.com/eapache/go-resiliency v1.3.0/go.mod h1:5yPzW0MIvSe0JDsv0v+DvcjEv2FyD6iZYSs1ZI+iQho=
github.com/eapache/go-xerial-snappy v0.0.0-20230111030713-bf00bc1b83b6 h1:8yY/I9ndfrgrXUbOGObLHKBR4Fl3nZXwM2c7OYTT8hM=
github.com/eapache/go-xerial-snappy v0.0.0-20230111030713-bf00bc1b83b6/go.mod h1:YvSRo5mw33fLEx1+DlK6L2VV43tJt5Eyel9n9XBcR+0=
github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc=
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
github.com/gofiber/fiber/v2 v2.47.0 h1:EN5lHVCc+Pyqh5OEsk8fzRiifgwpbrP0rulQ4iNf3fs=
github.com/gofiber/fiber/v2 v2.47.0/go.mod h1:mbFMVN1lQuzziTkkakgtKKdjfsXSw9BKR5lmcNksUoU=
github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
github.com/jcmturner/gokrb5/v8 v8.4.3 h1:iTonLeSJOn7MVUtyMT+arAn5AKAPrkilzhGw8wE/Tq8=
github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -64,10 +98,14 @@ github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
github.com/philhofer/fwd v1.1.1/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0=
github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -79,6 +117,11 @@ github.com/savsgio/gotils v0.0.0-20220530130905-52f3993e8d6d/go.mod h1:Gy+0tqhJv
github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee h1:8Iv5m6xEo1NR1AvpV+7XmhI4r39LGNzwUL4YpMuL5vk=
github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee/go.mod h1:qwtSXrKuJh/zsFQ12yEE89xfCrGKK63Rr7ctU/uCo4g=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/tinylib/msgp v1.1.6/go.mod h1:75BAfg2hauQhs3qedfdDZmWAPcFMAvJE5b9rGOMufyw=
github.com/tinylib/msgp v1.1.8 h1:FCXC1xanKO4I8plpHGH2P7koL/RzZs12l/+r7vakfm0=
github.com/tinylib/msgp v1.1.8/go.mod h1:qkpG+2ldGg4xRFmx+jfTvZPxfGFhi64BcnL9vkCm/Tw=
@@ -100,23 +143,33 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM=
golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -131,6 +184,7 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -142,5 +196,9 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=


@@ -17,7 +17,6 @@ package controllers
import (
"bytes"
"encoding/xml"
"errors"
"fmt"
"io"
"log"
@@ -33,25 +32,27 @@ import (
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3api/utils"
"github.com/versity/versitygw/s3err"
"github.com/versity/versitygw/s3log"
"github.com/versity/versitygw/s3response"
)
type S3ApiController struct {
be backend.Backend
iam auth.IAMService
be backend.Backend
iam auth.IAMService
logger s3log.Logger
}
func New(be backend.Backend, iam auth.IAMService) S3ApiController {
return S3ApiController{be: be, iam: iam}
func New(be backend.Backend, iam auth.IAMService, logger s3log.Logger) S3ApiController {
return S3ApiController{be: be, iam: iam, logger: logger}
}
func (c S3ApiController) ListBuckets(ctx *fiber.Ctx) error {
access, isRoot := ctx.Locals("access").(string), ctx.Locals("isRoot").(bool)
if err := auth.IsAdmin(access, isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "ListBucket"})
}
res, err := c.be.ListBuckets()
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "ListBucket"})
}
func (c S3ApiController) GetActions(ctx *fiber.Ctx) error {
@@ -70,22 +71,22 @@ func (c S3ApiController) GetActions(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger})
}
if ctx.Request().URI().QueryArgs().Has("tagging") {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "GetObjectTagging", Bucket: &bucket, Object: &key})
}
tags, err := c.be.GetTags(bucket, key)
if err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "GetObjectTagging", Bucket: &bucket, Object: &key})
}
resp := s3response.Tagging{TagSet: s3response.TagSet{Tags: []s3response.Tag{}}}
@@ -93,52 +94,62 @@ func (c S3ApiController) GetActions(ctx *fiber.Ctx) error {
resp.TagSet.Tags = append(resp.TagSet.Tags, s3response.Tag{Key: key, Value: val})
}
return SendXMLResponse(ctx, resp, nil)
return SendXMLResponse(ctx, resp, nil, LogOptions{Logger: c.logger, Action: "GetObjectTagging", Bucket: &bucket, Object: &key})
}
if uploadId != "" {
if maxParts < 0 || (maxParts == 0 && ctx.Query("max-parts") != "") {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidMaxParts))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidMaxParts), LogOptions{
Logger: c.logger,
Action: "ListObjectParts",
Bucket: &bucket,
Object: &key,
})
}
if partNumberMarker < 0 || (partNumberMarker == 0 && ctx.Query("part-number-marker") != "") {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidPartNumberMarker), LogOptions{
Logger: c.logger,
Action: "ListObjectParts",
Bucket: &bucket,
Object: &key,
})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "ListObjectParts", Bucket: &bucket, Object: &key})
}
res, err := c.be.ListObjectParts(bucket, key, uploadId, partNumberMarker, maxParts)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "ListObjectParts", Bucket: &bucket, Object: &key})
}
if ctx.Request().URI().QueryArgs().Has("acl") {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ_ACP", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "GetObjectAcl", Bucket: &bucket, Object: &key})
}
res, err := c.be.GetObjectAcl(bucket, key)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "GetObjectAcl", Bucket: &bucket, Object: &key})
}
if attrs := ctx.Get("X-Amz-Object-Attributes"); attrs != "" {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "GetObjectAttributes", Bucket: &bucket, Object: &key})
}
res, err := c.be.GetObjectAttributes(bucket, key, strings.Split(attrs, ","))
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "GetObjectAttributes", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ_ACP", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key, Action: "GetObject"})
}
ctx.Locals("logResBody", false)
res, err := c.be.GetObject(bucket, key, acceptRange, ctx.Response().BodyWriter())
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key, Action: "GetObject"})
}
if res == nil {
return SendResponse(ctx, fmt.Errorf("get object nil response"))
return SendResponse(ctx, fmt.Errorf("get object nil response"), LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key, Action: "GetObject"})
}
utils.SetMetaHeaders(ctx, res.Metadata)
@@ -172,7 +183,7 @@ func (c S3ApiController) GetActions(ctx *fiber.Ctx) error {
Value: string(res.StorageClass),
},
})
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key, Action: "GetObject"})
}
func getstring(s *string) string {
@@ -193,45 +204,45 @@ func (c S3ApiController) ListActions(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger})
}
if ctx.Request().URI().QueryArgs().Has("acl") {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ_ACP", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "GetBucketAcl", Bucket: &bucket})
}
res, err := auth.ParseACLOutput(data)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "GetBucketAcl", Bucket: &bucket})
}
if ctx.Request().URI().QueryArgs().Has("uploads") {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "ListMultipartUploads", Bucket: &bucket})
}
res, err := c.be.ListMultipartUploads(&s3.ListMultipartUploadsInput{Bucket: aws.String(ctx.Params("bucket"))})
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "ListMultipartUploads", Bucket: &bucket})
}
if ctx.QueryInt("list-type") == 2 {
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "ListObjectsV2", Bucket: &bucket})
}
res, err := c.be.ListObjectsV2(bucket, prefix, marker, delimiter, maxkeys)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "ListObjectsV2", Bucket: &bucket})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "ListObjects", Bucket: &bucket})
}
res, err := c.be.ListObjects(bucket, prefix, marker, delimiter, maxkeys)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "ListObjects", Bucket: &bucket})
}
func (c S3ApiController) PutBucketActions(ctx *fiber.Ctx) error {
@@ -254,13 +265,13 @@ func (c S3ApiController) PutBucketActions(ctx *fiber.Ctx) error {
if len(ctx.Body()) > 0 {
if grants+acl != "" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
var accessControlPolicy auth.AccessControlPolicy
err := xml.Unmarshal(ctx.Body(), &accessControlPolicy)
if err != nil {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
input = &s3.PutBucketAclInput{
@@ -271,10 +282,10 @@ func (c S3ApiController) PutBucketActions(ctx *fiber.Ctx) error {
}
if acl != "" {
if acl != "private" && acl != "public-read" && acl != "public-read-write" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
if len(ctx.Body()) > 0 || grants != "" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
input = &s3.PutBucketAclInput{
@@ -298,29 +309,29 @@ func (c S3ApiController) PutBucketActions(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE_ACP", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
updAcl, err := auth.UpdateACL(input, parsedAcl, c.iam)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
err = c.be.PutBucketAcl(bucket, updAcl)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucketAcl", Bucket: &bucket})
}
err := c.be.PutBucket(bucket, access)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutBucket", Bucket: &bucket})
}
func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
@@ -361,30 +372,21 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
keyStart = keyStart + "/"
}
var contentLength int64
if contentLengthStr != "" {
var err error
contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
if err != nil {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest))
}
}
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &keyStart})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger})
}
if ctx.Request().URI().QueryArgs().Has("tagging") {
var objTagging s3response.Tagging
err := xml.Unmarshal(ctx.Body(), &objTagging)
if err != nil {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectTagging", Bucket: &bucket, Object: &keyStart})
}
tags := make(map[string]string, len(objTagging.TagSet.Tags))
@@ -394,18 +396,18 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObjectTagging", Bucket: &bucket, Object: &keyStart})
}
err = c.be.SetTags(bucket, keyStart, tags)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObjectTagging", Bucket: &bucket, Object: &keyStart})
}
if ctx.Request().URI().QueryArgs().Has("uploadId") && ctx.Request().URI().QueryArgs().Has("partNumber") && copySource != "" {
partNumber := ctx.QueryInt("partNumber", -1)
if partNumber < 1 || partNumber > 10000 {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidPart))
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidPart), LogOptions{Logger: c.logger, Action: "UploadPartCopy", Bucket: &bucket, Object: &keyStart})
}
resp, err := c.be.UploadPartCopy(&s3.UploadPartCopyInput{
@@ -417,17 +419,22 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
ExpectedBucketOwner: &bucketOwner,
CopySourceRange: &copySrcRange,
})
return SendXMLResponse(ctx, resp, err)
return SendXMLResponse(ctx, resp, err, LogOptions{Logger: c.logger, Action: "UploadPartCopy", Bucket: &bucket, Object: &keyStart})
}
if ctx.Request().URI().QueryArgs().Has("uploadId") && ctx.Request().URI().QueryArgs().Has("partNumber") {
partNumber := ctx.QueryInt("partNumber", -1)
if partNumber < 1 || partNumber > 10000 {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidPart))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidPart), LogOptions{Logger: c.logger, Action: "PutObjectPart", Bucket: &bucket, Object: &keyStart})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObjectPart", Bucket: &bucket, Object: &keyStart})
}
contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
if err != nil {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectPart", Bucket: &bucket, Object: &keyStart})
}
body := io.ReadSeeker(bytes.NewReader([]byte(ctx.Body())))
@@ -435,7 +442,7 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
etag, err := c.be.PutObjectPart(bucket, keyStart, uploadId,
partNumber, contentLength, body)
ctx.Response().Header.Set("Etag", etag)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObjectPart", Bucket: &bucket, Object: &keyStart})
}
if ctx.Request().URI().QueryArgs().Has("acl") {
@@ -443,13 +450,13 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
if len(ctx.Body()) > 0 {
if grants+acl != "" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectAcl", Bucket: &bucket, Object: &keyStart})
}
var accessControlPolicy auth.AccessControlPolicy
err := xml.Unmarshal(ctx.Body(), &accessControlPolicy)
if err != nil {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectAcl", Bucket: &bucket, Object: &keyStart})
}
input = &s3.PutObjectAclInput{
@@ -461,10 +468,10 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
}
if acl != "" {
if acl != "private" && acl != "public-read" && acl != "public-read-write" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectAcl", Bucket: &bucket, Object: &keyStart})
}
if len(ctx.Body()) > 0 || grants != "" {
return SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObjectAcl", Bucket: &bucket, Object: &keyStart})
}
input = &s3.PutObjectAclInput{
@@ -489,7 +496,7 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
}
err = c.be.PutObjectAcl(input)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObjectAcl", Bucket: &bucket, Object: &keyStart})
}
if copySource != "" {
@@ -499,17 +506,22 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
srcBucket, srcObject := copySourceSplit[0], copySourceSplit[1:]
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "CopyObject", Bucket: &bucket, Object: &keyStart})
}
res, err := c.be.CopyObject(srcBucket, strings.Join(srcObject, "/"), bucket, keyStart)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "CopyObject", Bucket: &bucket, Object: &keyStart})
}
metadata := utils.GetUserMetaData(&ctx.Request().Header)
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObject", Bucket: &bucket, Object: &keyStart})
}
contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
if err != nil {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "PutObject", Bucket: &bucket, Object: &keyStart})
}
ctx.Locals("logReqBody", false)
@@ -521,7 +533,7 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
Body: bytes.NewReader(ctx.Request().Body()),
})
ctx.Response().Header.Set("ETag", etag)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "PutObject", Bucket: &bucket, Object: &keyStart})
}
func (c S3ApiController) DeleteBucket(ctx *fiber.Ctx) error {
@@ -529,20 +541,20 @@ func (c S3ApiController) DeleteBucket(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteBucket", Bucket: &bucket})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteBucket", Bucket: &bucket})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteBucket", Bucket: &bucket})
}
err = c.be.DeleteBucket(bucket)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteBucket", Bucket: &bucket})
}
func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) error {
@@ -550,25 +562,25 @@ func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) error {
var dObj types.Delete
if err := xml.Unmarshal(ctx.Body(), &dObj); err != nil {
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest))
return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), LogOptions{Logger: c.logger, Action: "DeleteObjects", Bucket: &bucket})
}
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObjects", Bucket: &bucket})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObjects", Bucket: &bucket})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObjects", Bucket: &bucket})
}
err = c.be.DeleteObjects(bucket, &s3.DeleteObjectsInput{Delete: &dObj})
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObjects", Bucket: &bucket})
}
func (c S3ApiController) DeleteActions(ctx *fiber.Ctx) error {
@@ -585,28 +597,28 @@ func (c S3ApiController) DeleteActions(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key})
}
if ctx.Request().URI().QueryArgs().Has("tagging") {
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "RemoveObjectTagging", Bucket: &bucket, Object: &key})
}
err = c.be.RemoveTags(bucket, key)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "RemoveObjectTagging", Bucket: &bucket, Object: &key})
}
if uploadId != "" {
expectedBucketOwner, requestPayer := ctx.Get("X-Amz-Expected-Bucket-Owner"), ctx.Get("X-Amz-Request-Payer")
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "AbortMultipartUpload", Bucket: &bucket, Object: &key})
}
err := c.be.AbortMultipartUpload(&s3.AbortMultipartUploadInput{
@@ -616,15 +628,15 @@ func (c S3ApiController) DeleteActions(ctx *fiber.Ctx) error {
ExpectedBucketOwner: &expectedBucketOwner,
RequestPayer: types.RequestPayer(requestPayer),
})
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "AbortMultipartUpload", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObject", Bucket: &bucket, Object: &key})
}
err = c.be.DeleteObject(bucket, key)
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "DeleteObject", Bucket: &bucket, Object: &key})
}
func (c S3ApiController) HeadBucket(ctx *fiber.Ctx) error {
@@ -632,21 +644,21 @@ func (c S3ApiController) HeadBucket(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadBucket", Bucket: &bucket})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadBucket", Bucket: &bucket})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadBucket", Bucket: &bucket})
}
_, err = c.be.HeadBucket(bucket)
// TODO: set bucket response headers
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadBucket", Bucket: &bucket})
}
const (
@@ -663,24 +675,24 @@ func (c S3ApiController) HeadObject(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "READ", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
res, err := c.be.HeadObject(bucket, key)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
if res == nil {
return SendResponse(ctx, fmt.Errorf("head object nil response"))
return SendResponse(ctx, fmt.Errorf("head object nil response"), LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
utils.SetMetaHeaders(ctx, res.Metadata)
@@ -719,7 +731,7 @@ func (c S3ApiController) HeadObject(ctx *fiber.Ctx) error {
},
})
return SendResponse(ctx, nil)
return SendResponse(ctx, nil, LogOptions{Logger: c.logger, Action: "HeadObject", Bucket: &bucket, Object: &key})
}
func (c S3ApiController) CreateActions(ctx *fiber.Ctx) error {
@@ -736,27 +748,27 @@ func (c S3ApiController) CreateActions(ctx *fiber.Ctx) error {
data, err := c.be.GetBucketAcl(bucket)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key})
}
parsedAcl, err := auth.ParseACL(data)
if err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Bucket: &bucket, Object: &key})
}
var restoreRequest s3.RestoreObjectInput
if ctx.Request().URI().QueryArgs().Has("restore") {
xmlErr := xml.Unmarshal(ctx.Body(), &restoreRequest)
if xmlErr != nil {
return errors.New("wrong api call")
err := xml.Unmarshal(ctx.Body(), &restoreRequest)
if err != nil {
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "RestoreObject", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendResponse(ctx, err)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "RestoreObject", Bucket: &bucket, Object: &key})
}
err := c.be.RestoreObject(bucket, key, &restoreRequest)
return SendResponse(ctx, err)
err = c.be.RestoreObject(bucket, key, &restoreRequest)
return SendResponse(ctx, err, LogOptions{Logger: c.logger, Action: "RestoreObject", Bucket: &bucket, Object: &key})
}
if uploadId != "" {
@@ -765,27 +777,49 @@ func (c S3ApiController) CreateActions(ctx *fiber.Ctx) error {
}{}
if err := xml.Unmarshal(ctx.Body(), &data); err != nil {
return errors.New("wrong api call")
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "CompleteMultipartUpload", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "CompleteMultipartUpload", Bucket: &bucket, Object: &key})
}
res, err := c.be.CompleteMultipartUpload(bucket, key, uploadId, data.Parts)
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "CompleteMultipartUpload", Bucket: &bucket, Object: &key})
}
if err := auth.VerifyACL(parsedAcl, bucket, access, "WRITE", isRoot); err != nil {
return SendXMLResponse(ctx, nil, err)
return SendXMLResponse(ctx, nil, err, LogOptions{Logger: c.logger, Action: "CreateMultipartUpload", Bucket: &bucket, Object: &key})
}
res, err := c.be.CreateMultipartUpload(&s3.CreateMultipartUploadInput{Bucket: &bucket, Key: &key})
return SendXMLResponse(ctx, res, err)
return SendXMLResponse(ctx, res, err, LogOptions{Logger: c.logger, Action: "CreateMultipartUpload", Bucket: &bucket, Object: &key})
}
func SendResponse(ctx *fiber.Ctx, err error) error {
type LogOptions struct {
Logger s3log.Logger
Action string
Bucket *string
Object *string
LogType string
}
func SendResponse(ctx *fiber.Ctx, err error, lo LogOptions) error {
if err != nil {
if lo.Logger != nil {
var access *string
acc := ctx.Locals("access")
switch tp := acc.(type) {
case string:
access = &tp
}
if lo.LogType == "auth" {
lo.Logger.SendAuthLog(access, err)
} else {
lo.Logger.SendErrorLog(err, lo.Action, access, lo.Bucket, lo.Object)
}
}
serr, ok := err.(s3err.APIError)
if ok {
ctx.Status(serr.HTTPStatusCode)
@@ -800,15 +834,33 @@ func SendResponse(ctx *fiber.Ctx, err error) error {
utils.LogCtxDetails(ctx, []byte{})
if lo.Logger != nil {
var access *string
acc := ctx.Locals("access")
switch tp := acc.(type) {
case string:
access = &tp
}
if lo.LogType == "auth" {
lo.Logger.SendAuthLog(access, nil)
} else {
lo.Logger.SendSuccessLog(nil, lo.Action, access, lo.Bucket, lo.Object)
}
}
// https://github.com/gofiber/fiber/issues/2080
// ctx.SendStatus() sets incorrect content length on HEAD request
ctx.Status(http.StatusOK)
return nil
}
func SendXMLResponse(ctx *fiber.Ctx, resp any, err error) error {
func SendXMLResponse(ctx *fiber.Ctx, resp any, err error, lo LogOptions) error {
if err != nil {
fmt.Println(err)
if lo.Logger != nil {
access := ctx.Locals("access").(string)
lo.Logger.SendErrorLog(err, lo.Action, &access, lo.Bucket, lo.Object)
}
serr, ok := err.(s3err.APIError)
if ok {
ctx.Status(serr.HTTPStatusCode)
@@ -835,6 +887,12 @@ func SendXMLResponse(ctx *fiber.Ctx, resp any, err error) error {
}
utils.LogCtxDetails(ctx, b)
if lo.Logger != nil {
access := ctx.Locals("access").(string)
if lo.Logger != nil {
lo.Logger.SendSuccessLog(resp, lo.Action, &access, lo.Bucket, lo.Object)
}
}
return ctx.Send(b)
}


@@ -31,6 +31,7 @@ import (
"github.com/versity/versitygw/auth"
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3err"
"github.com/versity/versitygw/s3log"
"github.com/versity/versitygw/s3response"
)
@@ -49,8 +50,9 @@ func init() {
func TestNew(t *testing.T) {
type args struct {
be backend.Backend
iam auth.IAMService
be backend.Backend
iam auth.IAMService
logger s3log.Logger
}
be := backend.BackendUnsupported{}
@@ -74,7 +76,7 @@ func TestNew(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := New(tt.args.be, tt.args.iam); !reflect.DeepEqual(got, tt.want) {
if got := New(tt.args.be, tt.args.iam, tt.args.logger); !reflect.DeepEqual(got, tt.want) {
t.Errorf("New() = %v, want %v", got, tt.want)
}
})
@@ -187,14 +189,15 @@ func TestS3ApiController_ListBuckets(t *testing.T) {
}
}
func getPtr(val string) *string {
return &val
}
func TestS3ApiController_GetActions(t *testing.T) {
type args struct {
req *http.Request
}
getPtr := func(val string) *string {
return &val
}
now := time.Now()
app := fiber.New()
@@ -1359,6 +1362,8 @@ func TestS3ApiController_CreateActions(t *testing.T) {
for _, tt := range tests {
resp, err := tt.app.Test(tt.args.req)
fmt.Println(tt.name)
if (err != nil) != tt.wantErr {
t.Errorf("S3ApiController.CreateActions() error = %v, wantErr %v", err, tt.wantErr)
}
@@ -1435,7 +1440,7 @@ func Test_XMLresponse(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := SendXMLResponse(tt.args.ctx, tt.args.resp, tt.args.err); (err != nil) != tt.wantErr {
if err := SendXMLResponse(tt.args.ctx, tt.args.resp, tt.args.err, LogOptions{}); (err != nil) != tt.wantErr {
t.Errorf("response() %v error = %v, wantErr %v", tt.name, err, tt.wantErr)
}
@@ -1515,7 +1520,7 @@ func Test_response(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := SendResponse(tt.args.ctx, tt.args.err); (err != nil) != tt.wantErr {
if err := SendResponse(tt.args.ctx, tt.args.err, LogOptions{}); (err != nil) != tt.wantErr {
t.Errorf("response() %v error = %v, wantErr %v", tt.name, err, tt.wantErr)
}
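Review bot: `fmt.Println(tt.name)` in the `TestS3ApiController_CreateActions` loop (the line this hunk appears to add) is a debug print that writes every case name to stdout on each run, unrelated to any failure. Use `t.Log(tt.name)`, which only surfaces on failure or with `-v`, or drop it since the `t.Errorf` calls already name the test. The loop body continues past the end of the hunk.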


@@ -29,6 +29,7 @@ import (
"github.com/versity/versitygw/s3api/controllers"
"github.com/versity/versitygw/s3api/utils"
"github.com/versity/versitygw/s3err"
"github.com/versity/versitygw/s3log"
)
const (
@@ -40,13 +41,13 @@ type RootUserConfig struct {
Secret string
}
func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, debug bool) fiber.Handler {
func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Logger, region string, debug bool) fiber.Handler {
acct := accounts{root: root, iam: iam}
return func(ctx *fiber.Ctx) error {
authorization := ctx.Get("Authorization")
if authorization == "" {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
// Check the signature version
@@ -56,48 +57,50 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string,
}
if len(authParts) != 3 {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingFields))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingFields), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
startParts := strings.Split(authParts[0], " ")
if startParts[0] != "AWS4-HMAC-SHA256" {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
credKv := strings.Split(startParts[1], "=")
if len(credKv) != 2 {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
creds := strings.Split(credKv[1], "/")
if len(creds) < 4 {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
ctx.Locals("access", creds[0])
signHdrKv := strings.Split(authParts[1], "=")
if len(signHdrKv) != 2 {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrCredMalformed), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
signedHdrs := strings.Split(signHdrKv[1], ";")
account, err := acct.getAccount(creds[0])
if err == auth.ErrNoSuchUser {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
if err != nil {
return controllers.SendResponse(ctx, err)
return controllers.SendResponse(ctx, err, controllers.LogOptions{Logger: logger, LogType: "auth"})
}
// Check X-Amz-Date header
date := ctx.Get("X-Amz-Date")
if date == "" {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
// Parse the date and check the date validity
tdate, err := time.Parse(iso8601Format, date)
if err != nil {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
hashPayloadHeader := ctx.Get("X-Amz-Content-Sha256")
@@ -110,14 +113,14 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string,
// Compare the calculated hash with the hash provided
if hashPayloadHeader != hexPayload {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
}
// Create a new http request instance from fasthttp request
req, err := utils.CreateHttpRequestFromCtx(ctx, signedHdrs)
if err != nil {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInternalError))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInternalError), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
signer := v4.NewSigner()
@@ -132,24 +135,27 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string,
}
})
if signErr != nil {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInternalError))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInternalError), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
parts := strings.Split(req.Header.Get("Authorization"), " ")
if len(parts) < 4 {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingFields))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingFields), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
calculatedSign := strings.Split(parts[3], "=")[1]
expectedSign := strings.Split(authParts[2], "=")[1]
if expectedSign != calculatedSign {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDoesNotMatch))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDoesNotMatch), controllers.LogOptions{Logger: logger, LogType: "auth"})
}
ctx.Locals("role", account.Role)
ctx.Locals("access", creds[0])
ctx.Locals("isRoot", creds[0] == root.Access)
if logger != nil {
logger.SendAuthLog(&creds[0], nil)
}
return ctx.Next()
}
}
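Review bot: The auth error records emitted from the early returns in `VerifyV4Signature` carry no principal when the failure happens before `ctx.Locals("access", creds[0])` is set, and none of the auth log paths (the error returns or the new success log at the end) capture the client address or request line, which is what an operator correlating repeated signature or date failures from one source needs. Consider adding the remote address and method/path to `SendAuthLog` or `LogOptions`, e.g. from `ctx.IP()` and `ctx.Method()`/`ctx.Path()`, and keep in mind that `creds[0]` is unverified client input when it is logged from the failure paths (both sinks JSON-encode it, so it is at least not a raw log-injection vector). Setting `ctx.Locals("access", creds[0])` right after the credential is parsed makes the second assignment after the signature check redundant; keep one. The handler's body spans three hunks; only its closing lines are in this one.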


@@ -21,9 +21,10 @@ import (
"github.com/gofiber/fiber/v2"
"github.com/versity/versitygw/s3api/controllers"
"github.com/versity/versitygw/s3err"
"github.com/versity/versitygw/s3log"
)
func VerifyMD5Body() fiber.Handler {
func VerifyMD5Body(logger s3log.Logger) fiber.Handler {
return func(ctx *fiber.Ctx) error {
incomingSum := ctx.Get("Content-Md5")
if incomingSum == "" {
@@ -34,10 +35,9 @@ func VerifyMD5Body() fiber.Handler {
calculatedSum := base64.StdEncoding.EncodeToString(sum[:])
if incomingSum != calculatedSum {
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidDigest))
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidDigest), controllers.LogOptions{Logger: logger})
}
return ctx.Next()
}
}
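Review bot: The `ErrInvalidDigest` failure is logged with `controllers.LogOptions{Logger: logger}` alone, so the audit record has an empty Action and no bucket or object, and because an empty LogType routes it through `SendErrorLog` it is indistinguishable from an unattributed controller error. Give it a name, e.g. `controllers.LogOptions{Logger: logger, Action: "VerifyMD5Body"}`, so digest mismatches can be counted and alerted on separately from other failures. The handler's opening lines are in the previous hunk.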


@@ -19,12 +19,13 @@ import (
"github.com/versity/versitygw/auth"
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3api/controllers"
"github.com/versity/versitygw/s3log"
)
type S3ApiRouter struct{}
func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService) {
s3ApiController := controllers.New(be, iam)
func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.Logger) {
s3ApiController := controllers.New(be, iam, logger)
adminController := controllers.AdminController{IAMService: iam}
app.Patch("/create-user", adminController.CreateUser)


@@ -20,13 +20,15 @@ import (
"github.com/gofiber/fiber/v2"
"github.com/versity/versitygw/auth"
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3log"
)
func TestS3ApiRouter_Init(t *testing.T) {
type args struct {
app *fiber.App
be backend.Backend
iam auth.IAMService
app *fiber.App
be backend.Backend
iam auth.IAMService
logger s3log.Logger
}
tests := []struct {
name string
@@ -45,7 +47,7 @@ func TestS3ApiRouter_Init(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam)
tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam, tt.args.logger)
})
}
}


@@ -22,6 +22,7 @@ import (
"github.com/versity/versitygw/auth"
"github.com/versity/versitygw/backend"
"github.com/versity/versitygw/s3api/middlewares"
"github.com/versity/versitygw/s3log"
)
type S3ApiServer struct {
@@ -33,7 +34,7 @@ type S3ApiServer struct {
debug bool
}
func New(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, opts ...Option) (*S3ApiServer, error) {
func New(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, l s3log.Logger, opts ...Option) (*S3ApiServer, error) {
server := &S3ApiServer{
app: app,
backend: be,
@@ -50,10 +51,10 @@ func New(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, po
app.Use(middlewares.RequestLogger(server.debug))
// Authentication middlewares
app.Use(middlewares.VerifyV4Signature(root, iam, region, server.debug))
app.Use(middlewares.VerifyMD5Body())
app.Use(middlewares.VerifyV4Signature(root, iam, l, region, server.debug))
app.Use(middlewares.VerifyMD5Body(l))
server.router.Init(app, be, iam)
server.router.Init(app, be, iam, l)
return server, nil
}
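Review bot: `New` gains the logger as a positional `l s3log.Logger` parameter even though it already takes `opts ...Option` for optional configuration; a `WithLogger(l)` option would keep existing call sites compiling (the test in the next section had to grow a trailing `nil`) and stay consistent with the functional-options pattern this signature already uses. Whichever form is kept, document that a nil Logger disables audit logging, since that contract is currently only visible in the `lo.Logger != nil` checks of the consumers.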


@@ -64,7 +64,7 @@ func TestNew(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotS3ApiServer, err := New(tt.args.app, tt.args.be, tt.args.root,
tt.args.port, "us-east-1", &auth.IAMServiceInternal{})
tt.args.port, "us-east-1", &auth.IAMServiceInternal{}, nil)
if (err != nil) != tt.wantErr {
t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
return

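--- /dev/null
+++ b/s3log/kafka.go
@@ -0,0 +1,165 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package s3log
+import (
+"encoding/json"
+"fmt"
+"sync"
+"time"
+"github.com/Shopify/sarama"
+"github.com/versity/versitygw/s3err"
+)
+type KafkaLogger struct {
+StorageSystem string
+Action string
+UserAccess *string
+Bucket *string
+Object *string
+Time time.Time
+Response any
+Error *LogError
+topic string
+key string
+producer sarama.SyncProducer
+mu sync.Mutex
+}
+func InitKafkaLogger(storageSystem, url, topic, key string) (Logger, error) {
+if topic == "" {
+return nil, fmt.Errorf("kafka message topic should be specified")
+}
+config := sarama.NewConfig()
+config.Producer.Return.Successes = true
+producer, err := sarama.NewSyncProducer([]string{url}, config)
+if err != nil {
+return nil, err
+}
+return &KafkaLogger{
+StorageSystem: storageSystem,
+topic: topic,
+key: key,
+producer: producer,
+}, nil
+}
+func (l *KafkaLogger) SendSuccessLog(data any, action string, access, bucket, object *string) {
+l.mu.Lock()
+defer l.mu.Unlock()
+l.Action = action
+l.UserAccess = access
+l.Bucket = bucket
+l.Object = object
+l.Response = data
+l.Time = time.Now()
+l.Error = nil
+l.sendLog(nil)
+}
+func (l *KafkaLogger) SendErrorLog(err error, action string, access, bucket, object *string) {
+l.mu.Lock()
+defer l.mu.Unlock()
+l.Action = action
+l.UserAccess = access
+l.Bucket = bucket
+l.Object = object
+serr, ok := err.(s3err.APIError)
+if ok {
+l.Error = &LogError{
+StatusCode: serr.HTTPStatusCode,
+Message: serr.Description,
+}
+} else {
+l.Error = &LogError{
+StatusCode: 500,
+Message: err.Error(),
+}
+}
+l.Response = nil
+l.sendLog(nil)
+}
+func (l *KafkaLogger) SendAuthLog(access *string, err error) {
+l.mu.Lock()
+defer l.mu.Unlock()
+if err != nil {
+serr, ok := err.(s3err.APIError)
+if ok {
+l.sendLog(AuthErrorLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+ErrorMessage: serr.Description,
+ErrorStatus: serr.HTTPStatusCode,
+ErrorType: "Authentication error",
+})
+} else {
+l.sendLog(AuthErrorLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+ErrorMessage: err.Error(),
+ErrorStatus: 500,
+ErrorType: "Authentication error",
+})
+}
+return
+}
+l.sendLog(AuthSuccessLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+Message: "The user passed the authentication successfully",
+})
+}
+func (l *KafkaLogger) sendLog(data any) {
+if data == nil {
+data = l
+}
+msg, err := json.Marshal(data)
+if err != nil {
+fmt.Printf("\n failed to parse the log data: %v", err.Error())
+}
+var message *sarama.ProducerMessage
+if l.key == "" {
+message = &sarama.ProducerMessage{
+Topic: l.topic,
+Value: sarama.StringEncoder(msg),
+}
+} else {
+message = &sarama.ProducerMessage{
+Topic: l.topic,
+Key: sarama.StringEncoder(l.key),
+Value: sarama.StringEncoder(msg),
+}
+}
+_, _, err = l.producer.SendMessage(message)
+if err != nil {
+fmt.Println(err)
+}
+}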
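Review bot: In `sendLog`, a `json.Marshal` failure is printed but not returned, so the method continues and publishes an empty or partial `msg` as an audit record; add `return` after that `fmt.Printf`. Every Send* method also holds `mu` across this synchronous `producer.SendMessage` call, so all in-flight S3 requests serialize behind one Kafka round-trip and a slow or unreachable broker stalls the gateway; building the record in a local struct instead of mutating the logger's fields removes the need for the mutex, and an async producer with a bounded queue would keep audit delivery from taking availability down with it. `InitKafkaLogger` connects with a bare `sarama.NewConfig()`, i.e. with `config.Net.TLS.Enable` and `config.Net.SASL.Enable` left off, so records leave the host in cleartext and unauthenticated unless the broker enforces otherwise — worth surfacing in `LogConfig` before this is relied on as an audit trail. `webhook.go`'s `sendLog` has the same marshal-and-continue and lock-around-I/O pattern.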

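--- /dev/null
+++ b/s3log/logger.go
@@ -0,0 +1,69 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package s3log
+import (
+"fmt"
+"time"
+)
+type LoggerType string
+const (
+WebhookLoggerType LoggerType = "webhook"
+)
+type Logger interface {
+SendErrorLog(err error, action string, access, bucket, object *string)
+SendSuccessLog(data any, action string, access, bucket, object *string)
+SendAuthLog(access *string, err error)
+}
+type AuthSuccessLog struct {
+StorageSystem string
+Time time.Time
+UserAccess *string
+Message string
+}
+type AuthErrorLog struct {
+StorageSystem string
+Time time.Time
+UserAccess *string
+ErrorMessage string
+ErrorStatus int
+ErrorType string
+}
+type LogConfig struct {
+WebhookURL string
+KafkaURL string
+KafkaTopic string
+KafkaTopicKey string
+StorageSystem string
+}
+func InitLogger(cfg *LogConfig) (Logger, error) {
+if cfg.WebhookURL != "" && cfg.KafkaURL != "" {
+return nil, fmt.Errorf("specify one of 2 option for audit logging: kafka, webhook")
+}
+if cfg.WebhookURL != "" {
+return InitWebhookLogger(cfg.StorageSystem, cfg.WebhookURL)
+}
+if cfg.KafkaURL != "" {
+return InitKafkaLogger(cfg.StorageSystem, cfg.KafkaURL, cfg.KafkaTopic, cfg.KafkaTopicKey)
+}
+return nil, nil
+}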
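Review bot: None of the exported identifiers here (`Logger`, `LogConfig`, `InitLogger`, `LoggerType`) has a doc comment, and the contract callers depend on — `InitLogger` returning `nil, nil` when neither URL is set, with a nil Logger meaning audit logging is disabled — is only discoverable from the consumers' `!= nil` checks. Suggested: `// Logger is the audit sink for S3 API and authentication events; a nil Logger disables audit logging.` above the interface and `// InitLogger returns (nil, nil) when no sink is configured; at most one of WebhookURL and KafkaURL may be set.` above the constructor. `LoggerType` declares only `WebhookLoggerType` and is not referenced anywhere in this changeset as far as I can see; add the kafka value or drop the type until it is used. The interface also has no `Close`, so the producer created in `InitKafkaLogger` can never be shut down cleanly.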

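--- /dev/null
+++ b/s3log/webhook.go
@@ -0,0 +1,161 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package s3log
+import (
+"bytes"
+"encoding/json"
+"fmt"
+"net"
+"net/http"
+"sync"
+"time"
+"github.com/versity/versitygw/s3err"
+)
+type LogError struct {
+StatusCode int
+Message string
+}
+type WebhookLogger struct {
+StorageSystem string
+Time time.Time
+Action string
+UserAccess *string
+Bucket *string
+Object *string
+Response any
+Error *LogError
+url string
+mu sync.Mutex
+}
+var _ Logger = &WebhookLogger{}
+func InitWebhookLogger(storageSystem, url string) (Logger, error) {
+client := &http.Client{
+Timeout: 3 * time.Second,
+}
+_, err := client.Post(url, "application/json", nil)
+if err != nil {
+if err, ok := err.(net.Error); ok && !err.Timeout() {
+return nil, fmt.Errorf("unreachable webhook url")
+}
+}
+return &WebhookLogger{
+url: url,
+StorageSystem: storageSystem,
+}, nil
+}
+func (l *WebhookLogger) SendSuccessLog(data any, action string, access, bucket, object *string) {
+l.mu.Lock()
+defer l.mu.Unlock()
+l.Action = action
+l.UserAccess = access
+l.Bucket = bucket
+l.Object = object
+l.Response = data
+l.Time = time.Now()
+l.Error = nil
+l.sendLog(nil)
+}
+func (l *WebhookLogger) SendErrorLog(err error, action string, access, bucket, object *string) {
+l.mu.Lock()
+defer l.mu.Unlock()
+l.Action = action
+l.UserAccess = access
+l.Bucket = bucket
+l.Object = object
+serr, ok := err.(s3err.APIError)
+if ok {
+l.Error = &LogError{
+StatusCode: serr.HTTPStatusCode,
+Message: serr.Description,
+}
+} else {
+l.Error = &LogError{
+StatusCode: 500,
+Message: err.Error(),
+}
+}
+l.Response = nil
+l.sendLog(nil)
+}
+func (l *WebhookLogger) SendAuthLog(access *string, err error) {
+l.mu.Lock()
+defer l.mu.Unlock()
+if err != nil {
+serr, ok := err.(s3err.APIError)
+if ok {
+l.sendLog(AuthErrorLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+ErrorMessage: serr.Description,
+ErrorStatus: serr.HTTPStatusCode,
+ErrorType: "Authentication error",
+})
+} else {
+l.sendLog(AuthErrorLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+ErrorMessage: err.Error(),
+ErrorStatus: 500,
+ErrorType: "Authentication error",
+})
+}
+return
+}
+l.sendLog(AuthSuccessLog{
+StorageSystem: l.StorageSystem,
+Time: time.Now(),
+UserAccess: access,
+Message: "The user passed the authentication successfully",
+})
+}
+func (l *WebhookLogger) sendLog(data any) {
+if data == nil {
+data = l
+}
+jsonLog, err := json.Marshal(data)
+if err != nil {
+fmt.Printf("\n failed to parse the log data: %v", err.Error())
+}
+req, err := http.NewRequest(http.MethodPost, l.url, bytes.NewReader(jsonLog))
+if err != nil {
+fmt.Println(err)
+}
+req.Header.Set("Content-Type", "application/json; charset=utf-8")
+client := &http.Client{
+Timeout: 3 * time.Second,
+}
+_, err = client.Do(req)
+if err != nil {
+fmt.Printf("\n failed to send the log %v", err.Error())
+}
+}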
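Review bot: `sendLog` discards the `*http.Response` from `client.Do` without closing its body, so every audit record leaks a response body and the keep-alive connection behind it; at normal request rates this exhausts file descriptors and takes the gateway down, and the probe in `InitWebhookLogger` (`_, err := client.Post(...)`) leaks one more. In the same method an `http.NewRequest` error is printed but not returned, after which `req.Header.Set` dereferences a nil `req`, and a `json.Marshal` error likewise falls through to posting a partial body. A fresh `http.Client` is also built per call; keep the one `InitWebhookLogger` already creates on the struct (`client *http.Client`) and reuse it, and add `io` to the imports for the drain below. As in `kafka.go`, `mu` is held across this blocking POST with a 3 s timeout, so an unreachable webhook serializes all S3 requests behind it.
```go
func (l *WebhookLogger) sendLog(data any) {
	if data == nil {
		data = l
	}
	jsonLog, err := json.Marshal(data)
	if err != nil {
		fmt.Printf("\n failed to parse the log data: %v", err.Error())
		return
	}
	req, err := http.NewRequest(http.MethodPost, l.url, bytes.NewReader(jsonLog))
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Set("Content-Type", "application/json; charset=utf-8")
	// l.client is the *http.Client built once in InitWebhookLogger
	resp, err := l.client.Do(req)
	if err != nil {
		fmt.Printf("\n failed to send the log %v", err.Error())
		return
	}
	defer resp.Body.Close()
	// drain so the transport can reuse the connection
	io.Copy(io.Discard, resp.Body)
	if resp.StatusCode >= 300 {
		fmt.Printf("\n webhook returned status %d", resp.StatusCode)
	}
}
```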