(r *http.Request, auth Auther)
| 181 | } |
| 182 | |
| 183 | func (o *ObjectNode) validateAuthInfo(r *http.Request, auth Auther) (err error) { |
| 184 | param := ParseRequestParam(r) |
| 185 | reqAK := auth.Credential().AccessKey |
| 186 | |
| 187 | var uid, ak, sk, token string |
| 188 | var stsInfo *FedDecodeResult |
| 189 | if token = getSecurityToken(r); token == "" { |
| 190 | ak = reqAK |
| 191 | if uid, sk, err = o.getUidSecretKeyWithCheckVol(r, ak, true); err != nil { |
| 192 | log.LogErrorf("validateAuthInfo: get user uid and sk fail: requestID(%v) ak(%v) err(%v)", |
| 193 | GetRequestID(r), ak, err) |
| 194 | return err |
| 195 | } |
| 196 | } else { |
| 197 | stsInfo, err = DecodeFedSessionToken(reqAK, token, o.getUserInfoByAccessKeyV2) |
| 198 | if err != nil { |
| 199 | log.LogErrorf("validateAuthInfo: decode session token fail: requestID(%v) ak(%v) token(%v) err(%v)", |
| 200 | GetRequestID(r), reqAK, token, err) |
| 201 | return err |
| 202 | } |
| 203 | uid, ak, sk = stsInfo.UserInfo.UserID, stsInfo.UserInfo.AccessKey, stsInfo.FedSK |
| 204 | } |
| 205 | |
| 206 | mux.Vars(r)[ContextKeyAccessKey] = ak |
| 207 | mux.Vars(r)[ContextKeyRequester] = uid |
| 208 | |
| 209 | if !param.action.IsNone() && o.signatureIgnoredActions.Contains(param.action) { |
| 210 | return nil |
| 211 | } |
| 212 | cred := auth.Credential() |
| 213 | if auth.IsSkewed() { |
| 214 | log.LogErrorf("validateAuthInfo: request skewed: requestID(%v) reqTime(%v) servTime(%v)", |
| 215 | GetRequestID(r), cred.TimeStamp, time.Now().UTC().Format(ISO8601Format)) |
| 216 | return RequestTimeTooSkewed |
| 217 | } |
| 218 | if auth.IsExpired() { |
| 219 | log.LogErrorf("validateAuthInfo: signature has expired: requestID(%v) servTime(%v) reqDate(%v) expires(%v)", |
| 220 | GetRequestID(r), time.Now().UTC().Format(ISO8601Format), cred.Date, cred.Expires) |
| 221 | return ExpiredToken |
| 222 | } |
| 223 | if !auth.SignatureMatch(sk, o.wildcards) { |
| 224 | log.LogErrorf("validateAuthInfo: signature not match: requestID(%v) AccessKeyId(%v)\nstringToSign=(\n%v\n)\ncanonialRequest=(\n%v\n)", |
| 225 | GetRequestID(r), reqAK, auth.StringToSign(), auth.CanonicalRequest()) |
| 226 | return SignatureDoesNotMatch |
| 227 | } |
| 228 | |
| 229 | if stsInfo != nil { |
| 230 | if o.stsNotAllowedActions.Contains(param.action) { |
| 231 | log.LogErrorf("validateAuthInfo: action not allowed by sts user: requestID(%v) action(%v)", |
| 232 | GetRequestID(r), param.action) |
| 233 | return AccessDeniedBySTS |
| 234 | } |
| 235 | userPolicy := stsInfo.UserInfo.Policy |
| 236 | if !IsAccountLevelApi(param.apiName) && param.bucket != "" && userPolicy != nil && !userPolicy.IsOwn(param. |
| 237 | bucket) { |
| 238 | log.LogErrorf("validateAuthInfo: sts user access non-owner vol: requestID(%v) reqVol(%v) ownVols(%v)", |
| 239 | GetRequestID(r), param.bucket, userPolicy.OwnVols) |
| 240 | return AccessDenied |