
Method validateAuthInfo

objectnode/auth.go:183–272  ·  view source on GitHub ↗
(r *http.Request, auth Auther)


181}
182
183func (o *ObjectNode) validateAuthInfo(r *http.Request, auth Auther) (err error) {
184 param := ParseRequestParam(r)
185 reqAK := auth.Credential().AccessKey
186
187 var uid, ak, sk, token string
188 var stsInfo *FedDecodeResult
189 if token = getSecurityToken(r); token == "" {
190 ak = reqAK
191 if uid, sk, err = o.getUidSecretKeyWithCheckVol(r, ak, true); err != nil {
192 log.LogErrorf("validateAuthInfo: get user uid and sk fail: requestID(%v) ak(%v) err(%v)",
193 GetRequestID(r), ak, err)
194 return err
195 }
196 } else {
197 stsInfo, err = DecodeFedSessionToken(reqAK, token, o.getUserInfoByAccessKeyV2)
198 if err != nil {
199 log.LogErrorf("validateAuthInfo: decode session token fail: requestID(%v) ak(%v) token(%v) err(%v)",
200 GetRequestID(r), reqAK, token, err)
201 return err
202 }
203 uid, ak, sk = stsInfo.UserInfo.UserID, stsInfo.UserInfo.AccessKey, stsInfo.FedSK
204 }
205
206 mux.Vars(r)[ContextKeyAccessKey] = ak
207 mux.Vars(r)[ContextKeyRequester] = uid
208
209 if !param.action.IsNone() && o.signatureIgnoredActions.Contains(param.action) {
210 return nil
211 }
212 cred := auth.Credential()
213 if auth.IsSkewed() {
214 log.LogErrorf("validateAuthInfo: request skewed: requestID(%v) reqTime(%v) servTime(%v)",
215 GetRequestID(r), cred.TimeStamp, time.Now().UTC().Format(ISO8601Format))
216 return RequestTimeTooSkewed
217 }
218 if auth.IsExpired() {
219 log.LogErrorf("validateAuthInfo: signature has expired: requestID(%v) servTime(%v) reqDate(%v) expires(%v)",
220 GetRequestID(r), time.Now().UTC().Format(ISO8601Format), cred.Date, cred.Expires)
221 return ExpiredToken
222 }
223 if !auth.SignatureMatch(sk, o.wildcards) {
224 log.LogErrorf("validateAuthInfo: signature not match: requestID(%v) AccessKeyId(%v)\nstringToSign=(\n%v\n)\ncanonialRequest=(\n%v\n)",
225 GetRequestID(r), reqAK, auth.StringToSign(), auth.CanonicalRequest())
226 return SignatureDoesNotMatch
227 }
228
229 if stsInfo != nil {
230 if o.stsNotAllowedActions.Contains(param.action) {
231 log.LogErrorf("validateAuthInfo: action not allowed by sts user: requestID(%v) action(%v)",
232 GetRequestID(r), param.action)
233 return AccessDeniedBySTS
234 }
235 userPolicy := stsInfo.UserInfo.Policy
236 if !IsAccountLevelApi(param.apiName) && param.bucket != "" && userPolicy != nil && !userPolicy.IsOwn(param.
237 bucket) {
238 log.LogErrorf("validateAuthInfo: sts user access non-owner vol: requestID(%v) reqVol(%v) ownVols(%v)",
239 GetRequestID(r), param.bucket, userPolicy.OwnVols)
240 return AccessDenied
