JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 4d0f6c824b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4d0f6c824b'
${ noResults }
JCS-pub/client/internal/http/auth/auth.go

95 lines
2.4 kB
Raw Blame History 

  1. package auth

  2. 

  3. import (

  4. 	"crypto/tls"

  5. 

  6. 	"github.com/gin-gonic/gin"

  7. 	"gitlink.org.cn/cloudream/common/pkgs/logger"

  8. 	"gitlink.org.cn/cloudream/jcs-pub/client/internal/http/types"

  9. 	"gitlink.org.cn/cloudream/jcs-pub/client/sdk/signer"

  10. 	"gitlink.org.cn/cloudream/jcs-pub/common/ecode"

  11. )

  12. 

  13. type ClusterProxyRequestKey string

  14. 

  15. const (

  16. 	ClientInternalSNI                          = "client.jcs-pub.internal"

  17. 	ClusterProxyRequest ClusterProxyRequestKey = "ClusterProxyRequest"

  18. )

  19. 

  20. type Auth struct {

  21. 	cfg *types.Config

  22. }

  23. 

  24. func New(cfg *types.Config) *Auth {

  25. 	return &Auth{

  26. 		cfg: cfg,

  27. 	}

  28. }

  29. 

  30. func (a *Auth) TLSConfigSelector(hello *tls.ClientHelloInfo) (*tls.Config, error) {

  31. 	switch hello.ServerName {

  32. 	case ClientInternalSNI:

  33. 		return &tls.Config{

  34. 			Certificates: []tls.Certificate{a.cfg.ServerCert},

  35. 			ClientAuth:   tls.RequireAndVerifyClientCert,

  36. 			ClientCAs:    a.cfg.RootCA,

  37. 			NextProtos:   []string{"h2", "http/1.1"},

  38. 		}, nil

  39. 

  40. 	default:

  41. 		return &tls.Config{

  42. 			Certificates: []tls.Certificate{a.cfg.ServerCert},

  43. 			ClientAuth:   tls.NoClientCert,

  44. 			NextProtos:   []string{"h2", "http/1.1"},

  45. 		}, nil

  46. 	}

  47. }

  48. 

  49. func (a *Auth) RejectNoCertAuth(c *gin.Context) {

  50. 	if c.Request.Context().Value(ClusterProxyRequest) != nil {

  51. 		c.Next()

  52. 		return

  53. 	}

  54. 

  55. 	if c.Request.TLS == nil || c.Request.TLS.ServerName != ClientInternalSNI {

  56. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "must provide client certificate"))

  57. 		return

  58. 	}

  59. 

  60. 	c.Next()

  61. }

  62. 

  63. func (a *Auth) Presigned(c *gin.Context) {

  64. 	log := logger.WithField("HTTP", "Auth")

  65. 

  66. 	if c.Request.Context().Value(ClusterProxyRequest) != nil {

  67. 		c.Next()

  68. 		return

  69. 	}

  70. 

  71. 	accID := signer.GetAccessKeyID(c.Request.URL)

  72. 	if accID == "" {

  73. 		log.Warn("access key id not found in query string")

  74. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "access key id not found in query string"))

  75. 		return

  76. 	}

  77. 

  78. 	cliCert := a.cfg.ClientCerts[accID]

  79. 	if cliCert == nil {

  80. 		log.Warnf("client cert not found for access key id %s", accID)

  81. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, "client cert not found for access key id %s", accID))

  82. 		return

  83. 	}

  84. 	c.Request.URL.Host = c.Request.Host

  85. 

  86. 	err := signer.VerifyPresigned(cliCert.VerifyKey, c.Request.Method, c.Request.URL)

  87. 	if err != nil {

  88. 		log.Warn(err.Error())

  89. 		c.AbortWithStatusJSON(401, types.Failed(ecode.Unauthorized, err.Error()))

  90. 		return

  91. 	}

  92. 

  93. 	c.Next()

  94. }