internal RequestMetadata AuthorizeServiceRequest(S3Context ctx, RequestMetadata md)
{
if (ctx == null)
{
throw new ArgumentNullException(nameof(ctx));
}
if (md == null)
{
throw new ArgumentNullException(nameof(md));
}
md.Authorization = AuthorizationResult.NotAuthorized;
string header = "[" + ctx.Http.Request.Source.IpAddress + ":" + ctx.Http.Request.Source.Port + " " + ctx.Http.Request.Method.ToString() + " " + ctx.Http.Request.Url.RawWithoutQuery + "] AuthorizeServiceRequest ";
#region Check-for-Admin-API-Key
if (ctx.Http.Request.Headers.ContainsKey(_Settings.Server.HeaderApiKey))
{
if (ctx.Http.Request.Headers[_Settings.Server.HeaderApiKey].Equals(_Settings.Server.AdminApiKey))
{
if (_Settings.Debug.Authentication)
{
_Logging.Info(header + "admin API key in use");
}
md.Authorization = AuthorizationResult.AdminAuthorized;
return(md);
}
}
#endregion
if (md.User != null && md.Authentication == AuthenticationResult.Authenticated)
{
md.Authorization = AuthorizationResult.PermitService;
}
return(md);
}
internal RequestMetadata AuthenticateAndBuildMetadata(S3Context ctx)
{
if (ctx == null)
{
throw new ArgumentNullException(nameof(ctx));
}
RequestMetadata md = new RequestMetadata();
md.Authentication = AuthenticationResult.NotAuthenticated;
#region Credential-and-User
if (String.IsNullOrEmpty(ctx.Request.AccessKey))
{
md.Authentication = AuthenticationResult.NoMaterialSupplied;
}
else
{
Credential cred = _Config.GetCredentialByAccessKey(ctx.Request.AccessKey);
if (cred == null)
{
md.Authentication = AuthenticationResult.AccessKeyNotFound;
}
else
{
md.Credential = cred;
User user = _Config.GetUserByAccessKey(ctx.Request.AccessKey);
if (user == null)
{
md.Authentication = AuthenticationResult.UserNotFound;
}
else
{
md.User = user;
md.Authentication = AuthenticationResult.Authenticated;
}
}
}
#endregion
#region Bucket
if (!String.IsNullOrEmpty(ctx.Request.Bucket))
{
md.Bucket = _Buckets.Get(ctx.Request.Bucket);
if (md.Bucket != null)
{
md.BucketClient = _Buckets.GetClient(ctx.Request.Bucket);
if (md.BucketClient != null)
{
md.BucketAcls = md.BucketClient.GetBucketAcl();
md.BucketTags = md.BucketClient.GetBucketTags();
}
}
}
#endregion
#region Object
if (md.BucketClient != null &&
ctx.Request.IsObjectRequest &&
!String.IsNullOrEmpty(ctx.Request.Key))
{
md.Obj = md.BucketClient.GetObjectMetadata(ctx.Request.Key);
if (md.Obj != null)
{
md.ObjectAcls = md.BucketClient.GetObjectAcl(md.Obj.GUID);
md.ObjectTags = md.BucketClient.GetObjectTags(md.Obj.GUID);
}
}
#endregion
return(md);
}
internal RequestMetadata AuthorizeObjectRequest(S3Context ctx, RequestMetadata md)
{
if (ctx == null)
{
throw new ArgumentNullException(nameof(ctx));
}
if (md == null)
{
throw new ArgumentNullException(nameof(md));
}
md.Authorization = AuthorizationResult.NotAuthorized;
string header = "[" + ctx.Http.Request.Source.IpAddress + ":" + ctx.Http.Request.Source.Port + " " + ctx.Http.Request.Method.ToString() + " " + ctx.Http.Request.Url.RawWithoutQuery + "] AuthorizeObjectWriteRequest ";
bool allowed = false;
#region Get-Version-ID
long versionId = 1;
if (!String.IsNullOrEmpty(ctx.Request.VersionId))
{
if (!Int64.TryParse(ctx.Request.VersionId, out versionId))
{
}
}
#endregion
#region Check-for-Admin-API-Key
if (ctx.Http.Request.Headers.ContainsKey(_Settings.Server.HeaderApiKey))
{
if (ctx.Http.Request.Headers[_Settings.Server.HeaderApiKey].Equals(_Settings.Server.AdminApiKey))
{
if (_Settings.Debug.Authentication)
{
_Logging.Info(header + "admin API key in use");
}
md.Authorization = AuthorizationResult.AdminAuthorized;
return(md);
}
}
#endregion
#region Check-for-Bucket-Global-Config
if (md.Bucket != null)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
if (md.Bucket.EnablePublicRead)
{
allowed = true;
}
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
if (md.Bucket.EnablePublicWrite)
{
allowed = true;
}
break;
}
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitBucketGlobalConfig;
return(md);
}
#endregion
#region Check-for-Bucket-AllUsers-ACL
if (md.BucketAcls != null && md.BucketAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitBucketAllUsersAcl;
return(md);
}
}
#endregion
#region Check-for-Object-AllUsers-ACL
if (md.ObjectAcls != null && md.ObjectAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
// case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AllUsers") &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitObjectAllUsersAcl;
return(md);
}
}
#endregion
#region Check-for-Auth-Material
if (md.User == null || md.Credential == null)
{
md.Authorization = AuthorizationResult.NotAuthorized;
return(md);
}
#endregion
#region Check-for-Bucket-Owner
if (md.Bucket != null)
{
if (md.Bucket.OwnerGUID.Equals(md.User.GUID))
{
md.Authorization = AuthorizationResult.PermitBucketOwnership;
return(md);
}
}
#endregion
#region Check-for-Object-Owner
if (md.Obj != null)
{
if (md.Obj.OwnerGUID.Equals(md.User.GUID))
{
md.Authorization = AuthorizationResult.PermitObjectOwnership;
return(md);
}
}
#endregion
#region Check-for-Bucket-AuthenticatedUsers-ACL
if (md.BucketAcls != null && md.BucketAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitBucketAuthUserAcl;
return(md);
}
}
#endregion
#region Check-for-Object-AuthenticatedUsers-ACL
if (md.ObjectAcls != null && md.ObjectAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
// case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGroup) &&
b.UserGroup.Contains("AuthenticatedUsers") &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitObjectAuthUserAcl;
return(md);
}
}
#endregion
#region Check-for-Bucket-User-ACL
if (md.BucketAcls != null && md.BucketAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.BucketAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitBucketUserAcl;
return(md);
}
}
#endregion
#region Check-for-Object-User-ACL
if (md.ObjectAcls != null && md.ObjectAcls.Count > 0)
{
switch (ctx.Request.RequestType)
{
case S3RequestType.ObjectExists:
case S3RequestType.ObjectRead:
case S3RequestType.ObjectReadLegalHold:
case S3RequestType.ObjectReadRange:
case S3RequestType.ObjectReadRetention:
case S3RequestType.ObjectReadTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitRead || b.FullControl));
break;
case S3RequestType.ObjectReadAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitReadAcp || b.FullControl));
break;
case S3RequestType.ObjectDelete:
case S3RequestType.ObjectDeleteMultiple:
case S3RequestType.ObjectDeleteTags:
// case S3RequestType.ObjectWrite:
case S3RequestType.ObjectWriteLegalHold:
case S3RequestType.ObjectWriteRetention:
case S3RequestType.ObjectWriteTags:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitWrite || b.FullControl));
break;
case S3RequestType.ObjectWriteAcl:
allowed = md.ObjectAcls.Exists(
b => !String.IsNullOrEmpty(b.UserGUID) &&
b.UserGUID.Equals(md.User.GUID) &&
(b.PermitWriteAcp || b.FullControl));
break;
}
if (allowed)
{
md.Authorization = AuthorizationResult.PermitObjectUserAcl;
return(md);
}
}
#endregion
return(md);
}
