4fce274c50
According to [1] when an Authorization header is specified, either a Date or x-amz-date header needs to be specified, with the x-amz-date header taking precedence. Now, the x-amz-date header is validated first, and if both headers are missing, an AccessDenied error should be returned. This should prevent replay attacks occurring on valid requests that are missing the Date header. [1] http://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonRequestHeaders. html N.B. This also fixes some pylint issues and dependencies Closes-Bug: 1497424 SecurityImpact [CVE-2015-8466] Co-Authored-By: Darryl Tam <dtam@swiftstack.com> Co-Authored-By: Tim Burke <tim.burke@gmail.com> Change-Id: Ibeff8503fa147e1cf08c1b5374aecee7a4c0bee2
551 lines
16 KiB
Python
551 lines
16 KiB
Python
# Copyright (c) 2014 OpenStack Foundation.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from functools import partial
|
|
|
|
from swift.common.utils import json
|
|
|
|
from swift3.response import InvalidArgument, MalformedACLError, \
|
|
S3NotImplemented, InvalidRequest, AccessDenied
|
|
from swift3.etree import Element, SubElement
|
|
from swift3.utils import LOGGER, sysmeta_header
|
|
from swift3.cfg import CONF
|
|
from swift3.exception import InvalidSubresource
|
|
|
|
XMLNS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
|
|
PERMISSIONS = ['FULL_CONTROL', 'READ', 'WRITE', 'READ_ACP', 'WRITE_ACP']
|
|
LOG_DELIVERY_USER = '.log_delivery'
|
|
|
|
"""
|
|
An entry point of this approach is here.
|
|
We should understand what we have to design to achieve real S3 ACL.
|
|
S3's ACL Model is as follows:
|
|
|
|
AccessControlPolicy:
|
|
Owner:
|
|
AccessControlList:
|
|
Grant[n]:
|
|
(Grantee, Permission)
|
|
|
|
Each bucket or object has its own acl consists of Owner and
|
|
AcessControlList. AccessControlList can contain some Grants.
|
|
By default, AccessControlList has only one Grant to allow FULL
|
|
CONTROLL to owner. Each Grant includes single pair with Grantee,
|
|
Permission. Grantee is the user (or user group) allowed the given
|
|
permission.
|
|
|
|
If you wanna get more information about S3's ACL model in detail,
|
|
please see official documentation here,
|
|
|
|
http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
|
|
|
|
"""
|
|
|
|
|
|
def encode_acl(resource, acl):
|
|
"""
|
|
Encode an ACL instance to Swift metadata.
|
|
|
|
Given a resource type and an ACL instance, this method returns HTTP
|
|
headers, which can be used for Swift metadata.
|
|
"""
|
|
header_value = {"Owner": acl.owner.id}
|
|
grants = []
|
|
for grant in acl.grants:
|
|
grant = {"Permission": grant.permission,
|
|
"Grantee": str(grant.grantee)}
|
|
grants.append(grant)
|
|
header_value.update({"Grant": grants})
|
|
headers = {}
|
|
key = sysmeta_header(resource, 'acl')
|
|
headers[key] = json.dumps(header_value, separators=(',', ':'))
|
|
|
|
return headers
|
|
|
|
|
|
def decode_acl(resource, headers):
|
|
"""
|
|
Decode Swift metadata to an ACL instance.
|
|
|
|
Given a resource type and HTTP headers, this method returns an ACL
|
|
instance.
|
|
"""
|
|
value = ''
|
|
|
|
key = sysmeta_header(resource, 'acl')
|
|
if key in headers:
|
|
value = headers[key]
|
|
|
|
if value == '':
|
|
# Fix me: In the case of value is empty or not dict instance,
|
|
# I want an instance of Owner as None.
|
|
# However, in the above process would occur error in reference
|
|
# to an instance variable of Owner.
|
|
return ACL(Owner(None, None), [])
|
|
|
|
try:
|
|
encode_value = json.loads(value)
|
|
if not isinstance(encode_value, dict):
|
|
return ACL(Owner(None, None), [])
|
|
|
|
id = None
|
|
name = None
|
|
grants = []
|
|
if 'Owner' in encode_value:
|
|
id = encode_value['Owner']
|
|
name = encode_value['Owner']
|
|
if 'Grant' in encode_value:
|
|
for grant in encode_value['Grant']:
|
|
grantee = None
|
|
# pylint: disable-msg=E1101
|
|
for group in Group.__subclasses__():
|
|
if group.__name__ == grant['Grantee']:
|
|
grantee = group()
|
|
if not grantee:
|
|
grantee = User(grant['Grantee'])
|
|
permission = grant['Permission']
|
|
grants.append(Grant(grantee, permission))
|
|
return ACL(Owner(id, name), grants)
|
|
except Exception as e:
|
|
LOGGER.debug(e)
|
|
pass
|
|
|
|
raise InvalidSubresource((resource, 'acl', value))
|
|
|
|
|
|
class Grantee(object):
|
|
"""
|
|
Base class for grantee.
|
|
|
|
:Definition (methods):
|
|
init -> create a Grantee instance
|
|
elem -> create an ElementTree from itself
|
|
|
|
:Definition (static methods):
|
|
from_header -> convert a grantee string in the HTTP header
|
|
to an Grantee instance.
|
|
from_elem -> convert a ElementTree to an Grantee instance.
|
|
|
|
TODO (not yet):
|
|
NOTE: Needs confirmation whether we really need these methods or not.
|
|
encode (method) -> create a JSON which includes whole own elements
|
|
encode_from_elem (static method) -> convert from an ElementTree to a JSON
|
|
elem_from_json (static method) -> convert from a JSON to an ElementTree
|
|
from_json (static method) -> convert a Json string to an Grantee instance.
|
|
"""
|
|
|
|
def __contains__(self, key):
|
|
"""
|
|
The key argument is a S3 user id. This method checks that the user id
|
|
belongs to this class.
|
|
"""
|
|
raise S3NotImplemented()
|
|
|
|
def elem(self):
|
|
"""
|
|
Get an etree element of this instance.
|
|
"""
|
|
raise S3NotImplemented()
|
|
|
|
@staticmethod
|
|
def from_elem(elem):
|
|
type = elem.get('{%s}type' % XMLNS_XSI)
|
|
if type == 'CanonicalUser':
|
|
value = elem.find('./ID').text
|
|
return User(value)
|
|
elif type == 'Group':
|
|
value = elem.find('./URI').text
|
|
subclass = get_group_subclass_from_uri(value)
|
|
return subclass()
|
|
elif type == 'AmazonCustomerByEmail':
|
|
raise S3NotImplemented()
|
|
else:
|
|
raise MalformedACLError()
|
|
|
|
@staticmethod
|
|
def from_header(grantee):
|
|
"""
|
|
Convert a grantee string in the HTTP header to an Grantee instance.
|
|
"""
|
|
type, value = grantee.split('=', 1)
|
|
value = value.strip('"\'')
|
|
if type == 'id':
|
|
return User(value)
|
|
elif type == 'emailAddress':
|
|
raise S3NotImplemented()
|
|
elif type == 'uri':
|
|
# retrun a subclass instance of Group class
|
|
subclass = get_group_subclass_from_uri(value)
|
|
return subclass()
|
|
else:
|
|
raise InvalidArgument(type, value,
|
|
'Argument format not recognized')
|
|
|
|
|
|
class User(Grantee):
|
|
"""
|
|
Canonical user class for S3 accounts.
|
|
"""
|
|
type = 'CanonicalUser'
|
|
|
|
def __init__(self, name):
|
|
self.id = name
|
|
self.display_name = name
|
|
|
|
def __contains__(self, key):
|
|
return key == self.id
|
|
|
|
def elem(self):
|
|
elem = Element('Grantee', nsmap={'xsi': XMLNS_XSI})
|
|
elem.set('{%s}type' % XMLNS_XSI, self.type)
|
|
SubElement(elem, 'ID').text = self.id
|
|
SubElement(elem, 'DisplayName').text = self.display_name
|
|
return elem
|
|
|
|
def __str__(self):
|
|
return self.display_name
|
|
|
|
|
|
class Owner(object):
|
|
"""
|
|
Owner class for S3 accounts
|
|
"""
|
|
def __init__(self, id, name):
|
|
self.id = id
|
|
self.name = name
|
|
|
|
|
|
def get_group_subclass_from_uri(uri):
|
|
"""
|
|
Convert a URI to one of the predefined groups.
|
|
"""
|
|
for group in Group.__subclasses__(): # pylint: disable-msg=E1101
|
|
if group.uri == uri:
|
|
return group
|
|
raise InvalidArgument('uri', uri, 'Invalid group uri')
|
|
|
|
|
|
class Group(Grantee):
|
|
"""
|
|
Base class for Amazon S3 Predefined Groups
|
|
"""
|
|
type = 'Group'
|
|
uri = ''
|
|
|
|
def __init__(self):
|
|
# Initialize method to clarify this has nothing to do
|
|
pass
|
|
|
|
def elem(self):
|
|
elem = Element('Grantee', nsmap={'xsi': XMLNS_XSI})
|
|
elem.set('{%s}type' % XMLNS_XSI, self.type)
|
|
SubElement(elem, 'URI').text = self.uri
|
|
|
|
return elem
|
|
|
|
def __str__(self):
|
|
return self.__class__.__name__
|
|
|
|
|
|
def canned_acl_grantees(bucket_owner, object_owner=None):
|
|
"""
|
|
A set of predefined grants supported by AWS S3.
|
|
"""
|
|
owner = object_owner or bucket_owner
|
|
|
|
return {
|
|
'private': [
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
'public-read': [
|
|
('READ', AllUsers()),
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
'public-read-write': [
|
|
('READ', AllUsers()),
|
|
('WRITE', AllUsers()),
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
'authenticated-read': [
|
|
('READ', AuthenticatedUsers()),
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
'bucket-owner-read': [
|
|
('READ', User(bucket_owner.name)),
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
'bucket-owner-full-control': [
|
|
('FULL_CONTROL', User(owner.name)),
|
|
('FULL_CONTROL', User(bucket_owner.name)),
|
|
],
|
|
'log-delivery-write': [
|
|
('WRITE', LogDelivery()),
|
|
('READ_ACP', LogDelivery()),
|
|
('FULL_CONTROL', User(owner.name)),
|
|
],
|
|
}
|
|
|
|
|
|
class AuthenticatedUsers(Group):
|
|
"""
|
|
This group represents all AWS accounts. Access permission to this group
|
|
allows any AWS account to access the resource. However, all requests must
|
|
be signed (authenticated).
|
|
"""
|
|
uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
|
|
|
|
def __contains__(self, key):
|
|
# Swift3 handles only signed requests.
|
|
return True
|
|
|
|
|
|
class AllUsers(Group):
|
|
"""
|
|
Access permission to this group allows anyone to access the resource. The
|
|
requests can be signed (authenticated) or unsigned (anonymous). Unsigned
|
|
requests omit the Authentication header in the request.
|
|
|
|
Note: Swift3 regards unsigned requests as Swift API accesses, and bypasses
|
|
them to Swift. As a result, AllUsers behaves completely same as
|
|
AuthenticatedUsers.
|
|
"""
|
|
uri = 'http://acs.amazonaws.com/groups/global/AllUsers'
|
|
|
|
def __contains__(self, key):
|
|
return True
|
|
|
|
|
|
class LogDelivery(Group):
|
|
"""
|
|
WRITE and READ_ACP permissions on a bucket enables this group to write
|
|
server access logs to the bucket.
|
|
"""
|
|
uri = 'http://acs.amazonaws.com/groups/s3/LogDelivery'
|
|
|
|
def __contains__(self, key):
|
|
if ':' in key:
|
|
tenant, user = key.split(':', 1)
|
|
else:
|
|
user = key
|
|
return user == LOG_DELIVERY_USER
|
|
|
|
|
|
class Grant(object):
|
|
"""
|
|
Grant Class which includes both Grantee and Permission
|
|
"""
|
|
|
|
def __init__(self, grantee, permission):
|
|
"""
|
|
:param grantee: a grantee class or its subclass
|
|
:param permission: string
|
|
"""
|
|
if permission.upper() not in PERMISSIONS:
|
|
raise S3NotImplemented()
|
|
if not isinstance(grantee, Grantee):
|
|
raise ValueError()
|
|
self.grantee = grantee
|
|
self.permission = permission
|
|
|
|
@classmethod
|
|
def from_elem(cls, elem):
|
|
"""
|
|
Convert an ElementTree to an ACL instance
|
|
"""
|
|
grantee = Grantee.from_elem(elem.find('./Grantee'))
|
|
permission = elem.find('./Permission').text
|
|
return cls(grantee, permission)
|
|
|
|
def elem(self):
|
|
"""
|
|
Create an etree element.
|
|
"""
|
|
elem = Element('Grant')
|
|
elem.append(self.grantee.elem())
|
|
SubElement(elem, 'Permission').text = self.permission
|
|
|
|
return elem
|
|
|
|
def allow(self, grantee, permission):
|
|
return permission == self.permission and grantee in self.grantee
|
|
|
|
|
|
class ACL(object):
|
|
"""
|
|
S3 ACL class.
|
|
|
|
Refs (S3 API - acl-overview:
|
|
http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html):
|
|
|
|
The sample ACL includes an Owner element identifying the owner via the
|
|
AWS account's canonical user ID. The Grant element identifies the grantee
|
|
(either an AWS account or a predefined group), and the permission granted.
|
|
This default ACL has one Grant element for the owner. You grant permissions
|
|
by adding Grant elements, each grant identifying the grantee and the
|
|
permission.
|
|
"""
|
|
metadata_name = 'acl'
|
|
root_tag = 'AccessControlPolicy'
|
|
max_xml_length = 200 * 1024
|
|
|
|
def __init__(self, owner, grants=[]):
|
|
"""
|
|
:param owner: Owner Class for ACL instance
|
|
"""
|
|
self.owner = owner
|
|
self.grants = grants
|
|
|
|
@classmethod
|
|
def from_elem(cls, elem):
|
|
"""
|
|
Convert an ElementTree to an ACL instance
|
|
"""
|
|
id = elem.find('./Owner/ID').text
|
|
try:
|
|
name = elem.find('./Owner/DisplayName').text
|
|
except AttributeError:
|
|
name = id
|
|
|
|
grants = [Grant.from_elem(e)
|
|
for e in elem.findall('./AccessControlList/Grant')]
|
|
return cls(Owner(id, name), grants)
|
|
|
|
def elem(self):
|
|
"""
|
|
Decode the value to an ACL instance.
|
|
"""
|
|
elem = Element(self.root_tag)
|
|
|
|
owner = SubElement(elem, 'Owner')
|
|
SubElement(owner, 'ID').text = self.owner.id
|
|
SubElement(owner, 'DisplayName').text = self.owner.name
|
|
|
|
SubElement(elem, 'AccessControlList').extend(
|
|
g.elem() for g in self.grants
|
|
)
|
|
|
|
return elem
|
|
|
|
def check_owner(self, user_id):
|
|
"""
|
|
Check that the user is an owner.
|
|
"""
|
|
if not CONF.s3_acl:
|
|
# Ignore Swift3 ACL.
|
|
return
|
|
|
|
if not self.owner.id:
|
|
if CONF.allow_no_owner:
|
|
# No owner means public.
|
|
return
|
|
raise AccessDenied()
|
|
|
|
if user_id != self.owner.id:
|
|
raise AccessDenied()
|
|
|
|
def check_permission(self, user_id, permission):
|
|
"""
|
|
Check that the user has a permission.
|
|
"""
|
|
if not CONF.s3_acl:
|
|
# Ignore Swift3 ACL.
|
|
return
|
|
|
|
try:
|
|
# owners have full control permission
|
|
self.check_owner(user_id)
|
|
return
|
|
except AccessDenied:
|
|
pass
|
|
|
|
if permission in PERMISSIONS:
|
|
for g in self.grants:
|
|
if g.allow(user_id, 'FULL_CONTROL') or \
|
|
g.allow(user_id, permission):
|
|
return
|
|
|
|
raise AccessDenied()
|
|
|
|
@classmethod
|
|
def from_headers(cls, headers, bucket_owner, object_owner=None,
|
|
as_private=True):
|
|
"""
|
|
Convert HTTP headers to an ACL instance.
|
|
"""
|
|
grants = []
|
|
try:
|
|
for key, value in headers.items():
|
|
if key.lower().startswith('x-amz-grant-'):
|
|
permission = key[len('x-amz-grant-'):]
|
|
permission = permission.upper().replace('-', '_')
|
|
if permission not in PERMISSIONS:
|
|
continue
|
|
for grantee in value.split(','):
|
|
grants.append(
|
|
Grant(Grantee.from_header(grantee), permission))
|
|
|
|
if 'x-amz-acl' in headers:
|
|
try:
|
|
acl = headers['x-amz-acl']
|
|
if len(grants) > 0:
|
|
err_msg = 'Specifying both Canned ACLs and Header ' \
|
|
'Grants is not allowed'
|
|
raise InvalidRequest(err_msg)
|
|
grantees = canned_acl_grantees(
|
|
bucket_owner, object_owner)[acl]
|
|
for permission, grantee in grantees:
|
|
grants.append(Grant(grantee, permission))
|
|
except KeyError:
|
|
# expects canned_acl_grantees()[] raises KeyError
|
|
raise InvalidArgument('x-amz-acl', headers['x-amz-acl'])
|
|
except (KeyError, ValueError):
|
|
# TODO: think about we really catch this except sequence
|
|
raise InvalidRequest()
|
|
|
|
if len(grants) == 0:
|
|
# No ACL headers
|
|
if as_private:
|
|
return ACLPrivate(bucket_owner, object_owner)
|
|
else:
|
|
return None
|
|
|
|
return cls(object_owner or bucket_owner, grants)
|
|
|
|
|
|
class CannedACL(object):
|
|
"""
|
|
A dict-like object that returns canned ACL.
|
|
"""
|
|
def __getitem__(self, key):
|
|
def acl(key, bucket_owner, object_owner=None):
|
|
grants = []
|
|
grantees = canned_acl_grantees(bucket_owner, object_owner)[key]
|
|
for permission, grantee in grantees:
|
|
grants.append(Grant(grantee, permission))
|
|
return ACL(object_owner or bucket_owner, grants)
|
|
|
|
return partial(acl, key)
|
|
|
|
|
|
canned_acl = CannedACL()
|
|
|
|
ACLPrivate = canned_acl['private']
|
|
ACLPublicRead = canned_acl['public-read']
|
|
ACLPublicReadWrite = canned_acl['public-read-write']
|
|
ACLAuthenticatedRead = canned_acl['authenticated-read']
|
|
ACLBucketOwnerRead = canned_acl['bucket-owner-read']
|
|
ACLBucketOwnerFullControl = canned_acl['bucket-owner-full-control']
|
|
ACLLogDeliveryWrite = canned_acl['log-delivery-write']
|