s3fs-fuse/src/s3fs_cred.cpp

1059 lines
32 KiB
C++
Raw Normal View History

/*
* s3fs - FUSE-based file system backed by Amazon S3
*
* Copyright(C) 2007 Randy Rizun <rrizun@gmail.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#include <fstream>
#include <sstream>
#include "common.h"
#include "s3fs.h"
#include "s3fs_cred.h"
#include "curl.h"
#include "string_util.h"
#include "metaheader.h"
//-------------------------------------------------------------------
// Symbols
//-------------------------------------------------------------------
#define DEFAULT_AWS_PROFILE_NAME "default"
//-------------------------------------------------------------------
// Class Variables
//-------------------------------------------------------------------
const char* S3fsCred::ALLBUCKET_FIELDS_TYPE = "";
const char* S3fsCred::KEYVAL_FIELDS_TYPE = "\t";
const char* S3fsCred::AWS_ACCESSKEYID = "AWSAccessKeyId";
const char* S3fsCred::AWS_SECRETKEY = "AWSSecretKey";
const int S3fsCred::IAM_EXPIRE_MERGIN = 20 * 60; // update timing
const char* S3fsCred::ECS_IAM_ENV_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
const char* S3fsCred::IAMCRED_ACCESSKEYID = "AccessKeyId";
const char* S3fsCred::IAMCRED_SECRETACCESSKEY = "SecretAccessKey";
const char* S3fsCred::IAMCRED_ROLEARN = "RoleArn";
const char* S3fsCred::IAMv2_token_url = "http://169.254.169.254/latest/api/token";
int S3fsCred::IAMv2_token_ttl = 21600;
const char* S3fsCred::IAMv2_token_ttl_hdr = "X-aws-ec2-metadata-token-ttl-seconds";
const char* S3fsCred::IAMv2_token_hdr = "X-aws-ec2-metadata-token";
std::string S3fsCred::bucket_name;
//-------------------------------------------------------------------
// Class Methods
//-------------------------------------------------------------------
bool S3fsCred::SetBucket(const char* bucket)
{
if(!bucket || strlen(bucket) == 0){
return false;
}
S3fsCred::bucket_name = bucket;
return true;
}
const std::string& S3fsCred::GetBucket()
{
return S3fsCred::bucket_name;
}
bool S3fsCred::ParseIAMRoleFromMetaDataResponse(const char* response, std::string& rolename)
{
if(!response){
return false;
}
// [NOTE]
// expected following strings.
//
// myrolename
//
std::istringstream ssrole(response);
std::string oneline;
if (getline(ssrole, oneline, '\n')){
rolename = oneline;
return !rolename.empty();
}
return false;
}
//-------------------------------------------------------------------
// Methods : Constructor / Destructor
//-------------------------------------------------------------------
S3fsCred::S3fsCred() :
passwd_file(""),
aws_profile(DEFAULT_AWS_PROFILE_NAME),
load_iamrole(false),
AWSAccessKeyId(""),
AWSSecretAccessKey(""),
AWSAccessToken(""),
AWSAccessTokenExpire(0),
is_ecs(false),
is_use_session_token(false),
is_ibm_iam_auth(false),
IAM_cred_url("http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
IAM_api_version(2),
IAMv2_api_token(""),
IAM_field_count(4),
IAM_token_field("Token"),
IAM_expiry_field("Expiration"),
IAM_role("")
{
}
S3fsCred::~S3fsCred()
{
}
//-------------------------------------------------------------------
// Methods : Access member variables
//-------------------------------------------------------------------
bool S3fsCred::SetS3fsPasswdFile(const char* file)
{
if(!file || strlen(file) == 0){
return false;
}
passwd_file = file;
return true;
}
bool S3fsCred::IsSetPasswdFile()
{
return !passwd_file.empty();
}
bool S3fsCred::SetAwsProfileName(const char* name)
{
if(!name || strlen(name) == 0){
return false;
}
aws_profile = name;
return true;
}
bool S3fsCred::SetIAMRoleMetadataType(bool flag)
{
bool old = load_iamrole;
load_iamrole = flag;
return old;
}
bool S3fsCred::SetAccessKey(const char* AccessKeyId, const char* SecretAccessKey)
{
if((!is_ibm_iam_auth && (!AccessKeyId || '\0' == AccessKeyId[0])) || !SecretAccessKey || '\0' == SecretAccessKey[0]){
return false;
}
AWSAccessKeyId = AccessKeyId;
AWSSecretAccessKey = SecretAccessKey;
return true;
}
bool S3fsCred::SetAccessKeyWithSessionToken(const char* AccessKeyId, const char* SecretAccessKey, const char * SessionToken)
{
bool access_key_is_empty = !AccessKeyId || '\0' == AccessKeyId[0];
bool secret_access_key_is_empty = !SecretAccessKey || '\0' == SecretAccessKey[0];
bool session_token_is_empty = !SessionToken || '\0' == SessionToken[0];
if((!is_ibm_iam_auth && access_key_is_empty) || secret_access_key_is_empty || session_token_is_empty){
return false;
}
AWSAccessKeyId = AccessKeyId;
AWSSecretAccessKey = SecretAccessKey;
AWSAccessToken = SessionToken;
is_use_session_token= true;
return true;
}
bool S3fsCred::IsSetAccessKeys() const
{
return !IAM_role.empty() || ((!AWSAccessKeyId.empty() || is_ibm_iam_auth) && !AWSSecretAccessKey.empty());
}
bool S3fsCred::SetIsECS(bool flag)
{
bool old = is_ecs;
is_ecs = flag;
return old;
}
bool S3fsCred::SetIsUseSessionToken(bool flag)
{
bool old = is_use_session_token;
is_use_session_token = flag;
return old;
}
bool S3fsCred::SetIsIBMIAMAuth(bool flag)
{
bool old = is_ibm_iam_auth;
is_ibm_iam_auth = flag;
return old;
}
std::string S3fsCred::SetIAMRole(const char* role)
{
std::string old = IAM_role;
IAM_role = role ? role : "";
return old;
}
size_t S3fsCred::SetIAMFieldCount(size_t field_count)
{
size_t old = IAM_field_count;
IAM_field_count = field_count;
return old;
}
std::string S3fsCred::SetIAMCredentialsURL(const char* url)
{
std::string old = IAM_cred_url;
IAM_cred_url = url ? url : "";
return old;
}
std::string S3fsCred::SetIAMTokenField(const char* token_field)
{
std::string old = IAM_token_field;
IAM_token_field = token_field ? token_field : "";
return old;
}
std::string S3fsCred::SetIAMExpiryField(const char* expiry_field)
{
std::string old = IAM_expiry_field;
IAM_expiry_field = expiry_field ? expiry_field : "";
return old;
}
int S3fsCred::SetIMDSVersion(int version)
{
int old = IAM_api_version;
IAM_api_version = version;
return old;
}
bool S3fsCred::SetIAMv2APIToken(const char* response)
{
S3FS_PRN_INFO3("Setting AWS IMDSv2 API token to %s", response ? response : "(null)");
if(!response){
return false;
}
IAMv2_api_token = std::string(response);
return true;
}
bool S3fsCred::SetIAMCredentials(const char* response)
{
S3FS_PRN_INFO3("IAM credential response = \"%s\"", response);
iamcredmap_t keyval;
if(!ParseIAMCredentialResponse(response, keyval)){
return false;
}
if(IAM_field_count != keyval.size()){
return false;
}
AWSAccessToken = keyval[IAM_token_field];
if(is_ibm_iam_auth){
off_t tmp_expire = 0;
if(!s3fs_strtoofft(&tmp_expire, keyval[IAM_expiry_field].c_str(), /*base=*/ 10)){
return false;
}
AWSAccessTokenExpire = static_cast<time_t>(tmp_expire);
}else{
AWSAccessKeyId = keyval[std::string(S3fsCred::IAMCRED_ACCESSKEYID)];
AWSSecretAccessKey = keyval[std::string(S3fsCred::IAMCRED_SECRETACCESSKEY)];
AWSAccessTokenExpire = cvtIAMExpireStringToTime(keyval[IAM_expiry_field].c_str());
}
return true;
}
bool S3fsCred::SetIAMRoleFromMetaData(const char* response)
{
S3FS_PRN_INFO3("IAM role name response = \"%s\"", response ? response : "(null)");
std::string rolename;
if(!S3fsCred::ParseIAMRoleFromMetaDataResponse(response, rolename)){
return false;
}
SetIAMRole(rolename.c_str());
return true;
}
//-------------------------------------------------------------------
// Methods : for Credentials
//-------------------------------------------------------------------
//
// Check passwd file readable
//
bool S3fsCred::IsReadableS3fsPasswdFile()
{
if(passwd_file.empty()){
return false;
}
std::ifstream PF(passwd_file.c_str());
if(!PF.good()){
return false;
}
PF.close();
return true;
}
//
// S3fsCred::CheckS3fsPasswdFilePerms
//
// expect that global passwd_file variable contains
// a non-empty value and is readable by the current user
//
// Check for too permissive access to the file
// help save users from themselves via a security hole
//
// only two options: return or error out
//
bool S3fsCred::CheckS3fsPasswdFilePerms()
{
struct stat info;
// let's get the file info
if(stat(passwd_file.c_str(), &info) != 0){
S3FS_PRN_EXIT("unexpected error from stat(%s).", passwd_file.c_str());
return false;
}
// Check readable
if(!IsReadableS3fsPasswdFile()){
S3FS_PRN_EXIT("S3fs passwd file \"%s\" is not readable.", passwd_file.c_str());
return false;
}
// return error if any file has others permissions
if( (info.st_mode & S_IROTH) ||
(info.st_mode & S_IWOTH) ||
(info.st_mode & S_IXOTH)) {
S3FS_PRN_EXIT("credentials file %s should not have others permissions.", passwd_file.c_str());
return false;
}
// Any local file should not have any group permissions
// /etc/passwd-s3fs can have group permissions
if(passwd_file != "/etc/passwd-s3fs"){
if( (info.st_mode & S_IRGRP) ||
(info.st_mode & S_IWGRP) ||
(info.st_mode & S_IXGRP)) {
S3FS_PRN_EXIT("credentials file %s should not have group permissions.", passwd_file.c_str());
return false;
}
}else{
// "/etc/passwd-s3fs" does not allow group write.
if((info.st_mode & S_IWGRP)){
S3FS_PRN_EXIT("credentials file %s should not have group writable permissions.", passwd_file.c_str());
return false;
}
}
if((info.st_mode & S_IXUSR) || (info.st_mode & S_IXGRP)){
S3FS_PRN_EXIT("credentials file %s should not have executable permissions.", passwd_file.c_str());
return false;
}
return true;
}
//
// Read and Parse passwd file
//
// The line of the password file is one of the following formats:
// (1) "accesskey:secretkey" : AWS format for default(all) access key/secret key
// (2) "bucket:accesskey:secretkey" : AWS format for bucket's access key/secret key
// (3) "key=value" : Content-dependent KeyValue contents
//
// This function sets result into bucketkvmap_t, it bucket name and key&value mapping.
// If bucket name is empty(1 or 3 format), bucket name for mapping is set "\t" or "".
//
// Return: true - Succeed parsing
// false - Should shutdown immediately
//
bool S3fsCred::ParseS3fsPasswdFile(bucketkvmap_t& resmap)
{
std::string line;
size_t first_pos;
readline_t linelist;
readline_t::iterator iter;
// open passwd file
std::ifstream PF(passwd_file.c_str());
if(!PF.good()){
S3FS_PRN_EXIT("could not open passwd file : %s", passwd_file.c_str());
2022-02-19 09:30:38 +00:00
return false;
}
// read each line
while(getline(PF, line)){
line = trim(line);
if(line.empty()){
continue;
}
if('#' == line[0]){
continue;
}
if(std::string::npos != line.find_first_of(" \t")){
S3FS_PRN_EXIT("invalid line in passwd file, found whitespace character.");
2022-02-19 09:30:38 +00:00
return false;
}
if('[' == line[0]){
S3FS_PRN_EXIT("invalid line in passwd file, found a bracket \"[\" character.");
2022-02-19 09:30:38 +00:00
return false;
}
linelist.push_back(line);
}
// read '=' type
kvmap_t kv;
for(iter = linelist.begin(); iter != linelist.end(); ++iter){
first_pos = iter->find_first_of('=');
if(first_pos == std::string::npos){
continue;
}
// formatted by "key=val"
std::string key = trim(iter->substr(0, first_pos));
std::string val = trim(iter->substr(first_pos + 1, std::string::npos));
if(key.empty()){
continue;
}
if(kv.end() != kv.find(key)){
S3FS_PRN_WARN("same key name(%s) found in passwd file, skip this.", key.c_str());
continue;
}
kv[key] = val;
}
// set special key name
resmap[S3fsCred::KEYVAL_FIELDS_TYPE] = kv;
// read ':' type
for(iter = linelist.begin(); iter != linelist.end(); ++iter){
first_pos = iter->find_first_of(':');
size_t last_pos = iter->find_last_of(':');
if(first_pos == std::string::npos){
continue;
}
std::string bucketname;
std::string accesskey;
std::string secret;
if(first_pos != last_pos){
// formatted by "bucket:accesskey:secretkey"
bucketname= trim(iter->substr(0, first_pos));
accesskey = trim(iter->substr(first_pos + 1, last_pos - first_pos - 1));
secret = trim(iter->substr(last_pos + 1, std::string::npos));
}else{
// formatted by "accesskey:secretkey"
bucketname= S3fsCred::ALLBUCKET_FIELDS_TYPE;
accesskey = trim(iter->substr(0, first_pos));
secret = trim(iter->substr(first_pos + 1, std::string::npos));
}
if(resmap.end() != resmap.find(bucketname)){
S3FS_PRN_EXIT("there are multiple entries for the same bucket(%s) in the passwd file.", (bucketname.empty() ? "default" : bucketname.c_str()));
2022-02-19 09:30:38 +00:00
return false;
}
kv.clear();
kv[S3fsCred::AWS_ACCESSKEYID] = accesskey;
kv[S3fsCred::AWS_SECRETKEY] = secret;
resmap[bucketname] = kv;
}
return true;
}
//
// ReadS3fsPasswdFile
//
// Support for per bucket credentials
//
// Format for the credentials file:
// [bucket:]AccessKeyId:SecretAccessKey
//
// Lines beginning with # are considered comments
// and ignored, as are empty lines
//
// Uncommented lines without the ":" character are flagged as
// an error, so are lines with spaces or tabs
//
// only one default key pair is allowed, but not required
//
bool S3fsCred::ReadS3fsPasswdFile()
{
bucketkvmap_t bucketmap;
kvmap_t keyval;
// if you got here, the password file
// exists and is readable by the
// current user, check for permissions
if(!CheckS3fsPasswdFilePerms()){
return false;
}
//
// parse passwd file
//
if(!ParseS3fsPasswdFile(bucketmap)){
return false;
}
//
// check key=value type format.
//
bucketkvmap_t::iterator it = bucketmap.find(S3fsCred::KEYVAL_FIELDS_TYPE);
if(bucketmap.end() != it){
// aws format
int result = CheckS3fsCredentialAwsFormat(it->second);
if(-1 == result){
return false;
}else if(1 == result){
// success to set
return true;
}
}
std::string bucket_key = S3fsCred::ALLBUCKET_FIELDS_TYPE;
if(!S3fsCred::bucket_name.empty() && bucketmap.end() != bucketmap.find(S3fsCred::bucket_name)){
bucket_key = S3fsCred::bucket_name;
}
it = bucketmap.find(bucket_key);
if(bucketmap.end() == it){
S3FS_PRN_EXIT("Not found access key/secret key in passwd file.");
return false;
}
keyval = it->second;
kvmap_t::iterator aws_accesskeyid_it = keyval.find(S3fsCred::AWS_ACCESSKEYID);
kvmap_t::iterator aws_secretkey_it = keyval.find(S3fsCred::AWS_SECRETKEY);
if(keyval.end() == aws_accesskeyid_it || keyval.end() == aws_secretkey_it){
S3FS_PRN_EXIT("Not found access key/secret key in passwd file.");
return false;
}
if(!SetAccessKey(aws_accesskeyid_it->second.c_str(), aws_secretkey_it->second.c_str())){
S3FS_PRN_EXIT("failed to set internal data for access key/secret key from passwd file.");
return false;
}
return true;
}
//
// Return: 1 - OK(could read and set accesskey etc.)
// 0 - NG(could not read)
// -1 - Should shutdown immediately
//
int S3fsCred::CheckS3fsCredentialAwsFormat(const kvmap_t& kvmap)
{
std::string str1(S3fsCred::AWS_ACCESSKEYID);
std::string str2(S3fsCred::AWS_SECRETKEY);
if(kvmap.empty()){
return 0;
}
kvmap_t::const_iterator str1_it = kvmap.find(str1);
kvmap_t::const_iterator str2_it = kvmap.find(str2);
if(kvmap.end() == str1_it && kvmap.end() == str2_it){
return 0;
}
if(kvmap.end() == str1_it || kvmap.end() == str2_it){
S3FS_PRN_EXIT("AWSAccesskey or AWSSecretkey is not specified.");
return -1;
}
if(!SetAccessKey(str1_it->second.c_str(), str2_it->second.c_str())){
S3FS_PRN_EXIT("failed to set access key/secret key.");
return -1;
}
return 1;
}
//
// Read Aws Credential File
//
bool S3fsCred::ReadAwsCredentialFile(const std::string &filename)
{
// open passwd file
std::ifstream PF(filename.c_str());
if(!PF.good()){
return false;
}
std::string profile;
std::string accesskey;
std::string secret;
std::string session_token;
// read each line
std::string line;
while(getline(PF, line)){
line = trim(line);
if(line.empty()){
continue;
}
if('#' == line[0]){
continue;
}
if(line.size() > 2 && line[0] == '[' && line[line.size() - 1] == ']') {
if(profile == aws_profile){
break;
}
profile = line.substr(1, line.size() - 2);
accesskey.clear();
secret.clear();
session_token.clear();
}
size_t pos = line.find_first_of('=');
if(pos == std::string::npos){
continue;
}
std::string key = trim(line.substr(0, pos));
std::string value = trim(line.substr(pos + 1, std::string::npos));
if(key == "aws_access_key_id"){
accesskey = value;
}else if(key == "aws_secret_access_key"){
secret = value;
}else if(key == "aws_session_token"){
session_token = value;
}
}
if(profile != aws_profile){
return false;
}
if(session_token.empty()){
if(is_use_session_token){
S3FS_PRN_EXIT("AWS session token was expected but wasn't provided in aws/credentials file for profile: %s.", aws_profile.c_str());
return false;
}
if(!SetAccessKey(accesskey.c_str(), secret.c_str())){
S3FS_PRN_EXIT("failed to set internal data for access key/secret key from aws credential file.");
return false;
}
}else{
if(!SetAccessKeyWithSessionToken(accesskey.c_str(), secret.c_str(), session_token.c_str())){
S3FS_PRN_EXIT("session token is invalid.");
return false;
}
}
return true;
}
//
// InitialS3fsCredentials
//
// called only when were are not mounting a
// public bucket
//
// Here is the order precedence for getting the
// keys:
//
// 1 - from the command line (security risk)
// 2 - from a password file specified on the command line
// 3 - from environment variables
// 3a - from the AWS_CREDENTIAL_FILE environment variable
// 3b - from ${HOME}/.aws/credentials
// 4 - from the users ~/.passwd-s3fs
// 5 - from /etc/passwd-s3fs
//
bool S3fsCred::InitialS3fsCredentials()
{
// should be redundant
if(S3fsCurl::IsPublicBucket()){
return true;
}
// access key loading is deferred
if(load_iamrole || is_ecs){
return true;
}
// 1 - keys specified on the command line
if(IsSetAccessKeys()){
return true;
}
// 2 - was specified on the command line
if(IsSetPasswdFile()){
if(!ReadS3fsPasswdFile()){
2022-02-19 09:30:38 +00:00
return false;
}
return true;
}
// 3 - environment variables
char* AWSACCESSKEYID = getenv("AWS_ACCESS_KEY_ID") ? getenv("AWS_ACCESS_KEY_ID") : getenv("AWSACCESSKEYID");
char* AWSSECRETACCESSKEY = getenv("AWS_SECRET_ACCESS_KEY") ? getenv("AWS_SECRET_ACCESS_KEY") : getenv("AWSSECRETACCESSKEY");
char* AWSSESSIONTOKEN = getenv("AWS_SESSION_TOKEN") ? getenv("AWS_SESSION_TOKEN") : getenv("AWSSESSIONTOKEN");
if(AWSACCESSKEYID != NULL || AWSSECRETACCESSKEY != NULL){
if( (AWSACCESSKEYID == NULL && AWSSECRETACCESSKEY != NULL) ||
(AWSACCESSKEYID != NULL && AWSSECRETACCESSKEY == NULL) ){
S3FS_PRN_EXIT("both environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together.");
2022-02-19 09:30:38 +00:00
return false;
}
S3FS_PRN_INFO2("access key from env variables");
if(AWSSESSIONTOKEN != NULL){
S3FS_PRN_INFO2("session token is available");
if(!SetAccessKeyWithSessionToken(AWSACCESSKEYID, AWSSECRETACCESSKEY, AWSSESSIONTOKEN)){
S3FS_PRN_EXIT("session token is invalid.");
2022-02-19 09:30:38 +00:00
return false;
}
}else{
S3FS_PRN_INFO2("session token is not available");
if(is_use_session_token){
S3FS_PRN_EXIT("environment variable AWS_SESSION_TOKEN is expected to be set.");
2022-02-19 09:30:38 +00:00
return false;
}
}
if(!SetAccessKey(AWSACCESSKEYID, AWSSECRETACCESSKEY)){
S3FS_PRN_EXIT("if one access key is specified, both keys need to be specified.");
2022-02-19 09:30:38 +00:00
return false;
}
return true;
}
// 3a - from the AWS_CREDENTIAL_FILE environment variable
char* AWS_CREDENTIAL_FILE = getenv("AWS_CREDENTIAL_FILE");
if(AWS_CREDENTIAL_FILE != NULL){
passwd_file = AWS_CREDENTIAL_FILE;
2022-02-19 09:30:38 +00:00
if(IsSetPasswdFile()){
if(!IsReadableS3fsPasswdFile()){
S3FS_PRN_EXIT("AWS_CREDENTIAL_FILE: \"%s\" is not readable.", passwd_file.c_str());
return false;
}
if(!ReadS3fsPasswdFile()){
2022-02-19 09:30:38 +00:00
return false;
}
return true;
}
}
// 3b - check ${HOME}/.aws/credentials
std::string aws_credentials = std::string(getpwuid(getuid())->pw_dir) + "/.aws/credentials";
if(ReadAwsCredentialFile(aws_credentials)){
return true;
}else if(aws_profile != DEFAULT_AWS_PROFILE_NAME){
S3FS_PRN_EXIT("Could not find profile: %s in file: %s", aws_profile.c_str(), aws_credentials.c_str());
2022-02-19 09:30:38 +00:00
return false;
}
// 4 - from the default location in the users home directory
char* HOME = getenv("HOME");
if(HOME != NULL){
passwd_file = HOME;
passwd_file += "/.passwd-s3fs";
if(IsReadableS3fsPasswdFile()){
if(!ReadS3fsPasswdFile()){
2022-02-19 09:30:38 +00:00
return false;
}
// It is possible that the user's file was there but
// contained no key pairs i.e. commented out
// in that case, go look in the final location
if(IsSetAccessKeys()){
return true;
}
}
}
// 5 - from the system default location
passwd_file = "/etc/passwd-s3fs";
if(IsReadableS3fsPasswdFile()){
if(!ReadS3fsPasswdFile()){
2022-02-19 09:30:38 +00:00
return false;
}
return true;
}
S3FS_PRN_EXIT("could not determine how to establish security credentials.");
2022-02-19 09:30:38 +00:00
return false;
}
//-------------------------------------------------------------------
// Methods : for IAM
//-------------------------------------------------------------------
bool S3fsCred::ParseIAMCredentialResponse(const char* response, iamcredmap_t& keyval)
{
if(!response){
return false;
}
std::istringstream sscred(response);
std::string oneline;
keyval.clear();
while(getline(sscred, oneline, ',')){
std::string::size_type pos;
std::string key;
std::string val;
if(std::string::npos != (pos = oneline.find(S3fsCred::IAMCRED_ACCESSKEYID))){
key = S3fsCred::IAMCRED_ACCESSKEYID;
}else if(std::string::npos != (pos = oneline.find(S3fsCred::IAMCRED_SECRETACCESSKEY))){
key = S3fsCred::IAMCRED_SECRETACCESSKEY;
}else if(std::string::npos != (pos = oneline.find(IAM_token_field))){
key = IAM_token_field;
}else if(std::string::npos != (pos = oneline.find(IAM_expiry_field))){
key = IAM_expiry_field;
}else if(std::string::npos != (pos = oneline.find(S3fsCred::IAMCRED_ROLEARN))){
key = S3fsCred::IAMCRED_ROLEARN;
}else{
continue;
}
if(std::string::npos == (pos = oneline.find(':', pos + key.length()))){
continue;
}
if(is_ibm_iam_auth && key == IAM_expiry_field){
// parse integer value
if(std::string::npos == (pos = oneline.find_first_of("0123456789", pos))){
continue;
}
oneline.erase(0, pos);
if(std::string::npos == (pos = oneline.find_last_of("0123456789"))){
continue;
}
val = oneline.substr(0, pos+1);
}else{
// parse std::string value (starts and ends with quotes)
if(std::string::npos == (pos = oneline.find('\"', pos))){
continue;
}
oneline.erase(0, pos+1);
if(std::string::npos == (pos = oneline.find('\"'))){
continue;
}
val = oneline.substr(0, pos);
}
keyval[key] = val;
}
return true;
}
bool S3fsCred::CheckIAMCredentialUpdate()
{
if(IAM_role.empty() && !is_ecs && !is_ibm_iam_auth){
return true;
}
if(time(NULL) + S3fsCred::IAM_EXPIRE_MERGIN <= AWSAccessTokenExpire){
return true;
}
S3FS_PRN_INFO("IAM Access Token refreshing...");
// update
S3fsCurl s3fscurl;
if(0 != s3fscurl.GetIAMCredentials()){
S3FS_PRN_ERR("IAM Access Token refresh failed");
return false;
}
S3FS_PRN_INFO("IAM Access Token refreshed");
return true;
}
//-------------------------------------------------------------------
// Methods: Option detection
//-------------------------------------------------------------------
// return value: 1 = Not processed as it is not a option for this class
// 0 = The option was detected and processed appropriately
// -1 = Processing cannot be continued because a fatal error was detected
//
int S3fsCred::DetectParam(const char* arg)
{
if(!arg){
S3FS_PRN_EXIT("parameter arg is empty(null)");
return -1;
}
if(is_prefix(arg, "passwd_file=")){
SetS3fsPasswdFile(strchr(arg, '=') + sizeof(char));
return 0;
}
if(0 == strcmp(arg, "ibm_iam_auth")){
SetIsIBMIAMAuth(true);
SetIAMCredentialsURL("https://iam.cloud.ibm.com/identity/token");
SetIAMTokenField("\"access_token\"");
SetIAMExpiryField("\"expiration\"");
SetIAMFieldCount(2);
SetIMDSVersion(1);
return 0;
}
if(0 == strcmp(arg, "use_session_token")){
SetIsUseSessionToken(true);
return 0;
}
if(is_prefix(arg, "ibm_iam_endpoint=")){
std::string endpoint_url;
const char* iam_endpoint = strchr(arg, '=') + sizeof(char);
// Check url for http / https protocol std::string
if(!is_prefix(iam_endpoint, "https://") && !is_prefix(iam_endpoint, "http://")){
S3FS_PRN_EXIT("option ibm_iam_endpoint has invalid format, missing http / https protocol");
return -1;
}
endpoint_url = std::string(iam_endpoint) + "/identity/token";
SetIAMCredentialsURL(endpoint_url.c_str());
return 0;
}
if(0 == strcmp(arg, "imdsv1only")){
SetIMDSVersion(1);
return 0;
}
if(0 == strcmp(arg, "ecs")){
if(IsIBMIAMAuth()){
S3FS_PRN_EXIT("option ecs cannot be used in conjunction with ibm");
return -1;
}
SetIsECS(true);
SetIMDSVersion(1);
SetIAMCredentialsURL("http://169.254.170.2");
SetIAMFieldCount(5);
return 0;
}
if(is_prefix(arg, "iam_role")){
if(IsECS() || IsIBMIAMAuth()){
S3FS_PRN_EXIT("option iam_role cannot be used in conjunction with ecs or ibm");
return -1;
}
if(0 == strcmp(arg, "iam_role") || 0 == strcmp(arg, "iam_role=auto")){
// loading IAM role name in s3fs_init(), because we need to wait initializing curl.
//
SetIAMRoleMetadataType(true);
return 0;
}else if(is_prefix(arg, "iam_role=")){
const char* role = strchr(arg, '=') + sizeof(char);
SetIAMRole(role);
SetIAMRoleMetadataType(false);
return 0;
}
}
if(is_prefix(arg, "profile=")){
SetAwsProfileName(strchr(arg, '=') + sizeof(char));
return 0;
}
return 1;
}
//-------------------------------------------------------------------
// Methods : check parameters
//-------------------------------------------------------------------
//
// Checking forbidden parameters for bucket
//
bool S3fsCred::CheckForbiddenBucketParams()
{
// The first plain argument is the bucket
if(bucket_name.empty()){
S3FS_PRN_EXIT("missing BUCKET argument.");
return false;
}
// bucket names cannot contain upper case characters in virtual-hosted style
if(!pathrequeststyle && (lower(bucket_name) != bucket_name)){
S3FS_PRN_EXIT("BUCKET %s, name not compatible with virtual-hosted style.", bucket_name.c_str());
return false;
}
// check bucket name for illegal characters
size_t found = bucket_name.find_first_of("/:\\;!@#$%^&*?|+=");
if(found != std::string::npos){
S3FS_PRN_EXIT("BUCKET %s -- bucket name contains an illegal character.", bucket_name.c_str());
return false;
}
if(!pathrequeststyle && is_prefix(s3host.c_str(), "https://") && bucket_name.find_first_of('.') != std::string::npos) {
S3FS_PRN_EXIT("BUCKET %s -- cannot mount bucket with . while using HTTPS without use_path_request_style", bucket_name.c_str());
return false;
}
return true;
}
//
// Check the combination of parameters
//
bool S3fsCred::CheckAllParams()
{
//
// Checking forbidden parameters for bucket
//
if(!CheckForbiddenBucketParams()){
return false;
}
// error checking of command line arguments for compatibility
if(S3fsCurl::IsPublicBucket() && IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both public_bucket and the access keys options is invalid.");
return false;
}
2022-02-19 09:30:38 +00:00
if(IsSetPasswdFile() && IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid.");
return false;
}
if(!S3fsCurl::IsPublicBucket() && !IsIAMRoleMetadataType() && !IsECS()){
if(!InitialS3fsCredentials()){
return false;
}
if(!IsSetAccessKeys()){
S3FS_PRN_EXIT("could not establish security credentials, check documentation.");
return false;
}
// More error checking on the access key pair can be done
// like checking for appropriate lengths and characters
}
// check IBM IAM requirements
if(IsIBMIAMAuth()){
// check that default ACL is either public-read or private
acl_t defaultACL = S3fsCurl::GetDefaultAcl();
if(defaultACL != acl_t::PRIVATE && defaultACL != acl_t::PUBLIC_READ){
S3FS_PRN_EXIT("can only use 'public-read' or 'private' ACL while using ibm_iam_auth");
return false;
}
}
return true;
}
/*
* Local variables:
* tab-width: 4
* c-basic-offset: 4
* End:
* vim600: expandtab sw=4 ts=4 fdm=marker
* vim<600: expandtab sw=4 ts=4
*/