octoleo/s3fs-fuse
1
0
Fork 0
mirror of https://github.com/s3fs-fuse/s3fs-fuse.git synced 2024-06-06 11:00:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Moved parameter analysis processing to S3fsCred class

Browse Source
This commit is contained in:
Takeshi Nakatani 2022-02-16 11:24:06 +00:00 committed by Andrew Gaul
parent b9e2be5c21
commit b64dc7749c
3 changed files with 174 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
src/s3fs.cpp
View File

@ -3964,72 +3964,13 @@ static int my_fuse_opt_proc(void* data, const char* arg, int key, struct fuse_ar
}
return 0;
}
if(is_prefix(arg, "passwd_file=")){
ps3fscred->SetS3fsPasswdFile(strchr(arg, '=') + sizeof(char));
return 0;
}
if(0 == strcmp(arg, "ibm_iam_auth")){
ps3fscred->SetIsIBMIAMAuth(true);
ps3fscred->SetIAMCredentialsURL("https://iam.cloud.ibm.com/identity/token");
ps3fscred->SetIAMTokenField("\"access_token\"");
ps3fscred->SetIAMExpiryField("\"expiration\"");
ps3fscred->SetIAMFieldCount(2);
ps3fscred->SetIMDSVersion(1);
ps3fscred->SetIsIBMIAMAuth(true);
return 0;
}
if (0 == strcmp(arg, "use_session_token")) {
ps3fscred->SetIsUseSessionToken(true);
return 0;
}
if(is_prefix(arg, "ibm_iam_endpoint=")){
std::string endpoint_url;
const char *iam_endpoint = strchr(arg, '=') + sizeof(char);
// Check url for http / https protocol std::string
if(!is_prefix(iam_endpoint, "https://") && !is_prefix(iam_endpoint, "http://")) {
S3FS_PRN_EXIT("option ibm_iam_endpoint has invalid format, missing http / https protocol");
return -1;
}
endpoint_url = std::string(iam_endpoint) + "/identity/token";
ps3fscred->SetIAMCredentialsURL(endpoint_url.c_str());
return 0;
}
if(0 == strcmp(arg, "imdsv1only")){
ps3fscred->SetIMDSVersion(1);
return 0;
}
if(0 == strcmp(arg, "ecs")){
if(ps3fscred->IsIBMIAMAuth()){
S3FS_PRN_EXIT("option ecs cannot be used in conjunction with ibm");
//
// Detect options for credential
//
if(0 >= (ret = ps3fscred->DetectParam(arg))){
if(0 > ret){
return -1;
}
ps3fscred->SetIsECS(true);
ps3fscred->SetIMDSVersion(1);
ps3fscred->SetIAMCredentialsURL("http://169.254.170.2");
ps3fscred->SetIAMFieldCount(5);
ps3fscred->SetIsECS(true);
return 0;
}
if(is_prefix(arg, "iam_role")){
if(ps3fscred->IsECS() || ps3fscred->IsIBMIAMAuth()){
S3FS_PRN_EXIT("option iam_role cannot be used in conjunction with ecs or ibm");
return -1;
}
if(0 == strcmp(arg, "iam_role") || 0 == strcmp(arg, "iam_role=auto")){
// loading IAM role name in s3fs_init(), because we need to wait initializing curl.
//
ps3fscred->SetIAMRoleMetadataType(true);
return 0;
}else if(is_prefix(arg, "iam_role=")){
const char* role = strchr(arg, '=') + sizeof(char);
ps3fscred->SetIAMRole(role);
ps3fscred->SetIAMRoleMetadataType(false);
return 0;
}
}
if(is_prefix(arg, "profile=")){
ps3fscred->SetAwsProfileName(strchr(arg, '=') + sizeof(char));
return 0;
}
if(is_prefix(arg, "public_bucket=")){
@ -4608,10 +4549,9 @@ int main(int argc, char* argv[])
}
//
// Checking forbidden parameters for bucket
// Check the combination of parameters for credential
//
if(!ps3fscred->CheckForbiddenBucketParams()){
show_usage();
if(!ps3fscred->CheckAllParams()){
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
@ -4633,42 +4573,6 @@ int main(int argc, char* argv[])
}
}
// error checking of command line arguments for compatibility
if(S3fsCurl::IsPublicBucket() && ps3fscred->IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both public_bucket and the access keys options is invalid.");
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
exit(EXIT_FAILURE);
}
if(!ps3fscred->IsSetPasswdFile() && ps3fscred->IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid.");
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
exit(EXIT_FAILURE);
}
if(!S3fsCurl::IsPublicBucket() && !ps3fscred->IsIAMRoleMetadataType() && !ps3fscred->IsECS()){
if(!ps3fscred->InitialS3fsCredentials()){
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
exit(EXIT_FAILURE);
}
if(!ps3fscred->IsSetAccessKeys()){
S3FS_PRN_EXIT("could not establish security credentials, check documentation.");
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
exit(EXIT_FAILURE);
}
// More error checking on the access key pair can be done
// like checking for appropriate lengths and characters
}
// check tmp dir permission
if(!FdManager::CheckTmpDirExist()){
S3FS_PRN_EXIT("temporary directory doesn't exists.");
@ -4692,20 +4596,6 @@ int main(int argc, char* argv[])
FdManager::InitFakeUsedDiskSize(fake_diskfree_size);
}
// check IBM IAM requirements
if(ps3fscred->IsIBMIAMAuth()){
// check that default ACL is either public-read or private
acl_t defaultACL = S3fsCurl::GetDefaultAcl();
if(defaultACL != acl_t::PRIVATE && defaultACL != acl_t::PUBLIC_READ){
S3FS_PRN_EXIT("can only use 'public-read' or 'private' ACL while using ibm_iam_auth");
S3fsCurl::DestroyS3fsCurl();
s3fs_destroy_global_ssl();
destroy_parser_xml_lock();
exit(EXIT_FAILURE);
}
}
// set user agent
S3fsCurl::InitUserAgent();

148
src/s3fs_cred.cpp
View File

@ -184,11 +184,6 @@ bool S3fsCred::SetAccessKeyWithSessionToken(const char* AccessKeyId, const char*
return true;
}
bool S3fsCred::IsSetAccessKeyID() const
{
return !AWSAccessKeyId.empty();
}
bool S3fsCred::IsSetAccessKeys() const
{
return !IAM_role.empty() || ((!AWSAccessKeyId.empty() || is_ibm_iam_auth) && !AWSSecretAccessKey.empty());
@ -705,7 +700,7 @@ bool S3fsCred::InitialS3fsCredentials()
}
// 2 - was specified on the command line
if(!IsSetPasswdFile()){
if(IsSetPasswdFile()){
if(!ReadS3fsPasswdFile()){
return false;;
}
@ -877,7 +872,99 @@ bool S3fsCred::CheckIAMCredentialUpdate()
}
//-------------------------------------------------------------------
// Methods : Checking forbidden parameters
// Methods: Option detection
//-------------------------------------------------------------------
// return value: 1 = Not processed as it is not a option for this class
// 0 = The option was detected and processed appropriately
// -1 = Processing cannot be continued because a fatal error was detected
//
int S3fsCred::DetectParam(const char* arg)
{
if(!arg){
S3FS_PRN_EXIT("parameter arg is empty(null)");
return -1;
}
if(is_prefix(arg, "passwd_file=")){
SetS3fsPasswdFile(strchr(arg, '=') + sizeof(char));
return 0;
}
if(0 == strcmp(arg, "ibm_iam_auth")){
SetIsIBMIAMAuth(true);
SetIAMCredentialsURL("https://iam.cloud.ibm.com/identity/token");
SetIAMTokenField("\"access_token\"");
SetIAMExpiryField("\"expiration\"");
SetIAMFieldCount(2);
SetIMDSVersion(1);
return 0;
}
if(0 == strcmp(arg, "use_session_token")){
SetIsUseSessionToken(true);
return 0;
}
if(is_prefix(arg, "ibm_iam_endpoint=")){
std::string endpoint_url;
const char* iam_endpoint = strchr(arg, '=') + sizeof(char);
// Check url for http / https protocol std::string
if(!is_prefix(iam_endpoint, "https://") && !is_prefix(iam_endpoint, "http://")){
S3FS_PRN_EXIT("option ibm_iam_endpoint has invalid format, missing http / https protocol");
return -1;
}
endpoint_url = std::string(iam_endpoint) + "/identity/token";
SetIAMCredentialsURL(endpoint_url.c_str());
return 0;
}
if(0 == strcmp(arg, "imdsv1only")){
SetIMDSVersion(1);
return 0;
}
if(0 == strcmp(arg, "ecs")){
if(IsIBMIAMAuth()){
S3FS_PRN_EXIT("option ecs cannot be used in conjunction with ibm");
return -1;
}
SetIsECS(true);
SetIMDSVersion(1);
SetIAMCredentialsURL("http://169.254.170.2");
SetIAMFieldCount(5);
return 0;
}
if(is_prefix(arg, "iam_role")){
if(IsECS() || IsIBMIAMAuth()){
S3FS_PRN_EXIT("option iam_role cannot be used in conjunction with ecs or ibm");
return -1;
}
if(0 == strcmp(arg, "iam_role") || 0 == strcmp(arg, "iam_role=auto")){
// loading IAM role name in s3fs_init(), because we need to wait initializing curl.
//
SetIAMRoleMetadataType(true);
return 0;
}else if(is_prefix(arg, "iam_role=")){
const char* role = strchr(arg, '=') + sizeof(char);
SetIAMRole(role);
SetIAMRoleMetadataType(false);
return 0;
}
}
if(is_prefix(arg, "profile=")){
SetAwsProfileName(strchr(arg, '=') + sizeof(char));
return 0;
}
return 1;
}
//-------------------------------------------------------------------
// Methods : check parameters
//-------------------------------------------------------------------
//
// Checking forbidden parameters for bucket
@ -910,6 +997,53 @@ bool S3fsCred::CheckForbiddenBucketParams()
return true;
}
//
// Check the combination of parameters
//
bool S3fsCred::CheckAllParams()
{
//
// Checking forbidden parameters for bucket
//
if(!CheckForbiddenBucketParams()){
return false;
}
// error checking of command line arguments for compatibility
if(S3fsCurl::IsPublicBucket() && IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both public_bucket and the access keys options is invalid.");
return false;
}
if(!IsSetPasswdFile() && IsSetAccessKeys()){
S3FS_PRN_EXIT("specifying both passwd_file and the access keys options is invalid.");
return false;
}
if(!S3fsCurl::IsPublicBucket() && !IsIAMRoleMetadataType() && !IsECS()){
if(!InitialS3fsCredentials()){
return false;
}
if(!IsSetAccessKeys()){
S3FS_PRN_EXIT("could not establish security credentials, check documentation.");
return false;
}
// More error checking on the access key pair can be done
// like checking for appropriate lengths and characters
}
// check IBM IAM requirements
if(IsIBMIAMAuth()){
// check that default ACL is either public-read or private
acl_t defaultACL = S3fsCurl::GetDefaultAcl();
if(defaultACL != acl_t::PRIVATE && defaultACL != acl_t::PUBLIC_READ){
S3FS_PRN_EXIT("can only use 'public-read' or 'private' ACL while using ibm_iam_auth");
return false;
}
}
return true;
}
/*
* Local variables:
* tab-width: 4

46
src/s3fs_cred.h
View File

@ -82,6 +82,26 @@ class S3fsCred
private:
static bool ParseIAMRoleFromMetaDataResponse(const char* response, std::string& rolename);
bool SetS3fsPasswdFile(const char* file);
bool IsSetPasswdFile();
bool SetAwsProfileName(const char* profile_name);
bool SetIAMRoleMetadataType(bool flag);
bool SetAccessKey(const char* AccessKeyId, const char* SecretAccessKey);
bool SetAccessKeyWithSessionToken(const char* AccessKeyId, const char* SecretAccessKey, const char * SessionToken);
bool IsSetAccessKeys() const;
bool SetIsECS(bool flag);
bool SetIsUseSessionToken(bool flag);
bool SetIsIBMIAMAuth(bool flag);
std::string SetIAMRole(const char* role);
size_t SetIAMFieldCount(size_t field_count);
std::string SetIAMCredentialsURL(const char* url);
std::string SetIAMTokenField(const char* token_field);
std::string SetIAMExpiryField(const char* expiry_field);
bool IsReadableS3fsPasswdFile();
bool CheckS3fsPasswdFilePerms();
bool ParseS3fsPasswdFile(bucketkvmap_t& resmap);
@ -90,8 +110,11 @@ class S3fsCred
int CheckS3fsCredentialAwsFormat(const kvmap_t& kvmap);
bool ReadAwsCredentialFile(const std::string &filename);
bool InitialS3fsCredentials();
bool ParseIAMCredentialResponse(const char* response, iamcredmap_t& keyval);
bool CheckForbiddenBucketParams();
public:
static bool SetBucket(const char* bucket);
static const std::string& GetBucket();
@ -99,34 +122,18 @@ class S3fsCred
S3fsCred();
~S3fsCred();
bool SetS3fsPasswdFile(const char* file);
bool IsSetPasswdFile();
bool SetAwsProfileName(const char* profile_name);
bool SetIAMRoleMetadataType(bool flag);
bool IsIAMRoleMetadataType() const { return load_iamrole; }
bool SetAccessKey(const char* AccessKeyId, const char* SecretAccessKey);
bool SetAccessKeyWithSessionToken(const char* AccessKeyId, const char* SecretAccessKey, const char * SessionToken);
bool IsSetAccessKeyID() const;
bool IsSetAccessKeys() const;
const std::string& GetAccessKeyID() const { return AWSAccessKeyId; }
const std::string& GetSecretAccessKey() const { return AWSSecretAccessKey; }
const std::string& GetAccessToken() const { return AWSAccessToken; }
bool SetIsECS(bool flag);
bool IsECS() const { return is_ecs; }
bool SetIsUseSessionToken(bool flag);
bool IsUseSessionToken() const { return is_use_session_token; }
bool SetIsIBMIAMAuth(bool flag);
bool IsIBMIAMAuth() const { return is_ibm_iam_auth; }
std::string SetIAMRole(const char* role);
const std::string& GetIAMRole() const { return IAM_role; }
size_t SetIAMFieldCount(size_t field_count);
std::string SetIAMCredentialsURL(const char* url);
const std::string& GetIAMCredentialsURL() const { return IAM_cred_url; }
std::string SetIAMTokenField(const char* token_field);
std::string SetIAMExpiryField(const char* expiry_field);
int SetIMDSVersion(int version);
int GetIMDSVersion() const { return IAM_api_version; }
@ -135,11 +142,10 @@ class S3fsCred
bool SetIAMCredentials(const char* response);
bool SetIAMRoleFromMetaData(const char* response);
bool InitialS3fsCredentials();
bool CheckIAMCredentialUpdate();
bool CheckForbiddenBucketParams();
int DetectParam(const char* arg);
bool CheckAllParams();
};
#endif // S3FS_CRED_H_