[Auth](ft): Allow custom object

- Allow a custom object in the process, like the VaultRequest object - Allow using another service than s3 in the signingKey
scality · Jun 22, 2016 · 36061b1 · 36061b1
1 parent 6f57d8a
commit 36061b1
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 19 deletions.
diff --git a/lib/auth/auth.js b/lib/auth/auth.js
@@ -21,7 +21,7 @@ auth.setAuthHandler = handler => {
     return auth;
 };
 
-auth.doAuth = (request, log, cb, awsService, data) => {
+auth.doAuth = (request, log, cb, awsService, data, custom) => {
     log.debug('running auth checks', { method: 'auth' });
     const authHeader = request.headers.authorization;
     // Check whether signature is in header
@@ -31,21 +31,21 @@ auth.doAuth = (request, log, cb, awsService, data) => {
         // handle temporary security credentials
         if (authHeader.startsWith('AWS ')) {
             log.trace('authenticating request with auth v2 using headers');
-            authV2.headerAuthCheck.check(request, log, cb);
+            authV2.headerAuthCheck.check(request, log, cb, custom);
         } else if (authHeader.startsWith('AWS4')) {
             log.debug('authenticating request with Auth V4 using headers');
-            authV4.headerAuthCheck.check(request, log, cb, awsService);
+            authV4.headerAuthCheck.check(request, log, cb, awsService, custom);
         } else {
             log.warn('missing authorization security header');
             return cb(errors.MissingSecurityHeader);
         }
     } else if (data.Signature) {
         // Check whether signature is in query string
         log.trace('authenticating request with auth v2 using query string');
-        authV2.queryAuthCheck.check(request, log, data, cb);
+        authV2.queryAuthCheck.check(request, log, data, cb, custom);
     } else if (data['X-Amz-Algorithm']) {
         log.debug('authenticating request with Auth v4 using query string');
-        authV4.queryAuthCheck.check(request, log, data, cb);
+        authV4.queryAuthCheck.check(request, log, data, cb, custom);
     } else {
         // If no auth information is provided in request, then
         // user is part of 'All Users Group' so send back this
@@ -91,7 +91,8 @@ auth.generateV4Headers =
         const stringToSign = constructStringToSignV4(params);
         const signingKey = vaultUtilities.calculateSigningKey(secretKeyValue,
                                                               region,
-                                                              scopeDate);
+                                                              scopeDate,
+                                                              service);
         const signature = crypto.createHmac('sha256', signingKey)
                             .update(stringToSign).digest('hex');
         const authorizationHeader = `${algorithm} Credential=${accessKey}` +

diff --git a/lib/auth/in_memory/vaultUtilities.js b/lib/auth/in_memory/vaultUtilities.js
@@ -17,15 +17,16 @@ function hashSignature(stringToSign, secretKey, algorithm) {
  * @param {string} secretKey - requester's secretKey
  * @param {string} region - region included in request
  * @param {string} scopeDate - scopeDate included in request
+ * @param {string} [service] - To specify another service than s3
  * @return {string} signingKey - signingKey to calculate signature
  */
-function calculateSigningKey(secretKey, region, scopeDate) {
+function calculateSigningKey(secretKey, region, scopeDate, service) {
     const dateKey = crypto.createHmac('sha256', `AWS4${secretKey}`)
         .update(scopeDate).digest('binary');
     const dateRegionKey = crypto.createHmac('sha256', dateKey)
         .update(region).digest('binary');
     const dateRegionServiceKey = crypto.createHmac('sha256', dateRegionKey)
-        .update('s3').digest('binary');
+        .update(service || 's3').digest('binary');
     const signingKey = crypto.createHmac('sha256', dateRegionServiceKey)
         .update('aws4_request').digest('binary');
     return signingKey;

diff --git a/lib/auth/v2/headerAuthCheck.js b/lib/auth/v2/headerAuthCheck.js
@@ -14,7 +14,7 @@ headerAuthCheck.setAuthHandler = handler => {
     return headerAuthCheck;
 };
 
-headerAuthCheck.check = (request, log, callback) => {
+headerAuthCheck.check = (request, log, callback, custom) => {
     log.trace('running header auth check');
     const headers = request.headers;
 
@@ -68,7 +68,7 @@ headerAuthCheck.check = (request, log, callback) => {
                 return callback(err);
             }
             return callback(null, authInfo);
-        });
+        }, custom);
 };
 
 module.exports = headerAuthCheck;
diff --git a/lib/auth/v2/queryAuthCheck.js b/lib/auth/v2/queryAuthCheck.js
@@ -1,6 +1,6 @@
 'use strict'; // eslint-disable-line strict
 
-const errors = require('../../../index').errors;
+const errors = require('../../errors');
 
 const algoCheck = require('./algoCheck');
 const constructStringToSign = require('./constructStringToSign');
@@ -15,13 +15,12 @@ queryAuthCheck.setAuthHandler = handler => {
     return queryAuthCheck;
 };
 
-queryAuthCheck.check = (request, log, data, callback) => {
+queryAuthCheck.check = (request, log, data, callback, custom) => {
     log.trace('running query auth check');
     if (request.method === 'POST') {
         log.warn('query string auth not supported for post requests');
         return callback(errors.NotImplemented);
     }
-
     /*
     Check whether request has expired or if
     expires parameter is more than 15 minutes in the future.
@@ -61,8 +60,7 @@ queryAuthCheck.check = (request, log, data, callback) => {
                 return callback(err);
             }
             return callback(null, authInfo);
-        }
-    );
+        }, custom);
 };
 
 module.exports = queryAuthCheck;
diff --git a/lib/auth/v4/headerAuthCheck.js b/lib/auth/v4/headerAuthCheck.js
@@ -23,9 +23,10 @@ headerAuthCheck.setAuthHandler = handler => {
  * @param {object} log - logging object
  * @param {function} callback - callback to auth checking function
  * @param {string} awsService - either 's3' or 'iam'
+ * @param {*} custom - Allow custom object
  * @return {callback} calls callback
  */
-headerAuthCheck.check = (request, log, callback, awsService) => {
+headerAuthCheck.check = (request, log, callback, awsService, custom) => {
     log.trace('running header auth check');
     // authorization header
     const authHeader = request.headers.authorization;
@@ -122,7 +123,7 @@ headerAuthCheck.check = (request, log, callback, awsService) => {
         stringToSign,
         log,
     };
-    return vault.authenticateV4Request(vaultParams, callback);
+    return vault.authenticateV4Request(vaultParams, callback, custom);
 };
 
 module.exports = headerAuthCheck;
diff --git a/lib/auth/v4/queryAuthCheck.js b/lib/auth/v4/queryAuthCheck.js
@@ -20,10 +20,12 @@ queryAuthCheck.setAuthHandler = handler => {
  * V4 query auth check
  * @param {object} request - HTTP request object
  * @param {object} log - logging object
+ * @param {object} data - Contain authentification params (GET or POST data)
  * @param {function} callback - callback to auth checking function
+ * @param {*} custom - Allow a custom data (like vaultRequest in Vault)
  * @return {callback} calls callback
  */
-queryAuthCheck.check = (request, log, data, callback) => {
+queryAuthCheck.check = (request, log, data, callback, custom) => {
     const authParams = extractQueryParams(data, log);
 
     if (Object.keys(authParams).length !== 5) {
@@ -87,7 +89,7 @@ queryAuthCheck.check = (request, log, data, callback) => {
         stringToSign,
         log,
     };
-    return vault.authenticateV4Request(vaultParams, callback);
+    return vault.authenticateV4Request(vaultParams, callback, custom);
 };
 
 module.exports = queryAuthCheck;