jamhall · leontastic · Mar 5, 2021 · Mar 5, 2021 · Mar 5, 2021 · Mar 5, 2021
diff --git a/lib/cli.js b/lib/cli.js
@@ -72,6 +72,16 @@ program
     'Bucket name and configuration files for creating and configuring a bucket at startup',
     parseConfigureBucket,
   )
+  .option(
+    '--default-access-key-id <accessKeyId>',
+    'Access Key ID used to authenticate with s3rver.',
+    S3rver.defaultOptions.defaultAccessKeyId,
+  )
+  .option(
+    '--default-secret-access-key <secretAccessKey>',
+    'Secret Access Key used to authenticate with s3rver.',
+    S3rver.defaultOptions.defaultSecretAccessKey,
+  )
   .version(pkg.version, '-v, --version');
 
 // NOTE: commander doesn't support repeated variadic options,

diff --git a/lib/controllers/bucket.js b/lib/controllers/bucket.js
@@ -2,7 +2,6 @@
 
 const crypto = require('crypto');
 
-const { DUMMY_ACCOUNT } = require('../models/account');
 const S3Error = require('../models/error');
 const {
   S3CorsConfiguration,
@@ -11,7 +10,7 @@ const {
 const { utf8BodyParser } = require('../utils');
 
 function generateContinuationToken(bucket, keyName, region) {
-  const key = Buffer.alloc(8, 'S3RVER', 'utf8');
+  const key = Buffer.alloc(8, 'S3RVER_CONTINUATION_TOKEN_SECRET', 'utf8');
   const iv = crypto.randomBytes(8);
   // ensure the first byte of IV lies between [212, 216)
   iv[0] = (iv[0] & 0b00000011) | 0b11010100;
@@ -28,7 +27,7 @@ function generateContinuationToken(bucket, keyName, region) {
 function decipherContinuationToken(token) {
   const buf = Buffer.from(token, 'base64');
   if (buf.length < 8) return '';
-  const key = Buffer.alloc(8, 'S3RVER', 'utf8');
+  const key = Buffer.alloc(8, 'S3RVER_CONTINUATION_TOKEN_SECRET', 'utf8');
   const iv = buf.slice(0, 8);
   const decipher = crypto.createDecipheriv('des', key, iv);
   const ciphertext = buf.slice(8);
@@ -270,8 +269,9 @@ exports.getBucket = async function getBucket(ctx) {
           Size: object.size,
           Owner: options.fetchOwner
             ? {
-                ID: DUMMY_ACCOUNT.id,
-                DisplayName: DUMMY_ACCOUNT.displayName,
+                // we assume the objects are owned by the fetching user since we don't store owner metadata with objects
+                ID: ctx.state.account.id,
+                DisplayName: ctx.state.account.displayName,
               }
             : undefined,
           StorageClass: 'STANDARD',

diff --git a/lib/controllers/object.js b/lib/controllers/object.js
@@ -6,7 +6,6 @@ const xmlParser = require('fast-xml-parser');
 const he = require('he');
 const { URL } = require('url');
 
-const { DUMMY_ACCOUNT } = require('../models/account');
 const S3Error = require('../models/error');
 const S3Event = require('../models/event');
 const S3Object = require('../models/object');
@@ -209,8 +208,9 @@ exports.getObjectAcl = async function getObjectAcl(ctx) {
     AccessControlPolicy: {
       '@': { xmlns: 'http://doc.s3.amazonaws.com/2006-03-01/' },
       Owner: {
-        ID: DUMMY_ACCOUNT.id,
-        DisplayName: DUMMY_ACCOUNT.displayName,
+        // we assume the objects are owned by the fetching user since we don't store owner metadata with objects
+        ID: ctx.state.account.id,
+        DisplayName: ctx.state.account.displayName,
       },
       AccessControlList: {
         Grant: {

diff --git a/lib/controllers/service.js b/lib/controllers/service.js
@@ -1,7 +1,5 @@
 'use strict';
 
-const { DUMMY_ACCOUNT } = require('../models/account');
-
 /*
  * Operations on the Service
  * The following methods correspond to operations you can perform on the Amazon S3 service.
@@ -21,8 +19,9 @@ exports.getService = async function getService(ctx) {
     ListAllMyBucketsResult: {
       '@': { xmlns: 'http://doc.s3.amazonaws.com/2006-03-01/' },
       Owner: {
-        ID: DUMMY_ACCOUNT.id,
-        DisplayName: DUMMY_ACCOUNT.displayName,
+        // we provide dummy values here because we don't store any metadata with buckets
+        ID: 'BUCKET_OWNER_ID',
+        DisplayName: 'BUCKET_OWNER_DISPLAY_NAME',
       },
       Buckets: {
         Bucket: buckets.map((bucket) => ({

diff --git a/lib/middleware/authentication.js b/lib/middleware/authentication.js
@@ -3,7 +3,6 @@
 const { createHmac, createHash } = require('crypto');
 const { mapKeys, pickBy } = require('lodash');
 
-const AWSAccount = require('../models/account');
 const S3Error = require('../models/error');
 const { RESPONSE_HEADERS } = require('./response-header-override');
 const {
@@ -174,7 +173,7 @@ module.exports = () =>
     }
 
     let stringToSign;
-    const account = AWSAccount.registry.get(signature.accessKeyId);
+    const account = ctx.app.accounts.getByAccessKeyId(signature.accessKeyId);
     if (!account) {
       throw new S3Error(
         'InvalidAccessKeyId',
@@ -186,7 +185,7 @@ module.exports = () =>
     if (signature.version === 2) {
       stringToSign = getStringToSignV2(canonicalRequest);
 
-      const signingKey = account.accessKeys.get(signature.accessKeyId);
+      const signingKey = account.getSecretAccessKey(signature.accessKeyId);
       const calculatedSignature = calculateSignatureV2(
         stringToSign,
         signingKey,
@@ -198,7 +197,7 @@ module.exports = () =>
     } else if (signature.version === 4) {
       stringToSign = getStringToSignV4(canonicalRequest, signature);
 
-      const secretKey = account.accessKeys.get(signature.accessKeyId);
+      const secretKey = account.getSecretAccessKey(signature.accessKeyId);
       const calculatedSignature = calculateSignatureV4(
         stringToSign,
         secretKey,

diff --git a/lib/models/account.js b/lib/models/account.js
@@ -1,26 +1,60 @@
 'use strict';
 
-class AWSAccount {
-  constructor(accountId, displayName) {
-    this.id = accountId;
-    this.displayName = displayName;
-    this.accessKeys = new Map();
+// basic in-memory storage abstraction for accounts and AWS credential key pairs
+
+class Account {
+  constructor(id, displayName) {
+    Object.assign(this, { id, displayName });
+    this.secretAccessKeys = new Map();
+  }
+
+  assignKeyPair(accessKeyId, secretAccessKey) {
+    this.secretAccessKeys.set(accessKeyId, secretAccessKey);
   }
 
-  createKeyPair(accessKeyId, secretAccessKey) {
-    AWSAccount.registry.set(accessKeyId, this);
-    this.accessKeys.set(accessKeyId, secretAccessKey);
+  getSecretAccessKey(accessKeyId) {
+    return this.secretAccessKeys.get(accessKeyId);
   }
 
-  revokeAccessKey(accessKeyId) {
-    AWSAccount.registry.delete(accessKeyId);
-    this.accessKeys.delete(accessKeyId);
+  deleteKeyPair(accessKeyId) {
+    this.secretAccessKeys.delete(accessKeyId);
   }
 }
-AWSAccount.registry = new Map();
 
-exports = module.exports = AWSAccount;
+class AccountStore {
+  constructor() {
+    // track accounts by both account id and access key id
+    this.accountsById = new Map();
+    this.accountsByAccessKeyId = new Map();
+  }
+
+  addAccount(accountId, displayName) {
+    const account = new Account(accountId, displayName);
+    this.accountsById.set(accountId, account);
+  }
+
+  addKeyPair(accountId, accessKeyId, secretAccessKey) {
+    const account = this.accountsById.get(accountId);
+    account.assignKeyPair(accessKeyId, secretAccessKey);
+    this.accountsByAccessKeyId.set(accessKeyId, account);
+  }
+
+  revokeKeyPair(accessKeyId) {
+    const account = this.accountsByAccessKeyId.get(accessKeyId);
+    account.deleteKeyPair(accessKeyId);
+    this.accountsByAccessKeyId.delete(accessKeyId);
+  }
+
+  getByAccessKeyId(accessKeyId) {
+    return this.accountsByAccessKeyId.get(accessKeyId);
+  }
+
+  removeAccount(accountId) {
+    const account = this.accountsById.get(accountId);
+    const accessKeyIds = [...account.secretAccessKeys.keys()];
+    accessKeyIds.forEach((accessKeyId) => this.revokeKeyPair(accessKeyId));
+    this.accountsById.delete(accountId);
+  }
+}
 
-// Hardcoded dummy user used for authenticated requests
-exports.DUMMY_ACCOUNT = new AWSAccount(123456789000, 'S3rver');
-exports.DUMMY_ACCOUNT.createKeyPair('S3RVER', 'S3RVER');
+module.exports = AccountStore;
diff --git a/lib/s3rver.js b/lib/s3rver.js
@@ -15,9 +15,13 @@ const vhostMiddleware = require('./middleware/vhost');
 const { getConfigModel } = require('./models/config');
 const S3Error = require('./models/error');
 const FilesystemStore = require('./stores/filesystem');
+const AccountStore = require('./models/account');
 const router = require('./routes');
 const { getXmlRootTag } = require('./utils');
 
+const defaultAccountId = 123456789000;
+const defaultAccountDisplayName = 'S3rver';
+
 class S3rver extends Koa {
   constructor(options) {
     super();
@@ -30,6 +34,8 @@ class S3rver extends Koa {
       allowMismatchedSignatures,
       vhostBuckets,
       configureBuckets,
+      defaultAccessKeyId,
+      defaultSecretAccessKey,
       ...serverOptions
     } = defaults({}, options, S3rver.defaultOptions);
     this.serverOptions = serverOptions;
@@ -39,6 +45,16 @@ class S3rver extends Koa {
     this.allowMismatchedSignatures = allowMismatchedSignatures;
     this.store = this.context.store = new FilesystemStore(directory);
 
+    this.accounts = new AccountStore();
+
+    // create a default account
+    this.accounts.addAccount(defaultAccountId, defaultAccountDisplayName);
+    this.accounts.addKeyPair(
+      defaultAccountId,
+      defaultAccessKeyId,
+      defaultSecretAccessKey,
+    );
+
     // Log all requests
     this.use(loggerMiddleware(this, silent));
 
@@ -216,6 +232,8 @@ S3rver.defaultOptions = {
   allowMismatchedSignatures: false,
   vhostBuckets: true,
   configureBuckets: [],
+  defaultAccessKeyId: 'S3RVER',
+  defaultSecretAccessKey: 'S3RVER',
 };
 S3rver.prototype.getMiddleware = S3rver.prototype.callback;