// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package cmd
import (
"bytes"
"crypto/subtle"
"encoding/base64"
"encoding/json"
"encoding/xml"
"fmt"
"io"
"net/http"
"net/textproto"
"net/url"
"path"
"sort"
"strconv"
"strings"
"sync"
"time"
"github.com/google/uuid"
"github.com/gorilla/mux"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio-go/v7/pkg/tags"
objectlock "github.com/minio/minio/internal/bucket/object/lock"
"github.com/minio/minio/internal/bucket/replication"
"github.com/minio/minio/internal/config/dns"
"github.com/minio/minio/internal/crypto"
"github.com/minio/minio/internal/event"
"github.com/minio/minio/internal/handlers"
"github.com/minio/minio/internal/hash"
xhttp "github.com/minio/minio/internal/http"
"github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger"
"github.com/minio/minio/internal/sync/errgroup"
"github.com/minio/pkg/bucket/policy"
iampolicy "github.com/minio/pkg/iam/policy"
)
// Bucket-level configuration names.
// NOTE(review): presumably the file names under which the object-lock,
// tagging and replication configuration of a bucket are stored; the code
// that reads or writes them is not visible here, so confirm against callers.
const (
	objectLockConfig        = "object-lock.xml"
	bucketTaggingConfig     = "tagging.xml"
	bucketReplicationConfig = "replication.xml"
)
// initFederatorBackend reconciles the buckets available on this server with
// the bucket entries held by the federation DNS backend (globalDNSConfig).
// The general flow is:
//   - Range over all the locally available buckets.
//   - A bucket without a DNS entry is queued for registration.
//   - A bucket whose DNS entry shares at least one address with
//     globalDomainIPs is treated as belonging to this instance. It is
//     written again only when globalDomainIPs holds addresses the entry
//     lacks, or when the DNS backend reported the domain as missing.
//   - A bucket whose DNS entry shares no address with globalDomainIPs is
//     treated as belonging to another instance. It is logged as a conflict
//     and its DNS entry is left untouched.
//   - DNS entries that point at this instance but have no local bucket are
//     deleted.
//
// Nothing is done when buckets is empty. objLayer is not used by this
// function.
func initFederatorBackend(buckets []BucketInfo, objLayer ObjectLayer) {
	if len(buckets) == 0 {
		return
	}

	// Get buckets in the DNS.
	dnsBuckets, err := globalDNSConfig.List()
	if err != nil && !IsErrIgnored(err, dns.ErrNoEntriesFound, dns.ErrNotImplemented, dns.ErrDomainMissing) {
		logger.LogIf(GlobalContext, err)
		return
	}

	var (
		localNames = set.NewStringSet()
		toRegister = set.NewStringSet()
		conflicts  = set.NewStringSet()
	)

	// A missing domain means the domain was updated, so every bucket
	// entry has to be written again under the new domain name.
	domainMissing := err == dns.ErrDomainMissing

	if dnsBuckets != nil {
		for _, bucket := range buckets {
			localNames.Add(bucket.Name)

			records, registered := dnsBuckets[bucket.Name]
			switch {
			case !registered:
				// No entry yet, make one.
				toRegister.Add(bucket.Name)

			case globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(records)...)).IsEmpty():
				// No IPs intersect: the bucket name is registered with
				// different addresses, perhaps by a different deployment.
				// Bucket names are globally unique in federation at a
				// given path prefix, so the existing entry wins; the
				// collision is only logged further down and the entry is
				// never overwritten from here.
				conflicts.Add(bucket.Name)

			case globalDomainIPs.Difference(set.CreateStringSet(getHostsSlice(records)...)).IsEmpty() && !domainMissing:
				// The entry is ours, every local domain IP is already
				// part of it and the domain is not missing: nothing to
				// change in the DNS backend.

			default:
				// The entry is ours but lacks some local domain IPs, or
				// the domain was updated/missing: write the newer
				// domain IPs.
				toRegister.Add(bucket.Name)
			}
		}
	}

	// Add/update buckets that are not registered with the DNS.
	names := toRegister.ToSlice()
	g := errgroup.WithNErrs(len(names)).WithConcurrency(50)
	ctx, cancel := g.WithCancelOnError(GlobalContext)
	defer cancel()

	for i := range names {
		i := i // per-iteration copy captured by the closure below
		g.Go(func() error {
			return globalDNSConfig.Put(names[i])
		}, i)
	}

	if putErr := g.WaitErr(); putErr != nil {
		logger.LogIf(ctx, putErr)
		return
	}

	for _, name := range conflicts.ToSlice() {
		logger.LogIf(ctx, fmt.Errorf("Unable to add bucket DNS entry for bucket %s, an entry exists for the same bucket by a different tenant. This local bucket will be ignored. Bucket names are globally unique in federated deployments. Use path style requests on following addresses '%v' to access this bucket", name, globalDomainIPs.ToSlice()))
	}

	// Remove buckets that are in DNS for this server, but aren't local.
	// NOTE(review): one goroutine is started per stale entry with no
	// concurrency limit, unlike the Put path above which goes through
	// WithConcurrency(50).
	var wg sync.WaitGroup
	for name, records := range dnsBuckets {
		if localNames.Contains(name) ||
			globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(records)...)).IsEmpty() {
			// Either the bucket still exists locally, or the entry
			// is not for our server.
			continue
		}

		wg.Add(1)
		go func(stale string) {
			defer wg.Done()
			// Reaching here means the bucket no longer exists locally
			// but is still registered in DNS to this server.
			if delErr := globalDNSConfig.Delete(stale); delErr != nil {
				logger.LogIf(GlobalContext, fmt.Errorf("Failed to remove DNS entry for %s due to %w", stale, delErr))
			}
		}(name)
	}
	wg.Wait()
}
// GetBucketLocationHandler - GET Bucket location.
// -------------------------
// This operation returns bucket location.
//
// The request has to pass the policy.GetBucketLocationAction check and the
// bucket has to be known to the object layer. The response carries an empty
// LocationResponse when the server region equals globalMinioDefaultRegion,
// and the server region otherwise.
func (api objectAPIHandlers) GetBucketLocationHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketLocation")

	// The claims argument is evaluated here, when the defer statement
	// runs; the audit entry itself is written when the handler returns.
	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucket := mux.Vars(r)["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// Authorization is evaluated before the bucket lookup, so a denied
	// request is answered from the auth check and never reaches
	// GetBucketInfo in this handler.
	if s3Error := checkRequestAuthType(ctx, r, policy.GetBucketLocationAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Only the existence of the bucket matters; the returned info is
	// discarded.
	if _, err := objectAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Generate response: empty location by default, the configured
	// region when it is not the default one.
	encoded := encodeResponse(LocationResponse{})
	if region := globalServerRegion; region != globalMinioDefaultRegion {
		encoded = encodeResponse(LocationResponse{
			Location: region,
		})
	}

	// Write success response.
	writeSuccessResponseXML(w, encoded)
}
// ListMultipartUploadsHandler - GET Bucket (List Multipart uploads)
// -------------------------
// This operation lists in-progress multipart uploads. An in-progress
// multipart upload is a multipart upload that has been initiated,
// using the Initiate Multipart Upload request, but has not yet been
// completed or aborted. This operation returns at most 1,000 multipart
// uploads in the response.
//
// The request has to pass the policy.ListBucketMultipartUploadsAction check
// before any query parameter is parsed. A negative max-uploads value is
// rejected with ErrInvalidMaxUploads and a key marker that does not start
// with the prefix with ErrNotImplemented.
// NOTE(review): this handler rejects only negative max-uploads values; the
// 1,000 cap mentioned above is presumably applied by
// getBucketMultipartResources or the object layer - confirm.
func (api objectAPIHandlers) ListMultipartUploadsHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "ListMultipartUploads")

	// The claims argument is evaluated here, when the defer statement
	// runs; the audit entry itself is written when the handler returns.
	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucket := mux.Vars(r)["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	if s3Error := checkRequestAuthType(ctx, r, policy.ListBucketMultipartUploadsAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	prefix, keyMarker, uploadIDMarker, delimiter, maxUploads, encodingType, errCode := getBucketMultipartResources(r.URL.Query())

	// Validate the client-supplied listing parameters, first failure wins.
	switch {
	case errCode != ErrNone:
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(errCode), r.URL)
		return
	case maxUploads < 0:
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMaxUploads), r.URL)
		return
	case keyMarker != "" && !HasPrefix(keyMarker, prefix):
		// Marker not common with prefix is not implemented.
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
		return
	}

	listMultipartsInfo, err := objectAPI.ListMultipartUploads(ctx, bucket, prefix, keyMarker, uploadIDMarker, delimiter, maxUploads)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Generate and write the success response.
	encoded := encodeResponse(generateListMultipartUploadsResponse(bucket, listMultipartsInfo, encodingType))
	writeSuccessResponseXML(w, encoded)
}
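// ListBucketsHandler - GET Service.
// -----------
// This implementation of the GET operation returns a list of all buckets
// owned by the authenticated sender of the request.
//
// Authorization works in two steps. The request is first checked against
// policy.ListAllMyBucketsAction. When that check answers ErrAccessDenied
// the request is not rejected outright: the bucket list is narrowed to the
// buckets on which the caller passes an iampolicy.ListBucketAction check,
// and ErrAccessDenied is returned only when no bucket is left. Any other
// auth error, and any request without an access key, is rejected directly.
//
// With DNS federation enabled the bucket list comes from globalDNSConfig,
// sorted by name; otherwise it comes from the object layer.
func (api objectAPIHandlers) ListBucketsHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "ListBuckets")

	// The claims argument is evaluated here, when the defer statement
	// runs; the audit entry itself is written when the handler returns.
	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	listBuckets := objectAPI.ListBuckets

	// ErrAccessDenied is deliberately let through here; it selects the
	// per-bucket filtering further down.
	cred, owner, s3Error := checkRequestAuthTypeCredential(ctx, r, policy.ListAllMyBucketsAction, "", "")
	if s3Error != ErrNone && s3Error != ErrAccessDenied {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Anonymous users, should be rejected.
	if cred.AccessKey == "" {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
		return
	}

	// If etcd, dns federation configured list buckets from etcd.
	var bucketsInfo []BucketInfo
	if globalDNSConfig != nil && globalBucketFederation {
		dnsBuckets, err := globalDNSConfig.List()
		if err != nil && !IsErrIgnored(err,
			dns.ErrNoEntriesFound,
			dns.ErrDomainMissing) {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
		for _, dnsRecords := range dnsBuckets {
			// Skip a bucket key that carries no record instead of
			// indexing an empty slice, which would panic inside the
			// request handler. Whether the DNS backend can return such
			// an entry is not visible here.
			if len(dnsRecords) == 0 {
				continue
			}
			bucketsInfo = append(bucketsInfo, BucketInfo{
				Name:    dnsRecords[0].Key,
				Created: dnsRecords[0].CreationDate,
			})
		}

		// Map iteration order is random; sort for a stable listing.
		sort.Slice(bucketsInfo, func(i, j int) bool {
			return bucketsInfo[i].Name < bucketsInfo[j].Name
		})
	} else {
		// Invoke the list buckets.
		var err error
		bucketsInfo, err = listBuckets(ctx)
		if err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
	}

	if s3Error == ErrAccessDenied {
		// Set prefix value for "s3:prefix" policy conditionals.
		// Header.Set replaces whatever value the client sent under the
		// same header name.
		r.Header.Set("prefix", "")
		// Set delimiter value for "s3:delimiter" policy conditionals.
		r.Header.Set("delimiter", SlashSeparator)
		// err will be nil here as we already called this function
		// earlier in this request.
		// NOTE(review): the earlier call is not made in this handler
		// directly; if that assumption stops holding, the policy checks
		// below run with whatever claims come back alongside the error.
		claims, _ := getClaimsFromToken(getSessionToken(r))
		n := 0
		// Use the following trick to filter in place
		// https://github.com/golang/go/wiki/SliceTricks#filter-in-place
		for _, bucketInfo := range bucketsInfo {
			if globalIAMSys.IsAllowed(iampolicy.Args{
				AccountName:     cred.AccessKey,
				Groups:          cred.Groups,
				Action:          iampolicy.ListBucketAction,
				BucketName:      bucketInfo.Name,
				ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
				IsOwner:         owner,
				ObjectName:      "",
				Claims:          claims,
			}) {
				bucketsInfo[n] = bucketInfo
				n++
			}
		}
		bucketsInfo = bucketsInfo[:n]
		// No bucket passed the per-bucket check, return the access
		// denied error from the initial check.
		if len(bucketsInfo) == 0 {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
			return
		}
	}

	// Generate response.
	response := generateListBucketsResponse(bucketsInfo)
	encodedSuccessResponse := encodeResponse(response)

	// Write response.
	writeSuccessResponseXML(w, encodedSuccessResponse)
}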
// DeleteMultipleObjectsHandler - deletes multiple objects.
func ( api objectAPIHandlers ) DeleteMultipleObjectsHandler ( w http . ResponseWriter , r * http . Request ) {
ctx := newContext ( r , w , "DeleteMultipleObjects" )
defer logger . AuditLog ( ctx , w , r , mustGetClaimsFromToken ( r ) )
vars := mux . Vars ( r )
bucket := vars [ "bucket" ]
objectAPI := api . ObjectAPI ( )
if objectAPI == nil {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( ErrServerNotInitialized ) , r . URL )
return
}
// Content-Md5 is requied should be set
// http://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html
if _ , ok := r . Header [ xhttp . ContentMD5 ] ; ! ok {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( ErrMissingContentMD5 ) , r . URL )
return
}
// Content-Length is required and should be non-zero
// http://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html
if r . ContentLength <= 0 {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( ErrMissingContentLength ) , r . URL )
return
}
// The max. XML contains 100000 object names (each at most 1024 bytes long) + XML overhead
const maxBodySize = 2 * 100000 * 1024
// Unmarshal list of keys to be deleted.
deleteObjects := & DeleteObjectsRequest { }
if err := xmlDecoder ( r . Body , deleteObjects , maxBodySize ) ; err != nil {
logger . LogIf ( ctx , err , logger . Application )
writeErrorResponse ( ctx , w , toAPIError ( ctx , err ) , r . URL )
return
}
// Convert object name delete objects if it has `/` in the beginning.
for i := range deleteObjects . Objects {
deleteObjects . Objects [ i ] . ObjectName = trimLeadingSlash ( deleteObjects . Objects [ i ] . ObjectName )
}
// Call checkRequestAuthType to populate ReqInfo.AccessKey before GetBucketInfo()
// Ignore errors here to preserve the S3 error behavior of GetBucketInfo()
checkRequestAuthType ( ctx , r , policy . DeleteObjectAction , bucket , "" )
// Before proceeding validate if bucket exists.
_ , err := objectAPI . GetBucketInfo ( ctx , bucket )
if err != nil {
writeErrorResponse ( ctx , w , toAPIError ( ctx , err ) , r . URL )
return
}
deleteObjectsFn := objectAPI . DeleteObjects
if api . CacheAPI ( ) != nil {
deleteObjectsFn = api . CacheAPI ( ) . DeleteObjects
}
// Return Malformed XML as S3 spec if the list of objects is empty
if len ( deleteObjects . Objects ) == 0 {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( ErrMalformedXML ) , r . URL )
return
}
var objectsToDelete = map [ ObjectToDelete ] int { }
getObjectInfoFn := objectAPI . GetObjectInfo
if api . CacheAPI ( ) != nil {
getObjectInfoFn = api . CacheAPI ( ) . GetObjectInfo
}
var (
hasLockEnabled , replicateSync bool
goi ObjectInfo
gerr error
)
replicateDeletes := hasReplicationRules ( ctx , bucket , deleteObjects . Objects )
if rcfg , _ := globalBucketObjectLockSys . Get ( bucket ) ; rcfg . LockEnabled {
hasLockEnabled = true
}
dErrs := make ( [ ] DeleteError , len ( deleteObjects . Objects ) )
oss := make ( [ ] * objSweeper , len ( deleteObjects . Objects ) )
for index , object := range deleteObjects . Objects {
if apiErrCode := checkRequestAuthType ( ctx , r , policy . DeleteObjectAction , bucket , object . ObjectName ) ; apiErrCode != ErrNone {
if apiErrCode == ErrSignatureDoesNotMatch || apiErrCode == ErrInvalidAccessKeyID {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( apiErrCode ) , r . URL )
return
}
apiErr := errorCodes . ToAPIErr ( apiErrCode )
dErrs [ index ] = DeleteError {
Code : apiErr . Code ,
Message : apiErr . Description ,
Key : object . ObjectName ,
VersionID : object . VersionID ,
}
continue
}
if object . VersionID != "" && object . VersionID != nullVersionID {
if _ , err := uuid . Parse ( object . VersionID ) ; err != nil {
logger . LogIf ( ctx , fmt . Errorf ( "invalid version-id specified %w" , err ) )
apiErr := errorCodes . ToAPIErr ( ErrNoSuchVersion )
dErrs [ index ] = DeleteError {
Code : apiErr . Code ,
Message : apiErr . Description ,
Key : object . ObjectName ,
VersionID : object . VersionID ,
}
continue
}
}
oss [ index ] = newObjSweeper ( bucket , object . ObjectName ) . WithVersion ( multiDelete ( object ) )
// Mutations of objects on versioning suspended buckets
// affect its null version. Through opts below we select
// the null version's remote object to delete if
// transitioned.
opts := oss [ index ] . GetOpts ( )
goi , gerr = getObjectInfoFn ( ctx , bucket , object . ObjectName , opts )
if gerr == nil {
oss [ index ] . SetTransitionState ( goi )
}
if replicateDeletes {
replicate , repsync := checkReplicateDelete ( ctx , bucket , ObjectToDelete {
ObjectName : object . ObjectName ,
VersionID : object . VersionID ,
} , goi , gerr )
replicateSync = repsync
if replicate {
if apiErrCode := checkRequestAuthType ( ctx , r , policy . ReplicateDeleteAction , bucket , object . ObjectName ) ; apiErrCode != ErrNone {
if apiErrCode == ErrSignatureDoesNotMatch || apiErrCode == ErrInvalidAccessKeyID {
writeErrorResponse ( ctx , w , errorCodes . ToAPIErr ( apiErrCode ) , r . URL )
return
}
continue
}
if object . VersionID != "" {
object . VersionPurgeStatus = Pending
} else {
object . DeleteMarkerReplicationStatus = string ( replication . Pending )
}
}
}
if object . VersionID != "" {
if hasLockEnabled {
if apiErrCode := enforceRetentionBypassForDelete ( ctx , r , bucket , object , goi , gerr ) ; apiErrCode != ErrNone {
apiErr := errorCodes . ToAPIErr ( apiErrCode )
dErrs [ index ] = DeleteError {
Code : apiErr . Code ,
Message : apiErr . Description ,
Key : object . ObjectName ,
VersionID : object . VersionID ,
}
continue
}
}
}
// Avoid duplicate objects, we use map to filter them out.
if _ , ok := objectsToDelete [ object ] ; ! ok {
objectsToDelete [ object ] = index
}
}
toNames := func ( input map [ ObjectToDelete ] int ) ( output [ ] ObjectToDelete ) {
output = make ( [ ] ObjectToDelete , len ( input ) )
idx := 0
for obj := range input {
output [ idx ] = obj
idx ++
}
return
}
deleteList := toNames ( objectsToDelete )
dObjects , errs := deleteObjectsFn ( ctx , bucket , deleteList , ObjectOptions {
Versioned : globalBucketVersioningSys . Enabled ( bucket ) ,
VersionSuspended : globalBucketVersioningSys . Suspended ( bucket ) ,
} )
deletedObjects := make ( [ ] DeletedObject , len ( deleteObjects . Objects ) )
for i := range errs {
// DeleteMarkerVersionID is not used specifically to avoid
// lookup errors, since DeleteMarkerVersionID is only
// created during DeleteMarker creation when client didn't
// specify a versionID.
objToDel := ObjectToDelete {
ObjectName : dObjects [ i ] . ObjectName ,
VersionID : dObjects [ i ] . VersionID ,
VersionPurgeStatus : dObjects [ i ] . VersionPurgeStatus ,
DeleteMarkerReplicationStatus : dObjects [ i ] . DeleteMarkerReplicationStatus ,
}
dindex := objectsToDelete [ objToDel ]
if errs [ i ] == nil || isErrObjectNotFound ( errs [ i ] ) || isErrVersionNotFound ( errs [ i ] ) {
if replicateDeletes {
dObjects [ i ] . DeleteMarkerReplicationStatus = deleteList [ i ] . DeleteMarkerReplicationStatus
dObjects [ i ] . VersionPurgeStatus = deleteList [ i ] . VersionPurgeStatus
}
deletedObjects [ dindex ] = dObjects [ i ]
continue
}
apiErr := toAPIError ( ctx , errs [ i ] )
dErrs [ dindex ] = DeleteError {
Code : apiErr . Code ,
Message : apiErr . Description ,
Key : deleteList [ i ] . ObjectName ,
VersionID : deleteList [ i ] . VersionID ,
}
}
var deleteErrors [ ] DeleteError
2020-06-12 20:04:01 -07:00
for _ , dErr := range dErrs {
if dErr . Code != "" {
deleteErrors = append ( deleteErrors , dErr )
2016-09-08 00:19:12 +05:30
}
2016-03-05 16:43:48 -08:00
}
2016-09-02 01:59:08 -07:00
2016-03-05 16:43:48 -08:00
// Generate response
response := generateMultiDeleteResponse ( deleteObjects . Quiet , deletedObjects , deleteErrors )
encodedSuccessResponse := encodeResponse ( response )
2017-01-06 00:37:00 -08:00
2016-03-05 16:43:48 -08:00
// Write success response.
2017-01-06 00:37:00 -08:00
writeSuccessResponseXML ( w , encodedSuccessResponse )
2020-11-19 18:43:58 -08:00
for _ , dobj := range deletedObjects {
2021-02-10 22:00:42 -08:00
if dobj . ObjectName == "" {
continue
}
2020-11-12 12:10:59 -08:00
if replicateDeletes {
if dobj . DeleteMarkerReplicationStatus == string ( replication . Pending ) || dobj . VersionPurgeStatus == Pending {
2021-06-01 19:59:11 -07:00
dv := DeletedObjectReplicationInfo {
2020-11-12 12:10:59 -08:00
DeletedObject : dobj ,
Bucket : bucket ,
2021-01-11 22:36:51 -08:00
}
scheduleReplicationDelete ( ctx , dv , objectAPI , replicateSync )
2020-11-12 12:10:59 -08:00
}
2020-11-19 18:43:58 -08:00
}
2020-11-25 11:24:50 -08:00
2021-04-19 10:30:42 -07:00
}
// Clean up transitioned objects from remote tier
for _ , os := range oss {
if os == nil { // skip objects that weren't deleted due to invalid versionID etc.
continue
2020-11-25 11:24:50 -08:00
}
2021-04-19 10:30:42 -07:00
logger . LogIf ( ctx , os . Sweep ( ) )
}
2020-11-25 11:24:50 -08:00
2021-04-19 10:30:42 -07:00
// Notify deleted event for objects.
for _ , dobj := range deletedObjects {
2020-10-17 05:22:12 +01:00
eventName := event . ObjectRemovedDelete
2020-06-12 20:04:01 -07:00
objInfo := ObjectInfo {
2021-03-30 17:15:36 -07:00
Name : dobj . ObjectName ,
VersionID : dobj . VersionID ,
DeleteMarker : dobj . DeleteMarker ,
2020-06-12 20:04:01 -07:00
}
2020-10-17 05:22:12 +01:00
2021-03-30 17:15:36 -07:00
if objInfo . DeleteMarker {
2020-10-17 05:22:12 +01:00
objInfo . VersionID = dobj . DeleteMarkerVersionID
eventName = event . ObjectRemovedDeleteMarkerCreated
2020-06-12 20:04:01 -07:00
}
2020-10-17 05:22:12 +01:00
2018-03-16 01:33:41 +05:30
sendEvent ( eventArgs {
2020-10-17 05:22:12 +01:00
EventName : eventName ,
2020-06-12 20:04:01 -07:00
BucketName : bucket ,
Object : objInfo ,
2018-11-02 18:40:08 -07:00
ReqParams : extractReqParams ( r ) ,
RespElements : extractRespElements ( w ) ,
UserAgent : r . UserAgent ( ) ,
2019-03-25 11:45:42 -07:00
Host : handlers . GetSourceIP ( r ) ,
2016-09-29 11:16:19 +05:30
} )
2016-09-02 01:59:08 -07:00
}
2016-03-05 16:43:48 -08:00
}
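// PutBucketHandler - PUT Bucket
// ----------
// This implementation of the PUT operation creates a new bucket for an
// authenticated request.
//
// The optional "x-amz-bucket-object-lock-enabled" header is validated first,
// then the request is authorized for policy.CreateBucketAction, and only then
// are the location constraint and the bucket itself processed. When
// globalDNSConfig is set, the bucket name is looked up in DNS before creation
// and registered there afterwards; if that registration fails the freshly
// created bucket is removed again.
func (api objectAPIHandlers) PutBucketHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PutBucket")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	// Only the literal values "true" and "false" (case-insensitive) are
	// accepted; anything else is rejected rather than silently defaulted.
	// Multiple header values are concatenated before the comparison.
	objectLockEnabled := false
	if vs, found := r.Header[http.CanonicalHeaderKey("x-amz-bucket-object-lock-enabled")]; found {
		v := strings.ToLower(strings.Join(vs, ""))
		if v != "true" && v != "false" {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
			return
		}
		objectLockEnabled = v == "true"
	}

	// Authorize before touching any backend state.
	if s3Error := checkRequestAuthType(ctx, r, policy.CreateBucketAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Parse incoming location constraint.
	location, s3Error := parseLocationConstraint(r)
	if s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Validate if location sent by the client is valid, reject
	// requests which do not follow valid region requirements.
	if !isValidLocation(location) {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRegion), r.URL)
		return
	}

	opts := BucketOptions{
		Location:    location,
		LockEnabled: objectLockEnabled,
	}

	if globalDNSConfig != nil {
		sr, err := globalDNSConfig.Get(bucket)
		if err != nil {
			// ErrNotImplemented indicates a DNS backend that doesn't need to check if bucket already
			// exists elsewhere
			if err == dns.ErrNoEntriesFound || err == dns.ErrNotImplemented {
				// Proceed to creating a bucket.
				if err = objectAPI.MakeBucketWithLocation(ctx, bucket, opts); err != nil {
					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
					return
				}

				if err = globalDNSConfig.Put(bucket); err != nil {
					// Roll back the bucket that was just created. The rollback
					// stays best-effort, but a failure is logged so that a
					// bucket left behind without a DNS entry can be found.
					if derr := objectAPI.DeleteBucket(ctx, bucket, false); derr != nil {
						logger.LogIf(ctx, derr)
					}
					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
					return
				}

				// Load updated bucket metadata into memory.
				globalNotificationSys.LoadBucketMetadata(GlobalContext, bucket)

				// Make sure to add Location information here only for bucket
				w.Header().Set(xhttp.Location,
					getObjectLocation(r, globalDomainNames, bucket, ""))

				writeSuccessResponseHeadersOnly(w)

				sendEvent(eventArgs{
					EventName:    event.BucketCreated,
					BucketName:   bucket,
					ReqParams:    extractReqParams(r),
					RespElements: extractRespElements(w),
					UserAgent:    r.UserAgent(),
					Host:         handlers.GetSourceIP(r),
				})

				return
			}
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}

		// A DNS record exists. If its hosts intersect with this deployment's
		// IPs the bucket is already owned by the caller's deployment.
		// Otherwise the bucket exists with different IP addresses, perhaps
		// from a different deployment. Bucket names are globally unique in
		// federation at a given path prefix, name collision is not allowed.
		// Return appropriate error.
		apiErr := ErrBucketAlreadyExists
		if !globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
			apiErr = ErrBucketAlreadyOwnedByYou
		}
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErr), r.URL)
		return
	}

	// Proceed to creating a bucket.
	err := objectAPI.MakeBucketWithLocation(ctx, bucket, opts)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Load updated bucket metadata into memory.
	globalNotificationSys.LoadBucketMetadata(GlobalContext, bucket)

	// Make sure to add Location information here only for bucket
	if cp := pathClean(r.URL.Path); cp != "" {
		w.Header().Set(xhttp.Location, cp) // Clean any trailing slashes.
	}

	writeSuccessResponseHeadersOnly(w)

	sendEvent(eventArgs{
		EventName:    event.BucketCreated,
		BucketName:   bucket,
		ReqParams:    extractReqParams(r),
		RespElements: extractRespElements(w),
		UserAgent:    r.UserAgent(),
		Host:         handlers.GetSourceIP(r),
	})
}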
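// PostPolicyBucketHandler - POST policy
// ----------
// This implementation of the POST operation handles object creation with a specified
// signature policy in multipart/form-data.
//
// The handler reads the multipart form, verifies the policy signature, checks
// the session token and the IAM permission for iampolicy.PutObjectAction on
// the target object, evaluates the POST policy conditions (when a policy is
// present), optionally wraps the upload in an encrypting reader and finally
// stores the object. The response depends on the success_action_redirect and
// success_action_status form fields.
func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PostPolicyBucket")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// NOTE(review): this rejects SSE-KMS requested through request headers,
	// while the SSE branch further down handles crypto.S3KMS taken from the
	// form fields — confirm which of the two is the intended behaviour.
	if crypto.S3KMS.IsRequested(r.Header) { // SSE-KMS is not supported
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
		return
	}

	if _, ok := crypto.IsRequested(r.Header); !objectAPI.IsEncryptionSupported() && ok {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
		return
	}

	bucket := mux.Vars(r)["bucket"]

	// Require Content-Length to be set in the request
	size := r.ContentLength
	if size < 0 {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentLength), r.URL)
		return
	}

	resource, err := getResource(r.URL.Path, r.Host, globalDomainNames)
	if err != nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
		return
	}

	// Make sure that the URL does not contain object name. The resource is
	// sliced below, so an empty one is rejected instead of indexed.
	if resource == "" || bucket != path.Clean(resource[1:]) {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL)
		return
	}

	reader, err := r.MultipartReader()
	if err != nil {
		logger.LogIf(ctx, err)
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPOSTRequest), r.URL)
		return
	}

	// Read multipart data and save in memory and in the disk if needed.
	// Here the parameter is the size of the form data that should
	// be loaded in memory, the remaining being put in temporary files.
	form, err := reader.ReadForm(maxFormMemory)
	if err != nil {
		logger.LogIf(ctx, err, logger.Application)
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPOSTRequest), r.URL)
		return
	}

	// Remove all tmp files created during multipart upload
	defer form.RemoveAll()

	// Extract all form fields
	fileBody, fileName, fileSize, formValues, err := extractPostPolicyFormValues(ctx, form)
	if err != nil {
		logger.LogIf(ctx, err, logger.Application)
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPOSTRequest), r.URL)
		return
	}

	// Check if file is provided, error out otherwise.
	if fileBody == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrPOSTFileRequired), r.URL)
		return
	}

	// Close multipart file
	defer fileBody.Close()

	// The bucket always comes from the routed URL, never from the form.
	formValues.Set("Bucket", bucket)

	if fileName != "" && strings.Contains(formValues.Get("Key"), "${filename}") {
		// S3 feature to replace ${filename} found in Key form field
		// by the filename attribute passed in multipart. The substitution
		// happens before the IAM and policy checks, so both see the final key.
		formValues.Set("Key", strings.Replace(formValues.Get("Key"), "${filename}", fileName, -1))
	}
	object := trimLeadingSlash(formValues.Get("Key"))

	// success_action_redirect is supplied by the client and is only parsed
	// here. NOTE(review): whether its target is restricted depends on the
	// conditions of the signed policy — confirm against checkPostPolicy.
	successRedirect := formValues.Get("success_action_redirect")
	successStatus := formValues.Get("success_action_status")
	var redirectURL *url.URL
	if successRedirect != "" {
		redirectURL, err = url.Parse(successRedirect)
		if err != nil {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPOSTRequest), r.URL)
			return
		}
	}

	// Verify policy signature.
	cred, errCode := doesPolicySignatureMatch(formValues)
	if errCode != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(errCode), r.URL)
		return
	}

	// Once signature is validated, check if the user has
	// explicit permissions to upload the object.
	{
		token := formValues.Get(xhttp.AmzSecurityToken)
		if token != "" && cred.AccessKey == "" {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNoAccessKey), r.URL)
			return
		}

		if cred.IsServiceAccount() && token == "" {
			token = cred.SessionToken
		}

		// Constant-time comparison so the check does not leak how much of
		// the session token matched.
		if subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidToken), r.URL)
			return
		}

		// Extract claims if any.
		claims, err := getClaimsFromToken(token)
		if err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}

		if !globalIAMSys.IsAllowed(iampolicy.Args{
			AccountName:     cred.AccessKey,
			Action:          iampolicy.PutObjectAction,
			ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
			BucketName:      bucket,
			ObjectName:      object,
			IsOwner:         globalActiveCred.AccessKey == cred.AccessKey,
			Claims:          claims,
		}) {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
			return
		}
	}

	policyBytes, err := base64.StdEncoding.DecodeString(formValues.Get("Policy"))
	if err != nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedPOSTRequest), r.URL)
		return
	}

	// Handle policy if it is set.
	// NOTE(review): with an empty Policy field none of the conditions below
	// are evaluated; access then rests on the signature and IAM checks above
	// — confirm that is intended.
	if len(policyBytes) > 0 {
		postPolicyForm, err := parsePostPolicyForm(bytes.NewReader(policyBytes))
		if err != nil {
			errAPI := errorCodes.ToAPIErr(ErrPostPolicyConditionInvalidFormat)
			errAPI.Description = fmt.Sprintf("%s '(%s)'", errAPI.Description, err)
			writeErrorResponse(ctx, w, errAPI, r.URL)
			return
		}

		// Make sure formValues adhere to policy restrictions.
		if err = checkPostPolicy(formValues, postPolicyForm); err != nil {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErrWithErr(ErrAccessDenied, err), r.URL)
			return
		}

		// Ensure that the object size is within expected range, also the file size
		// should not exceed the maximum single Put size (5 GiB)
		// NOTE(review): isMaxObjectSize is only consulted when the policy
		// carries a content-length-range condition — confirm an upper bound
		// is enforced elsewhere for policies without one.
		lengthRange := postPolicyForm.Conditions.ContentLengthRange
		if lengthRange.Valid {
			if fileSize < lengthRange.Min {
				writeErrorResponse(ctx, w, toAPIError(ctx, errDataTooSmall), r.URL)
				return
			}

			if fileSize > lengthRange.Max || isMaxObjectSize(fileSize) {
				writeErrorResponse(ctx, w, toAPIError(ctx, errDataTooLarge), r.URL)
				return
			}
		}
	}

	// Extract metadata to be saved from received Form.
	metadata := make(map[string]string)
	err = extractMetadataFromMime(ctx, textproto.MIMEHeader(formValues), metadata)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	hashReader, err := hash.NewReader(fileBody, fileSize, "", "", fileSize)
	if err != nil {
		logger.LogIf(ctx, err)
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}
	rawReader := hashReader
	pReader := NewPutObjReader(rawReader)
	var objectEncryptionKey crypto.ObjectKey

	// Check if bucket encryption is enabled
	// NOTE(review): the bucket default is applied to r.Header, while the SSE
	// branch below inspects formValues — confirm that bucket-default
	// encryption is honoured for POST uploads.
	sseConfig, _ := globalBucketSSEConfigSys.Get(bucket)
	sseConfig.Apply(r.Header, globalAutoEncryption)

	// get gateway encryption options
	var opts ObjectOptions
	opts, err = putOpts(ctx, r, bucket, object, metadata)
	if err != nil {
		// Reported with a body like every other failure in this handler.
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	if objectAPI.IsEncryptionSupported() {
		if kind, ok := crypto.IsRequested(formValues); ok && !HasSuffix(object, SlashSeparator) { // handle SSE requests
			if crypto.SSECopy.IsRequested(r.Header) {
				writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
				return
			}
			var (
				reader io.Reader
				keyID  string
				key    []byte
				kmsCtx kms.Context
			)
			switch kind {
			case crypto.SSEC:
				key, err = ParseSSECustomerHeader(formValues)
				if err != nil {
					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
					return
				}
			case crypto.S3KMS:
				keyID, kmsCtx, err = crypto.S3KMS.ParseHTTP(formValues)
				if err != nil {
					writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
					return
				}
			}
			reader, objectEncryptionKey, err = newEncryptReader(hashReader, kind, keyID, key, bucket, object, metadata, kmsCtx)
			if err != nil {
				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}
			info := ObjectInfo{Size: fileSize}
			// do not try to verify encrypted content
			hashReader, err = hash.NewReader(reader, info.EncryptedSize(), "", "", fileSize)
			if err != nil {
				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}
			pReader, err = pReader.WithEncryption(hashReader, &objectEncryptionKey)
			if err != nil {
				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
				return
			}
		}
	}

	objInfo, err := objectAPI.PutObject(ctx, bucket, object, pReader, opts)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// We must not use the http.Header().Set method here because some (broken)
	// clients expect the ETag header key to be literally "ETag" - not "Etag" (case-sensitive).
	// Therefore, we have to set the ETag directly as map entry.
	w.Header()[xhttp.ETag] = []string{`"` + objInfo.ETag + `"`}

	// Set the relevant version ID as part of the response header.
	if objInfo.VersionID != "" {
		w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
	}

	w.Header().Set(xhttp.Location, getObjectLocation(r, globalDomainNames, bucket, object))

	// Notify object created event. The arguments are evaluated here, the
	// event itself is sent when the handler returns.
	defer sendEvent(eventArgs{
		EventName:    event.ObjectCreatedPost,
		BucketName:   objInfo.Bucket,
		Object:       objInfo,
		ReqParams:    extractReqParams(r),
		RespElements: extractRespElements(w),
		UserAgent:    r.UserAgent(),
		Host:         handlers.GetSourceIP(r),
	})

	if successRedirect != "" {
		// Replace raw query params.
		redirectURL.RawQuery = getRedirectPostRawQuery(objInfo)
		writeRedirectSeeOther(w, redirectURL.String())
		return
	}

	// Decide what http response to send depending on success_action_status parameter
	switch successStatus {
	case "201":
		resp := encodeResponse(PostResponse{
			Bucket:   objInfo.Bucket,
			Key:      objInfo.Name,
			ETag:     `"` + objInfo.ETag + `"`,
			Location: w.Header().Get(xhttp.Location),
		})
		writeResponse(w, http.StatusCreated, resp, mimeXML)
	case "200":
		writeSuccessResponseHeadersOnly(w)
	default:
		writeSuccessNoContent(w)
	}
}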
// GetBucketPolicyStatusHandler - Retrieves the policy status
// for a MinIO bucket, indicating whether the bucket is public.
//
// The caller is authorized for policy.GetBucketPolicyStatusAction and the
// bucket must exist. The status is then derived from two anonymous
// (non-owner) policy evaluations, one for listing and one for uploading.
func (api objectAPIHandlers) GetBucketPolicyStatusHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketPolicyStatus")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucket := mux.Vars(r)["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrServerNotInitialized))
		return
	}

	authErr := checkRequestAuthType(ctx, r, policy.GetBucketPolicyStatusAction, bucket, "")
	if authErr != ErrNone {
		writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(authErr))
		return
	}

	// The bucket has to exist before its policy can be evaluated.
	_, err := objectAPI.GetBucketInfo(ctx, bucket)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// May an anonymous (non-owner) caller list objects?
	anonCanList := globalPolicySys.IsAllowed(policy.Args{
		Action:          policy.ListBucketAction,
		BucketName:      bucket,
		ConditionValues: getConditionValues(r, "", "", nil),
		IsOwner:         false,
	})

	// May an anonymous (non-owner) caller upload objects?
	anonCanPut := globalPolicySys.IsAllowed(policy.Args{
		Action:          policy.PutObjectAction,
		BucketName:      bucket,
		ConditionValues: getConditionValues(r, "", "", nil),
		IsOwner:         false,
	})

	// The API uses the strings "TRUE"/"FALSE" instead of a boolean, see
	// https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketPolicyStatus.html
	//
	// NOTE(review): a bucket that is anonymously listable but not writable
	// (or the reverse) is reported as "FALSE" here — confirm this matches
	// what consumers of the status expect "public" to mean.
	isPublic := "FALSE"
	if anonCanList && anonCanPut {
		isPublic = "TRUE"
	}

	writeSuccessResponseXML(w, encodeResponse(PolicyStatus{IsPublic: isPublic}))
}
// HeadBucketHandler - HEAD Bucket
// ----------
// This operation is useful to determine if a bucket exists.
// The operation returns a 200 OK if the bucket exists and you
// have permission to access it. Otherwise, the operation might
// return responses such as 404 Not Found and 403 Forbidden.
//
// Every failure is written with headers only, without a response body.
func (api objectAPIHandlers) HeadBucketHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "HeadBucket")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucket := mux.Vars(r)["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrServerNotInitialized))
		return
	}

	// The caller needs policy.ListBucketAction on the bucket; the
	// authorization check runs before the existence check.
	authErr := checkRequestAuthType(ctx, r, policy.ListBucketAction, bucket, "")
	if authErr != ErrNone {
		writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(authErr))
		return
	}

	_, err := objectAPI.GetBucketInfo(ctx, bucket)
	if err != nil {
		writeErrorResponseHeadersOnly(w, toAPIError(ctx, err))
		return
	}

	writeSuccessResponseHeadersOnly(w)
}
2015-10-16 11:26:01 -07:00
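// DeleteBucketHandler - Delete bucket
// ----------
// Deletes the bucket named in the route. The caller must be authorized for
// policy.DeleteBucketAction. When the force-delete header is present the
// caller must also be authorized for policy.ForceDeleteBucketAction, and a
// forced delete is refused with ErrMethodNotAllowed if the bucket reports
// object locking as enabled. When a DNS config is set, the bucket's DNS entry
// is deleted before the bucket and put back if the bucket delete fails.
func (api objectAPIHandlers) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "DeleteBucket")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// Verify if the caller has sufficient permissions.
	if s3Error := checkRequestAuthType(ctx, r, policy.DeleteBucketAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	forceDelete := false
	if value := r.Header.Get(xhttp.MinIOForceDelete); value != "" {
		var err error
		forceDelete, err = strconv.ParseBool(value)
		if err != nil {
			apiErr := errorCodes.ToAPIErr(ErrInvalidRequest)
			apiErr.Description = err.Error()
			writeErrorResponse(ctx, w, apiErr, r.URL)
			return
		}

		// if force delete header is set, we need to evaluate the policy anyways
		// regardless of it being true or not.
		if s3Error := checkRequestAuthType(ctx, r, policy.ForceDeleteBucketAction, bucket, ""); s3Error != ErrNone {
			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
			return
		}

		if forceDelete {
			// A forced delete must never remove a bucket that has object
			// locking enabled.
			// NOTE(review): the error returned by Get is discarded, so if the
			// lookup fails and rcfg comes back without LockEnabled set, this
			// guard does not fire. Confirm Get cannot fail for a lock-enabled
			// bucket, or reject the request when it returns an error.
			if rcfg, _ := globalBucketObjectLockSys.Get(bucket); rcfg.LockEnabled {
				writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL)
				return
			}
		}
	}

	// Remove the DNS entry first; it is restored below if the bucket delete
	// itself fails.
	if globalDNSConfig != nil {
		if err := globalDNSConfig.Delete(bucket); err != nil {
			logger.LogIf(ctx, fmt.Errorf("Unable to delete bucket DNS entry %w, please delete it manually", err))
			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
	}

	deleteBucket := objectAPI.DeleteBucket

	// Attempt to delete bucket.
	if err := deleteBucket(ctx, bucket, forceDelete); err != nil {
		apiErr := toAPIError(ctx, err)
		if _, ok := err.(BucketNotEmpty); ok {
			// On versioned (or versioning-suspended) buckets, tell the caller
			// that every version has to be removed, not only current objects.
			if globalBucketVersioningSys.Enabled(bucket) || globalBucketVersioningSys.Suspended(bucket) {
				apiErr.Description = "The bucket you tried to delete is not empty. You must delete all versions in the bucket."
			}
		}
		if globalDNSConfig != nil {
			// The bucket still exists, so put its DNS entry back. A failure
			// here is only logged; the original delete error is what the
			// client receives.
			if err2 := globalDNSConfig.Put(bucket); err2 != nil {
				logger.LogIf(ctx, fmt.Errorf("Unable to restore bucket DNS entry %w, please fix it manually", err2))
			}
		}
		writeErrorResponse(ctx, w, apiErr, r.URL)
		return
	}

	globalNotificationSys.DeleteBucketMetadata(ctx, bucket)

	// Write success response.
	writeSuccessNoContent(w)

	sendEvent(eventArgs{
		EventName:    event.BucketRemoved,
		BucketName:   bucket,
		ReqParams:    extractReqParams(r),
		RespElements: extractRespElements(w),
		UserAgent:    r.UserAgent(),
		Host:         handlers.GetSourceIP(r),
	})
}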
// PutBucketObjectLockConfigHandler - PUT Bucket object lock configuration.
// ----------
// Places an Object Lock configuration on the specified bucket. The rule
// specified in the Object Lock configuration will be applied by default
// to every new object placed in the specified bucket.
//
// The request is rejected with ErrNotImplemented when globalIsErasure is
// false, and the caller must be authorized for
// policy.PutBucketObjectLockConfigurationAction.
func (api objectAPIHandlers) PutBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PutBucketObjectLockConfig")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	if api.ObjectAPI() == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	if !globalIsErasure {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
		return
	}

	// Authorization comes before any part of the request body is read.
	authErr := checkRequestAuthType(ctx, r, policy.PutBucketObjectLockConfigurationAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	// NOTE(review): the body is handed to the parser without a size cap in
	// this handler; confirm a request-size limit is enforced upstream.
	lockCfg, err := objectlock.ParseObjectLockConfig(r.Body)
	if err != nil {
		malformed := errorCodes.ToAPIErr(ErrMalformedXML)
		malformed.Description = err.Error()
		writeErrorResponse(ctx, w, malformed, r.URL)
		return
	}

	payload, err := xml.Marshal(lockCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Deny object locking configuration settings on existing buckets without object lock enabled.
	_, err = globalBucketMetadataSys.GetObjectLockConfig(bucketName)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	err = globalBucketMetadataSys.Update(bucketName, objectLockConfig, payload)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseHeadersOnly(w)
}
// GetBucketObjectLockConfigHandler - GET Bucket object lock configuration.
// ----------
// Gets the Object Lock configuration for a bucket. The rule specified in
// the Object Lock configuration will be applied by default to every new
// object placed in the specified bucket.
//
// The caller must be authorized for
// policy.GetBucketObjectLockConfigurationAction; the stored configuration is
// returned as XML.
func (api objectAPIHandlers) GetBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketObjectLockConfig")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	if api.ObjectAPI() == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// check if user has permissions to perform this operation
	authErr := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	lockCfg, err := globalBucketMetadataSys.GetObjectLockConfig(bucketName)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	payload, err := xml.Marshal(lockCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseXML(w, payload)
}
// PutBucketTaggingHandler - PUT Bucket tagging.
// ----------
// Parses the tag set from the request body and stores it as the bucket's
// tagging configuration. The caller must be authorized for
// policy.PutBucketTaggingAction.
func (api objectAPIHandlers) PutBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PutBucketTagging")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	if api.ObjectAPI() == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	authErr := checkRequestAuthType(ctx, r, policy.PutBucketTaggingAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	// The parser never reads more than the declared Content-Length.
	body := io.LimitReader(r.Body, r.ContentLength)
	bucketTags, err := tags.ParseBucketXML(body)
	if err != nil {
		malformed := errorCodes.ToAPIErr(ErrMalformedXML)
		malformed.Description = err.Error()
		writeErrorResponse(ctx, w, malformed, r.URL)
		return
	}

	payload, err := xml.Marshal(bucketTags)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	err = globalBucketMetadataSys.Update(bucketName, bucketTaggingConfig, payload)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseHeadersOnly(w)
}
// GetBucketTaggingHandler - GET Bucket tagging.
// ----------
// Returns the bucket's stored tagging configuration as XML. The caller must
// be authorized for policy.GetBucketTaggingAction.
func (api objectAPIHandlers) GetBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketTagging")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	if api.ObjectAPI() == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// check if user has permissions to perform this operation
	authErr := checkRequestAuthType(ctx, r, policy.GetBucketTaggingAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	tagCfg, err := globalBucketMetadataSys.GetTaggingConfig(bucketName)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	payload, err := xml.Marshal(tagCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseXML(w, payload)
}
// DeleteBucketTaggingHandler - DELETE Bucket tagging.
// ----------
// Clears the bucket's tagging configuration by updating it with nil data.
// Authorization is checked against policy.PutBucketTaggingAction; no
// separate delete action is evaluated here.
func (api objectAPIHandlers) DeleteBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "DeleteBucketTagging")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	if api.ObjectAPI() == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	authErr := checkRequestAuthType(ctx, r, policy.PutBucketTaggingAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	err := globalBucketMetadataSys.Update(bucketName, bucketTaggingConfig, nil)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseHeadersOnly(w)
}
// PutBucketReplicationConfigHandler - PUT Bucket replication configuration.
// ----------
// Add a replication configuration on the specified bucket as specified in https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html
//
// The request is rejected with ErrNotImplemented when globalIsErasure is
// false. The caller must be authorized for
// policy.PutReplicationConfigurationAction, the bucket must exist and have
// versioning enabled, and the parsed configuration must pass destination and
// rule validation before it is stored.
func (api objectAPIHandlers) PutBucketReplicationConfigHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PutBucketReplicationConfig")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	if !globalIsErasure {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL)
		return
	}

	authErr := checkRequestAuthType(ctx, r, policy.PutReplicationConfigurationAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	// Check if bucket exists.
	if _, lookupErr := objAPI.GetBucketInfo(ctx, bucketName); lookupErr != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, lookupErr), r.URL)
		return
	}

	// Replication is only accepted on buckets with versioning enabled.
	if !globalBucketVersioningSys.Enabled(bucketName) {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrReplicationNeedsVersioningError), r.URL)
		return
	}

	// The parser never reads more than the declared Content-Length.
	body := io.LimitReader(r.Body, r.ContentLength)
	replCfg, err := replication.ParseConfig(body)
	if err != nil {
		malformed := errorCodes.ToAPIErr(ErrMalformedXML)
		malformed.Description = err.Error()
		writeErrorResponse(ctx, w, malformed, r.URL)
		return
	}

	isSameTarget, err := validateReplicationDestination(ctx, bucketName, replCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Validate the received bucket replication config
	err = replCfg.Validate(bucketName, isSameTarget)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	payload, err := xml.Marshal(replCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	err = globalBucketMetadataSys.Update(bucketName, bucketReplicationConfig, payload)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseHeadersOnly(w)
}
// GetBucketReplicationConfigHandler - GET Bucket replication configuration.
// ----------
// Gets the replication configuration for a bucket.
//
// The caller must be authorized for
// policy.GetReplicationConfigurationAction and the bucket must exist; the
// stored configuration is returned as XML.
func (api objectAPIHandlers) GetBucketReplicationConfigHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketReplicationConfig")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// check if user has permissions to perform this operation
	authErr := checkRequestAuthType(ctx, r, policy.GetReplicationConfigurationAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	// Check if bucket exists.
	if _, lookupErr := objAPI.GetBucketInfo(ctx, bucketName); lookupErr != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, lookupErr), r.URL)
		return
	}

	replCfg, err := globalBucketMetadataSys.GetReplicationConfig(ctx, bucketName)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	payload, err := xml.Marshal(replCfg)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseXML(w, payload)
}
// DeleteBucketReplicationConfigHandler - DELETE Bucket replication config.
// ----------
// Clears the bucket's replication configuration by updating it with nil
// data. Authorization is checked against
// policy.PutReplicationConfigurationAction; no separate delete action is
// evaluated here. The bucket must exist.
func (api objectAPIHandlers) DeleteBucketReplicationConfigHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "DeleteBucketReplicationConfig")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	bucketName := mux.Vars(r)["bucket"]

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	authErr := checkRequestAuthType(ctx, r, policy.PutReplicationConfigurationAction, bucketName, "")
	if authErr != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(authErr), r.URL)
		return
	}

	// Check if bucket exists.
	if _, lookupErr := objAPI.GetBucketInfo(ctx, bucketName); lookupErr != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, lookupErr), r.URL)
		return
	}

	updateErr := globalBucketMetadataSys.Update(bucketName, bucketReplicationConfig, nil)
	if updateErr != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, updateErr), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseHeadersOnly(w)
}
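// GetBucketReplicationMetricsHandler - GET Bucket replication metrics.
// ----------
// Gets the replication metrics for a bucket.
//
// The caller must be authorized for
// policy.GetReplicationConfigurationAction and the bucket must exist. The
// response is the JSON encoding of a BucketReplicationStats value holding the
// per-node stats summed together plus the initial usage reported by
// globalReplicationStats.
func (api objectAPIHandlers) GetBucketReplicationMetricsHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketReplicationMetrics")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	// check if user has permissions to perform this operation
	if s3Error := checkRequestAuthType(ctx, r, policy.GetReplicationConfigurationAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Check if bucket exists.
	if _, err := objectAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	bucketStats := globalNotificationSys.GetClusterBucketStats(r.Context(), bucket)
	bucketReplStats := BucketReplicationStats{}

	// sum up metrics from each node in the cluster
	for _, bucketStat := range bucketStats {
		bucketReplStats.FailedCount += bucketStat.ReplicationStats.FailedCount
		bucketReplStats.FailedSize += bucketStat.ReplicationStats.FailedSize
		bucketReplStats.PendingCount += bucketStat.ReplicationStats.PendingCount
		bucketReplStats.PendingSize += bucketStat.ReplicationStats.PendingSize
		bucketReplStats.ReplicaSize += bucketStat.ReplicationStats.ReplicaSize
		bucketReplStats.ReplicatedSize += bucketStat.ReplicationStats.ReplicatedSize
	}

	// add initial usage from the time of cluster up
	usageStat := globalReplicationStats.GetInitialUsage(bucket)
	bucketReplStats.FailedCount += usageStat.FailedCount
	bucketReplStats.FailedSize += usageStat.FailedSize
	bucketReplStats.PendingCount += usageStat.PendingCount
	bucketReplStats.PendingSize += usageStat.PendingSize
	bucketReplStats.ReplicaSize += usageStat.ReplicaSize
	bucketReplStats.ReplicatedSize += usageStat.ReplicatedSize

	// NOTE(review): Encode writes straight to w, so if it fails part-way the
	// error response below is sent after whatever was already written.
	if err := json.NewEncoder(w).Encode(&bucketReplStats); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	// Flush only when the writer supports it; an unchecked type assertion
	// would panic the handler on a ResponseWriter that is not an http.Flusher.
	if flusher, ok := w.(http.Flusher); ok {
		flusher.Flush()
	}
}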
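// ResetBucketReplicationStateHandler - starts a replication reset for all objects in a bucket which
// qualify for replication and re-sync the object(s) to target, provided ExistingObjectReplication is
// enabled for the qualifying rule. This API is a MinIO only extension provided for situations where
// remote target is entirely lost, and previously replicated objects need to be re-synced.
//
// The optional "older-than" query parameter is parsed with time.ParseDuration
// and converted to whole days to compute the target's ResetBeforeDate. The
// caller must be authorized for policy.ResetBucketReplicationStateAction. On
// success the newly generated reset ID is returned as JSON.
func (api objectAPIHandlers) ResetBucketReplicationStateHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "ResetBucketReplicationState")

	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	durationStr := r.URL.Query().Get("older-than")
	var (
		olderThan time.Duration
		err       error
	)
	if durationStr != "" {
		olderThan, err = time.ParseDuration(durationStr)
		if err != nil {
			writeErrorResponse(ctx, w, toAPIError(ctx, InvalidArgument{
				Bucket: bucket,
				Err:    fmt.Errorf("invalid query parameter older-than %s for %s : %w", durationStr, bucket, err),
			}), r.URL)
			// Stop here. Without this return the handler kept going after the
			// error response was written and, for an authorized caller,
			// carried out the reset with a zero duration.
			return
		}
	}

	objectAPI := api.ObjectAPI()
	if objectAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
		return
	}

	if s3Error := checkRequestAuthType(ctx, r, policy.ResetBucketReplicationStateAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
		return
	}

	// Check if bucket exists.
	if _, err := objectAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	config, err := globalBucketMetadataSys.GetReplicationConfig(ctx, bucket)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	if !config.HasActiveRules("", true) {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrReplicationNoMatchingRuleError), r.URL)
		return
	}

	target := globalBucketTargetSys.GetRemoteBucketTargetByArn(ctx, bucket, config.RoleArn)

	// A time.Duration counts nanoseconds, so dividing the raw value by 24 does
	// not give days; convert through hours to get whole days.
	// NOTE(review): a negative older-than value is accepted by ParseDuration
	// and moves ResetBeforeDate into the future; confirm that is intended.
	target.ResetBeforeDate = UTCNow().AddDate(0, 0, -1*int(olderThan.Hours()/24))
	target.ResetID = mustGetUUID()

	if err = globalBucketTargetSys.SetTarget(ctx, bucket, &target, true); err != nil {
		switch err.(type) {
		case BucketRemoteConnectionErr:
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrReplicationRemoteConnectionError, err), r.URL)
		default:
			writeErrorResponseJSON(ctx, w, toAPIError(ctx, err), r.URL)
		}
		return
	}

	// Persist the updated target list in the bucket metadata.
	targets, err := globalBucketTargetSys.ListBucketTargets(ctx, bucket)
	if err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	tgtBytes, err := json.Marshal(&targets)
	if err != nil {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErrWithErr(ErrAdminConfigBadJSON, err), r.URL)
		return
	}

	if err = globalBucketMetadataSys.Update(bucket, bucketTargetsFile, tgtBytes); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
		return
	}

	data, err := json.Marshal(target.ResetID)
	if err != nil {
		writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
		return
	}

	// Write success response.
	writeSuccessResponseJSON(w, data)
}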