mirror of
https://github.com/minio/minio.git
synced 2025-01-11 23:13:23 -05:00
Add a new validateContentTypeHandler{}, verify Accept header earlier
This commit is contained in:
parent
fdbfa5070b
commit
5498c90788
@ -69,10 +69,6 @@ func (server *minioAPI) isValidOp(w http.ResponseWriter, req *http.Request, acce
|
||||
//
|
||||
func (server *minioAPI) listObjectsHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
// verify if bucket allows this operation
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -123,10 +119,6 @@ func (server *minioAPI) listObjectsHandler(w http.ResponseWriter, req *http.Requ
|
||||
// owned by the authenticated sender of the request.
|
||||
func (server *minioAPI) listBucketsHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
// uncomment this when we have webcli
|
||||
// without access key credentials one cannot list buckets
|
||||
// if _, err := stripAuth(req); err != nil {
|
||||
@ -161,10 +153,6 @@ func (server *minioAPI) listBucketsHandler(w http.ResponseWriter, req *http.Requ
|
||||
// This implementation of the PUT operation creates a new bucket for authenticated request
|
||||
func (server *minioAPI) putBucketHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
// uncomment this when we have webcli
|
||||
// without access key credentials one cannot create a bucket
|
||||
// if _, err := stripAuth(req); err != nil {
|
||||
@ -217,11 +205,6 @@ func (server *minioAPI) putBucketHandler(w http.ResponseWriter, req *http.Reques
|
||||
// This implementation of the PUT operation modifies the bucketACL for authenticated request
|
||||
func (server *minioAPI) putBucketACLHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// read from 'x-amz-acl'
|
||||
aclType := getACLType(req)
|
||||
if aclType == unsupportedACLType {
|
||||
@ -261,11 +244,6 @@ func (server *minioAPI) putBucketACLHandler(w http.ResponseWriter, req *http.Req
|
||||
// return responses such as 404 Not Found and 403 Forbidden.
|
||||
func (server *minioAPI) headBucketHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// verify if bucket allows this operation
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
|
@ -25,12 +25,15 @@ import (
|
||||
"github.com/minio/minio/pkg/api/config"
|
||||
)
|
||||
|
||||
type contentTypeHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
type timeHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
type validateAuthHandler struct {
|
||||
conf config.Config
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
@ -46,6 +49,10 @@ type auth struct {
|
||||
accessKey string
|
||||
}
|
||||
|
||||
const (
|
||||
timeFormat = "20060102T150405Z"
|
||||
)
|
||||
|
||||
// strip auth from authorization header
|
||||
func stripAuth(r *http.Request) (*auth, error) {
|
||||
authHeader := r.Header.Get("Authorization")
|
||||
@ -74,10 +81,6 @@ func stripAuth(r *http.Request) (*auth, error) {
|
||||
return a, nil
|
||||
}
|
||||
|
||||
const (
|
||||
timeFormat = "20060102T150405Z"
|
||||
)
|
||||
|
||||
func getDate(req *http.Request) (time.Time, error) {
|
||||
amzDate := req.Header.Get("X-Amz-Date")
|
||||
switch {
|
||||
@ -108,16 +111,25 @@ func getDate(req *http.Request) (time.Time, error) {
|
||||
return time.Time{}, errors.New("invalid request")
|
||||
}
|
||||
|
||||
func validContentTypeHandler(h http.Handler) http.Handler {
|
||||
return contentTypeHandler{h}
|
||||
}
|
||||
|
||||
func (h contentTypeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
acceptsContentType := getContentType(r)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
h.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
func timeValidityHandler(h http.Handler) http.Handler {
|
||||
return timeHandler{h}
|
||||
}
|
||||
|
||||
func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
acceptsContentType := getContentType(r)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// Verify if date headers are set, if not reject the request
|
||||
if r.Header.Get("Authorization") != "" {
|
||||
if r.Header.Get("X-Amz-Date") == "" && r.Header.Get("Date") == "" {
|
||||
@ -143,29 +155,27 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
// validate auth header handler is wrapper handler used for API request validation with authorization header.
|
||||
// Current authorization layer supports S3's standard HMAC based signature request.
|
||||
func validateAuthHeaderHandler(conf config.Config, h http.Handler) http.Handler {
|
||||
return validateAuthHandler{
|
||||
conf: conf,
|
||||
handler: h,
|
||||
}
|
||||
func validateAuthHeaderHandler(h http.Handler) http.Handler {
|
||||
return validateAuthHandler{h}
|
||||
}
|
||||
|
||||
// validate auth header handler ServeHTTP() wrapper
|
||||
func (h validateAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
acceptsContentType := getContentType(r)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
_, err := stripAuth(r)
|
||||
switch err.(type) {
|
||||
case nil:
|
||||
if err := h.conf.ReadConfig(); err != nil {
|
||||
var conf = config.Config{}
|
||||
if err := conf.SetupConfig(); err != nil {
|
||||
writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if err := conf.ReadConfig(); err != nil {
|
||||
writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// uncomment this when we have webcli
|
||||
// _, ok := h.conf.Users[auth.accessKey]
|
||||
// _, ok := conf.Users[auth.accessKey]
|
||||
//if !ok {
|
||||
// writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
|
||||
// return
|
||||
@ -189,10 +199,6 @@ func ignoreResourcesHandler(h http.Handler) http.Handler {
|
||||
// Resource handler ServeHTTP() wrapper
|
||||
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
acceptsContentType := getContentType(r)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if ignoreNotImplementedObjectResources(r) || ignoreNotImplementedBucketResources(r) {
|
||||
error := getErrorCode(NotImplemented)
|
||||
errorResponse := getErrorResponse(error, "")
|
||||
|
@ -39,11 +39,6 @@ const (
|
||||
// you must have READ access to the object.
|
||||
func (server *minioAPI) getObjectHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// verify if this operation is allowed
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -101,11 +96,6 @@ func (server *minioAPI) getObjectHandler(w http.ResponseWriter, req *http.Reques
|
||||
// The HEAD operation retrieves metadata from an object without returning the object itself.
|
||||
func (server *minioAPI) headObjectHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// verify if this operation is allowed
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -144,11 +134,6 @@ func (server *minioAPI) headObjectHandler(w http.ResponseWriter, req *http.Reque
|
||||
// This implementation of the PUT operation adds an object to a bucket.
|
||||
func (server *minioAPI) putObjectHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// verify if this operation is allowed
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -224,13 +209,7 @@ func (server *minioAPI) putObjectHandler(w http.ResponseWriter, req *http.Reques
|
||||
}
|
||||
|
||||
func (server *minioAPI) newMultipartUploadHandler(w http.ResponseWriter, req *http.Request) {
|
||||
// TODO ensure ?uploads is part of URL
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// handle ACL's here at bucket level
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -262,11 +241,6 @@ func (server *minioAPI) newMultipartUploadHandler(w http.ResponseWriter, req *ht
|
||||
|
||||
func (server *minioAPI) putObjectPartHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// handle ACL's here at bucket level
|
||||
if !server.isValidOp(w, req, acceptsContentType) {
|
||||
return
|
||||
@ -356,10 +330,7 @@ func (server *minioAPI) putObjectPartHandler(w http.ResponseWriter, req *http.Re
|
||||
|
||||
func (server *minioAPI) abortMultipartUploadHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
vars := mux.Vars(req)
|
||||
bucket := vars["bucket"]
|
||||
object := vars["object"]
|
||||
@ -381,10 +352,7 @@ func (server *minioAPI) abortMultipartUploadHandler(w http.ResponseWriter, req *
|
||||
|
||||
func (server *minioAPI) listObjectPartsHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
vars := mux.Vars(req)
|
||||
bucket := vars["bucket"]
|
||||
object := vars["object"]
|
||||
@ -415,10 +383,6 @@ func (server *minioAPI) listObjectPartsHandler(w http.ResponseWriter, req *http.
|
||||
|
||||
func (server *minioAPI) completeMultipartUploadHandler(w http.ResponseWriter, req *http.Request) {
|
||||
acceptsContentType := getContentType(req)
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, req, NotAcceptable, acceptsContentType, req.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
decoder := xml.NewDecoder(req.Body)
|
||||
parts := &CompleteMultipartUpload{}
|
||||
|
@ -21,11 +21,9 @@ import (
|
||||
"net/http"
|
||||
|
||||
router "github.com/gorilla/mux"
|
||||
"github.com/minio/minio/pkg/api/config"
|
||||
"github.com/minio/minio/pkg/api/logging"
|
||||
"github.com/minio/minio/pkg/api/quota"
|
||||
"github.com/minio/minio/pkg/featureflags"
|
||||
"github.com/minio/minio/pkg/iodine"
|
||||
"github.com/minio/minio/pkg/storage/drivers"
|
||||
)
|
||||
|
||||
@ -57,13 +55,10 @@ func HTTPHandler(driver drivers.Driver) http.Handler {
|
||||
mux.HandleFunc("/{bucket}/{object:.*}", api.getObjectHandler).Methods("GET")
|
||||
mux.HandleFunc("/{bucket}/{object:.*}", api.putObjectHandler).Methods("PUT")
|
||||
|
||||
var conf = config.Config{}
|
||||
if err := conf.SetupConfig(); err != nil {
|
||||
log.Fatal(iodine.New(err, nil))
|
||||
}
|
||||
h := timeValidityHandler(mux)
|
||||
h := validContentTypeHandler(mux)
|
||||
h = timeValidityHandler(h)
|
||||
h = ignoreResourcesHandler(h)
|
||||
h = validateAuthHeaderHandler(conf, h)
|
||||
h = validateAuthHeaderHandler(h)
|
||||
// h = quota.BandwidthCap(h, 25*1024*1024, time.Duration(30*time.Minute))
|
||||
// h = quota.BandwidthCap(h, 100*1024*1024, time.Duration(24*time.Hour))
|
||||
// h = quota.RequestLimit(h, 100, time.Duration(30*time.Minute))
|
||||
|
Loading…
Reference in New Issue
Block a user