Fix some bugs in controller rpc
parent
05de60a598
commit
7cde4577d0
@ -194,6 +194,7 @@ func getControllerConfig(c *cli.Context) minioConfig {
|
|||||||
CertFile: certFile,
|
CertFile: certFile,
|
||||||
KeyFile: keyFile,
|
KeyFile: keyFile,
|
||||||
RateLimit: c.GlobalInt("ratelimit"),
|
RateLimit: c.GlobalInt("ratelimit"),
|
||||||
|
Anonymous: c.GlobalBool("anonymous"),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
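Review bot: The added `Anonymous: c.GlobalBool("anonymous")` field at the end of the config literal has no comment saying what it permits. The name suggests the controller accepts unauthenticated RPC when the flag is set (inferred; the code that reads the field is outside this hunk). If so, say it next to the field, e.g. `// Anonymous: skip RPC signature verification; off unless --anonymous is given`, and log a line at startup whenever it is enabled so the weaker mode is visible to operators. getControllerConfig starts outside the hunk.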
@ -20,6 +20,7 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"io"
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
@ -35,7 +36,7 @@ type rpcSignatureHandler struct {
|
|||||||
|
|
||||||
// RPCSignatureHandler to validate authorization header for the incoming request.
|
// RPCSignatureHandler to validate authorization header for the incoming request.
|
||||||
func RPCSignatureHandler(h http.Handler) http.Handler {
|
func RPCSignatureHandler(h http.Handler) http.Handler {
|
||||||
return signatureHandler{h}
|
return rpcSignatureHandler{h}
|
||||||
}
|
}
|
||||||
|
|
||||||
type rpcSignature struct {
|
type rpcSignature struct {
|
||||||
@ -114,7 +115,7 @@ func (r rpcSignature) extractSignedHeaders() map[string][]string {
|
|||||||
// <HashedPayload>
|
// <HashedPayload>
|
||||||
//
|
//
|
||||||
func (r *rpcSignature) getCanonicalRequest() string {
|
func (r *rpcSignature) getCanonicalRequest() string {
|
||||||
payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-content-sha256"))
|
payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-minio-content-sha256"))
|
||||||
r.Request.URL.RawQuery = strings.Replace(r.Request.URL.Query().Encode(), "+", "%20", -1)
|
r.Request.URL.RawQuery = strings.Replace(r.Request.URL.Query().Encode(), "+", "%20", -1)
|
||||||
encodedPath := getURLEncodedName(r.Request.URL.Path)
|
encodedPath := getURLEncodedName(r.Request.URL.Path)
|
||||||
// convert any space strings back to "+"
|
// convert any space strings back to "+"
|
||||||
@ -143,7 +144,7 @@ func (r rpcSignature) getScope(t time.Time) string {
|
|||||||
|
|
||||||
// getStringToSign a string based on selected query values
|
// getStringToSign a string based on selected query values
|
||||||
func (r rpcSignature) getStringToSign(canonicalRequest string, t time.Time) string {
|
func (r rpcSignature) getStringToSign(canonicalRequest string, t time.Time) string {
|
||||||
stringToSign := authHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n"
|
stringToSign := rpcAuthHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n"
|
||||||
stringToSign = stringToSign + r.getScope(t) + "\n"
|
stringToSign = stringToSign + r.getScope(t) + "\n"
|
||||||
stringToSign = stringToSign + hex.EncodeToString(sha256.Sum256([]byte(canonicalRequest)))
|
stringToSign = stringToSign + hex.EncodeToString(sha256.Sum256([]byte(canonicalRequest)))
|
||||||
return stringToSign
|
return stringToSign
|
||||||
@ -236,8 +237,10 @@ func (s rpcSignatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
// Copy the buffer back into request body to be read by the RPC service callers
|
||||||
|
r.Body = ioutil.NopCloser(buffer)
|
||||||
s.handler.ServeHTTP(w, r)
|
s.handler.ServeHTTP(w, r)
|
||||||
return
|
} else {
|
||||||
|
writeErrorResponse(w, r, AccessDenied, r.URL.Path)
|
||||||
}
|
}
|
||||||
writeErrorResponse(w, r, AccessDenied, r.URL.Path)
|
|
||||||
}
|
}
|
||||||
|
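Review bot: The body restored with `r.Body = ioutil.NopCloser(buffer)` in ServeHTTP is what the RPC handler will parse, so it must be exactly the bytes whose SHA-256 was compared with the `x-minio-content-sha256` header that `getCanonicalRequest` signs. That comparison is not visible in this hunk and should be confirmed, because the header value is client-supplied. The read that fills `buffer` is also above the hunk; if it is unbounded it runs before authentication and should be capped, for example with `http.MaxBytesReader(w, r.Body, maxRPCBodySize)` (constant name is a placeholder). A comment on the restored line stating that `buffer` holds the verified payload would make the invariant explicit. ServeHTTP starts outside the hunk.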
@ -78,25 +78,24 @@ func isValidRPCRegion(authHeaderValue string) *probe.Error {
|
|||||||
|
|
||||||
// stripRPCAccessKeyID - strip only access key id from auth header
|
// stripRPCAccessKeyID - strip only access key id from auth header
|
||||||
func stripRPCAccessKeyID(authHeaderValue string) (string, *probe.Error) {
|
func stripRPCAccessKeyID(authHeaderValue string) (string, *probe.Error) {
|
||||||
if err := isValidRegion(authHeaderValue); err != nil {
|
if err := isValidRPCRegion(authHeaderValue); err != nil {
|
||||||
return "", err.Trace()
|
return "", err.Trace()
|
||||||
}
|
}
|
||||||
credentialElements, err := getRPCCredentialsFromAuth(authHeaderValue)
|
credentialElements, err := getRPCCredentialsFromAuth(authHeaderValue)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err.Trace()
|
return "", err.Trace()
|
||||||
}
|
}
|
||||||
accessKeyID := credentialElements[0]
|
if credentialElements[0] != "admin" {
|
||||||
if !IsValidAccessKey(accessKeyID) {
|
|
||||||
return "", probe.NewError(errAccessKeyIDInvalid)
|
return "", probe.NewError(errAccessKeyIDInvalid)
|
||||||
}
|
}
|
||||||
return accessKeyID, nil
|
return credentialElements[0], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// initSignatureRPC initializing rpc signature verification
|
// initSignatureRPC initializing rpc signature verification
|
||||||
func initSignatureRPC(req *http.Request) (*rpcSignature, *probe.Error) {
|
func initSignatureRPC(req *http.Request) (*rpcSignature, *probe.Error) {
|
||||||
// strip auth from authorization header
|
// strip auth from authorization header
|
||||||
authHeaderValue := req.Header.Get("Authorization")
|
authHeaderValue := req.Header.Get("Authorization")
|
||||||
accessKeyID, err := stripAccessKeyID(authHeaderValue)
|
accessKeyID, err := stripRPCAccessKeyID(authHeaderValue)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err.Trace()
|
return nil, err.Trace()
|
||||||
}
|
}
|
||||||
|
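Review bot: `credentialElements[0]` in `stripRPCAccessKeyID` is indexed without a length check, so the function relies on `getRPCCredentialsFromAuth` never returning an empty slice together with a nil error. That helper is outside this hunk; a guard such as `if len(credentialElements) == 0 || credentialElements[0] != "admin" {` would keep a malformed Authorization header from panicking the handler. The literal `"admin"` now appears here and again on the client side (`Credential=admin/` and `config.Users["admin"]`), so one package-level constant would keep verifier and signer in step. The doc comment could also state that only the fixed admin identity is accepted.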
@ -19,7 +19,6 @@ package main
|
|||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"fmt"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
@ -64,7 +63,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
|||||||
|
|
||||||
hashedPayload := hash()
|
hashedPayload := hash()
|
||||||
req.Header.Set("Content-Type", "application/json")
|
req.Header.Set("Content-Type", "application/json")
|
||||||
req.Header.Set("x-amz-content-sha256", hashedPayload)
|
req.Header.Set("x-minio-content-sha256", hashedPayload)
|
||||||
|
|
||||||
var headers []string
|
var headers []string
|
||||||
vals := make(map[string][]string)
|
vals := make(map[string][]string)
|
||||||
@ -133,7 +132,6 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
|||||||
stringToSign = stringToSign + scope + "\n"
|
stringToSign = stringToSign + scope + "\n"
|
||||||
stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest)))
|
stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest)))
|
||||||
|
|
||||||
fmt.Println(config)
|
|
||||||
date := sumHMAC([]byte("MINIO"+config.Users["admin"].SecretAccessKey), []byte(t.Format(yyyymmdd)))
|
date := sumHMAC([]byte("MINIO"+config.Users["admin"].SecretAccessKey), []byte(t.Format(yyyymmdd)))
|
||||||
region := sumHMAC(date, []byte("milkyway"))
|
region := sumHMAC(date, []byte("milkyway"))
|
||||||
service := sumHMAC(region, []byte("rpc"))
|
service := sumHMAC(region, []byte("rpc"))
|
||||||
@ -143,7 +141,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
|||||||
|
|
||||||
// final Authorization header
|
// final Authorization header
|
||||||
parts := []string{
|
parts := []string{
|
||||||
rpcAuthHeaderPrefix + " Credential=" + config.Users["admin"].AccessKeyID + "/" + scope,
|
rpcAuthHeaderPrefix + " Credential=admin/" + scope,
|
||||||
"SignedHeaders=" + signedHeaders,
|
"SignedHeaders=" + signedHeaders,
|
||||||
"Signature=" + signature,
|
"Signature=" + signature,
|
||||||
}
|
}
|
||||||
|
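Review bot: `config.Users["admin"].SecretAccessKey` in `newRPCRequest` is read with no check that the "admin" entry exists. Depending on the map's value type (not visible here), a missing entry either panics or derives the signing key from `"MINIO"` plus an empty secret. Look the user up once with `admin, ok := config.Users["admin"]` and fail when `ok` is false or `admin.SecretAccessKey == ""`. How the failure is reported depends on the function's return types, which are cut off in the hunk header; newRPCRequest begins and ends outside these hunks.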