handlers: Avoid initializing a struct in each handler call (#11217)

This commit is contained in:
Anis Elleuch 2021-01-04 18:54:22 +01:00 committed by GitHub
parent a4383051d9
commit cb7fc99368
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 334 additions and 457 deletions

View File

@ -468,16 +468,6 @@ func isReqAuthenticated(ctx context.Context, r *http.Request, region string, sty
return ErrNone return ErrNone
} }
// authHandler - handles all the incoming authorization headers and validates them if possible.
type authHandler struct {
handler http.Handler
}
// setAuthHandler to validate authorization header for the incoming request.
func setAuthHandler(h http.Handler) http.Handler {
return authHandler{h}
}
// List of all support S3 auth types. // List of all support S3 auth types.
var supportedS3AuthTypes = map[authType]struct{}{ var supportedS3AuthTypes = map[authType]struct{}{
authTypeAnonymous: {}, authTypeAnonymous: {},
@ -495,26 +485,29 @@ func isSupportedS3AuthType(aType authType) bool {
return ok return ok
} }
// handler for validating incoming authorization headers. // setAuthHandler to validate authorization header for the incoming request.
func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func setAuthHandler(h http.Handler) http.Handler {
aType := getRequestAuthType(r) // handler for validating incoming authorization headers.
if isSupportedS3AuthType(aType) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Let top level caller validate for anonymous and known signed requests. aType := getRequestAuthType(r)
a.handler.ServeHTTP(w, r) if isSupportedS3AuthType(aType) {
return // Let top level caller validate for anonymous and known signed requests.
} else if aType == authTypeJWT { h.ServeHTTP(w, r)
// Validate Authorization header if its valid for JWT request. return
if _, _, authErr := webRequestAuthenticate(r); authErr != nil { } else if aType == authTypeJWT {
w.WriteHeader(http.StatusUnauthorized) // Validate Authorization header if its valid for JWT request.
if _, _, authErr := webRequestAuthenticate(r); authErr != nil {
w.WriteHeader(http.StatusUnauthorized)
return
}
h.ServeHTTP(w, r)
return
} else if aType == authTypeSTS {
h.ServeHTTP(w, r)
return return
} }
a.handler.ServeHTTP(w, r) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
return })
} else if aType == authTypeSTS {
a.handler.ServeHTTP(w, r)
return
}
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
} }
func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) { func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) {

View File

@ -271,7 +271,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
registerAPIRouter(router) registerAPIRouter(router)
// Use all the middlewares // Use all the middlewares
router.Use(registerMiddlewares) router.Use(globalHandlers...)
var getCert certs.GetCertificateFunc var getCert certs.GetCertificateFunc
if globalTLSCerts != nil { if globalTLSCerts != nil {

View File

@ -33,16 +33,6 @@ import (
"github.com/minio/minio/pkg/handlers" "github.com/minio/minio/pkg/handlers"
) )
// MiddlewareFunc - useful to chain different http.Handler middlewares
type MiddlewareFunc func(http.Handler) http.Handler
func registerMiddlewares(next http.Handler) http.Handler {
for _, handlerFn := range globalHandlers {
next = handlerFn(next)
}
return next
}
// Adds limiting body size middleware // Adds limiting body size middleware
// Maximum allowed form data field values. 64MiB is a guessed practical value // Maximum allowed form data field values. 64MiB is a guessed practical value
@ -53,19 +43,12 @@ const requestFormDataSize = 64 * humanize.MiByte
// where, 16GiB is the maximum allowed object size for object upload. // where, 16GiB is the maximum allowed object size for object upload.
const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize
type requestSizeLimitHandler struct {
handler http.Handler
maxBodySize int64
}
func setRequestSizeLimitHandler(h http.Handler) http.Handler { func setRequestSizeLimitHandler(h http.Handler) http.Handler {
return requestSizeLimitHandler{handler: h, maxBodySize: requestMaxBodySize} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} // Restricting read data to a given maximum length
r.Body = http.MaxBytesReader(w, r.Body, requestMaxBodySize)
func (h requestSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { h.ServeHTTP(w, r)
// Restricting read data to a given maximum length })
r.Body = http.MaxBytesReader(w, r.Body, h.maxBodySize)
h.handler.ServeHTTP(w, r)
} }
const ( const (
@ -75,22 +58,16 @@ const (
maxUserDataSize = 2 * 1024 maxUserDataSize = 2 * 1024
) )
type requestHeaderSizeLimitHandler struct {
http.Handler
}
func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
return requestHeaderSizeLimitHandler{h}
}
// ServeHTTP restricts the size of the http header to 8 KB and the size // ServeHTTP restricts the size of the http header to 8 KB and the size
// of the user-defined metadata to 2 KB. // of the user-defined metadata to 2 KB.
func (h requestHeaderSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
if isHTTPHeaderSizeTooLarge(r.Header) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r)) if isHTTPHeaderSizeTooLarge(r.Header) {
return writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r))
} return
h.Handler.ServeHTTP(w, r) }
h.ServeHTTP(w, r)
})
} }
// isHTTPHeaderSizeTooLarge returns true if the provided // isHTTPHeaderSizeTooLarge returns true if the provided
@ -121,22 +98,16 @@ const (
ReservedMetadataPrefixLower = "x-minio-internal-" ReservedMetadataPrefixLower = "x-minio-internal-"
) )
type reservedMetadataHandler struct {
http.Handler
}
func filterReservedMetadata(h http.Handler) http.Handler {
return reservedMetadataHandler{h}
}
// ServeHTTP fails if the request contains at least one reserved header which // ServeHTTP fails if the request contains at least one reserved header which
// would be treated as metadata. // would be treated as metadata.
func (h reservedMetadataHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func filterReservedMetadata(h http.Handler) http.Handler {
if containsReservedMetadata(r.Header) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r)) if containsReservedMetadata(r.Header) {
return writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r))
} return
h.Handler.ServeHTTP(w, r) }
h.ServeHTTP(w, r)
})
} }
// containsReservedMetadata returns true if the http.Header contains // containsReservedMetadata returns true if the http.Header contains
@ -158,24 +129,38 @@ const (
loginPathPrefix = SlashSeparator + "login" loginPathPrefix = SlashSeparator + "login"
) )
type redirectHandler struct {
handler http.Handler
}
func setRedirectHandler(h http.Handler) http.Handler { func setRedirectHandler(h http.Handler) http.Handler {
return redirectHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) {
// Adds redirect rules for incoming requests. h.ServeHTTP(w, r)
type browserRedirectHandler struct { return
handler http.Handler }
// if this server is still initializing, proxy the request
// to any other online servers to avoid 503 for any incoming
// API calls.
if idx := getOnlineProxyEndpointIdx(); idx >= 0 {
proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx])
return
}
h.ServeHTTP(w, r)
})
} }
func setBrowserRedirectHandler(h http.Handler) http.Handler { func setBrowserRedirectHandler(h http.Handler) http.Handler {
if !globalBrowserEnabled { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return h // Re-direction is handled specifically for browser requests.
} if globalBrowserEnabled && guessIsBrowserReq(r) {
return browserRedirectHandler{handler: h} // Fetch the redirect location if any.
redirectLocation := getRedirectLocation(r.URL.Path)
if redirectLocation != "" {
// Employ a temporary re-direct.
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
return
}
}
h.ServeHTTP(w, r)
})
} }
func shouldProxy() bool { func shouldProxy() bool {
@ -185,22 +170,6 @@ func shouldProxy() bool {
return !globalIAMSys.Initialized() return !globalIAMSys.Initialized()
} }
func (h redirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) {
h.handler.ServeHTTP(w, r)
return
}
// if this server is still initializing, proxy the request
// to any other online servers to avoid 503 for any incoming
// API calls.
if idx := getOnlineProxyEndpointIdx(); idx >= 0 {
proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx])
return
}
h.handler.ServeHTTP(w, r)
}
// Fetch redirect location if urlPath satisfies certain // Fetch redirect location if urlPath satisfies certain
// criteria. Some special names are considered to be // criteria. Some special names are considered to be
// redirectable, this is purely internal function and // redirectable, this is purely internal function and
@ -271,48 +240,25 @@ func guessIsRPCReq(req *http.Request) bool {
strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator) strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator)
} }
func (h browserRedirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Re-direction is handled specifically for browser requests.
if guessIsBrowserReq(r) {
// Fetch the redirect location if any.
redirectLocation := getRedirectLocation(r.URL.Path)
if redirectLocation != "" {
// Employ a temporary re-direct.
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
return
}
}
h.handler.ServeHTTP(w, r)
}
// Adds Cache-Control header // Adds Cache-Control header
type cacheControlHandler struct {
handler http.Handler
}
func setBrowserCacheControlHandler(h http.Handler) http.Handler { func setBrowserCacheControlHandler(h http.Handler) http.Handler {
if !globalBrowserEnabled { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return h if globalBrowserEnabled && r.Method == http.MethodGet && guessIsBrowserReq(r) {
} // For all browser requests set appropriate Cache-Control policies
return cacheControlHandler{h} if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) {
} if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" {
// For assets set cache expiry of one year. For each release, the name
func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // of the asset name will change and hence it can not be served from cache.
if r.Method == http.MethodGet && guessIsBrowserReq(r) { w.Header().Set(xhttp.CacheControl, "max-age=31536000")
// For all browser requests set appropriate Cache-Control policies } else {
if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) { // For non asset requests we serve index.html which will never be cached.
if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" { w.Header().Set(xhttp.CacheControl, "no-store")
// For assets set cache expiry of one year. For each release, the name }
// of the asset name will change and hence it can not be served from cache.
w.Header().Set(xhttp.CacheControl, "max-age=31536000")
} else {
// For non asset requests we serve index.html which will never be cached.
w.Header().Set(xhttp.CacheControl, "no-store")
} }
} }
}
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// Check to allow access to the reserved "bucket" `/minio` for Admin // Check to allow access to the reserved "bucket" `/minio` for Admin
@ -332,33 +278,18 @@ func guessIsLoginSTSReq(req *http.Request) bool {
} }
// Adds verification for incoming paths. // Adds verification for incoming paths.
type minioReservedBucketHandler struct {
handler http.Handler
}
func setReservedBucketHandler(h http.Handler) http.Handler { func setReservedBucketHandler(h http.Handler) http.Handler {
return minioReservedBucketHandler{h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} // For all other requests reject access to reserved buckets
bucketName, _ := request2BucketObjectName(r)
func (h minioReservedBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
// For all other requests reject access to reserved buckets if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) {
bucketName, _ := request2BucketObjectName(r) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL, guessIsBrowserReq(r))
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { return
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) { }
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL, guessIsBrowserReq(r))
return
} }
} h.ServeHTTP(w, r)
h.handler.ServeHTTP(w, r) })
}
type timeValidityHandler struct {
handler http.Handler
}
// setTimeValidityHandler to validate parsable time over http header
func setTimeValidityHandler(h http.Handler) http.Handler {
return timeValidityHandler{h}
} }
// Supported Amz date formats. // Supported Amz date formats.
@ -399,39 +330,30 @@ func parseAmzDateHeader(req *http.Request) (time.Time, APIErrorCode) {
return time.Time{}, ErrMissingDateHeader return time.Time{}, ErrMissingDateHeader
} }
func (h timeValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // setTimeValidityHandler to validate parsable time over http header
aType := getRequestAuthType(r) func setTimeValidityHandler(h http.Handler) http.Handler {
if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Verify if date headers are set, if not reject the request aType := getRequestAuthType(r)
amzDate, errCode := parseAmzDateHeader(r) if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned {
if errCode != ErrNone { // Verify if date headers are set, if not reject the request
// All our internal APIs are sensitive towards Date amzDate, errCode := parseAmzDateHeader(r)
// header, for all requests where Date header is not if errCode != ErrNone {
// present we will reject such clients. // All our internal APIs are sensitive towards Date
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(errCode), r.URL, guessIsBrowserReq(r)) // header, for all requests where Date header is not
return // present we will reject such clients.
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(errCode), r.URL, guessIsBrowserReq(r))
return
}
// Verify if the request date header is shifted by less than globalMaxSkewTime parameter in the past
// or in the future, reject request otherwise.
curTime := UTCNow()
if curTime.Sub(amzDate) > globalMaxSkewTime || amzDate.Sub(curTime) > globalMaxSkewTime {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrRequestTimeTooSkewed), r.URL, guessIsBrowserReq(r))
return
}
} }
// Verify if the request date header is shifted by less than globalMaxSkewTime parameter in the past h.ServeHTTP(w, r)
// or in the future, reject request otherwise. })
curTime := UTCNow()
if curTime.Sub(amzDate) > globalMaxSkewTime || amzDate.Sub(curTime) > globalMaxSkewTime {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrRequestTimeTooSkewed), r.URL, guessIsBrowserReq(r))
return
}
}
h.handler.ServeHTTP(w, r)
}
type resourceHandler struct {
handler http.Handler
}
// setIgnoreResourcesHandler -
// Ignore resources handler is wrapper handler used for API request resource validation
// Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating that requested feature is not implemented.
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
return resourceHandler{h}
} }
var supportedDummyBucketAPIs = map[string][]string{ var supportedDummyBucketAPIs = map[string][]string{
@ -500,65 +422,54 @@ func ignoreNotImplementedObjectResources(req *http.Request) bool {
return false return false
} }
// Resource handler ServeHTTP() wrapper // setIgnoreResourcesHandler -
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Ignore resources handler is wrapper handler used for API request resource validation
bucketName, objectName := request2BucketObjectName(r) // Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating that requested feature is not implemented.
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
// Resource handler ServeHTTP() wrapper
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
bucketName, objectName := request2BucketObjectName(r)
// If bucketName is present and not objectName check for bucket level resource queries. // If bucketName is present and not objectName check for bucket level resource queries.
if bucketName != "" && objectName == "" { if bucketName != "" && objectName == "" {
if ignoreNotImplementedBucketResources(r) { if ignoreNotImplementedBucketResources(r) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
return return
}
} }
} // If bucketName and objectName are present check for its resource queries.
// If bucketName and objectName are present check for its resource queries. if bucketName != "" && objectName != "" {
if bucketName != "" && objectName != "" { if ignoreNotImplementedObjectResources(r) {
if ignoreNotImplementedObjectResources(r) { writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) return
return }
} }
}
// Serve HTTP. // Serve HTTP.
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// httpStatsHandler definition: gather HTTP statistics // setHttpStatsHandler sets a http Stats handler to gather HTTP statistics
type httpStatsHandler struct {
handler http.Handler
}
// setHttpStatsHandler sets a http Stats Handler
func setHTTPStatsHandler(h http.Handler) http.Handler { func setHTTPStatsHandler(h http.Handler) http.Handler {
return httpStatsHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} // Meters s3 connection stats.
meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body}
meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w}
func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Execute the request
// Meters s3 connection stats. r.Body = meteredRequest
meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body} h.ServeHTTP(meteredResponse, r)
meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w}
// Execute the request if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
r.Body = meteredRequest globalConnStats.incInputBytes(meteredRequest.BytesCount())
h.handler.ServeHTTP(meteredResponse, r) globalConnStats.incOutputBytes(meteredResponse.BytesCount())
} else {
if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) { globalConnStats.incS3InputBytes(meteredRequest.BytesCount())
globalConnStats.incInputBytes(meteredRequest.BytesCount()) globalConnStats.incS3OutputBytes(meteredResponse.BytesCount())
globalConnStats.incOutputBytes(meteredResponse.BytesCount()) }
} else { })
globalConnStats.incS3InputBytes(meteredRequest.BytesCount())
globalConnStats.incS3OutputBytes(meteredResponse.BytesCount())
}
}
// requestValidityHandler validates all the incoming paths for
// any malicious requests.
type requestValidityHandler struct {
handler http.Handler
}
func setRequestValidityHandler(h http.Handler) http.Handler {
return requestValidityHandler{handler: h}
} }
// Bad path components to be rejected by the path validity handler. // Bad path components to be rejected by the path validity handler.
@ -593,71 +504,130 @@ func hasMultipleAuth(r *http.Request) bool {
return authTypeCount > 1 return authTypeCount > 1
} }
func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // requestValidityHandler validates all the incoming paths for
// Check for bad components in URL path. // any malicious requests.
if hasBadPathComponent(r.URL.Path) { func setRequestValidityHandler(h http.Handler) http.Handler {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r)) return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return // Check for bad components in URL path.
} if hasBadPathComponent(r.URL.Path) {
// Check for bad components in URL query values. writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
for _, vv := range r.URL.Query() { return
for _, v := range vv { }
if hasBadPathComponent(v) { // Check for bad components in URL query values.
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r)) for _, vv := range r.URL.Query() {
for _, v := range vv {
if hasBadPathComponent(v) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
return
}
}
}
if hasMultipleAuth(r) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
return
}
h.ServeHTTP(w, r)
})
}
var fwd = handlers.NewForwarder(&handlers.Forwarder{
PassHost: true,
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
Logger: func(err error) {
logger.LogIf(GlobalContext, err)
},
})
// setBucketForwardingHandler middleware forwards the path style requests
// on a bucket to the right bucket location, bucket to IP configuration
// is obtained from centralized etcd configuration service.
func setBucketForwardingHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
h.ServeHTTP(w, r)
return
}
// For browser requests, when federation is setup we need to
// specifically handle download and upload for browser requests.
if guessIsBrowserReq(r) {
var bucket, _ string
switch r.Method {
case http.MethodPut:
if getRequestAuthType(r) == authTypeJWT {
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/upload", r.URL.Path)
}
case http.MethodGet:
if t := r.URL.Query().Get("token"); t != "" {
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/download", r.URL.Path)
} else if getRequestAuthType(r) != authTypeJWT && !strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
bucket, _ = request2BucketObjectName(r)
}
}
if bucket == "" {
h.ServeHTTP(w, r)
return return
} }
} sr, err := globalDNSConfig.Get(bucket)
} if err != nil {
if hasMultipleAuth(r) { if err == dns.ErrNoEntriesFound {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket),
return r.URL, guessIsBrowserReq(r))
} } else {
h.handler.ServeHTTP(w, r) writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err),
} r.URL, guessIsBrowserReq(r))
}
// To forward the path style requests on a bucket to the right return
// configured server, bucket to IP configuration is obtained
// from centralized etcd configuration service.
type bucketForwardingHandler struct {
fwd *handlers.Forwarder
handler http.Handler
}
func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
f.handler.ServeHTTP(w, r)
return
}
// For browser requests, when federation is setup we need to
// specifically handle download and upload for browser requests.
if guessIsBrowserReq(r) {
var bucket, _ string
switch r.Method {
case http.MethodPut:
if getRequestAuthType(r) == authTypeJWT {
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/upload", r.URL.Path)
} }
case http.MethodGet: if globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
if t := r.URL.Query().Get("token"); t != "" { r.URL.Scheme = "http"
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/download", r.URL.Path) if globalIsTLS {
} else if getRequestAuthType(r) != authTypeJWT && !strings.HasPrefix(r.URL.Path, minioReservedBucketPath) { r.URL.Scheme = "https"
bucket, _ = request2BucketObjectName(r) }
r.URL.Host = getHostFromSrv(sr)
fwd.ServeHTTP(w, r)
return
} }
} h.ServeHTTP(w, r)
if bucket == "" {
f.handler.ServeHTTP(w, r)
return return
} }
bucket, object := request2BucketObjectName(r)
// Requests in federated setups for STS type calls which are
// performed at '/' resource should be routed by the muxer,
// the assumption is simply such that requests without a bucket
// in a federated setup cannot be proxied, so serve them at
// current server.
if bucket == "" {
h.ServeHTTP(w, r)
return
}
// MakeBucket requests should be handled at current endpoint
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
h.ServeHTTP(w, r)
return
}
// CopyObject requests should be handled at current endpoint as path style
// requests have target bucket and object in URI and source details are in
// header fields
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
if bucket == "" || object == "" {
h.ServeHTTP(w, r)
return
}
}
sr, err := globalDNSConfig.Get(bucket) sr, err := globalDNSConfig.Get(bucket)
if err != nil { if err != nil {
if err == dns.ErrNoEntriesFound { if err == dns.ErrNoEntriesFound {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), r.URL, guessIsBrowserReq(r))
r.URL, guessIsBrowserReq(r))
} else { } else {
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL, guessIsBrowserReq(r))
r.URL, guessIsBrowserReq(r))
} }
return return
} }
@ -667,78 +637,11 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
r.URL.Scheme = "https" r.URL.Scheme = "https"
} }
r.URL.Host = getHostFromSrv(sr) r.URL.Host = getHostFromSrv(sr)
f.fwd.ServeHTTP(w, r) fwd.ServeHTTP(w, r)
return return
} }
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return
}
bucket, object := request2BucketObjectName(r)
// Requests in federated setups for STS type calls which are
// performed at '/' resource should be routed by the muxer,
// the assumption is simply such that requests without a bucket
// in a federated setup cannot be proxied, so serve them at
// current server.
if bucket == "" {
f.handler.ServeHTTP(w, r)
return
}
// MakeBucket requests should be handled at current endpoint
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
f.handler.ServeHTTP(w, r)
return
}
// CopyObject requests should be handled at current endpoint as path style
// requests have target bucket and object in URI and source details are in
// header fields
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
if bucket == "" || object == "" {
f.handler.ServeHTTP(w, r)
return
}
}
sr, err := globalDNSConfig.Get(bucket)
if err != nil {
if err == dns.ErrNoEntriesFound {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), r.URL, guessIsBrowserReq(r))
} else {
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL, guessIsBrowserReq(r))
}
return
}
if globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
r.URL.Scheme = "http"
if globalIsTLS {
r.URL.Scheme = "https"
}
r.URL.Host = getHostFromSrv(sr)
f.fwd.ServeHTTP(w, r)
return
}
f.handler.ServeHTTP(w, r)
}
// setBucketForwardingHandler middleware forwards the path style requests
// on a bucket to the right bucket location, bucket to IP configuration
// is obtained from centralized etcd configuration service.
func setBucketForwardingHandler(h http.Handler) http.Handler {
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation {
return h
}
fwd := handlers.NewForwarder(&handlers.Forwarder{
PassHost: true,
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
Logger: func(err error) {
logger.LogIf(GlobalContext, err)
},
}) })
return bucketForwardingHandler{fwd, h}
} }
// customHeaderHandler sets x-amz-request-id header. // customHeaderHandler sets x-amz-request-id header.
@ -746,33 +649,21 @@ func setBucketForwardingHandler(h http.Handler) http.Handler {
// the client. So, logger and Error response XML were not using this // the client. So, logger and Error response XML were not using this
// value. This is set here so that this header can be logged as // value. This is set here so that this header can be logged as
// part of the log entry, Error response XML and auditing. // part of the log entry, Error response XML and auditing.
type customHeaderHandler struct {
handler http.Handler
}
func addCustomHeaders(h http.Handler) http.Handler { func addCustomHeaders(h http.Handler) http.Handler {
return customHeaderHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} // Set custom headers such as x-amz-request-id for each request.
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
func (s customHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { h.ServeHTTP(logger.NewResponseWriter(w), r)
// Set custom headers such as x-amz-request-id for each request. })
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
s.handler.ServeHTTP(logger.NewResponseWriter(w), r)
}
type securityHeaderHandler struct {
handler http.Handler
} }
func addSecurityHeaders(h http.Handler) http.Handler { func addSecurityHeaders(h http.Handler) http.Handler {
return securityHeaderHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
} header := w.Header()
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
header := w.Header() h.ServeHTTP(w, r)
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks })
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
s.handler.ServeHTTP(w, r)
} }
// criticalErrorHandler handles critical server failures caused by // criticalErrorHandler handles critical server failures caused by
@ -793,25 +684,18 @@ func (h criticalErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
h.handler.ServeHTTP(w, r) h.handler.ServeHTTP(w, r)
} }
func setSSETLSHandler(h http.Handler) http.Handler {
if globalIsTLS {
return h
}
return sseTLSHandler{h}
}
// sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS. // sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS.
type sseTLSHandler struct{ handler http.Handler } func setSSETLSHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
func (h sseTLSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Deny SSE-C requests if not made over TLS
// Deny SSE-C requests if not made over TLS if !globalIsTLS && (crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header)) {
if crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header) { if r.Method == http.MethodHead {
if r.Method == http.MethodHead { writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest))
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest)) } else {
} else { writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest), r.URL, guessIsBrowserReq(r))
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest), r.URL, guessIsBrowserReq(r)) }
return
} }
return h.ServeHTTP(w, r)
} })
h.handler.ServeHTTP(w, r)
} }

View File

@ -38,47 +38,47 @@ func registerDistErasureRouters(router *mux.Router, endpointServerPools Endpoint
} }
// List of some generic handlers which are applied for all incoming requests. // List of some generic handlers which are applied for all incoming requests.
var globalHandlers = []MiddlewareFunc{ var globalHandlers = []mux.MiddlewareFunc{
// add redirect handler to redirect // filters HTTP headers which are treated as metadata and are reserved
// requests when object layer is not // for internal use only.
// initialized. filterReservedMetadata,
setRedirectHandler, // Enforce rules specific for TLS requests
// set x-amz-request-id header. setSSETLSHandler,
addCustomHeaders,
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// Forward path style requests to actual host in a bucket federated setup.
setBucketForwardingHandler,
// Validate all the incoming requests.
setRequestValidityHandler,
// Network statistics
setHTTPStatsHandler,
// Limits all requests size to a maximum fixed limit
setRequestSizeLimitHandler,
// Limits all header sizes to a maximum fixed limit
setRequestHeaderSizeLimitHandler,
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
setCrossDomainPolicy,
// Redirect some pre-defined browser request paths to a static location prefix.
setBrowserRedirectHandler,
// Validates if incoming request is for restricted buckets.
setReservedBucketHandler,
// Adds cache control for all browser requests.
setBrowserCacheControlHandler,
// Validates all incoming requests to have a valid date header.
setTimeValidityHandler,
// Validates all incoming URL resources, for invalid/unsupported
// resources client receives a HTTP error.
setIgnoreResourcesHandler,
// Auth handler verifies incoming authorization headers and // Auth handler verifies incoming authorization headers and
// routes them accordingly. Client receives a HTTP error for // routes them accordingly. Client receives a HTTP error for
// invalid/unsupported signatures. // invalid/unsupported signatures.
setAuthHandler, setAuthHandler,
// Enforce rules specific for TLS requests // Validates all incoming URL resources, for invalid/unsupported
setSSETLSHandler, // resources client receives a HTTP error.
// filters HTTP headers which are treated as metadata and are reserved setIgnoreResourcesHandler,
// for internal use only. // Validates all incoming requests to have a valid date header.
filterReservedMetadata, setTimeValidityHandler,
// Adds cache control for all browser requests.
setBrowserCacheControlHandler,
// Validates if incoming request is for restricted buckets.
setReservedBucketHandler,
// Redirect some pre-defined browser request paths to a static location prefix.
setBrowserRedirectHandler,
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
setCrossDomainPolicy,
// Limits all header sizes to a maximum fixed limit
setRequestHeaderSizeLimitHandler,
// Limits all requests size to a maximum fixed limit
setRequestSizeLimitHandler,
// Network statistics
setHTTPStatsHandler,
// Validate all the incoming requests.
setRequestValidityHandler,
// Forward path style requests to actual host in a bucket federated setup.
setBucketForwardingHandler,
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// set x-amz-request-id header.
addCustomHeaders,
// add redirect handler to redirect
// requests when object layer is not
// initialized.
setRedirectHandler,
// Add new handlers here. // Add new handlers here.
} }
@ -115,7 +115,7 @@ func configureServerHandler(endpointServerPools EndpointServerPools) (http.Handl
// Add API router // Add API router
registerAPIRouter(router) registerAPIRouter(router)
router.Use(registerMiddlewares) router.Use(globalHandlers...)
return router, nil return router, nil
} }