mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
handlers: Avoid initializing a struct in each handler call (#11217)
This commit is contained in:
parent
a4383051d9
commit
cb7fc99368
@ -468,16 +468,6 @@ func isReqAuthenticated(ctx context.Context, r *http.Request, region string, sty
|
|||||||
return ErrNone
|
return ErrNone
|
||||||
}
|
}
|
||||||
|
|
||||||
// authHandler - handles all the incoming authorization headers and validates them if possible.
|
|
||||||
type authHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
// setAuthHandler to validate authorization header for the incoming request.
|
|
||||||
func setAuthHandler(h http.Handler) http.Handler {
|
|
||||||
return authHandler{h}
|
|
||||||
}
|
|
||||||
|
|
||||||
// List of all support S3 auth types.
|
// List of all support S3 auth types.
|
||||||
var supportedS3AuthTypes = map[authType]struct{}{
|
var supportedS3AuthTypes = map[authType]struct{}{
|
||||||
authTypeAnonymous: {},
|
authTypeAnonymous: {},
|
||||||
@ -495,26 +485,29 @@ func isSupportedS3AuthType(aType authType) bool {
|
|||||||
return ok
|
return ok
|
||||||
}
|
}
|
||||||
|
|
||||||
// handler for validating incoming authorization headers.
|
// setAuthHandler to validate authorization header for the incoming request.
|
||||||
func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func setAuthHandler(h http.Handler) http.Handler {
|
||||||
aType := getRequestAuthType(r)
|
// handler for validating incoming authorization headers.
|
||||||
if isSupportedS3AuthType(aType) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
// Let top level caller validate for anonymous and known signed requests.
|
aType := getRequestAuthType(r)
|
||||||
a.handler.ServeHTTP(w, r)
|
if isSupportedS3AuthType(aType) {
|
||||||
return
|
// Let top level caller validate for anonymous and known signed requests.
|
||||||
} else if aType == authTypeJWT {
|
h.ServeHTTP(w, r)
|
||||||
// Validate Authorization header if its valid for JWT request.
|
return
|
||||||
if _, _, authErr := webRequestAuthenticate(r); authErr != nil {
|
} else if aType == authTypeJWT {
|
||||||
w.WriteHeader(http.StatusUnauthorized)
|
// Validate Authorization header if its valid for JWT request.
|
||||||
|
if _, _, authErr := webRequestAuthenticate(r); authErr != nil {
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
} else if aType == authTypeSTS {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
a.handler.ServeHTTP(w, r)
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
|
||||||
return
|
})
|
||||||
} else if aType == authTypeSTS {
|
|
||||||
a.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) {
|
func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) {
|
||||||
|
@ -271,7 +271,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
registerAPIRouter(router)
|
registerAPIRouter(router)
|
||||||
|
|
||||||
// Use all the middlewares
|
// Use all the middlewares
|
||||||
router.Use(registerMiddlewares)
|
router.Use(globalHandlers...)
|
||||||
|
|
||||||
var getCert certs.GetCertificateFunc
|
var getCert certs.GetCertificateFunc
|
||||||
if globalTLSCerts != nil {
|
if globalTLSCerts != nil {
|
||||||
|
@ -33,16 +33,6 @@ import (
|
|||||||
"github.com/minio/minio/pkg/handlers"
|
"github.com/minio/minio/pkg/handlers"
|
||||||
)
|
)
|
||||||
|
|
||||||
// MiddlewareFunc - useful to chain different http.Handler middlewares
|
|
||||||
type MiddlewareFunc func(http.Handler) http.Handler
|
|
||||||
|
|
||||||
func registerMiddlewares(next http.Handler) http.Handler {
|
|
||||||
for _, handlerFn := range globalHandlers {
|
|
||||||
next = handlerFn(next)
|
|
||||||
}
|
|
||||||
return next
|
|
||||||
}
|
|
||||||
|
|
||||||
// Adds limiting body size middleware
|
// Adds limiting body size middleware
|
||||||
|
|
||||||
// Maximum allowed form data field values. 64MiB is a guessed practical value
|
// Maximum allowed form data field values. 64MiB is a guessed practical value
|
||||||
@ -53,19 +43,12 @@ const requestFormDataSize = 64 * humanize.MiByte
|
|||||||
// where, 16GiB is the maximum allowed object size for object upload.
|
// where, 16GiB is the maximum allowed object size for object upload.
|
||||||
const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize
|
const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize
|
||||||
|
|
||||||
type requestSizeLimitHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
maxBodySize int64
|
|
||||||
}
|
|
||||||
|
|
||||||
func setRequestSizeLimitHandler(h http.Handler) http.Handler {
|
func setRequestSizeLimitHandler(h http.Handler) http.Handler {
|
||||||
return requestSizeLimitHandler{handler: h, maxBodySize: requestMaxBodySize}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
// Restricting read data to a given maximum length
|
||||||
|
r.Body = http.MaxBytesReader(w, r.Body, requestMaxBodySize)
|
||||||
func (h requestSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
h.ServeHTTP(w, r)
|
||||||
// Restricting read data to a given maximum length
|
})
|
||||||
r.Body = http.MaxBytesReader(w, r.Body, h.maxBodySize)
|
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -75,22 +58,16 @@ const (
|
|||||||
maxUserDataSize = 2 * 1024
|
maxUserDataSize = 2 * 1024
|
||||||
)
|
)
|
||||||
|
|
||||||
type requestHeaderSizeLimitHandler struct {
|
|
||||||
http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
|
|
||||||
return requestHeaderSizeLimitHandler{h}
|
|
||||||
}
|
|
||||||
|
|
||||||
// ServeHTTP restricts the size of the http header to 8 KB and the size
|
// ServeHTTP restricts the size of the http header to 8 KB and the size
|
||||||
// of the user-defined metadata to 2 KB.
|
// of the user-defined metadata to 2 KB.
|
||||||
func (h requestHeaderSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
|
||||||
if isHTTPHeaderSizeTooLarge(r.Header) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r))
|
if isHTTPHeaderSizeTooLarge(r.Header) {
|
||||||
return
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r))
|
||||||
}
|
return
|
||||||
h.Handler.ServeHTTP(w, r)
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// isHTTPHeaderSizeTooLarge returns true if the provided
|
// isHTTPHeaderSizeTooLarge returns true if the provided
|
||||||
@ -121,22 +98,16 @@ const (
|
|||||||
ReservedMetadataPrefixLower = "x-minio-internal-"
|
ReservedMetadataPrefixLower = "x-minio-internal-"
|
||||||
)
|
)
|
||||||
|
|
||||||
type reservedMetadataHandler struct {
|
|
||||||
http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func filterReservedMetadata(h http.Handler) http.Handler {
|
|
||||||
return reservedMetadataHandler{h}
|
|
||||||
}
|
|
||||||
|
|
||||||
// ServeHTTP fails if the request contains at least one reserved header which
|
// ServeHTTP fails if the request contains at least one reserved header which
|
||||||
// would be treated as metadata.
|
// would be treated as metadata.
|
||||||
func (h reservedMetadataHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func filterReservedMetadata(h http.Handler) http.Handler {
|
||||||
if containsReservedMetadata(r.Header) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r))
|
if containsReservedMetadata(r.Header) {
|
||||||
return
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r))
|
||||||
}
|
return
|
||||||
h.Handler.ServeHTTP(w, r)
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// containsReservedMetadata returns true if the http.Header contains
|
// containsReservedMetadata returns true if the http.Header contains
|
||||||
@ -158,24 +129,38 @@ const (
|
|||||||
loginPathPrefix = SlashSeparator + "login"
|
loginPathPrefix = SlashSeparator + "login"
|
||||||
)
|
)
|
||||||
|
|
||||||
type redirectHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func setRedirectHandler(h http.Handler) http.Handler {
|
func setRedirectHandler(h http.Handler) http.Handler {
|
||||||
return redirectHandler{handler: h}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) ||
|
||||||
|
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) {
|
||||||
// Adds redirect rules for incoming requests.
|
h.ServeHTTP(w, r)
|
||||||
type browserRedirectHandler struct {
|
return
|
||||||
handler http.Handler
|
}
|
||||||
|
// if this server is still initializing, proxy the request
|
||||||
|
// to any other online servers to avoid 503 for any incoming
|
||||||
|
// API calls.
|
||||||
|
if idx := getOnlineProxyEndpointIdx(); idx >= 0 {
|
||||||
|
proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func setBrowserRedirectHandler(h http.Handler) http.Handler {
|
func setBrowserRedirectHandler(h http.Handler) http.Handler {
|
||||||
if !globalBrowserEnabled {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
return h
|
// Re-direction is handled specifically for browser requests.
|
||||||
}
|
if globalBrowserEnabled && guessIsBrowserReq(r) {
|
||||||
return browserRedirectHandler{handler: h}
|
// Fetch the redirect location if any.
|
||||||
|
redirectLocation := getRedirectLocation(r.URL.Path)
|
||||||
|
if redirectLocation != "" {
|
||||||
|
// Employ a temporary re-direct.
|
||||||
|
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func shouldProxy() bool {
|
func shouldProxy() bool {
|
||||||
@ -185,22 +170,6 @@ func shouldProxy() bool {
|
|||||||
return !globalIAMSys.Initialized()
|
return !globalIAMSys.Initialized()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h redirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
||||||
if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) ||
|
|
||||||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) {
|
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
// if this server is still initializing, proxy the request
|
|
||||||
// to any other online servers to avoid 503 for any incoming
|
|
||||||
// API calls.
|
|
||||||
if idx := getOnlineProxyEndpointIdx(); idx >= 0 {
|
|
||||||
proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx])
|
|
||||||
return
|
|
||||||
}
|
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Fetch redirect location if urlPath satisfies certain
|
// Fetch redirect location if urlPath satisfies certain
|
||||||
// criteria. Some special names are considered to be
|
// criteria. Some special names are considered to be
|
||||||
// redirectable, this is purely internal function and
|
// redirectable, this is purely internal function and
|
||||||
@ -271,48 +240,25 @@ func guessIsRPCReq(req *http.Request) bool {
|
|||||||
strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator)
|
strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h browserRedirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
||||||
// Re-direction is handled specifically for browser requests.
|
|
||||||
if guessIsBrowserReq(r) {
|
|
||||||
// Fetch the redirect location if any.
|
|
||||||
redirectLocation := getRedirectLocation(r.URL.Path)
|
|
||||||
if redirectLocation != "" {
|
|
||||||
// Employ a temporary re-direct.
|
|
||||||
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Adds Cache-Control header
|
// Adds Cache-Control header
|
||||||
type cacheControlHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func setBrowserCacheControlHandler(h http.Handler) http.Handler {
|
func setBrowserCacheControlHandler(h http.Handler) http.Handler {
|
||||||
if !globalBrowserEnabled {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
return h
|
if globalBrowserEnabled && r.Method == http.MethodGet && guessIsBrowserReq(r) {
|
||||||
}
|
// For all browser requests set appropriate Cache-Control policies
|
||||||
return cacheControlHandler{h}
|
if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) {
|
||||||
}
|
if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" {
|
||||||
|
// For assets set cache expiry of one year. For each release, the name
|
||||||
func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// of the asset name will change and hence it can not be served from cache.
|
||||||
if r.Method == http.MethodGet && guessIsBrowserReq(r) {
|
w.Header().Set(xhttp.CacheControl, "max-age=31536000")
|
||||||
// For all browser requests set appropriate Cache-Control policies
|
} else {
|
||||||
if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) {
|
// For non asset requests we serve index.html which will never be cached.
|
||||||
if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" {
|
w.Header().Set(xhttp.CacheControl, "no-store")
|
||||||
// For assets set cache expiry of one year. For each release, the name
|
}
|
||||||
// of the asset name will change and hence it can not be served from cache.
|
|
||||||
w.Header().Set(xhttp.CacheControl, "max-age=31536000")
|
|
||||||
} else {
|
|
||||||
// For non asset requests we serve index.html which will never be cached.
|
|
||||||
w.Header().Set(xhttp.CacheControl, "no-store")
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
h.handler.ServeHTTP(w, r)
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check to allow access to the reserved "bucket" `/minio` for Admin
|
// Check to allow access to the reserved "bucket" `/minio` for Admin
|
||||||
@ -332,33 +278,18 @@ func guessIsLoginSTSReq(req *http.Request) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Adds verification for incoming paths.
|
// Adds verification for incoming paths.
|
||||||
type minioReservedBucketHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func setReservedBucketHandler(h http.Handler) http.Handler {
|
func setReservedBucketHandler(h http.Handler) http.Handler {
|
||||||
return minioReservedBucketHandler{h}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
// For all other requests reject access to reserved buckets
|
||||||
|
bucketName, _ := request2BucketObjectName(r)
|
||||||
func (h minioReservedBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
|
||||||
// For all other requests reject access to reserved buckets
|
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) {
|
||||||
bucketName, _ := request2BucketObjectName(r)
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL, guessIsBrowserReq(r))
|
||||||
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
|
return
|
||||||
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) {
|
}
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL, guessIsBrowserReq(r))
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
}
|
h.ServeHTTP(w, r)
|
||||||
h.handler.ServeHTTP(w, r)
|
})
|
||||||
}
|
|
||||||
|
|
||||||
type timeValidityHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
// setTimeValidityHandler to validate parsable time over http header
|
|
||||||
func setTimeValidityHandler(h http.Handler) http.Handler {
|
|
||||||
return timeValidityHandler{h}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Supported Amz date formats.
|
// Supported Amz date formats.
|
||||||
@ -399,39 +330,30 @@ func parseAmzDateHeader(req *http.Request) (time.Time, APIErrorCode) {
|
|||||||
return time.Time{}, ErrMissingDateHeader
|
return time.Time{}, ErrMissingDateHeader
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h timeValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// setTimeValidityHandler to validate parsable time over http header
|
||||||
aType := getRequestAuthType(r)
|
func setTimeValidityHandler(h http.Handler) http.Handler {
|
||||||
if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
// Verify if date headers are set, if not reject the request
|
aType := getRequestAuthType(r)
|
||||||
amzDate, errCode := parseAmzDateHeader(r)
|
if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned {
|
||||||
if errCode != ErrNone {
|
// Verify if date headers are set, if not reject the request
|
||||||
// All our internal APIs are sensitive towards Date
|
amzDate, errCode := parseAmzDateHeader(r)
|
||||||
// header, for all requests where Date header is not
|
if errCode != ErrNone {
|
||||||
// present we will reject such clients.
|
// All our internal APIs are sensitive towards Date
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(errCode), r.URL, guessIsBrowserReq(r))
|
// header, for all requests where Date header is not
|
||||||
return
|
// present we will reject such clients.
|
||||||
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(errCode), r.URL, guessIsBrowserReq(r))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Verify if the request date header is shifted by less than globalMaxSkewTime parameter in the past
|
||||||
|
// or in the future, reject request otherwise.
|
||||||
|
curTime := UTCNow()
|
||||||
|
if curTime.Sub(amzDate) > globalMaxSkewTime || amzDate.Sub(curTime) > globalMaxSkewTime {
|
||||||
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrRequestTimeTooSkewed), r.URL, guessIsBrowserReq(r))
|
||||||
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
// Verify if the request date header is shifted by less than globalMaxSkewTime parameter in the past
|
h.ServeHTTP(w, r)
|
||||||
// or in the future, reject request otherwise.
|
})
|
||||||
curTime := UTCNow()
|
|
||||||
if curTime.Sub(amzDate) > globalMaxSkewTime || amzDate.Sub(curTime) > globalMaxSkewTime {
|
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrRequestTimeTooSkewed), r.URL, guessIsBrowserReq(r))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
|
||||||
|
|
||||||
type resourceHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
// setIgnoreResourcesHandler -
|
|
||||||
// Ignore resources handler is wrapper handler used for API request resource validation
|
|
||||||
// Since we do not support all the S3 queries, it is necessary for us to throw back a
|
|
||||||
// valid error message indicating that requested feature is not implemented.
|
|
||||||
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
|
|
||||||
return resourceHandler{h}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var supportedDummyBucketAPIs = map[string][]string{
|
var supportedDummyBucketAPIs = map[string][]string{
|
||||||
@ -500,65 +422,54 @@ func ignoreNotImplementedObjectResources(req *http.Request) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// Resource handler ServeHTTP() wrapper
|
// setIgnoreResourcesHandler -
|
||||||
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// Ignore resources handler is wrapper handler used for API request resource validation
|
||||||
bucketName, objectName := request2BucketObjectName(r)
|
// Since we do not support all the S3 queries, it is necessary for us to throw back a
|
||||||
|
// valid error message indicating that requested feature is not implemented.
|
||||||
|
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
|
||||||
|
// Resource handler ServeHTTP() wrapper
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
bucketName, objectName := request2BucketObjectName(r)
|
||||||
|
|
||||||
// If bucketName is present and not objectName check for bucket level resource queries.
|
// If bucketName is present and not objectName check for bucket level resource queries.
|
||||||
if bucketName != "" && objectName == "" {
|
if bucketName != "" && objectName == "" {
|
||||||
if ignoreNotImplementedBucketResources(r) {
|
if ignoreNotImplementedBucketResources(r) {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
|
||||||
return
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
// If bucketName and objectName are present check for its resource queries.
|
||||||
// If bucketName and objectName are present check for its resource queries.
|
if bucketName != "" && objectName != "" {
|
||||||
if bucketName != "" && objectName != "" {
|
if ignoreNotImplementedObjectResources(r) {
|
||||||
if ignoreNotImplementedObjectResources(r) {
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r))
|
return
|
||||||
return
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Serve HTTP.
|
// Serve HTTP.
|
||||||
h.handler.ServeHTTP(w, r)
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// httpStatsHandler definition: gather HTTP statistics
|
// setHttpStatsHandler sets a http Stats handler to gather HTTP statistics
|
||||||
type httpStatsHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
// setHttpStatsHandler sets a http Stats Handler
|
|
||||||
func setHTTPStatsHandler(h http.Handler) http.Handler {
|
func setHTTPStatsHandler(h http.Handler) http.Handler {
|
||||||
return httpStatsHandler{handler: h}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
// Meters s3 connection stats.
|
||||||
|
meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body}
|
||||||
|
meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w}
|
||||||
|
|
||||||
func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// Execute the request
|
||||||
// Meters s3 connection stats.
|
r.Body = meteredRequest
|
||||||
meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body}
|
h.ServeHTTP(meteredResponse, r)
|
||||||
meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w}
|
|
||||||
|
|
||||||
// Execute the request
|
if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
|
||||||
r.Body = meteredRequest
|
globalConnStats.incInputBytes(meteredRequest.BytesCount())
|
||||||
h.handler.ServeHTTP(meteredResponse, r)
|
globalConnStats.incOutputBytes(meteredResponse.BytesCount())
|
||||||
|
} else {
|
||||||
if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
|
globalConnStats.incS3InputBytes(meteredRequest.BytesCount())
|
||||||
globalConnStats.incInputBytes(meteredRequest.BytesCount())
|
globalConnStats.incS3OutputBytes(meteredResponse.BytesCount())
|
||||||
globalConnStats.incOutputBytes(meteredResponse.BytesCount())
|
}
|
||||||
} else {
|
})
|
||||||
globalConnStats.incS3InputBytes(meteredRequest.BytesCount())
|
|
||||||
globalConnStats.incS3OutputBytes(meteredResponse.BytesCount())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// requestValidityHandler validates all the incoming paths for
|
|
||||||
// any malicious requests.
|
|
||||||
type requestValidityHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func setRequestValidityHandler(h http.Handler) http.Handler {
|
|
||||||
return requestValidityHandler{handler: h}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Bad path components to be rejected by the path validity handler.
|
// Bad path components to be rejected by the path validity handler.
|
||||||
@ -593,71 +504,130 @@ func hasMultipleAuth(r *http.Request) bool {
|
|||||||
return authTypeCount > 1
|
return authTypeCount > 1
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// requestValidityHandler validates all the incoming paths for
|
||||||
// Check for bad components in URL path.
|
// any malicious requests.
|
||||||
if hasBadPathComponent(r.URL.Path) {
|
func setRequestValidityHandler(h http.Handler) http.Handler {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
// Check for bad components in URL path.
|
||||||
}
|
if hasBadPathComponent(r.URL.Path) {
|
||||||
// Check for bad components in URL query values.
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
|
||||||
for _, vv := range r.URL.Query() {
|
return
|
||||||
for _, v := range vv {
|
}
|
||||||
if hasBadPathComponent(v) {
|
// Check for bad components in URL query values.
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
|
for _, vv := range r.URL.Query() {
|
||||||
|
for _, v := range vv {
|
||||||
|
if hasBadPathComponent(v) {
|
||||||
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if hasMultipleAuth(r) {
|
||||||
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
var fwd = handlers.NewForwarder(&handlers.Forwarder{
|
||||||
|
PassHost: true,
|
||||||
|
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
|
||||||
|
Logger: func(err error) {
|
||||||
|
logger.LogIf(GlobalContext, err)
|
||||||
|
},
|
||||||
|
})
|
||||||
|
|
||||||
|
// setBucketForwardingHandler middleware forwards the path style requests
|
||||||
|
// on a bucket to the right bucket location, bucket to IP configuration
|
||||||
|
// is obtained from centralized etcd configuration service.
|
||||||
|
func setBucketForwardingHandler(h http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation ||
|
||||||
|
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
|
||||||
|
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// For browser requests, when federation is setup we need to
|
||||||
|
// specifically handle download and upload for browser requests.
|
||||||
|
if guessIsBrowserReq(r) {
|
||||||
|
var bucket, _ string
|
||||||
|
switch r.Method {
|
||||||
|
case http.MethodPut:
|
||||||
|
if getRequestAuthType(r) == authTypeJWT {
|
||||||
|
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/upload", r.URL.Path)
|
||||||
|
}
|
||||||
|
case http.MethodGet:
|
||||||
|
if t := r.URL.Query().Get("token"); t != "" {
|
||||||
|
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/download", r.URL.Path)
|
||||||
|
} else if getRequestAuthType(r) != authTypeJWT && !strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
|
||||||
|
bucket, _ = request2BucketObjectName(r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if bucket == "" {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
sr, err := globalDNSConfig.Get(bucket)
|
||||||
}
|
if err != nil {
|
||||||
if hasMultipleAuth(r) {
|
if err == dns.ErrNoEntriesFound {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket),
|
||||||
return
|
r.URL, guessIsBrowserReq(r))
|
||||||
}
|
} else {
|
||||||
h.handler.ServeHTTP(w, r)
|
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err),
|
||||||
}
|
r.URL, guessIsBrowserReq(r))
|
||||||
|
}
|
||||||
// To forward the path style requests on a bucket to the right
|
return
|
||||||
// configured server, bucket to IP configuration is obtained
|
|
||||||
// from centralized etcd configuration service.
|
|
||||||
type bucketForwardingHandler struct {
|
|
||||||
fwd *handlers.Forwarder
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
||||||
if guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
|
|
||||||
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// For browser requests, when federation is setup we need to
|
|
||||||
// specifically handle download and upload for browser requests.
|
|
||||||
if guessIsBrowserReq(r) {
|
|
||||||
var bucket, _ string
|
|
||||||
switch r.Method {
|
|
||||||
case http.MethodPut:
|
|
||||||
if getRequestAuthType(r) == authTypeJWT {
|
|
||||||
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/upload", r.URL.Path)
|
|
||||||
}
|
}
|
||||||
case http.MethodGet:
|
if globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
|
||||||
if t := r.URL.Query().Get("token"); t != "" {
|
r.URL.Scheme = "http"
|
||||||
bucket, _ = path2BucketObjectWithBasePath(minioReservedBucketPath+"/download", r.URL.Path)
|
if globalIsTLS {
|
||||||
} else if getRequestAuthType(r) != authTypeJWT && !strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
|
r.URL.Scheme = "https"
|
||||||
bucket, _ = request2BucketObjectName(r)
|
}
|
||||||
|
r.URL.Host = getHostFromSrv(sr)
|
||||||
|
fwd.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
}
|
h.ServeHTTP(w, r)
|
||||||
if bucket == "" {
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bucket, object := request2BucketObjectName(r)
|
||||||
|
|
||||||
|
// Requests in federated setups for STS type calls which are
|
||||||
|
// performed at '/' resource should be routed by the muxer,
|
||||||
|
// the assumption is simply such that requests without a bucket
|
||||||
|
// in a federated setup cannot be proxied, so serve them at
|
||||||
|
// current server.
|
||||||
|
if bucket == "" {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// MakeBucket requests should be handled at current endpoint
|
||||||
|
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// CopyObject requests should be handled at current endpoint as path style
|
||||||
|
// requests have target bucket and object in URI and source details are in
|
||||||
|
// header fields
|
||||||
|
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
|
||||||
|
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
|
||||||
|
if bucket == "" || object == "" {
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
sr, err := globalDNSConfig.Get(bucket)
|
sr, err := globalDNSConfig.Get(bucket)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == dns.ErrNoEntriesFound {
|
if err == dns.ErrNoEntriesFound {
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket),
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), r.URL, guessIsBrowserReq(r))
|
||||||
r.URL, guessIsBrowserReq(r))
|
|
||||||
} else {
|
} else {
|
||||||
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err),
|
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL, guessIsBrowserReq(r))
|
||||||
r.URL, guessIsBrowserReq(r))
|
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -667,78 +637,11 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
|
|||||||
r.URL.Scheme = "https"
|
r.URL.Scheme = "https"
|
||||||
}
|
}
|
||||||
r.URL.Host = getHostFromSrv(sr)
|
r.URL.Host = getHostFromSrv(sr)
|
||||||
f.fwd.ServeHTTP(w, r)
|
fwd.ServeHTTP(w, r)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
f.handler.ServeHTTP(w, r)
|
h.ServeHTTP(w, r)
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
bucket, object := request2BucketObjectName(r)
|
|
||||||
|
|
||||||
// Requests in federated setups for STS type calls which are
|
|
||||||
// performed at '/' resource should be routed by the muxer,
|
|
||||||
// the assumption is simply such that requests without a bucket
|
|
||||||
// in a federated setup cannot be proxied, so serve them at
|
|
||||||
// current server.
|
|
||||||
if bucket == "" {
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// MakeBucket requests should be handled at current endpoint
|
|
||||||
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// CopyObject requests should be handled at current endpoint as path style
|
|
||||||
// requests have target bucket and object in URI and source details are in
|
|
||||||
// header fields
|
|
||||||
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
|
|
||||||
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
|
|
||||||
if bucket == "" || object == "" {
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
sr, err := globalDNSConfig.Get(bucket)
|
|
||||||
if err != nil {
|
|
||||||
if err == dns.ErrNoEntriesFound {
|
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrNoSuchBucket), r.URL, guessIsBrowserReq(r))
|
|
||||||
} else {
|
|
||||||
writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL, guessIsBrowserReq(r))
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if globalDomainIPs.Intersection(set.CreateStringSet(getHostsSlice(sr)...)).IsEmpty() {
|
|
||||||
r.URL.Scheme = "http"
|
|
||||||
if globalIsTLS {
|
|
||||||
r.URL.Scheme = "https"
|
|
||||||
}
|
|
||||||
r.URL.Host = getHostFromSrv(sr)
|
|
||||||
f.fwd.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
f.handler.ServeHTTP(w, r)
|
|
||||||
}
|
|
||||||
|
|
||||||
// setBucketForwardingHandler middleware forwards the path style requests
|
|
||||||
// on a bucket to the right bucket location, bucket to IP configuration
|
|
||||||
// is obtained from centralized etcd configuration service.
|
|
||||||
func setBucketForwardingHandler(h http.Handler) http.Handler {
|
|
||||||
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation {
|
|
||||||
return h
|
|
||||||
}
|
|
||||||
|
|
||||||
fwd := handlers.NewForwarder(&handlers.Forwarder{
|
|
||||||
PassHost: true,
|
|
||||||
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
|
|
||||||
Logger: func(err error) {
|
|
||||||
logger.LogIf(GlobalContext, err)
|
|
||||||
},
|
|
||||||
})
|
})
|
||||||
return bucketForwardingHandler{fwd, h}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// customHeaderHandler sets x-amz-request-id header.
|
// customHeaderHandler sets x-amz-request-id header.
|
||||||
@ -746,33 +649,21 @@ func setBucketForwardingHandler(h http.Handler) http.Handler {
|
|||||||
// the client. So, logger and Error response XML were not using this
|
// the client. So, logger and Error response XML were not using this
|
||||||
// value. This is set here so that this header can be logged as
|
// value. This is set here so that this header can be logged as
|
||||||
// part of the log entry, Error response XML and auditing.
|
// part of the log entry, Error response XML and auditing.
|
||||||
type customHeaderHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
|
||||||
|
|
||||||
func addCustomHeaders(h http.Handler) http.Handler {
|
func addCustomHeaders(h http.Handler) http.Handler {
|
||||||
return customHeaderHandler{handler: h}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
// Set custom headers such as x-amz-request-id for each request.
|
||||||
|
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
|
||||||
func (s customHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
h.ServeHTTP(logger.NewResponseWriter(w), r)
|
||||||
// Set custom headers such as x-amz-request-id for each request.
|
})
|
||||||
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
|
|
||||||
s.handler.ServeHTTP(logger.NewResponseWriter(w), r)
|
|
||||||
}
|
|
||||||
|
|
||||||
type securityHeaderHandler struct {
|
|
||||||
handler http.Handler
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func addSecurityHeaders(h http.Handler) http.Handler {
|
func addSecurityHeaders(h http.Handler) http.Handler {
|
||||||
return securityHeaderHandler{handler: h}
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
header := w.Header()
|
||||||
|
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks
|
||||||
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
|
||||||
header := w.Header()
|
h.ServeHTTP(w, r)
|
||||||
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks
|
})
|
||||||
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
|
|
||||||
s.handler.ServeHTTP(w, r)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// criticalErrorHandler handles critical server failures caused by
|
// criticalErrorHandler handles critical server failures caused by
|
||||||
@ -793,25 +684,18 @@ func (h criticalErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
|
|||||||
h.handler.ServeHTTP(w, r)
|
h.handler.ServeHTTP(w, r)
|
||||||
}
|
}
|
||||||
|
|
||||||
func setSSETLSHandler(h http.Handler) http.Handler {
|
|
||||||
if globalIsTLS {
|
|
||||||
return h
|
|
||||||
}
|
|
||||||
return sseTLSHandler{h}
|
|
||||||
}
|
|
||||||
|
|
||||||
// sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS.
|
// sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS.
|
||||||
type sseTLSHandler struct{ handler http.Handler }
|
func setSSETLSHandler(h http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
func (h sseTLSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
// Deny SSE-C requests if not made over TLS
|
||||||
// Deny SSE-C requests if not made over TLS
|
if !globalIsTLS && (crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header)) {
|
||||||
if crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header) {
|
if r.Method == http.MethodHead {
|
||||||
if r.Method == http.MethodHead {
|
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest))
|
||||||
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest))
|
} else {
|
||||||
} else {
|
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest), r.URL, guessIsBrowserReq(r))
|
||||||
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest), r.URL, guessIsBrowserReq(r))
|
}
|
||||||
|
return
|
||||||
}
|
}
|
||||||
return
|
h.ServeHTTP(w, r)
|
||||||
}
|
})
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
}
|
||||||
|
@ -38,47 +38,47 @@ func registerDistErasureRouters(router *mux.Router, endpointServerPools Endpoint
|
|||||||
}
|
}
|
||||||
|
|
||||||
// List of some generic handlers which are applied for all incoming requests.
|
// List of some generic handlers which are applied for all incoming requests.
|
||||||
var globalHandlers = []MiddlewareFunc{
|
var globalHandlers = []mux.MiddlewareFunc{
|
||||||
// add redirect handler to redirect
|
// filters HTTP headers which are treated as metadata and are reserved
|
||||||
// requests when object layer is not
|
// for internal use only.
|
||||||
// initialized.
|
filterReservedMetadata,
|
||||||
setRedirectHandler,
|
// Enforce rules specific for TLS requests
|
||||||
// set x-amz-request-id header.
|
setSSETLSHandler,
|
||||||
addCustomHeaders,
|
|
||||||
// set HTTP security headers such as Content-Security-Policy.
|
|
||||||
addSecurityHeaders,
|
|
||||||
// Forward path style requests to actual host in a bucket federated setup.
|
|
||||||
setBucketForwardingHandler,
|
|
||||||
// Validate all the incoming requests.
|
|
||||||
setRequestValidityHandler,
|
|
||||||
// Network statistics
|
|
||||||
setHTTPStatsHandler,
|
|
||||||
// Limits all requests size to a maximum fixed limit
|
|
||||||
setRequestSizeLimitHandler,
|
|
||||||
// Limits all header sizes to a maximum fixed limit
|
|
||||||
setRequestHeaderSizeLimitHandler,
|
|
||||||
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
|
|
||||||
setCrossDomainPolicy,
|
|
||||||
// Redirect some pre-defined browser request paths to a static location prefix.
|
|
||||||
setBrowserRedirectHandler,
|
|
||||||
// Validates if incoming request is for restricted buckets.
|
|
||||||
setReservedBucketHandler,
|
|
||||||
// Adds cache control for all browser requests.
|
|
||||||
setBrowserCacheControlHandler,
|
|
||||||
// Validates all incoming requests to have a valid date header.
|
|
||||||
setTimeValidityHandler,
|
|
||||||
// Validates all incoming URL resources, for invalid/unsupported
|
|
||||||
// resources client receives a HTTP error.
|
|
||||||
setIgnoreResourcesHandler,
|
|
||||||
// Auth handler verifies incoming authorization headers and
|
// Auth handler verifies incoming authorization headers and
|
||||||
// routes them accordingly. Client receives a HTTP error for
|
// routes them accordingly. Client receives a HTTP error for
|
||||||
// invalid/unsupported signatures.
|
// invalid/unsupported signatures.
|
||||||
setAuthHandler,
|
setAuthHandler,
|
||||||
// Enforce rules specific for TLS requests
|
// Validates all incoming URL resources, for invalid/unsupported
|
||||||
setSSETLSHandler,
|
// resources client receives a HTTP error.
|
||||||
// filters HTTP headers which are treated as metadata and are reserved
|
setIgnoreResourcesHandler,
|
||||||
// for internal use only.
|
// Validates all incoming requests to have a valid date header.
|
||||||
filterReservedMetadata,
|
setTimeValidityHandler,
|
||||||
|
// Adds cache control for all browser requests.
|
||||||
|
setBrowserCacheControlHandler,
|
||||||
|
// Validates if incoming request is for restricted buckets.
|
||||||
|
setReservedBucketHandler,
|
||||||
|
// Redirect some pre-defined browser request paths to a static location prefix.
|
||||||
|
setBrowserRedirectHandler,
|
||||||
|
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
|
||||||
|
setCrossDomainPolicy,
|
||||||
|
// Limits all header sizes to a maximum fixed limit
|
||||||
|
setRequestHeaderSizeLimitHandler,
|
||||||
|
// Limits all requests size to a maximum fixed limit
|
||||||
|
setRequestSizeLimitHandler,
|
||||||
|
// Network statistics
|
||||||
|
setHTTPStatsHandler,
|
||||||
|
// Validate all the incoming requests.
|
||||||
|
setRequestValidityHandler,
|
||||||
|
// Forward path style requests to actual host in a bucket federated setup.
|
||||||
|
setBucketForwardingHandler,
|
||||||
|
// set HTTP security headers such as Content-Security-Policy.
|
||||||
|
addSecurityHeaders,
|
||||||
|
// set x-amz-request-id header.
|
||||||
|
addCustomHeaders,
|
||||||
|
// add redirect handler to redirect
|
||||||
|
// requests when object layer is not
|
||||||
|
// initialized.
|
||||||
|
setRedirectHandler,
|
||||||
// Add new handlers here.
|
// Add new handlers here.
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -115,7 +115,7 @@ func configureServerHandler(endpointServerPools EndpointServerPools) (http.Handl
|
|||||||
// Add API router
|
// Add API router
|
||||||
registerAPIRouter(router)
|
registerAPIRouter(router)
|
||||||
|
|
||||||
router.Use(registerMiddlewares)
|
router.Use(globalHandlers...)
|
||||||
|
|
||||||
return router, nil
|
return router, nil
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user