mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
parent
5a9333a67b
commit
dd9aaa855c
@ -75,6 +75,7 @@ const (
|
||||
BucketNotEmpty
|
||||
RootPathFull
|
||||
ObjectExistsAsPrefix
|
||||
AllAccessDisabled
|
||||
)
|
||||
|
||||
// APIError code to Error structure map
|
||||
@ -244,6 +245,11 @@ var errorCodeResponse = map[int]APIError{
|
||||
Description: "An object already exists as your prefix, choose a different prefix to proceed.",
|
||||
HTTPStatusCode: http.StatusConflict,
|
||||
},
|
||||
AllAccessDisabled: {
|
||||
Code: "AllAccessDisabled",
|
||||
Description: "All access to this bucket has been disabled.",
|
||||
HTTPStatusCode: http.StatusForbidden,
|
||||
},
|
||||
}
|
||||
|
||||
// errorCodeError provides errorCode to Error. It returns empty if the code provided is unknown
|
||||
|
@ -39,13 +39,34 @@ func setAuthHandler(h http.Handler) http.Handler {
|
||||
return authHandler{h}
|
||||
}
|
||||
|
||||
// handler for validating incoming authorization headers.
|
||||
func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Verify if request has post policy signature.
|
||||
// Verify if request is presigned, validate signature inside each handlers.
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
a.handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Verify if request has post policy signature, validate signature
|
||||
// inside POST policy handler.
|
||||
if isRequestPostPolicySignatureV4(r) && r.Method == "POST" {
|
||||
a.handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// No authorization found, let the top level caller validate if
|
||||
// public request is allowed.
|
||||
if _, ok := r.Header["Authorization"]; !ok {
|
||||
a.handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Verify if the signature algorithms are known.
|
||||
if !isRequestSignatureV4(r) && !isRequestJWT(r) {
|
||||
writeErrorResponse(w, r, SignatureVersionNotSupported, r.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// Verify JWT authorization header is present.
|
||||
if isRequestJWT(r) {
|
||||
// Validate Authorization header to be valid.
|
||||
@ -62,7 +83,6 @@ func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
// For signed, presigned, jwt and anonymous requests let the top level
|
||||
// caller handle and verify.
|
||||
// For all other signed requests, let top level caller verify.
|
||||
a.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
@ -241,10 +241,20 @@ func (api CloudStorageAPI) PutBucketHandler(w http.ResponseWriter, r *http.Reque
|
||||
}
|
||||
|
||||
// Set http request for signature.
|
||||
api.Signature.SetHTTPRequestToVerify(r)
|
||||
|
||||
// Verify signature for the incoming body if any.
|
||||
if api.Signature != nil {
|
||||
auth := api.Signature.SetHTTPRequestToVerify(r)
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
ok, err := auth.DoesPresignedSignatureMatch()
|
||||
if err != nil {
|
||||
errorIf(err.Trace(r.URL.String()), "Presigned signature verification failed.", nil)
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
} else if isRequestSignatureV4(r) {
|
||||
// Verify signature for the incoming body if any.
|
||||
locationBytes, e := ioutil.ReadAll(r.Body)
|
||||
if e != nil {
|
||||
errorIf(probe.NewError(e), "MakeBucket failed.", nil)
|
||||
@ -253,7 +263,7 @@ func (api CloudStorageAPI) PutBucketHandler(w http.ResponseWriter, r *http.Reque
|
||||
}
|
||||
sh := sha256.New()
|
||||
sh.Write(locationBytes)
|
||||
ok, err := api.Signature.DoesSignatureMatch(hex.EncodeToString(sh.Sum(nil)))
|
||||
ok, err := auth.DoesSignatureMatch(hex.EncodeToString(sh.Sum(nil)))
|
||||
if err != nil {
|
||||
errorIf(err.Trace(), "MakeBucket failed.", nil)
|
||||
writeErrorResponse(w, r, InternalError, r.URL.Path)
|
||||
|
@ -28,6 +28,7 @@ import (
|
||||
|
||||
const (
|
||||
iso8601Format = "20060102T150405Z"
|
||||
privateBucket = "/minio"
|
||||
)
|
||||
|
||||
// HandlerFunc - useful to chain different middleware http.Handler
|
||||
@ -42,59 +43,81 @@ func registerHandlers(mux *router.Router, handlerFns ...HandlerFunc) http.Handle
|
||||
return f
|
||||
}
|
||||
|
||||
type timeHandler struct {
|
||||
handler http.Handler
|
||||
// Attempts to parse date string into known date layouts. Date layouts
|
||||
// currently supported are ``time.RFC1123``, ``time.RFC1123Z`` and
|
||||
// special ``iso8601Format``.
|
||||
func parseKnownLayouts(date string) (time.Time, error) {
|
||||
parsedTime, e := time.Parse(time.RFC1123, date)
|
||||
if e == nil {
|
||||
return parsedTime, nil
|
||||
}
|
||||
parsedTime, e = time.Parse(time.RFC1123Z, date)
|
||||
if e == nil {
|
||||
return parsedTime, nil
|
||||
}
|
||||
parsedTime, e = time.Parse(iso8601Format, date)
|
||||
if e == nil {
|
||||
return parsedTime, nil
|
||||
}
|
||||
return time.Time{}, e
|
||||
}
|
||||
|
||||
type resourceHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
type ignoreSignatureV2RequestHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
func parseDate(req *http.Request) (time.Time, error) {
|
||||
// Parse date string from incoming header, current supports and verifies
|
||||
// follow HTTP headers.
|
||||
//
|
||||
// - X-Amz-Date
|
||||
// - X-Minio-Date
|
||||
// - Date
|
||||
//
|
||||
// In following time layouts ``time.RFC1123``, ``time.RFC1123Z`` and ``iso8601Format``.
|
||||
func parseDateHeader(req *http.Request) (time.Time, error) {
|
||||
amzDate := req.Header.Get(http.CanonicalHeaderKey("x-amz-date"))
|
||||
switch {
|
||||
case amzDate != "":
|
||||
if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
|
||||
return time.Parse(time.RFC1123, amzDate)
|
||||
}
|
||||
if _, err := time.Parse(time.RFC1123Z, amzDate); err == nil {
|
||||
return time.Parse(time.RFC1123Z, amzDate)
|
||||
}
|
||||
if _, err := time.Parse(iso8601Format, amzDate); err == nil {
|
||||
return time.Parse(iso8601Format, amzDate)
|
||||
}
|
||||
if amzDate != "" {
|
||||
return parseKnownLayouts(amzDate)
|
||||
}
|
||||
minioDate := req.Header.Get(http.CanonicalHeaderKey("x-minio-date"))
|
||||
switch {
|
||||
case minioDate != "":
|
||||
if _, err := time.Parse(time.RFC1123, minioDate); err == nil {
|
||||
return time.Parse(time.RFC1123, minioDate)
|
||||
}
|
||||
if _, err := time.Parse(time.RFC1123Z, minioDate); err == nil {
|
||||
return time.Parse(time.RFC1123Z, minioDate)
|
||||
}
|
||||
if _, err := time.Parse(iso8601Format, minioDate); err == nil {
|
||||
return time.Parse(iso8601Format, minioDate)
|
||||
if minioDate != "" {
|
||||
return parseKnownLayouts(minioDate)
|
||||
}
|
||||
genericDate := req.Header.Get("Date")
|
||||
if genericDate != "" {
|
||||
return parseKnownLayouts(genericDate)
|
||||
}
|
||||
return time.Time{}, errors.New("Date header missing, invalid request.")
|
||||
}
|
||||
|
||||
// Adds redirect rules for incoming requests.
|
||||
type redirectHandler struct {
|
||||
handler http.Handler
|
||||
locationPrefix string
|
||||
}
|
||||
|
||||
func setBrowserRedirectHandler(h http.Handler) http.Handler {
|
||||
return redirectHandler{handler: h, locationPrefix: privateBucket}
|
||||
}
|
||||
|
||||
func (h redirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Re-direction handled specifically for browsers.
|
||||
if strings.Contains(r.Header.Get("User-Agent"), "Mozilla") {
|
||||
switch r.URL.Path {
|
||||
case "/":
|
||||
// This could be the default route for browser, redirect
|
||||
// to 'locationPrefix/'.
|
||||
fallthrough
|
||||
case "/rpc":
|
||||
// This is '/rpc' API route for browser, redirect to
|
||||
// 'locationPrefix/rpc'.
|
||||
fallthrough
|
||||
case "/login":
|
||||
// This is '/login' route for browser, redirect to
|
||||
// 'locationPrefix/login'.
|
||||
location := h.locationPrefix + r.URL.Path
|
||||
// Redirect to new location.
|
||||
http.Redirect(w, r, location, http.StatusTemporaryRedirect)
|
||||
return
|
||||
}
|
||||
}
|
||||
date := req.Header.Get("Date")
|
||||
switch {
|
||||
case date != "":
|
||||
if _, err := time.Parse(time.RFC1123, date); err == nil {
|
||||
return time.Parse(time.RFC1123, date)
|
||||
}
|
||||
if _, err := time.Parse(time.RFC1123Z, date); err == nil {
|
||||
return time.Parse(time.RFC1123Z, date)
|
||||
}
|
||||
if _, err := time.Parse(iso8601Format, amzDate); err == nil {
|
||||
return time.Parse(iso8601Format, amzDate)
|
||||
}
|
||||
}
|
||||
return time.Time{}, errors.New("invalid request")
|
||||
h.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
// Adds Cache-Control header
|
||||
@ -102,18 +125,41 @@ type cacheControlHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
func setCacheControlHandler(h http.Handler) http.Handler {
|
||||
func setBrowserCacheControlHandler(h http.Handler) http.Handler {
|
||||
return cacheControlHandler{h}
|
||||
}
|
||||
|
||||
func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method == "GET" {
|
||||
// expire the cache in one week
|
||||
w.Header().Set("Cache-Control", "public, max-age=604800")
|
||||
if r.Method == "GET" && strings.Contains(r.Header.Get("User-Agent"), "Mozilla") {
|
||||
// Expire cache in one hour for all browser requests.
|
||||
w.Header().Set("Cache-Control", "public, max-age=3600")
|
||||
}
|
||||
h.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
// Adds verification for incoming paths.
|
||||
type minioPrivateBucketHandler struct {
|
||||
handler http.Handler
|
||||
privateBucket string
|
||||
}
|
||||
|
||||
func setPrivateBucketHandler(h http.Handler) http.Handler {
|
||||
return minioPrivateBucketHandler{handler: h, privateBucket: privateBucket}
|
||||
}
|
||||
|
||||
func (h minioPrivateBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// For all non browser requests, reject access to 'privateBucket'.
|
||||
if !strings.Contains(r.Header.Get("User-Agent"), "Mozilla") && strings.HasPrefix(r.URL.Path, privateBucket) {
|
||||
writeErrorResponse(w, r, AllAccessDisabled, r.URL.Path)
|
||||
return
|
||||
}
|
||||
h.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
type timeHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
// setTimeValidityHandler to validate parsable time over http header
|
||||
func setTimeValidityHandler(h http.Handler) http.Handler {
|
||||
return timeHandler{h}
|
||||
@ -122,19 +168,18 @@ func setTimeValidityHandler(h http.Handler) http.Handler {
|
||||
func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Verify if date headers are set, if not reject the request
|
||||
if r.Header.Get("Authorization") != "" {
|
||||
if r.Header.Get(http.CanonicalHeaderKey("x-amz-date")) == "" && r.Header.Get(http.CanonicalHeaderKey("x-minio-date")) == "" && r.Header.Get("Date") == "" {
|
||||
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
||||
writeErrorResponse(w, r, RequestTimeTooSkewed, r.URL.Path)
|
||||
return
|
||||
}
|
||||
date, err := parseDate(r)
|
||||
if err != nil {
|
||||
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
||||
date, e := parseDateHeader(r)
|
||||
if e != nil {
|
||||
// All our internal APIs are sensitive towards Date
|
||||
// header, for all requests where Date header is not
|
||||
// present we will reject such clients.
|
||||
writeErrorResponse(w, r, RequestTimeTooSkewed, r.URL.Path)
|
||||
return
|
||||
}
|
||||
duration := time.Since(date)
|
||||
minutes := time.Duration(5) * time.Minute
|
||||
// Verify if the request date header is more than 5minutes
|
||||
// late, reject such clients.
|
||||
if duration.Minutes() > minutes.Minutes() {
|
||||
writeErrorResponse(w, r, RequestTimeTooSkewed, r.URL.Path)
|
||||
return
|
||||
@ -143,6 +188,10 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
h.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
type resourceHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
|
||||
func setCorsHandler(h http.Handler) http.Handler {
|
||||
c := cors.New(cors.Options{
|
||||
@ -153,26 +202,10 @@ func setCorsHandler(h http.Handler) http.Handler {
|
||||
return c.Handler(h)
|
||||
}
|
||||
|
||||
// setIgnoreSignatureV2RequestHandler -
|
||||
// Verify if authorization header has signature version '2', reject it cleanly.
|
||||
func setIgnoreSignatureV2RequestHandler(h http.Handler) http.Handler {
|
||||
return ignoreSignatureV2RequestHandler{h}
|
||||
}
|
||||
|
||||
// Ignore signature version '2' ServerHTTP() wrapper.
|
||||
func (h ignoreSignatureV2RequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if isRequestSignatureV4(r) || isRequestJWT(r) || isRequestPresignedSignatureV4(r) || isRequestPostPolicySignatureV4(r) {
|
||||
h.handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
writeErrorResponse(w, r, SignatureVersionNotSupported, r.URL.Path)
|
||||
return
|
||||
}
|
||||
|
||||
// setIgnoreResourcesHandler -
|
||||
// Ignore resources handler is wrapper handler used for API request resource validation
|
||||
// Since we do not support all the S3 queries, it is necessary for us to throw back a
|
||||
// valid error message indicating such a feature is not implemented.
|
||||
// valid error message indicating that requested feature is not implemented.
|
||||
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
|
||||
return resourceHandler{h}
|
||||
}
|
||||
|
48
logger_test.go
Normal file
48
logger_test.go
Normal file
@ -0,0 +1,48 @@
|
||||
/*
|
||||
* Minio Cloud Storage (C) 2015 Minio, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
|
||||
"github.com/Sirupsen/logrus"
|
||||
"github.com/minio/minio/pkg/probe"
|
||||
|
||||
. "gopkg.in/check.v1"
|
||||
)
|
||||
|
||||
type LoggerSuite struct{}
|
||||
|
||||
var _ = Suite(&LoggerSuite{})
|
||||
|
||||
func (s *LoggerSuite) TestLogger(c *C) {
|
||||
var buffer bytes.Buffer
|
||||
var fields logrus.Fields
|
||||
log.Out = &buffer
|
||||
log.Formatter = new(logrus.JSONFormatter)
|
||||
|
||||
errorIf(probe.NewError(errors.New("Fake error")), "Failed with error.", nil)
|
||||
err := json.Unmarshal(buffer.Bytes(), &fields)
|
||||
c.Assert(err, IsNil)
|
||||
c.Assert(fields["level"], Equals, "error")
|
||||
|
||||
msg, ok := fields["Error"]
|
||||
c.Assert(ok, Equals, true)
|
||||
c.Assert(msg.(map[string]interface{})["cause"], Equals, "Fake error")
|
||||
}
|
@ -182,10 +182,25 @@ func (api CloudStorageAPI) PutObjectHandler(w http.ResponseWriter, r *http.Reque
|
||||
}
|
||||
|
||||
// Set http request for signature.
|
||||
api.Signature.SetHTTPRequestToVerify(r)
|
||||
auth := api.Signature.SetHTTPRequestToVerify(r)
|
||||
|
||||
// For presigned requests verify them right here.
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
ok, err := auth.DoesPresignedSignatureMatch()
|
||||
if err != nil {
|
||||
errorIf(err.Trace(r.URL.String()), "Presigned signature verification failed.", nil)
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
auth = nil
|
||||
}
|
||||
|
||||
// Create object.
|
||||
metadata, err := api.Filesystem.CreateObject(bucket, object, md5, size, r.Body, api.Signature)
|
||||
metadata, err := api.Filesystem.CreateObject(bucket, object, md5, size, r.Body, auth)
|
||||
if err != nil {
|
||||
errorIf(err.Trace(), "CreateObject failed.", nil)
|
||||
switch err.ToGoError().(type) {
|
||||
@ -311,10 +326,26 @@ func (api CloudStorageAPI) PutObjectPartHandler(w http.ResponseWriter, r *http.R
|
||||
}
|
||||
}
|
||||
|
||||
// Set http request.
|
||||
api.Signature.SetHTTPRequestToVerify(r)
|
||||
// Set http request for signature.
|
||||
auth := api.Signature.SetHTTPRequestToVerify(r)
|
||||
// For presigned requests verify right here.
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
ok, err := auth.DoesPresignedSignatureMatch()
|
||||
if err != nil {
|
||||
errorIf(err.Trace(r.URL.String()), "Presigned signature verification failed.", nil)
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// Signature verified, set this to nil payload verification
|
||||
// not necessary.
|
||||
auth = nil
|
||||
}
|
||||
|
||||
calculatedMD5, err := api.Filesystem.CreateObjectPart(bucket, object, uploadID, md5, partID, size, r.Body, api.Signature)
|
||||
calculatedMD5, err := api.Filesystem.CreateObjectPart(bucket, object, uploadID, md5, partID, size, r.Body, auth)
|
||||
if err != nil {
|
||||
errorIf(err.Trace(), "CreateObjectPart failed.", nil)
|
||||
switch err.ToGoError().(type) {
|
||||
@ -454,7 +485,21 @@ func (api CloudStorageAPI) CompleteMultipartUploadHandler(w http.ResponseWriter,
|
||||
}
|
||||
|
||||
// Set http request for signature.
|
||||
api.Signature.SetHTTPRequestToVerify(r)
|
||||
auth := api.Signature.SetHTTPRequestToVerify(r)
|
||||
// For presigned requests verify right here.
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
ok, err := auth.DoesPresignedSignatureMatch()
|
||||
if err != nil {
|
||||
errorIf(err.Trace(r.URL.String()), "Presigned signature verification failed.", nil)
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
auth = nil
|
||||
}
|
||||
|
||||
// Extract object resources.
|
||||
objectResourcesMetadata := getObjectResources(r.URL.Query())
|
||||
|
@ -210,7 +210,7 @@ func (s Signature) getSignature(signingKey []byte, stringToSign string) string {
|
||||
// returns true if matches, false otherwise. if error is not nil then it is always false
|
||||
func (s *Signature) DoesPolicySignatureMatch(formValues map[string]string) (bool, *probe.Error) {
|
||||
// Parse credential tag.
|
||||
creds, err := parseCredential(formValues["X-Amz-Credential"])
|
||||
creds, err := parseCredential("Credential=" + formValues["X-Amz-Credential"])
|
||||
if err != nil {
|
||||
return false, err.Trace(formValues["X-Amz-Credential"])
|
||||
}
|
||||
@ -273,13 +273,13 @@ func (s *Signature) DoesPresignedSignatureMatch() (bool, *probe.Error) {
|
||||
query := make(url.Values)
|
||||
query.Set("X-Amz-Algorithm", signV4Algorithm)
|
||||
|
||||
if time.Now().UTC().Sub(preSignV4Values.Date) > time.Duration(preSignV4Values.Expires)*time.Second {
|
||||
if time.Now().UTC().Sub(preSignV4Values.Date) > time.Duration(preSignV4Values.Expires)/time.Second {
|
||||
return false, ErrExpiredPresignRequest("Presigned request already expired, please initiate a new request.")
|
||||
}
|
||||
|
||||
// Save the date and expires.
|
||||
t := preSignV4Values.Date
|
||||
expireSeconds := int(preSignV4Values.Expires)
|
||||
expireSeconds := int(time.Duration(preSignV4Values.Expires) / time.Second)
|
||||
|
||||
query.Set("X-Amz-Date", t.Format(iso8601Format))
|
||||
query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
|
||||
|
@ -116,7 +116,7 @@ func parsePreSignV4(query url.Values) (preSignValues, *probe.Error) {
|
||||
|
||||
var err *probe.Error
|
||||
// Save credentail values.
|
||||
preSignV4Values.Creds, err = parseCredential(query.Get("X-Amz-Credential"))
|
||||
preSignV4Values.Creds, err = parseCredential("Credential=" + query.Get("X-Amz-Credential"))
|
||||
if err != nil {
|
||||
return preSignValues{}, err.Trace(query.Get("X-Amz-Credential"))
|
||||
}
|
||||
@ -135,13 +135,13 @@ func parsePreSignV4(query url.Values) (preSignValues, *probe.Error) {
|
||||
}
|
||||
|
||||
// Save signed headers.
|
||||
preSignV4Values.SignedHeaders, err = parseSignedHeaders(query.Get("X-Amz-SignedHeaders"))
|
||||
preSignV4Values.SignedHeaders, err = parseSignedHeaders("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
|
||||
if err != nil {
|
||||
return preSignValues{}, err.Trace(query.Get("X-Amz-SignedHeaders"))
|
||||
}
|
||||
|
||||
// Save signature.
|
||||
preSignV4Values.Signature, err = parseSignature(query.Get("X-Amz-Signature"))
|
||||
preSignV4Values.Signature, err = parseSignature("Signature=" + query.Get("X-Amz-Signature"))
|
||||
if err != nil {
|
||||
return preSignValues{}, err.Trace(query.Get("X-Amz-Signature"))
|
||||
}
|
||||
|
82
routers.go
82
routers.go
@ -19,6 +19,7 @@ package main
|
||||
import (
|
||||
"net"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
|
||||
router "github.com/gorilla/mux"
|
||||
jsonrpc "github.com/gorilla/rpc/v2"
|
||||
@ -58,38 +59,30 @@ type WebAPI struct {
|
||||
secretAccessKey string
|
||||
}
|
||||
|
||||
func getWebAPIHandler(web *WebAPI) http.Handler {
|
||||
var handlerFns = []HandlerFunc{
|
||||
setCacheControlHandler, // Adds Cache-Control header
|
||||
setTimeValidityHandler, // Validate time.
|
||||
setCorsHandler, // CORS added only for testing purposes.
|
||||
}
|
||||
if web.AccessLog {
|
||||
handlerFns = append(handlerFns, setAccessLogHandler)
|
||||
}
|
||||
|
||||
s := jsonrpc.NewServer()
|
||||
codec := json2.NewCodec()
|
||||
s.RegisterCodec(codec, "application/json")
|
||||
s.RegisterCodec(codec, "application/json; charset=UTF-8")
|
||||
s.RegisterService(web, "Web")
|
||||
mux := router.NewRouter()
|
||||
// Root router.
|
||||
root := mux.NewRoute().PathPrefix("/").Subrouter()
|
||||
root.Handle("/rpc", s)
|
||||
|
||||
// Enable this when we add assets.
|
||||
root.PathPrefix("/login").Handler(http.StripPrefix("/login", http.FileServer(assetFS())))
|
||||
root.Handle("/{file:.*}", http.FileServer(assetFS()))
|
||||
return registerHandlers(mux, handlerFns...)
|
||||
}
|
||||
|
||||
// registerCloudStorageAPI - register all the handlers to their respective paths
|
||||
func registerCloudStorageAPI(mux *router.Router, a CloudStorageAPI) {
|
||||
// root Router
|
||||
root := mux.NewRoute().PathPrefix("/").Subrouter()
|
||||
func registerCloudStorageAPI(mux *router.Router, a CloudStorageAPI, w *WebAPI) {
|
||||
// Minio rpc router
|
||||
minio := mux.NewRoute().PathPrefix(privateBucket).Subrouter()
|
||||
|
||||
// Initialize json rpc handlers.
|
||||
rpc := jsonrpc.NewServer()
|
||||
codec := json2.NewCodec()
|
||||
rpc.RegisterCodec(codec, "application/json")
|
||||
rpc.RegisterCodec(codec, "application/json; charset=UTF-8")
|
||||
rpc.RegisterService(w, "Web")
|
||||
|
||||
// RPC handler at URI - /minio/rpc
|
||||
minio.Path("/rpc").Handler(rpc)
|
||||
|
||||
// Web handler assets at URI - /minio/login
|
||||
minio.Path("/login").Handler(http.StripPrefix(filepath.Join(privateBucket, "login"), http.FileServer(assetFS())))
|
||||
minio.Path("/{file:.*}").Handler(http.StripPrefix(privateBucket, http.FileServer(assetFS())))
|
||||
|
||||
// API Router
|
||||
api := mux.NewRoute().PathPrefix("/").Subrouter()
|
||||
|
||||
// Bucket router
|
||||
bucket := root.PathPrefix("/{bucket}").Subrouter()
|
||||
bucket := api.PathPrefix("/{bucket}").Subrouter()
|
||||
|
||||
// Object operations
|
||||
bucket.Methods("HEAD").Path("/{object:.+}").HandlerFunc(a.HeadObjectHandler)
|
||||
@ -114,7 +107,7 @@ func registerCloudStorageAPI(mux *router.Router, a CloudStorageAPI) {
|
||||
bucket.Methods("DELETE").HandlerFunc(a.DeleteBucketHandler)
|
||||
|
||||
// Root operation
|
||||
root.Methods("GET").HandlerFunc(a.ListBucketsHandler)
|
||||
api.Methods("GET").HandlerFunc(a.ListBucketsHandler)
|
||||
}
|
||||
|
||||
// getNewWebAPI instantiate a new WebAPI.
|
||||
@ -133,7 +126,7 @@ func getNewWebAPI(conf cloudServerConfig) *WebAPI {
|
||||
client, e := minio.NewV4(net.JoinHostPort(host, port), conf.AccessKeyID, conf.SecretAccessKey, inSecure)
|
||||
fatalIf(probe.NewError(e), "Unable to initialize minio client", nil)
|
||||
|
||||
web := &WebAPI{
|
||||
w := &WebAPI{
|
||||
FSPath: conf.Path,
|
||||
AccessLog: conf.AccessLog,
|
||||
Client: client,
|
||||
@ -142,7 +135,7 @@ func getNewWebAPI(conf cloudServerConfig) *WebAPI {
|
||||
accessKeyID: conf.AccessKeyID,
|
||||
secretAccessKey: conf.SecretAccessKey,
|
||||
}
|
||||
return web
|
||||
return w
|
||||
}
|
||||
|
||||
// getNewCloudStorageAPI instantiate a new CloudStorageAPI.
|
||||
@ -161,18 +154,29 @@ func getNewCloudStorageAPI(conf cloudServerConfig) CloudStorageAPI {
|
||||
}
|
||||
}
|
||||
|
||||
func getCloudStorageAPIHandler(api CloudStorageAPI) http.Handler {
|
||||
func getCloudStorageAPIHandler(api CloudStorageAPI, web *WebAPI) http.Handler {
|
||||
var handlerFns = []HandlerFunc{
|
||||
// Redirect some pre-defined browser request paths to a static
|
||||
// location prefix.
|
||||
setBrowserRedirectHandler,
|
||||
// Validates if incoming request is for restricted buckets.
|
||||
setPrivateBucketHandler,
|
||||
// Adds cache control for all browser requests.
|
||||
setBrowserCacheControlHandler,
|
||||
// Validates all incoming requests to have a valid date header.
|
||||
setTimeValidityHandler,
|
||||
// CORS setting for all browser API requests.
|
||||
setCorsHandler,
|
||||
// Validates all incoming URL resources, for invalid/unsupported
|
||||
// resources client receives a HTTP error.
|
||||
setIgnoreResourcesHandler,
|
||||
setIgnoreSignatureV2RequestHandler,
|
||||
// Auth handler verifies incoming authorization headers and
|
||||
// routes them accordingly. Client receives a HTTP error for
|
||||
// invalid/unsupported signatures.
|
||||
setAuthHandler,
|
||||
}
|
||||
if api.AccessLog {
|
||||
handlerFns = append(handlerFns, setAccessLogHandler)
|
||||
}
|
||||
handlerFns = append(handlerFns, setCorsHandler)
|
||||
mux := router.NewRouter()
|
||||
registerCloudStorageAPI(mux, api)
|
||||
registerCloudStorageAPI(mux, api, web)
|
||||
return registerHandlers(mux, handlerFns...)
|
||||
}
|
||||
|
@ -90,45 +90,12 @@ type cloudServerConfig struct {
|
||||
KeyFile string // Domain key
|
||||
}
|
||||
|
||||
func configureWebServer(conf cloudServerConfig) (*http.Server, *probe.Error) {
|
||||
// Split the api address into host and port.
|
||||
host, port, e := net.SplitHostPort(conf.Address)
|
||||
if e != nil {
|
||||
return nil, probe.NewError(e)
|
||||
}
|
||||
webPort, e := strconv.Atoi(port)
|
||||
if e != nil {
|
||||
return nil, probe.NewError(e)
|
||||
}
|
||||
// Always choose the next port, based on the API address port.
|
||||
webPort = webPort + 1
|
||||
webAddress := net.JoinHostPort(host, strconv.Itoa(webPort))
|
||||
|
||||
// Minio server config
|
||||
webServer := &http.Server{
|
||||
Addr: webAddress,
|
||||
Handler: getWebAPIHandler(getNewWebAPI(conf)),
|
||||
MaxHeaderBytes: 1 << 20,
|
||||
}
|
||||
|
||||
if conf.TLS {
|
||||
var err error
|
||||
webServer.TLSConfig = &tls.Config{}
|
||||
webServer.TLSConfig.Certificates = make([]tls.Certificate, 1)
|
||||
webServer.TLSConfig.Certificates[0], err = tls.LoadX509KeyPair(conf.CertFile, conf.KeyFile)
|
||||
if err != nil {
|
||||
return nil, probe.NewError(err)
|
||||
}
|
||||
}
|
||||
return webServer, nil
|
||||
}
|
||||
|
||||
// configureAPIServer configure a new server instance
|
||||
func configureAPIServer(conf cloudServerConfig) (*http.Server, *probe.Error) {
|
||||
// Minio server config
|
||||
apiServer := &http.Server{
|
||||
Addr: conf.Address,
|
||||
Handler: getCloudStorageAPIHandler(getNewCloudStorageAPI(conf)),
|
||||
Handler: getCloudStorageAPIHandler(getNewCloudStorageAPI(conf), getNewWebAPI(conf)),
|
||||
MaxHeaderBytes: 1 << 20,
|
||||
}
|
||||
|
||||
@ -325,13 +292,6 @@ func serverMain(c *cli.Context) {
|
||||
Println("\nMinio Object Storage:")
|
||||
printServerMsg(apiServer)
|
||||
|
||||
// configure Web server.
|
||||
webServer, err := configureWebServer(serverConfig)
|
||||
errorIf(err.Trace(), "Failed to configure Web server.", nil)
|
||||
|
||||
Println("\nMinio Browser:")
|
||||
printServerMsg(webServer)
|
||||
|
||||
Println("\nTo configure Minio Client:")
|
||||
if runtime.GOOS == "windows" {
|
||||
Println(" Download \"mc\" from https://dl.minio.io/client/mc/release/" + runtime.GOOS + "-" + runtime.GOARCH + "/mc.exe")
|
||||
@ -343,6 +303,6 @@ func serverMain(c *cli.Context) {
|
||||
}
|
||||
|
||||
// Start server.
|
||||
err = minhttp.ListenAndServe(apiServer, webServer)
|
||||
err = minhttp.ListenAndServe(apiServer)
|
||||
errorIf(err.Trace(), "Failed to start the minio server.", nil)
|
||||
}
|
||||
|
@ -21,8 +21,10 @@ import (
|
||||
"crypto/md5"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -52,6 +54,21 @@ var _ = Suite(&MyAPIFSCacheSuite{})
|
||||
|
||||
var testAPIFSCacheServer *httptest.Server
|
||||
|
||||
// Ask the kernel for a free open port.
|
||||
func getFreePort() int {
|
||||
addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
l, err := net.ListenTCP("tcp", addr)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
defer l.Close()
|
||||
return l.Addr().(*net.TCPAddr).Port
|
||||
}
|
||||
|
||||
func (s *MyAPIFSCacheSuite) SetUpSuite(c *C) {
|
||||
root, e := ioutil.TempDir(os.TempDir(), "api-")
|
||||
c.Assert(e, IsNil)
|
||||
@ -77,6 +94,7 @@ func (s *MyAPIFSCacheSuite) SetUpSuite(c *C) {
|
||||
c.Assert(saveConfig(conf), IsNil)
|
||||
|
||||
cloudServer := cloudServerConfig{
|
||||
Address: ":" + strconv.Itoa(getFreePort()),
|
||||
Path: fsroot,
|
||||
MinFreeDisk: 0,
|
||||
AccessKeyID: s.accessKeyID,
|
||||
@ -84,7 +102,8 @@ func (s *MyAPIFSCacheSuite) SetUpSuite(c *C) {
|
||||
Region: "us-east-1",
|
||||
}
|
||||
cloudStorageAPI := getNewCloudStorageAPI(cloudServer)
|
||||
httpHandler := getCloudStorageAPIHandler(cloudStorageAPI)
|
||||
webAPI := getNewWebAPI(cloudServer)
|
||||
httpHandler := getCloudStorageAPIHandler(cloudStorageAPI, webAPI)
|
||||
testAPIFSCacheServer = httptest.NewServer(httpHandler)
|
||||
}
|
||||
|
||||
|
@ -60,8 +60,7 @@ func isSignV4ReqAuthenticated(sign *signV4.Signature, r *http.Request) bool {
|
||||
return false
|
||||
}
|
||||
return ok
|
||||
}
|
||||
if isRequestPresignedSignatureV4(r) {
|
||||
} else if isRequestPresignedSignatureV4(r) {
|
||||
ok, err := auth.DoesPresignedSignatureMatch()
|
||||
if err != nil {
|
||||
errorIf(err.Trace(), "Presigned signature verification failed.", nil)
|
||||
|
Loading…
Reference in New Issue
Block a user