mirror of
https://github.com/minio/minio.git
synced 2024-12-26 23:25:54 -05:00
c1a49be639
This commit replaces the usage of github.com/minio/sha256-simd with crypto/sha256 of the standard library in all non-performance critical paths. This is necessary for FIPS 140-2 compliance which requires that all crypto. primitives are implemented by a FIPS-validated module. Go can use the Google FIPS module. The boringcrypto branch of the Go standard library uses the BoringSSL FIPS module to implement crypto. primitives like AES or SHA256. We only keep github.com/minio/sha256-simd when computing the content-SHA256 of an object. Therefore, this commit relies on a build tag `fips`. When MinIO is compiled without the `fips` flag it will use github.com/minio/sha256-simd. When MinIO is compiled with the fips flag (go build --tags "fips") then MinIO uses crypto/sha256 to compute the content-SHA256.
125 lines
3.7 KiB
Go
125 lines
3.7 KiB
Go
/*
|
|
* MinIO Cloud Storage, (C) 2016 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package madmin
|
|
|
|
import (
|
|
"encoding/json"
|
|
"io"
|
|
"io/ioutil"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/minio/minio-go/v7/pkg/s3utils"
|
|
)
|
|
|
|
// AdminAPIVersion - admin api version used in the request.
|
|
const (
|
|
AdminAPIVersion = "v3"
|
|
AdminAPIVersionV2 = "v2"
|
|
adminAPIPrefix = "/" + AdminAPIVersion
|
|
)
|
|
|
|
// jsonDecoder decode json to go type.
|
|
func jsonDecoder(body io.Reader, v interface{}) error {
|
|
d := json.NewDecoder(body)
|
|
return d.Decode(v)
|
|
}
|
|
|
|
// getEndpointURL - construct a new endpoint.
|
|
func getEndpointURL(endpoint string, secure bool) (*url.URL, error) {
|
|
if strings.Contains(endpoint, ":") {
|
|
host, _, err := net.SplitHostPort(endpoint)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !s3utils.IsValidIP(host) && !s3utils.IsValidDomain(host) {
|
|
msg := "Endpoint: " + endpoint + " does not follow ip address or domain name standards."
|
|
return nil, ErrInvalidArgument(msg)
|
|
}
|
|
} else {
|
|
if !s3utils.IsValidIP(endpoint) && !s3utils.IsValidDomain(endpoint) {
|
|
msg := "Endpoint: " + endpoint + " does not follow ip address or domain name standards."
|
|
return nil, ErrInvalidArgument(msg)
|
|
}
|
|
}
|
|
|
|
// If secure is false, use 'http' scheme.
|
|
scheme := "https"
|
|
if !secure {
|
|
scheme = "http"
|
|
}
|
|
|
|
// Strip the obvious :443 and :80 from the endpoint
|
|
// to avoid the signature mismatch error.
|
|
if secure && strings.HasSuffix(endpoint, ":443") {
|
|
endpoint = strings.TrimSuffix(endpoint, ":443")
|
|
}
|
|
if !secure && strings.HasSuffix(endpoint, ":80") {
|
|
endpoint = strings.TrimSuffix(endpoint, ":80")
|
|
}
|
|
|
|
// Construct a secured endpoint URL.
|
|
endpointURLStr := scheme + "://" + endpoint
|
|
endpointURL, err := url.Parse(endpointURLStr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Validate incoming endpoint URL.
|
|
if err := isValidEndpointURL(endpointURL.String()); err != nil {
|
|
return nil, err
|
|
}
|
|
return endpointURL, nil
|
|
}
|
|
|
|
// Verify if input endpoint URL is valid.
|
|
func isValidEndpointURL(endpointURL string) error {
|
|
if endpointURL == "" {
|
|
return ErrInvalidArgument("Endpoint url cannot be empty.")
|
|
}
|
|
url, err := url.Parse(endpointURL)
|
|
if err != nil {
|
|
return ErrInvalidArgument("Endpoint url cannot be parsed.")
|
|
}
|
|
if url.Path != "/" && url.Path != "" {
|
|
return ErrInvalidArgument("Endpoint url cannot have fully qualified paths.")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// closeResponse close non nil response with any response Body.
|
|
// convenient wrapper to drain any remaining data on response body.
|
|
//
|
|
// Subsequently this allows golang http RoundTripper
|
|
// to re-use the same connection for future requests.
|
|
func closeResponse(resp *http.Response) {
|
|
// Callers should close resp.Body when done reading from it.
|
|
// If resp.Body is not closed, the Client's underlying RoundTripper
|
|
// (typically Transport) may not be able to re-use a persistent TCP
|
|
// connection to the server for a subsequent "keep-alive" request.
|
|
if resp != nil && resp.Body != nil {
|
|
// Drain any remaining Body and then close the connection.
|
|
// Without this closing connection would disallow re-using
|
|
// the same connection for future uses.
|
|
// - http://stackoverflow.com/a/17961593/4465767
|
|
io.Copy(ioutil.Discard, resp.Body)
|
|
resp.Body.Close()
|
|
}
|
|
}
|