mirror of
https://github.com/minio/minio.git
synced 2024-12-31 17:43:21 -05:00
ec5293ce29
This commit fixes a potential security issue, whereby a full-access token to the server would be available in the GET URL of a download request. This fixes that issue by introducing short-expiry tokens, which are only valid for one minute, and are regenerated for every download request. This commit specifically introduces the short-lived tokens, adds tests for the tokens, adds an RPC call for generating a token given a full-access token, updates the browser to use the new tokens for requests where the token is passed as a GET parameter, and adds some tests with the new temporary tokens. Refs: https://github.com/minio/minio/pull/4673
103 lines
3.3 KiB
Go
103 lines
3.3 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/elazarl/go-bindata-assetfs"
|
|
"github.com/gorilla/handlers"
|
|
router "github.com/gorilla/mux"
|
|
jsonrpc "github.com/gorilla/rpc/v2"
|
|
"github.com/gorilla/rpc/v2/json2"
|
|
"github.com/minio/minio/browser"
|
|
)
|
|
|
|
// webAPI container for Web API.
|
|
type webAPIHandlers struct {
|
|
ObjectAPI func() ObjectLayer
|
|
}
|
|
|
|
// indexHandler - Handler to serve index.html
|
|
type indexHandler struct {
|
|
handler http.Handler
|
|
}
|
|
|
|
func (h indexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
r.URL.Path = minioReservedBucketPath + "/"
|
|
h.handler.ServeHTTP(w, r)
|
|
}
|
|
|
|
const assetPrefix = "production"
|
|
|
|
func assetFS() *assetfs.AssetFS {
|
|
return &assetfs.AssetFS{
|
|
Asset: browser.Asset,
|
|
AssetDir: browser.AssetDir,
|
|
AssetInfo: browser.AssetInfo,
|
|
Prefix: assetPrefix,
|
|
}
|
|
}
|
|
|
|
// specialAssets are files which are unique files not embedded inside index_bundle.js.
|
|
const specialAssets = "loader.css|logo.svg|firefox.png|safari.png|chrome.png|favicon.ico"
|
|
|
|
// registerWebRouter - registers web router for serving minio browser.
|
|
func registerWebRouter(mux *router.Router) error {
|
|
// Initialize Web.
|
|
web := &webAPIHandlers{
|
|
ObjectAPI: newObjectLayerFn,
|
|
}
|
|
|
|
// Initialize a new json2 codec.
|
|
codec := json2.NewCodec()
|
|
|
|
// Minio browser router.
|
|
webBrowserRouter := mux.NewRoute().PathPrefix(minioReservedBucketPath).Subrouter()
|
|
|
|
// Initialize json rpc handlers.
|
|
webRPC := jsonrpc.NewServer()
|
|
webRPC.RegisterCodec(codec, "application/json")
|
|
webRPC.RegisterCodec(codec, "application/json; charset=UTF-8")
|
|
|
|
// Register RPC handlers with server
|
|
if err := webRPC.RegisterService(web, "Web"); err != nil {
|
|
return err
|
|
}
|
|
|
|
// RPC handler at URI - /minio/webrpc
|
|
webBrowserRouter.Methods("POST").Path("/webrpc").Handler(webRPC)
|
|
webBrowserRouter.Methods("PUT").Path("/upload/{bucket}/{object:.+}").HandlerFunc(web.Upload)
|
|
|
|
// These methods use short-expiry tokens in the URLs. These tokens may unintentionally
|
|
// be logged, so a new one must be generated for each request.
|
|
webBrowserRouter.Methods("GET").Path("/download/{bucket}/{object:.+}").Queries("token", "{token:.*}").HandlerFunc(web.Download)
|
|
webBrowserRouter.Methods("POST").Path("/zip").Queries("token", "{token:.*}").HandlerFunc(web.DownloadZip)
|
|
|
|
// Add compression for assets.
|
|
compressedAssets := handlers.CompressHandler(http.StripPrefix(minioReservedBucketPath, http.FileServer(assetFS())))
|
|
|
|
// Serve javascript files and favicon from assets.
|
|
webBrowserRouter.Path(fmt.Sprintf("/{assets:[^/]+.js|%s}", specialAssets)).Handler(compressedAssets)
|
|
|
|
// Serve index.html for rest of the requests.
|
|
webBrowserRouter.Path("/{index:.*}").Handler(indexHandler{http.StripPrefix(minioReservedBucketPath, http.FileServer(assetFS()))})
|
|
|
|
return nil
|
|
}
|