minio/server-api-generic-handlers.go

/*
 * Minio Cloud Storage, (C) 2015 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package main

import (
	"errors"
	"net/http"
	"time"

	"github.com/minio/minio/pkg/auth"
	"github.com/rs/cors"
)

// MiddlewareHandler - useful to chain different middleware http.Handler
type MiddlewareHandler func(http.Handler) http.Handler

type contentTypeHandler struct {
	handler http.Handler
}

type timeHandler struct {
	handler http.Handler
}

type validateAuthHandler struct {
	handler http.Handler
}

type resourceHandler struct {
	handler http.Handler
}

func parseDate(req *http.Request) (time.Time, error) {
	amzDate := req.Header.Get(http.CanonicalHeaderKey("x-amz-date"))
	switch {
	case amzDate != "":
		if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
			return time.Parse(time.RFC1123, amzDate)
		}
		if _, err := time.Parse(time.RFC1123Z, amzDate); err == nil {
			return time.Parse(time.RFC1123Z, amzDate)
		}
		if _, err := time.Parse(iso8601Format, amzDate); err == nil {
			return time.Parse(iso8601Format, amzDate)
		}
	}
	date := req.Header.Get("Date")
	switch {
	case date != "":
		if _, err := time.Parse(time.RFC1123, date); err == nil {
			return time.Parse(time.RFC1123, date)
		}
		if _, err := time.Parse(time.RFC1123Z, date); err == nil {
			return time.Parse(time.RFC1123Z, date)
		}
		if _, err := time.Parse(iso8601Format, amzDate); err == nil {
			return time.Parse(iso8601Format, amzDate)
		}
	}
	return time.Time{}, errors.New("invalid request")
}

// ValidContentTypeHandler to validate Accept type
func ValidContentTypeHandler(h http.Handler) http.Handler {
	return contentTypeHandler{h}
}

func (h contentTypeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	acceptsContentType := getContentType(r)
	if acceptsContentType == unknownContentType {
		writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
		return
	}
	h.handler.ServeHTTP(w, r)
}

// TimeValidityHandler to validate parsable time over http header
func TimeValidityHandler(h http.Handler) http.Handler {
	return timeHandler{h}
}

func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	acceptsContentType := getContentType(r)
	// Verify if date headers are set, if not reject the request
	if r.Header.Get("Authorization") != "" {
		if r.Header.Get(http.CanonicalHeaderKey("x-amz-date")) == "" && r.Header.Get("Date") == "" {
			// there is no way to knowing if this is a valid request, could be a attack reject such clients
			writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
			return
		}
		date, err := parseDate(r)
		if err != nil {
			// there is no way to knowing if this is a valid request, could be a attack reject such clients
			writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
			return
		}
		duration := time.Since(date)
		minutes := time.Duration(5) * time.Minute
		if duration.Minutes() > minutes.Minutes() {
			writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
			return
		}
	}
	h.handler.ServeHTTP(w, r)
}

// ValidateAuthHeaderHandler - validate auth header handler is wrapper handler used
// for request validation with authorization header. Current authorization layer
// supports S3's standard HMAC based signature request.
func ValidateAuthHeaderHandler(h http.Handler) http.Handler {
	return validateAuthHandler{h}
}

// validate auth header handler ServeHTTP() wrapper
func (h validateAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	acceptsContentType := getContentType(r)
	accessKeyID, err := stripAccessKeyID(r.Header.Get("Authorization"))
	switch err.ToGoError() {
	case errInvalidRegion:
		writeErrorResponse(w, r, AuthorizationHeaderMalformed, acceptsContentType, r.URL.Path)
		return
	case errAccessKeyIDInvalid:
		writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)
		return
	case nil:
		// load auth config
		authConfig, err := auth.LoadConfig()
		if err != nil {
			writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
			return
		}
		// Access key not found
		for _, user := range authConfig.Users {
			if user.AccessKeyID == accessKeyID {
				h.handler.ServeHTTP(w, r)
				return
			}
		}
		writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)
		return
	// All other errors for now, serve them
	default:
		// control reaches here, we should just send the request up the stack - internally
		// individual calls will validate themselves against un-authenticated requests
		h.handler.ServeHTTP(w, r)
	}
}

// CorsHandler handler for CORS (Cross Origin Resource Sharing)
func CorsHandler(h http.Handler) http.Handler {
	return cors.Default().Handler(h)
}

// IgnoreResourcesHandler -
// Ignore resources handler is wrapper handler used for API request resource validation
// Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating such a feature is not implemented.
func IgnoreResourcesHandler(h http.Handler) http.Handler {
	return resourceHandler{h}
}

// Resource handler ServeHTTP() wrapper
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	acceptsContentType := getContentType(r)
	if ignoreNotImplementedObjectResources(r) || ignoreNotImplementedBucketResources(r) {
		writeErrorResponse(w, r, NotImplemented, acceptsContentType, r.URL.Path)
		return
	}
	h.handler.ServeHTTP(w, r)
}

//// helpers

// Checks requests for not implemented Bucket resources
func ignoreNotImplementedBucketResources(req *http.Request) bool {
	q := req.URL.Query()
	for name := range q {
		if notimplementedBucketResourceNames[name] {
			return true
		}
	}
	return false
}

// Checks requests for not implemented Object resources
func ignoreNotImplementedObjectResources(req *http.Request) bool {
	q := req.URL.Query()
	for name := range q {
		if notimplementedObjectResourceNames[name] {
			return true
		}
	}
	return false
}
Add license and fix development scripts 10 years ago			`/*`
Move from Minimalist Object Storage to Minio Cloud Storage 9 years ago			`* Minio Cloud Storage, (C) 2015 Minio, Inc.`
Add license and fix development scripts 10 years ago			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

Move all server and controller packages into top-level 9 years ago			`package main`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago
			`import (`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`"errors"`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`"net/http"`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`"time"`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago
Add auth rpc service to generate access keys, add corresponding test 9 years ago			`"github.com/minio/minio/pkg/auth"`
Add CORS support to minio s3 server 9 years ago			`"github.com/rs/cors"`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`)`

Fix all the golint complaints about newly added changes Do not use func(this *server), such generic names should not be used for writing struct methods. 9 years ago			`// MiddlewareHandler - useful to chain different middleware http.Handler`
Remove unneeded functions in middleware init 9 years ago			`type MiddlewareHandler func(http.Handler) http.Handler`

Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`type contentTypeHandler struct {`
			`handler http.Handler`
			`}`

Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`type timeHandler struct {`
			`handler http.Handler`
			`}`

Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`type validateAuthHandler struct {`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`handler http.Handler`
			`}`

Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`type resourceHandler struct {`
Some more cleanup 10 years ago			`handler http.Handler`
			`}`

Remove some api server code bringing in new cleanup 10 years ago			`func parseDate(req *http.Request) (time.Time, error) {`
Do not reply on ignoredHeaders for server, rely on SignedHeaders sent as part of Authorization header 9 years ago			`amzDate := req.Header.Get(http.CanonicalHeaderKey("x-amz-date"))`
Handle two different styles of time format, s3cmd now compatible 10 years ago			`switch {`
			`case amzDate != "":`
			`if _, err := time.Parse(time.RFC1123, amzDate); err == nil {`
			`return time.Parse(time.RFC1123, amzDate)`
			`}`
			`if _, err := time.Parse(time.RFC1123Z, amzDate); err == nil {`
			`return time.Parse(time.RFC1123Z, amzDate)`
			`}`
Add server side signaturev4 check, not wired up to the readers yet. 9 years ago			`if _, err := time.Parse(iso8601Format, amzDate); err == nil {`
			`return time.Parse(iso8601Format, amzDate)`
Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`}`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`}`
Handle two different styles of time format, s3cmd now compatible 10 years ago			`date := req.Header.Get("Date")`
			`switch {`
			`case date != "":`
			`if _, err := time.Parse(time.RFC1123, date); err == nil {`
			`return time.Parse(time.RFC1123, date)`
			`}`
			`if _, err := time.Parse(time.RFC1123Z, date); err == nil {`
			`return time.Parse(time.RFC1123Z, date)`
			`}`
Add server side signaturev4 check, not wired up to the readers yet. 9 years ago			`if _, err := time.Parse(iso8601Format, amzDate); err == nil {`
			`return time.Parse(iso8601Format, amzDate)`
Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`}`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`}`
			`return time.Time{}, errors.New("invalid request")`
			`}`

Return x-amz-request-id for all replies 9 years ago			`// ValidContentTypeHandler to validate Accept type`
Restructure API handlers, add JSON RPC simple HelloService right now. 10 years ago			`func ValidContentTypeHandler(h http.Handler) http.Handler {`
Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`return contentTypeHandler{h}`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`}`

Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`func (h contentTypeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`acceptsContentType := getContentType(r)`
			`if acceptsContentType == unknownContentType {`
			`writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)`
			`return`
			`}`
Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`h.handler.ServeHTTP(w, r)`
			`}`

Return x-amz-request-id for all replies 9 years ago			`// TimeValidityHandler to validate parsable time over http header`
Restructure API handlers, add JSON RPC simple HelloService right now. 10 years ago			`func TimeValidityHandler(h http.Handler) http.Handler {`
Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`return timeHandler{h}`
			`}`

			`func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
			`acceptsContentType := getContentType(r)`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`// Verify if date headers are set, if not reject the request`
Make minio work with curl and browsers again 10 years ago			`if r.Header.Get("Authorization") != "" {`
Do not reply on ignoredHeaders for server, rely on SignedHeaders sent as part of Authorization header 9 years ago			`if r.Header.Get(http.CanonicalHeaderKey("x-amz-date")) == "" && r.Header.Get("Date") == "" {`
Make minio work with curl and browsers again 10 years ago			`// there is no way to knowing if this is a valid request, could be a attack reject such clients`
			`writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)`
			`return`
			`}`
Remove some api server code bringing in new cleanup 10 years ago			`date, err := parseDate(r)`
Make minio work with curl and browsers again 10 years ago			`if err != nil {`
			`// there is no way to knowing if this is a valid request, could be a attack reject such clients`
			`writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)`
			`return`
			`}`
			`duration := time.Since(date)`
			`minutes := time.Duration(5) * time.Minute`
			`if duration.Minutes() > minutes.Minutes() {`
			`writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)`
			`return`
			`}`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`}`
			`h.handler.ServeHTTP(w, r)`
			`}`

Enhance signature handler - throw back valid error messages 9 years ago			`// ValidateAuthHeaderHandler - validate auth header handler is wrapper handler used`
			`// for request validation with authorization header. Current authorization layer`
			`// supports S3's standard HMAC based signature request.`
Restructure API handlers, add JSON RPC simple HelloService right now. 10 years ago			`func ValidateAuthHeaderHandler(h http.Handler) http.Handler {`
Add a new validateContentTypeHandler{}, verify Accept header earlier 10 years ago			`return validateAuthHandler{h}`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`}`

Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`// validate auth header handler ServeHTTP() wrapper`
			`func (h validateAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
Reply in xml from validate and ignore handlers 10 years ago			`acceptsContentType := getContentType(r)`
Enhance signature handler - throw back valid error messages 9 years ago			`accessKeyID, err := stripAccessKeyID(r.Header.Get("Authorization"))`
			`switch err.ToGoError() {`
			`case errInvalidRegion:`
			`writeErrorResponse(w, r, AuthorizationHeaderMalformed, acceptsContentType, r.URL.Path)`
			`return`
			`case errAccessKeyIDInvalid:`
			`writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)`
			`return`
Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`case nil:`
PutObject handler gets initial support for signature v4, working 9 years ago			`// load auth config`
Generate auth now saves in ${HOME}/.minio/users.json, also authHandler verifies request validity 9 years ago			`authConfig, err := auth.LoadConfig()`
Remove custom Config, will use quick Config instead for user access keys 10 years ago			`if err != nil {`
			`writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)`
			`return`
			`}`
PutObject handler gets initial support for signature v4, working 9 years ago			`// Access key not found`
With new auth config changes, restructure the API code to use the new style 9 years ago			`for _, user := range authConfig.Users {`
			`if user.AccessKeyID == accessKeyID {`
			`h.handler.ServeHTTP(w, r)`
			`return`
			`}`
Bring in full fledged acl support 10 years ago			`}`
With new auth config changes, restructure the API code to use the new style 9 years ago			`writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)`
			`return`
Enhance signature handler - throw back valid error messages 9 years ago			`// All other errors for now, serve them`
Remove SignatureV2 support, bring in SignatureV4 header only validation for now 10 years ago			`default:`
			`// control reaches here, we should just send the request up the stack - internally`
			`// individual calls will validate themselves against un-authenticated requests`
			`h.handler.ServeHTTP(w, r)`
			`}`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`}`

Fix all the golint complaints about newly added changes Do not use func(this *server), such generic names should not be used for writing struct methods. 9 years ago			`// CorsHandler handler for CORS (Cross Origin Resource Sharing)`
Add CORS support to minio s3 server 9 years ago			`func CorsHandler(h http.Handler) http.Handler {`
			`return cors.Default().Handler(h)`
			`}`

Restructure API handlers, add JSON RPC simple HelloService right now. 10 years ago			`// IgnoreResourcesHandler -`
Update minioapi documentation 10 years ago			`// Ignore resources handler is wrapper handler used for API request resource validation`
			`// Since we do not support all the S3 queries, it is necessary for us to throw back a`
Misc changes before capturing proper video - Disable management UI command option - Remove featureflags option, filesystem and memory already support multipart - Print informative messages after starting minio server 10 years ago			`// valid error message indicating such a feature is not implemented.`
Restructure API handlers, add JSON RPC simple HelloService right now. 10 years ago			`func IgnoreResourcesHandler(h http.Handler) http.Handler {`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`return resourceHandler{h}`
Some more cleanup 10 years ago			`}`

Update comments across the codebase 10 years ago			`// Resource handler ServeHTTP() wrapper`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
Some more cleanup 10 years ago			`acceptsContentType := getContentType(r)`
Add proper content-length for error and success responses - All compliance issues with S3 API for Put,Get,List (Bucket,Object) respectively - Encodes and returns back proper HTTP headers 10 years ago			`if ignoreNotImplementedObjectResources(r) \|\| ignoreNotImplementedBucketResources(r) {`
HEAD shouldn't have any body, handle it in writeErrorResponse() 9 years ago			`writeErrorResponse(w, r, NotImplemented, acceptsContentType, r.URL.Path)`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`return`
Some more cleanup 10 years ago			`}`
Verify if request date is 5minutes late, reject such a request as it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented 10 years ago			`h.handler.ServeHTTP(w, r)`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`}`

			`//// helpers`

Add proper content-length for error and success responses - All compliance issues with S3 API for Put,Get,List (Bucket,Object) respectively - Encodes and returns back proper HTTP headers 10 years ago			`// Checks requests for not implemented Bucket resources`
			`func ignoreNotImplementedBucketResources(req *http.Request) bool {`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`q := req.URL.Query()`
			`for name := range q {`
Add proper content-length for error and success responses - All compliance issues with S3 API for Put,Get,List (Bucket,Object) respectively - Encodes and returns back proper HTTP headers 10 years ago			`if notimplementedBucketResourceNames[name] {`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`return true`
			`}`
			`}`
			`return false`
			`}`

Add proper content-length for error and success responses - All compliance issues with S3 API for Put,Get,List (Bucket,Object) respectively - Encodes and returns back proper HTTP headers 10 years ago			`// Checks requests for not implemented Object resources`
			`func ignoreNotImplementedObjectResources(req *http.Request) bool {`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`q := req.URL.Query()`
			`for name := range q {`
Add proper content-length for error and success responses - All compliance issues with S3 API for Put,Get,List (Bucket,Object) respectively - Encodes and returns back proper HTTP headers 10 years ago			`if notimplementedObjectResourceNames[name] {`
Implement S3 Style ErrorCodes and Response This patchset also brings in lot of cleanup in terms of minioapi codebase 10 years ago			`return true`
			`}`
			`}`
			`return false`
			`}`