Merge pull request #904 from harshavardhana/fix-bugs

Fix bugs in post policy and presigned signature handling
9 years ago · 8c4119cbeb
parent 189188fdf3 2d0cc80646
commit 8c4119cbeb
3 changed files with 16 additions and 72 deletions
--- a/server-api-bucket-handlers.go
+++ b/server-api-bucket-handlers.go
@ -25,38 +25,6 @@ import (
 	signv4 "github.com/minio/minio/pkg/signature"
 )

-func (api API) isValidOp(w http.ResponseWriter, req *http.Request) bool {
-	vars := mux.Vars(req)
-	bucket := vars["bucket"]
-
-	bucketMetadata, err := api.Donut.GetBucketMetadata(bucket)
-	if err != nil {
-		errorIf(err.Trace(), "GetBucketMetadata failed.", nil)
-		switch err.ToGoError().(type) {
-		case donut.BucketNotFound:
-			writeErrorResponse(w, req, NoSuchBucket, req.URL.Path)
-			return false
-		case donut.BucketNameInvalid:
-			writeErrorResponse(w, req, InvalidBucketName, req.URL.Path)
-			return false
-		default:
-			writeErrorResponse(w, req, InternalError, req.URL.Path)
-			return false
-		}
-	}
-	if _, err = stripAccessKeyID(req.Header.Get("Authorization")); err != nil {
-		if bucketMetadata.ACL.IsPrivate() {
-			writeErrorResponse(w, req, AccessDenied, req.URL.Path)
-			return false
-		}
-		if bucketMetadata.ACL.IsPublicRead() && req.Method == "PUT" {
-			writeErrorResponse(w, req, AccessDenied, req.URL.Path)
-			return false
-		}
-	}
-	return true
-}
-
 // ListMultipartUploadsHandler - GET Bucket (List Multipart uploads)
 // -------------------------
 // This operation lists in-progress multipart uploads. An in-progress
@ -74,10 +42,6 @@ func (api API) ListMultipartUploadsHandler(w http.ResponseWriter, req *http.Requ
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	resources := getBucketMultipartResources(req.URL.Query())
 	if resources.MaxUploads < 0 {
 		writeErrorResponse(w, req, InvalidMaxUploads, req.URL.Path)
@ -126,10 +90,6 @@ func (api API) ListObjectsHandler(w http.ResponseWriter, req *http.Request) {
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	if isRequestUploads(req.URL.Query()) {
 		api.ListMultipartUploadsHandler(w, req)
 		return
--- a/server-api-object-handlers.go
+++ b/server-api-object-handlers.go
@ -44,10 +44,6 @@ func (api API) GetObjectHandler(w http.ResponseWriter, req *http.Request) {
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	var object, bucket string
 	vars := mux.Vars(req)
 	bucket = vars["bucket"]
@ -96,10 +92,6 @@ func (api API) HeadObjectHandler(w http.ResponseWriter, req *http.Request) {
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	var object, bucket string
 	vars := mux.Vars(req)
 	bucket = vars["bucket"]
@ -139,10 +131,6 @@ func (api API) PutObjectHandler(w http.ResponseWriter, req *http.Request) {
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	var object, bucket string
 	vars := mux.Vars(req)
 	bucket = vars["bucket"]
@ -243,10 +231,6 @@ func (api API) NewMultipartUploadHandler(w http.ResponseWriter, req *http.Reques
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	if !isRequestUploads(req.URL.Query()) {
 		writeErrorResponse(w, req, MethodNotAllowed, req.URL.Path)
 		return
@ -288,10 +272,6 @@ func (api API) PutObjectPartHandler(w http.ResponseWriter, req *http.Request) {
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	// get Content-MD5 sent by client and verify if valid
 	md5 := req.Header.Get("Content-MD5")
 	if !isValidMD5(md5) {
@ -391,10 +371,6 @@ func (api API) AbortMultipartUploadHandler(w http.ResponseWriter, req *http.Requ
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	vars := mux.Vars(req)
 	bucket := vars["bucket"]
 	object := vars["object"]
@ -427,10 +403,6 @@ func (api API) ListObjectPartsHandler(w http.ResponseWriter, req *http.Request)
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	objectResourcesMetadata := getObjectResources(req.URL.Query())
 	if objectResourcesMetadata.PartNumberMarker < 0 {
 		writeErrorResponse(w, req, InvalidPartNumberMarker, req.URL.Path)
@ -478,10 +450,6 @@ func (api API) CompleteMultipartUploadHandler(w http.ResponseWriter, req *http.R
 		<-op.ProceedCh
 	}

-	if !api.isValidOp(w, req) {
-		return
-	}
-
 	vars := mux.Vars(req)
 	bucket := vars["bucket"]
 	object := vars["object"]
--- a/server-api-signature-handler.go
+++ b/server-api-signature-handler.go
@ -19,6 +19,7 @@ package main
 import (
 	"encoding/hex"
 	"net/http"
+	"strings"

 	"github.com/minio/minio/pkg/crypto/sha256"
 	"github.com/minio/minio/pkg/probe"
@ -48,7 +49,21 @@ func isRequestPresignedSignatureV4(req *http.Request) bool {
 	return false
 }

+func isRequestPostPolicySignatureV4(req *http.Request) bool {
+	if _, ok := req.Header["Content-Type"]; ok {
+		if strings.Contains(req.Header.Get("Content-Type"), "multipart/form-data") {
+			return true
+		}
+	}
+	return false
+}
+
 func (s signatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if isRequestPostPolicySignatureV4(r) && r.Method == "POST" {
+		s.handler.ServeHTTP(w, r)
+		return
+	}
+
 	var signature *signv4.Signature
 	if isRequestSignatureV4(r) {
 		// For PUT and POST requests with payload, send the call upwards for verification.
@ -113,6 +128,7 @@ func (s signatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		s.handler.ServeHTTP(w, r)
+		return
 	}
 	writeErrorResponse(w, r, AccessDenied, r.URL.Path)
 }