oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

handlers: Avoid initializing a struct in each handler call (#11217)

Browse Source
master
Anis Elleuch 4 years ago committed by GitHub
parent a4383051d9
commit cb7fc99368
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 331 additions and 454 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 23
      cmd/auth-handler.go
  2. 2
      cmd/gateway-main.go
  3. 324
      cmd/generic-handlers.go
  4. 76
      cmd/routers.go

23
cmd/auth-handler.go
Unescape View File

@ -468,16 +468,6 @@ func isReqAuthenticated(ctx context.Context, r *http.Request, region string, sty
return ErrNone return ErrNone
} }
// authHandler - handles all the incoming authorization headers and validates them if possible.
type authHandler struct {
handler http.Handler
}
// setAuthHandler to validate authorization header for the incoming request.
func setAuthHandler(h http.Handler) http.Handler {
return authHandler{h}
}
// List of all support S3 auth types. // List of all support S3 auth types.
var supportedS3AuthTypes = map[authType]struct{}{ var supportedS3AuthTypes = map[authType]struct{}{
authTypeAnonymous: {}, authTypeAnonymous: {},
@ -495,12 +485,14 @@ func isSupportedS3AuthType(aType authType) bool {
return ok return ok
} }
// handler for validating incoming authorization headers. // setAuthHandler to validate authorization header for the incoming request.
func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func setAuthHandler(h http.Handler) http.Handler {
// handler for validating incoming authorization headers.
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
aType := getRequestAuthType(r) aType := getRequestAuthType(r)
if isSupportedS3AuthType(aType) { if isSupportedS3AuthType(aType) {
// Let top level caller validate for anonymous and known signed requests. // Let top level caller validate for anonymous and known signed requests.
a.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} else if aType == authTypeJWT { } else if aType == authTypeJWT {
// Validate Authorization header if its valid for JWT request. // Validate Authorization header if its valid for JWT request.
@ -508,13 +500,14 @@ func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusUnauthorized) w.WriteHeader(http.StatusUnauthorized)
return return
} }
a.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} else if aType == authTypeSTS { } else if aType == authTypeSTS {
a.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrSignatureVersionNotSupported), r.URL, guessIsBrowserReq(r))
})
} }
func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) { func validateSignature(atype authType, r *http.Request) (auth.Credentials, bool, map[string]interface{}, APIErrorCode) {

2
cmd/gateway-main.go
Unescape View File

@ -271,7 +271,7 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
registerAPIRouter(router) registerAPIRouter(router)
// Use all the middlewares // Use all the middlewares
router.Use(registerMiddlewares) router.Use(globalHandlers...)
var getCert certs.GetCertificateFunc var getCert certs.GetCertificateFunc
if globalTLSCerts != nil { if globalTLSCerts != nil {

324
cmd/generic-handlers.go
Unescape View File

@ -33,16 +33,6 @@ import (
"github.com/minio/minio/pkg/handlers" "github.com/minio/minio/pkg/handlers"
) )
// MiddlewareFunc - useful to chain different http.Handler middlewares
type MiddlewareFunc func(http.Handler) http.Handler
func registerMiddlewares(next http.Handler) http.Handler {
for _, handlerFn := range globalHandlers {
next = handlerFn(next)
}
return next
}
// Adds limiting body size middleware // Adds limiting body size middleware
// Maximum allowed form data field values. 64MiB is a guessed practical value // Maximum allowed form data field values. 64MiB is a guessed practical value
@ -53,19 +43,12 @@ const requestFormDataSize = 64 * humanize.MiByte
// where, 16GiB is the maximum allowed object size for object upload. // where, 16GiB is the maximum allowed object size for object upload.
const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize const requestMaxBodySize = globalMaxObjectSize + requestFormDataSize
type requestSizeLimitHandler struct {
handler http.Handler
maxBodySize int64
}
func setRequestSizeLimitHandler(h http.Handler) http.Handler { func setRequestSizeLimitHandler(h http.Handler) http.Handler {
return requestSizeLimitHandler{handler: h, maxBodySize: requestMaxBodySize} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
func (h requestSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Restricting read data to a given maximum length // Restricting read data to a given maximum length
r.Body = http.MaxBytesReader(w, r.Body, h.maxBodySize) r.Body = http.MaxBytesReader(w, r.Body, requestMaxBodySize)
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
const ( const (
@ -75,22 +58,16 @@ const (
maxUserDataSize = 2 * 1024 maxUserDataSize = 2 * 1024
) )
type requestHeaderSizeLimitHandler struct {
http.Handler
}
func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
return requestHeaderSizeLimitHandler{h}
}
// ServeHTTP restricts the size of the http header to 8 KB and the size // ServeHTTP restricts the size of the http header to 8 KB and the size
// of the user-defined metadata to 2 KB. // of the user-defined metadata to 2 KB.
func (h requestHeaderSizeLimitHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func setRequestHeaderSizeLimitHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if isHTTPHeaderSizeTooLarge(r.Header) { if isHTTPHeaderSizeTooLarge(r.Header) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrMetadataTooLarge), r.URL, guessIsBrowserReq(r))
return return
} }
h.Handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// isHTTPHeaderSizeTooLarge returns true if the provided // isHTTPHeaderSizeTooLarge returns true if the provided
@ -121,22 +98,16 @@ const (
ReservedMetadataPrefixLower = "x-minio-internal-" ReservedMetadataPrefixLower = "x-minio-internal-"
) )
type reservedMetadataHandler struct {
http.Handler
}
func filterReservedMetadata(h http.Handler) http.Handler {
return reservedMetadataHandler{h}
}
// ServeHTTP fails if the request contains at least one reserved header which // ServeHTTP fails if the request contains at least one reserved header which
// would be treated as metadata. // would be treated as metadata.
func (h reservedMetadataHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func filterReservedMetadata(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if containsReservedMetadata(r.Header) { if containsReservedMetadata(r.Header) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrUnsupportedMetadata), r.URL, guessIsBrowserReq(r))
return return
} }
h.Handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// containsReservedMetadata returns true if the http.Header contains // containsReservedMetadata returns true if the http.Header contains
@ -158,37 +129,11 @@ const (
loginPathPrefix = SlashSeparator + "login" loginPathPrefix = SlashSeparator + "login"
) )
type redirectHandler struct {
handler http.Handler
}
func setRedirectHandler(h http.Handler) http.Handler { func setRedirectHandler(h http.Handler) http.Handler {
return redirectHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
// Adds redirect rules for incoming requests.
type browserRedirectHandler struct {
handler http.Handler
}
func setBrowserRedirectHandler(h http.Handler) http.Handler {
if !globalBrowserEnabled {
return h
}
return browserRedirectHandler{handler: h}
}
func shouldProxy() bool {
if newObjectLayerFn() == nil {
return true
}
return !globalIAMSys.Initialized()
}
func (h redirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) || if !shouldProxy() || guessIsRPCReq(r) || guessIsBrowserReq(r) ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) { guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || isAdminReq(r) {
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
// if this server is still initializing, proxy the request // if this server is still initializing, proxy the request
@ -198,7 +143,31 @@ func (h redirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx]) proxyRequest(context.TODO(), w, r, globalProxyEndpoints[idx])
return return
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
}
func setBrowserRedirectHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Re-direction is handled specifically for browser requests.
if globalBrowserEnabled && guessIsBrowserReq(r) {
// Fetch the redirect location if any.
redirectLocation := getRedirectLocation(r.URL.Path)
if redirectLocation != "" {
// Employ a temporary re-direct.
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
return
}
}
h.ServeHTTP(w, r)
})
}
func shouldProxy() bool {
if newObjectLayerFn() == nil {
return true
}
return !globalIAMSys.Initialized()
} }
// Fetch redirect location if urlPath satisfies certain // Fetch redirect location if urlPath satisfies certain
@ -271,34 +240,10 @@ func guessIsRPCReq(req *http.Request) bool {
strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator) strings.HasPrefix(req.URL.Path, minioReservedBucketPath+SlashSeparator)
} }
func (h browserRedirectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Re-direction is handled specifically for browser requests.
if guessIsBrowserReq(r) {
// Fetch the redirect location if any.
redirectLocation := getRedirectLocation(r.URL.Path)
if redirectLocation != "" {
// Employ a temporary re-direct.
http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
return
}
}
h.handler.ServeHTTP(w, r)
}
// Adds Cache-Control header // Adds Cache-Control header
type cacheControlHandler struct {
handler http.Handler
}
func setBrowserCacheControlHandler(h http.Handler) http.Handler { func setBrowserCacheControlHandler(h http.Handler) http.Handler {
if !globalBrowserEnabled { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return h if globalBrowserEnabled && r.Method == http.MethodGet && guessIsBrowserReq(r) {
}
return cacheControlHandler{h}
}
func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodGet && guessIsBrowserReq(r) {
// For all browser requests set appropriate Cache-Control policies // For all browser requests set appropriate Cache-Control policies
if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) { if HasPrefix(r.URL.Path, minioReservedBucketPath+SlashSeparator) {
if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" { if HasSuffix(r.URL.Path, ".js") || r.URL.Path == minioReservedBucketPath+"/favicon.ico" {
@ -312,7 +257,8 @@ func (h cacheControlHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// Check to allow access to the reserved "bucket" `/minio` for Admin // Check to allow access to the reserved "bucket" `/minio` for Admin
@ -332,15 +278,8 @@ func guessIsLoginSTSReq(req *http.Request) bool {
} }
// Adds verification for incoming paths. // Adds verification for incoming paths.
type minioReservedBucketHandler struct {
handler http.Handler
}
func setReservedBucketHandler(h http.Handler) http.Handler { func setReservedBucketHandler(h http.Handler) http.Handler {
return minioReservedBucketHandler{h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
func (h minioReservedBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// For all other requests reject access to reserved buckets // For all other requests reject access to reserved buckets
bucketName, _ := request2BucketObjectName(r) bucketName, _ := request2BucketObjectName(r)
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
@ -349,16 +288,8 @@ func (h minioReservedBucketHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
return return
} }
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
} })
type timeValidityHandler struct {
handler http.Handler
}
// setTimeValidityHandler to validate parsable time over http header
func setTimeValidityHandler(h http.Handler) http.Handler {
return timeValidityHandler{h}
} }
// Supported Amz date formats. // Supported Amz date formats.
@ -399,7 +330,9 @@ func parseAmzDateHeader(req *http.Request) (time.Time, APIErrorCode) {
return time.Time{}, ErrMissingDateHeader return time.Time{}, ErrMissingDateHeader
} }
func (h timeValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // setTimeValidityHandler to validate parsable time over http header
func setTimeValidityHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
aType := getRequestAuthType(r) aType := getRequestAuthType(r)
if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned { if aType == authTypeSigned || aType == authTypeSignedV2 || aType == authTypeStreamingSigned {
// Verify if date headers are set, if not reject the request // Verify if date headers are set, if not reject the request
@ -419,19 +352,8 @@ func (h timeValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return return
} }
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
} })
type resourceHandler struct {
handler http.Handler
}
// setIgnoreResourcesHandler -
// Ignore resources handler is wrapper handler used for API request resource validation
// Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating that requested feature is not implemented.
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
return resourceHandler{h}
} }
var supportedDummyBucketAPIs = map[string][]string{ var supportedDummyBucketAPIs = map[string][]string{
@ -500,8 +422,13 @@ func ignoreNotImplementedObjectResources(req *http.Request) bool {
return false return false
} }
// Resource handler ServeHTTP() wrapper // setIgnoreResourcesHandler -
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Ignore resources handler is wrapper handler used for API request resource validation
// Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating that requested feature is not implemented.
func setIgnoreResourcesHandler(h http.Handler) http.Handler {
// Resource handler ServeHTTP() wrapper
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
bucketName, objectName := request2BucketObjectName(r) bucketName, objectName := request2BucketObjectName(r)
// If bucketName is present and not objectName check for bucket level resource queries. // If bucketName is present and not objectName check for bucket level resource queries.
@ -520,27 +447,20 @@ func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
// Serve HTTP. // Serve HTTP.
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
} })
// httpStatsHandler definition: gather HTTP statistics
type httpStatsHandler struct {
handler http.Handler
} }
// setHttpStatsHandler sets a http Stats Handler // setHttpStatsHandler sets a http Stats handler to gather HTTP statistics
func setHTTPStatsHandler(h http.Handler) http.Handler { func setHTTPStatsHandler(h http.Handler) http.Handler {
return httpStatsHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Meters s3 connection stats. // Meters s3 connection stats.
meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body} meteredRequest := &stats.IncomingTrafficMeter{ReadCloser: r.Body}
meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w} meteredResponse := &stats.OutgoingTrafficMeter{ResponseWriter: w}
// Execute the request // Execute the request
r.Body = meteredRequest r.Body = meteredRequest
h.handler.ServeHTTP(meteredResponse, r) h.ServeHTTP(meteredResponse, r)
if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) { if strings.HasPrefix(r.URL.Path, minioReservedBucketPath) {
globalConnStats.incInputBytes(meteredRequest.BytesCount()) globalConnStats.incInputBytes(meteredRequest.BytesCount())
@ -549,16 +469,7 @@ func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
globalConnStats.incS3InputBytes(meteredRequest.BytesCount()) globalConnStats.incS3InputBytes(meteredRequest.BytesCount())
globalConnStats.incS3OutputBytes(meteredResponse.BytesCount()) globalConnStats.incS3OutputBytes(meteredResponse.BytesCount())
} }
} })
// requestValidityHandler validates all the incoming paths for
// any malicious requests.
type requestValidityHandler struct {
handler http.Handler
}
func setRequestValidityHandler(h http.Handler) http.Handler {
return requestValidityHandler{handler: h}
} }
// Bad path components to be rejected by the path validity handler. // Bad path components to be rejected by the path validity handler.
@ -593,7 +504,10 @@ func hasMultipleAuth(r *http.Request) bool {
return authTypeCount > 1 return authTypeCount > 1
} }
func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // requestValidityHandler validates all the incoming paths for
// any malicious requests.
func setRequestValidityHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check for bad components in URL path. // Check for bad components in URL path.
if hasBadPathComponent(r.URL.Path) { if hasBadPathComponent(r.URL.Path) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
@ -612,21 +526,27 @@ func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r)) writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
return return
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// To forward the path style requests on a bucket to the right var fwd = handlers.NewForwarder(&handlers.Forwarder{
// configured server, bucket to IP configuration is obtained PassHost: true,
// from centralized etcd configuration service. RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
type bucketForwardingHandler struct { Logger: func(err error) {
fwd *handlers.Forwarder logger.LogIf(GlobalContext, err)
handler http.Handler },
} })
func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // setBucketForwardingHandler middleware forwards the path style requests
if guessIsHealthCheckReq(r) || guessIsMetricsReq(r) || // on a bucket to the right bucket location, bucket to IP configuration
// is obtained from centralized etcd configuration service.
func setBucketForwardingHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation ||
guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) { guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
@ -647,7 +567,7 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
} }
} }
if bucket == "" { if bucket == "" {
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
sr, err := globalDNSConfig.Get(bucket) sr, err := globalDNSConfig.Get(bucket)
@ -667,10 +587,10 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
r.URL.Scheme = "https" r.URL.Scheme = "https"
} }
r.URL.Host = getHostFromSrv(sr) r.URL.Host = getHostFromSrv(sr)
f.fwd.ServeHTTP(w, r) fwd.ServeHTTP(w, r)
return return
} }
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
@ -682,13 +602,13 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
// in a federated setup cannot be proxied, so serve them at // in a federated setup cannot be proxied, so serve them at
// current server. // current server.
if bucket == "" { if bucket == "" {
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
// MakeBucket requests should be handled at current endpoint // MakeBucket requests should be handled at current endpoint
if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" { if r.Method == http.MethodPut && bucket != "" && object == "" && r.URL.RawQuery == "" {
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
@ -698,7 +618,7 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" { if r.Method == http.MethodPut && r.Header.Get(xhttp.AmzCopySource) != "" {
bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource)) bucket, object = path2BucketObject(r.Header.Get(xhttp.AmzCopySource))
if bucket == "" || object == "" { if bucket == "" || object == "" {
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
return return
} }
} }
@ -717,28 +637,11 @@ func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
r.URL.Scheme = "https" r.URL.Scheme = "https"
} }
r.URL.Host = getHostFromSrv(sr) r.URL.Host = getHostFromSrv(sr)
f.fwd.ServeHTTP(w, r) fwd.ServeHTTP(w, r)
return return
} }
f.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
}
// setBucketForwardingHandler middleware forwards the path style requests
// on a bucket to the right bucket location, bucket to IP configuration
// is obtained from centralized etcd configuration service.
func setBucketForwardingHandler(h http.Handler) http.Handler {
if globalDNSConfig == nil || len(globalDomainNames) == 0 || !globalBucketFederation {
return h
}
fwd := handlers.NewForwarder(&handlers.Forwarder{
PassHost: true,
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
Logger: func(err error) {
logger.LogIf(GlobalContext, err)
},
}) })
return bucketForwardingHandler{fwd, h}
} }
// customHeaderHandler sets x-amz-request-id header. // customHeaderHandler sets x-amz-request-id header.
@ -746,33 +649,21 @@ func setBucketForwardingHandler(h http.Handler) http.Handler {
// the client. So, logger and Error response XML were not using this // the client. So, logger and Error response XML were not using this
// value. This is set here so that this header can be logged as // value. This is set here so that this header can be logged as
// part of the log entry, Error response XML and auditing. // part of the log entry, Error response XML and auditing.
type customHeaderHandler struct {
handler http.Handler
}
func addCustomHeaders(h http.Handler) http.Handler { func addCustomHeaders(h http.Handler) http.Handler {
return customHeaderHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
func (s customHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Set custom headers such as x-amz-request-id for each request. // Set custom headers such as x-amz-request-id for each request.
w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow())) w.Header().Set(xhttp.AmzRequestID, mustGetRequestID(UTCNow()))
s.handler.ServeHTTP(logger.NewResponseWriter(w), r) h.ServeHTTP(logger.NewResponseWriter(w), r)
} })
type securityHeaderHandler struct {
handler http.Handler
} }
func addSecurityHeaders(h http.Handler) http.Handler { func addSecurityHeaders(h http.Handler) http.Handler {
return securityHeaderHandler{handler: h} return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
header := w.Header() header := w.Header()
header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks header.Set("X-XSS-Protection", "1; mode=block") // Prevents against XSS attacks
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content) header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
s.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }
// criticalErrorHandler handles critical server failures caused by // criticalErrorHandler handles critical server failures caused by
@ -793,19 +684,11 @@ func (h criticalErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
h.handler.ServeHTTP(w, r) h.handler.ServeHTTP(w, r)
} }
func setSSETLSHandler(h http.Handler) http.Handler {
if globalIsTLS {
return h
}
return sseTLSHandler{h}
}
// sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS. // sseTLSHandler enforces certain rules for SSE requests which are made / must be made over TLS.
type sseTLSHandler struct{ handler http.Handler } func setSSETLSHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
func (h sseTLSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Deny SSE-C requests if not made over TLS // Deny SSE-C requests if not made over TLS
if crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header) { if !globalIsTLS && (crypto.SSEC.IsRequested(r.Header) || crypto.SSECopy.IsRequested(r.Header)) {
if r.Method == http.MethodHead { if r.Method == http.MethodHead {
writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest)) writeErrorResponseHeadersOnly(w, errorCodes.ToAPIErr(ErrInsecureSSECustomerRequest))
} else { } else {
@ -813,5 +696,6 @@ func (h sseTLSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
return return
} }
h.handler.ServeHTTP(w, r) h.ServeHTTP(w, r)
})
} }

76
cmd/routers.go
Unescape View File

@ -38,47 +38,47 @@ func registerDistErasureRouters(router *mux.Router, endpointServerPools Endpoint
} }
// List of some generic handlers which are applied for all incoming requests. // List of some generic handlers which are applied for all incoming requests.
var globalHandlers = []MiddlewareFunc{ var globalHandlers = []mux.MiddlewareFunc{
// add redirect handler to redirect // filters HTTP headers which are treated as metadata and are reserved
// requests when object layer is not // for internal use only.
// initialized. filterReservedMetadata,
setRedirectHandler, // Enforce rules specific for TLS requests
// set x-amz-request-id header. setSSETLSHandler,
addCustomHeaders,
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// Forward path style requests to actual host in a bucket federated setup.
setBucketForwardingHandler,
// Validate all the incoming requests.
setRequestValidityHandler,
// Network statistics
setHTTPStatsHandler,
// Limits all requests size to a maximum fixed limit
setRequestSizeLimitHandler,
// Limits all header sizes to a maximum fixed limit
setRequestHeaderSizeLimitHandler,
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
setCrossDomainPolicy,
// Redirect some pre-defined browser request paths to a static location prefix.
setBrowserRedirectHandler,
// Validates if incoming request is for restricted buckets.
setReservedBucketHandler,
// Adds cache control for all browser requests.
setBrowserCacheControlHandler,
// Validates all incoming requests to have a valid date header.
setTimeValidityHandler,
// Validates all incoming URL resources, for invalid/unsupported
// resources client receives a HTTP error.
setIgnoreResourcesHandler,
// Auth handler verifies incoming authorization headers and // Auth handler verifies incoming authorization headers and
// routes them accordingly. Client receives a HTTP error for // routes them accordingly. Client receives a HTTP error for
// invalid/unsupported signatures. // invalid/unsupported signatures.
setAuthHandler, setAuthHandler,
// Enforce rules specific for TLS requests // Validates all incoming URL resources, for invalid/unsupported
setSSETLSHandler, // resources client receives a HTTP error.
// filters HTTP headers which are treated as metadata and are reserved setIgnoreResourcesHandler,
// for internal use only. // Validates all incoming requests to have a valid date header.
filterReservedMetadata, setTimeValidityHandler,
// Adds cache control for all browser requests.
setBrowserCacheControlHandler,
// Validates if incoming request is for restricted buckets.
setReservedBucketHandler,
// Redirect some pre-defined browser request paths to a static location prefix.
setBrowserRedirectHandler,
// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
setCrossDomainPolicy,
// Limits all header sizes to a maximum fixed limit
setRequestHeaderSizeLimitHandler,
// Limits all requests size to a maximum fixed limit
setRequestSizeLimitHandler,
// Network statistics
setHTTPStatsHandler,
// Validate all the incoming requests.
setRequestValidityHandler,
// Forward path style requests to actual host in a bucket federated setup.
setBucketForwardingHandler,
// set HTTP security headers such as Content-Security-Policy.
addSecurityHeaders,
// set x-amz-request-id header.
addCustomHeaders,
// add redirect handler to redirect
// requests when object layer is not
// initialized.
setRedirectHandler,
// Add new handlers here. // Add new handlers here.
} }
@ -115,7 +115,7 @@ func configureServerHandler(endpointServerPools EndpointServerPools) (http.Handl
// Add API router // Add API router
registerAPIRouter(router) registerAPIRouter(router)
router.Use(registerMiddlewares) router.Use(globalHandlers...)
return router, nil return router, nil
} }

Write Preview
Loading…
Cancel
Save