mirror of
https://github.com/pgsty/minio.git
synced 2026-07-19 12:10:24 +03:00
Bring in full fledged acl support
This commit is contained in:
@@ -20,11 +20,14 @@ import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/minio-io/minio/pkg/api/config"
|
||||
"github.com/minio-io/minio/pkg/storage/drivers"
|
||||
)
|
||||
|
||||
type vHandler struct {
|
||||
conf config.Config
|
||||
driver drivers.Driver
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
@@ -47,43 +50,56 @@ func stripAccessKey(r *http.Request) string {
|
||||
|
||||
// Validate handler is wrapper handler used for API request validation with authorization header.
|
||||
// Current authorization layer supports S3's standard HMAC based signature request.
|
||||
func validateHandler(conf config.Config, h http.Handler) http.Handler {
|
||||
return vHandler{conf, h}
|
||||
func validateHandler(conf config.Config, driver drivers.Driver, h http.Handler) http.Handler {
|
||||
return vHandler{
|
||||
conf: conf,
|
||||
driver: driver,
|
||||
handler: h,
|
||||
}
|
||||
}
|
||||
|
||||
// Validate handler ServeHTTP() wrapper
|
||||
func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
accessKey := stripAccessKey(r)
|
||||
acceptsContentType := getContentType(r)
|
||||
if accessKey != "" {
|
||||
if err := h.conf.ReadConfig(); err != nil {
|
||||
error := getErrorCode(InternalError)
|
||||
errorResponse := getErrorResponse(error, "")
|
||||
setCommonHeaders(w, getContentTypeString(acceptsContentType))
|
||||
w.WriteHeader(error.HTTPStatusCode)
|
||||
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
|
||||
} else {
|
||||
user, ok := h.conf.Users[accessKey]
|
||||
if ok == false {
|
||||
error := getErrorCode(AccessDenied)
|
||||
errorResponse := getErrorResponse(error, "")
|
||||
setCommonHeaders(w, getContentTypeString(acceptsContentType))
|
||||
w.WriteHeader(error.HTTPStatusCode)
|
||||
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
|
||||
} else {
|
||||
ok, _ = ValidateRequest(user, r)
|
||||
if ok {
|
||||
h.handler.ServeHTTP(w, r)
|
||||
} else {
|
||||
error := getErrorCode(AccessDenied)
|
||||
errorResponse := getErrorResponse(error, "")
|
||||
setCommonHeaders(w, getContentTypeString(acceptsContentType))
|
||||
w.WriteHeader(error.HTTPStatusCode)
|
||||
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
|
||||
}
|
||||
}
|
||||
if acceptsContentType == unknownContentType {
|
||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// verify for if bucket is private or public
|
||||
vars := mux.Vars(r)
|
||||
bucket, ok := vars["bucket"]
|
||||
if ok {
|
||||
bucketMetadata, err := h.driver.GetBucketMetadata(bucket)
|
||||
if err != nil {
|
||||
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
} else {
|
||||
if accessKey == "" && bucketMetadata.ACL.IsPrivate() {
|
||||
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
switch true {
|
||||
case accessKey != "":
|
||||
if err := h.conf.ReadConfig(); err != nil {
|
||||
writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
user, ok := h.conf.Users[accessKey]
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
ok, _ = ValidateRequest(user, r)
|
||||
if !ok {
|
||||
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// Success
|
||||
h.handler.ServeHTTP(w, r)
|
||||
default:
|
||||
// Control reaches when no access key is found, ideally we would
|
||||
// like to throw back `403`. But for now with our tests lacking
|
||||
// this functionality it is better for us to be serving anonymous
|
||||
|
||||
Reference in New Issue
Block a user