Bring in full fledged acl support

This commit is contained in:
Harshavardhana
2015-04-22 18:19:20 -07:00
parent 2c1455af1b
commit c8713fd650
5 changed files with 82 additions and 61 deletions
+46 -30
View File
@@ -20,11 +20,14 @@ import (
"net/http"
"strings"
"github.com/gorilla/mux"
"github.com/minio-io/minio/pkg/api/config"
"github.com/minio-io/minio/pkg/storage/drivers"
)
type vHandler struct {
conf config.Config
driver drivers.Driver
handler http.Handler
}
@@ -47,43 +50,56 @@ func stripAccessKey(r *http.Request) string {
// Validate handler is wrapper handler used for API request validation with authorization header.
// Current authorization layer supports S3's standard HMAC based signature request.
func validateHandler(conf config.Config, h http.Handler) http.Handler {
return vHandler{conf, h}
func validateHandler(conf config.Config, driver drivers.Driver, h http.Handler) http.Handler {
return vHandler{
conf: conf,
driver: driver,
handler: h,
}
}
// Validate handler ServeHTTP() wrapper
func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
accessKey := stripAccessKey(r)
acceptsContentType := getContentType(r)
if accessKey != "" {
if err := h.conf.ReadConfig(); err != nil {
error := getErrorCode(InternalError)
errorResponse := getErrorResponse(error, "")
setCommonHeaders(w, getContentTypeString(acceptsContentType))
w.WriteHeader(error.HTTPStatusCode)
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
} else {
user, ok := h.conf.Users[accessKey]
if ok == false {
error := getErrorCode(AccessDenied)
errorResponse := getErrorResponse(error, "")
setCommonHeaders(w, getContentTypeString(acceptsContentType))
w.WriteHeader(error.HTTPStatusCode)
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
} else {
ok, _ = ValidateRequest(user, r)
if ok {
h.handler.ServeHTTP(w, r)
} else {
error := getErrorCode(AccessDenied)
errorResponse := getErrorResponse(error, "")
setCommonHeaders(w, getContentTypeString(acceptsContentType))
w.WriteHeader(error.HTTPStatusCode)
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
}
}
if acceptsContentType == unknownContentType {
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
return
}
// verify for if bucket is private or public
vars := mux.Vars(r)
bucket, ok := vars["bucket"]
if ok {
bucketMetadata, err := h.driver.GetBucketMetadata(bucket)
if err != nil {
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
return
}
} else {
if accessKey == "" && bucketMetadata.ACL.IsPrivate() {
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
return
}
}
switch true {
case accessKey != "":
if err := h.conf.ReadConfig(); err != nil {
writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
return
}
user, ok := h.conf.Users[accessKey]
if !ok {
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
return
}
ok, _ = ValidateRequest(user, r)
if !ok {
writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
return
}
// Success
h.handler.ServeHTTP(w, r)
default:
// Control reaches when no access key is found, ideally we would
// like to throw back `403`. But for now with our tests lacking
// this functionality it is better for us to be serving anonymous