2020-08-19 23:36:17 +00:00
|
|
|
package handler
|
|
|
|
|
|
|
|
import (
|
2021-08-30 19:44:53 +00:00
|
|
|
"bytes"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/json"
|
2021-07-16 12:35:07 +00:00
|
|
|
"encoding/xml"
|
2021-08-30 19:44:53 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
2021-08-06 13:05:57 +00:00
|
|
|
"net"
|
2020-08-19 23:36:17 +00:00
|
|
|
"net/http"
|
2021-08-17 11:57:24 +00:00
|
|
|
"net/url"
|
2021-08-30 19:44:53 +00:00
|
|
|
"strconv"
|
2021-06-23 20:21:15 +00:00
|
|
|
"strings"
|
2021-08-30 19:44:53 +00:00
|
|
|
"time"
|
2020-08-19 23:36:17 +00:00
|
|
|
|
2021-05-18 11:10:08 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/api"
|
2021-08-30 19:44:53 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/api/auth"
|
2021-09-10 06:56:56 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/api/data"
|
2021-07-21 11:59:46 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/api/errors"
|
2021-05-18 11:10:08 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/api/layer"
|
2021-10-19 15:08:07 +00:00
|
|
|
"github.com/nspcc-dev/neofs-s3-gw/creds/accessbox"
|
2021-11-15 12:56:16 +00:00
|
|
|
"github.com/nspcc-dev/neofs-sdk-go/eacl"
|
2022-04-18 15:35:25 +00:00
|
|
|
"github.com/nspcc-dev/neofs-sdk-go/session"
|
2020-08-19 23:36:17 +00:00
|
|
|
"go.uber.org/zap"
|
|
|
|
)
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
type postPolicy struct {
|
|
|
|
Expiration time.Time `json:"expiration"`
|
|
|
|
Conditions []*policyCondition `json:"conditions"`
|
|
|
|
empty bool
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *postPolicy) condition(key string) *policyCondition {
|
|
|
|
for _, condition := range p.Conditions {
|
|
|
|
if condition.Key == key {
|
|
|
|
return condition
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *postPolicy) CheckContentLength(size int64) bool {
|
|
|
|
if p.empty {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
for _, condition := range p.Conditions {
|
|
|
|
if condition.Matching == "content-length-range" {
|
|
|
|
length := strconv.FormatInt(size, 10)
|
|
|
|
return condition.Key <= length && length <= condition.Value
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *policyCondition) match(value string) bool {
|
|
|
|
switch p.Matching {
|
|
|
|
case "eq":
|
|
|
|
p.Matched = p.Value == value
|
|
|
|
case "starts-with":
|
|
|
|
if p.Key == api.ContentType {
|
|
|
|
p.Matched = true
|
|
|
|
for _, contentType := range strings.Split(value, ",") {
|
|
|
|
if !strings.HasPrefix(contentType, p.Value) {
|
|
|
|
p.Matched = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
p.Matched = strings.HasPrefix(value, p.Value)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return p.Matched
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *postPolicy) CheckField(key string, value string) error {
|
|
|
|
if p.empty {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
cond := p.condition(key)
|
|
|
|
if cond == nil {
|
|
|
|
return errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !cond.match(value) {
|
|
|
|
return errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *postPolicy) AllConditionMatched() bool {
|
|
|
|
for _, condition := range p.Conditions {
|
|
|
|
if !condition.Matched {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
type policyCondition struct {
|
|
|
|
Matching string
|
|
|
|
Key string
|
|
|
|
Value string
|
|
|
|
Matched bool
|
|
|
|
}
|
|
|
|
|
|
|
|
var errInvalidCondition = fmt.Errorf("invalid condition")
|
|
|
|
|
|
|
|
func (p *policyCondition) UnmarshalJSON(data []byte) error {
|
|
|
|
var (
|
|
|
|
ok bool
|
|
|
|
v interface{}
|
|
|
|
)
|
|
|
|
|
|
|
|
if err := json.Unmarshal(data, &v); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
switch v := v.(type) {
|
|
|
|
case []interface{}:
|
|
|
|
if len(v) != 3 {
|
|
|
|
return errInvalidCondition
|
|
|
|
}
|
|
|
|
if p.Matching, ok = v[0].(string); !ok {
|
|
|
|
return errInvalidCondition
|
|
|
|
}
|
|
|
|
|
|
|
|
if p.Matching == "content-length-range" {
|
|
|
|
min, ok := v[1].(float64)
|
|
|
|
max, ok2 := v[2].(float64)
|
|
|
|
if !ok || !ok2 {
|
|
|
|
return errInvalidCondition
|
|
|
|
}
|
|
|
|
p.Key = strconv.FormatFloat(min, 'f', 0, 32)
|
|
|
|
p.Value = strconv.FormatFloat(max, 'f', 0, 32)
|
|
|
|
} else {
|
|
|
|
key, ok2 := v[1].(string)
|
|
|
|
p.Value, ok = v[2].(string)
|
|
|
|
if !ok || !ok2 {
|
|
|
|
return errInvalidCondition
|
|
|
|
}
|
|
|
|
p.Key = strings.ToLower(strings.TrimPrefix(key, "$"))
|
|
|
|
}
|
|
|
|
|
|
|
|
case map[string]interface{}:
|
|
|
|
p.Matching = "eq"
|
|
|
|
for key, val := range v {
|
|
|
|
p.Key = strings.ToLower(key)
|
|
|
|
if p.Value, ok = val.(string); !ok {
|
|
|
|
return errInvalidCondition
|
|
|
|
}
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unknown condition type")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-06-23 20:21:15 +00:00
|
|
|
// keywords of predefined basic ACL values.
|
|
|
|
const (
|
2021-07-21 11:59:46 +00:00
|
|
|
basicACLPrivate = "private"
|
|
|
|
basicACLReadOnly = "public-read"
|
|
|
|
basicACLPublic = "public-read-write"
|
|
|
|
cannedACLAuthRead = "authenticated-read"
|
2021-06-23 20:21:15 +00:00
|
|
|
)
|
|
|
|
|
2021-07-16 12:35:07 +00:00
|
|
|
type createBucketParams struct {
|
|
|
|
XMLName xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ CreateBucketConfiguration" json:"-"`
|
|
|
|
LocationConstraint string
|
|
|
|
}
|
|
|
|
|
2020-08-19 23:36:17 +00:00
|
|
|
func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
|
2022-04-18 15:35:25 +00:00
|
|
|
var (
|
|
|
|
err error
|
|
|
|
newEaclTable *eacl.Table
|
2022-05-04 12:29:11 +00:00
|
|
|
sessionTokenEACL *session.Container
|
2022-04-18 15:35:25 +00:00
|
|
|
containsACL = containsACLHeaders(r)
|
|
|
|
reqInfo = api.GetReqInfo(r.Context())
|
|
|
|
)
|
|
|
|
|
|
|
|
if containsACL {
|
|
|
|
if sessionTokenEACL, err = getSessionTokenSetEACL(r.Context()); err != nil {
|
|
|
|
h.logAndSendError(w, "could not get eacl session token from a box", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-17 11:57:24 +00:00
|
|
|
tagSet, err := parseTaggingHeader(r.Header)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not parse tagging header", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
2020-08-19 23:36:17 +00:00
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
2021-08-30 07:55:42 +00:00
|
|
|
if err != nil {
|
2022-03-18 13:04:09 +00:00
|
|
|
h.logAndSendError(w, "could not get bucket info", reqInfo, err)
|
2021-08-30 07:55:42 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
metadata := parseMetadata(r)
|
|
|
|
if contentType := r.Header.Get(api.ContentType); len(contentType) > 0 {
|
|
|
|
metadata[api.ContentType] = contentType
|
|
|
|
}
|
2022-01-27 13:37:43 +00:00
|
|
|
if cacheControl := r.Header.Get(api.CacheControl); len(cacheControl) > 0 {
|
|
|
|
metadata[api.CacheControl] = cacheControl
|
|
|
|
}
|
|
|
|
if expires := r.Header.Get(api.Expires); len(expires) > 0 {
|
|
|
|
metadata[api.Expires] = expires
|
|
|
|
}
|
2021-08-30 07:55:42 +00:00
|
|
|
|
|
|
|
params := &layer.PutObjectParams{
|
2022-03-18 13:04:09 +00:00
|
|
|
BktInfo: bktInfo,
|
|
|
|
Object: reqInfo.ObjectName,
|
|
|
|
Reader: r.Body,
|
|
|
|
Size: r.ContentLength,
|
|
|
|
Header: metadata,
|
2021-08-30 07:55:42 +00:00
|
|
|
}
|
|
|
|
|
2022-02-28 10:22:07 +00:00
|
|
|
settings, err := h.obj.GetBucketSettings(r.Context(), bktInfo)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not get bucket settings", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-01 15:07:15 +00:00
|
|
|
params.Lock, err = formObjectLock(bktInfo, settings.LockConfiguration, r.Header)
|
|
|
|
if err != nil {
|
2022-02-28 10:22:07 +00:00
|
|
|
h.logAndSendError(w, "could not form object lock", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-08-30 07:55:42 +00:00
|
|
|
info, err := h.obj.PutObject(r.Context(), params)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not upload object", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-29 13:08:22 +00:00
|
|
|
s := &SendNotificationParams{
|
|
|
|
Event: EventObjectCreatedPut,
|
2022-03-31 06:21:38 +00:00
|
|
|
ObjInfo: info,
|
|
|
|
BktInfo: bktInfo,
|
|
|
|
ReqInfo: reqInfo,
|
|
|
|
}
|
2022-04-29 13:08:22 +00:00
|
|
|
if err = h.sendNotifications(r.Context(), s); err != nil {
|
2022-03-31 06:21:38 +00:00
|
|
|
h.log.Error("couldn't send notification: %w", zap.Error(err))
|
|
|
|
}
|
|
|
|
|
2022-04-18 15:35:25 +00:00
|
|
|
if containsACL {
|
2022-03-18 13:04:09 +00:00
|
|
|
if newEaclTable, err = h.getNewEAclTable(r, bktInfo, info); err != nil {
|
2021-08-30 19:44:53 +00:00
|
|
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
2021-08-19 14:14:19 +00:00
|
|
|
return
|
|
|
|
}
|
2022-04-18 15:35:25 +00:00
|
|
|
newEaclTable.SetSessionToken(sessionTokenEACL)
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
2021-07-21 11:59:46 +00:00
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
if tagSet != nil {
|
|
|
|
if err = h.obj.PutObjectTagging(r.Context(), &layer.PutTaggingParams{ObjectInfo: info, TagSet: tagSet}); err != nil {
|
|
|
|
h.logAndSendError(w, "could not upload object tagging", reqInfo, err)
|
|
|
|
return
|
2021-08-30 07:55:42 +00:00
|
|
|
}
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
2021-08-30 07:55:42 +00:00
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
if newEaclTable != nil {
|
|
|
|
p := &layer.PutBucketACLParams{
|
2022-03-18 13:04:09 +00:00
|
|
|
BktInfo: bktInfo,
|
|
|
|
EACL: newEaclTable,
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
|
|
|
h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
|
2021-08-19 14:14:19 +00:00
|
|
|
return
|
|
|
|
}
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
|
|
|
|
2022-03-31 16:25:33 +00:00
|
|
|
if settings.VersioningEnabled {
|
2021-08-30 19:44:53 +00:00
|
|
|
w.Header().Set(api.AmzVersionID, info.Version())
|
|
|
|
}
|
|
|
|
|
|
|
|
w.Header().Set(api.ETag, info.HashSum)
|
|
|
|
api.WriteSuccessResponseHeadersOnly(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var (
|
2022-04-18 15:35:25 +00:00
|
|
|
newEaclTable *eacl.Table
|
|
|
|
tagSet map[string]string
|
2022-05-04 12:29:11 +00:00
|
|
|
sessionTokenEACL *session.Container
|
2022-04-18 15:35:25 +00:00
|
|
|
reqInfo = api.GetReqInfo(r.Context())
|
|
|
|
metadata = make(map[string]string)
|
|
|
|
containsACL = containsACLHeaders(r)
|
2021-08-30 19:44:53 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
policy, err := checkPostPolicy(r, reqInfo, metadata)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "failed check policy", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
2021-07-21 11:59:46 +00:00
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
if tagging := auth.MultipartFormValue(r, "tagging"); tagging != "" {
|
|
|
|
buffer := bytes.NewBufferString(tagging)
|
|
|
|
tagSet, err = readTagSet(buffer)
|
2021-08-19 14:14:19 +00:00
|
|
|
if err != nil {
|
2021-08-30 19:44:53 +00:00
|
|
|
h.logAndSendError(w, "could not read tag set", reqInfo, err)
|
2021-08-19 14:14:19 +00:00
|
|
|
return
|
|
|
|
}
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
2021-07-21 11:59:46 +00:00
|
|
|
|
2022-04-18 15:35:25 +00:00
|
|
|
if containsACL {
|
|
|
|
if sessionTokenEACL, err = getSessionTokenSetEACL(r.Context()); err != nil {
|
|
|
|
h.logAndSendError(w, "could not get eacl session token from a box", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
var contentReader io.Reader
|
|
|
|
var size int64
|
|
|
|
if content, ok := r.MultipartForm.Value["file"]; ok {
|
|
|
|
contentReader = bytes.NewBufferString(content[0])
|
|
|
|
size = int64(len(content[0]))
|
|
|
|
} else {
|
|
|
|
file, head, err := r.FormFile("file")
|
2021-08-19 14:14:19 +00:00
|
|
|
if err != nil {
|
2021-08-30 19:44:53 +00:00
|
|
|
h.logAndSendError(w, "could get uploading file", reqInfo, err)
|
2021-08-19 14:14:19 +00:00
|
|
|
return
|
|
|
|
}
|
2021-08-30 19:44:53 +00:00
|
|
|
contentReader = file
|
|
|
|
size = head.Size
|
|
|
|
reqInfo.ObjectName = strings.ReplaceAll(reqInfo.ObjectName, "${filename}", head.Filename)
|
|
|
|
}
|
|
|
|
if !policy.CheckContentLength(size) {
|
|
|
|
h.logAndSendError(w, "invalid content-length", reqInfo, errors.GetAPIError(errors.ErrInvalidArgument))
|
|
|
|
return
|
|
|
|
}
|
2021-07-21 11:59:46 +00:00
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
bktInfo, err := h.obj.GetBucketInfo(r.Context(), reqInfo.BucketName)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not get bucket info", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
params := &layer.PutObjectParams{
|
2022-03-18 13:04:09 +00:00
|
|
|
BktInfo: bktInfo,
|
|
|
|
Object: reqInfo.ObjectName,
|
|
|
|
Reader: contentReader,
|
|
|
|
Size: size,
|
|
|
|
Header: metadata,
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
2021-07-21 11:59:46 +00:00
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
info, err := h.obj.PutObject(r.Context(), params)
|
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not upload object", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-29 13:08:22 +00:00
|
|
|
s := &SendNotificationParams{
|
|
|
|
Event: EventObjectCreatedPost,
|
2022-03-31 06:21:38 +00:00
|
|
|
ObjInfo: info,
|
|
|
|
BktInfo: bktInfo,
|
|
|
|
ReqInfo: reqInfo,
|
|
|
|
}
|
2022-04-29 13:08:22 +00:00
|
|
|
if err = h.sendNotifications(r.Context(), s); err != nil {
|
2022-03-31 06:21:38 +00:00
|
|
|
h.log.Error("couldn't send notification: %w", zap.Error(err))
|
|
|
|
}
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
if acl := auth.MultipartFormValue(r, "acl"); acl != "" {
|
|
|
|
r.Header.Set(api.AmzACL, acl)
|
|
|
|
r.Header.Set(api.AmzGrantFullControl, "")
|
|
|
|
r.Header.Set(api.AmzGrantWrite, "")
|
|
|
|
r.Header.Set(api.AmzGrantRead, "")
|
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
if newEaclTable, err = h.getNewEAclTable(r, bktInfo, info); err != nil {
|
2021-08-30 19:44:53 +00:00
|
|
|
h.logAndSendError(w, "could not get new eacl table", reqInfo, err)
|
|
|
|
return
|
2021-07-21 11:59:46 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-17 11:57:24 +00:00
|
|
|
if tagSet != nil {
|
|
|
|
if err = h.obj.PutObjectTagging(r.Context(), &layer.PutTaggingParams{ObjectInfo: info, TagSet: tagSet}); err != nil {
|
|
|
|
h.logAndSendError(w, "could not upload object tagging", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-19 14:14:19 +00:00
|
|
|
if newEaclTable != nil {
|
2022-04-18 15:35:25 +00:00
|
|
|
newEaclTable.SetSessionToken(sessionTokenEACL)
|
|
|
|
|
2021-07-21 11:59:46 +00:00
|
|
|
p := &layer.PutBucketACLParams{
|
2022-03-18 13:04:09 +00:00
|
|
|
BktInfo: bktInfo,
|
|
|
|
EACL: newEaclTable,
|
2021-07-21 11:59:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err = h.obj.PutBucketACL(r.Context(), p); err != nil {
|
|
|
|
h.logAndSendError(w, "could not put bucket acl", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-02-28 08:02:05 +00:00
|
|
|
if settings, err := h.obj.GetBucketSettings(r.Context(), bktInfo); err != nil {
|
2021-08-19 06:55:22 +00:00
|
|
|
h.log.Warn("couldn't get bucket versioning", zap.String("bucket name", reqInfo.BucketName), zap.Error(err))
|
2022-02-28 08:02:05 +00:00
|
|
|
} else if settings.VersioningEnabled {
|
2021-08-19 06:55:22 +00:00
|
|
|
w.Header().Set(api.AmzVersionID, info.Version())
|
|
|
|
}
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
if redirectURL := auth.MultipartFormValue(r, "success_action_redirect"); redirectURL != "" {
|
|
|
|
http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
status := http.StatusNoContent
|
|
|
|
if statusStr := auth.MultipartFormValue(r, "success_action_status"); statusStr != "" {
|
|
|
|
switch statusStr {
|
|
|
|
case "200":
|
|
|
|
status = http.StatusOK
|
|
|
|
case "201":
|
|
|
|
status = http.StatusCreated
|
|
|
|
resp := &PostResponse{
|
|
|
|
Bucket: info.Bucket,
|
|
|
|
Key: info.Name,
|
|
|
|
ETag: info.HashSum,
|
|
|
|
}
|
|
|
|
w.WriteHeader(status)
|
|
|
|
if _, err = w.Write(api.EncodeResponse(resp)); err != nil {
|
|
|
|
h.logAndSendError(w, "something went wrong", reqInfo, err)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-29 13:40:26 +00:00
|
|
|
w.Header().Set(api.ETag, info.HashSum)
|
2021-08-30 19:44:53 +00:00
|
|
|
w.WriteHeader(status)
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkPostPolicy(r *http.Request, reqInfo *api.ReqInfo, metadata map[string]string) (*postPolicy, error) {
|
2022-01-17 12:25:29 +00:00
|
|
|
policy := &postPolicy{empty: true}
|
2021-08-30 19:44:53 +00:00
|
|
|
if policyStr := auth.MultipartFormValue(r, "policy"); policyStr != "" {
|
|
|
|
policyData, err := base64.StdEncoding.DecodeString(policyStr)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not decode policy: %w", err)
|
|
|
|
}
|
|
|
|
if err = json.Unmarshal(policyData, policy); err != nil {
|
|
|
|
return nil, fmt.Errorf("could not unmarshal policy: %w", err)
|
|
|
|
}
|
|
|
|
if policy.Expiration.Before(time.Now()) {
|
|
|
|
return nil, fmt.Errorf("policy is expired: %w", errors.GetAPIError(errors.ErrInvalidArgument))
|
|
|
|
}
|
2022-01-17 12:25:29 +00:00
|
|
|
policy.empty = false
|
2021-08-30 19:44:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for key, v := range r.MultipartForm.Value {
|
|
|
|
value := v[0]
|
|
|
|
if key == "file" || key == "policy" || key == "x-amz-signature" || strings.HasPrefix(key, "x-ignore-") {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err := policy.CheckField(key, value); err != nil {
|
|
|
|
return nil, fmt.Errorf("'%s' form field doesn't match the policy: %w", key, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
prefix := strings.ToLower(api.MetadataPrefix)
|
|
|
|
if strings.HasPrefix(key, prefix) {
|
|
|
|
metadata[strings.TrimPrefix(key, prefix)] = value
|
|
|
|
}
|
|
|
|
|
|
|
|
if key == "content-type" {
|
|
|
|
metadata[api.ContentType] = value
|
|
|
|
}
|
|
|
|
|
|
|
|
if key == "key" {
|
|
|
|
reqInfo.ObjectName = value
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, cond := range policy.Conditions {
|
|
|
|
if cond.Key == "bucket" {
|
|
|
|
if !cond.match(reqInfo.BucketName) {
|
|
|
|
return nil, errors.GetAPIError(errors.ErrPostPolicyConditionInvalidFormat)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return policy, nil
|
2020-08-19 23:36:17 +00:00
|
|
|
}
|
2021-06-23 20:21:15 +00:00
|
|
|
|
2021-08-19 14:14:19 +00:00
|
|
|
func containsACLHeaders(r *http.Request) bool {
|
|
|
|
return r.Header.Get(api.AmzACL) != "" || r.Header.Get(api.AmzGrantRead) != "" ||
|
|
|
|
r.Header.Get(api.AmzGrantFullControl) != "" || r.Header.Get(api.AmzGrantWrite) != ""
|
|
|
|
}
|
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
func (h *handler) getNewEAclTable(r *http.Request, bktInfo *data.BucketInfo, objInfo *data.ObjectInfo) (*eacl.Table, error) {
|
2021-08-30 19:44:53 +00:00
|
|
|
var newEaclTable *eacl.Table
|
2022-04-06 08:27:47 +00:00
|
|
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
2021-10-19 15:08:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-04-06 08:27:47 +00:00
|
|
|
objectACL, err := parseACLHeaders(r.Header, key)
|
2021-08-30 19:44:53 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not parse object acl: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
resInfo := &resourceInfo{
|
|
|
|
Bucket: objInfo.Bucket,
|
|
|
|
Object: objInfo.Name,
|
|
|
|
Version: objInfo.Version(),
|
|
|
|
}
|
|
|
|
|
|
|
|
bktPolicy, err := aclToPolicy(objectACL, resInfo)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not translate object acl to bucket policy: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
astChild, err := policyToAst(bktPolicy)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not translate policy to ast: %w", err)
|
|
|
|
}
|
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
bacl, err := h.obj.GetBucketACL(r.Context(), bktInfo)
|
2021-08-30 19:44:53 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not get bucket eacl: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
parentAst := tableToAst(bacl.EACL, objInfo.Bucket)
|
2022-05-25 17:25:43 +00:00
|
|
|
strCID := bacl.Info.CID.EncodeToString()
|
|
|
|
|
2021-08-30 19:44:53 +00:00
|
|
|
for _, resource := range parentAst.Resources {
|
2022-05-25 17:25:43 +00:00
|
|
|
if resource.Bucket == strCID {
|
2021-08-30 19:44:53 +00:00
|
|
|
resource.Bucket = objInfo.Bucket
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if resAst, updated := mergeAst(parentAst, astChild); updated {
|
|
|
|
if newEaclTable, err = astToTable(resAst); err != nil {
|
|
|
|
return nil, fmt.Errorf("could not translate ast to table: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return newEaclTable, nil
|
|
|
|
}
|
|
|
|
|
2021-08-17 11:57:24 +00:00
|
|
|
func parseTaggingHeader(header http.Header) (map[string]string, error) {
|
|
|
|
var tagSet map[string]string
|
|
|
|
if tagging := header.Get(api.AmzTagging); len(tagging) > 0 {
|
|
|
|
queries, err := url.ParseQuery(tagging)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.GetAPIError(errors.ErrInvalidArgument)
|
|
|
|
}
|
|
|
|
if len(queries) > maxTags {
|
|
|
|
return nil, errors.GetAPIError(errors.ErrInvalidTagsSizeExceed)
|
|
|
|
}
|
|
|
|
tagSet = make(map[string]string, len(queries))
|
|
|
|
for k, v := range queries {
|
|
|
|
tag := Tag{Key: k, Value: v[0]}
|
|
|
|
if err = checkTag(tag); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
tagSet[tag.Key] = tag.Value
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return tagSet, nil
|
|
|
|
}
|
|
|
|
|
2021-07-07 14:52:36 +00:00
|
|
|
func parseMetadata(r *http.Request) map[string]string {
|
|
|
|
res := make(map[string]string)
|
|
|
|
for k, v := range r.Header {
|
|
|
|
if strings.HasPrefix(k, api.MetadataPrefix) {
|
2021-08-06 11:46:19 +00:00
|
|
|
key := strings.ToLower(strings.TrimPrefix(k, api.MetadataPrefix))
|
2021-07-07 14:52:36 +00:00
|
|
|
res[key] = v[0]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
|
2021-06-23 20:21:15 +00:00
|
|
|
func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var (
|
2021-08-05 09:18:52 +00:00
|
|
|
reqInfo = api.GetReqInfo(r.Context())
|
2022-06-10 01:59:17 +00:00
|
|
|
p = layer.CreateBucketParams{
|
|
|
|
Name: reqInfo.BucketName,
|
|
|
|
}
|
2021-06-23 20:21:15 +00:00
|
|
|
)
|
2021-08-05 09:18:52 +00:00
|
|
|
|
2021-07-21 11:59:46 +00:00
|
|
|
if err := checkBucketName(reqInfo.BucketName); err != nil {
|
2021-08-06 13:05:57 +00:00
|
|
|
h.logAndSendError(w, "invalid bucket name", reqInfo, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-06 08:27:47 +00:00
|
|
|
key, err := h.bearerTokenIssuerKey(r.Context())
|
2021-10-19 15:08:07 +00:00
|
|
|
if err != nil {
|
2022-04-06 08:27:47 +00:00
|
|
|
h.logAndSendError(w, "couldn't get bearer token signature key", reqInfo, err)
|
2021-10-19 15:08:07 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-06 08:27:47 +00:00
|
|
|
bktACL, err := parseACLHeaders(r.Header, key)
|
2021-07-21 11:59:46 +00:00
|
|
|
if err != nil {
|
|
|
|
h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
|
|
|
|
return
|
2021-06-23 20:21:15 +00:00
|
|
|
}
|
2021-08-30 07:55:42 +00:00
|
|
|
resInfo := &resourceInfo{Bucket: reqInfo.BucketName}
|
2021-06-23 20:21:15 +00:00
|
|
|
|
2021-08-30 07:55:42 +00:00
|
|
|
p.EACL, err = bucketACLToTable(bktACL, resInfo)
|
2021-06-23 20:21:15 +00:00
|
|
|
if err != nil {
|
2021-07-21 11:59:46 +00:00
|
|
|
h.logAndSendError(w, "could translate bucket acl to eacl", reqInfo, err)
|
2021-07-09 08:57:44 +00:00
|
|
|
return
|
2021-06-23 20:21:15 +00:00
|
|
|
}
|
|
|
|
|
2021-07-16 12:35:07 +00:00
|
|
|
createParams, err := parseLocationConstraint(r)
|
2021-06-23 20:21:15 +00:00
|
|
|
if err != nil {
|
2021-08-05 09:18:52 +00:00
|
|
|
h.logAndSendError(w, "could not parse body", reqInfo, err)
|
2021-07-09 08:57:44 +00:00
|
|
|
return
|
2021-06-23 20:21:15 +00:00
|
|
|
}
|
|
|
|
|
2021-10-19 15:08:07 +00:00
|
|
|
var policies []*accessbox.ContainerPolicy
|
|
|
|
boxData, err := layer.GetBoxData(r.Context())
|
|
|
|
if err == nil {
|
|
|
|
policies = boxData.Policies
|
2022-01-26 09:09:28 +00:00
|
|
|
p.SessionToken = boxData.Gate.SessionTokenForPut()
|
2022-04-18 15:35:25 +00:00
|
|
|
p.EACL.SetSessionToken(boxData.Gate.SessionTokenForSetEACL())
|
|
|
|
}
|
|
|
|
|
|
|
|
if p.SessionToken == nil {
|
|
|
|
h.logAndSendError(w, "couldn't find session token for put", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if p.EACL.SessionToken() == nil {
|
|
|
|
h.logAndSendError(w, "couldn't find session token for setEACL", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
|
|
|
|
return
|
2021-07-16 12:35:07 +00:00
|
|
|
}
|
2021-06-23 20:21:15 +00:00
|
|
|
|
2022-06-15 19:31:41 +00:00
|
|
|
useDefaultPolicy := true
|
2021-07-16 12:35:07 +00:00
|
|
|
if createParams.LocationConstraint != "" {
|
2021-10-19 15:08:07 +00:00
|
|
|
for _, placementPolicy := range policies {
|
2021-07-16 12:35:07 +00:00
|
|
|
if placementPolicy.LocationConstraint == createParams.LocationConstraint {
|
|
|
|
p.Policy = placementPolicy.Policy
|
2022-01-11 12:33:09 +00:00
|
|
|
p.LocationConstraint = createParams.LocationConstraint
|
2022-06-15 19:31:41 +00:00
|
|
|
useDefaultPolicy = false
|
2021-07-16 12:35:07 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2022-06-15 19:31:41 +00:00
|
|
|
if useDefaultPolicy {
|
2021-08-23 18:39:15 +00:00
|
|
|
p.Policy = h.cfg.DefaultPolicy
|
2021-07-16 12:35:07 +00:00
|
|
|
}
|
|
|
|
|
2022-02-25 09:06:40 +00:00
|
|
|
p.ObjectLockEnabled = isLockEnabled(r.Header)
|
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
bktInfo, err := h.obj.CreateBucket(r.Context(), &p)
|
2021-07-16 12:35:07 +00:00
|
|
|
if err != nil {
|
2021-08-05 09:18:52 +00:00
|
|
|
h.logAndSendError(w, "could not create bucket", reqInfo, err)
|
2021-07-07 14:56:29 +00:00
|
|
|
return
|
2021-06-23 20:21:15 +00:00
|
|
|
}
|
|
|
|
|
2022-02-25 09:06:40 +00:00
|
|
|
if p.ObjectLockEnabled {
|
2022-02-28 08:02:05 +00:00
|
|
|
sp := &layer.PutSettingsParams{
|
|
|
|
BktInfo: bktInfo,
|
|
|
|
Settings: &data.BucketSettings{VersioningEnabled: true},
|
|
|
|
}
|
|
|
|
if err = h.obj.PutBucketSettings(r.Context(), sp); err != nil {
|
|
|
|
h.logAndSendError(w, "couldn't enable bucket versioning", reqInfo, err,
|
2022-03-18 13:04:09 +00:00
|
|
|
zap.Stringer("container_id", bktInfo.CID))
|
2022-02-28 08:02:05 +00:00
|
|
|
return
|
2022-02-25 09:06:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-18 13:04:09 +00:00
|
|
|
h.log.Info("bucket is created", zap.Stringer("container_id", bktInfo.CID))
|
2021-06-23 20:21:15 +00:00
|
|
|
|
|
|
|
api.WriteSuccessResponseHeadersOnly(w)
|
|
|
|
}
|
|
|
|
|
2022-02-25 09:06:40 +00:00
|
|
|
func isLockEnabled(header http.Header) bool {
|
|
|
|
lockEnabledStr := header.Get(api.AmzBucketObjectLockEnabled)
|
|
|
|
lockEnabled, _ := strconv.ParseBool(lockEnabledStr)
|
|
|
|
return lockEnabled
|
|
|
|
}
|
|
|
|
|
2021-08-06 13:05:57 +00:00
|
|
|
func checkBucketName(bucketName string) error {
|
|
|
|
if len(bucketName) < 3 || len(bucketName) > 63 {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if strings.HasPrefix(bucketName, "xn--") || strings.HasSuffix(bucketName, "-s3alias") {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
if net.ParseIP(bucketName) != nil {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
labels := strings.Split(bucketName, ".")
|
|
|
|
for _, label := range labels {
|
|
|
|
if len(label) == 0 {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
for i, r := range label {
|
|
|
|
if !isAlphaNum(r) && r != '-' {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
if (i == 0 || i == len(label)-1) && r == '-' {
|
2021-08-09 08:53:58 +00:00
|
|
|
return errors.GetAPIError(errors.ErrInvalidBucketName)
|
2021-08-06 13:05:57 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func isAlphaNum(char int32) bool {
|
|
|
|
return 'a' <= char && char <= 'z' || '0' <= char && char <= '9'
|
|
|
|
}
|
|
|
|
|
2021-07-16 12:35:07 +00:00
|
|
|
func parseLocationConstraint(r *http.Request) (*createBucketParams, error) {
|
|
|
|
if r.ContentLength == 0 {
|
|
|
|
return new(createBucketParams), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
params := new(createBucketParams)
|
|
|
|
if err := xml.NewDecoder(r.Body).Decode(params); err != nil {
|
2022-01-19 20:20:07 +00:00
|
|
|
return nil, errors.GetAPIError(errors.ErrMalformedXML)
|
2021-07-16 12:35:07 +00:00
|
|
|
}
|
|
|
|
return params, nil
|
|
|
|
}
|