2018-07-18 02:37:09 -07:00
|
|
|
package s3api
|
|
|
|
|
|
|
|
|
|
import (
|
2022-03-07 02:00:14 -08:00
|
|
|
"context"
|
2020-07-28 08:47:24 -07:00
|
|
|
"fmt"
|
2022-03-07 02:00:14 -08:00
|
|
|
"net"
|
2020-02-09 14:30:02 -08:00
|
|
|
"net/http"
|
2020-10-21 20:48:51 +05:00
|
|
|
"strings"
|
2020-12-07 00:10:29 -08:00
|
|
|
"time"
|
2020-02-09 14:30:02 -08:00
|
|
|
|
2025-07-02 18:03:17 -07:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/credential"
|
2023-12-20 18:21:11 -06:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/filer"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/util/grace"
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
"github.com/gorilla/mux"
|
2022-07-29 00:17:28 -07:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb"
|
|
|
|
|
. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/security"
|
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/util"
|
2024-07-17 09:14:09 +03:00
|
|
|
util_http "github.com/seaweedfs/seaweedfs/weed/util/http"
|
|
|
|
|
util_http_client "github.com/seaweedfs/seaweedfs/weed/util/http/client"
|
2024-08-21 10:55:39 -07:00
|
|
|
"google.golang.org/grpc"
|
2018-07-18 02:37:09 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type S3ApiServerOption struct {
|
2022-03-30 22:46:13 +05:00
|
|
|
Filer pb.ServerAddress
|
|
|
|
|
Port int
|
|
|
|
|
Config string
|
|
|
|
|
DomainName string
|
2023-12-20 18:21:11 -06:00
|
|
|
AllowedOrigins []string
|
2022-03-30 22:46:13 +05:00
|
|
|
BucketsPath string
|
|
|
|
|
GrpcDialOption grpc.DialOption
|
|
|
|
|
AllowEmptyFolder bool
|
|
|
|
|
AllowDeleteBucketNotEmpty bool
|
2022-09-01 22:33:23 +05:00
|
|
|
LocalFilerSocket string
|
2022-08-05 05:35:00 +05:00
|
|
|
DataCenter string
|
2023-05-16 20:09:43 +03:30
|
|
|
FilerGroup string
|
2018-07-18 02:37:09 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type S3ApiServer struct {
|
2022-05-15 00:43:37 -07:00
|
|
|
s3_pb.UnimplementedSeaweedS3Server
|
2025-07-02 18:03:17 -07:00
|
|
|
option *S3ApiServerOption
|
|
|
|
|
iam *IdentityAccessManagement
|
|
|
|
|
cb *CircuitBreaker
|
|
|
|
|
randomClientId int32
|
|
|
|
|
filerGuard *security.Guard
|
|
|
|
|
client util_http_client.HTTPClientInterface
|
|
|
|
|
bucketRegistry *BucketRegistry
|
|
|
|
|
credentialManager *credential.CredentialManager
|
2025-07-09 01:51:45 -07:00
|
|
|
bucketConfigCache *BucketConfigCache
|
2018-07-18 02:37:09 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
|
2025-07-02 18:03:17 -07:00
|
|
|
return NewS3ApiServerWithStore(router, option, "")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, explicitStore string) (s3ApiServer *S3ApiServer, err error) {
|
2024-09-26 23:31:57 +08:00
|
|
|
startTsNs := time.Now().UnixNano()
|
|
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-29 19:47:53 +01:00
|
|
|
v := util.GetViper()
|
|
|
|
|
signingKey := v.GetString("jwt.filer_signing.key")
|
|
|
|
|
v.SetDefault("jwt.filer_signing.expires_after_seconds", 10)
|
|
|
|
|
expiresAfterSec := v.GetInt("jwt.filer_signing.expires_after_seconds")
|
|
|
|
|
|
|
|
|
|
readSigningKey := v.GetString("jwt.filer_signing.read.key")
|
|
|
|
|
v.SetDefault("jwt.filer_signing.read.expires_after_seconds", 60)
|
|
|
|
|
readExpiresAfterSec := v.GetInt("jwt.filer_signing.read.expires_after_seconds")
|
|
|
|
|
|
2023-12-20 18:21:11 -06:00
|
|
|
v.SetDefault("cors.allowed_origins.values", "*")
|
|
|
|
|
|
2025-07-02 18:03:17 -07:00
|
|
|
if len(option.AllowedOrigins) == 0 {
|
2023-12-20 18:21:11 -06:00
|
|
|
allowedOrigins := v.GetString("cors.allowed_origins.values")
|
|
|
|
|
domains := strings.Split(allowedOrigins, ",")
|
|
|
|
|
option.AllowedOrigins = domains
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-02 18:03:17 -07:00
|
|
|
var iam *IdentityAccessManagement
|
|
|
|
|
|
|
|
|
|
iam = NewIdentityAccessManagementWithStore(option, explicitStore)
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
s3ApiServer = &S3ApiServer{
|
2025-07-02 18:03:17 -07:00
|
|
|
option: option,
|
|
|
|
|
iam: iam,
|
|
|
|
|
randomClientId: util.RandomInt32(),
|
|
|
|
|
filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
|
|
|
|
|
cb: NewCircuitBreaker(option),
|
|
|
|
|
credentialManager: iam.credentialManager,
|
2025-07-18 02:19:50 -07:00
|
|
|
bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
|
2018-07-18 02:37:09 -07:00
|
|
|
}
|
2025-07-02 18:03:17 -07:00
|
|
|
|
2023-10-19 11:26:49 +05:00
|
|
|
if option.Config != "" {
|
|
|
|
|
grace.OnReload(func() {
|
|
|
|
|
if err := s3ApiServer.iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
|
|
|
|
|
glog.Errorf("fail to load config file %s: %v", option.Config, err)
|
|
|
|
|
} else {
|
2023-10-19 08:10:33 -07:00
|
|
|
glog.V(0).Infof("Loaded %d identities from config file %s", len(s3ApiServer.iam.identities), option.Config)
|
2023-10-19 11:26:49 +05:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-09-30 03:29:01 +08:00
|
|
|
s3ApiServer.bucketRegistry = NewBucketRegistry(s3ApiServer)
|
2022-09-01 22:33:23 +05:00
|
|
|
if option.LocalFilerSocket == "" {
|
2024-07-17 09:14:09 +03:00
|
|
|
if s3ApiServer.client, err = util_http.NewGlobalHttpClient(); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-03-07 02:00:14 -08:00
|
|
|
} else {
|
|
|
|
|
s3ApiServer.client = &http.Client{
|
|
|
|
|
Transport: &http.Transport{
|
|
|
|
|
DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
|
2022-09-01 22:33:23 +05:00
|
|
|
return net.Dial("unix", option.LocalFilerSocket)
|
2022-03-07 02:00:14 -08:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-07-18 02:37:09 -07:00
|
|
|
|
|
|
|
|
s3ApiServer.registerRouter(router)
|
|
|
|
|
|
2024-09-26 23:31:57 +08:00
|
|
|
go s3ApiServer.subscribeMetaEvents("s3", startTsNs, filer.DirectoryEtcRoot, []string{option.BucketsPath})
|
2018-07-18 02:37:09 -07:00
|
|
|
return s3ApiServer, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-15 00:23:54 -07:00
|
|
|
// handleCORSOriginValidation handles the common CORS origin validation logic
|
|
|
|
|
func (s3a *S3ApiServer) handleCORSOriginValidation(w http.ResponseWriter, r *http.Request) bool {
|
|
|
|
|
origin := r.Header.Get("Origin")
|
|
|
|
|
if origin != "" {
|
|
|
|
|
if len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
|
|
|
|
|
origin = "*"
|
|
|
|
|
} else {
|
|
|
|
|
originFound := false
|
|
|
|
|
for _, allowedOrigin := range s3a.option.AllowedOrigins {
|
|
|
|
|
if origin == allowedOrigin {
|
|
|
|
|
originFound = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !originFound {
|
|
|
|
|
writeFailureResponse(w, r, http.StatusForbidden)
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Header().Set("Access-Control-Allow-Origin", origin)
|
|
|
|
|
w.Header().Set("Access-Control-Expose-Headers", "*")
|
|
|
|
|
w.Header().Set("Access-Control-Allow-Methods", "*")
|
|
|
|
|
w.Header().Set("Access-Control-Allow-Headers", "*")
|
|
|
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
|
|
|
|
|
// API Router
|
|
|
|
|
apiRouter := router.PathPrefix("/").Subrouter()
|
2021-08-10 13:42:46 +03:00
|
|
|
|
|
|
|
|
// Readiness Probe
|
2024-07-01 13:00:39 +05:00
|
|
|
apiRouter.Methods(http.MethodGet).Path("/status").HandlerFunc(s3a.StatusHandler)
|
2024-08-21 10:55:39 -07:00
|
|
|
apiRouter.Methods(http.MethodGet).Path("/healthz").HandlerFunc(s3a.StatusHandler)
|
2021-08-10 13:42:46 +03:00
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
var routers []*mux.Router
|
|
|
|
|
if s3a.option.DomainName != "" {
|
2020-10-21 20:48:51 +05:00
|
|
|
domainNames := strings.Split(s3a.option.DomainName, ",")
|
|
|
|
|
for _, domainName := range domainNames {
|
|
|
|
|
routers = append(routers, apiRouter.Host(
|
|
|
|
|
fmt.Sprintf("%s.%s:%d", "{bucket:.+}", domainName, s3a.option.Port)).Subrouter())
|
|
|
|
|
routers = append(routers, apiRouter.Host(
|
|
|
|
|
fmt.Sprintf("%s.%s", "{bucket:.+}", domainName)).Subrouter())
|
|
|
|
|
}
|
2018-07-18 02:37:09 -07:00
|
|
|
}
|
|
|
|
|
routers = append(routers, apiRouter.PathPrefix("/{bucket}").Subrouter())
|
|
|
|
|
|
2025-07-15 00:23:54 -07:00
|
|
|
// Get CORS middleware instance with caching
|
|
|
|
|
corsMiddleware := s3a.getCORSMiddleware()
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
for _, bucket := range routers {
|
2025-07-15 00:23:54 -07:00
|
|
|
// Apply CORS middleware to bucket routers for automatic CORS header handling
|
|
|
|
|
bucket.Use(corsMiddleware.Handler)
|
|
|
|
|
|
|
|
|
|
// Bucket-specific OPTIONS handler for CORS preflight requests
|
|
|
|
|
// Use PathPrefix to catch all bucket-level preflight routes including /bucket/object
|
|
|
|
|
bucket.PathPrefix("/").Methods(http.MethodOptions).HandlerFunc(corsMiddleware.HandleOptionsRequest)
|
2018-07-21 10:39:02 -07:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// each case should follow the next rule:
|
|
|
|
|
// - requesting object with query must precede any other methods
|
|
|
|
|
// - requesting object must precede any methods with buckets
|
|
|
|
|
// - requesting bucket with query must precede raw methods with buckets
|
|
|
|
|
// - requesting bucket must be processed in the end
|
|
|
|
|
|
|
|
|
|
// objects with query
|
2018-07-22 02:04:07 -07:00
|
|
|
|
2020-01-31 00:11:08 -08:00
|
|
|
// CopyObjectPart
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HeadersRegexp("X-Amz-Copy-Source", `.*?(\/|%2F).*?`).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.CopyObjectPartHandler, ACTION_WRITE)), "PUT")).Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}")
|
2018-09-03 11:38:10 -07:00
|
|
|
// PutObjectPart
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectPartHandler, ACTION_WRITE)), "PUT")).Queries("partNumber", "{partNumber:[0-9]+}", "uploadId", "{uploadId:.*}")
|
2018-09-03 11:38:10 -07:00
|
|
|
// CompleteMultipartUpload
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPost).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.CompleteMultipartUploadHandler, ACTION_WRITE)), "POST")).Queries("uploadId", "{uploadId:.*}")
|
2018-09-03 11:38:10 -07:00
|
|
|
// NewMultipartUpload
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPost).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.NewMultipartUploadHandler, ACTION_WRITE)), "POST")).Queries("uploads", "")
|
2018-09-03 11:38:10 -07:00
|
|
|
// AbortMultipartUpload
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.AbortMultipartUploadHandler, ACTION_WRITE)), "DELETE")).Queries("uploadId", "{uploadId:.*}")
|
2018-09-03 11:38:10 -07:00
|
|
|
// ListObjectParts
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.ListObjectPartsHandler, ACTION_READ)), "GET")).Queries("uploadId", "{uploadId:.*}")
|
2018-09-03 11:38:10 -07:00
|
|
|
// ListMultipartUploads
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.ListMultipartUploadsHandler, ACTION_READ)), "GET")).Queries("uploads", "")
|
2018-09-03 11:38:10 -07:00
|
|
|
|
2020-10-02 22:21:51 -07:00
|
|
|
// GetObjectTagging
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetObjectTaggingHandler, ACTION_READ)), "GET")).Queries("tagging", "")
|
2020-10-02 22:21:51 -07:00
|
|
|
// PutObjectTagging
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectTaggingHandler, ACTION_TAGGING)), "PUT")).Queries("tagging", "")
|
2020-10-02 22:21:51 -07:00
|
|
|
// DeleteObjectTagging
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteObjectTaggingHandler, ACTION_TAGGING)), "DELETE")).Queries("tagging", "")
|
2020-10-02 22:21:51 -07:00
|
|
|
|
2021-09-19 03:24:47 -07:00
|
|
|
// PutObjectACL
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectAclHandler, ACTION_WRITE_ACP)), "PUT")).Queries("acl", "")
|
2021-09-19 03:24:47 -07:00
|
|
|
// PutObjectRetention
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectRetentionHandler, ACTION_WRITE)), "PUT")).Queries("retention", "")
|
2021-09-19 03:24:47 -07:00
|
|
|
// PutObjectLegalHold
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectLegalHoldHandler, ACTION_WRITE)), "PUT")).Queries("legal-hold", "")
|
2021-09-19 03:24:47 -07:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// GetObjectACL
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetObjectAclHandler, ACTION_READ_ACP)), "GET")).Queries("acl", "")
|
2025-07-12 21:58:55 -07:00
|
|
|
// GetObjectRetention
|
|
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetObjectRetentionHandler, ACTION_READ)), "GET")).Queries("retention", "")
|
|
|
|
|
// GetObjectLegalHold
|
|
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetObjectLegalHoldHandler, ACTION_READ)), "GET")).Queries("legal-hold", "")
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// objects with query
|
|
|
|
|
|
|
|
|
|
// raw objects
|
|
|
|
|
|
|
|
|
|
// HeadObject
|
2025-07-22 01:07:15 -07:00
|
|
|
bucket.Methods(http.MethodHead).Path("/{object:.+}").HandlerFunc(track(s3a.AuthWithPublicRead(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
limitedHandler, _ := s3a.cb.Limit(s3a.HeadObjectHandler, ACTION_READ)
|
|
|
|
|
limitedHandler(w, r)
|
|
|
|
|
}, ACTION_READ), "GET"))
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// GetObject, but directory listing is not supported
|
2025-07-22 01:07:15 -07:00
|
|
|
bucket.Methods(http.MethodGet).Path("/{object:.+}").HandlerFunc(track(s3a.AuthWithPublicRead(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
limitedHandler, _ := s3a.cb.Limit(s3a.GetObjectHandler, ACTION_READ)
|
|
|
|
|
limitedHandler(w, r)
|
|
|
|
|
}, ACTION_READ), "GET"))
|
2022-02-04 15:14:48 +03:00
|
|
|
|
2020-01-31 00:11:08 -08:00
|
|
|
// CopyObject
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HeadersRegexp("X-Amz-Copy-Source", ".*?(\\/|%2F).*?").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.CopyObjectHandler, ACTION_WRITE)), "COPY"))
|
2018-09-12 00:46:12 -07:00
|
|
|
// PutObject
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectHandler, ACTION_WRITE)), "PUT"))
|
2018-07-21 18:49:47 -07:00
|
|
|
// DeleteObject
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).Path("/{object:.+}").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteObjectHandler, ACTION_WRITE)), "DELETE"))
|
2018-07-18 02:37:09 -07:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// raw objects
|
2018-07-22 01:14:36 -07:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// buckets with query
|
2020-09-19 20:14:19 -07:00
|
|
|
|
2018-09-04 00:42:44 -07:00
|
|
|
// DeleteMultipleObjects
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPost).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteMultipleObjectsHandler, ACTION_WRITE)), "DELETE")).Queries("delete", "")
|
2021-10-11 15:03:56 +05:00
|
|
|
|
|
|
|
|
// GetBucketACL
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketAclHandler, ACTION_READ_ACP)), "GET")).Queries("acl", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
// PutBucketACL
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketAclHandler, ACTION_WRITE_ACP)), "PUT")).Queries("acl", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// GetBucketPolicy
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketPolicyHandler, ACTION_READ)), "GET")).Queries("policy", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
// PutBucketPolicy
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketPolicyHandler, ACTION_WRITE)), "PUT")).Queries("policy", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
// DeleteBucketPolicy
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketPolicyHandler, ACTION_WRITE)), "DELETE")).Queries("policy", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
|
|
|
|
|
// GetBucketCors
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketCorsHandler, ACTION_READ)), "GET")).Queries("cors", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
// PutBucketCors
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketCorsHandler, ACTION_WRITE)), "PUT")).Queries("cors", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
// DeleteBucketCors
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketCorsHandler, ACTION_WRITE)), "DELETE")).Queries("cors", "")
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// GetBucketLifecycleConfiguration
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketLifecycleConfigurationHandler, ACTION_READ)), "GET")).Queries("lifecycle", "")
|
2022-02-04 15:14:48 +03:00
|
|
|
// PutBucketLifecycleConfiguration
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketLifecycleConfigurationHandler, ACTION_WRITE)), "PUT")).Queries("lifecycle", "")
|
2022-02-04 15:14:48 +03:00
|
|
|
// DeleteBucketLifecycleConfiguration
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketLifecycleHandler, ACTION_WRITE)), "DELETE")).Queries("lifecycle", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
|
|
|
|
|
// GetBucketLocation
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketLocationHandler, ACTION_READ)), "GET")).Queries("location", "")
|
2022-02-03 17:17:05 +03:00
|
|
|
|
|
|
|
|
// GetBucketRequestPayment
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketRequestPaymentHandler, ACTION_READ)), "GET")).Queries("requestPayment", "")
|
2021-10-11 15:03:56 +05:00
|
|
|
|
2023-11-13 15:25:17 +05:00
|
|
|
// GetBucketVersioning
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketVersioningHandler, ACTION_READ)), "GET")).Queries("versioning", "")
|
|
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketVersioningHandler, ACTION_WRITE)), "PUT")).Queries("versioning", "")
|
2023-11-13 15:25:17 +05:00
|
|
|
|
2025-07-12 21:58:55 -07:00
|
|
|
// GetObjectLockConfiguration / PutObjectLockConfiguration (bucket-level operations)
|
2025-07-18 02:19:50 -07:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetObjectLockConfigurationHandler, ACTION_READ)), "GET")).Queries("object-lock", "")
|
|
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutObjectLockConfigurationHandler, ACTION_WRITE)), "PUT")).Queries("object-lock", "")
|
2025-07-12 21:58:55 -07:00
|
|
|
|
2024-10-04 22:59:14 +05:00
|
|
|
// GetBucketTagging
|
|
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketTaggingHandler, ACTION_TAGGING)), "GET")).Queries("tagging", "")
|
|
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketTaggingHandler, ACTION_TAGGING)), "PUT")).Queries("tagging", "")
|
|
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketTaggingHandler, ACTION_TAGGING)), "DELETE")).Queries("tagging", "")
|
|
|
|
|
|
2024-10-03 20:10:43 +05:00
|
|
|
// GetBucketEncryption
|
|
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketEncryptionHandler, ACTION_ADMIN)), "GET")).Queries("encryption", "")
|
|
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketEncryptionHandler, ACTION_ADMIN)), "PUT")).Queries("encryption", "")
|
|
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketEncryptionHandler, ACTION_ADMIN)), "DELETE")).Queries("encryption", "")
|
|
|
|
|
|
2024-10-04 22:59:14 +05:00
|
|
|
// GetPublicAccessBlockHandler
|
|
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetPublicAccessBlockHandler, ACTION_ADMIN)), "GET")).Queries("publicAccessBlock", "")
|
|
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutPublicAccessBlockHandler, ACTION_ADMIN)), "PUT")).Queries("publicAccessBlock", "")
|
|
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeletePublicAccessBlockHandler, ACTION_ADMIN)), "DELETE")).Queries("publicAccessBlock", "")
|
|
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// ListObjectsV2
|
2025-07-22 01:07:15 -07:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.AuthWithPublicRead(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
limitedHandler, _ := s3a.cb.Limit(s3a.ListObjectsV2Handler, ACTION_LIST)
|
|
|
|
|
limitedHandler(w, r)
|
|
|
|
|
}, ACTION_LIST), "LIST")).Queries("list-type", "2")
|
2021-10-11 15:03:56 +05:00
|
|
|
|
2025-07-09 01:51:45 -07:00
|
|
|
// ListObjectVersions
|
|
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.ListObjectVersionsHandler, ACTION_LIST)), "LIST")).Queries("versions", "")
|
|
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// buckets with query
|
2022-10-02 10:18:00 +08:00
|
|
|
// PutBucketOwnershipControls
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.PutBucketOwnershipControls, ACTION_ADMIN), "PUT")).Queries("ownershipControls", "")
|
2022-10-02 10:18:00 +08:00
|
|
|
|
|
|
|
|
//GetBucketOwnershipControls
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.GetBucketOwnershipControls, ACTION_READ), "GET")).Queries("ownershipControls", "")
|
2022-10-02 10:18:00 +08:00
|
|
|
|
|
|
|
|
//DeleteBucketOwnershipControls
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.DeleteBucketOwnershipControls, ACTION_ADMIN), "DELETE")).Queries("ownershipControls", "")
|
2021-10-11 15:03:56 +05:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// raw buckets
|
2021-10-11 15:03:56 +05:00
|
|
|
|
2022-02-04 15:14:48 +03:00
|
|
|
// PostPolicy
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPost).HeadersRegexp("Content-Type", "multipart/form-data*").HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PostPolicyBucketHandler, ACTION_WRITE)), "POST"))
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// HeadBucket
|
2025-07-22 01:07:15 -07:00
|
|
|
bucket.Methods(http.MethodHead).HandlerFunc(track(s3a.AuthWithPublicRead(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
limitedHandler, _ := s3a.cb.Limit(s3a.HeadBucketHandler, ACTION_READ)
|
|
|
|
|
limitedHandler(w, r)
|
|
|
|
|
}, ACTION_READ), "GET"))
|
2021-10-28 18:30:33 +05:00
|
|
|
|
|
|
|
|
// PutBucket
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketHandler, ACTION_ADMIN)), "PUT"))
|
2024-02-19 19:07:48 +08:00
|
|
|
|
2021-10-28 18:30:33 +05:00
|
|
|
// DeleteBucket
|
2024-07-01 13:00:39 +05:00
|
|
|
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketHandler, ACTION_DELETE_BUCKET)), "DELETE"))
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// ListObjectsV1 (Legacy)
|
2025-07-22 01:07:15 -07:00
|
|
|
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.AuthWithPublicRead(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
limitedHandler, _ := s3a.cb.Limit(s3a.ListObjectsV1Handler, ACTION_LIST)
|
|
|
|
|
limitedHandler(w, r)
|
|
|
|
|
}, ACTION_LIST), "LIST"))
|
2022-02-04 15:14:48 +03:00
|
|
|
|
|
|
|
|
// raw buckets
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
}
|
|
|
|
|
|
2025-07-15 00:23:54 -07:00
|
|
|
// Global OPTIONS handler for service-level requests (non-bucket requests)
|
|
|
|
|
// This handles requests like OPTIONS /, OPTIONS /status, OPTIONS /healthz
|
|
|
|
|
// Place this after bucket handlers to avoid interfering with bucket CORS middleware
|
|
|
|
|
apiRouter.Methods(http.MethodOptions).PathPrefix("/").HandlerFunc(
|
|
|
|
|
func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
// Only handle if this is not a bucket-specific request
|
|
|
|
|
vars := mux.Vars(r)
|
|
|
|
|
bucket := vars["bucket"]
|
|
|
|
|
if bucket != "" {
|
|
|
|
|
// This is a bucket-specific request, let bucket CORS middleware handle it
|
|
|
|
|
http.NotFound(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if s3a.handleCORSOriginValidation(w, r) {
|
|
|
|
|
writeSuccessResponseEmpty(w, r)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2018-07-18 02:37:09 -07:00
|
|
|
// ListBuckets
|
2024-07-01 13:00:39 +05:00
|
|
|
apiRouter.Methods(http.MethodGet).Path("/").HandlerFunc(track(s3a.ListBucketsHandler, "LIST"))
|
2018-07-18 02:37:09 -07:00
|
|
|
|
|
|
|
|
// NotFound
|
2021-06-10 21:50:21 -07:00
|
|
|
apiRouter.NotFoundHandler = http.HandlerFunc(s3err.NotFoundHandler)
|
2018-07-18 02:37:09 -07:00
|
|
|
|
|
|
|
|
}
|