diff options
author | Alex Auvolat <alex@adnab.me> | 2022-01-07 16:23:04 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-01-13 17:27:16 +0100 |
commit | bed3106c6a4cbdc7257eb88060fc04ec84340ee4 (patch) | |
tree | 6237fb5a7a49208c3c990b1b7b3955d35124da19 /src/web | |
parent | 60c0033c8bbd3dbc18f8c91f15674a60fd8acdc0 (diff) | |
download | garage-bed3106c6a4cbdc7257eb88060fc04ec84340ee4.tar.gz garage-bed3106c6a4cbdc7257eb88060fc04ec84340ee4.zip |
Implement {Put,Get,Delete}BucketCors and CORS in web server
Diffstat (limited to 'src/web')
-rw-r--r-- | src/web/web_server.rs | 175 |
1 files changed, 121 insertions, 54 deletions
diff --git a/src/web/web_server.rs b/src/web/web_server.rs index 834f31e8..bf330e85 100644 --- a/src/web/web_server.rs +++ b/src/web/web_server.rs @@ -2,19 +2,22 @@ use std::{borrow::Cow, convert::Infallible, net::SocketAddr, sync::Arc}; use futures::future::Future; +use http::header::{ACCESS_CONTROL_REQUEST_HEADERS, ACCESS_CONTROL_REQUEST_METHOD}; use hyper::{ header::{HeaderValue, HOST}, server::conn::AddrStream, service::{make_service_fn, service_fn}, - Body, Method, Request, Response, Server, + Body, Method, Request, Response, Server, StatusCode, }; use crate::error::*; -use garage_api::error::{Error as ApiError, OkOrBadRequest}; +use garage_api::error::{Error as ApiError, OkOrBadRequest, OkOrInternalError}; use garage_api::helpers::{authority_to_host, host_to_bucket}; +use garage_api::s3_cors::{add_cors_headers, cors_rule_matches}; use garage_api::s3_get::{handle_get, handle_head}; +use garage_model::bucket_table::Bucket; use garage_model::garage::Garage; use garage_table::*; @@ -132,72 +135,136 @@ async fn serve_file(garage: Arc<Garage>, req: &Request<Body>) -> Result<Response ); let ret_doc = match *req.method() { - Method::HEAD => handle_head(garage.clone(), req, bucket_id, &key).await, + Method::OPTIONS => return handle_options(&bucket, req), + Method::HEAD => { + return handle_head(garage.clone(), req, bucket_id, &key) + .await + .map_err(Error::from) + } Method::GET => handle_get(garage.clone(), req, bucket_id, &key).await, _ => Err(ApiError::BadRequest("HTTP method not supported".into())), } .map_err(Error::from); - if let Err(error) = ret_doc { - if *req.method() == Method::HEAD || !error.http_status_code().is_client_error() { - // Do not return the error document in the following cases: - // - the error is not a 4xx error code - // - the request is a HEAD method - // In this case we just return the error code and the error message in the body, - // by relying on err_to_res that is called above when we return an Err. - return Err(error); - } + match ret_doc { + Err(error) => { + // For a HEAD or OPTIONS method, we don't return the error document + // as content, we return above and just return the error message + // by relying on err_to_res that is called when we return an Err. + assert!(*req.method() != Method::HEAD && *req.method() != Method::OPTIONS); + + if !error.http_status_code().is_client_error() { + // Do not return the error document if it is not a 4xx error code. + return Err(error); + } - // Same if no error document is set: just return the error directly - let error_document = match &website_config.error_document { - Some(ed) => ed.trim_start_matches('/').to_owned(), - None => return Err(error), - }; - - // We want to return the error document - // Create a fake HTTP request with path = the error document - let req2 = Request::builder() - .uri(format!("http://{}/{}", host, &error_document)) - .body(Body::empty()) - .unwrap(); - - match handle_get(garage, &req2, bucket_id, &error_document).await { - Ok(mut error_doc) => { - // The error won't be logged back in handle_request, - // so log it here - info!( - "{} {} {} {}", - req.method(), - req.uri(), - error.http_status_code(), - error - ); - - *error_doc.status_mut() = error.http_status_code(); - error.add_headers(error_doc.headers_mut()); - - // Preserve error message in a special header - for error_line in error.to_string().split('\n') { - if let Ok(v) = HeaderValue::from_bytes(error_line.as_bytes()) { - error_doc.headers_mut().append("X-Garage-Error", v); + // If no error document is set: just return the error directly + let error_document = match &website_config.error_document { + Some(ed) => ed.trim_start_matches('/').to_owned(), + None => return Err(error), + }; + + // We want to return the error document + // Create a fake HTTP request with path = the error document + let req2 = Request::builder() + .uri(format!("http://{}/{}", host, &error_document)) + .body(Body::empty()) + .unwrap(); + + match handle_get(garage, &req2, bucket_id, &error_document).await { + Ok(mut error_doc) => { + // The error won't be logged back in handle_request, + // so log it here + info!( + "{} {} {} {}", + req.method(), + req.uri(), + error.http_status_code(), + error + ); + + *error_doc.status_mut() = error.http_status_code(); + error.add_headers(error_doc.headers_mut()); + + // Preserve error message in a special header + for error_line in error.to_string().split('\n') { + if let Ok(v) = HeaderValue::from_bytes(error_line.as_bytes()) { + error_doc.headers_mut().append("X-Garage-Error", v); + } } - } - Ok(error_doc) + Ok(error_doc) + } + Err(error_doc_error) => { + warn!( + "Couldn't get error document {} for bucket {:?}: {}", + error_document, bucket_id, error_doc_error + ); + Err(error) + } } - Err(error_doc_error) => { - warn!( - "Couldn't get error document {} for bucket {:?}: {}", - error_document, bucket_id, error_doc_error - ); - Err(error) + } + Ok(mut resp) => { + // Maybe add CORS headers + if let Some(cors_config) = bucket.params().unwrap().cors_config.get() { + if let Some(origin) = req.headers().get("Origin") { + let origin = origin.to_str()?; + let request_headers = match req.headers().get(ACCESS_CONTROL_REQUEST_HEADERS) { + Some(h) => h.to_str()?.split(',').map(|h| h.trim()).collect::<Vec<_>>(), + None => vec![], + }; + let matching_rule = cors_config.iter().find(|rule| { + cors_rule_matches( + rule, + origin, + &req.method().to_string(), + request_headers.iter(), + ) + }); + if let Some(rule) = matching_rule { + add_cors_headers(&mut resp, rule) + .ok_or_internal_error("Invalid CORS configuration")?; + } + } } + Ok(resp) } - } else { - ret_doc } } +fn handle_options(bucket: &Bucket, req: &Request<Body>) -> Result<Response<Body>, Error> { + let origin = req + .headers() + .get("Origin") + .ok_or_bad_request("Missing Origin header")? + .to_str()?; + let request_method = req + .headers() + .get(ACCESS_CONTROL_REQUEST_METHOD) + .ok_or_bad_request("Missing Access-Control-Request-Method header")? + .to_str()?; + let request_headers = match req.headers().get(ACCESS_CONTROL_REQUEST_HEADERS) { + Some(h) => h.to_str()?.split(',').map(|h| h.trim()).collect::<Vec<_>>(), + None => vec![], + }; + + if let Some(cors_config) = bucket.params().unwrap().cors_config.get() { + let matching_rule = cors_config + .iter() + .find(|rule| cors_rule_matches(rule, origin, request_method, request_headers.iter())); + if let Some(rule) = matching_rule { + let mut resp = Response::builder() + .status(StatusCode::OK) + .body(Body::empty()) + .map_err(ApiError::from)?; + add_cors_headers(&mut resp, rule).ok_or_internal_error("Invalid CORS configuration")?; + return Ok(resp); + } + } + + Err(ApiError::Forbidden("No matching CORS rule".into()).into()) +} + /// Path to key /// /// Convert the provided path to the internal key |