aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/api/s3/post_object.rs13
-rw-r--r--src/garage/main.rs32
-rw-r--r--src/garage/repair/offline.rs2
-rw-r--r--src/garage/server.rs2
-rw-r--r--src/util/config.rs35
5 files changed, 59 insertions, 25 deletions
diff --git a/src/api/s3/post_object.rs b/src/api/s3/post_object.rs
index 542b7a81..f9eccb7f 100644
--- a/src/api/s3/post_object.rs
+++ b/src/api/s3/post_object.rs
@@ -15,6 +15,7 @@ use serde::Deserialize;
use garage_model::garage::Garage;
+use crate::s3::cors::*;
use crate::s3::error::*;
use crate::s3::put::{get_headers, save_stream};
use crate::s3::xml as s3_xml;
@@ -242,7 +243,7 @@ pub async fn handle_post_object(
let etag = format!("\"{}\"", md5);
- let resp = if let Some(mut target) = params
+ let mut resp = if let Some(mut target) = params
.get("success_action_redirect")
.and_then(|h| h.to_str().ok())
.and_then(|u| url::Url::parse(u).ok())
@@ -262,8 +263,7 @@ pub async fn handle_post_object(
} else {
let path = head
.uri
- .into_parts()
- .path_and_query
+ .path_and_query()
.map(|paq| paq.path().to_string())
.unwrap_or_else(|| "/".to_string());
let authority = head
@@ -308,6 +308,13 @@ pub async fn handle_post_object(
}
};
+ let matching_cors_rule =
+ find_matching_cors_rule(&bucket, &Request::from_parts(head, Body::empty()))?;
+ if let Some(rule) = matching_cors_rule {
+ add_cors_headers(&mut resp, rule)
+ .ok_or_internal_error("Invalid bucket CORS configuration")?;
+ }
+
Ok(resp)
}
diff --git a/src/garage/main.rs b/src/garage/main.rs
index 66403d05..4ee63fa9 100644
--- a/src/garage/main.rs
+++ b/src/garage/main.rs
@@ -28,7 +28,7 @@ use structopt::StructOpt;
use netapp::util::parse_and_resolve_peer_addr;
use netapp::NetworkKey;
-use garage_util::config::Config;
+use garage_util::config::{read_secret_file, Config};
use garage_util::error::*;
use garage_rpc::system::*;
@@ -73,15 +73,30 @@ pub struct Secrets {
#[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
pub rpc_secret: Option<String>,
- /// Metrics API authentication token, replaces admin.metrics_token in config.toml when
+ /// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
+ /// when running the daemon or doing admin operations
+ #[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
+ pub rpc_secret_file: Option<String>,
+
+ /// Admin API authentication token, replaces admin.admin_token in config.toml when
/// running the Garage daemon
#[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")]
pub admin_token: Option<String>,
+ /// Admin API authentication token file path, replaces admin.admin_token in config.toml
+ /// and admin-token when running the Garage daemon
+ #[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
+ pub admin_token_file: Option<String>,
+
/// Metrics API authentication token, replaces admin.metrics_token in config.toml when
/// running the Garage daemon
#[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")]
pub metrics_token: Option<String>,
+
+ /// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
+ /// and metrics-token when running the Garage daemon
+ #[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
+ pub metrics_token_file: Option<String>,
}
#[tokio::main]
@@ -262,15 +277,24 @@ async fn cli_command(opt: Opt) -> Result<(), Error> {
}
}
-fn fill_secrets(mut config: Config, secrets: Secrets) -> Config {
+fn fill_secrets(mut config: Config, secrets: Secrets) -> Result<Config, Error> {
if secrets.rpc_secret.is_some() {
config.rpc_secret = secrets.rpc_secret;
+ } else if secrets.rpc_secret_file.is_some() {
+ config.rpc_secret = Some(read_secret_file(&secrets.rpc_secret_file.unwrap())?);
}
+
if secrets.admin_token.is_some() {
config.admin.admin_token = secrets.admin_token;
+ } else if secrets.admin_token_file.is_some() {
+ config.admin.admin_token = Some(read_secret_file(&secrets.admin_token_file.unwrap())?);
}
+
if secrets.metrics_token.is_some() {
config.admin.metrics_token = secrets.metrics_token;
+ } else if secrets.metrics_token_file.is_some() {
+ config.admin.metrics_token = Some(read_secret_file(&secrets.metrics_token_file.unwrap())?);
}
- config
+
+ Ok(config)
}
diff --git a/src/garage/repair/offline.rs b/src/garage/repair/offline.rs
index f4edcf03..beb48d65 100644
--- a/src/garage/repair/offline.rs
+++ b/src/garage/repair/offline.rs
@@ -20,7 +20,7 @@ pub async fn offline_repair(
}
info!("Loading configuration...");
- let config = fill_secrets(read_config(config_file)?, secrets);
+ let config = fill_secrets(read_config(config_file)?, secrets)?;
info!("Initializing Garage main data store...");
let garage = Garage::new(config)?;
diff --git a/src/garage/server.rs b/src/garage/server.rs
index 3ad10b72..96ea900d 100644
--- a/src/garage/server.rs
+++ b/src/garage/server.rs
@@ -29,7 +29,7 @@ async fn wait_from(mut chan: watch::Receiver<bool>) {
pub async fn run_server(config_file: PathBuf, secrets: Secrets) -> Result<(), Error> {
info!("Loading configuration...");
- let config = fill_secrets(read_config(config_file)?, secrets);
+ let config = fill_secrets(read_config(config_file)?, secrets)?;
// ---- Initialize Garage internals ----
diff --git a/src/util/config.rs b/src/util/config.rs
index ad5c8e1f..365f3245 100644
--- a/src/util/config.rs
+++ b/src/util/config.rs
@@ -265,6 +265,24 @@ pub fn read_config(config_file: PathBuf) -> Result<Config, Error> {
Ok(parsed_config)
}
+pub fn read_secret_file(file_path: &String) -> Result<String, Error> {
+ #[cfg(unix)]
+ if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") {
+ use std::os::unix::fs::MetadataExt;
+ let metadata = std::fs::metadata(file_path)?;
+ if metadata.mode() & 0o077 != 0 {
+ return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
+ }
+ }
+ let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?;
+ let mut secret_buf = String::new();
+ file.read_to_string(&mut secret_buf)?;
+
+ // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
+ // also editors sometimes add a trailing newline
+ Ok(String::from(secret_buf.trim_end()))
+}
+
fn secret_from_file(
secret: &mut Option<String>,
secret_file: &Option<String>,
@@ -277,22 +295,7 @@ fn secret_from_file(
(Some(_), Some(_)) => {
return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
}
- (None, Some(file_path)) => {
- #[cfg(unix)]
- if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") {
- use std::os::unix::fs::MetadataExt;
- let metadata = std::fs::metadata(file_path)?;
- if metadata.mode() & 0o077 != 0 {
- return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
- }
- }
- let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?;
- let mut secret_buf = String::new();
- file.read_to_string(&mut secret_buf)?;
- // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
- // also editors sometimes add a trailing newline
- *secret = Some(String::from(secret_buf.trim_end()));
- }
+ (None, Some(file_path)) => *secret = Some(read_secret_file(file_path)?),
}
Ok(())
}