minio/cmd/routers.go

/*
 * MinIO Cloud Storage, (C) 2015, 2016 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"net/http"

	"github.com/gorilla/mux"
)

// Composed function registering routers for only distributed Erasure setup.
func registerDistErasureRouters(router *mux.Router, endpointZones EndpointZones) {
	// Register storage REST router only if its a distributed setup.
	registerStorageRESTHandlers(router, endpointZones)

	// Register peer REST router only if its a distributed setup.
	registerPeerRESTHandlers(router)

	// Register bootstrap REST router for distributed setups.
	registerBootstrapRESTHandlers(router)

	// Register distributed namespace lock routers.
	registerLockRESTHandlers(router, endpointZones)
}

// List of some generic handlers which are applied for all incoming requests.
var globalHandlers = []MiddlewareFunc{
	// set x-amz-request-id header.
	addCustomHeaders,
	// set HTTP security headers such as Content-Security-Policy.
	addSecurityHeaders,
	// Forward path style requests to actual host in a bucket federated setup.
	setBucketForwardingHandler,
	// Validate all the incoming requests.
	setRequestValidityHandler,
	// Network statistics
	setHTTPStatsHandler,
	// Limits all requests size to a maximum fixed limit
	setRequestSizeLimitHandler,
	// Limits all header sizes to a maximum fixed limit
	setRequestHeaderSizeLimitHandler,
	// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.
	setCrossDomainPolicy,
	// Redirect some pre-defined browser request paths to a static location prefix.
	setBrowserRedirectHandler,
	// Validates if incoming request is for restricted buckets.
	setReservedBucketHandler,
	// Adds cache control for all browser requests.
	setBrowserCacheControlHandler,
	// Validates all incoming requests to have a valid date header.
	setTimeValidityHandler,
	// CORS setting for all browser API requests.
	setCorsHandler,
	// Validates all incoming URL resources, for invalid/unsupported
	// resources client receives a HTTP error.
	setIgnoreResourcesHandler,
	// Auth handler verifies incoming authorization headers and
	// routes them accordingly. Client receives a HTTP error for
	// invalid/unsupported signatures.
	setAuthHandler,
	// Enforce rules specific for TLS requests
	setSSETLSHandler,
	// filters HTTP headers which are treated as metadata and are reserved
	// for internal use only.
	filterReservedMetadata,
	// Add new handlers here.
}

// configureServer handler returns final handler for the http server.
func configureServerHandler(endpointZones EndpointZones) (http.Handler, error) {
	// Initialize router. `SkipClean(true)` stops gorilla/mux from
	// normalizing URL path minio/minio#3256
	router := mux.NewRouter().SkipClean(true).UseEncodedPath()

	// Initialize distributed NS lock.
	if globalIsDistErasure {
		registerDistErasureRouters(router, endpointZones)
	}

	// Add STS router always.
	registerSTSRouter(router)

	// Add Admin router, all APIs are enabled in server mode.
	registerAdminRouter(router, true, true)

	// Add healthcheck router
	registerHealthCheckRouter(router)

	// Add server metrics router
	registerMetricsRouter(router)

	// Register web router when its enabled.
	if globalBrowserEnabled {
		if err := registerWebRouter(router); err != nil {
			return nil, err
		}
	}

	// Add API router, additionally all server mode support encryption
	// but don't allow SSE-KMS.
	registerAPIRouter(router, true, false)

	// If none of the routes match add default error handler routes
	router.NotFoundHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))
	router.MethodNotAllowedHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))

	router.Use(registerMiddlewares)
	return router, nil
}
Restructure API handlers, add JSON RPC simple HelloService right now. 2015-07-01 11:15:48 +08:00			`/*`
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-10 02:39:42 +08:00			`* MinIO Cloud Storage, (C) 2015, 2016 MinIO, Inc.`
Restructure API handlers, add JSON RPC simple HelloService right now. 2015-07-01 11:15:48 +08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

server: Move all the top level files into cmd folder. (#2490) This change brings a change which was done for the 'mc' package to allow for clean repo and have a cleaner github drop in experience. 2016-08-19 07:23:42 +08:00			`package cmd`
Restructure API handlers, add JSON RPC simple HelloService right now. 2015-07-01 11:15:48 +08:00
			`import (`
			`"net/http"`

use package name correctly (#5827) 2018-04-22 10:23:54 +08:00			`"github.com/gorilla/mux"`
Restructure API handlers, add JSON RPC simple HelloService right now. 2015-07-01 11:15:48 +08:00			`)`

Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111 2020-06-13 11:04:01 +08:00			`// Composed function registering routers for only distributed Erasure setup.`
			`func registerDistErasureRouters(router *mux.Router, endpointZones EndpointZones) {`
Add bootstrap REST handler for verifying server config (#8550) 2019-11-23 04:45:13 +08:00			`// Register storage REST router only if its a distributed setup.`
Implement bucket expansion (#8509) 2019-11-20 09:42:27 +08:00			`registerStorageRESTHandlers(router, endpointZones)`
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422 2016-12-10 16:42:22 +08:00
Use REST api for inter node communication (#7205) 2019-03-15 07:27:31 +08:00			`// Register peer REST router only if its a distributed setup.`
			`registerPeerRESTHandlers(router)`

Add bootstrap REST handler for verifying server config (#8550) 2019-11-23 04:45:13 +08:00			`// Register bootstrap REST router for distributed setups.`
			`registerBootstrapRESTHandlers(router)`
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422 2016-12-10 16:42:22 +08:00
Add bootstrap REST handler for verifying server config (#8550) 2019-11-23 04:45:13 +08:00			`// Register distributed namespace lock routers.`
			`registerLockRESTHandlers(router, endpointZones)`
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422 2016-12-10 16:42:22 +08:00			`}`

Add missing healthcheck router for gateway (#5764) 2018-04-05 10:07:54 +08:00			`// List of some generic handlers which are applied for all incoming requests.`
Allow idiomatic usage of middlewares in gorilla/mux (#9802) Historically due to lack of support for middlewares we ended up writing wrapped handlers for all middlewares on top of the gorilla/mux, this causes multiple issues when we want to let's say - Overload r.Body with some custom implementation to track the incoming Reads() - Add other sort of top level checks to avoid DDOSing the server with large incoming HTTP bodies. Since 1.7.x release gorilla/mux provides proper use of middlewares, which are honored by the muxer directly. This makes sure that Go can honor its own internal ServeHTTP(w, r) implementation where Go net/http can wrap into its own customer readers. This PR as a side-affect fixes rare issues of client hangs which were reported in the wild but never really understood or fixed in our codebase. Fixes #9759 Fixes #7266 Fixes #6540 Fixes #5455 Fixes #5150 Refer https://github.com/boto/botocore/pull/1328 for one variation of the same issue in #9759 2020-06-11 23:19:55 +08:00			`var globalHandlers = []MiddlewareFunc{`
Remove DeploymentID from response headers (#7815) Response headers need not contain deployment ID. 2019-07-02 03:22:01 +08:00			`// set x-amz-request-id header.`
Refactor logging in more Go idiomatic style (#6816) This refactor brings a change which allows targets to be added in a cleaner way and also audit is now moved out. This PR also simplifies logger dependency for auditing 2018-11-20 06:47:03 +08:00			`addCustomHeaders,`
add some security HTTP headers (#5814) This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813 2018-04-13 06:57:41 +08:00			`// set HTTP security headers such as Content-Security-Policy.`
			`addSecurityHeaders,`
Add functionality to add old buckets to etcd on startup Buckets already present on a Minio server before it joins a bucket federated deployment will now be added to etcd during startup. In case of a bucket name collision, admin is informed via Minio server console message. Added configuration migration for configuration stored in etcd backend. Also, environment variables are updated and ListBucket path style request is no longer forwarded. 2018-04-05 23:18:42 +08:00			`// Forward path style requests to actual host in a bucket federated setup.`
Bring etcd support for bucket DNS federation - Supports centralized `config.json` - Supports centralized `bucket` service records for client lookups - implement a new proxy forwarder 2018-02-03 10:18:52 +08:00			`setBucketForwardingHandler,`
Validate and reject unusual requests (#7258) 2019-02-20 13:02:41 +08:00			`// Validate all the incoming requests.`
			`setRequestValidityHandler,`
Add missing healthcheck router for gateway (#5764) 2018-04-05 10:07:54 +08:00			`// Network statistics`
			`setHTTPStatsHandler,`
			`// Limits all requests size to a maximum fixed limit`
			`setRequestSizeLimitHandler,`
			`// Limits all header sizes to a maximum fixed limit`
			`setRequestHeaderSizeLimitHandler,`
			`// Adds 'crossdomain.xml' policy handler to serve legacy flash clients.`
			`setCrossDomainPolicy,`
			`// Redirect some pre-defined browser request paths to a static location prefix.`
			`setBrowserRedirectHandler,`
			`// Validates if incoming request is for restricted buckets.`
			`setReservedBucketHandler,`
			`// Adds cache control for all browser requests.`
			`setBrowserCacheControlHandler,`
			`// Validates all incoming requests to have a valid date header.`
			`setTimeValidityHandler,`
			`// CORS setting for all browser API requests.`
			`setCorsHandler,`
			`// Validates all incoming URL resources, for invalid/unsupported`
			`// resources client receives a HTTP error.`
			`setIgnoreResourcesHandler,`
			`// Auth handler verifies incoming authorization headers and`
			`// routes them accordingly. Client receives a HTTP error for`
			`// invalid/unsupported signatures.`
			`setAuthHandler,`
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further. 2018-10-17 10:22:09 +08:00			`// Enforce rules specific for TLS requests`
			`setSSETLSHandler,`
Add missing healthcheck router for gateway (#5764) 2018-04-05 10:07:54 +08:00			`// filters HTTP headers which are treated as metadata and are reserved`
			`// for internal use only.`
			`filterReservedMetadata,`
			`// Add new handlers here.`
			`}`

routers: Fix a crash while initializing network fs. (#1382) Crash happens when 'minio server filename' a file name is provided instead of a directory on command line argument. ``` panic: runtime error: slice bounds out of range goroutine 1 [running]: panic(0x5eb460, 0xc82000e0b0) /usr/local/opt/go/libexec/src/runtime/panic.go:464 +0x3e6 main.splitNetPath(0x7fff5fbff9bd, 0x7, 0x0, 0x0, 0x0, 0x0) /Users/harsha/mygo/src/github.com/minio/minio/network-fs.go:49 +0xb7 main.newNetworkFS(0x7fff5fbff9bd, 0x7, 0x0, 0x0, 0x0, 0x0) /Users/harsha/mygo/src/github.com/minio/minio/network-fs.go:90 +0x20a main.configureServerHandler(0xc82024e1c8, 0x5, 0xc8200640e0, 0x1, 0x1, 0x0, 0x0) /Users/harsha/mygo/src/github.com/minio/minio/routers.go:43 +0x6ce main.configureServer(0xc82024e1c8, 0x5, 0xc8200640e0, 0x1, 0x1, 0x5) /Users/harsha/mygo/src/github.com/minio/minio/server-main.go:86 +0x67 ``` 2016-04-26 09:10:40 +08:00			`// configureServer handler returns final handler for the http server.`
Disable crawler in FS/NAS gateway mode (#9695) No one really uses FS for large scale accounting usage, neither we crawl in NAS gateway mode. It is worthwhile to simply disable this feature as its not useful for anyone. Bonus disable bucket quota ops as well in, FS and gateway mode 2020-05-25 15:17:52 +08:00			`func configureServerHandler(endpointZones EndpointZones) (http.Handler, error) {`
Prevent gorilla mux from normalizing path (Fixes #3256) (#3268) Also fix test to not use a bucket name with a leading slash - this causes the bucket name to become empty and go to an unintended API call (listbuckets). 2016-11-17 08:23:22 +08:00			// Initialize router. `SkipClean(true)` stops gorilla/mux from
			`// normalizing URL path minio/minio#3256`
fix routing issue for esoteric characters in gorilla/mux (#8967) First step is to ensure that Path component is not decoded by gorilla/mux to avoid routing issues while handling certain characters while uploading through PutObject() Delay the decoding and use PathUnescape() to escape the `object` path component. Thanks to @buengese and @ncw for neat test cases for us to test with. Fixes #8950 Fixes #8647 2020-02-12 11:38:02 +08:00			`router := mux.NewRouter().SkipClean(true).UseEncodedPath()`
routers: Move API and Web routers into their own files. This is done to ensure we have a clean way to add new routers such as - diskRouter - configRouter - lockRouter 2016-03-28 03:37:21 +08:00
control: Fix controller CLI handling with distributed server object layer. Object layer initialization is done lazily fix it. 2016-08-19 05:50:50 +08:00			`// Initialize distributed NS lock.`
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111 2020-06-13 11:04:01 +08:00			`if globalIsDistErasure {`
			`registerDistErasureRouters(router, endpointZones)`
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422 2016-12-10 16:42:22 +08:00			`}`
rpc: Add RPC client tests. (#2858) 2016-10-06 17:30:54 +08:00
Add support for AssumeRoleWithWebIdentity (#6985) 2019-01-05 05:48:12 +08:00			`// Add STS router always.`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 2018-10-10 05:00:01 +08:00			`registerSTSRouter(router)`

Return proper errors when admin API is not initialized (#6988) Especially in gateway IAM admin APIs are not enabled if etcd is not enabled, we should enable admin API though but only enable IAM and Config APIs with etcd configured. 2018-12-19 05:03:26 +08:00			`// Add Admin router, all APIs are enabled in server mode.`
Disable crawler in FS/NAS gateway mode (#9695) No one really uses FS for large scale accounting usage, neither we crawl in NAS gateway mode. It is worthwhile to simply disable this feature as its not useful for anyone. Bonus disable bucket quota ops as well in, FS and gateway mode 2020-05-25 15:17:52 +08:00			`registerAdminRouter(router, true, true)`
Move admin APIs to new path and add redesigned heal APIs (#5351) - Changes related to moving admin APIs - admin APIs now have an endpoint under /minio/admin - admin APIs are now versioned - a new API to server the version is added at "GET /minio/admin/version" and all API operations have the path prefix /minio/admin/v1/<operation> - new service stop API added - credentials change API is moved to /minio/admin/v1/config/credential - credentials change API and configuration get/set API now require TLS so that credentials are protected - all API requests now receive JSON - heal APIs are disabled as they will be changed substantially - Heal API changes Heal API is now provided at a single endpoint with the ability for a client to start a heal sequence on all the data in the server, a single bucket, or under a prefix within a bucket. When a heal sequence is started, the server returns a unique token that needs to be used for subsequent 'status' requests to fetch heal results. On each status request from the client, the server returns heal result records that it has accumulated since the previous status request. The server accumulates upto 1000 records and pauses healing further objects until the client requests for status. If the client does not request any further records for a long time, the server aborts the heal sequence automatically. A heal result record is returned for each entity healed on the server, such as system metadata, object metadata, buckets and objects, and has information about the before and after states on each disk. A client may request to force restart a heal sequence - this causes the running heal sequence to be aborted at the next safe spot and starts a new heal sequence. 2018-01-23 06:54:55 +08:00
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514 2018-03-12 14:16:53 +08:00			`// Add healthcheck router`
use package name correctly (#5827) 2018-04-22 10:23:54 +08:00			`registerHealthCheckRouter(router)`
Add healthcheck endpoints (#5543) This PR adds readiness and liveness endpoints to probe Minio server instance health. Endpoints can only be accessed without authentication and the paths are /minio/health/live and /minio/health/ready for liveness and readiness respectively. The new healthcheck liveness endpoint is used for Docker healthcheck now. Fixes #5357 Fixes #5514 2018-03-12 14:16:53 +08:00
Introduce new unauthenticated endpoint /metric (#5723) (#5829) /metric exposes Promethus compatible data for scraping metrics Fixes: #5723 2018-04-19 07:01:42 +08:00			`// Add server metrics router`
use package name correctly (#5827) 2018-04-22 10:23:54 +08:00			`registerMetricsRouter(router)`
Introduce new unauthenticated endpoint /metric (#5723) (#5829) /metric exposes Promethus compatible data for scraping metrics Fixes: #5723 2018-04-19 07:01:42 +08:00
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422 2016-12-10 16:42:22 +08:00			`// Register web router when its enabled.`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 13:59:13 +08:00			`if globalBrowserEnabled {`
use package name correctly (#5827) 2018-04-22 10:23:54 +08:00			`if err := registerWebRouter(router); err != nil {`
Handle err returned by rpc.Server.RegisterName (#2910) 2016-10-13 14:13:24 +08:00			`return nil, err`
			`}`
server: Add more elaborate startup messages. (#2731) These messages based on our prep stage during XL and prints more informative message regarding drive information. This change also does a much needed refactoring. 2016-10-06 03:48:07 +08:00			`}`
web-browser: disable minio browser when environmental variable MINIO_BROWSER=off (#2315) fixes #2314 2016-07-28 19:00:33 +08:00
enable SSE-KMS pass-through on S3 gateway (#7788) This commit relaxes the restriction that the MinIO gateway does not accept SSE-KMS headers. Now, the S3 gateway allows SSE-KMS headers for PUT and MULTIPART PUT requests and forwards them to the S3 gateway backend (AWS). This is considered SSE pass-through mode. Fixes #7753 2019-06-20 08:37:08 +08:00			`// Add API router, additionally all server mode support encryption`
			`// but don't allow SSE-KMS.`
			`registerAPIRouter(router, true, false)`
routers: Move API and Web routers into their own files. This is done to ensure we have a clean way to add new routers such as - diskRouter - configRouter - lockRouter 2016-03-28 03:37:21 +08:00
Add bootstrap REST handler for verifying server config (#8550) 2019-11-23 04:45:13 +08:00			`// If none of the routes match add default error handler routes`
			`router.NotFoundHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))`
			`router.MethodNotAllowedHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))`

Allow idiomatic usage of middlewares in gorilla/mux (#9802) Historically due to lack of support for middlewares we ended up writing wrapped handlers for all middlewares on top of the gorilla/mux, this causes multiple issues when we want to let's say - Overload r.Body with some custom implementation to track the incoming Reads() - Add other sort of top level checks to avoid DDOSing the server with large incoming HTTP bodies. Since 1.7.x release gorilla/mux provides proper use of middlewares, which are honored by the muxer directly. This makes sure that Go can honor its own internal ServeHTTP(w, r) implementation where Go net/http can wrap into its own customer readers. This PR as a side-affect fixes rare issues of client hangs which were reported in the wild but never really understood or fixed in our codebase. Fixes #9759 Fixes #7266 Fixes #6540 Fixes #5455 Fixes #5150 Refer https://github.com/boto/botocore/pull/1328 for one variation of the same issue in #9759 2020-06-11 23:19:55 +08:00			`router.Use(registerMiddlewares)`
			`return router, nil`
Restructure API handlers, add JSON RPC simple HelloService right now. 2015-07-01 11:15:48 +08:00			`}`