root
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
minio/cmd/generic-handlers_test.go

252 lines
7.0 KiB
Go
Raw Normal View History

env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
/*
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-10 02:39:42 +08:00
* MinIO Cloud Storage, (C) 2016 MinIO, Inc.
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
"net/http"
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-17 10:22:09 +08:00
"net/http/httptest"
Return error response header only for HEAD method (#6709)
2018-10-27 09:03:17 +08:00
"net/url"
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-23 07:53:35 +08:00
"strconv"
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
"testing"
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-18 03:52:14 +08:00
"github.com/minio/minio/cmd/crypto"
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
)
// Tests getRedirectLocation function for all its criteria.
func TestRedirectLocation(t *testing.T) {
testCases := []struct {
urlPath string
location string
}{
{
// 1. When urlPath is '/minio'
fs: Do not return reservedBucket names in ListBuckets() (#3754) Make sure to skip reserved bucket names in `ListBuckets()` current code didn't skip this properly and also generalize this behavior for both XL and FS.
2017-02-17 06:52:14 +08:00
urlPath: minioReservedBucketPath,
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-07 03:08:58 +08:00
location: minioReservedBucketPath + SlashSeparator,
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
},
{
// 2. When urlPath is '/'
Use const slashSeparator instead of "/" everywhere (#8028)
2019-08-07 03:08:58 +08:00
urlPath: SlashSeparator,
location: minioReservedBucketPath + SlashSeparator,
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
},
{
// 3. When urlPath is '/webrpc'
urlPath: "/webrpc",
fs: Do not return reservedBucket names in ListBuckets() (#3754) Make sure to skip reserved bucket names in `ListBuckets()` current code didn't skip this properly and also generalize this behavior for both XL and FS.
2017-02-17 06:52:14 +08:00
location: minioReservedBucketPath + "/webrpc",
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
},
{
// 4. When urlPath is '/login'
urlPath: "/login",
fs: Do not return reservedBucket names in ListBuckets() (#3754) Make sure to skip reserved bucket names in `ListBuckets()` current code didn't skip this properly and also generalize this behavior for both XL and FS.
2017-02-17 06:52:14 +08:00
location: minioReservedBucketPath + "/login",
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
},
{
[web-router] update the white list for favicons (#8024)
2019-08-12 13:17:02 +08:00
// 5. When urlPath is '/favicon-16x16.png'
urlPath: "/favicon-16x16.png",
location: minioReservedBucketPath + "/favicon-16x16.png",
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
},
{
[web-router] update the white list for favicons (#8024)
2019-08-12 13:17:02 +08:00
// 6. When urlPath is '/favicon-16x16.png'
urlPath: "/favicon-32x32.png",
location: minioReservedBucketPath + "/favicon-32x32.png",
},
{
// 7. When urlPath is '/favicon-96x96.png'
urlPath: "/favicon-96x96.png",
location: minioReservedBucketPath + "/favicon-96x96.png",
},
{
// 8. When urlPath is '/unknown'
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
urlPath: "/unknown",
location: "",
},
}
// Validate all conditions.
for i, testCase := range testCases {
loc := getRedirectLocation(testCase.urlPath)
if testCase.location != loc {
t.Errorf("Test %d: Unexpected location expected %s, got %s", i+1, testCase.location, loc)
}
}
}
Ignore reservedBucket checks for net/rpc requests (#4884) All `net/rpc` requests go to `/minio`, so the existing generic handler for reserved bucket check would essentially erroneously send errors leading to distributed setups to wait infinitely. For `net/rpc` requests alone we should skip this check and allow resource bucket names to be from `/minio` .
2017-09-02 03:16:54 +08:00
// Tests request guess function for net/rpc requests.
func TestGuessIsRPC(t *testing.T) {
if guessIsRPCReq(nil) {
t.Fatal("Unexpected return for nil request")
}
fix: Better check of RPC type requests (#6927) guessIsRPCReq() considers all POST requests as RPC but doesn't check if this is an object operation API or not, which is actually confusing bucket forwarder handler when it receives a new multipart upload API which is a POST http request. Due to this bug, users having a federated setup are not able to upload a multipart object using an endpoint which doesn't actually contain the specified bucket that will store the object. Hence this commit will fix the described issue.
2018-12-06 06:28:48 +08:00
u, err := url.Parse("http://localhost:9000/minio/lock")
if err != nil {
t.Fatal(err)
}
Ignore reservedBucket checks for net/rpc requests (#4884) All `net/rpc` requests go to `/minio`, so the existing generic handler for reserved bucket check would essentially erroneously send errors leading to distributed setups to wait infinitely. For `net/rpc` requests alone we should skip this check and allow resource bucket names to be from `/minio` .
2017-09-02 03:16:54 +08:00
r := &http.Request{
Proto: "HTTP/1.0",
Implement HTTP POST based RPC (#5840) Added support for new RPC support using HTTP POST. RPC's arguments and reply are Gob encoded and sent as HTTP request/response body. This patch also removes Go RPC based implementation.
2018-06-06 16:51:56 +08:00
Method: http.MethodPost,
fix: Better check of RPC type requests (#6927) guessIsRPCReq() considers all POST requests as RPC but doesn't check if this is an object operation API or not, which is actually confusing bucket forwarder handler when it receives a new multipart upload API which is a POST http request. Due to this bug, users having a federated setup are not able to upload a multipart object using an endpoint which doesn't actually contain the specified bucket that will store the object. Hence this commit will fix the described issue.
2018-12-06 06:28:48 +08:00
URL: u,
Ignore reservedBucket checks for net/rpc requests (#4884) All `net/rpc` requests go to `/minio`, so the existing generic handler for reserved bucket check would essentially erroneously send errors leading to distributed setups to wait infinitely. For `net/rpc` requests alone we should skip this check and allow resource bucket names to be from `/minio` .
2017-09-02 03:16:54 +08:00
}
if !guessIsRPCReq(r) {
t.Fatal("Test shouldn't fail for a possible net/rpc request.")
}
r = &http.Request{
Proto: "HTTP/1.1",
Method: http.MethodGet,
}
if guessIsRPCReq(r) {
t.Fatal("Test shouldn't report as net/rpc for a non net/rpc request.")
}
}
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
// Tests browser request guess function.
func TestGuessIsBrowser(t *testing.T) {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 13:59:13 +08:00
globalBrowserEnabled = true
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
if guessIsBrowserReq(nil) {
t.Fatal("Unexpected return for nil request")
}
r := &http.Request{
Header: http.Header{},
Valid if bucket names are internal (#7476) This commit fixes a privilege escalation issue against the S3 and web handlers. An authenticated IAM user can: - Read from or write to the internal '.minio.sys' bucket by simply sending a properly signed S3 GET or PUT request. Further, the user can - Read from or write to the internal '.minio.sys' bucket using the 'Upload'/'Download'/'DownloadZIP' API by sending a "browser" request authenticated with its JWT token.
2019-04-04 14:10:37 +08:00
URL: &url.URL{},
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
}
r.Header.Set("User-Agent", "Mozilla")
if !guessIsBrowserReq(r) {
Valid if bucket names are internal (#7476) This commit fixes a privilege escalation issue against the S3 and web handlers. An authenticated IAM user can: - Read from or write to the internal '.minio.sys' bucket by simply sending a properly signed S3 GET or PUT request. Further, the user can - Read from or write to the internal '.minio.sys' bucket using the 'Upload'/'Download'/'DownloadZIP' API by sending a "browser" request authenticated with its JWT token.
2019-04-04 14:10:37 +08:00
t.Fatal("Test shouldn't fail for a possible browser request anonymous user")
}
r.Header.Set("Authorization", "Bearer token")
if !guessIsBrowserReq(r) {
t.Fatal("Test shouldn't fail for a possible browser request JWT user")
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
}
r = &http.Request{
Header: http.Header{},
Valid if bucket names are internal (#7476) This commit fixes a privilege escalation issue against the S3 and web handlers. An authenticated IAM user can: - Read from or write to the internal '.minio.sys' bucket by simply sending a properly signed S3 GET or PUT request. Further, the user can - Read from or write to the internal '.minio.sys' bucket using the 'Upload'/'Download'/'DownloadZIP' API by sending a "browser" request authenticated with its JWT token.
2019-04-04 14:10:37 +08:00
URL: &url.URL{},
env: Bring back MINIO_BROWSER env. (#3423) Set MINIO_BROWSER=off to disable web browser completely. Fixes #3422
2016-12-10 16:42:22 +08:00
}
r.Header.Set("User-Agent", "mc")
if guessIsBrowserReq(r) {
t.Fatal("Test shouldn't report as browser for a non browser request.")
}
}
restirct max size of http header and user metadata (#4634) (#4680) S3 only allows http headers with a size of 8 KB and user-defined metadata with a size of 2 KB. This change adds a new API error and returns this error to clients which sends to large http requests. Fixes #4634
2017-08-23 07:53:35 +08:00
var isHTTPHeaderSizeTooLargeTests = []struct {
header http.Header
shouldFail bool
}{
{header: generateHeader(0, 0), shouldFail: false},
{header: generateHeader(1024, 0), shouldFail: false},
{header: generateHeader(2048, 0), shouldFail: false},
{header: generateHeader(8*1024+1, 0), shouldFail: true},
{header: generateHeader(0, 1024), shouldFail: false},
{header: generateHeader(0, 2048), shouldFail: true},
{header: generateHeader(0, 2048+1), shouldFail: true},
}
func generateHeader(size, usersize int) http.Header {
header := http.Header{}
for i := 0; i < size; i++ {
header.Add(strconv.Itoa(i), "")
}
userlength := 0
for i := 0; userlength < usersize; i++ {
userlength += len(userMetadataKeyPrefixes[0] + strconv.Itoa(i))
header.Add(userMetadataKeyPrefixes[0]+strconv.Itoa(i), "")
}
return header
}
func TestIsHTTPHeaderSizeTooLarge(t *testing.T) {
for i, test := range isHTTPHeaderSizeTooLargeTests {
if res := isHTTPHeaderSizeTooLarge(test.header); res != test.shouldFail {
t.Errorf("Test %d: Expected %v got %v", i, res, test.shouldFail)
}
}
}
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 07:18:59 +08:00
var containsReservedMetadataTests = []struct {
header http.Header
shouldFail bool
}{
{
header: http.Header{"X-Minio-Key": []string{"value"}},
},
{
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-18 03:52:14 +08:00
header: http.Header{crypto.SSEIV: []string{"iv"}},
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 07:18:59 +08:00
shouldFail: true,
},
{
remove the unused code for decrypting `io.Writer` (#8277) This commit removes unused code for decrypting `io.Writer` since the actual implementation only decrypts `io.Reader`
2019-09-20 17:21:07 +08:00
header: http.Header{crypto.SSESealAlgorithm: []string{crypto.InsecureSealAlgorithm}},
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 07:18:59 +08:00
shouldFail: true,
},
{
Add support for SSE-S3 server side encryption with vault (#6192) Add support for sse-s3 encryption with vault as KMS. Also refactoring code to make use of headers and functions defined in crypto package and clean up duplicated code.
2018-08-18 03:52:14 +08:00
header: http.Header{crypto.SSECSealedKey: []string{"mac"}},
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 07:18:59 +08:00
shouldFail: true,
},
{
header: http.Header{ReservedMetadataPrefix + "Key": []string{"value"}},
shouldFail: true,
},
}
func TestContainsReservedMetadata(t *testing.T) {
Support bucket versioning (#9377) - Implement a new xl.json 2.0.0 format to support, this moves the entire marshaling logic to POSIX layer, top layer always consumes a common FileInfo construct which simplifies the metadata reads. - Implement list object versions - Migrate to siphash from crchash for new deployments for object placements. Fixes #2111
2020-06-13 11:04:01 +08:00
for _, test := range containsReservedMetadataTests {
test := test
t.Run("", func(t *testing.T) {
contains := containsReservedMetadata(test.header)
if contains && !test.shouldFail {
t.Errorf("contains reserved header but should not fail")
} else if !contains && test.shouldFail {
t.Errorf("does not contain reserved header but failed")
}
})
add SSE-C support for HEAD, GET, PUT (#4894) This change adds server-side-encryption support for HEAD, GET and PUT operations. This PR only addresses single-part PUTs and GETs without HTTP ranges. Further this change adds the concept of reserved object metadata which is required to make encrypted objects tamper-proof and provide API compatibility to AWS S3. This PR adds the following reserved metadata entries: - X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property) - X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future) - X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility) The prefix `X-Minio_Internal` specifies an internal metadata entry which must not send to clients. All client requests containing a metadata key starting with `X-Minio-Internal` must also rejected. This is implemented by a generic-handler. This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt server-side-encrypted objects on the client-side. However, clients can encrypted the same object with CSE and SSE-C. This PR does not address: - SSE-C Copy and Copy part - SSE-C GET with HTTP ranges - SSE-C multipart PUT - SSE-C Gateway Each point must be addressed in a separate PR. Added to vendor dir: - x/crypto/chacha20poly1305 - x/crypto/poly1305 - github.com/minio/sio
2017-11-08 07:18:59 +08:00
}
}
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-17 10:22:09 +08:00
var sseTLSHandlerTests = []struct {
Return error response header only for HEAD method (#6709)
2018-10-27 09:03:17 +08:00
URL *url.URL
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-17 10:22:09 +08:00
Header http.Header
IsTLS, ShouldFail bool
}{
Return error response header only for HEAD method (#6709)
2018-10-27 09:03:17 +08:00
{URL: &url.URL{}, Header: http.Header{}, IsTLS: false, ShouldFail: false}, // 0
{URL: &url.URL{}, Header: http.Header{crypto.SSECAlgorithm: []string{"AES256"}}, IsTLS: false, ShouldFail: true}, // 1
{URL: &url.URL{}, Header: http.Header{crypto.SSECAlgorithm: []string{"AES256"}}, IsTLS: true, ShouldFail: false}, // 2
{URL: &url.URL{}, Header: http.Header{crypto.SSECKey: []string{""}}, IsTLS: true, ShouldFail: false}, // 3
{URL: &url.URL{}, Header: http.Header{crypto.SSECopyAlgorithm: []string{""}}, IsTLS: false, ShouldFail: true}, // 4
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-17 10:22:09 +08:00
}
func TestSSETLSHandler(t *testing.T) {
defer func(isSSL bool) { globalIsSSL = isSSL }(globalIsSSL) // reset globalIsSSL after test
var okHandler http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}
for i, test := range sseTLSHandlerTests {
globalIsSSL = test.IsTLS
w := httptest.NewRecorder()
r := new(http.Request)
r.Header = test.Header
Return error response header only for HEAD method (#6709)
2018-10-27 09:03:17 +08:00
r.URL = test.URL
move SSE-C TLS enforcement into generic handler (#6639) This commit moves the check that SSE-C requests must be made over TLS into a generic HTTP handler. Since the HTTP server uses custom TCP connection handling it is not possible to use `http.Request.TLS` to check for TLS connections. So using `globalIsSSL` is the only option to detect whether the request is made over TLS. By extracting this check into a separate handler it's possible to refactor other parts of the SSE handling code further.
2018-10-17 10:22:09 +08:00
h := setSSETLSHandler(okHandler)
h.ServeHTTP(w, r)
switch {
case test.ShouldFail && w.Code == http.StatusOK:
t.Errorf("Test %d: should fail but status code is HTTP %d", i, w.Code)
case !test.ShouldFail && w.Code != http.StatusOK:
t.Errorf("Test %d: should not fail but status code is HTTP %d and not 200 OK", i, w.Code)
}
}
}