2018-07-22 01:39:02 +08:00
|
|
|
package s3api
|
|
|
|
|
|
|
|
import (
|
2021-10-14 18:03:11 +08:00
|
|
|
"bytes"
|
2018-07-22 01:39:02 +08:00
|
|
|
"fmt"
|
2024-07-05 02:00:41 +08:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/filer"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
2018-07-22 16:15:11 +08:00
|
|
|
"io"
|
2018-07-22 08:39:10 +08:00
|
|
|
"net/http"
|
2021-03-11 05:19:28 +08:00
|
|
|
"net/url"
|
2018-07-23 16:15:59 +08:00
|
|
|
"strings"
|
2021-05-24 18:43:55 +08:00
|
|
|
"time"
|
2018-09-12 15:46:12 +08:00
|
|
|
|
2022-10-25 00:25:48 +08:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
2022-07-29 15:17:28 +08:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
2024-04-29 21:23:42 +08:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/util/mem"
|
2020-10-21 01:25:16 +08:00
|
|
|
|
2022-07-29 15:17:28 +08:00
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
2024-07-17 14:14:09 +08:00
|
|
|
util_http "github.com/seaweedfs/seaweedfs/weed/util/http"
|
2018-07-22 01:39:02 +08:00
|
|
|
)
|
|
|
|
|
2021-10-14 18:03:11 +08:00
|
|
|
func mimeDetect(r *http.Request, dataReader io.Reader) io.ReadCloser {
|
|
|
|
mimeBuffer := make([]byte, 512)
|
2021-10-18 19:27:57 +08:00
|
|
|
size, _ := dataReader.Read(mimeBuffer)
|
|
|
|
if size > 0 {
|
2021-10-19 01:47:39 +08:00
|
|
|
r.Header.Set("Content-Type", http.DetectContentType(mimeBuffer[:size]))
|
2021-10-18 19:27:57 +08:00
|
|
|
return io.NopCloser(io.MultiReader(bytes.NewReader(mimeBuffer[:size]), dataReader))
|
|
|
|
}
|
|
|
|
return io.NopCloser(dataReader)
|
2021-10-14 18:03:11 +08:00
|
|
|
}
|
|
|
|
|
2022-10-30 08:54:30 +08:00
|
|
|
func urlEscapeObject(object string) string {
|
|
|
|
t := urlPathEscape(removeDuplicateSlashes(object))
|
|
|
|
if strings.HasPrefix(t, "/") {
|
|
|
|
return t
|
|
|
|
}
|
|
|
|
return "/" + t
|
|
|
|
}
|
|
|
|
|
2024-07-05 02:00:41 +08:00
|
|
|
func entryUrlEncode(dir string, entry string, encodingTypeUrl bool) (dirName string, entryName string, prefix string) {
|
|
|
|
if !encodingTypeUrl {
|
|
|
|
return dir, entry, entry
|
|
|
|
}
|
|
|
|
return urlPathEscape(dir), url.QueryEscape(entry), urlPathEscape(entry)
|
|
|
|
}
|
|
|
|
|
2021-03-12 01:49:40 +08:00
|
|
|
func urlPathEscape(object string) string {
|
2021-03-11 05:19:28 +08:00
|
|
|
var escapedParts []string
|
|
|
|
for _, part := range strings.Split(object, "/") {
|
2024-07-05 02:00:41 +08:00
|
|
|
escapedParts = append(escapedParts, strings.ReplaceAll(url.PathEscape(part), "+", "%2B"))
|
2021-03-11 05:19:28 +08:00
|
|
|
}
|
2021-03-12 01:49:40 +08:00
|
|
|
return strings.Join(escapedParts, "/")
|
2021-03-11 05:19:28 +08:00
|
|
|
}
|
|
|
|
|
2022-08-15 23:19:28 +08:00
|
|
|
func removeDuplicateSlashes(object string) string {
|
|
|
|
result := strings.Builder{}
|
|
|
|
result.Grow(len(object))
|
|
|
|
|
|
|
|
isLastSlash := false
|
|
|
|
for _, r := range object {
|
|
|
|
switch r {
|
|
|
|
case '/':
|
|
|
|
if !isLastSlash {
|
|
|
|
result.WriteRune(r)
|
|
|
|
}
|
|
|
|
isLastSlash = true
|
|
|
|
default:
|
|
|
|
result.WriteRune(r)
|
|
|
|
isLastSlash = false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return result.String()
|
|
|
|
}
|
|
|
|
|
2024-07-05 02:00:41 +08:00
|
|
|
func newListEntry(entry *filer_pb.Entry, key string, dir string, name string, bucketPrefix string, fetchOwner bool, isDirectory bool, encodingTypeUrl bool) (listEntry ListEntry) {
|
|
|
|
storageClass := "STANDARD"
|
|
|
|
if v, ok := entry.Extended[s3_constants.AmzStorageClass]; ok {
|
|
|
|
storageClass = string(v)
|
|
|
|
}
|
|
|
|
keyFormat := "%s/%s"
|
|
|
|
if isDirectory {
|
|
|
|
keyFormat += "/"
|
|
|
|
}
|
|
|
|
if key == "" {
|
|
|
|
key = fmt.Sprintf(keyFormat, dir, name)[len(bucketPrefix):]
|
|
|
|
}
|
|
|
|
if encodingTypeUrl {
|
|
|
|
key = urlPathEscape(key)
|
|
|
|
}
|
|
|
|
listEntry = ListEntry{
|
|
|
|
Key: key,
|
|
|
|
LastModified: time.Unix(entry.Attributes.Mtime, 0).UTC(),
|
|
|
|
ETag: "\"" + filer.ETag(entry) + "\"",
|
|
|
|
Size: int64(filer.FileSize(entry)),
|
|
|
|
StorageClass: StorageClass(storageClass),
|
|
|
|
}
|
|
|
|
if fetchOwner {
|
|
|
|
listEntry.Owner = CanonicalUser{
|
|
|
|
ID: fmt.Sprintf("%x", entry.Attributes.Uid),
|
|
|
|
DisplayName: entry.Attributes.UserName,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return listEntry
|
|
|
|
}
|
|
|
|
|
2022-03-07 17:59:01 +08:00
|
|
|
func (s3a *S3ApiServer) toFilerUrl(bucket, object string) string {
|
2022-08-15 23:19:28 +08:00
|
|
|
object = urlPathEscape(removeDuplicateSlashes(object))
|
2022-03-07 17:59:01 +08:00
|
|
|
destUrl := fmt.Sprintf("http://%s%s/%s%s",
|
2022-08-15 23:19:28 +08:00
|
|
|
s3a.option.Filer.ToHttpAddress(), s3a.option.BucketsPath, bucket, object)
|
2022-03-07 17:59:01 +08:00
|
|
|
return destUrl
|
|
|
|
}
|
|
|
|
|
2018-07-22 09:49:47 +08:00
|
|
|
func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2022-05-31 13:57:41 +08:00
|
|
|
bucket, object := s3_constants.GetBucketAndObject(r)
|
2021-09-19 15:28:22 +08:00
|
|
|
glog.V(3).Infof("GetObjectHandler %s %s", bucket, object)
|
2018-09-20 13:01:41 +08:00
|
|
|
|
2018-07-23 16:15:59 +08:00
|
|
|
if strings.HasSuffix(r.URL.Path, "/") {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
|
2018-07-23 16:15:59 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-07 17:59:01 +08:00
|
|
|
destUrl := s3a.toFilerUrl(bucket, object)
|
2018-07-22 09:49:47 +08:00
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2022-05-31 13:57:41 +08:00
|
|
|
bucket, object := s3_constants.GetBucketAndObject(r)
|
2021-09-19 15:28:22 +08:00
|
|
|
glog.V(3).Infof("HeadObjectHandler %s %s", bucket, object)
|
2018-09-20 13:01:41 +08:00
|
|
|
|
2022-03-07 17:59:01 +08:00
|
|
|
destUrl := s3a.toFilerUrl(bucket, object)
|
2018-07-22 09:49:47 +08:00
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
s3a.proxyToFiler(w, r, destUrl, false, passThroughResponse)
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
|
|
|
|
FEATURE: add JWT to HTTP endpoints of Filer and use them in S3 Client
- one JWT for reading and one for writing, analogous to how the JWT
between Master and Volume Server works
- I did not implement IP `whiteList` parameter on the filer
Additionally, because http_util.DownloadFile now sets the JWT,
the `download` command should now work when `jwt.signing.read` is
configured. By looking at the code, I think this case did not work
before.
## Docs to be adjusted after a release
Page `Amazon-S3-API`:
```
# Authentication with Filer
You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
explained in [Security-Configuration](Security-Configuration) -
controlled by the `grpc.*` configuration in `security.toml`.
Starting with version XX, it is also possible to authenticate the HTTP
operations between the S3-API-Proxy and the Filer (especially
uploading new files). This is configured by setting
`filer_jwt.signing.key` and `filer_jwt.signing.read.key` in
`security.toml`.
With both configurations (gRPC and JWT), it is possible to have Filer
and S3 communicate in fully authenticated fashion; so Filer will reject
any unauthenticated communication.
```
Page `Security Overview`:
```
The following items are not covered, yet:
- master server http REST services
Starting with version XX, the Filer HTTP REST services can be secured
with a JWT, by setting `filer_jwt.signing.key` and
`filer_jwt.signing.read.key` in `security.toml`.
...
Before version XX: "weed filer -disableHttp", disable http operations, only gRPC operations are allowed. This works with "weed mount" by FUSE. It does **not work** with the [S3 Gateway](Amazon S3 API), as this does HTTP calls to the Filer.
Starting with version XX: secured by JWT, by setting `filer_jwt.signing.key` and `filer_jwt.signing.read.key` in `security.toml`. **This now works with the [S3 Gateway](Amazon S3 API).**
...
# Securing Filer HTTP with JWT
To enable JWT-based access control for the Filer,
1. generate `security.toml` file by `weed scaffold -config=security`
2. set `filer_jwt.signing.key` to a secret string - and optionally filer_jwt.signing.read.key` as well to a secret string
3. copy the same `security.toml` file to the filers and all S3 proxies.
If `filer_jwt.signing.key` is configured: When sending upload/update/delete HTTP operations to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.key`.
If `filer_jwt.signing.read.key` is configured: When sending GET or HEAD requests to a filer server, the request header `Authorization` should be the JWT string (`Authorization: Bearer [JwtToken]`). The operation is authorized after the filer validates the JWT with `filer_jwt.signing.read.key`.
The S3 API Gateway reads the above JWT keys and sends authenticated
HTTP requests to the filer.
```
Page `Security Configuration`:
```
(update scaffold file)
...
[filer_jwt.signing]
key = "blahblahblahblah"
[filer_jwt.signing.read]
key = "blahblahblahblah"
```
Resolves: #158
2021-12-30 02:47:53 +08:00
|
|
|
func (s3a *S3ApiServer) proxyToFiler(w http.ResponseWriter, r *http.Request, destUrl string, isWrite bool, responseFn func(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int)) {
|
2018-07-22 09:49:47 +08:00
|
|
|
|
2021-09-19 15:18:59 +08:00
|
|
|
glog.V(3).Infof("s3 proxying %s to %s", r.Method, destUrl)
|
2023-08-21 15:42:39 +08:00
|
|
|
start := time.Now()
|
2018-07-22 09:49:47 +08:00
|
|
|
|
|
|
|
proxyReq, err := http.NewRequest(r.Method, destUrl, r.Body)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
glog.Errorf("NewRequest %s: %v", destUrl, err)
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2018-07-22 09:49:47 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
proxyReq.Header.Set("X-Forwarded-For", r.RemoteAddr)
|
2021-12-16 05:18:53 +08:00
|
|
|
for k, v := range r.URL.Query() {
|
2022-05-31 13:57:41 +08:00
|
|
|
if _, ok := s3_constants.PassThroughHeaders[strings.ToLower(k)]; ok {
|
2021-12-16 05:18:53 +08:00
|
|
|
proxyReq.Header[k] = v
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
2024-04-15 01:41:32 +08:00
|
|
|
if k == "partNumber" {
|
|
|
|
proxyReq.Header[s3_constants.SeaweedFSPartNumber] = v
|
|
|
|
}
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|
2021-12-16 05:18:53 +08:00
|
|
|
for header, values := range r.Header {
|
|
|
|
proxyReq.Header[header] = values
|
|
|
|
}
|
2018-07-22 09:49:47 +08:00
|
|
|
|
2022-01-01 05:06:18 +08:00
|
|
|
// ensure that the Authorization header is overriding any previous
|
|
|
|
// Authorization header which might be already present in proxyReq
|
|
|
|
s3a.maybeAddFilerJwtAuthorization(proxyReq, isWrite)
|
2022-03-07 18:00:14 +08:00
|
|
|
resp, postErr := s3a.client.Do(proxyReq)
|
2018-07-22 09:49:47 +08:00
|
|
|
|
|
|
|
if postErr != nil {
|
|
|
|
glog.Errorf("post to filer: %v", postErr)
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
2018-07-22 09:49:47 +08:00
|
|
|
return
|
|
|
|
}
|
2024-07-17 14:14:09 +08:00
|
|
|
defer util_http.CloseResponse(resp)
|
2021-03-18 02:41:34 +08:00
|
|
|
|
2021-05-24 19:59:44 +08:00
|
|
|
if resp.StatusCode == http.StatusPreconditionFailed {
|
2021-11-01 09:05:34 +08:00
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrPreconditionFailed)
|
2021-05-24 19:59:44 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-06-08 16:25:13 +08:00
|
|
|
if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRange)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-07-01 16:00:39 +08:00
|
|
|
if r.Method == http.MethodDelete {
|
2022-08-15 14:52:35 +08:00
|
|
|
if resp.StatusCode == http.StatusNotFound {
|
|
|
|
// this is normal
|
|
|
|
responseStatusCode := responseFn(resp, w)
|
|
|
|
s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
|
2021-02-03 16:35:44 +08:00
|
|
|
return
|
|
|
|
}
|
2020-11-18 03:23:13 +08:00
|
|
|
}
|
2022-08-18 17:13:58 +08:00
|
|
|
if resp.StatusCode == http.StatusNotFound {
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchKey)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-08-21 15:42:39 +08:00
|
|
|
TimeToFirstByte(r.Method, start, r)
|
2024-04-15 01:41:32 +08:00
|
|
|
if resp.Header.Get(s3_constants.SeaweedFSIsDirectoryKey) == "true" {
|
2022-08-23 16:16:46 +08:00
|
|
|
responseStatusCode := responseFn(resp, w)
|
|
|
|
s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-07-22 22:22:38 +08:00
|
|
|
if resp.StatusCode == http.StatusInternalServerError {
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-08-18 17:13:58 +08:00
|
|
|
// when HEAD a directory, it should be reported as no such key
|
|
|
|
// https://github.com/seaweedfs/seaweedfs/issues/3457
|
|
|
|
if resp.ContentLength == -1 && resp.StatusCode != http.StatusNotModified {
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchKey)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2024-04-15 01:41:32 +08:00
|
|
|
if resp.StatusCode == http.StatusBadRequest {
|
|
|
|
resp_body, _ := io.ReadAll(resp.Body)
|
|
|
|
switch string(resp_body) {
|
|
|
|
case "InvalidPart":
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidPart)
|
|
|
|
default:
|
|
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
|
|
}
|
|
|
|
resp.Body.Close()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-10-25 08:29:52 +08:00
|
|
|
setUserMetadataKeyToLowercase(resp)
|
|
|
|
|
2021-12-07 21:20:52 +08:00
|
|
|
responseStatusCode := responseFn(resp, w)
|
|
|
|
s3err.PostLog(r, responseStatusCode, s3err.ErrNone)
|
2018-07-22 10:12:44 +08:00
|
|
|
}
|
2020-09-25 09:09:52 +08:00
|
|
|
|
2022-10-25 08:29:52 +08:00
|
|
|
func setUserMetadataKeyToLowercase(resp *http.Response) {
|
|
|
|
for key, value := range resp.Header {
|
|
|
|
if strings.HasPrefix(key, s3_constants.AmzUserMetaPrefix) {
|
|
|
|
resp.Header[strings.ToLower(key)] = value
|
2022-10-30 08:54:30 +08:00
|
|
|
delete(resp.Header, key)
|
2022-10-25 08:29:52 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-12-07 21:20:52 +08:00
|
|
|
func passThroughResponse(proxyResponse *http.Response, w http.ResponseWriter) (statusCode int) {
|
2020-06-12 01:53:25 +08:00
|
|
|
for k, v := range proxyResponse.Header {
|
2018-07-22 09:49:47 +08:00
|
|
|
w.Header()[k] = v
|
|
|
|
}
|
2021-05-20 14:45:21 +08:00
|
|
|
if proxyResponse.Header.Get("Content-Range") != "" && proxyResponse.StatusCode == 200 {
|
|
|
|
w.WriteHeader(http.StatusPartialContent)
|
2021-12-07 21:20:52 +08:00
|
|
|
statusCode = http.StatusPartialContent
|
2021-05-20 14:45:21 +08:00
|
|
|
} else {
|
2021-12-07 21:20:52 +08:00
|
|
|
statusCode = proxyResponse.StatusCode
|
2021-05-20 14:45:21 +08:00
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
w.WriteHeader(statusCode)
|
2022-03-03 12:15:28 +08:00
|
|
|
buf := mem.Allocate(128 * 1024)
|
|
|
|
defer mem.Free(buf)
|
|
|
|
if n, err := io.CopyBuffer(w, proxyResponse.Body, buf); err != nil {
|
2021-12-30 14:21:02 +08:00
|
|
|
glog.V(1).Infof("passthrough response read %d bytes: %v", n, err)
|
|
|
|
}
|
2021-12-07 21:20:52 +08:00
|
|
|
return statusCode
|
2018-07-22 09:49:47 +08:00
|
|
|
}
|