| author | chrislu <chris.lu@gmail.com> | 2023-12-22 11:33:02 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2023-12-22 11:33:02 -0800 |
| commit | ee1c9bc314970931ebbc018e70bd7ad39bd84602 (patch) | |
| tree | 3aa6ad7b157cd4ac93d5a76f9d1aa2fd3ee81e73 /weed/s3api | |
| parent | 034db049a080d9a07a8527894e0aa58e8412207e (diff) | |
| parent | c278f49bca0b8253914c5490a17ac4b50b8abe2b (diff) | |
Merge branch 'master' of https://github.com/seaweedfs/seaweedfs
Diffstat (limited to 'weed/s3api')
| -rw-r--r-- | weed/s3api/s3api_handlers.go | 4 | ||||
| -rw-r--r-- | weed/s3api/s3api_server.go | 38 |
2 files changed, 37 insertions, 5 deletions
diff --git a/weed/s3api/s3api_handlers.go b/weed/s3api/s3api_handlers.go
index 81d7017dc..c146a8b15 100644
--- a/weed/s3api/s3api_handlers.go
+++ b/weed/s3api/s3api_handlers.go
@@ -40,6 +40,10 @@ func writeSuccessResponseEmpty(w http.ResponseWriter, r *http.Request) {
 s3err.WriteEmptyResponse(w, r, http.StatusOK)
 }
 
+func writeFailureResponse(w http.ResponseWriter, r *http.Request, errCode s3err.ErrorCode) {
+ s3err.WriteErrorResponse(w, r, errCode)
+}
+
 func validateContentMd5(h http.Header) ([]byte, error) {
 md5B64, ok := h["Content-Md5"]
 if ok {
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index e90c334aa..37ae54f1b 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -3,15 +3,16 @@ package s3api
 import (
 "context"
 "fmt"
- "github.com/seaweedfs/seaweedfs/weed/filer"
- "github.com/seaweedfs/seaweedfs/weed/glog"
- "github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
- "github.com/seaweedfs/seaweedfs/weed/util/grace"
 "net"
 "net/http"
 "strings"
 "time"
 
+ "github.com/seaweedfs/seaweedfs/weed/filer"
+ "github.com/seaweedfs/seaweedfs/weed/glog"
+ "github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
+ "github.com/seaweedfs/seaweedfs/weed/util/grace"
+
 "github.com/gorilla/mux"
 "github.com/seaweedfs/seaweedfs/weed/pb"
 . "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
@@ -26,6 +27,7 @@ type S3ApiServerOption struct {
 Port int
 Config string
 DomainName string
+ AllowedOrigins []string
 BucketsPath string
 GrpcDialOption grpc.DialOption
 AllowEmptyFolder bool
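Review bot: The new `writeFailureResponse` takes an `s3err.ErrorCode`, but its only caller in this commit, the OPTIONS handler added in s3api_server.go, passes `http.StatusForbidden`. That compiles only because the constant is untyped; the value 403 is then interpreted as an s3err error code rather than an HTTP status, so what a rejected origin actually receives depends on whatever that code maps to in the s3err package, which is not visible here. Passing an S3 error code at the call site, e.g. `writeFailureResponse(w, r, s3err.ErrAccessDenied)`, would make the rejection well defined. A doc comment such as `// writeFailureResponse writes the S3 error response for errCode (an s3err code, not an HTTP status).` would help prevent the same mix-up later.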
@@ -56,6 +58,14 @@ func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer
 v.SetDefault("jwt.filer_signing.read.expires_after_seconds", 60)
 readExpiresAfterSec := v.GetInt("jwt.filer_signing.read.expires_after_seconds")
 
+ v.SetDefault("cors.allowed_origins.values", "*")
+
+ if (option.AllowedOrigins == nil) || (len(option.AllowedOrigins) == 0) {
+ allowedOrigins := v.GetString("cors.allowed_origins.values")
+ domains := strings.Split(allowedOrigins, ",")
+ option.AllowedOrigins = domains
+ }
+
 s3ApiServer = &S3ApiServer{
 option: option,
 iam: NewIdentityAccessManagement(option),
@@ -103,7 +113,25 @@ func (s3a *S3ApiServer) registerRouter(router *mux.Router) {
 
 apiRouter.Methods("OPTIONS").HandlerFunc(
 func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Access-Control-Allow-Origin", "*")
+ origin := r.Header.Get("Origin")
+ if origin != "" {
+ if s3a.option.AllowedOrigins == nil || len(s3a.option.AllowedOrigins) == 0 || s3a.option.AllowedOrigins[0] == "*" {
+ origin = "*"
+ } else {
+ originFound := false
+ for _, allowedOrigin := range s3a.option.AllowedOrigins {
+ if origin == allowedOrigin {
+ originFound = true
+ }
+ }
+ if !originFound {
+ writeFailureResponse(w, r, http.StatusForbidden)
+ return
+ }
+ }
+ }
+
+ w.Header().Set("Access-Control-Allow-Origin", origin)
 w.Header().Set("Access-Control-Expose-Headers", "*")
 w.Header().Set("Access-Control-Allow-Methods", "*")
 w.Header().Set("Access-Control-Allow-Headers", "*")
|
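Review bot: The origins read from `cors.allowed_origins.values` are split on commas but never trimmed, so a configured value with a space after the comma (constructed example: `https://a.example, https://b.example`) produces an entry with a leading space that the exact-match comparison in the OPTIONS handler can never accept. Trimming each entry after the split, e.g. `for i := range domains { domains[i] = strings.TrimSpace(domains[i]) }`, avoids a silently ineffective allow-list. The default stays `*`, so a deployment that sets neither the option nor the config key keeps the allow-all policy; a comment saying so next to `v.SetDefault("cors.allowed_origins.values", "*")` would make that explicit. The `option.AllowedOrigins == nil` test is redundant because `len` of a nil slice is 0. NewS3ApiServer begins and ends outside this hunk.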
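Review bot: When a configured origin matches and is echoed into `Access-Control-Allow-Origin`, the preflight response carries no `Vary` header, so a shared cache may reuse one origin's answer for a different origin; adding `w.Header().Add("Vary", "Origin")` on the non-wildcard path addresses that. The wildcard is recognised only as the first entry (`s3a.option.AllowedOrigins[0] == "*"`), so a `*` placed later in the list is compared literally and never matches. A request without an `Origin` header ends up with the header set to an empty string, and the match loop keeps iterating after a hit where a `break` would do. This hunk enforces the allow-list only for OPTIONS requests; whether non-preflight responses elsewhere still send `*` cannot be told from here and is worth checking. The handler's closure continues past the end of the hunk.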
