Adding HTTP verb whitelisting options.

6 files changed, 83 insertions, 49 deletions

diff --git a/weed/server/filer_server.go b/weed/server/filer_server.go
index 3c7c1fd9e..2a432af65 100644
--- a/weed/server/filer_server.go
+++ b/weed/server/filer_server.go
@@ -30,6 +30,11 @@ type FilerServer struct {
 	filer              filer.Filer
 	maxMB		   int
 	masterNodes        *storage.MasterNodes
+	get_guard          *security.Guard
+	head_guard         *security.Guard
+	delete_guard       *security.Guard
+	put_guard          *security.Guard
+	post_guard         *security.Guard
 }
 
 func NewFilerServer(r *http.ServeMux, ip string, port int, master string, dir string, collection string,
@@ -38,6 +43,9 @@ func NewFilerServer(r *http.ServeMux, ip string, port int, master string, dir st
 	secret string,
 	cassandra_server string, cassandra_keyspace string,
 	redis_server string, redis_password string, redis_database int,
+	get_ip_whitelist []string, head_ip_whitelist []string, delete_ip_whitelist []string, put_ip_whitelist []string, post_ip_whitelist []string,
+	get_root_whitelist []string, head_root_whitelist []string, delete_root_whitelist []string, put_root_whitelist []string, post_root_whitelist []string,
+	get_secure_key string, head_secure_key string, delete_secure_key string, put_secure_key string, post_secure_key string,
 ) (fs *FilerServer, err error) {
 	fs = &FilerServer{
 		master:             master,
@@ -46,6 +54,11 @@ func NewFilerServer(r *http.ServeMux, ip string, port int, master string, dir st
 		redirectOnRead:     redirectOnRead,
 		disableDirListing:  disableDirListing,
 		maxMB:		    maxMB,
+		get_guard:          security.NewGuard(get_ip_whitelist, get_root_whitelist, get_secure_key),
+		head_guard:         security.NewGuard(head_ip_whitelist, head_root_whitelist, head_secure_key),
+		delete_guard:       security.NewGuard(delete_ip_whitelist, delete_root_whitelist, delete_secure_key),
+		put_guard:          security.NewGuard(put_ip_whitelist, put_root_whitelist, put_secure_key),
+		post_guard:         security.NewGuard(post_ip_whitelist, post_root_whitelist, post_secure_key),
 		port:               ip + ":" + strconv.Itoa(port),
 	}
 
diff --git a/weed/server/filer_server_handlers.go b/weed/server/filer_server_handlers.go
index 4e39258af..4db170590 100644
--- a/weed/server/filer_server_handlers.go
+++ b/weed/server/filer_server_handlers.go
@@ -7,14 +7,14 @@ import (
 func (fs *FilerServer) filerHandler(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case "GET":
-		fs.GetOrHeadHandler(w, r, true)
+		fs.get_guard.WhiteList2(fs.GetOrHeadHandler)(w, r, true)
 	case "HEAD":
-		fs.GetOrHeadHandler(w, r, false)
+		fs.head_guard.WhiteList2(fs.GetOrHeadHandler)(w, r, false)
 	case "DELETE":
-		fs.DeleteHandler(w, r)
+		fs.delete_guard.WhiteList(fs.DeleteHandler)(w, r)
 	case "PUT":
-		fs.PostHandler(w, r)
+		fs.put_guard.WhiteList(fs.PostHandler)(w, r)
 	case "POST":
-		fs.PostHandler(w, r)
+		fs.post_guard.WhiteList(fs.PostHandler)(w, r)
 	}
 }
diff --git a/weed/server/master_server.go b/weed/server/master_server.go
index 61bda6988..3bd77c819 100644
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@@ -23,7 +23,8 @@ type MasterServer struct {
 	pulseSeconds            int
 	defaultReplicaPlacement string
 	garbageThreshold        string
-	guard                   *security.Guard
+	read_guard              *security.Guard
+	write_guard             *security.Guard
 
 	Topo   *topology.Topology
 	vg     *topology.VolumeGrowth
@@ -38,7 +39,9 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 	confFile string,
 	defaultReplicaPlacement string,
 	garbageThreshold string,
-	whiteList []string,
+	ipReadWhiteList []string,
+	ipWriteWhiteList []string,
+        rootWhiteList []string,
 	secureKey string,
 ) *MasterServer {
 	ms := &MasterServer{
@@ -58,24 +61,25 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 	ms.vg = topology.NewDefaultVolumeGrowth()
 	glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
 
-	ms.guard = security.NewGuard(whiteList, secureKey)
+	ms.read_guard = security.NewGuard(ipReadWhiteList, rootWhiteList, secureKey)
+	ms.write_guard = security.NewGuard(ipWriteWhiteList, rootWhiteList, secureKey)
 
 	r.HandleFunc("/", ms.uiStatusHandler)
-	r.HandleFunc("/ui/index.html", ms.uiStatusHandler)
-	r.HandleFunc("/dir/assign", ms.proxyToLeader(ms.guard.WhiteList(ms.dirAssignHandler)))
-	r.HandleFunc("/dir/lookup", ms.proxyToLeader(ms.guard.WhiteList(ms.dirLookupHandler)))
-	r.HandleFunc("/dir/join", ms.proxyToLeader(ms.guard.WhiteList(ms.dirJoinHandler)))
-	r.HandleFunc("/dir/status", ms.proxyToLeader(ms.guard.WhiteList(ms.dirStatusHandler)))
-	r.HandleFunc("/col/delete", ms.proxyToLeader(ms.guard.WhiteList(ms.collectionDeleteHandler)))
-	r.HandleFunc("/vol/lookup", ms.proxyToLeader(ms.guard.WhiteList(ms.volumeLookupHandler)))
-	r.HandleFunc("/vol/grow", ms.proxyToLeader(ms.guard.WhiteList(ms.volumeGrowHandler)))
-	r.HandleFunc("/vol/status", ms.proxyToLeader(ms.guard.WhiteList(ms.volumeStatusHandler)))
-	r.HandleFunc("/vol/vacuum", ms.proxyToLeader(ms.guard.WhiteList(ms.volumeVacuumHandler)))
-	r.HandleFunc("/submit", ms.guard.WhiteList(ms.submitFromMasterServerHandler))
-	r.HandleFunc("/delete", ms.guard.WhiteList(ms.deleteFromMasterServerHandler))
-	r.HandleFunc("/{fileId}", ms.proxyToLeader(ms.redirectHandler))
-	r.HandleFunc("/stats/counter", ms.guard.WhiteList(statsCounterHandler))
-	r.HandleFunc("/stats/memory", ms.guard.WhiteList(statsMemoryHandler))
+	r.HandleFunc("/ui/index.html", ms.read_guard.WhiteList(ms.uiStatusHandler))
+	r.HandleFunc("/dir/assign", ms.proxyToLeader(ms.write_guard.WhiteList(ms.dirAssignHandler)))
+	r.HandleFunc("/dir/lookup", ms.proxyToLeader(ms.read_guard.WhiteList(ms.dirLookupHandler)))
+	r.HandleFunc("/dir/join", ms.proxyToLeader(ms.write_guard.WhiteList(ms.dirJoinHandler)))
+	r.HandleFunc("/dir/status", ms.proxyToLeader(ms.read_guard.WhiteList(ms.dirStatusHandler)))
+	r.HandleFunc("/col/delete", ms.proxyToLeader(ms.write_guard.WhiteList(ms.collectionDeleteHandler)))
+	r.HandleFunc("/vol/lookup", ms.proxyToLeader(ms.read_guard.WhiteList(ms.volumeLookupHandler)))
+	r.HandleFunc("/vol/grow", ms.proxyToLeader(ms.write_guard.WhiteList(ms.volumeGrowHandler)))
+	r.HandleFunc("/vol/status", ms.proxyToLeader(ms.read_guard.WhiteList(ms.volumeStatusHandler)))
+	r.HandleFunc("/vol/vacuum", ms.proxyToLeader(ms.write_guard.WhiteList(ms.volumeVacuumHandler)))
+	r.HandleFunc("/submit", ms.write_guard.WhiteList(ms.submitFromMasterServerHandler))
+	r.HandleFunc("/delete", ms.write_guard.WhiteList(ms.deleteFromMasterServerHandler))
+	r.HandleFunc("/{fileId}", ms.proxyToLeader(ms.read_guard.WhiteList(ms.redirectHandler)))
+	r.HandleFunc("/stats/counter", ms.read_guard.WhiteList(statsCounterHandler))
+	r.HandleFunc("/stats/memory", ms.read_guard.WhiteList(statsMemoryHandler))
 
 	ms.Topo.StartRefreshWritableVolumes(garbageThreshold)
 
diff --git a/weed/server/master_server_handlers_admin.go b/weed/server/master_server_handlers_admin.go
index a762bf416..385290079 100644
--- a/weed/server/master_server_handlers_admin.go
+++ b/weed/server/master_server_handlers_admin.go
@@ -61,7 +61,7 @@ func (ms *MasterServer) dirJoinHandler(w http.ResponseWriter, r *http.Request) {
 	ms.Topo.ProcessJoinMessage(joinMessage)
 	writeJsonQuiet(w, r, http.StatusOK, operation.JoinResult{
 		VolumeSizeLimit: uint64(ms.volumeSizeLimitMB) * 1024 * 1024,
-		SecretKey:       string(ms.guard.SecretKey),
+		SecretKey:       string(ms.write_guard.SecretKey),
 	})
 }
 
diff --git a/weed/server/volume_server.go b/weed/server/volume_server.go
index 79a4276b1..a40eeb9c0 100644
--- a/weed/server/volume_server.go
+++ b/weed/server/volume_server.go
@@ -9,6 +9,7 @@ import (
 	"github.com/chrislusf/seaweedfs/weed/glog"
 	"github.com/chrislusf/seaweedfs/weed/security"
 	"github.com/chrislusf/seaweedfs/weed/storage"
+	//"net/http/pprof"
 )
 
 type VolumeServer struct {
@@ -18,7 +19,8 @@ type VolumeServer struct {
 	dataCenter   string
 	rack         string
 	store        *storage.Store
-	guard        *security.Guard
+	read_guard   *security.Guard
+	write_guard  *security.Guard
 
 	needleMapKind     storage.NeedleMapType
 	FixJpgOrientation bool
@@ -31,7 +33,9 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 	needleMapKind storage.NeedleMapType,
 	masterNode string, pulseSeconds int,
 	dataCenter string, rack string,
-	whiteList []string,
+	ipReadWhiteList []string,
+	ipWriteWhiteList []string,
+	rootWhiteList []string,
 	fixJpgOrientation bool,
 	readRedirect bool) *VolumeServer {
 	vs := &VolumeServer{
@@ -45,28 +49,40 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 	vs.SetMasterNode(masterNode)
 	vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
 
-	vs.guard = security.NewGuard(whiteList, "")
+	vs.read_guard = security.NewGuard(ipReadWhiteList, rootWhiteList, "")
+	vs.write_guard = security.NewGuard(ipWriteWhiteList, rootWhiteList, "")
 
-	adminMux.HandleFunc("/ui/index.html", vs.uiStatusHandler)
-	adminMux.HandleFunc("/status", vs.guard.WhiteList(vs.statusHandler))
-	adminMux.HandleFunc("/admin/assign_volume", vs.guard.WhiteList(vs.assignVolumeHandler))
-	adminMux.HandleFunc("/admin/vacuum/check", vs.guard.WhiteList(vs.vacuumVolumeCheckHandler))
-	adminMux.HandleFunc("/admin/vacuum/compact", vs.guard.WhiteList(vs.vacuumVolumeCompactHandler))
-	adminMux.HandleFunc("/admin/vacuum/commit", vs.guard.WhiteList(vs.vacuumVolumeCommitHandler))
-	adminMux.HandleFunc("/admin/delete_collection", vs.guard.WhiteList(vs.deleteCollectionHandler))
-	adminMux.HandleFunc("/admin/sync/status", vs.guard.WhiteList(vs.getVolumeSyncStatusHandler))
-	adminMux.HandleFunc("/admin/sync/index", vs.guard.WhiteList(vs.getVolumeIndexContentHandler))
-	adminMux.HandleFunc("/admin/sync/data", vs.guard.WhiteList(vs.getVolumeDataContentHandler))
-	adminMux.HandleFunc("/stats/counter", vs.guard.WhiteList(statsCounterHandler))
-	adminMux.HandleFunc("/stats/memory", vs.guard.WhiteList(statsMemoryHandler))
-	adminMux.HandleFunc("/stats/disk", vs.guard.WhiteList(vs.statsDiskHandler))
-	adminMux.HandleFunc("/delete", vs.guard.WhiteList(vs.batchDeleteHandler))
-	adminMux.HandleFunc("/", vs.privateStoreHandler)
+	adminMux.HandleFunc("/ui/index.html", vs.read_guard.WhiteList(vs.uiStatusHandler))
+	adminMux.HandleFunc("/status", vs.read_guard.WhiteList(vs.statusHandler))
+	adminMux.HandleFunc("/admin/assign_volume", vs.write_guard.WhiteList(vs.assignVolumeHandler))
+	adminMux.HandleFunc("/admin/vacuum/check", vs.write_guard.WhiteList(vs.vacuumVolumeCheckHandler))
+	adminMux.HandleFunc("/admin/vacuum/compact", vs.write_guard.WhiteList(vs.vacuumVolumeCompactHandler))
+	adminMux.HandleFunc("/admin/vacuum/commit", vs.write_guard.WhiteList(vs.vacuumVolumeCommitHandler))
+	adminMux.HandleFunc("/admin/delete_collection", vs.write_guard.WhiteList(vs.deleteCollectionHandler))
+	adminMux.HandleFunc("/admin/sync/status", vs.read_guard.WhiteList(vs.getVolumeSyncStatusHandler))
+	adminMux.HandleFunc("/admin/sync/index", vs.write_guard.WhiteList(vs.getVolumeIndexContentHandler))
+	adminMux.HandleFunc("/admin/sync/data", vs.write_guard.WhiteList(vs.getVolumeDataContentHandler))
+	adminMux.HandleFunc("/stats/counter", vs.read_guard.WhiteList(statsCounterHandler))
+	adminMux.HandleFunc("/stats/memory", vs.read_guard.WhiteList(statsMemoryHandler))
+	adminMux.HandleFunc("/stats/disk", vs.read_guard.WhiteList(vs.statsDiskHandler))
+	adminMux.HandleFunc("/delete", vs.write_guard.WhiteList(vs.batchDeleteHandler))
+	adminMux.HandleFunc("/", vs.read_guard.WhiteList(vs.privateStoreHandler))
 	if publicMux != adminMux {
 		// separated admin and public port
 		publicMux.HandleFunc("/favicon.ico", vs.faviconHandler)
 		publicMux.HandleFunc("/", vs.publicReadOnlyHandler)
 	}
+	/*
+	// add in profiling support
+	adminMux.HandleFunc("/debug/pprof/", pprof.Index)
+	adminMux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	adminMux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+	adminMux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+	adminMux.Handle("/debug/pprof/goroutine", pprof.Handler("goroutine"))
+	adminMux.Handle("/debug/pprof/heap", pprof.Handler("heap"))
+	adminMux.Handle("/debug/pprof/threadcreate", pprof.Handler("threadcreate"))
+	adminMux.Handle("/debug/pprof/block", pprof.Handler("block"))
+	*/
 
 	go func() {
 		connected := true
@@ -82,7 +98,8 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 				if !connected {
 					connected = true
 					vs.SetMasterNode(master)
-					vs.guard.SecretKey = secretKey
+					vs.read_guard.SecretKey = secretKey
+					vs.write_guard.SecretKey = secretKey
 					glog.V(0).Infoln("Volume Server Connected with master at", master)
 				}
 			} else {
@@ -121,5 +138,5 @@ func (vs *VolumeServer) Shutdown() {
 }
 
 func (vs *VolumeServer) jwt(fileId string) security.EncodedJwt {
-	return security.GenJwt(vs.guard.SecretKey, fileId)
+	return security.GenJwt(vs.read_guard.SecretKey, fileId)
 }
diff --git a/weed/server/volume_server_handlers.go b/weed/server/volume_server_handlers.go
index 2d6fe7849..f223af6c0 100644
--- a/weed/server/volume_server_handlers.go
+++ b/weed/server/volume_server_handlers.go
@@ -25,19 +25,19 @@ func (vs *VolumeServer) privateStoreHandler(w http.ResponseWriter, r *http.Reque
 	switch r.Method {
 	case "GET":
 		stats.ReadRequest()
-		vs.GetOrHeadHandler(w, r)
+		vs.write_guard.WhiteList(vs.GetOrHeadHandler)(w, r)
 	case "HEAD":
 		stats.ReadRequest()
-		vs.GetOrHeadHandler(w, r)
+		vs.write_guard.WhiteList(vs.GetOrHeadHandler)(w, r)
 	case "DELETE":
 		stats.DeleteRequest()
-		vs.guard.WhiteList(vs.DeleteHandler)(w, r)
+		vs.write_guard.WhiteList(vs.DeleteHandler)(w, r)
 	case "PUT":
 		stats.WriteRequest()
-		vs.guard.WhiteList(vs.PostHandler)(w, r)
+		vs.write_guard.WhiteList(vs.PostHandler)(w, r)
 	case "POST":
 		stats.WriteRequest()
-		vs.guard.WhiteList(vs.PostHandler)(w, r)
+		vs.write_guard.WhiteList(vs.PostHandler)(w, r)
 	}
 }