more complete admin API #298
22 changed files with 209 additions and 259 deletions
|
@ -114,13 +114,9 @@ impl ApiHandler for AdminApiServer {
|
||||||
|
|
||||||
if let Some(h) = expected_auth_header {
|
if let Some(h) = expected_auth_header {
|
||||||
match req.headers().get("Authorization") {
|
match req.headers().get("Authorization") {
|
||||||
None => Err(Error::Forbidden(
|
None => Err(Error::forbidden("Authorization token must be provided")),
|
||||||
"Authorization token must be provided".into(),
|
|
||||||
)),
|
|
||||||
Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()),
|
Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()),
|
||||||
_ => Err(Error::Forbidden(
|
_ => Err(Error::forbidden("Invalid authorization token provided")),
|
||||||
"Invalid authorization token provided".into(),
|
|
||||||
)),
|
|
||||||
}?;
|
}?;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -18,6 +18,7 @@ use garage_model::s3::object_table::ObjectFilter;
|
||||||
|
|
||||||
use crate::admin::error::*;
|
use crate::admin::error::*;
|
||||||
use crate::admin::key::ApiBucketKeyPerm;
|
use crate::admin::key::ApiBucketKeyPerm;
|
||||||
|
use crate::common_error::CommonError;
|
||||||
use crate::helpers::parse_json_body;
|
use crate::helpers::parse_json_body;
|
||||||
|
|
||||||
pub async fn handle_list_buckets(garage: &Arc<Garage>) -> Result<Response<Body>, Error> {
|
pub async fn handle_list_buckets(garage: &Arc<Garage>) -> Result<Response<Body>, Error> {
|
||||||
|
@ -233,7 +234,7 @@ pub async fn handle_create_bucket(
|
||||||
|
|
||||||
if let Some(alias) = garage.bucket_alias_table.get(&EmptyKey, ga).await? {
|
if let Some(alias) = garage.bucket_alias_table.get(&EmptyKey, ga).await? {
|
||||||
if alias.state.get().is_some() {
|
if alias.state.get().is_some() {
|
||||||
return Err(Error::BucketAlreadyExists);
|
return Err(CommonError::BucketAlreadyExists.into());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -333,7 +334,7 @@ pub async fn handle_delete_bucket(
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
if !objects.is_empty() {
|
if !objects.is_empty() {
|
||||||
return Err(Error::BucketNotEmpty);
|
return Err(CommonError::BucketNotEmpty.into());
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- done checking, now commit ---
|
// --- done checking, now commit ---
|
||||||
|
|
|
@ -4,9 +4,9 @@ use hyper::{Body, HeaderMap, StatusCode};
|
||||||
|
|
||||||
use garage_model::helper::error::Error as HelperError;
|
use garage_model::helper::error::Error as HelperError;
|
||||||
|
|
||||||
use crate::generic_server::ApiError;
|
|
||||||
use crate::common_error::CommonError;
|
use crate::common_error::CommonError;
|
||||||
pub use crate::common_error::{OkOrBadRequest, OkOrInternalError};
|
pub use crate::common_error::{CommonErrorDerivative, OkOrBadRequest, OkOrInternalError};
|
||||||
|
use crate::generic_server::ApiError;
|
||||||
|
|
||||||
/// Errors of this crate
|
/// Errors of this crate
|
||||||
#[derive(Debug, Error)]
|
#[derive(Debug, Error)]
|
||||||
|
@ -16,30 +16,9 @@ pub enum Error {
|
||||||
CommonError(CommonError),
|
CommonError(CommonError),
|
||||||
|
|
||||||
// Category: cannot process
|
// Category: cannot process
|
||||||
/// No proper api key was used, or the signature was invalid
|
|
||||||
#[error(display = "Forbidden: {}", _0)]
|
|
||||||
Forbidden(String),
|
|
||||||
|
|
||||||
/// The API access key does not exist
|
/// The API access key does not exist
|
||||||
#[error(display = "Access key not found")]
|
#[error(display = "Access key not found")]
|
||||||
NoSuchAccessKey,
|
NoSuchAccessKey,
|
||||||
|
|
||||||
/// The bucket requested don't exists
|
|
||||||
#[error(display = "Bucket not found")]
|
|
||||||
NoSuchBucket,
|
|
||||||
|
|
||||||
/// Tried to create a bucket that already exist
|
|
||||||
#[error(display = "Bucket already exists")]
|
|
||||||
BucketAlreadyExists,
|
|
||||||
|
|
||||||
/// Tried to delete a non-empty bucket
|
|
||||||
#[error(display = "Tried to delete a non-empty bucket")]
|
|
||||||
BucketNotEmpty,
|
|
||||||
|
|
||||||
// Category: bad request
|
|
||||||
/// Bucket name is not valid according to AWS S3 specs
|
|
||||||
#[error(display = "Invalid bucket name")]
|
|
||||||
InvalidBucketName,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<T> From<T> for Error
|
impl<T> From<T> for Error
|
||||||
|
@ -51,14 +30,16 @@ where
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl CommonErrorDerivative for Error {}
|
||||||
|
|
||||||
impl From<HelperError> for Error {
|
impl From<HelperError> for Error {
|
||||||
fn from(err: HelperError) -> Self {
|
fn from(err: HelperError) -> Self {
|
||||||
match err {
|
match err {
|
||||||
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
||||||
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
||||||
HelperError::InvalidBucketName(_) => Self::InvalidBucketName,
|
HelperError::InvalidBucketName(_) => Self::CommonError(CommonError::InvalidBucketName),
|
||||||
|
HelperError::NoSuchBucket(_) => Self::CommonError(CommonError::NoSuchBucket),
|
||||||
HelperError::NoSuchAccessKey(_) => Self::NoSuchAccessKey,
|
HelperError::NoSuchAccessKey(_) => Self::NoSuchAccessKey,
|
||||||
HelperError::NoSuchBucket(_) => Self::NoSuchBucket,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -68,10 +49,7 @@ impl ApiError for Error {
|
||||||
fn http_status_code(&self) -> StatusCode {
|
fn http_status_code(&self) -> StatusCode {
|
||||||
match self {
|
match self {
|
||||||
Error::CommonError(c) => c.http_status_code(),
|
Error::CommonError(c) => c.http_status_code(),
|
||||||
Error::NoSuchAccessKey | Error::NoSuchBucket => StatusCode::NOT_FOUND,
|
Error::NoSuchAccessKey => StatusCode::NOT_FOUND,
|
||||||
Error::BucketNotEmpty | Error::BucketAlreadyExists => StatusCode::CONFLICT,
|
|
||||||
Error::Forbidden(_) => StatusCode::FORBIDDEN,
|
|
||||||
Error::InvalidBucketName => StatusCode::BAD_REQUEST,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -80,15 +58,10 @@ impl ApiError for Error {
|
||||||
}
|
}
|
||||||
|
|
||||||
fn http_body(&self, garage_region: &str, path: &str) -> Body {
|
fn http_body(&self, garage_region: &str, path: &str) -> Body {
|
||||||
|
// TODO nice json error
|
||||||
Body::from(format!(
|
Body::from(format!(
|
||||||
"ERROR: {}\n\ngarage region: {}\npath: {}",
|
"ERROR: {}\n\ngarage region: {}\npath: {}",
|
||||||
self, garage_region, path
|
self, garage_region, path
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Error {
|
|
||||||
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::BadRequest(msg.to_string()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -6,7 +6,7 @@ use garage_util::error::Error as GarageError;
|
||||||
/// Errors of this crate
|
/// Errors of this crate
|
||||||
#[derive(Debug, Error)]
|
#[derive(Debug, Error)]
|
||||||
pub enum CommonError {
|
pub enum CommonError {
|
||||||
// Category: internal error
|
// ---- INTERNAL ERRORS ----
|
||||||
/// Error related to deeper parts of Garage
|
/// Error related to deeper parts of Garage
|
||||||
#[error(display = "Internal error: {}", _0)]
|
#[error(display = "Internal error: {}", _0)]
|
||||||
InternalError(#[error(source)] GarageError),
|
InternalError(#[error(source)] GarageError),
|
||||||
|
@ -19,9 +19,34 @@ pub enum CommonError {
|
||||||
#[error(display = "Internal error (HTTP error): {}", _0)]
|
#[error(display = "Internal error (HTTP error): {}", _0)]
|
||||||
Http(#[error(source)] http::Error),
|
Http(#[error(source)] http::Error),
|
||||||
|
|
||||||
/// The client sent an invalid request
|
// ---- GENERIC CLIENT ERRORS ----
|
||||||
|
/// Proper authentication was not provided
|
||||||
|
#[error(display = "Forbidden: {}", _0)]
|
||||||
|
Forbidden(String),
|
||||||
|
|
||||||
|
/// Generic bad request response with custom message
|
||||||
#[error(display = "Bad request: {}", _0)]
|
#[error(display = "Bad request: {}", _0)]
|
||||||
BadRequest(String),
|
BadRequest(String),
|
||||||
|
|
||||||
|
// ---- SPECIFIC ERROR CONDITIONS ----
|
||||||
|
// These have to be error codes referenced in the S3 spec here:
|
||||||
|
// https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#ErrorCodeList
|
||||||
|
/// The bucket requested don't exists
|
||||||
|
#[error(display = "Bucket not found")]
|
||||||
|
NoSuchBucket,
|
||||||
|
|
||||||
|
/// Tried to create a bucket that already exist
|
||||||
|
#[error(display = "Bucket already exists")]
|
||||||
|
BucketAlreadyExists,
|
||||||
|
|
||||||
|
/// Tried to delete a non-empty bucket
|
||||||
|
#[error(display = "Tried to delete a non-empty bucket")]
|
||||||
|
BucketNotEmpty,
|
||||||
|
|
||||||
|
// Category: bad request
|
||||||
|
/// Bucket name is not valid according to AWS S3 specs
|
||||||
|
#[error(display = "Invalid bucket name")]
|
||||||
|
InvalidBucketName,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl CommonError {
|
impl CommonError {
|
||||||
|
@ -36,15 +61,53 @@ impl CommonError {
|
||||||
StatusCode::INTERNAL_SERVER_ERROR
|
StatusCode::INTERNAL_SERVER_ERROR
|
||||||
}
|
}
|
||||||
CommonError::BadRequest(_) => StatusCode::BAD_REQUEST,
|
CommonError::BadRequest(_) => StatusCode::BAD_REQUEST,
|
||||||
|
CommonError::Forbidden(_) => StatusCode::FORBIDDEN,
|
||||||
|
CommonError::NoSuchBucket => StatusCode::NOT_FOUND,
|
||||||
|
CommonError::BucketNotEmpty | CommonError::BucketAlreadyExists => StatusCode::CONFLICT,
|
||||||
|
CommonError::InvalidBucketName => StatusCode::BAD_REQUEST,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn aws_code(&self) -> &'static str {
|
||||||
|
match self {
|
||||||
|
CommonError::Forbidden(_) => "AccessDenied",
|
||||||
|
CommonError::InternalError(
|
||||||
|
GarageError::Timeout
|
||||||
|
| GarageError::RemoteError(_)
|
||||||
|
| GarageError::Quorum(_, _, _, _),
|
||||||
|
) => "ServiceUnavailable",
|
||||||
|
CommonError::InternalError(_) | CommonError::Hyper(_) | CommonError::Http(_) => {
|
||||||
|
"InternalError"
|
||||||
|
}
|
||||||
|
CommonError::BadRequest(_) => "InvalidRequest",
|
||||||
|
CommonError::NoSuchBucket => "NoSuchBucket",
|
||||||
|
CommonError::BucketAlreadyExists => "BucketAlreadyExists",
|
||||||
|
CommonError::BucketNotEmpty => "BucketNotEmpty",
|
||||||
|
CommonError::InvalidBucketName => "InvalidBucketName",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
||||||
CommonError::BadRequest(msg.to_string())
|
CommonError::BadRequest(msg.to_string())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub trait CommonErrorDerivative: From<CommonError> {
|
||||||
|
fn internal_error<M: ToString>(msg: M) -> Self {
|
||||||
|
Self::from(CommonError::InternalError(GarageError::Message(
|
||||||
|
msg.to_string(),
|
||||||
|
)))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn bad_request<M: ToString>(msg: M) -> Self {
|
||||||
|
Self::from(CommonError::BadRequest(msg.to_string()))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn forbidden<M: ToString>(msg: M) -> Self {
|
||||||
|
Self::from(CommonError::Forbidden(msg.to_string()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// Trait to map error to the Bad Request error code
|
/// Trait to map error to the Bad Request error code
|
||||||
pub trait OkOrBadRequest {
|
pub trait OkOrBadRequest {
|
||||||
type S;
|
type S;
|
||||||
|
|
|
@ -2,7 +2,7 @@ use hyper::{Body, Request};
|
||||||
use idna::domain_to_unicode;
|
use idna::domain_to_unicode;
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
|
|
||||||
use crate::common_error::{*, CommonError as Error};
|
use crate::common_error::{CommonError as Error, *};
|
||||||
|
|
||||||
/// What kind of authorization is required to perform a given action
|
/// What kind of authorization is required to perform a given action
|
||||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||||
|
|
|
@ -7,13 +7,12 @@ use hyper::{Body, Method, Request, Response};
|
||||||
|
|
||||||
use opentelemetry::{trace::SpanRef, KeyValue};
|
use opentelemetry::{trace::SpanRef, KeyValue};
|
||||||
|
|
||||||
use garage_table::util::*;
|
|
||||||
use garage_util::error::Error as GarageError;
|
use garage_util::error::Error as GarageError;
|
||||||
|
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
|
|
||||||
use crate::k2v::error::*;
|
|
||||||
use crate::generic_server::*;
|
use crate::generic_server::*;
|
||||||
|
use crate::k2v::error::*;
|
||||||
|
|
||||||
use crate::signature::payload::check_payload_signature;
|
use crate::signature::payload::check_payload_signature;
|
||||||
use crate::signature::streaming::*;
|
use crate::signature::streaming::*;
|
||||||
|
@ -84,14 +83,14 @@ impl ApiHandler for K2VApiServer {
|
||||||
|
|
||||||
// The OPTIONS method is procesed early, before we even check for an API key
|
// The OPTIONS method is procesed early, before we even check for an API key
|
||||||
if let Endpoint::Options = endpoint {
|
if let Endpoint::Options = endpoint {
|
||||||
return Ok(handle_options_s3api(garage, &req, Some(bucket_name)).await
|
return Ok(handle_options_s3api(garage, &req, Some(bucket_name))
|
||||||
|
.await
|
||||||
.ok_or_bad_request("Error handling OPTIONS")?);
|
.ok_or_bad_request("Error handling OPTIONS")?);
|
||||||
}
|
}
|
||||||
|
|
||||||
let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
|
let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
|
||||||
let api_key = api_key.ok_or_else(|| {
|
let api_key = api_key
|
||||||
Error::Forbidden("Garage does not support anonymous access yet".to_string())
|
.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?;
|
||||||
})?;
|
|
||||||
|
|
||||||
let req = parse_streaming_body(
|
let req = parse_streaming_body(
|
||||||
&api_key,
|
&api_key,
|
||||||
|
@ -101,13 +100,14 @@ impl ApiHandler for K2VApiServer {
|
||||||
"k2v",
|
"k2v",
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
let bucket_id = garage.bucket_helper().resolve_bucket(&bucket_name, &api_key).await?;
|
let bucket_id = garage
|
||||||
|
.bucket_helper()
|
||||||
|
.resolve_bucket(&bucket_name, &api_key)
|
||||||
|
.await?;
|
||||||
let bucket = garage
|
let bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.filter(|b| !b.state.is_deleted())
|
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let allowed = match endpoint.authorization_type() {
|
let allowed = match endpoint.authorization_type() {
|
||||||
Authorization::Read => api_key.allow_read(&bucket_id),
|
Authorization::Read => api_key.allow_read(&bucket_id),
|
||||||
|
@ -117,9 +117,7 @@ impl ApiHandler for K2VApiServer {
|
||||||
};
|
};
|
||||||
|
|
||||||
if !allowed {
|
if !allowed {
|
||||||
return Err(Error::Forbidden(
|
return Err(Error::forbidden("Operation is not allowed for this key."));
|
||||||
"Operation is not allowed for this key.".to_string(),
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Look up what CORS rule might apply to response.
|
// Look up what CORS rule might apply to response.
|
||||||
|
|
|
@ -12,8 +12,8 @@ use garage_model::garage::Garage;
|
||||||
use garage_model::k2v::causality::*;
|
use garage_model::k2v::causality::*;
|
||||||
use garage_model::k2v::item_table::*;
|
use garage_model::k2v::item_table::*;
|
||||||
|
|
||||||
use crate::k2v::error::*;
|
|
||||||
use crate::helpers::*;
|
use crate::helpers::*;
|
||||||
|
use crate::k2v::error::*;
|
||||||
use crate::k2v::range::read_range;
|
use crate::k2v::range::read_range;
|
||||||
|
|
||||||
pub async fn handle_insert_batch(
|
pub async fn handle_insert_batch(
|
||||||
|
|
|
@ -5,7 +5,7 @@ use hyper::{Body, HeaderMap, StatusCode};
|
||||||
use garage_model::helper::error::Error as HelperError;
|
use garage_model::helper::error::Error as HelperError;
|
||||||
|
|
||||||
use crate::common_error::CommonError;
|
use crate::common_error::CommonError;
|
||||||
pub use crate::common_error::{OkOrBadRequest, OkOrInternalError};
|
pub use crate::common_error::{CommonErrorDerivative, OkOrBadRequest, OkOrInternalError};
|
||||||
use crate::generic_server::ApiError;
|
use crate::generic_server::ApiError;
|
||||||
use crate::signature::error::Error as SignatureError;
|
use crate::signature::error::Error as SignatureError;
|
||||||
|
|
||||||
|
@ -17,10 +17,6 @@ pub enum Error {
|
||||||
CommonError(CommonError),
|
CommonError(CommonError),
|
||||||
|
|
||||||
// Category: cannot process
|
// Category: cannot process
|
||||||
/// No proper api key was used, or the signature was invalid
|
|
||||||
#[error(display = "Forbidden: {}", _0)]
|
|
||||||
Forbidden(String),
|
|
||||||
|
|
||||||
/// Authorization Header Malformed
|
/// Authorization Header Malformed
|
||||||
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
||||||
AuthorizationHeaderMalformed(String),
|
AuthorizationHeaderMalformed(String),
|
||||||
|
@ -29,10 +25,6 @@ pub enum Error {
|
||||||
#[error(display = "Key not found")]
|
#[error(display = "Key not found")]
|
||||||
NoSuchKey,
|
NoSuchKey,
|
||||||
|
|
||||||
/// The bucket requested don't exists
|
|
||||||
#[error(display = "Bucket not found")]
|
|
||||||
NoSuchBucket,
|
|
||||||
|
|
||||||
/// Some base64 encoded data was badly encoded
|
/// Some base64 encoded data was badly encoded
|
||||||
#[error(display = "Invalid base64: {}", _0)]
|
#[error(display = "Invalid base64: {}", _0)]
|
||||||
InvalidBase64(#[error(source)] base64::DecodeError),
|
InvalidBase64(#[error(source)] base64::DecodeError),
|
||||||
|
@ -59,11 +51,15 @@ where
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl CommonErrorDerivative for Error {}
|
||||||
|
|
||||||
impl From<HelperError> for Error {
|
impl From<HelperError> for Error {
|
||||||
fn from(err: HelperError) -> Self {
|
fn from(err: HelperError) -> Self {
|
||||||
match err {
|
match err {
|
||||||
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
||||||
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
||||||
|
HelperError::InvalidBucketName(_) => Self::CommonError(CommonError::InvalidBucketName),
|
||||||
|
HelperError::NoSuchBucket(_) => Self::CommonError(CommonError::NoSuchBucket),
|
||||||
e => Self::CommonError(CommonError::BadRequest(format!("{}", e))),
|
e => Self::CommonError(CommonError::BadRequest(format!("{}", e))),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -73,35 +69,26 @@ impl From<SignatureError> for Error {
|
||||||
fn from(err: SignatureError) -> Self {
|
fn from(err: SignatureError) -> Self {
|
||||||
match err {
|
match err {
|
||||||
SignatureError::CommonError(c) => Self::CommonError(c),
|
SignatureError::CommonError(c) => Self::CommonError(c),
|
||||||
SignatureError::AuthorizationHeaderMalformed(c) => Self::AuthorizationHeaderMalformed(c),
|
SignatureError::AuthorizationHeaderMalformed(c) => {
|
||||||
SignatureError::Forbidden(f) => Self::Forbidden(f),
|
Self::AuthorizationHeaderMalformed(c)
|
||||||
|
}
|
||||||
SignatureError::InvalidUtf8Str(i) => Self::InvalidUtf8Str(i),
|
SignatureError::InvalidUtf8Str(i) => Self::InvalidUtf8Str(i),
|
||||||
SignatureError::InvalidHeader(h) => Self::InvalidHeader(h),
|
SignatureError::InvalidHeader(h) => Self::InvalidHeader(h),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Error {
|
|
||||||
//pub fn internal_error<M: ToString>(msg: M) -> Self {
|
|
||||||
// Self::CommonError(CommonError::InternalError(GarageError::Message(
|
|
||||||
// msg.to_string(),
|
|
||||||
// )))
|
|
||||||
//}
|
|
||||||
|
|
||||||
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::BadRequest(msg.to_string()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl ApiError for Error {
|
impl ApiError for Error {
|
||||||
/// Get the HTTP status code that best represents the meaning of the error for the client
|
/// Get the HTTP status code that best represents the meaning of the error for the client
|
||||||
fn http_status_code(&self) -> StatusCode {
|
fn http_status_code(&self) -> StatusCode {
|
||||||
match self {
|
match self {
|
||||||
Error::CommonError(c) => c.http_status_code(),
|
Error::CommonError(c) => c.http_status_code(),
|
||||||
Error::NoSuchKey | Error::NoSuchBucket => StatusCode::NOT_FOUND,
|
Error::NoSuchKey => StatusCode::NOT_FOUND,
|
||||||
Error::Forbidden(_) => StatusCode::FORBIDDEN,
|
|
||||||
Error::NotAcceptable(_) => StatusCode::NOT_ACCEPTABLE,
|
Error::NotAcceptable(_) => StatusCode::NOT_ACCEPTABLE,
|
||||||
_ => StatusCode::BAD_REQUEST,
|
Error::AuthorizationHeaderMalformed(_)
|
||||||
|
| Error::InvalidBase64(_)
|
||||||
|
| Error::InvalidHeader(_)
|
||||||
|
| Error::InvalidUtf8Str(_) => StatusCode::BAD_REQUEST,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -110,6 +97,7 @@ impl ApiError for Error {
|
||||||
}
|
}
|
||||||
|
|
||||||
fn http_body(&self, garage_region: &str, path: &str) -> Body {
|
fn http_body(&self, garage_region: &str, path: &str) -> Body {
|
||||||
|
// TODO nice json error
|
||||||
Body::from(format!(
|
Body::from(format!(
|
||||||
"ERROR: {}\n\ngarage region: {}\npath: {}",
|
"ERROR: {}\n\ngarage region: {}\npath: {}",
|
||||||
self, garage_region, path
|
self, garage_region, path
|
||||||
|
|
|
@ -7,8 +7,8 @@ use std::sync::Arc;
|
||||||
use garage_table::replication::TableShardedReplication;
|
use garage_table::replication::TableShardedReplication;
|
||||||
use garage_table::*;
|
use garage_table::*;
|
||||||
|
|
||||||
use crate::k2v::error::*;
|
|
||||||
use crate::helpers::key_after_prefix;
|
use crate::helpers::key_after_prefix;
|
||||||
|
use crate::k2v::error::*;
|
||||||
|
|
||||||
/// Read range in a Garage table.
|
/// Read range in a Garage table.
|
||||||
/// Returns (entries, more?, nextStart)
|
/// Returns (entries, more?, nextStart)
|
||||||
|
|
|
@ -8,14 +8,13 @@ use hyper::{Body, Method, Request, Response};
|
||||||
|
|
||||||
use opentelemetry::{trace::SpanRef, KeyValue};
|
use opentelemetry::{trace::SpanRef, KeyValue};
|
||||||
|
|
||||||
use garage_table::util::*;
|
|
||||||
use garage_util::error::Error as GarageError;
|
use garage_util::error::Error as GarageError;
|
||||||
|
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
use garage_model::key_table::Key;
|
use garage_model::key_table::Key;
|
||||||
|
|
||||||
use crate::s3::error::*;
|
|
||||||
use crate::generic_server::*;
|
use crate::generic_server::*;
|
||||||
|
use crate::s3::error::*;
|
||||||
|
|
||||||
use crate::signature::payload::check_payload_signature;
|
use crate::signature::payload::check_payload_signature;
|
||||||
use crate::signature::streaming::*;
|
use crate::signature::streaming::*;
|
||||||
|
@ -119,14 +118,14 @@ impl ApiHandler for S3ApiServer {
|
||||||
return handle_post_object(garage, req, bucket_name.unwrap()).await;
|
return handle_post_object(garage, req, bucket_name.unwrap()).await;
|
||||||
}
|
}
|
||||||
if let Endpoint::Options = endpoint {
|
if let Endpoint::Options = endpoint {
|
||||||
return handle_options_s3api(garage, &req, bucket_name).await
|
return handle_options_s3api(garage, &req, bucket_name)
|
||||||
|
.await
|
||||||
.map_err(Error::from);
|
.map_err(Error::from);
|
||||||
}
|
}
|
||||||
|
|
||||||
let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
|
let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
|
||||||
let api_key = api_key.ok_or_else(|| {
|
let api_key = api_key
|
||||||
Error::Forbidden("Garage does not support anonymous access yet".to_string())
|
.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?;
|
||||||
})?;
|
|
||||||
|
|
||||||
let req = parse_streaming_body(
|
let req = parse_streaming_body(
|
||||||
&api_key,
|
&api_key,
|
||||||
|
@ -150,13 +149,14 @@ impl ApiHandler for S3ApiServer {
|
||||||
return handle_create_bucket(&garage, req, content_sha256, api_key, bucket_name).await;
|
return handle_create_bucket(&garage, req, content_sha256, api_key, bucket_name).await;
|
||||||
}
|
}
|
||||||
|
|
||||||
let bucket_id = garage.bucket_helper().resolve_bucket(&bucket_name, &api_key).await?;
|
let bucket_id = garage
|
||||||
|
.bucket_helper()
|
||||||
|
.resolve_bucket(&bucket_name, &api_key)
|
||||||
|
.await?;
|
||||||
let bucket = garage
|
let bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.filter(|b| !b.state.is_deleted())
|
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let allowed = match endpoint.authorization_type() {
|
let allowed = match endpoint.authorization_type() {
|
||||||
Authorization::Read => api_key.allow_read(&bucket_id),
|
Authorization::Read => api_key.allow_read(&bucket_id),
|
||||||
|
@ -166,9 +166,7 @@ impl ApiHandler for S3ApiServer {
|
||||||
};
|
};
|
||||||
|
|
||||||
if !allowed {
|
if !allowed {
|
||||||
return Err(Error::Forbidden(
|
return Err(Error::forbidden("Operation is not allowed for this key."));
|
||||||
"Operation is not allowed for this key.".to_string(),
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Look up what CORS rule might apply to response.
|
// Look up what CORS rule might apply to response.
|
||||||
|
|
|
@ -14,6 +14,7 @@ use garage_util::crdt::*;
|
||||||
use garage_util::data::*;
|
use garage_util::data::*;
|
||||||
use garage_util::time::*;
|
use garage_util::time::*;
|
||||||
|
|
||||||
|
use crate::common_error::CommonError;
|
||||||
use crate::s3::error::*;
|
use crate::s3::error::*;
|
||||||
use crate::s3::xml as s3_xml;
|
use crate::s3::xml as s3_xml;
|
||||||
use crate::signature::verify_signed_content;
|
use crate::signature::verify_signed_content;
|
||||||
|
@ -158,7 +159,7 @@ pub async fn handle_create_bucket(
|
||||||
// otherwise return a forbidden error.
|
// otherwise return a forbidden error.
|
||||||
let kp = api_key.bucket_permissions(&bucket_id);
|
let kp = api_key.bucket_permissions(&bucket_id);
|
||||||
if !(kp.allow_write || kp.allow_owner) {
|
if !(kp.allow_write || kp.allow_owner) {
|
||||||
return Err(Error::BucketAlreadyExists);
|
return Err(CommonError::BucketAlreadyExists.into());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// Create the bucket!
|
// Create the bucket!
|
||||||
|
@ -239,7 +240,7 @@ pub async fn handle_delete_bucket(
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
if !objects.is_empty() {
|
if !objects.is_empty() {
|
||||||
return Err(Error::BucketNotEmpty);
|
return Err(CommonError::BucketNotEmpty.into());
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- done checking, now commit ---
|
// --- done checking, now commit ---
|
||||||
|
|
|
@ -18,8 +18,8 @@ use garage_model::s3::block_ref_table::*;
|
||||||
use garage_model::s3::object_table::*;
|
use garage_model::s3::object_table::*;
|
||||||
use garage_model::s3::version_table::*;
|
use garage_model::s3::version_table::*;
|
||||||
|
|
||||||
|
use crate::helpers::parse_bucket_key;
|
||||||
use crate::s3::error::*;
|
use crate::s3::error::*;
|
||||||
use crate::helpers::{parse_bucket_key};
|
|
||||||
use crate::s3::put::{decode_upload_id, get_headers};
|
use crate::s3::put::{decode_upload_id, get_headers};
|
||||||
use crate::s3::xml::{self as s3_xml, xmlns_tag};
|
use crate::s3::xml::{self as s3_xml, xmlns_tag};
|
||||||
|
|
||||||
|
@ -413,10 +413,13 @@ async fn get_copy_source(
|
||||||
let copy_source = percent_encoding::percent_decode_str(copy_source).decode_utf8()?;
|
let copy_source = percent_encoding::percent_decode_str(copy_source).decode_utf8()?;
|
||||||
|
|
||||||
let (source_bucket, source_key) = parse_bucket_key(©_source, None)?;
|
let (source_bucket, source_key) = parse_bucket_key(©_source, None)?;
|
||||||
let source_bucket_id = garage.bucket_helper().resolve_bucket(&source_bucket.to_string(), api_key).await?;
|
let source_bucket_id = garage
|
||||||
|
.bucket_helper()
|
||||||
|
.resolve_bucket(&source_bucket.to_string(), api_key)
|
||||||
|
.await?;
|
||||||
|
|
||||||
if !api_key.allow_read(&source_bucket_id) {
|
if !api_key.allow_read(&source_bucket_id) {
|
||||||
return Err(Error::Forbidden(format!(
|
return Err(Error::forbidden(format!(
|
||||||
"Reading from bucket {} not allowed for this key",
|
"Reading from bucket {} not allowed for this key",
|
||||||
source_bucket
|
source_bucket
|
||||||
)));
|
)));
|
||||||
|
|
|
@ -15,7 +15,6 @@ use crate::signature::verify_signed_content;
|
||||||
|
|
||||||
use garage_model::bucket_table::{Bucket, CorsRule as GarageCorsRule};
|
use garage_model::bucket_table::{Bucket, CorsRule as GarageCorsRule};
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
use garage_table::*;
|
|
||||||
use garage_util::data::*;
|
use garage_util::data::*;
|
||||||
|
|
||||||
pub async fn handle_get_cors(bucket: &Bucket) -> Result<Response<Body>, Error> {
|
pub async fn handle_get_cors(bucket: &Bucket) -> Result<Response<Body>, Error> {
|
||||||
|
@ -48,14 +47,11 @@ pub async fn handle_delete_cors(
|
||||||
bucket_id: Uuid,
|
bucket_id: Uuid,
|
||||||
) -> Result<Response<Body>, Error> {
|
) -> Result<Response<Body>, Error> {
|
||||||
let mut bucket = garage
|
let mut bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let param = bucket
|
let param = bucket.params_mut().unwrap();
|
||||||
.params_mut()
|
|
||||||
.ok_or_internal_error("Bucket should not be deleted at this point")?;
|
|
||||||
|
|
||||||
param.cors_config.update(None);
|
param.cors_config.update(None);
|
||||||
garage.bucket_table.insert(&bucket).await?;
|
garage.bucket_table.insert(&bucket).await?;
|
||||||
|
@ -78,14 +74,11 @@ pub async fn handle_put_cors(
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut bucket = garage
|
let mut bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let param = bucket
|
let param = bucket.params_mut().unwrap();
|
||||||
.params_mut()
|
|
||||||
.ok_or_internal_error("Bucket should not be deleted at this point")?;
|
|
||||||
|
|
||||||
let conf: CorsConfiguration = from_reader(&body as &[u8])?;
|
let conf: CorsConfiguration = from_reader(&body as &[u8])?;
|
||||||
conf.validate()?;
|
conf.validate()?;
|
||||||
|
@ -119,12 +112,7 @@ pub async fn handle_options_s3api(
|
||||||
let helper = garage.bucket_helper();
|
let helper = garage.bucket_helper();
|
||||||
let bucket_id = helper.resolve_global_bucket_name(&bn).await?;
|
let bucket_id = helper.resolve_global_bucket_name(&bn).await?;
|
||||||
if let Some(id) = bucket_id {
|
if let Some(id) = bucket_id {
|
||||||
let bucket = garage
|
let bucket = garage.bucket_helper().get_existing_bucket(id).await?;
|
||||||
.bucket_table
|
|
||||||
.get(&EmptyKey, &id)
|
|
||||||
.await?
|
|
||||||
.filter(|b| !b.state.is_deleted())
|
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
handle_options_for_bucket(req, &bucket)
|
handle_options_for_bucket(req, &bucket)
|
||||||
} else {
|
} else {
|
||||||
// If there is a bucket name in the request, but that name
|
// If there is a bucket name in the request, but that name
|
||||||
|
@ -185,7 +173,7 @@ pub fn handle_options_for_bucket(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Err(Error::Forbidden("This CORS request is not allowed.".into()))
|
Err(Error::forbidden("This CORS request is not allowed."))
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn find_matching_cors_rule<'a>(
|
pub fn find_matching_cors_rule<'a>(
|
||||||
|
|
|
@ -5,10 +5,9 @@ use hyper::header::HeaderValue;
|
||||||
use hyper::{Body, HeaderMap, StatusCode};
|
use hyper::{Body, HeaderMap, StatusCode};
|
||||||
|
|
||||||
use garage_model::helper::error::Error as HelperError;
|
use garage_model::helper::error::Error as HelperError;
|
||||||
use garage_util::error::Error as GarageError;
|
|
||||||
|
|
||||||
use crate::common_error::CommonError;
|
use crate::common_error::CommonError;
|
||||||
pub use crate::common_error::{OkOrBadRequest, OkOrInternalError};
|
pub use crate::common_error::{CommonErrorDerivative, OkOrBadRequest, OkOrInternalError};
|
||||||
use crate::generic_server::ApiError;
|
use crate::generic_server::ApiError;
|
||||||
use crate::s3::xml as s3_xml;
|
use crate::s3::xml as s3_xml;
|
||||||
use crate::signature::error::Error as SignatureError;
|
use crate::signature::error::Error as SignatureError;
|
||||||
|
@ -21,10 +20,6 @@ pub enum Error {
|
||||||
CommonError(CommonError),
|
CommonError(CommonError),
|
||||||
|
|
||||||
// Category: cannot process
|
// Category: cannot process
|
||||||
/// No proper api key was used, or the signature was invalid
|
|
||||||
#[error(display = "Forbidden: {}", _0)]
|
|
||||||
Forbidden(String),
|
|
||||||
|
|
||||||
/// Authorization Header Malformed
|
/// Authorization Header Malformed
|
||||||
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
||||||
AuthorizationHeaderMalformed(String),
|
AuthorizationHeaderMalformed(String),
|
||||||
|
@ -33,22 +28,10 @@ pub enum Error {
|
||||||
#[error(display = "Key not found")]
|
#[error(display = "Key not found")]
|
||||||
NoSuchKey,
|
NoSuchKey,
|
||||||
|
|
||||||
/// The bucket requested don't exists
|
|
||||||
#[error(display = "Bucket not found")]
|
|
||||||
NoSuchBucket,
|
|
||||||
|
|
||||||
/// The multipart upload requested don't exists
|
/// The multipart upload requested don't exists
|
||||||
#[error(display = "Upload not found")]
|
#[error(display = "Upload not found")]
|
||||||
NoSuchUpload,
|
NoSuchUpload,
|
||||||
|
|
||||||
/// Tried to create a bucket that already exist
|
|
||||||
#[error(display = "Bucket already exists")]
|
|
||||||
BucketAlreadyExists,
|
|
||||||
|
|
||||||
/// Tried to delete a non-empty bucket
|
|
||||||
#[error(display = "Tried to delete a non-empty bucket")]
|
|
||||||
BucketNotEmpty,
|
|
||||||
|
|
||||||
/// Precondition failed (e.g. x-amz-copy-source-if-match)
|
/// Precondition failed (e.g. x-amz-copy-source-if-match)
|
||||||
#[error(display = "At least one of the preconditions you specified did not hold")]
|
#[error(display = "At least one of the preconditions you specified did not hold")]
|
||||||
PreconditionFailed,
|
PreconditionFailed,
|
||||||
|
@ -75,14 +58,6 @@ pub enum Error {
|
||||||
#[error(display = "Invalid UTF-8: {}", _0)]
|
#[error(display = "Invalid UTF-8: {}", _0)]
|
||||||
InvalidUtf8String(#[error(source)] std::string::FromUtf8Error),
|
InvalidUtf8String(#[error(source)] std::string::FromUtf8Error),
|
||||||
|
|
||||||
/// Some base64 encoded data was badly encoded
|
|
||||||
#[error(display = "Invalid base64: {}", _0)]
|
|
||||||
InvalidBase64(#[error(source)] base64::DecodeError),
|
|
||||||
|
|
||||||
/// Bucket name is not valid according to AWS S3 specs
|
|
||||||
#[error(display = "Invalid bucket name")]
|
|
||||||
InvalidBucketName,
|
|
||||||
|
|
||||||
/// The client sent invalid XML data
|
/// The client sent invalid XML data
|
||||||
#[error(display = "Invalid XML: {}", _0)]
|
#[error(display = "Invalid XML: {}", _0)]
|
||||||
InvalidXml(String),
|
InvalidXml(String),
|
||||||
|
@ -95,10 +70,6 @@ pub enum Error {
|
||||||
#[error(display = "Invalid HTTP range: {:?}", _0)]
|
#[error(display = "Invalid HTTP range: {:?}", _0)]
|
||||||
InvalidRange(#[error(from)] (http_range::HttpRangeParseError, u64)),
|
InvalidRange(#[error(from)] (http_range::HttpRangeParseError, u64)),
|
||||||
|
|
||||||
/// The client asked for an invalid return format (invalid Accept header)
|
|
||||||
#[error(display = "Not acceptable: {}", _0)]
|
|
||||||
NotAcceptable(String),
|
|
||||||
|
|
||||||
/// The client sent a request for an action not supported by garage
|
/// The client sent a request for an action not supported by garage
|
||||||
#[error(display = "Unimplemented action: {}", _0)]
|
#[error(display = "Unimplemented action: {}", _0)]
|
||||||
NotImplemented(String),
|
NotImplemented(String),
|
||||||
|
@ -113,6 +84,20 @@ where
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl CommonErrorDerivative for Error {}
|
||||||
|
|
||||||
|
impl From<HelperError> for Error {
|
||||||
|
fn from(err: HelperError) -> Self {
|
||||||
|
match err {
|
||||||
|
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
||||||
|
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
||||||
|
HelperError::InvalidBucketName(_) => Self::CommonError(CommonError::InvalidBucketName),
|
||||||
|
HelperError::NoSuchBucket(_) => Self::CommonError(CommonError::NoSuchBucket),
|
||||||
|
e => Self::bad_request(format!("{}", e)),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl From<roxmltree::Error> for Error {
|
impl From<roxmltree::Error> for Error {
|
||||||
fn from(err: roxmltree::Error) -> Self {
|
fn from(err: roxmltree::Error) -> Self {
|
||||||
Self::InvalidXml(format!("{}", err))
|
Self::InvalidXml(format!("{}", err))
|
||||||
|
@ -125,22 +110,13 @@ impl From<quick_xml::de::DeError> for Error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl From<HelperError> for Error {
|
|
||||||
fn from(err: HelperError) -> Self {
|
|
||||||
match err {
|
|
||||||
HelperError::Internal(i) => Self::CommonError(CommonError::InternalError(i)),
|
|
||||||
HelperError::BadRequest(b) => Self::CommonError(CommonError::BadRequest(b)),
|
|
||||||
e => Self::CommonError(CommonError::BadRequest(format!("{}", e))),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl From<SignatureError> for Error {
|
impl From<SignatureError> for Error {
|
||||||
fn from(err: SignatureError) -> Self {
|
fn from(err: SignatureError) -> Self {
|
||||||
match err {
|
match err {
|
||||||
SignatureError::CommonError(c) => Self::CommonError(c),
|
SignatureError::CommonError(c) => Self::CommonError(c),
|
||||||
SignatureError::AuthorizationHeaderMalformed(c) => Self::AuthorizationHeaderMalformed(c),
|
SignatureError::AuthorizationHeaderMalformed(c) => {
|
||||||
SignatureError::Forbidden(f) => Self::Forbidden(f),
|
Self::AuthorizationHeaderMalformed(c)
|
||||||
|
}
|
||||||
SignatureError::InvalidUtf8Str(i) => Self::InvalidUtf8Str(i),
|
SignatureError::InvalidUtf8Str(i) => Self::InvalidUtf8Str(i),
|
||||||
SignatureError::InvalidHeader(h) => Self::InvalidHeader(h),
|
SignatureError::InvalidHeader(h) => Self::InvalidHeader(h),
|
||||||
}
|
}
|
||||||
|
@ -156,39 +132,22 @@ impl From<multer::Error> for Error {
|
||||||
impl Error {
|
impl Error {
|
||||||
pub fn aws_code(&self) -> &'static str {
|
pub fn aws_code(&self) -> &'static str {
|
||||||
match self {
|
match self {
|
||||||
|
Error::CommonError(c) => c.aws_code(),
|
||||||
Error::NoSuchKey => "NoSuchKey",
|
Error::NoSuchKey => "NoSuchKey",
|
||||||
Error::NoSuchBucket => "NoSuchBucket",
|
|
||||||
Error::NoSuchUpload => "NoSuchUpload",
|
Error::NoSuchUpload => "NoSuchUpload",
|
||||||
Error::BucketAlreadyExists => "BucketAlreadyExists",
|
|
||||||
Error::BucketNotEmpty => "BucketNotEmpty",
|
|
||||||
Error::PreconditionFailed => "PreconditionFailed",
|
Error::PreconditionFailed => "PreconditionFailed",
|
||||||
Error::InvalidPart => "InvalidPart",
|
Error::InvalidPart => "InvalidPart",
|
||||||
Error::InvalidPartOrder => "InvalidPartOrder",
|
Error::InvalidPartOrder => "InvalidPartOrder",
|
||||||
Error::EntityTooSmall => "EntityTooSmall",
|
Error::EntityTooSmall => "EntityTooSmall",
|
||||||
Error::Forbidden(_) => "AccessDenied",
|
|
||||||
Error::AuthorizationHeaderMalformed(_) => "AuthorizationHeaderMalformed",
|
Error::AuthorizationHeaderMalformed(_) => "AuthorizationHeaderMalformed",
|
||||||
Error::NotImplemented(_) => "NotImplemented",
|
Error::NotImplemented(_) => "NotImplemented",
|
||||||
Error::CommonError(CommonError::InternalError(
|
Error::InvalidXml(_) => "MalformedXML",
|
||||||
GarageError::Timeout
|
Error::InvalidRange(_) => "InvalidRange",
|
||||||
| GarageError::RemoteError(_)
|
Error::InvalidUtf8Str(_) | Error::InvalidUtf8String(_) | Error::InvalidHeader(_) => {
|
||||||
| GarageError::Quorum(_, _, _, _),
|
"InvalidRequest"
|
||||||
)) => "ServiceUnavailable",
|
}
|
||||||
Error::CommonError(
|
|
||||||
CommonError::InternalError(_) | CommonError::Hyper(_) | CommonError::Http(_),
|
|
||||||
) => "InternalError",
|
|
||||||
_ => "InvalidRequest",
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn internal_error<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::InternalError(GarageError::Message(
|
|
||||||
msg.to_string(),
|
|
||||||
)))
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::BadRequest(msg.to_string()))
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
impl ApiError for Error {
|
impl ApiError for Error {
|
||||||
|
@ -196,14 +155,18 @@ impl ApiError for Error {
|
||||||
fn http_status_code(&self) -> StatusCode {
|
fn http_status_code(&self) -> StatusCode {
|
||||||
match self {
|
match self {
|
||||||
Error::CommonError(c) => c.http_status_code(),
|
Error::CommonError(c) => c.http_status_code(),
|
||||||
Error::NoSuchKey | Error::NoSuchBucket | Error::NoSuchUpload => StatusCode::NOT_FOUND,
|
Error::NoSuchKey | Error::NoSuchUpload => StatusCode::NOT_FOUND,
|
||||||
Error::BucketNotEmpty | Error::BucketAlreadyExists => StatusCode::CONFLICT,
|
|
||||||
Error::PreconditionFailed => StatusCode::PRECONDITION_FAILED,
|
Error::PreconditionFailed => StatusCode::PRECONDITION_FAILED,
|
||||||
Error::Forbidden(_) => StatusCode::FORBIDDEN,
|
|
||||||
Error::NotAcceptable(_) => StatusCode::NOT_ACCEPTABLE,
|
|
||||||
Error::InvalidRange(_) => StatusCode::RANGE_NOT_SATISFIABLE,
|
Error::InvalidRange(_) => StatusCode::RANGE_NOT_SATISFIABLE,
|
||||||
Error::NotImplemented(_) => StatusCode::NOT_IMPLEMENTED,
|
Error::NotImplemented(_) => StatusCode::NOT_IMPLEMENTED,
|
||||||
_ => StatusCode::BAD_REQUEST,
|
Error::AuthorizationHeaderMalformed(_)
|
||||||
|
| Error::InvalidPart
|
||||||
|
| Error::InvalidPartOrder
|
||||||
|
| Error::EntityTooSmall
|
||||||
|
| Error::InvalidXml(_)
|
||||||
|
| Error::InvalidUtf8Str(_)
|
||||||
|
| Error::InvalidUtf8String(_)
|
||||||
|
| Error::InvalidHeader(_) => StatusCode::BAD_REQUEST,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -16,8 +16,8 @@ use garage_model::s3::version_table::Version;
|
||||||
use garage_table::{EmptyKey, EnumerationOrder};
|
use garage_table::{EmptyKey, EnumerationOrder};
|
||||||
|
|
||||||
use crate::encoding::*;
|
use crate::encoding::*;
|
||||||
use crate::s3::error::*;
|
|
||||||
use crate::helpers::key_after_prefix;
|
use crate::helpers::key_after_prefix;
|
||||||
|
use crate::s3::error::*;
|
||||||
use crate::s3::put as s3_put;
|
use crate::s3::put as s3_put;
|
||||||
use crate::s3::xml as s3_xml;
|
use crate::s3::xml as s3_xml;
|
||||||
|
|
||||||
|
@ -582,11 +582,17 @@ impl ListObjectsQuery {
|
||||||
// representing the key to start with.
|
// representing the key to start with.
|
||||||
(Some(token), _) => match &token[..1] {
|
(Some(token), _) => match &token[..1] {
|
||||||
"[" => Ok(RangeBegin::IncludingKey {
|
"[" => Ok(RangeBegin::IncludingKey {
|
||||||
key: String::from_utf8(base64::decode(token[1..].as_bytes())?)?,
|
key: String::from_utf8(
|
||||||
|
base64::decode(token[1..].as_bytes())
|
||||||
|
.ok_or_bad_request("Invalid continuation token")?,
|
||||||
|
)?,
|
||||||
fallback_key: None,
|
fallback_key: None,
|
||||||
}),
|
}),
|
||||||
"]" => Ok(RangeBegin::AfterKey {
|
"]" => Ok(RangeBegin::AfterKey {
|
||||||
key: String::from_utf8(base64::decode(token[1..].as_bytes())?)?,
|
key: String::from_utf8(
|
||||||
|
base64::decode(token[1..].as_bytes())
|
||||||
|
.ok_or_bad_request("Invalid continuation token")?,
|
||||||
|
)?,
|
||||||
}),
|
}),
|
||||||
_ => Err(Error::bad_request("Invalid continuation token".to_string())),
|
_ => Err(Error::bad_request("Invalid continuation token".to_string())),
|
||||||
},
|
},
|
||||||
|
|
|
@ -89,9 +89,7 @@ pub async fn handle_post_object(
|
||||||
.to_str()?;
|
.to_str()?;
|
||||||
let credential = params
|
let credential = params
|
||||||
.get("x-amz-credential")
|
.get("x-amz-credential")
|
||||||
.ok_or_else(|| {
|
.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?
|
||||||
Error::Forbidden("Garage does not support anonymous access yet".to_string())
|
|
||||||
})?
|
|
||||||
.to_str()?;
|
.to_str()?;
|
||||||
let policy = params
|
let policy = params
|
||||||
.get("policy")
|
.get("policy")
|
||||||
|
@ -128,15 +126,16 @@ pub async fn handle_post_object(
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
let bucket_id = garage.bucket_helper().resolve_bucket(&bucket, &api_key).await?;
|
let bucket_id = garage
|
||||||
|
.bucket_helper()
|
||||||
|
.resolve_bucket(&bucket, &api_key)
|
||||||
|
.await?;
|
||||||
|
|
||||||
if !api_key.allow_write(&bucket_id) {
|
if !api_key.allow_write(&bucket_id) {
|
||||||
return Err(Error::Forbidden(
|
return Err(Error::forbidden("Operation is not allowed for this key."));
|
||||||
"Operation is not allowed for this key.".to_string(),
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let decoded_policy = base64::decode(&policy)?;
|
let decoded_policy = base64::decode(&policy).ok_or_bad_request("Invalid policy")?;
|
||||||
let decoded_policy: Policy =
|
let decoded_policy: Policy =
|
||||||
serde_json::from_slice(&decoded_policy).ok_or_bad_request("Invalid policy")?;
|
serde_json::from_slice(&decoded_policy).ok_or_bad_request("Invalid policy")?;
|
||||||
|
|
||||||
|
|
|
@ -3,9 +3,9 @@ use std::borrow::Cow;
|
||||||
use hyper::header::HeaderValue;
|
use hyper::header::HeaderValue;
|
||||||
use hyper::{HeaderMap, Method, Request};
|
use hyper::{HeaderMap, Method, Request};
|
||||||
|
|
||||||
use crate::s3::error::{Error, OkOrBadRequest};
|
|
||||||
use crate::helpers::Authorization;
|
use crate::helpers::Authorization;
|
||||||
use crate::router_macros::{generateQueryParameters, router_match};
|
use crate::router_macros::{generateQueryParameters, router_match};
|
||||||
|
use crate::s3::error::*;
|
||||||
|
|
||||||
router_match! {@func
|
router_match! {@func
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,6 @@ use crate::signature::verify_signed_content;
|
||||||
|
|
||||||
use garage_model::bucket_table::*;
|
use garage_model::bucket_table::*;
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
use garage_table::*;
|
|
||||||
use garage_util::data::*;
|
use garage_util::data::*;
|
||||||
|
|
||||||
pub async fn handle_get_website(bucket: &Bucket) -> Result<Response<Body>, Error> {
|
pub async fn handle_get_website(bucket: &Bucket) -> Result<Response<Body>, Error> {
|
||||||
|
@ -47,14 +46,11 @@ pub async fn handle_delete_website(
|
||||||
bucket_id: Uuid,
|
bucket_id: Uuid,
|
||||||
) -> Result<Response<Body>, Error> {
|
) -> Result<Response<Body>, Error> {
|
||||||
let mut bucket = garage
|
let mut bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let param = bucket
|
let param = bucket.params_mut().unwrap();
|
||||||
.params_mut()
|
|
||||||
.ok_or_internal_error("Bucket should not be deleted at this point")?;
|
|
||||||
|
|
||||||
param.website_config.update(None);
|
param.website_config.update(None);
|
||||||
garage.bucket_table.insert(&bucket).await?;
|
garage.bucket_table.insert(&bucket).await?;
|
||||||
|
@ -77,14 +73,11 @@ pub async fn handle_put_website(
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut bucket = garage
|
let mut bucket = garage
|
||||||
.bucket_table
|
.bucket_helper()
|
||||||
.get(&EmptyKey, &bucket_id)
|
.get_existing_bucket(bucket_id)
|
||||||
.await?
|
.await?;
|
||||||
.ok_or(Error::NoSuchBucket)?;
|
|
||||||
|
|
||||||
let param = bucket
|
let param = bucket.params_mut().unwrap();
|
||||||
.params_mut()
|
|
||||||
.ok_or_internal_error("Bucket should not be deleted at this point")?;
|
|
||||||
|
|
||||||
let conf: WebsiteConfiguration = from_reader(&body as &[u8])?;
|
let conf: WebsiteConfiguration = from_reader(&body as &[u8])?;
|
||||||
conf.validate()?;
|
conf.validate()?;
|
||||||
|
|
|
@ -1,9 +1,7 @@
|
||||||
use err_derive::Error;
|
use err_derive::Error;
|
||||||
|
|
||||||
use garage_util::error::Error as GarageError;
|
|
||||||
|
|
||||||
use crate::common_error::CommonError;
|
use crate::common_error::CommonError;
|
||||||
pub use crate::common_error::{OkOrBadRequest, OkOrInternalError};
|
pub use crate::common_error::{CommonErrorDerivative, OkOrBadRequest, OkOrInternalError};
|
||||||
|
|
||||||
/// Errors of this crate
|
/// Errors of this crate
|
||||||
#[derive(Debug, Error)]
|
#[derive(Debug, Error)]
|
||||||
|
@ -16,10 +14,6 @@ pub enum Error {
|
||||||
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
#[error(display = "Authorization header malformed, expected scope: {}", _0)]
|
||||||
AuthorizationHeaderMalformed(String),
|
AuthorizationHeaderMalformed(String),
|
||||||
|
|
||||||
/// No proper api key was used, or the signature was invalid
|
|
||||||
#[error(display = "Forbidden: {}", _0)]
|
|
||||||
Forbidden(String),
|
|
||||||
|
|
||||||
// Category: bad request
|
// Category: bad request
|
||||||
/// The request contained an invalid UTF-8 sequence in its path or in other parameters
|
/// The request contained an invalid UTF-8 sequence in its path or in other parameters
|
||||||
#[error(display = "Invalid UTF-8: {}", _0)]
|
#[error(display = "Invalid UTF-8: {}", _0)]
|
||||||
|
@ -39,16 +33,4 @@ where
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl CommonErrorDerivative for Error {}
|
||||||
impl Error {
|
|
||||||
pub fn internal_error<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::InternalError(GarageError::Message(
|
|
||||||
msg.to_string(),
|
|
||||||
)))
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn bad_request<M: ToString>(msg: M) -> Self {
|
|
||||||
Self::CommonError(CommonError::BadRequest(msg.to_string()))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -303,7 +303,7 @@ pub async fn verify_v4(
|
||||||
.get(&EmptyKey, &key_id)
|
.get(&EmptyKey, &key_id)
|
||||||
.await?
|
.await?
|
||||||
.filter(|k| !k.state.is_deleted())
|
.filter(|k| !k.state.is_deleted())
|
||||||
.ok_or_else(|| Error::Forbidden(format!("No such key: {}", &key_id)))?;
|
.ok_or_else(|| Error::forbidden(format!("No such key: {}", &key_id)))?;
|
||||||
let key_p = key.params().unwrap();
|
let key_p = key.params().unwrap();
|
||||||
|
|
||||||
let mut hmac = signing_hmac(
|
let mut hmac = signing_hmac(
|
||||||
|
@ -316,7 +316,7 @@ pub async fn verify_v4(
|
||||||
hmac.update(payload);
|
hmac.update(payload);
|
||||||
let our_signature = hex::encode(hmac.finalize().into_bytes());
|
let our_signature = hex::encode(hmac.finalize().into_bytes());
|
||||||
if signature != our_signature {
|
if signature != our_signature {
|
||||||
return Err(Error::Forbidden("Invalid signature".to_string()));
|
return Err(Error::forbidden("Invalid signature".to_string()));
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(key)
|
Ok(key)
|
||||||
|
|
|
@ -6,10 +6,10 @@ use garage_util::time::*;
|
||||||
|
|
||||||
use crate::bucket_alias_table::*;
|
use crate::bucket_alias_table::*;
|
||||||
use crate::bucket_table::*;
|
use crate::bucket_table::*;
|
||||||
use crate::key_table::*;
|
|
||||||
use crate::garage::Garage;
|
use crate::garage::Garage;
|
||||||
use crate::helper::error::*;
|
use crate::helper::error::*;
|
||||||
use crate::helper::key::KeyHelper;
|
use crate::helper::key::KeyHelper;
|
||||||
|
use crate::key_table::*;
|
||||||
use crate::permission::BucketKeyPerm;
|
use crate::permission::BucketKeyPerm;
|
||||||
|
|
||||||
pub struct BucketHelper<'a>(pub(crate) &'a Garage);
|
pub struct BucketHelper<'a>(pub(crate) &'a Garage);
|
||||||
|
@ -51,11 +51,7 @@ impl<'a> BucketHelper<'a> {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[allow(clippy::ptr_arg)]
|
#[allow(clippy::ptr_arg)]
|
||||||
pub async fn resolve_bucket(
|
pub async fn resolve_bucket(&self, bucket_name: &String, api_key: &Key) -> Result<Uuid, Error> {
|
||||||
&self,
|
|
||||||
bucket_name: &String,
|
|
||||||
api_key: &Key,
|
|
||||||
) -> Result<Uuid, Error> {
|
|
||||||
let api_key_params = api_key
|
let api_key_params = api_key
|
||||||
.state
|
.state
|
||||||
.as_option()
|
.as_option()
|
||||||
|
@ -64,8 +60,8 @@ impl<'a> BucketHelper<'a> {
|
||||||
if let Some(Some(bucket_id)) = api_key_params.local_aliases.get(bucket_name) {
|
if let Some(Some(bucket_id)) = api_key_params.local_aliases.get(bucket_name) {
|
||||||
Ok(*bucket_id)
|
Ok(*bucket_id)
|
||||||
} else {
|
} else {
|
||||||
Ok(self.
|
Ok(self
|
||||||
resolve_global_bucket_name(bucket_name)
|
.resolve_global_bucket_name(bucket_name)
|
||||||
.await?
|
.await?
|
||||||
.ok_or_else(|| Error::NoSuchBucket(bucket_name.to_string()))?)
|
.ok_or_else(|| Error::NoSuchBucket(bucket_name.to_string()))?)
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,9 +18,11 @@ use opentelemetry::{
|
||||||
|
|
||||||
use crate::error::*;
|
use crate::error::*;
|
||||||
|
|
||||||
use garage_api::s3::error::{Error as ApiError, OkOrBadRequest, OkOrInternalError};
|
|
||||||
use garage_api::helpers::{authority_to_host, host_to_bucket};
|
use garage_api::helpers::{authority_to_host, host_to_bucket};
|
||||||
use garage_api::s3::cors::{add_cors_headers, find_matching_cors_rule, handle_options_for_bucket};
|
use garage_api::s3::cors::{add_cors_headers, find_matching_cors_rule, handle_options_for_bucket};
|
||||||
|
use garage_api::s3::error::{
|
||||||
|
CommonErrorDerivative, Error as ApiError, OkOrBadRequest, OkOrInternalError,
|
||||||
|
};
|
||||||
use garage_api::s3::get::{handle_get, handle_head};
|
use garage_api::s3::get::{handle_get, handle_head};
|
||||||
|
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
|
|
Loading…
Reference in a new issue