From 9bba39a8111ad6767d0ddaf5139f7c53c935fa3e Mon Sep 17 00:00:00 2001 From: Nugraha Date: Mon, 5 Dec 2022 01:53:52 +0700 Subject: [PATCH] all: initial files --- .config/example.env | 19 ++++ .dockerignore | 1 + .drone.yml | 5 + .env.example | 13 +++ .gitignore | 1 + .vscode/launch.json | 22 ++++ .vscode/tasks.json | 11 ++ Dockerfile | 18 ++++ LICENSE | 201 +++++++++++++++++++++++++++++++++++++ Makefile | 24 +++++ README.md | 16 +++ docker/.gitkeep | 0 docker/Makefile | 4 + docker/default.vcl | 113 +++++++++++++++++++++ docker/docker-compose.yaml | 62 ++++++++++++ go.mod | 34 +++++++ go.sum | 107 ++++++++++++++++++++ main.go | 88 ++++++++++++++++ obs.go | 102 +++++++++++++++++++ obs_test.go | 29 ++++++ server.go | 146 +++++++++++++++++++++++++++ util.go | 25 +++++ util_test.go | 13 +++ 23 files changed, 1054 insertions(+) create mode 100644 .config/example.env create mode 100644 .dockerignore create mode 100644 .drone.yml create mode 100644 .env.example create mode 100644 .gitignore create mode 100644 .vscode/launch.json create mode 100644 .vscode/tasks.json create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 README.md create mode 100644 docker/.gitkeep create mode 100644 docker/Makefile create mode 100644 docker/default.vcl create mode 100644 docker/docker-compose.yaml create mode 100644 go.mod create mode 100644 go.sum create mode 100644 main.go create mode 100644 obs.go create mode 100644 obs_test.go create mode 100644 server.go create mode 100644 util.go create mode 100644 util_test.go diff --git a/.config/example.env b/.config/example.env new file mode 100644 index 0000000..47c2571 --- /dev/null +++ b/.config/example.env 
@@ -0,0 +1,19 @@
+## obs-access-signer
+#
+HTTP_ADDR=0.0.0.0:9002
+OBS_ENDPOINT=minio:9000
+OBS_BUCKET_NAME=test-bucket
+OBS_SECURE=false
+LOG_LEVEL=DEBUG
+AWS_ACCESS_KEY=example-minio-access
+AWS_SECRET_KEY=example-minio-secret
+# AWS_SESSION_TOKEN
+
+# accessible S3 gateway
+OBS_HOST_REDIRECT=127.0.0.1:9000
+
+
+## Infra
+# minio, mc
+MINIO_ACCESS_KEY=example-minio-access
+MINIO_SECRET_KEY=example-minio-secret
\ No newline at end of file
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..4032ec6
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1 @@
+.git/
\ No newline at end of file
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..dac6c08
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,5 @@
+kind: pipeline
+type: docker
+name: default
+
+steps: []
\ No newline at end of file
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..e50fd82
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,13 @@
+## obs-access-signer
+#
+HTTP_ADDR=127.0.0.1:9003
+OBS_ENDPOINT=127.0.0.1:9000
+OBS_BUCKET_NAME=test-bucket
+OBS_SECURE=false
+LOG_LEVEL=DEBUG
+AWS_ACCESS_KEY=example-minio-access
+AWS_SECRET_KEY=example-minio-secret
+# AWS_SESSION_TOKEN
+
+# accessible S3 gateway
+OBS_HOST_REDIRECT=127.0.0.1:9000
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2eea525
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
\ No newline at end of file
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..4018789
--- /dev/null
+++ b/.vscode/launch.json
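Review bot: `.dockerignore` excludes only `.git/`, while `.gitignore` in the same patch ignores `.env` and `.env.example` shows that file holding `AWS_SECRET_KEY`; the Dockerfile's `COPY . /build` therefore copies a developer's local `.env` into the builder stage. The builder layer is dropped from the final image, but it still lands in the local build cache and in anything that exports or pushes the builder stage, so the secret can travel further than intended. Add `.env` (and `.config/*.env` if real credentials are ever placed there) to `.dockerignore` alongside `.git/`.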
@@ -0,0 +1,22 @@
+{
+ "configurations": [
+ {
+ "name": "Launch server on external",
+ "type": "go",
+ "request": "launch",
+ "mode": "auto",
+ "program": "${workspaceFolder}",
+ "host": "127.0.0.1",
+ "port": 10500,
+ "showGlobalVariables": true,
+ },
+ {
+ "name": "Launch server",
+ "type": "go",
+ "request": "launch",
+ "mode": "auto",
+ "program": "${workspaceFolder}",
+ "showGlobalVariables": true,
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
new file mode 100644
index 0000000..7cec688
--- /dev/null
+++ b/.vscode/tasks.json
@@ -0,0 +1,11 @@
+{
+ "version": "2.0.0",
+ "tasks": [
+ {
+ "label": "Run dlv",
+ "type": "shell",
+ "command": "dlv dap --check-go-version --listen 127.0.0.1:10500",
+ "group": "build",
+ },
+ ],
+}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..18a1029
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,18 @@
+FROM ii64/golang-zig:go1.18-alpine3.15-zig AS builder
+
+WORKDIR /build
+COPY . /build
+
+RUN apk add --no-cache \
+ make
+
+RUN --mount=type=cache,mode=0755,target=/go/pkg/mod make dep
+RUN make build
+
+
+FROM gcr.io/distroless/static-debian11
+
+WORKDIR /app
+COPY --from=builder /build/obs-access-signer /app/obs-access-signer
+
+ENTRYPOINT [ "/app/obs-access-signer" ]
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f49a4e1
--- /dev/null
+++ b/LICENSE
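Review bot: The builder stage pins `ii64/golang-zig:go1.18-alpine3.15-zig` while the go.mod added in this same patch declares `go 1.19`, so `make build` runs a toolchain older than the module requires and only succeeds as long as no 1.19-only API or syntax is used; bump the builder tag to a 1.19 image or lower the go.mod directive so the two agree. The runtime stage `FROM gcr.io/distroless/static-debian11` runs the signer as root by default, and since the binary only listens on an unprivileged port it can switch to `FROM gcr.io/distroless/static-debian11:nonroot` with no other change. Neither base image is pinned to a digest, so the build is not reproducible and a retagged upstream image would be picked up silently.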
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d27b0d5
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+all: build
+
+export DOCKER_BUILDKIT=1
+
+IMAGE := obs-access-signer:dev
+
+# use zig cc/c++ to statically link deps
+TARGET_TRIPLE := x86_64-linux
+
+CFLAGS ?=
+CFLAGS += -target $(TARGET_TRIPLE)
+CXXFLAGS ?=
+CXXFLAGS += -target $(TARGET_TRIPLE)
+GOFLAGS ?=
+GOFLAGS += -x -trimpath
+
+dep:
+ go mod download
+
+build:
+ CGO_ENABLED=0 CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)" go build $(GOFLAGS) .
+
+build.docker:
+ "docker" build --progress=plain -t $(IMAGE) .
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c8571f3
--- /dev/null
+++ b/README.md
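Review bot: The `build` target sets `CGO_ENABLED=0` on the same line as `CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)"`, which makes the zig settings inert: with cgo disabled the Go toolchain never invokes a C compiler, so the `# use zig cc/c++ to statically link deps` comment and the TARGET_TRIPLE/CFLAGS/CXXFLAGS block describe something the build does not do. Either drop the zig variables and the comment so the recipe reads as the pure-Go static build it actually is, or set `CGO_ENABLED=1` if linking C dependencies through zig is the intent. The Dockerfile in this patch runs this same target, so whichever way it goes should be checked against the container build as well.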
@@ -0,0 +1,16 @@
+# obs-access-signer
+
+S3 Object Storage access signer.
+
+Run `obs-access-signer` behind a gateway/cache proxy is preferred as the response is static.
+
+There's an example of using it with Varnish Cache, you can see [here](docker/docker-compose.yaml).
+
+## Why?
+
+Some S3-compatible gateway might not support ACL endpoints but they are support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned url with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since unix time started.
+
+
+## License
+
+Apache-2.0
diff --git a/docker/.gitkeep b/docker/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 0000000..1fd6fef
--- /dev/null
+++ b/docker/Makefile
@@ -0,0 +1,4 @@
+
+
+gen-minio-access:
+ docker compose run --rm minio
\ No newline at end of file
diff --git a/docker/default.vcl b/docker/default.vcl
new file mode 100644
index 0000000..7458769
--- /dev/null
+++ b/docker/default.vcl
@@ -0,0 +1,113 @@ +# +# This is an example VCL file for Varnish. +# +# It does not do anything by default, delegating control to the +# builtin VCL. The builtin VCL is called when there is no explicit +# return statement. +# +# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/ +# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples. + +# Marker to tell the VCL compiler that this VCL has been adapted to the +# new 4.0 format. +vcl 4.0; + +# Default backend definition. Set this to point to your content server. +backend default { + .host = "obs-access-signer"; + .port = "9002"; + .connect_timeout = 300s; + .first_byte_timeout = 300s; + .between_bytes_timeout = 300s; + .max_connections = 800; +} + +sub vcl_hash { + hash_data(req.url); + if (req.http.Host) { + hash_data(req.http.Host); + } else { + hash_data(server.ip); + } +} + +sub vcl_recv { + # Happens before we check if we have this in cache already. + # + # Typically you clean up the request here, removing cookies you don't need, + # rewriting the request, etc. + + if (req.method == "PRI") { + /* We do not support SPDY or HTTP/2.0 */ + return (synth(405)); + } + + # remove port from Host + set req.http.Host = regsub(req.http.Host, ":[0-9]+", ""); + + /* Backend accept HEAD and GET only */ + if (req.method != "GET" && req.method != "HEAD") { + return (synth(405)); + } + + # Ignore the query string + set req.url = regsub(req.url, "\?.*$", ""); + + return (hash); +} + +sub vcl_backend_response { + # Happens after we have read the response headers from the backend. + # + # Here you clean the response headers, removing silly Set-Cookie headers + # and other mistakes your backend does. + + # Don't cache 400s + if (beresp.status >= 400) { + set beresp.uncacheable = true; + set beresp.http.X-Cacheable = "NO: beresp.status"; + set beresp.ttl = 0s; + return (deliver); + } + + # keep last content in case backend goes down. 
+ set beresp.grace = 6h; + + # cache timeout + set beresp.ttl = 1h; + + return (deliver); +} + +sub vcl_deliver { + # Happens when we have all the pieces we need, and are about to send the + # response to the client. + # + # You can do accounting or modifying the final object here. + + set resp.http.Via = regsuball(resp.http.Via, "\s\([a-zA-Z0-9\/.]+\)", ""); + set resp.http.Server = "VOAS"; + + # Debug header to see if it's a HIT/MISS and the number of hits + if (obj.hits > 0) { + set resp.http.X-Cache = "HIT"; + } else { + set resp.http.X-Cache = "MISS"; + } + + # Please note that obj.hits behaviour changed in 4.0, now it counts per objecthead, not per object + # and obj.hits may not be reset in some cases where bans are in use. See bug 1492 for details. + # So take hits with a grain of salt + set resp.http.X-Cache-Hits = obj.hits; + + unset resp.http.Date; + unset resp.http.Age; + # unset resp.http.Server; + # unset resp.http.Via; + + return (deliver); +} + +sub vcl_backend_error { + return (retry); +} \ No newline at end of file diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml new file mode 100644 index 0000000..9ebe65b --- /dev/null +++ b/docker/docker-compose.yaml 
@@ -0,0 +1,62 @@
+version: '3'
+
+services:
+ # obs access signer
+ obs-access-signer:
+ image: obs-access-signer:dev
+ networks:
+ - obs
+ build:
+ context: ..
+ env_file:
+ - ../.config/example.env
+ ports:
+ - "127.0.0.1:9002:9002"
+
+ # Varnish cache proxy
+ varnish:
+ image: varnish:stable
+ networks:
+ - obs
+ volumes:
+ - ./default.vcl:/etc/varnish/default.vcl:ro
+ ports:
+ - "127.0.0.1:8080:80"
+ - "127.0.0.1:8443:8443"
+
+ # intended as S3-compatible gateway test
+ minio:
+ image: quay.io/minio/minio
+ networks:
+ - obs
+ env_file:
+ - ../.config/example.env
+ command:
+ - server
+ - /data
+ - --console-address
+ - :9001
+ ports:
+ - "127.0.0.1:9000:9000"
+ - "127.0.0.1:9001:9001"
+
+ # setup minio bucket
+ mc-create-bucket:
+ image: minio/mc
+ networks:
+ - obs
+ env_file:
+ - ../.config/example.env
+ entrypoint:
+ - sh
+ - -c
+ - |
+ mc config host add min http://minio:9000 $$MINIO_ACCESS_KEY $$MINIO_SECRET_KEY
+ mc rm -r --force min/$$OBS_BUCKET_NAME
+ mc mb min/$$OBS_BUCKET_NAME
+ mc policy download min/$$OBS_BUCKET_NAME
+ depends_on:
+ - minio
+
+networks:
+ obs: {}
\ No newline at end of file
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..cd66fe5
--- /dev/null
+++ b/go.mod
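Review bot: The `mc-create-bucket` service ends with `mc policy download min/$$OBS_BUCKET_NAME`, which grants anonymous read on the bucket, so in this example stack objects appear to be fetchable from minio directly without the signer at all; that undercuts the README's stated scenario of a gateway without ACL support and deserves at least a comment saying it is deliberate for local testing. The preceding `mc rm -r --force min/$$OBS_BUCKET_NAME` wipes the bucket on every `docker compose up`, which will surprise anyone who has put test objects in it; a comment, or skipping the removal when the bucket already exists, would help. The `quay.io/minio/minio` and `minio/mc` images carry no tag, so the stack tracks `latest` and can break with no change in this repository; newer MinIO releases have also deprecated `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` in favour of `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`, so pinning a version keeps the credential wiring in `.config/example.env` valid.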
@@ -0,0 +1,34 @@
+module github.com/ii64/obs-access-signer
+
+go 1.19
+
+require (
+ github.com/joho/godotenv v1.4.0
+ github.com/minio/minio-go/v7 v7.0.45
+ github.com/valyala/fasthttp v1.43.0
+ go.uber.org/zap v1.24.0
+)
+
+require (
+ github.com/andybalholm/brotli v1.0.4 // indirect
+ github.com/dustin/go-humanize v1.0.0 // indirect
+ github.com/google/uuid v1.3.0 // indirect
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/klauspost/compress v1.15.9 // indirect
+ github.com/klauspost/cpuid/v2 v2.1.0 // indirect
+ github.com/minio/md5-simd v1.1.2 // indirect
+ github.com/minio/sha256-simd v1.0.0 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/rs/xid v1.4.0 // indirect
+ github.com/sirupsen/logrus v1.9.0 // indirect
+ github.com/valyala/bytebufferpool v1.0.0 // indirect
+ go.uber.org/atomic v1.7.0 // indirect
+ go.uber.org/goleak v1.1.12 // indirect
+ go.uber.org/multierr v1.6.0 // indirect
+ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
+ golang.org/x/net v0.0.0-20220906165146-f3363e06e74c // indirect
+ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
+ golang.org/x/text v0.3.7 // indirect
+ gopkg.in/ini.v1 v1.66.6 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..d7884b6
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,107 @@ +github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= +github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg= +github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= +github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/klauspost/cpuid/v2 v2.1.0 h1:eyi1Ad2aNJMW95zcSbmGg7Cg6cq3ADwLpMAP96d8rF0= +github.com/klauspost/cpuid/v2 v2.1.0/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod 
h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= +github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM= +github.com/minio/minio-go/v7 v7.0.45 h1:g4IeM9M9pW/Lo8AGGNOjBZYlvmtlE1N5TQEYWXRWzIs= +github.com/minio/minio-go/v7 v7.0.45/go.mod h1:nCrRzjoSUQh8hgKKtu3Y708OLvRLtuASMg2/nvmbarw= +github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= +github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY= +github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= +github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify 
v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g= +github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY= +github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= +go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod 
v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220906165146-f3363e06e74c h1:yKufUcDwucU5urd+50/Opbt4AYpqthk7wHpHok8f1lo= +golang.org/x/net v0.0.0-20220906165146-f3363e06e74c/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI= +gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= diff --git a/main.go b/main.go new file mode 100644 index 0000000..8c81e53 --- /dev/null +++ b/main.go 
@@ -0,0 +1,88 @@
+package main
+
+import (
+ "flag"
+ "os"
+ "strconv"
+
+ _ "github.com/joho/godotenv/autoload"
+ "go.uber.org/zap"
+ "go.uber.org/zap/zapcore"
+)
+
+var (
+ httpAddr string
+ logLevel string
+ // obsSignedUrlExpiry time.Duration
+ zapLogLevel zapcore.Level
+ postFlagParse = []func(){}
+)
+
+func init() {
+ var err error
+ _ = err
+
+ // app
+ flag.StringVar(&httpAddr, "addr", os.Getenv("HTTP_ADDR"), "Server address")
+
+ // log
+ flag.StringVar(&logLevel, "log-level", os.Getenv("LOG_LEVEL"), "Log level")
+ qpostFlagParse(func() {
+ err := zapLogLevel.UnmarshalText([]byte(logLevel))
+ if err != nil {
+ zapLogLevel = zapcore.InfoLevel
+ }
+ })
+
+ // OBS
+ flag.StringVar(&defaultObsOpts.Endpoint, "obs-endpoint", os.Getenv("OBS_ENDPOINT"), "OBS host")
+ flag.StringVar(&defaultObsOpts.Region, "obs-region", os.Getenv("OBS_REGION"), "OBS region")
+ flag.BoolVar(&defaultObsOpts.Secure, "obs-secure", ok1(strconv.ParseBool(os.Getenv("OBS_SECURE"))), "OBS secure transport")
+ flag.StringVar(&defaultObsOpts.BucketName, "obs-bucket", os.Getenv("OBS_BUCKET_NAME"), "OBS bucket name")
+
+ flag.StringVar(&defaultObsOpts.HostRedirect, "obs-host-redirect", os.Getenv("OBS_HOST_REDIRECT"), "OBS host redirect")
+
+ // obsSignedUrlExpiry, err = time.ParseDuration(os.Getenv("OBS_SIGNED_URL_EXPIRY"))
+ // if err != nil {
+ // // max signed value
+ // obsSignedUrlExpiry = time.Duration(^uint64(0) / 2)
+ // }
+ // flag.DurationVar(&obsSignedUrlExpiry, "obs-signed-url-expiry", obsSignedUrlExpiry, "OBS ")
+}
+
+func qpostFlagParse(f func()) {
+ postFlagParse = append(postFlagParse, f)
+}
+func qpostFlagParseInvoke() {
+ for _, f := range postFlagParse {
+ f()
+ }
+}
+
+func main() {
+ flag.Parse()
+ qpostFlagParseInvoke()
+
+ zcfg := zap.NewProductionConfig()
+ zcfg.Level = zap.NewAtomicLevelAt(zapLogLevel)
+
+ logger := unwrap1(zcfg.Build())
+ defer logger.Sync()
+
+ sug := logger.Named("main").Sugar()
+ sug.Infow("starting",
+ "log_level", zapLogLevel,
+ "obs_endpoint",
defaultObsOpts.Endpoint,
+ "obs_host_redirect", defaultObsOpts.HostRedirect,
+ )
+
+ client := unwrap1(newObsClient(defaultObsOpts))
+ srv.Init(serverOptions{
+ Addr: httpAddr,
+ Logger: logger.Named("server"),
+ OBS: &defaultObsOpts,
+ S3: client,
+ })
+
+ srv.Run()
+}
diff --git a/obs.go b/obs.go
new file mode 100644
index 0000000..2ef2071
--- /dev/null
+++ b/obs.go
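Review bot: `ok1(strconv.ParseBool(os.Getenv("OBS_SECURE")))` in `init` turns an unset or misspelled `OBS_SECURE` into `false`, so the client silently falls back to plaintext HTTP towards the object store instead of reporting the bad setting. Default to TLS and fail fast on a malformed value so the only way to get plaintext is an explicit `false`, as sketched below. The same silent fallback exists for `LOG_LEVEL`; that one is harmless but deserves a one-line comment such as `// an unknown LOG_LEVEL falls back to info`. `var err error` followed by `_ = err` at the top of `init` is dead code left over from the commented-out expiry parsing and can be dropped.
```go
	// OBS
	// TLS unless explicitly disabled; a malformed OBS_SECURE aborts startup
	// rather than silently downgrading the transport.
	obsSecure := true
	if v := os.Getenv("OBS_SECURE"); v != "" {
		obsSecure = unwrap1(strconv.ParseBool(v))
	}
	flag.BoolVar(&defaultObsOpts.Secure, "obs-secure", obsSecure, "OBS secure transport")
	// … unchanged: remaining OBS flags …
```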
@@ -0,0 +1,102 @@
+package main
+
+import (
+ "context"
+ "io"
+ "net/http"
+ "net/url"
+ "reflect"
+ "unsafe"
+
+ "github.com/minio/minio-go/v7"
+ "github.com/minio/minio-go/v7/pkg/credentials"
+
+ _ "unsafe"
+)
+
+type obsOptions struct {
+ Endpoint string
+ Region string
+ Secure bool
+ BucketName string
+
+ HostRedirect string
+}
+
+var defaultObsOpts obsOptions
+
+func newObsClient(opts obsOptions) (*minio.Client, error) {
+ client, err := minio.New(opts.Endpoint, &minio.Options{
+ Creds: credentials.NewEnvAWS(),
+ BucketLookup: minio.BucketLookupAuto, // vhost / path
+ Region: opts.Region,
+ Secure: opts.Secure,
+ })
+ if err != nil {
+ return nil, err
+ }
+ setOverrideSignerType(client, credentials.SignatureV2)
+ return client, nil
+}
+
+var (
+ offsetCredsProvider uintptr
+ offsetOverrideSignerType uintptr
+)
+
+func init() {
+ vt := reflect.TypeOf(minio.Client{})
+ if field, ok := vt.FieldByName("credsProvider"); ok {
+ offsetCredsProvider = field.Offset
+ } else {
+ panic("cannot find credsProvider field")
+ }
+
+ if field, ok := vt.FieldByName("overrideSignerType"); ok {
+ offsetOverrideSignerType = field.Offset
+ } else {
+ panic("cannot find overrideSignerType field")
+ }
+}
+
+func getCredsProvider(client *minio.Client) *credentials.Credentials {
+ return *(**credentials.Credentials)(unsafe.Add(unsafe.Pointer(client), offsetCredsProvider))
+}
+
+func setOverrideSignerType(client *minio.Client, signerType credentials.SignatureType) {
+ ptr := (*credentials.SignatureType)(unsafe.Add(unsafe.Pointer(client), offsetOverrideSignerType))
+ *ptr = signerType
+}
+
+//go:linkname isVirtualHostStyleRequest github.com/minio/minio-go/v7.(*Client).isVirtualHostStyleRequest
+func isVirtualHostStyleRequest(client *minio.Client, url url.URL, bucketName string) bool
+
+//go:linkname makeTargetURL github.com/minio/minio-go/v7.(*Client).makeTargetURL
+func makeTargetURL(client *minio.Client, bucketName, objectName, bucketLocation string, isVirtualHostStyle bool,
queryValues url.Values) (*url.URL, error)
+
+// requestMetadata - is container for all the values to make a request.
+type requestMetadata struct {
+ // If set newRequest presigns the URL.
+ presignURL bool
+
+ // User supplied.
+ bucketName string
+ objectName string
+ queryValues url.Values
+ customHeader http.Header
+ extraPresignHeader http.Header
+ expires int64
+
+ // Generated by our internal code.
+ bucketLocation string
+ contentBody io.Reader
+ contentLength int64
+ contentMD5Base64 string // carries base64 encoded md5sum
+ contentSHA256Hex string // carries hex encoded sha256sum
+ streamSha256 bool
+ addCrc bool
+ trailer http.Header // (http.Request).Trailer. Requires v4 signature.
+}
+
+//go:linkname newRequest github.com/minio/minio-go/v7.(*Client).newRequest
+func newRequest(client *minio.Client, ctx context.Context, method string, metadata requestMetadata) (req *http.Request, err error)
diff --git a/obs_test.go b/obs_test.go
new file mode 100644
index 0000000..f7a2556
--- /dev/null
+++ b/obs_test.go
@@ -0,0 +1,29 @@
+package main
+
+import (
+ "fmt"
+ "net/http"
+ "strconv"
+ "testing"
+
+ "github.com/minio/minio-go/v7/pkg/s3utils"
+ "github.com/minio/minio-go/v7/pkg/signer"
+)
+
+func TestObsSignerV2(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, "/test/mk/603d83c0-5083-44b0-87cb-7030ef28c43f.jpg", nil)
+ if err != nil {
+ t.Fail()
+ }
+
+ exp := strconv.FormatInt(int64(^uint64(0)/2), 10) // ~250years
+ req.Header.Set("Expires", exp)
+ req.URL.RawQuery = ""
+ reqVal := signer.PreSignV2(*req, "asd", "asdasd", 0, true)
+ query := reqVal.URL.Query()
+ query.Set("Expires", exp)
+ reqVal.URL.RawQuery = s3utils.QueryEncode(query)
+
+ fmt.Println(reqVal.URL)
+
+}
diff --git a/server.go b/server.go
new file mode 100644
index 0000000..c5bf48d
--- /dev/null
+++ b/server.go
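Review bot: The `init` in obs.go checks only that `credsProvider` and `overrideSignerType` exist by name, not that their types are still `*credentials.Credentials` and `credentials.SignatureType`, so a minio-go upgrade that keeps the names but changes a type makes `getCredsProvider`/`setOverrideSignerType` read or write the wrong memory with no panic at all. Add a type guard beside each offset lookup, e.g. `if field.Type != reflect.TypeOf((*credentials.Credentials)(nil)) { panic("credsProvider has unexpected type") }` and the same with `reflect.TypeOf(credentials.SignatureType(0))` for the signer field. The `//go:linkname` bindings and the local `requestMetadata` copy have the same property — they are only correct while the struct matches minio-go's private one field for field — so a comment above `requestMetadata` naming the minio-go version it was copied from (the one pinned in go.mod) tells the next maintainer what to re-verify on upgrade. Forcing `credentials.SignatureV2` in `newObsClient` is presumably what makes the unbounded `Expires` in server.go possible (V4 presigning is capped at seven days); state that reason in a comment, because V2 is the older, weaker scheme and a reader would otherwise be tempted to "fix" it. `_ "unsafe"` duplicates the `"unsafe"` import a few lines above it and can be removed.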
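Review bot: `t.Fail()` after `http.NewRequest` in `TestObsSignerV2` does not stop the test, so a failed request construction continues into `req.Header.Set` on a nil `req` and panics; use `t.Fatalf("new request: %v", err)`. The test also asserts nothing — it only prints the presigned URL — so it cannot catch a regression in the `Expires` override it exercises. Replace the `fmt.Println` with checks such as `if got := reqVal.URL.Query().Get("Expires"); got != exp { t.Fatalf("Expires = %q, want %q", got, exp) }` plus a check that the `Signature` query value is non-empty.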
@@ -0,0 +1,146 @@
+package main
+
+import (
+ "bytes"
+ "net/http"
+ "net/url"
+ "strconv"
+ "time"
+
+ "github.com/minio/minio-go/v7"
+ "github.com/minio/minio-go/v7/pkg/s3utils"
+ "github.com/minio/minio-go/v7/pkg/signer"
+ "github.com/valyala/fasthttp"
+ "go.uber.org/zap"
+)
+
+var (
+ MethodGet = []byte(http.MethodGet)
+ MethodHead = []byte(http.MethodHead)
+)
+
+type serverOptions struct {
+ Addr string
+ Logger *zap.Logger
+ OBS *obsOptions
+
+ ObjectExpiry time.Duration
+
+ S3 *minio.Client
+}
+
+type server struct {
+ opts serverOptions
+ logger *zap.SugaredLogger
+}
+
+var srv server
+
+func (s *server) Init(opts serverOptions) {
+ s.opts = opts
+ s.logger = opts.Logger.Sugar()
+}
+
+func (s *server) reportError(ctx *fasthttp.RequestCtx, errType string, err any) {
+ s.logger.Errorw("handler error",
+ "kind", errType,
+ "err", err)
+ ctx.Response.Header.Set("x-error-code", errType)
+ switch errVal := err.(type) {
+ case []byte:
+ ctx.Response.Header.Set("x-error-message", unsafeByteSliceToString(errVal))
+ case string:
+ ctx.Response.Header.Set("x-error-message", errVal)
+ case error:
+ ctx.Response.Header.Set("x-error-message", errVal.Error())
+ default:
+ ctx.Response.Header.Set("x-error-message", "unknown error")
+ }
+}
+
+var (
+ ErrKind_ResourceNotFound = "OBS_RESOURCE_NOT_FOUND"
+ ErrKind_MethodNotAllowed = "OBS_METHOD_NOT_ALLOWED"
+ ErrKind_S3ComposeRequest = "S3_COMPOSE_REQUEST"
+ ErrKind_S3CredsProvider = "S3_CREDS_PROVIDER"
+)
+
+func (s *server) handle(ctx *fasthttp.RequestCtx) {
+ ctx.Response.Header.Set("server", "obs-access-signer")
+ isMethodGet := bytes.Equal(ctx.Method(), MethodGet)
+ isMethodHead := bytes.Equal(ctx.Method(), MethodHead)
+ if !isMethodGet && !isMethodHead {
+ ctx.SetStatusCode(http.StatusMethodNotAllowed)
+ s.reportError(ctx, ErrKind_MethodNotAllowed, "")
+ return
+ }
+
+ if isMethodHead {
+ // Doc: https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2-1
+ ctx.Response.Header.Set("Content-Length", "0")
+ }
+
+
bucketName := s.opts.OBS.BucketName
+ isVirtualHostStyle := isVirtualHostStyleRequest(s.opts.S3, *s.opts.S3.EndpointURL(), bucketName)
+
+ path := ctx.Path()
+ _path := bytes.TrimLeft(path, "/")
+ objectName := unsafeByteSliceToString(_path)
+ if _, _objectName, found := bytes.Cut(_path, []byte(bucketName)); !isVirtualHostStyle &&
+ bytes.HasPrefix(_path, []byte(bucketName)) &&
+ found {
+ _objectName = bytes.TrimLeft(_objectName, "/")
+ objectName = unsafeByteSliceToString(_objectName)
+ }
+
+ // check if we had acess to the object
+ if _, err := s.opts.S3.StatObject(ctx, bucketName, objectName, minio.GetObjectOptions{}); err != nil {
+ ctx.SetStatusCode(http.StatusNotFound)
+ s.reportError(ctx, ErrKind_ResourceNotFound, err)
+ return
+ }
+
+ // compose initial request
+ req, err := newRequest(s.opts.S3, ctx, http.MethodGet, requestMetadata{
+ presignURL: true,
+ bucketName: bucketName,
+ objectName: objectName,
+ expires: 1, // to trigger presigned generator
+ queryValues: url.Values{},
+ })
+ if err != nil {
+ ctx.SetStatusCode(http.StatusInternalServerError)
+ s.reportError(ctx, ErrKind_S3ComposeRequest, err)
+ return
+ }
+
+ // grab creds from provider
+ value, err := getCredsProvider(s.opts.S3).Get()
+ if err != nil {
+ ctx.SetStatusCode(http.StatusInternalServerError)
+ s.reportError(ctx, ErrKind_S3CredsProvider, err)
+ return
+ }
+
+ // clear given params, set max signed value for expire, and re-presign.
+ exp := strconv.FormatInt(int64(^uint64(0)/2), 10) // ~250years
+ req.Header.Set("Expires", exp)
+ req.URL.RawQuery = ""
+ req = signer.PreSignV2(*req, value.AccessKeyID, value.SecretAccessKey, 0, isVirtualHostStyle)
+
+ // re-encode query string with Expires hack.
+ query := req.URL.Query()
+ query.Set("Expires", exp)
+ req.URL.RawQuery = s3utils.QueryEncode(query)
+ if hostRedirect := s.opts.OBS.HostRedirect; hostRedirect != "" {
+ req.URL.Host = hostRedirect
+ }
+
+ ctx.Redirect(req.URL.String(), http.StatusMovedPermanently)
+}
+
+func (s *server) Run() {
+ s.logger.Infow("running server",
+ "addr", s.opts.Addr)
+ fasthttp.ListenAndServe(s.opts.Addr, s.handle)
+}
diff --git a/util.go b/util.go
new file mode 100644
index 0000000..02fe5d9
--- /dev/null
+++ b/util.go
@@ -0,0 +1,25 @@
+package main
+
+import "unsafe"
+
+func ok1[T any](res T, err error) T {
+ return res
+}
+
+func option1[T any](res T, err error) (T, bool) {
+ return res, err != nil
+}
+
+func unwrap0(err error) {
+ if err != nil {
+ panic(err)
+ }
+}
+func unwrap1[T any](res T, err error) T {
+ unwrap0(err)
+ return res
+}
+
+func unsafeByteSliceToString(b []byte) string {
+ return *(*string)(unsafe.Pointer(&b))
+}
diff --git a/util_test.go b/util_test.go
new file mode 100644
index 0000000..8c2fe52
--- /dev/null
+++ b/util_test.go
@@ -0,0 +1,13 @@
+package main
+
+import "testing"
+
+func TestUnsafeByteSliceToString(t *testing.T) {
+ exp := "foo bar"
+ act := unsafeByteSliceToString([]byte(exp))
+ if exp != act { // cmp str
+ t.Fail()
+ }
+ println(&exp, &act)
+ println(exp, act)
+}
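Review bot: The presigned URL is issued with `Expires` set to `int64(^uint64(0)/2)` (that is the maximum int64, far beyond the "~250years" the comment claims) and returned through a cacheable `301`, while `serverOptions.ObjectExpiry` is declared but never read, so every URL handed out stays valid until the access key itself is rotated. Derive the expiry from the option instead — `exp := strconv.FormatInt(time.Now().Add(s.opts.ObjectExpiry).Unix(), 10)` with a zero `ObjectExpiry` rejected in `Init` — and prefer `http.StatusFound` so proxies and browsers do not cache the signed location. `handle` performs no caller authentication, so anyone who can reach `Addr` obtains a signed URL for any object in the bucket; if that is intended because an authenticating proxy sits in front, record it in a doc comment on `server`. `Run` discards the `fasthttp.ListenAndServe` error, so a bind failure ends the process with exit status 0 and only the "running server" log line; `unwrap0(fasthttp.ListenAndServe(s.opts.Addr, s.handle))` matches the file's own helper. Note also that `signer.PreSignV2` receives only `AccessKeyID`/`SecretAccessKey`, so credentials that carry a session token (the commented-out `AWS_SESSION_TOKEN` in the env examples) would presumably yield URLs the backend rejects — worth a comment or a startup check on `value.SessionToken`.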
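Review bot: `option1` returns `err != nil` as its boolean, which is the inverse of the `v, ok` convention a caller will read it as — `option1(x, nil)` yields `(x, false)`. Return `err == nil` instead, `return res, err == nil`, or rename the result so the polarity is explicit. `ok1` discards the error entirely and is used in main.go for `OBS_SECURE`, where a parse error silently becomes the zero value, so a doc comment `// ok1 drops err and returns res unchanged (the zero value on failure); do not use it for security-relevant settings.` would steer callers. `unsafeByteSliceToString` aliases the caller's byte slice; in server.go that slice comes from `ctx.Path()`, a fasthttp buffer reused after the handler returns, so its doc comment should say the returned string must not outlive the request.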
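Review bot: The two `println` calls at the end of `TestUnsafeByteSliceToString` are leftover debugging output (they print the addresses of the string headers) and should be removed; `t.Fail()` without a message also leaves no diagnostic when the comparison fails, so `t.Fatalf("got %q, want %q", act, exp)` is more useful. A second case asserting `unsafeByteSliceToString(nil) == ""` would cover the empty-slice path the helper hits in server.go when the trimmed request path is empty.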