350 lines
9.0 KiB
Go
350 lines
9.0 KiB
Go
// This file is part of MinIO Console Server
|
|
// Copyright (c) 2021 MinIO, Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package operatorapi
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha1"
|
|
"crypto/tls"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net/http"
|
|
"net/http/cookiejar"
|
|
url2 "net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gorilla/websocket"
|
|
|
|
v2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"github.com/minio/console/cluster"
|
|
|
|
"github.com/minio/console/pkg/auth"
|
|
)
|
|
|
|
func serveProxy(responseWriter http.ResponseWriter, req *http.Request) {
|
|
urlParts := strings.Split(req.URL.Path, "/")
|
|
// Either proxy or hop, will decide the type of session
|
|
proxyMethod := urlParts[2]
|
|
|
|
if len(urlParts) < 5 {
|
|
log.Println(len(urlParts))
|
|
return
|
|
}
|
|
namespace := urlParts[3]
|
|
tenantName := urlParts[4]
|
|
|
|
// validate the tenantName
|
|
|
|
token, err := auth.GetTokenFromRequest(req)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(401)
|
|
return
|
|
}
|
|
claims, err := auth.SessionTokenAuthenticate(token)
|
|
if err != nil {
|
|
log.Printf("Unable to validate the session token %s: %v\n", token, err)
|
|
responseWriter.WriteHeader(401)
|
|
|
|
return
|
|
}
|
|
|
|
STSSessionToken := claims.STSSessionToken
|
|
|
|
opClientClientSet, err := cluster.OperatorClient(STSSessionToken)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(404)
|
|
return
|
|
}
|
|
opClient := operatorClient{
|
|
client: opClientClientSet,
|
|
}
|
|
tenant, err := opClient.TenantGet(req.Context(), namespace, tenantName, metav1.GetOptions{})
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(502)
|
|
return
|
|
}
|
|
|
|
nsTenant := fmt.Sprintf("%s/%s", tenant.Namespace, tenant.Name)
|
|
|
|
tenantSchema := "http"
|
|
tenantPort := fmt.Sprintf(":%d", v2.ConsolePort)
|
|
if tenant.AutoCert() || tenant.ExternalCert() {
|
|
tenantSchema = "https"
|
|
tenantPort = fmt.Sprintf(":%d", v2.ConsoleTLSPort)
|
|
}
|
|
|
|
tenantURL := fmt.Sprintf("%s://%s.%s.svc.%s%s", tenantSchema, tenant.ConsoleCIServiceName(), tenant.Namespace, v2.GetClusterDomain(), tenantPort)
|
|
// for development
|
|
//tenantURL = "http://localhost:9091"
|
|
//tenantURL = "https://localhost:9443"
|
|
|
|
h := sha1.New()
|
|
h.Write([]byte(nsTenant))
|
|
tenantCookieName := fmt.Sprintf("token-%s-%s-%x", proxyMethod, claims.AccountAccessKey, string(h.Sum(nil)))
|
|
tenantCookie, err := req.Cookie(tenantCookieName)
|
|
if err != nil {
|
|
// login to tenantName
|
|
loginURL := fmt.Sprintf("%s/api/v1/login", tenantURL)
|
|
|
|
// get the tenant credentials
|
|
clientSet, err := cluster.K8sClient(STSSessionToken)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
k8sClient := k8sClient{
|
|
client: clientSet,
|
|
}
|
|
tenantConfiguration, err := GetTenantConfiguration(req.Context(), &k8sClient, tenant)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
data := map[string]interface{}{
|
|
"accessKey": tenantConfiguration["accesskey"],
|
|
"secretKey": tenantConfiguration["secretkey"],
|
|
}
|
|
// if this a proxy request hide the menu
|
|
if proxyMethod == "proxy" {
|
|
data["features"] = map[string]bool{
|
|
"hide_menu": true,
|
|
}
|
|
}
|
|
payload, _ := json.Marshal(data)
|
|
|
|
loginReq, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewReader(payload))
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
loginReq.Header.Add("Content-Type", "application/json")
|
|
|
|
// FIXME: in the future we should use restapi.GetConsoleHTTPClient()
|
|
tr := &http.Transport{
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
}
|
|
client := &http.Client{Transport: tr}
|
|
|
|
loginResp, err := client.Do(loginReq)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
if loginResp.StatusCode < 200 && loginResp.StatusCode <= 299 {
|
|
log.Println(fmt.Printf("Status: %d. Couldn't complete login", loginResp.StatusCode))
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
for _, c := range loginResp.Cookies() {
|
|
if c.Name == "token" {
|
|
tenantCookie = c
|
|
c := &http.Cookie{
|
|
Name: tenantCookieName,
|
|
Value: c.Value,
|
|
Path: c.Path,
|
|
Expires: c.Expires,
|
|
HttpOnly: c.HttpOnly,
|
|
}
|
|
|
|
http.SetCookie(responseWriter, c)
|
|
break
|
|
}
|
|
}
|
|
defer loginResp.Body.Close()
|
|
}
|
|
|
|
if tenantCookie == nil {
|
|
log.Println(errors.New("couldn't login to tenant and get cookie"))
|
|
responseWriter.WriteHeader(403)
|
|
return
|
|
}
|
|
// at this point we have a valid cookie ready to either route HTTP or WS
|
|
// now we need to know if we are doing an /api/ call (http) or /ws/ call (ws)
|
|
callType := urlParts[5]
|
|
|
|
targetURL, err := url2.Parse(tenantURL)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
tenantBase := fmt.Sprintf("/api/%s/%s/%s", proxyMethod, tenant.Namespace, tenant.Name)
|
|
targetURL.Path = strings.Replace(req.URL.Path, tenantBase, "", -1)
|
|
|
|
proxiedCookie := &http.Cookie{
|
|
Name: "token",
|
|
Value: tenantCookie.Value,
|
|
Path: tenantCookie.Path,
|
|
Expires: tenantCookie.Expires,
|
|
HttpOnly: tenantCookie.HttpOnly,
|
|
}
|
|
|
|
proxyCookieJar, _ := cookiejar.New(nil)
|
|
proxyCookieJar.SetCookies(targetURL, []*http.Cookie{proxiedCookie})
|
|
switch callType {
|
|
case "ws":
|
|
handleWSRequest(responseWriter, req, proxyCookieJar, targetURL, tenantSchema)
|
|
default:
|
|
handleHTTPRequest(responseWriter, req, proxyCookieJar, tenantBase, targetURL)
|
|
}
|
|
|
|
}
|
|
|
|
func handleHTTPRequest(responseWriter http.ResponseWriter, req *http.Request, proxyCookieJar *cookiejar.Jar, tenantBase string, targetURL *url2.URL) {
|
|
tr := &http.Transport{
|
|
// FIXME: use restapi.GetConsoleHTTPClient()
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
}
|
|
client := &http.Client{Transport: tr,
|
|
Jar: proxyCookieJar,
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
return http.ErrUseLastResponse
|
|
}}
|
|
|
|
// are we proxying something with cp=y? (console proxy) then add cpb (console proxy base) so the console
|
|
// on the other side updates the <base href="" /> to this value overriding sub path or root
|
|
if v := req.URL.Query().Get("cp"); v == "y" {
|
|
q := req.URL.Query()
|
|
q.Add("cpb", tenantBase)
|
|
req.URL.RawQuery = q.Encode()
|
|
}
|
|
// copy query params
|
|
targetURL.RawQuery = req.URL.Query().Encode()
|
|
|
|
proxRequest, err := http.NewRequest(req.Method, targetURL.String(), req.Body)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
for _, v := range req.Header.Values("Content-Type") {
|
|
proxRequest.Header.Add("Content-Type", v)
|
|
}
|
|
|
|
resp, err := client.Do(proxRequest)
|
|
if err != nil {
|
|
log.Println(err)
|
|
responseWriter.WriteHeader(500)
|
|
return
|
|
}
|
|
|
|
for hk, hv := range resp.Header {
|
|
if hk != "X-Frame-Options" {
|
|
for _, v := range hv {
|
|
responseWriter.Header().Add(hk, v)
|
|
}
|
|
}
|
|
}
|
|
// Allow iframes
|
|
responseWriter.Header().Set("X-Frame-Options", "SAMEORIGIN")
|
|
responseWriter.Header().Set("X-XSS-Protection", "1; mode=block")
|
|
// Pass HTTP status code to proxy response
|
|
responseWriter.WriteHeader(resp.StatusCode)
|
|
|
|
io.Copy(responseWriter, resp.Body)
|
|
}
|
|
|
|
var upgrader = websocket.Upgrader{
|
|
ReadBufferSize: 0,
|
|
WriteBufferSize: 1024,
|
|
}
|
|
|
|
func handleWSRequest(responseWriter http.ResponseWriter, req *http.Request, proxyCookieJar *cookiejar.Jar, targetURL *url2.URL, schema string) {
|
|
dialer := &websocket.Dialer{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
HandshakeTimeout: 45 * time.Second,
|
|
Jar: proxyCookieJar,
|
|
}
|
|
|
|
upgrader.CheckOrigin = func(r *http.Request) bool {
|
|
return true
|
|
}
|
|
|
|
c, err := upgrader.Upgrade(responseWriter, req, nil)
|
|
if err != nil {
|
|
log.Print("error upgrade connection:", err)
|
|
return
|
|
}
|
|
defer c.Close()
|
|
if schema == "http" {
|
|
targetURL.Scheme = "ws"
|
|
} else {
|
|
targetURL.Scheme = "wss"
|
|
}
|
|
|
|
// establish a websocket to the tenant
|
|
tenantConn, _, err := dialer.Dial(targetURL.String(), nil)
|
|
if err != nil {
|
|
log.Println("dial:", err)
|
|
return
|
|
}
|
|
defer tenantConn.Close()
|
|
|
|
doneTenant := make(chan struct{})
|
|
done := make(chan struct{})
|
|
|
|
// start read pump from tenant connection
|
|
go func() {
|
|
defer close(doneTenant)
|
|
for {
|
|
msgType, message, err := tenantConn.ReadMessage()
|
|
if err != nil {
|
|
log.Println("error read from tenant:", err)
|
|
return
|
|
}
|
|
c.WriteMessage(msgType, message)
|
|
}
|
|
}()
|
|
|
|
// start read pump from tenant connection
|
|
go func() {
|
|
defer close(done)
|
|
for {
|
|
msgType, message, err := c.ReadMessage()
|
|
if err != nil {
|
|
log.Println("error read from client:", err)
|
|
return
|
|
}
|
|
tenantConn.WriteMessage(msgType, message)
|
|
}
|
|
}()
|
|
|
|
select {
|
|
case <-done:
|
|
case <-doneTenant:
|
|
}
|
|
}
|