gitea/vendor/github.com/minio/minio-go/v7/api-presigned.go

/*
 * MinIO Go Library for Amazon S3 Compatible Cloud Storage
 * Copyright 2015-2017 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package minio

import (
	"context"
	"errors"
	"net/http"
	"net/url"
	"time"

	"github.com/minio/minio-go/v7/pkg/s3utils"
	"github.com/minio/minio-go/v7/pkg/signer"
)

// presignURL - Returns a presigned URL for an input 'method'.
// Expires maximum is 7days - ie. 604800 and minimum is 1.
func (c Client) presignURL(ctx context.Context, method string, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {
	// Input validation.
	if method == "" {
		return nil, errInvalidArgument("method cannot be empty.")
	}
	if err = s3utils.CheckValidBucketName(bucketName); err != nil {
		return nil, err
	}
	if err = isValidExpiry(expires); err != nil {
		return nil, err
	}

	// Convert expires into seconds.
	expireSeconds := int64(expires / time.Second)
	reqMetadata := requestMetadata{
		presignURL:  true,
		bucketName:  bucketName,
		objectName:  objectName,
		expires:     expireSeconds,
		queryValues: reqParams,
	}

	// Instantiate a new request.
	// Since expires is set newRequest will presign the request.
	var req *http.Request
	if req, err = c.newRequest(ctx, method, reqMetadata); err != nil {
		return nil, err
	}
	return req.URL, nil
}

// PresignedGetObject - Returns a presigned URL to access an object
// data without credentials. URL can have a maximum expiry of
// upto 7days or a minimum of 1sec. Additionally you can override
// a set of response headers using the query parameters.
func (c Client) PresignedGetObject(ctx context.Context, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {
	if err = s3utils.CheckValidObjectName(objectName); err != nil {
		return nil, err
	}
	return c.presignURL(ctx, http.MethodGet, bucketName, objectName, expires, reqParams)
}

// PresignedHeadObject - Returns a presigned URL to access
// object metadata without credentials. URL can have a maximum expiry
// of upto 7days or a minimum of 1sec. Additionally you can override
// a set of response headers using the query parameters.
func (c Client) PresignedHeadObject(ctx context.Context, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {
	if err = s3utils.CheckValidObjectName(objectName); err != nil {
		return nil, err
	}
	return c.presignURL(ctx, http.MethodHead, bucketName, objectName, expires, reqParams)
}

// PresignedPutObject - Returns a presigned URL to upload an object
// without credentials. URL can have a maximum expiry of upto 7days
// or a minimum of 1sec.
func (c Client) PresignedPutObject(ctx context.Context, bucketName string, objectName string, expires time.Duration) (u *url.URL, err error) {
	if err = s3utils.CheckValidObjectName(objectName); err != nil {
		return nil, err
	}
	return c.presignURL(ctx, http.MethodPut, bucketName, objectName, expires, nil)
}

// Presign - returns a presigned URL for any http method of your choice
// along with custom request params. URL can have a maximum expiry of
// upto 7days or a minimum of 1sec.
func (c Client) Presign(ctx context.Context, method string, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {
	return c.presignURL(ctx, method, bucketName, objectName, expires, reqParams)
}

// PresignedPostPolicy - Returns POST urlString, form data to upload an object.
func (c Client) PresignedPostPolicy(ctx context.Context, p *PostPolicy) (u *url.URL, formData map[string]string, err error) {
	// Validate input arguments.
	if p.expiration.IsZero() {
		return nil, nil, errors.New("Expiration time must be specified")
	}
	if _, ok := p.formData["key"]; !ok {
		return nil, nil, errors.New("object key must be specified")
	}
	if _, ok := p.formData["bucket"]; !ok {
		return nil, nil, errors.New("bucket name must be specified")
	}

	bucketName := p.formData["bucket"]
	// Fetch the bucket location.
	location, err := c.getBucketLocation(ctx, bucketName)
	if err != nil {
		return nil, nil, err
	}

	isVirtualHost := c.isVirtualHostStyleRequest(*c.endpointURL, bucketName)

	u, err = c.makeTargetURL(bucketName, "", location, isVirtualHost, nil)
	if err != nil {
		return nil, nil, err
	}

	// Get credentials from the configured credentials provider.
	credValues, err := c.credsProvider.Get()
	if err != nil {
		return nil, nil, err
	}

	var (
		signerType      = credValues.SignerType
		sessionToken    = credValues.SessionToken
		accessKeyID     = credValues.AccessKeyID
		secretAccessKey = credValues.SecretAccessKey
	)

	if signerType.IsAnonymous() {
		return nil, nil, errInvalidArgument("Presigned operations are not supported for anonymous credentials")
	}

	// Keep time.
	t := time.Now().UTC()
	// For signature version '2' handle here.
	if signerType.IsV2() {
		policyBase64 := p.base64()
		p.formData["policy"] = policyBase64
		// For Google endpoint set this value to be 'GoogleAccessId'.
		if s3utils.IsGoogleEndpoint(*c.endpointURL) {
			p.formData["GoogleAccessId"] = accessKeyID
		} else {
			// For all other endpoints set this value to be 'AWSAccessKeyId'.
			p.formData["AWSAccessKeyId"] = accessKeyID
		}
		// Sign the policy.
		p.formData["signature"] = signer.PostPresignSignatureV2(policyBase64, secretAccessKey)
		return u, p.formData, nil
	}

	// Add date policy.
	if err = p.addNewPolicy(policyCondition{
		matchType: "eq",
		condition: "$x-amz-date",
		value:     t.Format(iso8601DateFormat),
	}); err != nil {
		return nil, nil, err
	}

	// Add algorithm policy.
	if err = p.addNewPolicy(policyCondition{
		matchType: "eq",
		condition: "$x-amz-algorithm",
		value:     signV4Algorithm,
	}); err != nil {
		return nil, nil, err
	}

	// Add a credential policy.
	credential := signer.GetCredential(accessKeyID, location, t, signer.ServiceTypeS3)
	if err = p.addNewPolicy(policyCondition{
		matchType: "eq",
		condition: "$x-amz-credential",
		value:     credential,
	}); err != nil {
		return nil, nil, err
	}

	if sessionToken != "" {
		if err = p.addNewPolicy(policyCondition{
			matchType: "eq",
			condition: "$x-amz-security-token",
			value:     sessionToken,
		}); err != nil {
			return nil, nil, err
		}
	}

	// Get base64 encoded policy.
	policyBase64 := p.base64()

	// Fill in the form data.
	p.formData["policy"] = policyBase64
	p.formData["x-amz-algorithm"] = signV4Algorithm
	p.formData["x-amz-credential"] = credential
	p.formData["x-amz-date"] = t.Format(iso8601DateFormat)
	if sessionToken != "" {
		p.formData["x-amz-security-token"] = sessionToken
	}
	p.formData["x-amz-signature"] = signer.PostPresignSignatureV4(policyBase64, t, secretAccessKey, location)
	return u, p.formData, nil
}
Add a storage layer for attachments (#11387) * Add a storage layer for attachments * Fix some bug * fix test * Fix copyright head and lint * Fix bug * Add setting for minio and flags for migrate-storage * Add documents * fix lint * Add test for minio store type on attachments * fix test * fix test * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Add warning when storage migrated successfully * Fix drone * fix test * rebase * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * remove log on xorm * Fi download bug * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * Add URL function to serve attachments directly from S3/Minio * Add ability to enable/disable redirection in attachment configuration * Fix typo * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * don't change unrelated files * Fix lint * Fix build * update go.mod and go.sum * Use github.com/minio/minio-go/v6 * Remove unused function * Upgrade minio to v7 and some other improvements * fix lint * Fix go mod Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: Tyler <tystuyfzand@gmail.com> 4 years ago			`/*`
			`* MinIO Go Library for Amazon S3 Compatible Cloud Storage`
			`* Copyright 2015-2017 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package minio`

			`import (`
			`"context"`
			`"errors"`
			`"net/http"`
			`"net/url"`
			`"time"`

			`"github.com/minio/minio-go/v7/pkg/s3utils"`
			`"github.com/minio/minio-go/v7/pkg/signer"`
			`)`

			`// presignURL - Returns a presigned URL for an input 'method'.`
			`// Expires maximum is 7days - ie. 604800 and minimum is 1.`
			`func (c Client) presignURL(ctx context.Context, method string, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {`
			`// Input validation.`
			`if method == "" {`
			`return nil, errInvalidArgument("method cannot be empty.")`
			`}`
			`if err = s3utils.CheckValidBucketName(bucketName); err != nil {`
			`return nil, err`
			`}`
			`if err = isValidExpiry(expires); err != nil {`
			`return nil, err`
			`}`

			`// Convert expires into seconds.`
			`expireSeconds := int64(expires / time.Second)`
			`reqMetadata := requestMetadata{`
			`presignURL: true,`
			`bucketName: bucketName,`
			`objectName: objectName,`
			`expires: expireSeconds,`
			`queryValues: reqParams,`
			`}`

			`// Instantiate a new request.`
			`// Since expires is set newRequest will presign the request.`
			`var req *http.Request`
			`if req, err = c.newRequest(ctx, method, reqMetadata); err != nil {`
			`return nil, err`
			`}`
			`return req.URL, nil`
			`}`

			`// PresignedGetObject - Returns a presigned URL to access an object`
			`// data without credentials. URL can have a maximum expiry of`
			`// upto 7days or a minimum of 1sec. Additionally you can override`
			`// a set of response headers using the query parameters.`
			`func (c Client) PresignedGetObject(ctx context.Context, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {`
			`if err = s3utils.CheckValidObjectName(objectName); err != nil {`
			`return nil, err`
			`}`
			`return c.presignURL(ctx, http.MethodGet, bucketName, objectName, expires, reqParams)`
			`}`

			`// PresignedHeadObject - Returns a presigned URL to access`
			`// object metadata without credentials. URL can have a maximum expiry`
			`// of upto 7days or a minimum of 1sec. Additionally you can override`
			`// a set of response headers using the query parameters.`
			`func (c Client) PresignedHeadObject(ctx context.Context, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {`
			`if err = s3utils.CheckValidObjectName(objectName); err != nil {`
			`return nil, err`
			`}`
			`return c.presignURL(ctx, http.MethodHead, bucketName, objectName, expires, reqParams)`
			`}`

			`// PresignedPutObject - Returns a presigned URL to upload an object`
			`// without credentials. URL can have a maximum expiry of upto 7days`
			`// or a minimum of 1sec.`
			`func (c Client) PresignedPutObject(ctx context.Context, bucketName string, objectName string, expires time.Duration) (u *url.URL, err error) {`
			`if err = s3utils.CheckValidObjectName(objectName); err != nil {`
			`return nil, err`
			`}`
			`return c.presignURL(ctx, http.MethodPut, bucketName, objectName, expires, nil)`
			`}`

			`// Presign - returns a presigned URL for any http method of your choice`
			`// along with custom request params. URL can have a maximum expiry of`
			`// upto 7days or a minimum of 1sec.`
			`func (c Client) Presign(ctx context.Context, method string, bucketName string, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) {`
			`return c.presignURL(ctx, method, bucketName, objectName, expires, reqParams)`
			`}`

			`// PresignedPostPolicy - Returns POST urlString, form data to upload an object.`
			`func (c Client) PresignedPostPolicy(ctx context.Context, p PostPolicy) (u url.URL, formData map[string]string, err error) {`
			`// Validate input arguments.`
			`if p.expiration.IsZero() {`
			`return nil, nil, errors.New("Expiration time must be specified")`
			`}`
			`if _, ok := p.formData["key"]; !ok {`
			`return nil, nil, errors.New("object key must be specified")`
			`}`
			`if _, ok := p.formData["bucket"]; !ok {`
			`return nil, nil, errors.New("bucket name must be specified")`
			`}`

			`bucketName := p.formData["bucket"]`
			`// Fetch the bucket location.`
			`location, err := c.getBucketLocation(ctx, bucketName)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`isVirtualHost := c.isVirtualHostStyleRequest(*c.endpointURL, bucketName)`

			`u, err = c.makeTargetURL(bucketName, "", location, isVirtualHost, nil)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// Get credentials from the configured credentials provider.`
			`credValues, err := c.credsProvider.Get()`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`var (`
			`signerType = credValues.SignerType`
			`sessionToken = credValues.SessionToken`
			`accessKeyID = credValues.AccessKeyID`
			`secretAccessKey = credValues.SecretAccessKey`
			`)`

			`if signerType.IsAnonymous() {`
			`return nil, nil, errInvalidArgument("Presigned operations are not supported for anonymous credentials")`
			`}`

			`// Keep time.`
			`t := time.Now().UTC()`
			`// For signature version '2' handle here.`
			`if signerType.IsV2() {`
			`policyBase64 := p.base64()`
			`p.formData["policy"] = policyBase64`
			`// For Google endpoint set this value to be 'GoogleAccessId'.`
			`if s3utils.IsGoogleEndpoint(*c.endpointURL) {`
			`p.formData["GoogleAccessId"] = accessKeyID`
			`} else {`
			`// For all other endpoints set this value to be 'AWSAccessKeyId'.`
			`p.formData["AWSAccessKeyId"] = accessKeyID`
			`}`
			`// Sign the policy.`
			`p.formData["signature"] = signer.PostPresignSignatureV2(policyBase64, secretAccessKey)`
			`return u, p.formData, nil`
			`}`

			`// Add date policy.`
			`if err = p.addNewPolicy(policyCondition{`
			`matchType: "eq",`
			`condition: "$x-amz-date",`
			`value: t.Format(iso8601DateFormat),`
			`}); err != nil {`
			`return nil, nil, err`
			`}`

			`// Add algorithm policy.`
			`if err = p.addNewPolicy(policyCondition{`
			`matchType: "eq",`
			`condition: "$x-amz-algorithm",`
			`value: signV4Algorithm,`
			`}); err != nil {`
			`return nil, nil, err`
			`}`

			`// Add a credential policy.`
			`credential := signer.GetCredential(accessKeyID, location, t, signer.ServiceTypeS3)`
			`if err = p.addNewPolicy(policyCondition{`
			`matchType: "eq",`
			`condition: "$x-amz-credential",`
			`value: credential,`
			`}); err != nil {`
			`return nil, nil, err`
			`}`

			`if sessionToken != "" {`
			`if err = p.addNewPolicy(policyCondition{`
			`matchType: "eq",`
			`condition: "$x-amz-security-token",`
			`value: sessionToken,`
			`}); err != nil {`
			`return nil, nil, err`
			`}`
			`}`

			`// Get base64 encoded policy.`
			`policyBase64 := p.base64()`

			`// Fill in the form data.`
			`p.formData["policy"] = policyBase64`
			`p.formData["x-amz-algorithm"] = signV4Algorithm`
			`p.formData["x-amz-credential"] = credential`
			`p.formData["x-amz-date"] = t.Format(iso8601DateFormat)`
			`if sessionToken != "" {`
			`p.formData["x-amz-security-token"] = sessionToken`
			`}`
			`p.formData["x-amz-signature"] = signer.PostPresignSignatureV4(policyBase64, t, secretAccessKey, location)`
			`return u, p.formData, nil`
			`}`