From: Peter Amstutz <peter.amstutz@curii.com>
Date: Mon, 30 Nov 2020 16:03:53 +0000 (-0500)
Subject: Merge branch '16774-keep-web-errors' refs #16774
X-Git-Tag: 2.2.0~205
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/c75f2e9b8a29bcdadcb092122f6d30e2930c08a3

Merge branch '16774-keep-web-errors' refs #16774

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>
---

c75f2e9b8a29bcdadcb092122f6d30e2930c08a3
diff --cc services/keep-web/s3.go
index 373fd9a25d,37fee37604..7fb90789a5
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@@ -186,9 -170,36 +186,36 @@@ func (h *handler) checks3signature(r *h
  	} else if expect != signature {
  		return "", fmt.Errorf("signature does not match (scope %q signedHeaders %q stringToSign %q)", scope, signedHeaders, stringToSign)
  	}
 -	return secret, nil
 +	return aca.TokenV2(), nil
  }
  
+ func s3ErrorResponse(w http.ResponseWriter, s3code string, message string, resource string, code int) {
+ 	w.Header().Set("Content-Type", "application/xml")
+ 	w.Header().Set("X-Content-Type-Options", "nosniff")
+ 	w.WriteHeader(code)
+ 	var errstruct struct {
+ 		Code      string
+ 		Message   string
+ 		Resource  string
+ 		RequestId string
+ 	}
+ 	errstruct.Code = s3code
+ 	errstruct.Message = message
+ 	errstruct.Resource = resource
+ 	errstruct.RequestId = ""
+ 	enc := xml.NewEncoder(w)
+ 	fmt.Fprint(w, xml.Header)
+ 	enc.EncodeElement(errstruct, xml.StartElement{Name: xml.Name{Local: "Error"}})
+ }
+ 
+ var NoSuchKey = "NoSuchKey"
+ var NoSuchBucket = "NoSuchBucket"
+ var InvalidArgument = "InvalidArgument"
+ var InternalError = "InternalError"
+ var UnauthorizedAccess = "UnauthorizedAccess"
+ var InvalidRequest = "InvalidRequest"
+ var SignatureDoesNotMatch = "SignatureDoesNotMatch"
+ 
  // serveS3 handles r and returns true if r is a request from an S3
  // client, otherwise it returns false.
  func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
@@@ -196,10 -207,10 +223,10 @@@
  	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "AWS ") {
  		split := strings.SplitN(auth[4:], ":", 2)
  		if len(split) < 2 {
- 			http.Error(w, "malformed Authorization header", http.StatusUnauthorized)
+ 			s3ErrorResponse(w, InvalidRequest, "malformed Authorization header", r.URL.Path, http.StatusUnauthorized)
  			return true
  		}
 -		token = split[0]
 +		token = unescapeKey(split[0])
  	} else if strings.HasPrefix(auth, s3SignAlgorithm+" ") {
  		t, err := h.checks3signature(r)
  		if err != nil {
@@@ -275,9 -279,10 +302,9 @@@
  		return true
  	case r.Method == http.MethodPut:
  		if !objectNameGiven {
- 			http.Error(w, "missing object name in PUT request", http.StatusBadRequest)
+ 			s3ErrorResponse(w, InvalidArgument, "Missing object name in PUT request.", r.URL.Path, http.StatusBadRequest)
  			return true
  		}
 -		fspath := "by_id" + r.URL.Path
  		var objectIsDir bool
  		if strings.HasSuffix(fspath, "/") {
  			if !h.Config.cluster.Collections.S3FolderObjects {
@@@ -369,9 -374,10 +396,9 @@@
  		return true
  	case r.Method == http.MethodDelete:
  		if !objectNameGiven || r.URL.Path == "/" {
- 			http.Error(w, "missing object name in DELETE request", http.StatusBadRequest)
+ 			s3ErrorResponse(w, InvalidArgument, "missing object name in DELETE request", r.URL.Path, http.StatusBadRequest)
  			return true
  		}
 -		fspath := "by_id" + r.URL.Path
  		if strings.HasSuffix(fspath, "/") {
  			fspath = strings.TrimSuffix(fspath, "/")
  			fi, err := fs.Stat(fspath)