diff --git a/cmd/console/server.go b/cmd/console/server.go index 530c0dee63..195473468b 100644 --- a/cmd/console/server.go +++ b/cmd/console/server.go @@ -130,9 +130,8 @@ func StartServer(ctx *cli.Context) error { server.Host = ctx.String("host") server.Port = ctx.Int("port") - - restapi.Hostname = ctx.String("host") - restapi.Port = strconv.Itoa(ctx.Int("port")) + restapi.Hostname = server.Host + restapi.Port = strconv.Itoa(server.Port) // Set all certs and CAs directories path certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get) @@ -149,21 +148,21 @@ func StartServer(ctx *cli.Context) error { // TLS flags from swagger server, used to support VMware vsphere operator version. swaggerServerCertificate := ctx.String("tls-certificate") swaggerServerCertificateKey := ctx.String("tls-key") - SwaggerServerCACertificate := ctx.String("tls-ca") + swaggerServerCACertificate := ctx.String("tls-ca") // load tls cert and key from swagger server tls-certificate and tls-key flags if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" { - if errAddCert := certs.AddCertificate(context.Background(), - restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil { - log.Println(errAddCert) + if err = certs.AddCertificate(context.Background(), + restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil { + log.Fatalln(err) } - if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil { + if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil { restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...) } } // load ca cert from swagger server tls-ca flag - if SwaggerServerCACertificate != "" { - caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate) + if swaggerServerCACertificate != "" { + caCert, caCertErr := ioutil.ReadFile(swaggerServerCACertificate) if caCertErr == nil { restapi.GlobalRootCAs.AppendCertsFromPEM(caCert) } @@ -175,9 +174,8 @@ func StartServer(ctx *cli.Context) error { // plain HTTP connections to HTTPS server server.EnabledListeners = []string{"http", "https"} server.TLSPort = ctx.Int("tls-port") - server.TLSHost = ctx.String("tls-host") // Need to store tls-port, tls-host un config variables so secure.middleware can read from there - restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port")) + restapi.TLSPort = strconv.Itoa(server.TLSPort) restapi.Hostname = ctx.String("host") restapi.TLSRedirect = ctx.String("tls-redirect") } diff --git a/pkg/auth/token.go b/pkg/auth/token.go index a0946a3529..7da8fa04ff 100644 --- a/pkg/auth/token.go +++ b/pkg/auth/token.go @@ -32,8 +32,8 @@ import ( "log" "net/http" "strings" + "time" - "github.com/go-openapi/swag" "github.com/minio/console/models" "github.com/minio/console/pkg/auth/token" "github.com/minio/minio-go/v7/pkg/credentials" @@ -43,8 +43,10 @@ import ( "golang.org/x/crypto/pbkdf2" ) +// Session token errors var ( - errNoAuthToken = errors.New("session token missing") + ErrNoAuthToken = errors.New("session token missing") + errTokenExpired = errors.New("session token has expired") errReadingToken = errors.New("session token internal data is malformed") errClaimsFormat = errors.New("encrypted session token claims not in the right format") errorGeneric = errors.New("an error has occurred") @@ -82,7 +84,7 @@ type TokenClaims struct { // } func SessionTokenAuthenticate(token string) (*TokenClaims, error) { if token == "" { - return nil, errNoAuthToken + return nil, ErrNoAuthToken } // decrypt encrypted token claimTokens, err := decryptClaims(token) @@ -289,25 +291,18 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) { // either defined on a cookie `token` or on Authorization header. // // Authorization Header needs to be like "Authorization Bearer " -func GetTokenFromRequest(r *http.Request) (*string, error) { - // Get Auth token - var reqToken string - +func GetTokenFromRequest(r *http.Request) (string, error) { // Token might come either as a Cookie or as a Header // if not set in cookie, check if it is set on Header. tokenCookie, err := r.Cookie("token") if err != nil { - headerToken := r.Header.Get("Authorization") - // reqToken should come as "Bearer " - splitHeaderToken := strings.Split(headerToken, "Bearer") - if len(splitHeaderToken) <= 1 { - return nil, errNoAuthToken - } - reqToken = strings.TrimSpace(splitHeaderToken[1]) - } else { - reqToken = strings.TrimSpace(tokenCookie.Value) + return "", ErrNoAuthToken + } + currentTime := time.Now() + if tokenCookie.Expires.After(currentTime) { + return "", errTokenExpired } - return swag.String(reqToken), nil + return strings.TrimSpace(tokenCookie.Value), nil } func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) { @@ -317,7 +312,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) { } // Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session // was used in the first place to get it - claims, err := SessionTokenAuthenticate(*sessionID) + claims, err := SessionTokenAuthenticate(sessionID) if err != nil { return nil, err } diff --git a/restapi/admin_info.go b/restapi/admin_info.go index 1f9b34dfec..90d46a7fa0 100644 --- a/restapi/admin_info.go +++ b/restapi/admin_info.go @@ -151,7 +151,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "time() - max(minio_node_process_starttime_seconds)", + Expr: `time() - max(minio_node_process_starttime_seconds{job="${jobid}"})`, LegendFormat: "{{instance}}", Step: 60, }, @@ -177,7 +177,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum by (instance) (minio_s3_traffic_received_bytes{job=\"minio-job\"})", + Expr: `sum by (instance) (minio_s3_traffic_received_bytes{job="${jobid}"})`, LegendFormat: "{{instance}}", Step: 60, }, @@ -203,7 +203,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "topk(1, sum(minio_cluster_capacity_usable_free_bytes) by (instance))", + Expr: `topk(1, sum(minio_cluster_capacity_usable_free_bytes{job="${jobid}"}) by (instance))`, LegendFormat: "", Step: 300, }, @@ -221,7 +221,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum(minio_bucket_usage_total_bytes) by (instance)", + Expr: `sum(minio_bucket_usage_total_bytes{job="${jobid}"}) by (instance)`, LegendFormat: "Used Capacity", }, }, @@ -245,7 +245,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "max by (range) (minio_bucket_objects_size_distribution)", + Expr: `max by (range) (minio_bucket_objects_size_distribution{job="${jobid}"})`, LegendFormat: "{{range}}", Step: 300, }, @@ -271,7 +271,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum (minio_node_file_descriptor_open_total)", + Expr: `sum(minio_node_file_descriptor_open_total{job="${jobid}"})`, LegendFormat: "", Step: 60, }, @@ -297,7 +297,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum by (instance) (minio_s3_traffic_sent_bytes{job=\"minio-job\"})", + Expr: `sum by (instance) (minio_s3_traffic_sent_bytes{job="${jobid}"})`, LegendFormat: "", Step: 60, }, @@ -323,7 +323,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum without (server,instance) (minio_node_go_routine_total)", + Expr: `sum without (server,instance) (minio_node_go_routine_total{job="${jobid}"})`, LegendFormat: "", Step: 60, }, @@ -349,7 +349,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_cluster_nodes_online_total", + Expr: `minio_cluster_nodes_online_total{job="${jobid}"}`, LegendFormat: "", Step: 60, }, @@ -375,7 +375,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_cluster_disk_online_total", + Expr: `minio_cluster_disk_online_total{job="${jobid}"}`, LegendFormat: "Total online disks in MinIO Cluster", Step: 60, }, @@ -401,7 +401,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "count(count by (bucket) (minio_bucket_usage_total_bytes))", + Expr: `count(count by (bucket) (minio_bucket_usage_total_bytes{job="${jobid}"}))`, LegendFormat: "", }, }, @@ -418,7 +418,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum by (server) (rate(minio_s3_traffic_received_bytes[$__interval]))", + Expr: `sum by (server) (rate(minio_s3_traffic_received_bytes{job="${jobid}"}[$__interval]))`, LegendFormat: "Data Received [{{server}}]", }, }, @@ -435,7 +435,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum by (server) (rate(minio_s3_traffic_sent_bytes[$__interval]))", + Expr: `sum by (server) (rate(minio_s3_traffic_sent_bytes{job="${jobid}"}[$__interval]))`, LegendFormat: "Data Sent [{{server}}]", }, }, @@ -460,7 +460,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_cluster_nodes_offline_total", + Expr: `minio_cluster_nodes_offline_total{job="${jobid}"}`, LegendFormat: "", Step: 60, }, @@ -486,7 +486,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_cluster_disk_offline_total", + Expr: `minio_cluster_disk_offline_total{job="${jobid}"}`, LegendFormat: "", Step: 60, }, @@ -512,7 +512,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "topk(1, sum(minio_bucket_usage_object_total) by (instance))", + Expr: `topk(1, sum(minio_bucket_usage_object_total{job="${jobid}"}) by (instance))`, LegendFormat: "", }, }, @@ -537,7 +537,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_heal_time_last_activity_nano_seconds", + Expr: `minio_heal_time_last_activity_nano_seconds{job="${jobid}"}`, LegendFormat: "{{server}}", Step: 60, }, @@ -563,7 +563,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_usage_last_activity_nano_seconds", + Expr: `minio_usage_last_activity_nano_seconds{job="${jobid}"}`, LegendFormat: "{{server}}", Step: 60, }, @@ -581,7 +581,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "sum by (server,api) (rate(minio_s3_requests_total[$__interval]))", + Expr: `sum by (server,api) (rate(minio_s3_requests_total{job="${jobid}"}[$__interval]))`, LegendFormat: "{{server,api}}", }, }, @@ -598,7 +598,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "rate(minio_s3_requests_errors_total[$__interval])", + Expr: `rate(minio_s3_requests_errors_total{job="${jobid}"}[$__interval])`, LegendFormat: "{{server,api}}", }, }, @@ -615,13 +615,13 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])", + Expr: `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`, LegendFormat: "Internode Bytes Received [{{server}}]", Step: 4, }, { - Expr: "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])", + Expr: `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`, LegendFormat: "Internode Bytes Received [{{server}}]", }, }, @@ -638,7 +638,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "rate(minio_node_process_cpu_total_seconds[$__interval])", + Expr: `rate(minio_node_process_cpu_total_seconds{job="${jobid}"}[$__interval])`, LegendFormat: "CPU Usage Rate [{{server}}]", }, }, @@ -655,7 +655,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_node_process_resident_memory_bytes", + Expr: `minio_node_process_resident_memory_bytes{job="${jobid}"}`, LegendFormat: "Memory Used [{{server}}]", }, }, @@ -672,7 +672,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_node_disk_used_bytes", + Expr: `minio_node_disk_used_bytes{job="${jobid}"}`, LegendFormat: "Used Capacity [{{server}}:{{disk}}]", }, }, @@ -689,7 +689,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_cluster_disk_free_inodes", + Expr: `minio_cluster_disk_free_inodes{job="${jobid}"}`, LegendFormat: "Free Inodes [{{server}}:{{disk}}]", }, }, @@ -706,13 +706,13 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "rate(minio_node_syscall_read_total[$__interval])", + Expr: `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`, LegendFormat: "Read Syscalls [{{server}}]", Step: 60, }, { - Expr: "rate(minio_node_syscall_read_total[$__interval])", + Expr: `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`, LegendFormat: "Read Syscalls [{{server}}]", }, }, @@ -729,7 +729,7 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "minio_node_file_descriptor_open_total", + Expr: `minio_node_file_descriptor_open_total{job="${jobid}"}`, LegendFormat: "Open FDs [{{server}}]", }, }, @@ -746,12 +746,12 @@ var widgets = []Metric{ }, Targets: []Target{ { - Expr: "rate(minio_node_io_rchar_bytes[$__interval])", + Expr: `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`, LegendFormat: "Node RChar [{{server}}]", }, { - Expr: "rate(minio_node_io_rchar_bytes[$__interval])", + Expr: `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`, LegendFormat: "Node RChar [{{server}}]", }, }, @@ -786,8 +786,6 @@ type LabelResults struct { Response LabelResponse } -var jobRegex = regexp.MustCompile(`(?m)\{[a-z]+\=\".*?\"\}`) - // getAdminInfoResponse returns the response containing total buckets, objects and usage. func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse, *models.Error) { prometheusURL := getPrometheusURL() @@ -846,6 +844,7 @@ func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse, func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (*models.WidgetDetails, *models.Error) { prometheusURL := getPrometheusURL() + prometheusJobID := getPrometheusJobID() labelResultsCh := make(chan LabelResults) @@ -858,14 +857,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) ( log.Println(err) return } - defer func() { - if err := resp.Body.Close(); err != nil { - log.Println(err) - } - }() - if resp.StatusCode != 200 { body, err := ioutil.ReadAll(resp.Body) + resp.Body.Close() if err != nil { log.Println(err) return @@ -878,7 +872,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) ( var response LabelResponse jd := json.NewDecoder(resp.Body) - if err = jd.Decode(&response); err != nil { + err = jd.Decode(&response) + resp.Body.Close() + if err != nil { log.Println(err) return } @@ -947,13 +943,8 @@ LabelsWaitLoop: } } - // replace the weird {job="asd"} in the exp - if strings.Contains(queryExpr, "job=") { - queryExpr = jobRegex.ReplaceAllString(queryExpr, "") - } - - endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", getPrometheusURL(), apiType, url.QueryEscape(queryExpr), extraParamters) - + queryExpr = strings.Replace(queryExpr, "${jobid}", prometheusJobID, -1) + endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", prometheusURL, apiType, url.QueryEscape(queryExpr), extraParamters) resp, err := http.Get(endpoint) if err != nil { log.Println(err) @@ -983,11 +974,6 @@ LabelsWaitLoop: log.Println(err) return } - //body, _ := ioutil.ReadAll(resp.Body) - //err = json.Unmarshal(body, &response) - //if err != nil { - // log.Println(err) - //} targetResult := models.ResultTarget{ LegendFormat: target.LegendFormat, @@ -1000,15 +986,6 @@ LabelsWaitLoop: }) } - //xx, err := json.Marshal(response) - //if err != nil { - // log.Println(err) - //} - //log.Println("----", m.Title) - //log.Println(string(body)) - //log.Println(string(xx)) - //log.Println("=====") - targetResults <- &targetResult }(target, params) diff --git a/restapi/admin_subscription.go b/restapi/admin_subscription.go index d35965b512..1353370e47 100644 --- a/restapi/admin_subscription.go +++ b/restapi/admin_subscription.go @@ -412,24 +412,22 @@ func RefreshLicense() error { if err != nil { return err } + if refreshedLicenseKey == "" { + return errors.New("license expired, please open a support ticket at https://subnet.min.io/") + } // store new license in memory for console ui LicenseKey = refreshedLicenseKey - // Update in memory license and update k8s secret - if refreshedLicenseKey != "" { - if acl.GetOperatorMode() { - ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) - defer cancel() - clientSet, err := cluster.K8sClient(saK8SToken) - if err != nil { - return err - } - k8sClient := k8sClient{ - client: clientSet, - } - if err = saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey); err != nil { - return err - } + if acl.GetOperatorMode() { + ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) + defer cancel() + clientSet, err := cluster.K8sClient(saK8SToken) + if err != nil { + return err + } + k8sClient := k8sClient{ + client: clientSet, } + return saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey) } return nil } diff --git a/restapi/config.go b/restapi/config.go index 1c340dcca3..29ce062e5d 100644 --- a/restapi/config.go +++ b/restapi/config.go @@ -22,7 +22,6 @@ import ( "net" "strconv" "strings" - "sync" "time" "github.com/minio/pkg/certs" @@ -53,14 +52,21 @@ var ( ) var ( - logSearchAPI string - logSearchURL string - prometheusURL string - consoleImage string - - once sync.Once + logSearchAPI string + logSearchURL string + prometheusURL string + prometheusJobID string + consoleImage string ) +func init() { + logSearchAPI = env.Get(LogSearchQueryAuthToken, "") + logSearchURL = env.Get(LogSearchURL, "http://localhost:8080") + prometheusURL = env.Get(PrometheusURL, "") + prometheusJobID = env.Get(PrometheusJobID, "minio-job") + consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion) +} + func getMinIOServer() string { return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000")) } @@ -238,26 +244,21 @@ func getSecureExpectCTHeader() string { } func getLogSearchAPIToken() string { - once.Do(func() { - initVars() - }) return logSearchAPI } func getLogSearchURL() string { - once.Do(func() { - initVars() - }) return logSearchURL } func getPrometheusURL() string { - once.Do(func() { - initVars() - }) return prometheusURL } +func getPrometheusJobID() string { + return prometheusJobID +} + // GetSubnetLicense returns the current subnet jwt license func GetSubnetLicense() string { // if we have a license key in memory return that @@ -269,13 +270,6 @@ func GetSubnetLicense() string { return LicenseKey } -func initVars() { - logSearchAPI = env.Get(LogSearchQueryAuthToken, "") - logSearchURL = env.Get(LogSearchURL, "http://localhost:8080") - prometheusURL = env.Get(PrometheusURL, "") - consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion) -} - var ( // GlobalRootCAs is CA root certificates, a nil value means system certs pool will be used GlobalRootCAs *x509.CertPool @@ -296,8 +290,5 @@ func getK8sSAToken() string { } func getConsoleImage() string { - once.Do(func() { - initVars() - }) return consoleImage } diff --git a/restapi/configure_console.go b/restapi/configure_console.go index 5e03f7562b..3df07d128f 100644 --- a/restapi/configure_console.go +++ b/restapi/configure_console.go @@ -21,7 +21,6 @@ package restapi import ( "bytes" "crypto/tls" - "fmt" "io" "io/fs" "log" @@ -169,13 +168,6 @@ func configureTLS(tlsConfig *tls.Config) { } } -// As soon as server is initialized but not run yet, this function will be called. -// If you need to modify a config, store server instance to stop it individually later, this is the place. -// This function can be called multiple times, depending on the number of serving schemes. -// scheme value will be set accordingly: "http", "https" or "unix" -func configureServer(s *http.Server, scheme, addr string) { -} - // The middleware configuration is for the handler executors. These do not apply to the swagger.json document. // The middleware executes after routing but before authentication, binding and validation func setupMiddlewares(handler http.Handler) http.Handler { @@ -215,30 +207,22 @@ func setupGlobalMiddleware(handler http.Handler) http.Handler { IsDevelopment: !getProductionMode(), } secureMiddleware := secure.New(secureOptions) - app := secureMiddleware.Handler(next) - return app + return secureMiddleware.Handler(next) } func AuthenticationMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // prioritize authorization header and skip - if r.Header.Get("Authorization") != "" { - next.ServeHTTP(w, r) + token, err := auth.GetTokenFromRequest(r) + if err != nil && err != auth.ErrNoAuthToken { + http.Error(w, err.Error(), http.StatusUnauthorized) return } - tokenCookie, err := r.Cookie("token") - if err != nil { - next.ServeHTTP(w, r) - return - } - currentTime := time.Now() - if tokenCookie.Expires.After(currentTime) { - next.ServeHTTP(w, r) - return - } - token := tokenCookie.Value + // All handlers handle appropriately to return errors + // based on their swagger rules, we do not need to + // additionally return error here, let the next ServeHTTPs + // handle it appropriately. if token != "" { - r.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token)) + r.Header.Add("Authorization", "Bearer "+token) } next.ServeHTTP(w, r) }) @@ -259,7 +243,6 @@ func FileServerMiddleware(next http.Handler) http.Handler { panic(err) } wrapHandlerSinglePageApplication(http.FileServer(http.FS(buildFs))).ServeHTTP(w, r) - } }) } diff --git a/restapi/consts.go b/restapi/consts.go index 160ed473c6..10dfd34ebc 100644 --- a/restapi/consts.go +++ b/restapi/consts.go @@ -52,6 +52,7 @@ const ( ConsoleOperatorConsoleImage = "CONSOLE_OPERATOR_CONSOLE_IMAGE" LogSearchURL = "CONSOLE_LOG_QUERY_URL" PrometheusURL = "CONSOLE_PROMETHEUS_URL" + PrometheusJobID = "CONSOLE_PROMETHEUS_JOB_ID" LogSearchQueryAuthToken = "LOGSEARCH_QUERY_AUTH_TOKEN" // Constants for prometheus annotations diff --git a/restapi/server.go b/restapi/server.go index 872d926e97..2ae6fa282a 100644 --- a/restapi/server.go +++ b/restapi/server.go @@ -38,9 +38,7 @@ import ( "time" "github.com/go-openapi/runtime/flagext" - "github.com/go-openapi/swag" flags "github.com/jessevdk/go-flags" - "golang.org/x/net/netutil" "github.com/minio/console/restapi/operations" ) @@ -48,7 +46,6 @@ import ( const ( schemeHTTP = "http" schemeHTTPS = "https" - schemeUnix = "unix" ) var defaultSchemes []string @@ -86,30 +83,19 @@ func (s *Server) ConfigureFlags() { // Server for the console API type Server struct { EnabledListeners []string `long:"scheme" description:"the listeners to enable, this can be repeated and defaults to the schemes in the swagger spec"` - CleanupTimeout time.Duration `long:"cleanup-timeout" description:"grace period for which to wait before killing idle connections" default:"10s"` GracefulTimeout time.Duration `long:"graceful-timeout" description:"grace period for which to wait before shutting down the server" default:"15s"` MaxHeaderSize flagext.ByteSize `long:"max-header-size" description:"controls the maximum number of bytes the server will read parsing the request header's keys and values, including the request line. It does not limit the size of the request body." default:"1MiB"` - SocketPath flags.Filename `long:"socket-path" description:"the unix socket to listen on" default:"/var/run/console.sock"` - domainSocketL net.Listener - - Host string `long:"host" description:"the IP to listen on" default:"localhost" env:"HOST"` - Port int `long:"port" description:"the port to listen on for insecure connections, defaults to a random value" env:"PORT"` - ListenLimit int `long:"listen-limit" description:"limit the number of outstanding requests"` - KeepAlive time.Duration `long:"keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)" default:"3m"` + Host string `long:"host" description:"the IP to listen on"` + Port int `long:"port" description:"the port to listen on for insecure connections, defaults to 9090"` ReadTimeout time.Duration `long:"read-timeout" description:"maximum duration before timing out read of the request" default:"30s"` WriteTimeout time.Duration `long:"write-timeout" description:"maximum duration before timing out write of the response" default:"60s"` httpServerL net.Listener - TLSHost string `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"` - TLSPort int `long:"tls-port" description:"the port to listen on for secure connections, defaults to a random value" env:"TLS_PORT"` - TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" env:"TLS_CERTIFICATE"` - TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections" env:"TLS_PRIVATE_KEY"` - TLSCACertificate flags.Filename `long:"tls-ca" description:"the certificate authority file to be used with mutual tls auth" env:"TLS_CA_CERTIFICATE"` - TLSListenLimit int `long:"tls-listen-limit" description:"limit the number of outstanding requests"` - TLSKeepAlive time.Duration `long:"tls-keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)"` - TLSReadTimeout time.Duration `long:"tls-read-timeout" description:"maximum duration before timing out read of the request"` - TLSWriteTimeout time.Duration `long:"tls-write-timeout" description:"maximum duration before timing out write of the response"` + TLSPort int `long:"tls-port" description:"the port to listen on for secure connections, defaults to 9443"` + TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections"` + TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections"` + TLSCACertificate flags.Filename `long:"tls-ca" description:"the certificate authority file to be used to trust MinIO server"` httpsServerL net.Listener api *operations.ConsoleAPI @@ -191,46 +177,13 @@ func (s *Server) Serve() (err error) { servers := []*http.Server{} - if s.hasScheme(schemeUnix) { - domainSocket := new(http.Server) - domainSocket.MaxHeaderBytes = int(s.MaxHeaderSize) - domainSocket.Handler = s.handler - if int64(s.CleanupTimeout) > 0 { - domainSocket.IdleTimeout = s.CleanupTimeout - } - - configureServer(domainSocket, "unix", string(s.SocketPath)) - - servers = append(servers, domainSocket) - wg.Add(1) - s.Logf("Serving console at unix://%s", s.SocketPath) - go func(l net.Listener) { - defer wg.Done() - if err := domainSocket.Serve(l); err != nil && err != http.ErrServerClosed { - s.Fatalf("%v", err) - } - s.Logf("Stopped serving console at unix://%s", s.SocketPath) - }(s.domainSocketL) - } - if s.hasScheme(schemeHTTP) { httpServer := new(http.Server) httpServer.MaxHeaderBytes = int(s.MaxHeaderSize) httpServer.ReadTimeout = s.ReadTimeout httpServer.WriteTimeout = s.WriteTimeout - httpServer.SetKeepAlivesEnabled(int64(s.KeepAlive) > 0) - if s.ListenLimit > 0 { - s.httpServerL = netutil.LimitListener(s.httpServerL, s.ListenLimit) - } - - if int64(s.CleanupTimeout) > 0 { - httpServer.IdleTimeout = s.CleanupTimeout - } - httpServer.Handler = s.handler - configureServer(httpServer, "http", s.httpServerL.Addr().String()) - servers = append(servers, httpServer) wg.Add(1) s.Logf("Serving console at http://%s", s.httpServerL.Addr()) @@ -246,15 +199,8 @@ func (s *Server) Serve() (err error) { if s.hasScheme(schemeHTTPS) { httpsServer := new(http.Server) httpsServer.MaxHeaderBytes = int(s.MaxHeaderSize) - httpsServer.ReadTimeout = s.TLSReadTimeout - httpsServer.WriteTimeout = s.TLSWriteTimeout - httpsServer.SetKeepAlivesEnabled(int64(s.TLSKeepAlive) > 0) - if s.TLSListenLimit > 0 { - s.httpsServerL = netutil.LimitListener(s.httpsServerL, s.TLSListenLimit) - } - if int64(s.CleanupTimeout) > 0 { - httpsServer.IdleTimeout = s.CleanupTimeout - } + httpsServer.ReadTimeout = s.ReadTimeout + httpsServer.WriteTimeout = s.WriteTimeout httpsServer.Handler = s.handler // Inspired by https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go @@ -307,7 +253,7 @@ func (s *Server) Serve() (err error) { // call custom TLS configurator configureTLS(httpsServer.TLSConfig) - if len(httpsServer.TLSConfig.Certificates) == 0 && httpsServer.TLSConfig.GetCertificate == nil { + if len(httpsServer.TLSConfig.Certificates) == 0 || httpsServer.TLSConfig.GetCertificate == nil { // after standard and custom config are passed, this ends up with no certificate if s.TLSCertificate == "" { if s.TLSCertificateKey == "" { @@ -325,8 +271,6 @@ func (s *Server) Serve() (err error) { // must have at least one certificate or panics httpsServer.TLSConfig.BuildNameToCertificate() - configureServer(httpsServer, "https", s.httpsServerL.Addr().String()) - servers = append(servers, httpsServer) wg.Add(1) s.Logf("Serving console at https://%s", s.httpsServerL.Addr()) @@ -340,7 +284,7 @@ func (s *Server) Serve() (err error) { } wg.Add(1) - go s.handleShutdown(wg, &servers) + go s.handleShutdown(wg, servers) wg.Wait() return nil @@ -352,65 +296,19 @@ func (s *Server) Listen() error { return nil } - if s.hasScheme(schemeHTTPS) { - // Use http host if https host wasn't defined - if s.TLSHost == "" { - s.TLSHost = s.Host - } - // Use http listen limit if https listen limit wasn't defined - if s.TLSListenLimit == 0 { - s.TLSListenLimit = s.ListenLimit - } - // Use http tcp keep alive if https tcp keep alive wasn't defined - if int64(s.TLSKeepAlive) == 0 { - s.TLSKeepAlive = s.KeepAlive - } - // Use http read timeout if https read timeout wasn't defined - if int64(s.TLSReadTimeout) == 0 { - s.TLSReadTimeout = s.ReadTimeout - } - // Use http write timeout if https write timeout wasn't defined - if int64(s.TLSWriteTimeout) == 0 { - s.TLSWriteTimeout = s.WriteTimeout - } - } - - if s.hasScheme(schemeUnix) { - domSockListener, err := net.Listen("unix", string(s.SocketPath)) - if err != nil { - return err - } - s.domainSocketL = domSockListener - } - + var err error if s.hasScheme(schemeHTTP) { - listener, err := net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port))) - if err != nil { - return err - } - - h, p, err := swag.SplitHostPort(listener.Addr().String()) + s.httpServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port))) if err != nil { return err } - s.Host = h - s.Port = p - s.httpServerL = listener } if s.hasScheme(schemeHTTPS) { - tlsListener, err := net.Listen("tcp", net.JoinHostPort(s.TLSHost, strconv.Itoa(s.TLSPort))) + s.httpsServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.TLSPort))) if err != nil { return err } - - sh, sp, err := swag.SplitHostPort(tlsListener.Addr().String()) - if err != nil { - return err - } - s.TLSHost = sh - s.TLSPort = sp - s.httpsServerL = tlsListener } s.hasListeners = true @@ -425,16 +323,14 @@ func (s *Server) Shutdown() error { return nil } -func (s *Server) handleShutdown(wg *sync.WaitGroup, serversPtr *[]*http.Server) { +func (s *Server) handleShutdown(wg *sync.WaitGroup, servers []*http.Server) { // wg.Done must occur last, after s.api.ServerShutdown() // (to preserve old behaviour) defer wg.Done() <-s.shutdown - servers := *serversPtr - - ctx, cancel := context.WithTimeout(context.TODO(), s.GracefulTimeout) + ctx, cancel := context.WithTimeout(context.Background(), s.GracefulTimeout) defer cancel() // first execute the pre-shutdown hook @@ -477,16 +373,6 @@ func (s *Server) SetHandler(handler http.Handler) { s.handler = handler } -// UnixListener returns the domain socket listener -func (s *Server) UnixListener() (net.Listener, error) { - if !s.hasListeners { - if err := s.Listen(); err != nil { - return nil, err - } - } - return s.domainSocketL, nil -} - // HTTPListener returns the http listener func (s *Server) HTTPListener() (net.Listener, error) { if !s.hasListeners {