s3/iam: reuse one request id per request (#8538)
* request_id: add shared request middleware
* s3err: preserve request ids in responses and logs
* iam: reuse request ids in XML responses
* sts: reuse request ids in XML responses
* request_id: drop legacy header fallback
* request_id: use AWS-style request id format
* iam: fix AWS-compatible XML format for ErrorResponse and field ordering
- ErrorResponse uses bare <RequestId> at root level instead of
<ResponseMetadata> wrapper, matching the AWS IAM error response spec
- Move CommonResponse to last field in success response structs so
<ResponseMetadata> serializes after result elements
- Add randomness to request ID generation to avoid collisions
- Add tests for XML ordering and ErrorResponse format
* iam: remove duplicate error_response_test.go
Test is already covered by responses_test.go.
* address PR review comments
- Guard against typed nil pointers in SetResponseRequestID before
interface assertion (CodeRabbit)
- Use regexp instead of strings.Index in test helpers for extracting
request IDs (Gemini)
* request_id: prevent spoofing, fix nil-error branch, thread reqID to error writers
- Ensure() now always generates a server-side ID, ignoring client-sent
x-amz-request-id headers to prevent request ID spoofing. Uses a
private context key (contextKey{}) instead of the header string.
- writeIamErrorResponse in both iamapi and embedded IAM now accepts
reqID as a parameter instead of calling Ensure() internally, ensuring
a single request ID per request lifecycle.
- The nil-iamError branch in writeIamErrorResponse now writes a 500
Internal Server Error response instead of returning silently.
- Updated tests to set request IDs via context (not headers) and added
tests for spoofing prevention and context reuse.
* sts: add request-id consistency assertions to ActionInBody tests
* test: update admin test to expect server-generated request IDs
The test previously sent a client x-amz-request-id header and expected
it echoed back. Since Ensure() now ignores client headers to prevent
spoofing, update the test to verify the server returns a non-empty
server-generated request ID instead.
* iam: add generic WithRequestID helper alongside reflection-based fallback
Add WithRequestID[T] that uses generics to take the address of a value
type, satisfying the pointer receiver on SetRequestId without reflection.
The existing SetResponseRequestID is kept for the two call sites that
operate on interface{} (from large action switches where the concrete
type varies at runtime). Generics cannot replace reflection there since
Go cannot infer type parameters from interface{}.
* Remove reflection and generics from request ID setting
Call SetRequestId directly on concrete response types in each switch
branch before boxing into interface{}, eliminating the need for
WithRequestID (generics) and SetResponseRequestID (reflection).
* iam: return pointer responses in action dispatch
* Fix IAM error handling consistency and ensure request IDs on all responses
- UpdateUser/CreatePolicy error branches: use writeIamErrorResponse instead
of s3err.WriteErrorResponse to preserve IAM formatting and request ID
- ExecuteAction: accept reqID parameter and generate one if empty, ensuring
every response carries a RequestId regardless of caller
* Clean up inline policies on DeleteUser and UpdateUser rename
DeleteUser: remove InlinePolicies[userName] from policy storage before
removing the identity, so policies are not orphaned.
UpdateUser: move InlinePolicies[userName] to InlinePolicies[newUserName]
when renaming, so GetUserPolicy/DeleteUserPolicy work under the new name.
Both operations persist the updated policies and return an error if
the storage write fails, preventing partial state.
This commit is contained in:
Chris Lu
@@ -2,20 +2,25 @@ package request_id
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
|
||||
const AmzRequestIDHeader = "x-amz-request-id"
|
||||
|
||||
type contextKey struct{}
|
||||
|
||||
func Set(ctx context.Context, id string) context.Context {
|
||||
return context.WithValue(ctx, AmzRequestIDHeader, id)
|
||||
return context.WithValue(ctx, contextKey{}, id)
|
||||
}
|
||||
|
||||
func Get(ctx context.Context) string {
|
||||
if ctx == nil {
|
||||
return ""
|
||||
}
|
||||
id, _ := ctx.Value(AmzRequestIDHeader).(string)
|
||||
id, _ := ctx.Value(contextKey{}).(string)
|
||||
return id
|
||||
}
|
||||
|
||||
@@ -24,3 +29,42 @@ func InjectToRequest(ctx context.Context, req *http.Request) {
|
||||
req.Header.Set(AmzRequestIDHeader, Get(ctx))
|
||||
}
|
||||
}
|
||||
|
||||
func New() string {
|
||||
var buf [4]byte
|
||||
rand.Read(buf[:])
|
||||
return fmt.Sprintf("%X%08X", time.Now().UTC().UnixNano(), buf)
|
||||
}
|
||||
|
||||
// GetFromRequest returns the server-generated request ID from the context.
|
||||
func GetFromRequest(r *http.Request) string {
|
||||
if r == nil {
|
||||
return ""
|
||||
}
|
||||
return Get(r.Context())
|
||||
}
|
||||
|
||||
// Ensure guarantees a server-generated request ID exists in the context.
|
||||
// It always generates a new ID if one is not already present in the context,
|
||||
// ignoring any client-sent x-amz-request-id header to prevent spoofing.
|
||||
func Ensure(r *http.Request) (*http.Request, string) {
|
||||
if r == nil {
|
||||
return nil, ""
|
||||
}
|
||||
if id := Get(r.Context()); id != "" {
|
||||
return r, id
|
||||
}
|
||||
id := New()
|
||||
r = r.WithContext(Set(r.Context(), id))
|
||||
return r, id
|
||||
}
|
||||
|
||||
func Middleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
r, reqID := Ensure(r)
|
||||
if w.Header().Get(AmzRequestIDHeader) == "" {
|
||||
w.Header().Set(AmzRequestIDHeader, reqID)
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
50
weed/util/request_id/request_id_test.go
Normal file
50
weed/util/request_id/request_id_test.go
Normal file
@@ -0,0 +1,50 @@
|
||||
package request_id
|
||||
|
||||
import (
|
||||
"net/http/httptest"
|
||||
"regexp"
|
||||
"testing"
|
||||
)
|
||||
|
||||
var requestIDPattern = regexp.MustCompile(`^[0-9A-F]+$`)
|
||||
|
||||
func TestNewUsesUppercaseHexFormat(t *testing.T) {
|
||||
id := New()
|
||||
if !requestIDPattern.MatchString(id) {
|
||||
t.Fatalf("expected uppercase hex request id, got %q", id)
|
||||
}
|
||||
if len(id) < 24 {
|
||||
t.Fatalf("expected request id to be at least 24 characters, got %q (len=%d)", id, len(id))
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewIsUnique(t *testing.T) {
|
||||
a := New()
|
||||
b := New()
|
||||
if a == b {
|
||||
t.Fatalf("expected unique request ids, got %q twice", a)
|
||||
}
|
||||
}
|
||||
|
||||
func TestEnsureIgnoresClientHeader(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req.Header.Set(AmzRequestIDHeader, "spoofed-id")
|
||||
|
||||
req, id := Ensure(req)
|
||||
if id == "spoofed-id" {
|
||||
t.Fatal("Ensure should not trust client-sent x-amz-request-id header")
|
||||
}
|
||||
if !requestIDPattern.MatchString(id) {
|
||||
t.Fatalf("expected server-generated hex id, got %q", id)
|
||||
}
|
||||
}
|
||||
|
||||
func TestEnsureReusesContextID(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req = req.WithContext(Set(req.Context(), "ctx-id-123"))
|
||||
|
||||
req, id := Ensure(req)
|
||||
if id != "ctx-id-123" {
|
||||
t.Fatalf("expected context id ctx-id-123, got %q", id)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user