| 163 | |
| 164 | // Unauthenticated user. Be paranoid. |
| 165 | func (h *shareHandler) handleGetViaSharing(rw http.ResponseWriter, req *http.Request, |
| 166 | blobRef blob.Ref) error { |
| 167 | ctx := req.Context() |
| 168 | if !httputil.IsGet(req) { |
| 169 | return &shareError{code: invalidMethod, response: badRequest, message: "Invalid method"} |
| 170 | } |
| 171 | |
| 172 | rw.Header().Set("Access-Control-Allow-Origin", "*") |
| 173 | |
| 174 | viaPathOkay := false |
| 175 | startTime := time.Now() |
| 176 | defer func() { |
| 177 | if !viaPathOkay { |
| 178 | // Insert a delay, to hide timing attacks probing |
| 179 | // for the existence of blobs. |
| 180 | sleep := fetchFailureDelay - time.Since(startTime) |
| 181 | timeSleep(sleep) |
| 182 | } |
| 183 | }() |
| 184 | viaBlobs := make([]blob.Ref, 0) |
| 185 | if via := req.FormValue("via"); via != "" { |
| 186 | for _, vs := range strings.Split(via, ",") { |
| 187 | if br, ok := blob.Parse(vs); ok { |
| 188 | viaBlobs = append(viaBlobs, br) |
| 189 | } else { |
| 190 | return &shareError{code: invalidVia, response: badRequest, message: "Malformed blobref in via param"} |
| 191 | } |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | fetchChain := make([]blob.Ref, 0) |
| 196 | fetchChain = append(fetchChain, viaBlobs...) |
| 197 | fetchChain = append(fetchChain, blobRef) |
| 198 | isTransitive := false |
| 199 | for i, br := range fetchChain { |
| 200 | switch i { |
| 201 | case 0: |
| 202 | if h.idx != nil { |
| 203 | h.idx.RLock() |
| 204 | isDeleted := h.idx.IsDeleted(br) |
| 205 | h.idx.RUnlock() |
| 206 | if isDeleted { |
| 207 | return unauthorized(shareDeleted, "Share was deleted") |
| 208 | } |
| 209 | } |
| 210 | file, size, err := h.fetcher.Fetch(ctx, br) |
| 211 | if err != nil { |
| 212 | return unauthorized(shareFetchFailed, "Fetch chain 0 of %s failed: %v", br, err) |
| 213 | } |
| 214 | defer file.Close() |
| 215 | if size > schema.MaxSchemaBlobSize { |
| 216 | return unauthorized(shareBlobTooLarge, "Fetch chain 0 of %s too large", br) |
| 217 | } |
| 218 | blob, err := schema.BlobFromReader(br, file) |
| 219 | if err != nil { |
| 220 | return unauthorized(shareReadFailed, "Can't create a blob from %v: %v", br, err) |
| 221 | } |
| 222 | share, ok := blob.AsShare() |