diff --git a/api/handler/api.go b/api/handler/api.go index 5253af7..0b64b65 100644 --- a/api/handler/api.go +++ b/api/handler/api.go @@ -29,6 +29,8 @@ type ( DefaultMaxAge int NotificatorEnabled bool CopiesNumber uint32 + ResolveZoneList []string + IsResolveListAllow bool // True if ResolveZoneList contains allowed zones } PlacementPolicy interface { diff --git a/api/handler/head.go b/api/handler/head.go index 0bead4b..58d2d85 100644 --- a/api/handler/head.go +++ b/api/handler/head.go @@ -123,8 +123,13 @@ func (h *handler) HeadBucketHandler(w http.ResponseWriter, r *http.Request) { } w.Header().Set(api.ContainerID, bktInfo.CID.EncodeToString()) - w.Header().Set(api.ContainerName, bktInfo.Name) w.Header().Set(api.AmzBucketRegion, bktInfo.LocationConstraint) + + if isAvailableToResolve(bktInfo.Zone, h.cfg.ResolveZoneList, h.cfg.IsResolveListAllow) { + w.Header().Set(api.ContainerName, bktInfo.Name) + w.Header().Set(api.ContainerZone, bktInfo.Zone) + } + api.WriteResponse(w, http.StatusOK, nil, api.MimeNone) } @@ -158,3 +163,25 @@ func writeLockHeaders(h http.Header, legalHold *data.LegalHold, retention *data. h.Set(api.AmzObjectLockMode, retention.Mode) } } + +func isAvailableToResolve(zone string, list []string, isAllowList bool) bool { + // empty zone means container doesn't have proper system name, + // so we don't have to resolve it + if len(zone) == 0 { + return false + } + + var zoneInList bool + for _, t := range list { + if t == zone { + zoneInList = true + break + } + } + // InList | IsAllowList | Result + // 0 0 1 + // 0 1 0 + // 1 0 0 + // 1 1 1 + return zoneInList == isAllowList +} diff --git a/api/handler/head_test.go b/api/handler/head_test.go index f9d01ad..40078f8 100644 --- a/api/handler/head_test.go +++ b/api/handler/head_test.go @@ -86,6 +86,26 @@ func TestInvalidAccessThroughCache(t *testing.T) { assertStatus(t, w, http.StatusForbidden) } +func TestIsAvailableToResolve(t *testing.T) { + list := []string{"container", "s3"} + + for i, testCase := range [...]struct { + isAllowList bool + list []string + zone string + expected bool + }{ + {isAllowList: true, list: list, zone: "container", expected: true}, + {isAllowList: true, list: list, zone: "sftp", expected: false}, + {isAllowList: false, list: list, zone: "s3", expected: false}, + {isAllowList: false, list: list, zone: "system", expected: true}, + {isAllowList: true, list: list, zone: "", expected: false}, + } { + result := isAvailableToResolve(testCase.zone, testCase.list, testCase.isAllowList) + require.Equal(t, testCase.expected, result, "case %d", i+1) + } +} + func newTestAccessBox(t *testing.T, key *keys.PrivateKey) *accessbox.Box { var err error if key == nil { diff --git a/api/headers.go b/api/headers.go index 8f5307e..db9fc2a 100644 --- a/api/headers.go +++ b/api/headers.go @@ -64,6 +64,7 @@ const ( ContainerID = "X-Container-Id" ContainerName = "X-Container-Name" + ContainerZone = "X-Container-Zone" AccessControlAllowOrigin = "Access-Control-Allow-Origin" AccessControlAllowMethods = "Access-Control-Allow-Methods" diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go index b1c8c74..5a0b950 100644 --- a/cmd/s3-gw/app.go +++ b/cmd/s3-gw/app.go @@ -642,6 +642,12 @@ func (a *App) initHandler() { cfg.CopiesNumber = val } + cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketAllow) + cfg.IsResolveListAllow = len(cfg.ResolveZoneList) > 0 + if !cfg.IsResolveListAllow { + cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketDeny) + } + var err error a.api, err = handler.New(a.log, a.obj, a.nc, cfg) if err != nil { diff --git a/cmd/s3-gw/app_settings.go b/cmd/s3-gw/app_settings.go index 3cb9fef..cd8a3af 100644 --- a/cmd/s3-gw/app_settings.go +++ b/cmd/s3-gw/app_settings.go @@ -130,6 +130,10 @@ const ( // Settings. // List of allowed AccessKeyID prefixes. cfgAllowedAccessKeyIDPrefixes = "allowed_access_key_id_prefixes" + // Bucket resolving options. + cfgResolveBucketAllow = "resolve_bucket.allow" + cfgResolveBucketDeny = "resolve_bucket.deny" + // envPrefix is an environment variables prefix used for configuration. envPrefix = "S3_GW" )