[TrueCloudLab#25] Process allow and deny lists of zones in bucket head requests

Signed-off-by: Alex Vanin <a.vanin@yadro.com>
2023-02-10 15:19:29 +03:00 · 2023-02-10 15:19:29 +03:00 · 45686c5bdf
commit 45686c5bdf
parent 4d4114e1d2
6 changed files with 61 additions and 1 deletions
--- a/api/handler/api.go
+++ b/api/handler/api.go
@ -29,6 +29,8 @@ type (
 		DefaultMaxAge      int
 		NotificatorEnabled bool
 		CopiesNumber       uint32
+		ResolveZoneList    []string
+		IsResolveListAllow bool // True if ResolveZoneList contains allowed zones
 	}

 	PlacementPolicy interface {
--- a/api/handler/head.go
+++ b/api/handler/head.go
@ -123,8 +123,13 @@ func (h *handler) HeadBucketHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	w.Header().Set(api.ContainerID, bktInfo.CID.EncodeToString())
-	w.Header().Set(api.ContainerName, bktInfo.Name)
 	w.Header().Set(api.AmzBucketRegion, bktInfo.LocationConstraint)
+
+	if isAvailableToResolve(bktInfo.Zone, h.cfg.ResolveZoneList, h.cfg.IsResolveListAllow) {
+		w.Header().Set(api.ContainerName, bktInfo.Name)
+		w.Header().Set(api.ContainerZone, bktInfo.Zone)
+	}
+
 	api.WriteResponse(w, http.StatusOK, nil, api.MimeNone)
 }

@ -158,3 +163,25 @@ func writeLockHeaders(h http.Header, legalHold *data.LegalHold, retention *data.
 		h.Set(api.AmzObjectLockMode, retention.Mode)
 	}
 }
+
+func isAvailableToResolve(zone string, list []string, isAllowList bool) bool {
+	// empty zone means container doesn't have proper system name,
+	// so we don't have to resolve it
+	if len(zone) == 0 {
+		return false
+	}
+
+	var zoneInList bool
+	for _, t := range list {
+		if t == zone {
+			zoneInList = true
+			break
+		}
+	}
+	// InList | IsAllowList | Result
+	//    0         0          1
+	//    0         1          0
+	//    1         0          0
+	//    1         1          1
+	return zoneInList == isAllowList
+}
--- a/api/handler/head_test.go
+++ b/api/handler/head_test.go
@ -86,6 +86,26 @@ func TestInvalidAccessThroughCache(t *testing.T) {
 	assertStatus(t, w, http.StatusForbidden)
 }

+func TestIsAvailableToResolve(t *testing.T) {
+	list := []string{"container", "s3"}
+
+	for i, testCase := range [...]struct {
+		isAllowList bool
+		list        []string
+		zone        string
+		expected    bool
+	}{
+		{isAllowList: true, list: list, zone: "container", expected: true},
+		{isAllowList: true, list: list, zone: "sftp", expected: false},
+		{isAllowList: false, list: list, zone: "s3", expected: false},
+		{isAllowList: false, list: list, zone: "system", expected: true},
+		{isAllowList: true, list: list, zone: "", expected: false},
+	} {
+		result := isAvailableToResolve(testCase.zone, testCase.list, testCase.isAllowList)
+		require.Equal(t, testCase.expected, result, "case %d", i+1)
+	}
+}
+
 func newTestAccessBox(t *testing.T, key *keys.PrivateKey) *accessbox.Box {
 	var err error
 	if key == nil {
--- a/api/headers.go
+++ b/api/headers.go
@ -64,6 +64,7 @@ const (

 	ContainerID   = "X-Container-Id"
 	ContainerName = "X-Container-Name"
+	ContainerZone = "X-Container-Zone"

 	AccessControlAllowOrigin      = "Access-Control-Allow-Origin"
 	AccessControlAllowMethods     = "Access-Control-Allow-Methods"
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@ -642,6 +642,12 @@ func (a *App) initHandler() {
 		cfg.CopiesNumber = val
 	}

+	cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketAllow)
+	cfg.IsResolveListAllow = len(cfg.ResolveZoneList) > 0
+	if !cfg.IsResolveListAllow {
+		cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketDeny)
+	}
+
 	var err error
 	a.api, err = handler.New(a.log, a.obj, a.nc, cfg)
 	if err != nil {
--- a/cmd/s3-gw/app_settings.go
+++ b/cmd/s3-gw/app_settings.go
@ -130,6 +130,10 @@ const ( // Settings.
 	// List of allowed AccessKeyID prefixes.
 	cfgAllowedAccessKeyIDPrefixes = "allowed_access_key_id_prefixes"

+	// Bucket resolving options.
+	cfgResolveBucketAllow = "resolve_bucket.allow"
+	cfgResolveBucketDeny  = "resolve_bucket.deny"
+
 	// envPrefix is an environment variables prefix used for configuration.
 	envPrefix = "S3_GW"
 )