[TrueCloudLab#34] Fix resolve_bucket format in docs

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

CHANGELOG.md

@@ -4,12 +4,14 @@ This document outlines major changes between releases.
 
 ## [Unreleased]
 
+### Fixed
+- Get empty bucket CORS from frostfs (TrueCloudLab#36)
+
 ### Added
 - Return container name in `head-bucket` response (TrueCloudLab#18)
 - Billing metrics (TrueCloudLab#5)
 - Multiple configs support (TrueCloudLab#21)
 - Bucket name resolving policy (TrueCloudLab#25)
-- Support string `Action` and `Resource` fields in `bucketPolicy.Statement` (TrueCloudLab#32)
 
 ### Changed
 - Update neo-go to v0.101.0 (#14)

api/handler/acl.go

@@ -158,90 +158,6 @@ func (s ServiceRecord) ToEACLRecord() *eacl.Record {
 	return serviceRecord
 }
 
-var (
-	errInvalidStatement = stderrors.New("invalid statement")
-	errInvalidPrincipal = stderrors.New("invalid principal")
-)
-
-func (s *statement) UnmarshalJSON(data []byte) error {
-	var statementMap map[string]interface{}
-	if err := json.Unmarshal(data, &statementMap); err != nil {
-		return err
-	}
-
-	sidField, ok := statementMap["Sid"]
-	if ok {
-		if s.Sid, ok = sidField.(string); !ok {
-			return errInvalidStatement
-		}
-	}
-
-	effectField, ok := statementMap["Effect"]
-	if ok {
-		if s.Effect, ok = effectField.(string); !ok {
-			return errInvalidStatement
-		}
-	}
-
-	principalField, ok := statementMap["Principal"]
-	if ok {
-		principalMap, ok := principalField.(map[string]interface{})
-		if !ok {
-			return errInvalidPrincipal
-		}
-
-		awsField, ok := principalMap["AWS"]
-		if ok {
-			if s.Principal.AWS, ok = awsField.(string); !ok {
-				return fmt.Errorf("%w: 'AWS' field must be string", errInvalidPrincipal)
-			}
-		}
-
-		canonicalUserField, ok := principalMap["CanonicalUser"]
-		if ok {
-			if s.Principal.CanonicalUser, ok = canonicalUserField.(string); !ok {
-				return errInvalidPrincipal
-			}
-		}
-	}
-
-	actionField, ok := statementMap["Action"]
-	if ok {
-		switch actionField := actionField.(type) {
-		case []interface{}:
-			s.Action = make([]string, len(actionField))
-			for i, action := range actionField {
-				if s.Action[i], ok = action.(string); !ok {
-					return errInvalidStatement
-				}
-			}
-		case string:
-			s.Action = []string{actionField}
-		default:
-			return errInvalidStatement
-		}
-	}
-
-	resourceField, ok := statementMap["Resource"]
-	if ok {
-		switch resourceField := resourceField.(type) {
-		case []interface{}:
-			s.Resource = make([]string, len(resourceField))
-			for i, action := range resourceField {
-				if s.Resource[i], ok = action.(string); !ok {
-					return errInvalidStatement
-				}
-			}
-		case string:
-			s.Resource = []string{resourceField}
-		default:
-			return errInvalidStatement
-		}
-	}
-
-	return nil
-}
-
 func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
 	reqInfo := api.GetReqInfo(r.Context())
 

api/handler/acl_test.go

@@ -1352,85 +1352,6 @@ func TestBucketPolicy(t *testing.T) {
 	}
 }
 
-func TestBucketPolicyUnmarshal(t *testing.T) {
-	for _, tc := range []struct {
-		name   string
-		policy string
-	}{
-		{
-			name: "action/resource array",
-			policy: `
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-		"Principal": {
-			"AWS": "arn:aws:iam::111122223333:role/JohnDoe"
-		},
-		"Effect": "Allow",
-		"Action": [
-			"s3:GetObject", 
-			"s3:GetObjectVersion"
-		],
-		"Resource": [
-			"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
-			"arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
-		]
-	}]
-}
-`,
-		},
-		{
-			name: "action/resource string",
-			policy: `
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-		"Principal": {
-			"AWS": "arn:aws:iam::111122223333:role/JohnDoe"
-		},
-		"Effect": "Deny",
-		"Action": "s3:GetObject",
-		"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
-	}]
-}
-`,
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			bktPolicy := &bucketPolicy{}
-			err := json.Unmarshal([]byte(tc.policy), bktPolicy)
-			require.NoError(t, err)
-		})
-	}
-}
-
-func TestPutBucketPolicy(t *testing.T) {
-	bktPolicy := `
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-		"Principal": {
-			"AWS": "*"
-		},
-		"Effect": "Deny",
-		"Action": "s3:GetObject",
-		"Resource": "arn:aws:s3:::bucket-for-policy/*"
-	}]
-}
-`
-	hc := prepareHandlerContext(t)
-	bktName := "bucket-for-policy"
-
-	box, _ := createAccessBox(t)
-	createBucket(t, hc, bktName, box)
-
-	w, r := prepareTestPayloadRequest(hc, bktName, "", bytes.NewReader([]byte(bktPolicy)))
-	ctx := context.WithValue(r.Context(), api.BoxData, box)
-	r = r.WithContext(ctx)
-	hc.Handler().PutBucketPolicyHandler(w, r)
-	assertStatus(hc.t, w, http.StatusOK)
-}
-
 func getBucketPolicy(hc *handlerContext, bktName string) *bucketPolicy {
 	w, r := prepareTestRequest(hc, bktName, "", nil)
 	hc.Handler().GetBucketPolicyHandler(w, r)

api/handler/cors_test.go

@@ -0,0 +1,41 @@
+package handler
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/TrueCloudLab/frostfs-s3-gw/api"
+)
+
+func TestCORSOriginWildcard(t *testing.T) {
+	body := `
+<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+	<CORSRule>
+		<AllowedMethod>GET</AllowedMethod>
+		<AllowedOrigin>*</AllowedOrigin>
+	</CORSRule>
+</CORSConfiguration>
+`
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-for-cors"
+	box, _ := createAccessBox(t)
+	w, r := prepareTestRequest(hc, bktName, "", nil)
+	ctx := context.WithValue(r.Context(), api.BoxData, box)
+	r = r.WithContext(ctx)
+	r.Header.Add(api.AmzACL, "public-read")
+	hc.Handler().CreateBucketHandler(w, r)
+	assertStatus(t, w, http.StatusOK)
+
+	w, r = prepareTestPayloadRequest(hc, bktName, "", strings.NewReader(body))
+	ctx = context.WithValue(r.Context(), api.BoxData, box)
+	r = r.WithContext(ctx)
+	hc.Handler().PutBucketCorsHandler(w, r)
+	assertStatus(t, w, http.StatusOK)
+
+	w, r = prepareTestPayloadRequest(hc, bktName, "", nil)
+	hc.Handler().GetBucketCorsHandler(w, r)
+	assertStatus(t, w, http.StatusOK)
+}

api/layer/cors.go

@@ -39,7 +39,7 @@ func (n *layer) PutBucketCORS(ctx context.Context, p *PutCORSParams) error {
 	prm := PrmObjectCreate{
 		Container:    p.BktInfo.CID,
 		Creator:      p.BktInfo.Owner,
-		Payload:      p.Reader,
+		Payload:      &buf,
 		Filepath:     p.BktInfo.CORSObjectName(),
 		CreationTime: TimeNow(ctx),
 		CopiesNumber: p.CopiesNumber,

api/layer/neofs_mock.go

@@ -144,7 +144,7 @@ func (t *TestFrostFS) ReadObject(ctx context.Context, prm PrmObjectRead) (*Objec
 
 	if obj, ok := t.objects[sAddr]; ok {
 		owner := getOwner(ctx)
-		if !obj.OwnerID().Equals(owner) {
+		if !obj.OwnerID().Equals(owner) && !t.isPublicRead(prm.Container) {
 			return nil, ErrAccessDenied
 		}
 
@@ -282,6 +282,25 @@ func (t *TestFrostFS) ContainerEACL(_ context.Context, cnrID cid.ID) (*eacl.Tabl
 	return table, nil
 }
 
+func (t *TestFrostFS) isPublicRead(cnrID cid.ID) bool {
+	table, ok := t.eaclTables[cnrID.EncodeToString()]
+	if !ok {
+		return false
+	}
+
+	for _, rec := range table.Records() {
+		if rec.Operation() == eacl.OperationGet && len(rec.Filters()) == 0 {
+			for _, trgt := range rec.Targets() {
+				if trgt.Role() == eacl.RoleOthers {
+					return rec.Action() == eacl.ActionAllow
+				}
+			}
+		}
+	}
+
+	return false
+}
+
 func getOwner(ctx context.Context) user.ID {
 	if bd, ok := ctx.Value(api.BoxData).(*accessbox.Box); ok && bd != nil && bd.Gate != nil && bd.Gate.BearerToken != nil {
 		return bearer.ResolveIssuer(*bd.Gate.BearerToken)

api/layer/tree_mock.go

@@ -109,11 +109,32 @@ func (t *TreeServiceMock) PutNotificationConfigurationNode(ctx context.Context,
 }
 
 func (t *TreeServiceMock) GetBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) (oid.ID, error) {
-	panic("implement me")
+	systemMap, ok := t.system[bktInfo.CID.EncodeToString()]
+	if !ok {
+		return oid.ID{}, nil
+	}
+
+	node, ok := systemMap["cors"]
+	if !ok {
+		return oid.ID{}, nil
+	}
+
+	return node.OID, nil
 }
 
 func (t *TreeServiceMock) PutBucketCORS(ctx context.Context, bktInfo *data.BucketInfo, objID oid.ID) (oid.ID, error) {
-	panic("implement me")
+	systemMap, ok := t.system[bktInfo.CID.EncodeToString()]
+	if !ok {
+		systemMap = make(map[string]*data.BaseNodeVersion)
+	}
+
+	systemMap["cors"] = &data.BaseNodeVersion{
+		OID: objID,
+	}
+
+	t.system[bktInfo.CID.EncodeToString()] = systemMap
+
+	return oid.ID{}, ErrNoNodeToRemove
 }
 
 func (t *TreeServiceMock) DeleteBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) (oid.ID, error) {

docs/configuration.md

@@ -486,9 +486,9 @@ Bucket name resolving parameters from and to container ID with `HEAD` request.
 
 ```yaml
 resolve_bucket:
-allow:
-  - container
-deny:
+  allow:
+    - container
+  deny:
 ```
 
 | Parameter | Type       | Default value | Description                                                                                                              |