forked from TrueCloudLab/frostfs-s3-gw
[TrueCloudLab#25] Process allow and deny lists of zones in bucket head requests
Signed-off-by: Alex Vanin <a.vanin@yadro.com>
This commit is contained in:
parent
8ac630ee71
commit
aadefd98b6
6 changed files with 61 additions and 1 deletions
|
@ -29,6 +29,8 @@ type (
|
|||
DefaultMaxAge int
|
||||
NotificatorEnabled bool
|
||||
CopiesNumber uint32
|
||||
ResolveZoneList []string
|
||||
IsResolveListAllow bool // True if ResolveZoneList contains allowed zones
|
||||
}
|
||||
|
||||
PlacementPolicy interface {
|
||||
|
|
|
@ -123,8 +123,13 @@ func (h *handler) HeadBucketHandler(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
w.Header().Set(api.ContainerID, bktInfo.CID.EncodeToString())
|
||||
w.Header().Set(api.ContainerName, bktInfo.Name)
|
||||
w.Header().Set(api.AmzBucketRegion, bktInfo.LocationConstraint)
|
||||
|
||||
if isAvailableToResolve(bktInfo.Zone, h.cfg.ResolveZoneList, h.cfg.IsResolveListAllow) {
|
||||
w.Header().Set(api.ContainerName, bktInfo.Name)
|
||||
w.Header().Set(api.ContainerZone, bktInfo.Zone)
|
||||
}
|
||||
|
||||
api.WriteResponse(w, http.StatusOK, nil, api.MimeNone)
|
||||
}
|
||||
|
||||
|
@ -158,3 +163,25 @@ func writeLockHeaders(h http.Header, legalHold *data.LegalHold, retention *data.
|
|||
h.Set(api.AmzObjectLockMode, retention.Mode)
|
||||
}
|
||||
}
|
||||
|
||||
func isAvailableToResolve(zone string, list []string, isAllowList bool) bool {
|
||||
// empty zone means container doesn't have proper system name,
|
||||
// so we don't have to resolve it
|
||||
if len(zone) == 0 {
|
||||
return false
|
||||
}
|
||||
|
||||
var zoneInList bool
|
||||
for _, t := range list {
|
||||
if t == zone {
|
||||
zoneInList = true
|
||||
break
|
||||
}
|
||||
}
|
||||
// InList | IsAllowList | Result
|
||||
// 0 0 1
|
||||
// 0 1 0
|
||||
// 1 0 0
|
||||
// 1 1 1
|
||||
return zoneInList == isAllowList
|
||||
}
|
||||
|
|
|
@ -86,6 +86,26 @@ func TestInvalidAccessThroughCache(t *testing.T) {
|
|||
assertStatus(t, w, http.StatusForbidden)
|
||||
}
|
||||
|
||||
func TestIsAvailableToResolve(t *testing.T) {
|
||||
list := []string{"container", "s3"}
|
||||
|
||||
for i, testCase := range [...]struct {
|
||||
isAllowList bool
|
||||
list []string
|
||||
zone string
|
||||
expected bool
|
||||
}{
|
||||
{isAllowList: true, list: list, zone: "container", expected: true},
|
||||
{isAllowList: true, list: list, zone: "sftp", expected: false},
|
||||
{isAllowList: false, list: list, zone: "s3", expected: false},
|
||||
{isAllowList: false, list: list, zone: "system", expected: true},
|
||||
{isAllowList: true, list: list, zone: "", expected: false},
|
||||
} {
|
||||
result := isAvailableToResolve(testCase.zone, testCase.list, testCase.isAllowList)
|
||||
require.Equal(t, testCase.expected, result, "case %d", i+1)
|
||||
}
|
||||
}
|
||||
|
||||
func newTestAccessBox(t *testing.T, key *keys.PrivateKey) *accessbox.Box {
|
||||
var err error
|
||||
if key == nil {
|
||||
|
|
|
@ -64,6 +64,7 @@ const (
|
|||
|
||||
ContainerID = "X-Container-Id"
|
||||
ContainerName = "X-Container-Name"
|
||||
ContainerZone = "X-Container-Zone"
|
||||
|
||||
AccessControlAllowOrigin = "Access-Control-Allow-Origin"
|
||||
AccessControlAllowMethods = "Access-Control-Allow-Methods"
|
||||
|
|
|
@ -642,6 +642,12 @@ func (a *App) initHandler() {
|
|||
cfg.CopiesNumber = val
|
||||
}
|
||||
|
||||
cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketAllow)
|
||||
cfg.IsResolveListAllow = len(cfg.ResolveZoneList) > 0
|
||||
if !cfg.IsResolveListAllow {
|
||||
cfg.ResolveZoneList = a.cfg.GetStringSlice(cfgResolveBucketDeny)
|
||||
}
|
||||
|
||||
var err error
|
||||
a.api, err = handler.New(a.log, a.obj, a.nc, cfg)
|
||||
if err != nil {
|
||||
|
|
|
@ -130,6 +130,10 @@ const ( // Settings.
|
|||
// List of allowed AccessKeyID prefixes.
|
||||
cfgAllowedAccessKeyIDPrefixes = "allowed_access_key_id_prefixes"
|
||||
|
||||
// Bucket resolving options.
|
||||
cfgResolveBucketAllow = "resolve_bucket.allow"
|
||||
cfgResolveBucketDeny = "resolve_bucket.deny"
|
||||
|
||||
// envPrefix is an environment variables prefix used for configuration.
|
||||
envPrefix = "S3_GW"
|
||||
)
|
||||
|
|
Loading…
Reference in a new issue