[#535] Support public access block operations

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2025-04-03 13:51:16 +03:00 · 2025-04-03 13:51:16 +03:00 · a7ce40d745
commit a7ce40d745
parent 4f0f2ca7bd
23 changed files with 940 additions and 87 deletions
--- a/api/handler/access_block.go
+++ b/api/handler/access_block.go
@ -0,0 +1,217 @@
+package handler
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
+	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
+	s3common "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/policy-engine/common"
+	"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
+	"go.uber.org/zap"
+)
+
+func (h *handler) PutPublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutPublicAccessBlock")
+	defer span.End()
+
+	var buf bytes.Buffer
+
+	tee := io.TeeReader(r.Body, &buf)
+	reqInfo := middleware.GetReqInfo(ctx)
+
+	cfg := new(data.PublicAccessBlockConfiguration)
+	if err := h.cfg.NewXMLDecoder(tee, r.UserAgent()).Decode(cfg); err != nil {
+		h.logAndSendError(ctx, w, "could not decode body", reqInfo, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrMalformedXML), err.Error()))
+		return
+	}
+
+	if _, ok := r.Header[api.ContentMD5]; ok {
+		headerMD5, err := base64.StdEncoding.DecodeString(r.Header.Get(api.ContentMD5))
+		if err != nil {
+			h.logAndSendError(ctx, w, "invalid Content-MD5", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
+			return
+		}
+
+		bodyMD5, err := getContentMD5(&buf)
+		if err != nil {
+			h.logAndSendError(ctx, w, "could not get content md5", reqInfo, err)
+			return
+		}
+
+		if !bytes.Equal(headerMD5, bodyMD5) {
+			h.logAndSendError(ctx, w, "Content-MD5 does not match", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
+			return
+		}
+	}
+
+	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
+	if err != nil {
+		h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
+		return
+	}
+
+	settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
+		return
+	}
+
+	// Delete ACL chains if IgnorePublicAcls is set to true
+	if (settings.PublicAccessBlock == nil || !settings.PublicAccessBlock.IgnorePublicAcls) && cfg.IgnorePublicAcls && settings.CannedACL != basicACLPrivate {
+		if err = h.policyEngine.APE.DeleteACLChains(bktInfo.CID.EncodeToString(), []chain.ID{
+			getBucketCannedChainID(chain.S3, bktInfo.CID),
+			getBucketCannedChainID(chain.Ingress, bktInfo.CID),
+		}); err != nil {
+			h.logAndSendError(ctx, w, "failed to delete morph rule chains", reqInfo, err)
+			return
+		}
+	}
+
+	// Set ACL chains if IgnorePublicAcls is set to false
+	if settings.PublicAccessBlock != nil && settings.PublicAccessBlock.IgnorePublicAcls && !cfg.IgnorePublicAcls {
+		chainRules := bucketCannedACLToAPERules(settings.CannedACL, reqInfo, bktInfo.CID)
+		if err = h.policyEngine.APE.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
+			h.logAndSendError(ctx, w, "failed to add morph rule chains", reqInfo, err)
+			return
+		}
+	}
+
+	newSettings := *settings
+	newSettings.PublicAccessBlock = cfg
+	sp := &layer.PutSettingsParams{
+		BktInfo:  bktInfo,
+		Settings: &newSettings,
+	}
+
+	if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
+		h.logAndSendError(ctx, w, "couldn't save bucket settings", reqInfo, err,
+			zap.String("container_id", bktInfo.CID.EncodeToString()))
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
+
+func (h *handler) GetPublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetPublicAccessBlock")
+	defer span.End()
+
+	reqInfo := middleware.GetReqInfo(ctx)
+
+	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
+	if err != nil {
+		h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
+		return
+	}
+
+	settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
+		return
+	}
+
+	if settings.PublicAccessBlock == nil {
+		h.logAndSendError(ctx, w, "no public access block", reqInfo, apierr.GetAPIError(apierr.ErrNoSuchPublicAccessBlockConfiguration))
+		return
+	}
+
+	if err = middleware.EncodeToResponse(w, settings.PublicAccessBlock); err != nil {
+		h.logAndSendError(ctx, w, "something went wrong", reqInfo, err)
+		return
+	}
+}
+
+func (h *handler) DeletePublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeletePublicAccessBlock")
+	defer span.End()
+
+	reqInfo := middleware.GetReqInfo(ctx)
+
+	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
+	if err != nil {
+		h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
+		return
+	}
+
+	settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
+		return
+	}
+
+	if settings.PublicAccessBlock == nil {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	// Set ACL chains if IgnorePublicAcls was set to true
+	if settings.PublicAccessBlock.IgnorePublicAcls {
+		chainRules := bucketCannedACLToAPERules(settings.CannedACL, reqInfo, bktInfo.CID)
+		if err = h.policyEngine.APE.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
+			h.logAndSendError(ctx, w, "failed to add morph rule chains", reqInfo, err)
+			return
+		}
+	}
+
+	newSettings := *settings
+	newSettings.PublicAccessBlock = nil
+	sp := &layer.PutSettingsParams{
+		BktInfo:  bktInfo,
+		Settings: &newSettings,
+	}
+	if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
+		h.logAndSendError(ctx, w, "couldn't save bucket settings", reqInfo, err,
+			zap.String("container_id", bktInfo.CID.EncodeToString()))
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func (h *handler) CheckRestrictPublicBuckets(ctx context.Context) error {
+	reqInfo := middleware.GetReqInfo(ctx)
+
+	bktInfo, err := h.obj.GetBucketInfo(ctx, reqInfo.BucketName)
+	if err != nil {
+		return fmt.Errorf("get bucket info: %w", err)
+	}
+
+	settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		return fmt.Errorf("get bucket settings: %w", err)
+	}
+
+	if settings.PublicAccessBlock != nil && settings.PublicAccessBlock.RestrictPublicBuckets {
+		jsonPolicy, err := h.policyEngine.APE.GetBucketPolicy(reqInfo.Namespace, bktInfo.CID)
+		if err != nil {
+			if strings.Contains(err.Error(), "not found") {
+				return nil
+			}
+			return fmt.Errorf("get bucket policy: %w", err)
+		}
+
+		var bktPolicy s3common.Policy
+		if err = json.Unmarshal(jsonPolicy, &bktPolicy); err != nil {
+			return fmt.Errorf("unmarshal bucket policy: %w", err)
+		}
+
+		// Check whether bucket policy is public and namespaces of bucket and user are equal
+		if getPolicyStatus(bktPolicy) == PolicyStatusIsPublicTrue &&
+			(reqInfo.UserNamespace == nil || *reqInfo.UserNamespace != reqInfo.Namespace) {
+			return fmt.Errorf("public buckets are restricted: %w", apierr.GetAPIError(apierr.ErrAccessDenied))
+		}
+	}
+
+	return nil
+}