[#535] Support public access block operations

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>

api/router.go

@@ -88,9 +88,13 @@ type (
 		ListPartsHandler(w http.ResponseWriter, r *http.Request)
 		ListMultipartUploadsHandler(http.ResponseWriter, *http.Request)
 		PatchObjectHandler(http.ResponseWriter, *http.Request)
+		PutPublicAccessBlockHandler(http.ResponseWriter, *http.Request)
+		GetPublicAccessBlockHandler(http.ResponseWriter, *http.Request)
+		DeletePublicAccessBlockHandler(http.ResponseWriter, *http.Request)
 
 		ResolveBucket(ctx context.Context, bucket string) (*data.BucketInfo, error)
 		ResolveCID(ctx context.Context, bucket string) (cid.ID, error)
+		CheckRestrictPublicBuckets(ctx context.Context) error
 	}
 )
 
@@ -156,11 +160,11 @@ func NewRouter(cfg Config) *chi.Mux {
 	}))
 
 	defaultRouter := chi.NewRouter()
-	defaultRouter.Mount("/{bucket}", bucketRouter(cfg.Handler))
+	defaultRouter.Mount("/{bucket}", bucketRouter(cfg.Handler, cfg.Log))
 	defaultRouter.Get("/", named(s3middleware.ListBucketsOperation, cfg.Handler.ListBucketsHandler))
 	attachErrorHandler(defaultRouter)
 
-	vhsRouter := newDomainRouter(cfg.Handler)
+	vhsRouter := newDomainRouter(cfg.Handler, cfg.Log)
 	router := newGlobalRouter(defaultRouter, vhsRouter)
 
 	api.Mount("/", router)
@@ -175,7 +179,7 @@ type domainRouter struct {
 	defaultRouter chi.Router
 }
 
-func newDomainRouter(handler Handler) *domainRouter {
+func newDomainRouter(handler Handler, log *zap.Logger) *domainRouter {
 	defaultRouter := chi.NewRouter()
 	defaultRouter.Group(func(r chi.Router) {
 		r.Method(http.MethodGet, "/", NewHandlerFilter().
@@ -188,7 +192,7 @@ func newDomainRouter(handler Handler) *domainRouter {
 	attachErrorHandler(defaultRouter)
 
 	return &domainRouter{
-		bucketRouter:  bucketRouter(handler),
+		bucketRouter:  bucketRouter(handler, log),
 		defaultRouter: defaultRouter,
 	}
 }
@@ -289,9 +293,13 @@ func attachErrorHandler(api *chi.Mux) {
 	api.MethodNotAllowed(named("MethodNotAllowed", errorHandler))
 }
 
-func bucketRouter(h Handler) chi.Router {
+func bucketRouter(h Handler, log *zap.Logger) chi.Router {
 	bktRouter := chi.NewRouter()
 
+	bktRouter.Use(
+		s3middleware.RestrictPublicBuckets(h, log),
+	)
+
 	bktRouter.Mount("/", objectRouter(h))
 
 	bktRouter.Options("/", named(s3middleware.OptionsBucketOperation, h.Preflight))
@@ -368,6 +376,9 @@ func bucketRouter(h Handler) chi.Router {
 				AllowedQueries(s3middleware.QueryDelimiter, s3middleware.QueryMaxKeys, s3middleware.QueryPrefix,
 					s3middleware.QueryMarker, s3middleware.QueryEncodingType).
 				Handler(named(s3middleware.ListObjectsV1Operation, h.ListObjectsV1Handler))).
+			Add(NewFilter().
+				Queries(s3middleware.PublicAccessBlockQuery).
+				Handler(named(s3middleware.GetPublicAccessBlockOperation, h.GetPublicAccessBlockHandler))).
 			DefaultHandler(notSupportedHandler()))
 	})
 
@@ -401,6 +412,9 @@ func bucketRouter(h Handler) chi.Router {
 			Add(NewFilter().
 				Queries(s3middleware.NotificationQuery).
 				Handler(named(s3middleware.PutBucketNotificationOperation, h.PutBucketNotificationHandler))).
+			Add(NewFilter().
+				Queries(s3middleware.PublicAccessBlockQuery).
+				Handler(named(s3middleware.PutPublicAccessBlockOperation, h.PutPublicAccessBlockHandler))).
 			Add(NewFilter().
 				NoQueries().
 				Handler(named(s3middleware.CreateBucketOperation, h.CreateBucketHandler))).
@@ -438,6 +452,9 @@ func bucketRouter(h Handler) chi.Router {
 			Add(NewFilter().
 				Queries(s3middleware.EncryptionQuery).
 				Handler(named(s3middleware.DeleteBucketEncryptionOperation, h.DeleteBucketEncryptionHandler))).
+			Add(NewFilter().
+				Queries(s3middleware.PublicAccessBlockQuery).
+				Handler(named(s3middleware.DeletePublicAccessBlockOperation, h.DeletePublicAccessBlockHandler))).
 			Add(NewFilter().
 				NoQueries().
 				Handler(named(s3middleware.DeleteBucketOperation, h.DeleteBucketHandler))).