forked from TrueCloudLab/frostfs-s3-gw
217 lines
6.9 KiB
Go
217 lines
6.9 KiB
Go
package handler
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
|
|
apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
|
|
"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
|
|
s3common "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/pkg/policy-engine/common"
|
|
"git.frostfs.info/TrueCloudLab/policy-engine/pkg/chain"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
func (h *handler) PutPublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutPublicAccessBlock")
|
|
defer span.End()
|
|
|
|
var buf bytes.Buffer
|
|
|
|
tee := io.TeeReader(r.Body, &buf)
|
|
reqInfo := middleware.GetReqInfo(ctx)
|
|
|
|
cfg := new(data.PublicAccessBlockConfiguration)
|
|
if err := h.cfg.NewXMLDecoder(tee, r.UserAgent()).Decode(cfg); err != nil {
|
|
h.logAndSendError(ctx, w, "could not decode body", reqInfo, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrMalformedXML), err.Error()))
|
|
return
|
|
}
|
|
|
|
if _, ok := r.Header[api.ContentMD5]; ok {
|
|
headerMD5, err := base64.StdEncoding.DecodeString(r.Header.Get(api.ContentMD5))
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "invalid Content-MD5", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
|
|
return
|
|
}
|
|
|
|
bodyMD5, err := getContentMD5(&buf)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "could not get content md5", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
if !bytes.Equal(headerMD5, bodyMD5) {
|
|
h.logAndSendError(ctx, w, "Content-MD5 does not match", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
|
|
return
|
|
}
|
|
}
|
|
|
|
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
// Delete ACL chains if IgnorePublicAcls is set to true
|
|
if (settings.PublicAccessBlock == nil || !settings.PublicAccessBlock.IgnorePublicAcls) && cfg.IgnorePublicAcls && settings.CannedACL != basicACLPrivate {
|
|
if err = h.policyEngine.APE.DeleteACLChains(bktInfo.CID.EncodeToString(), []chain.ID{
|
|
getBucketCannedChainID(chain.S3, bktInfo.CID),
|
|
getBucketCannedChainID(chain.Ingress, bktInfo.CID),
|
|
}); err != nil {
|
|
h.logAndSendError(ctx, w, "failed to delete morph rule chains", reqInfo, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
// Set ACL chains if IgnorePublicAcls is set to false
|
|
if settings.PublicAccessBlock != nil && settings.PublicAccessBlock.IgnorePublicAcls && !cfg.IgnorePublicAcls {
|
|
chainRules := bucketCannedACLToAPERules(settings.CannedACL, reqInfo, bktInfo.CID)
|
|
if err = h.policyEngine.APE.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
|
|
h.logAndSendError(ctx, w, "failed to add morph rule chains", reqInfo, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
newSettings := *settings
|
|
newSettings.PublicAccessBlock = cfg
|
|
sp := &layer.PutSettingsParams{
|
|
BktInfo: bktInfo,
|
|
Settings: &newSettings,
|
|
}
|
|
|
|
if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
|
|
h.logAndSendError(ctx, w, "couldn't save bucket settings", reqInfo, err,
|
|
zap.String("container_id", bktInfo.CID.EncodeToString()))
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|
|
|
|
func (h *handler) GetPublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetPublicAccessBlock")
|
|
defer span.End()
|
|
|
|
reqInfo := middleware.GetReqInfo(ctx)
|
|
|
|
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
if settings.PublicAccessBlock == nil {
|
|
h.logAndSendError(ctx, w, "no public access block", reqInfo, apierr.GetAPIError(apierr.ErrNoSuchPublicAccessBlockConfiguration))
|
|
return
|
|
}
|
|
|
|
if err = middleware.EncodeToResponse(w, settings.PublicAccessBlock); err != nil {
|
|
h.logAndSendError(ctx, w, "something went wrong", reqInfo, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
func (h *handler) DeletePublicAccessBlockHandler(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeletePublicAccessBlock")
|
|
defer span.End()
|
|
|
|
reqInfo := middleware.GetReqInfo(ctx)
|
|
|
|
bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "could not get bucket info", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
|
|
if err != nil {
|
|
h.logAndSendError(ctx, w, "couldn't get bucket settings", reqInfo, err)
|
|
return
|
|
}
|
|
|
|
if settings.PublicAccessBlock == nil {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
// Set ACL chains if IgnorePublicAcls was set to true
|
|
if settings.PublicAccessBlock.IgnorePublicAcls {
|
|
chainRules := bucketCannedACLToAPERules(settings.CannedACL, reqInfo, bktInfo.CID)
|
|
if err = h.policyEngine.APE.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
|
|
h.logAndSendError(ctx, w, "failed to add morph rule chains", reqInfo, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
newSettings := *settings
|
|
newSettings.PublicAccessBlock = nil
|
|
sp := &layer.PutSettingsParams{
|
|
BktInfo: bktInfo,
|
|
Settings: &newSettings,
|
|
}
|
|
if err = h.obj.PutBucketSettings(ctx, sp); err != nil {
|
|
h.logAndSendError(ctx, w, "couldn't save bucket settings", reqInfo, err,
|
|
zap.String("container_id", bktInfo.CID.EncodeToString()))
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *handler) CheckRestrictPublicBuckets(ctx context.Context) error {
|
|
reqInfo := middleware.GetReqInfo(ctx)
|
|
|
|
bktInfo, err := h.obj.GetBucketInfo(ctx, reqInfo.BucketName)
|
|
if err != nil {
|
|
return fmt.Errorf("get bucket info: %w", err)
|
|
}
|
|
|
|
settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
|
|
if err != nil {
|
|
return fmt.Errorf("get bucket settings: %w", err)
|
|
}
|
|
|
|
if settings.PublicAccessBlock != nil && settings.PublicAccessBlock.RestrictPublicBuckets {
|
|
jsonPolicy, err := h.policyEngine.APE.GetBucketPolicy(reqInfo.Namespace, bktInfo.CID)
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "not found") {
|
|
return nil
|
|
}
|
|
return fmt.Errorf("get bucket policy: %w", err)
|
|
}
|
|
|
|
var bktPolicy s3common.Policy
|
|
if err = json.Unmarshal(jsonPolicy, &bktPolicy); err != nil {
|
|
return fmt.Errorf("unmarshal bucket policy: %w", err)
|
|
}
|
|
|
|
// Check whether bucket policy is public and namespaces of bucket and user are equal
|
|
if getPolicyStatus(bktPolicy) == PolicyStatusIsPublicTrue &&
|
|
(reqInfo.UserNamespace == nil || *reqInfo.UserNamespace != reqInfo.Namespace) {
|
|
return fmt.Errorf("public buckets are restricted: %w", apierr.GetAPIError(apierr.ErrAccessDenied))
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|