Merge remote-tracking branch 'origin/w/7.70/improvement/CLDSRV-436-bp-conditions' into w/8.6/improvement/CLDSRV-436-bp-conditions

.eslintrc

@@ -1,8 +1,5 @@
 {
     "extends": "scality",
-    "plugins": [
-        "mocha"
-    ],
     "rules": {
         "import/extensions": "off",
         "lines-around-directive": "off",
@@ -45,8 +42,7 @@
         "no-restricted-properties": "off",
         "new-parens": "off",
         "no-multi-spaces": "off",
-        "quote-props": "off",
+        "quote-props": "off"
-        "mocha/no-exclusive-tests": "error",
     },
     "parserOptions": {
         "ecmaVersion": 2020

.github/actions/setup-ci/action.yaml

@@ -16,14 +16,14 @@ runs:
       run: |-
         set -exu;
         mkdir -p /tmp/artifacts/${JOB_NAME}/;
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v2
       with:
         node-version: '16'
         cache: 'yarn'
     - name: install dependencies
       shell: bash
       run: yarn install --ignore-engines --frozen-lockfile --network-concurrency 1
-    - uses: actions/cache@v3
+    - uses: actions/cache@v2
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-pip
@@ -35,9 +35,3 @@ runs:
       run: |
         sudo apt-get install -y libdigest-hmac-perl
         pip install 's3cmd==2.3.0'
-    - name: fix sproxyd.conf permissions
-      shell: bash
-      run: sudo chown root:root .github/docker/sproxyd/conf/sproxyd0.conf
-    - name: ensure fuse kernel module is loaded (for sproxyd)
-      shell: bash
-      run: sudo modprobe fuse

.github/docker/docker-compose.yaml

@@ -40,11 +40,6 @@ services:
       - DEFAULT_BUCKET_KEY_FORMAT
       - METADATA_MAX_CACHED_BUCKETS
       - ENABLE_NULL_VERSION_COMPAT_MODE
-      - SCUBA_HOST
-      - SCUBA_PORT
-      - SCUBA_HEALTHCHECK_FREQUENCY
-      - S3QUOTA
-      - QUOTA_ENABLE_INFLIGHTS
     env_file:
       - creds.env
     depends_on:
@@ -72,21 +67,14 @@ services:
   pykmip:
     network_mode: "host"
     profiles: ['pykmip']
-    image: ${PYKMIP_IMAGE:-ghcr.io/scality/cloudserver/pykmip}
+    image: registry.scality.com/cloudserver-dev/pykmip
     volumes:
       - /tmp/artifacts/${JOB_NAME}:/artifacts
   mongo:
     network_mode: "host"
     profiles: ['mongo', 'ceph']
-    image: ${MONGODB_IMAGE}
+    image: scality/ci-mongo:3.6.8
   ceph: 
     network_mode: "host"
     profiles: ['ceph']
     image: ghcr.io/scality/cloudserver/ci-ceph 
-  sproxyd:
-    network_mode: "host"
-    profiles: ['sproxyd']
-    image: sproxyd-standalone
-    build: ./sproxyd
-    user: 0:0
-    privileged: yes

.github/docker/mongodb/Dockerfile

@@ -1,28 +0,0 @@
-FROM mongo:5.0.21
-
-ENV USER=scality \
-    HOME_DIR=/home/scality \
-    CONF_DIR=/conf \
-    DATA_DIR=/data
-
-# Set up directories and permissions
-RUN mkdir -p /data/db /data/configdb && chown -R mongodb:mongodb /data/db /data/configdb; \
-    mkdir /logs; \
-    adduser --uid 1000 --disabled-password --gecos --quiet --shell /bin/bash scality
-
-# Set up environment variables and directories for scality user
-RUN mkdir ${CONF_DIR} && \
-    chown -R ${USER} ${CONF_DIR} && \
-    chown -R ${USER} ${DATA_DIR}
-
-# copy the mongo config file
-COPY /conf/mongod.conf /conf/mongod.conf
-COPY /conf/mongo-run.sh /conf/mongo-run.sh
-COPY /conf/initReplicaSet /conf/initReplicaSet.js
-
-EXPOSE 27017/tcp
-EXPOSE 27018
-
-# Set up CMD
-ENTRYPOINT ["bash", "/conf/mongo-run.sh"]
-CMD ["bash", "/conf/mongo-run.sh"]

.github/docker/mongodb/conf/initReplicaSet

@@ -1,4 +0,0 @@
-rs.initiate({
-    _id: "rs0",
-    members: [{ _id: 0, host: "127.0.0.1:27018" }]
-});

.github/docker/mongodb/conf/mongo-run.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-set -exo pipefail
-
-init_RS() {
-  sleep 5
-  mongo --port 27018 /conf/initReplicaSet.js
-}
-init_RS &
-
-mongod --bind_ip_all --config=/conf/mongod.conf

.github/docker/mongodb/conf/mongod.conf

@@ -1,15 +0,0 @@
-storage:
-   journal:
-      enabled: true
-   engine: wiredTiger
-   dbPath: "/data/db"
-processManagement:
-   fork: false
-net:
-   port: 27018
-   bindIp: 0.0.0.0
-replication:
-   replSetName: "rs0"
-   enableMajorityReadConcern: true
-security:
-    authorization: disabled

.github/docker/sproxyd/Dockerfile

@@ -1,3 +0,0 @@
-FROM ghcr.io/scality/federation/sproxyd:7.10.6.8
-ADD ./conf/supervisord.conf ./conf/nginx.conf ./conf/fastcgi_params ./conf/sproxyd0.conf /conf/
-RUN chown root:root /conf/sproxyd0.conf

.github/docker/sproxyd/conf/fastcgi_params

@@ -1,26 +0,0 @@
-fastcgi_param  QUERY_STRING       $query_string;
-fastcgi_param  REQUEST_METHOD     $request_method;
-fastcgi_param  CONTENT_TYPE       $content_type;
-fastcgi_param  CONTENT_LENGTH     $content_length;
-
-#fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
-fastcgi_param  SCRIPT_NAME        /var/www;
-fastcgi_param  PATH_INFO          $document_uri;
-
-fastcgi_param  REQUEST_URI        $request_uri;
-fastcgi_param  DOCUMENT_URI       $document_uri;
-fastcgi_param  DOCUMENT_ROOT      $document_root;
-fastcgi_param  SERVER_PROTOCOL    $server_protocol;
-fastcgi_param  HTTPS              $https if_not_empty;
-
-fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
-fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
-
-fastcgi_param  REMOTE_ADDR        $remote_addr;
-fastcgi_param  REMOTE_PORT        $remote_port;
-fastcgi_param  SERVER_ADDR        $server_addr;
-fastcgi_param  SERVER_PORT        $server_port;
-fastcgi_param  SERVER_NAME        $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param  REDIRECT_STATUS    200;

.github/docker/sproxyd/conf/nginx.conf

@@ -1,88 +0,0 @@
-worker_processes 1;
-error_log  /logs/error.log;
-user root root;
-events {
-    worker_connections  1000;
-    reuse_port on;
-    multi_accept on;
-}
-worker_rlimit_nofile    20000;
-http {
-    root /var/www/;
-    upstream sproxyds {
-        least_conn;
-        keepalive 40;
-        server 127.0.0.1:20000;
-    }
-    server {
-        client_max_body_size 0;
-        client_body_timeout 150;
-        client_header_timeout 150;
-        postpone_output 0;
-        client_body_postpone_size 0;
-        keepalive_requests 1100;
-        keepalive_timeout 300s;
-        server_tokens off;
-        default_type application/octet-stream;
-        gzip off;
-        tcp_nodelay on;
-        tcp_nopush  on;
-        sendfile on;
-        listen 81;
-        server_name localhost;
-        rewrite ^/arc/(.*)$ /dc1/$1 permanent;
-        location ~* ^/proxy/(.*)$ {
-            rewrite ^/proxy/(.*)$ /$1 last;
-        }
-        allow 127.0.0.1;
-
-        deny all;
-        set $usermd '-';
-        set $sentusermd '-';
-    	set $elapsed_ms '-';
-    	set $now '-';
-    	log_by_lua '
-    		if not(ngx.var.http_x_scal_usermd == nil) and  string.len(ngx.var.http_x_scal_usermd) > 2 then
-    			ngx.var.usermd = string.sub(ngx.decode_base64(ngx.var.http_x_scal_usermd),1,-3)
-    		end
-                    if not(ngx.var.sent_http_x_scal_usermd == nil) and string.len(ngx.var.sent_http_x_scal_usermd) > 2 then
-                            ngx.var.sentusermd = string.sub(ngx.decode_base64(ngx.var.sent_http_x_scal_usermd),1,-3)
-                    end
-    		local elapsed_ms = tonumber(ngx.var.request_time)
-    		if not (  elapsed_ms == nil) then
-    			elapsed_ms = elapsed_ms * 1000
-    			ngx.var.elapsed_ms = tostring(elapsed_ms)
-    		end
-    		local time = tonumber(ngx.var.msec) * 1000
-    		ngx.var.now = time
-    	';
-        log_format irm '{ "time":"$now","connection":"$connection","request":"$connection_requests","hrtime":"$msec",'
-                       '"httpMethod":"$request_method","httpURL":"$uri","elapsed_ms":$elapsed_ms,'
-                       '"httpCode":$status,"requestLength":$request_length,"bytesSent":$bytes_sent,'
-		       '"contentLength":"$content_length","sentContentLength":"$sent_http_content_length",'
-		       '"contentType":"$content_type","s3Address":"$remote_addr",'
-		       '"requestUserMd":"$usermd","responseUserMd":"$sentusermd",'
-                       '"ringKeyVersion":"$sent_http_x_scal_version","ringStatus":"$sent_http_x_scal_ring_status",'
-		       '"s3Port":"$remote_port","sproxydStatus":"$upstream_status","req_id":"$http_x_scal_request_uids",'
-		       '"ifMatch":"$http_if_match","ifNoneMatch":"$http_if_none_match",'
-                       '"range":"$http_range","contentRange":"$sent_http_content_range","nginxPID":$PID,'
-                       '"sproxydAddress":"$upstream_addr","sproxydResponseTime_s":"$upstream_response_time" }';
-        access_log /dev/stdout irm;
-    	error_log  /dev/stdout error;
-        location / {
-            proxy_request_buffering off;
-            fastcgi_request_buffering off;
-            fastcgi_no_cache 1;
-            fastcgi_cache_bypass 1;
-            fastcgi_buffering off;
-            fastcgi_ignore_client_abort on;
-            fastcgi_keep_conn on;
-            include fastcgi_params;
-            fastcgi_pass sproxyds;
-            fastcgi_next_upstream error timeout;
-            fastcgi_send_timeout 285s;
-            fastcgi_read_timeout 285s;
-        }
-    }
-}
-

.github/docker/sproxyd/conf/sproxyd0.conf

@@ -1,12 +0,0 @@
-{
-    "general": {
-        "ring": "DATA",
-        "port": 20000,
-        "syslog_facility": "local0"
-    },
-    "ring_driver:0": {
-        "alias": "dc1",
-        "type": "local",
-        "queue_path": "/tmp/ring-objs"
-    },
-}

.github/docker/sproxyd/conf/supervisord.conf

@@ -1,43 +0,0 @@
-[supervisord]
-nodaemon = true
-loglevel = info
-logfile  = %(ENV_LOG_DIR)s/supervisord.log
-pidfile  = %(ENV_SUP_RUN_DIR)s/supervisord.pid
-logfile_maxbytes = 20MB
-logfile_backups = 2
-
-[unix_http_server]
-file = %(ENV_SUP_RUN_DIR)s/supervisor.sock
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl = unix://%(ENV_SUP_RUN_DIR)s/supervisor.sock
-
-[program:nginx]
-directory=%(ENV_SUP_RUN_DIR)s
-command=bash -c "/usr/sbin/nginx -c %(ENV_CONF_DIR)s/nginx.conf -g 'daemon off;'"
-stdout_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s.log
-stderr_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s-stderr.log
-stdout_logfile_maxbytes=100MB
-stdout_logfile_backups=7
-stderr_logfile_maxbytes=100MB
-stderr_logfile_backups=7
-autorestart=true
-autostart=true
-user=root
-
-[program:sproxyd]
-directory=%(ENV_SUP_RUN_DIR)s
-process_name=%(program_name)s-%(process_num)s
-numprocs=1
-numprocs_start=0
-command=/usr/bin/sproxyd -dlw -V127 -c %(ENV_CONF_DIR)s/sproxyd%(process_num)s.conf -P /run%(process_num)s
-stdout_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s.log
-stdout_logfile_maxbytes=100MB
-stdout_logfile_backups=7
-redirect_stderr=true
-autorestart=true
-autostart=true
-user=root

.github/workflows/alerts.yaml

@@ -1,10 +1,7 @@
 name: Test alerts
 
 on:
-  push:
+  push
-    branches-ignore:
-      - 'development/**'
-      - 'q/*/**'
 
 jobs:
   run-alert-tests:
@@ -20,16 +17,13 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Render and test ${{ matrix.tests.name }}
-        uses: scality/action-prom-render-test@1.0.3
+        uses: scality/action-prom-render-test@1.0.1
         with:
           alert_file_path: monitoring/alerts.yaml
           test_file_path: ${{ matrix.tests.file }}
-          alert_inputs: |
+          alert_inputs: >-
-            namespace=zenko
+            namespace=zenko,service=artesca-data-connector-s3api-metrics,replicas=3
-            service=artesca-data-connector-s3api-metrics
-            reportJob=artesca-data-ops-report-handler
-            replicas=3
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql.yaml

@@ -3,7 +3,7 @@ name: codeQL
 
 on:
   push:
-    branches: [w/**, q/*]
+    branches: [development/*, stabilization/*, hotfix/*]
   pull_request:
     branches: [development/*, stabilization/*, hotfix/*]
   workflow_dispatch:
@@ -14,12 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v2
         with:
           languages: javascript, python, ruby
 
       - name: Build and analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v2

.github/workflows/dependency-review.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@v3

.github/workflows/release.yaml

@@ -1,6 +1,5 @@
 ---
 name: release
-run-name: release ${{ inputs.tag }}
 
 on:
   workflow_dispatch:
@@ -10,69 +9,58 @@ on:
         required: true
 
 env:
+  REGISTRY_NAME: registry.scality.com
   PROJECT_NAME: ${{ github.event.repository.name }}
 
 jobs:
   build-federation-image:
-    runs-on: ubuntu-20.04
+    uses: scality/workflows/.github/workflows/docker-build.yaml@v1
-    steps:
+    secrets: inherit
-      - name: Checkout
+    with:
-        uses: actions/checkout@v4
+      push: true
-      - name: Set up Docker Buildx
+      registry: registry.scality.com
-        uses: docker/setup-buildx-action@v3
+      namespace: ${{ github.event.repository.name }}
-      - name: Login to GitHub Registry
+      name: ${{ github.event.repository.name }}
-        uses: docker/login-action@v3
+      context: .
-        with:
+      file: images/svc-base/Dockerfile
-          registry: ghcr.io
+      tag: ${{ github.event.inputs.tag }}-svc-base
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
-      - name: Build and push image for federation
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .
-          file: images/svc-base/Dockerfile
-          tags: |
-            ghcr.io/${{ github.repository }}:${{ github.event.inputs.tag }}-svc-base
-          cache-from: type=gha,scope=federation
-          cache-to: type=gha,mode=max,scope=federation
 
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Set up Docker Buildk
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v1
 
       - name: Login to Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY_NAME }}
-          username: ${{ github.repository_owner }}
+          username: ${{ secrets.REGISTRY_LOGIN }}
-          password: ${{ github.token }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - name: Push dashboards into the production namespace
         run: |
-          oras push ghcr.io/${{ github.repository }}/${{ env.PROJECT_NAME }}-dashboards:${{ github.event.inputs.tag }} \
+          oras push ${{ env.REGISTRY_NAME }}/${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}-dashboards:${{ github.event.inputs.tag }} \
             dashboard.json:application/grafana-dashboard+json \
             alerts.yaml:application/prometheus-alerts+yaml
         working-directory: monitoring
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v2
         with:
           context: .
           push: true
-          tags: ghcr.io/${{ github.repository }}:${{ github.event.inputs.tag }}
+          tags: ${{ env.REGISTRY_NAME }}/${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}:${{ github.event.inputs.tag }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v1
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           name: Release ${{ github.event.inputs.tag }}
           tag_name: ${{ github.event.inputs.tag }}

.github/workflows/tests.yaml

@@ -2,8 +2,6 @@
 name: tests
 
 on:
-  workflow_dispatch:
-
   push:
     branches-ignore:
       - 'development/**'
@@ -67,24 +65,23 @@ env:
   ENABLE_LOCAL_CACHE: "true"
   REPORT_TOKEN: "report-token-1"
   REMOTE_MANAGEMENT_DISABLE: "1"
-  # https://github.com/git-lfs/git-lfs/issues/5749
+
-  GIT_CLONE_PROTECTION_ACTIVE: 'false'
 jobs:
   linting-coverage:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v2
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v2
       with:
         node-version: '16'
         cache: yarn
     - name: install dependencies
       run: yarn install --frozen-lockfile --network-concurrency 1
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.9'
-    - uses: actions/cache@v4
+    - uses: actions/cache@v2
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-pip
@@ -117,7 +114,7 @@ jobs:
         find . -name "*junit*.xml" -exec cp {} artifacts/junit/ ";"
       if: always()
     - name: Upload files to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v2
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -128,88 +125,61 @@ jobs:
 
   build:
     runs-on: ubuntu-20.04
-    permissions:
-      contents: read
-      packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v1.6.0
       - name: Login to GitHub Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1.10.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Registry
+        uses: docker/login-action@v1
+        with:
+          registry: registry.scality.com
+          username: ${{ secrets.REGISTRY_LOGIN }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
       - name: Build and push cloudserver image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v3
         with:
           push: true
           context: .
           provenance: false
           tags: |
-            ghcr.io/${{ github.repository }}:${{ github.sha }}
+            ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-          labels: |
+            registry.scality.com/cloudserver-dev/cloudserver:${{ github.sha }}
-            git.repository=${{ github.repository }}
-            git.commit-sha=${{ github.sha }}
           cache-from: type=gha,scope=cloudserver
           cache-to: type=gha,mode=max,scope=cloudserver
-      - name: Build and push pykmip image
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .github/pykmip
-          tags: |
-            ghcr.io/${{ github.repository }}/pykmip:${{ github.sha }}
-          labels: |
-            git.repository=${{ github.repository }}
-            git.commit-sha=${{ github.sha }}
-          cache-from: type=gha,scope=pykmip
-          cache-to: type=gha,mode=max,scope=pykmip
-      - name: Build and push MongoDB
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .github/docker/mongodb
-          tags: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
-          cache-from: type=gha,scope=mongodb
-          cache-to: type=gha,mode=max,scope=mongodb
 
   multiple-backend:
     runs-on: ubuntu-latest
     needs: build
     env:
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
       S3BACKEND: mem
       S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
       S3DATA: multiple
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
-    - name: Login to Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ github.token }}
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Setup CI services
-      run: docker compose --profile sproxyd up -d
+      run: docker compose up -d
       working-directory: .github/docker
     - name: Run multiple backend test
       run: |-
         set -o pipefail;
         bash wait_for_local_port.bash 8000 40
-        bash wait_for_local_port.bash 81 40
         yarn run multiple_backend_test | tee /tmp/artifacts/${{ github.job }}/tests.log
       env:
         S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -228,12 +198,11 @@ jobs:
       S3KMS: file
       S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
       DEFAULT_BUCKET_KEY_FORMAT: v0
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Setup CI services
@@ -247,7 +216,7 @@ jobs:
       env:
         S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -267,12 +236,11 @@ jobs:
       S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
       DEFAULT_BUCKET_KEY_FORMAT: v1
       METADATA_MAX_CACHED_BUCKETS: 1
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Setup CI services
@@ -287,7 +255,7 @@ jobs:
       env:
         S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -307,13 +275,12 @@ jobs:
     env:
       S3BACKEND: file
       S3VAULT: mem
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
       MPU_TESTING: "yes"
       JOB_NAME: ${{ matrix.job-name }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Setup matrix job artifacts directory
@@ -330,7 +297,7 @@ jobs:
         bash wait_for_local_port.bash 8000 40
         yarn run ft_test | tee /tmp/artifacts/${{ matrix.job-name }}/tests.log
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -344,14 +311,13 @@ jobs:
     needs: build
     env:
       ENABLE_UTAPI_V2: t
-      S3BACKEND: mem
+      S3BACKEND: mem 
       BUCKET_DENY_FILTER: utapi-event-filter-deny-bucket
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Setup CI services
@@ -363,51 +329,7 @@ jobs:
         bash wait_for_local_port.bash 8000 40
         yarn run test_utapi_v2 | tee /tmp/artifacts/${{ github.job }}/tests.log
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
-      with:
-        method: upload
-        url: https://artifacts.scality.net
-        user: ${{ secrets.ARTIFACTS_USER }}
-        password: ${{ secrets.ARTIFACTS_PASSWORD }}
-        source: /tmp/artifacts
-      if: always()
-
-  quota-tests:
-    runs-on: ubuntu-latest
-    needs: build
-    strategy:
-      matrix:
-        inflights:
-          - name: "With Inflights"
-            value: "true"
-          - name: "Without Inflights"
-            value: "false"
-    env:
-      S3METADATA: mongodb
-      S3BACKEND: mem
-      S3QUOTA: scuba
-      QUOTA_ENABLE_INFLIGHTS: ${{ matrix.inflights.value }}
-      SCUBA_HOST: localhost
-      SCUBA_PORT: 8100
-      SCUBA_HEALTHCHECK_FREQUENCY: 100
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
-      JOB_NAME: ${{ github.job }}
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Setup CI environment
-      uses: ./.github/actions/setup-ci
-    - name: Setup CI services
-      run: docker compose --profile mongo up -d
-      working-directory: .github/docker
-    - name: Run quota tests
-      run: |-
-        set -ex -o pipefail;
-        bash wait_for_local_port.bash 8000 40
-        yarn run test_quota | tee /tmp/artifacts/${{ github.job }}/tests.log
-    - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -423,13 +345,11 @@ jobs:
       S3BACKEND: file
       S3VAULT: mem
       MPU_TESTING: "yes" 
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      PYKMIP_IMAGE: ghcr.io/${{ github.repository }}/pykmip:${{ github.sha }}
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - name: Copy KMIP certs
@@ -445,7 +365,7 @@ jobs:
         bash wait_for_local_port.bash 5696 40
         yarn run ft_kmip | tee /tmp/artifacts/${{ github.job }}/tests.log
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net
@@ -453,7 +373,7 @@ jobs:
         password: ${{ secrets.ARTIFACTS_PASSWORD }}
         source: /tmp/artifacts
       if: always()
-
+  
   ceph-backend-test:
     runs-on: ubuntu-latest
     needs: build
@@ -464,26 +384,25 @@ jobs:
       CI_CEPH: 'true'
       MPU_TESTING: "yes" 
       S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigCeph.json
-      MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
-      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
       JOB_NAME: ${{ github.job }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Login to GitHub Registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@v1.10.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
-        password: ${{ github.token }}
+        password: ${{ secrets.GITHUB_TOKEN }}
     - name: Setup CI environment
       uses: ./.github/actions/setup-ci
     - uses: ruby/setup-ruby@v1
       with:
-        ruby-version: '2.5.9'
+        ruby-version: '2.5.0'
     - name: Install Ruby dependencies
       run: |
-        gem install nokogiri:1.12.5 excon:0.109.0 fog-aws:1.3.0 json mime-types:3.1 rspec:3.5
+        gem install nokogiri:1.12.5 fog-aws:1.3.0 json mime-types:3.1 rspec:3.5
     - name: Install Java dependencies
       run: |
         sudo apt-get update && sudo apt-get install -y --fix-missing default-jdk maven
@@ -510,7 +429,7 @@ jobs:
     - name: Run Ruby tests
       run: |-
         set -ex -o pipefail;
-        rspec -fd --backtrace tests.rb | tee /tmp/artifacts/${{ github.job }}/ruby-tests.log
+        rspec tests.rb | tee /tmp/artifacts/${{ github.job }}/ruby-tests.log
       working-directory: tests/functional/fog
     - name: Run Javascript AWS SDK tests
       run: |-
@@ -523,7 +442,7 @@ jobs:
         S3VAULT: mem
         S3METADATA: mongodb
     - name: Upload logs to artifacts
-      uses: scality/action-artifacts@v4
+      uses: scality/action-artifacts@v3
       with:
         method: upload
         url: https://artifacts.scality.net

Dockerfile

@@ -1,4 +1,4 @@
-ARG NODE_VERSION=16.20-bullseye-slim
+ARG NODE_VERSION=16.17.1-bullseye-slim
 
 FROM node:${NODE_VERSION} as builder
 
@@ -23,7 +23,6 @@ RUN apt-get update \
 
 ENV PYTHON=python3
 COPY package.json yarn.lock /usr/src/app/
-RUN npm install typescript -g
 RUN yarn install --production --ignore-optional --frozen-lockfile --ignore-engines --network-concurrency 1
 
 ################################################################################
@@ -43,7 +42,6 @@ EXPOSE 8002
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         jq \
-        tini \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /usr/src/app
@@ -55,6 +53,6 @@ COPY --from=builder /usr/src/app/node_modules ./node_modules/
 
 VOLUME ["/usr/src/app/localData","/usr/src/app/localMetadata"]
 
-ENTRYPOINT ["tini", "--", "/usr/src/app/docker-entrypoint.sh"]
+ENTRYPOINT ["/usr/src/app/docker-entrypoint.sh"]
 
 CMD [ "yarn", "start" ]

README.md

@@ -1,7 +1,10 @@
-# Zenko CloudServer with Vitastor Backend
+# Zenko CloudServer
 
 ![Zenko CloudServer logo](res/scality-cloudserver-logo.png)
 
+[![Docker Pulls][badgedocker]](https://hub.docker.com/r/zenko/cloudserver)
+[![Docker Pulls][badgetwitter]](https://twitter.com/zenko)
+
 ## Overview
 
 CloudServer (formerly S3 Server) is an open-source Amazon S3-compatible
@@ -11,71 +14,137 @@ Scality’s Open Source Multi-Cloud Data Controller.
 CloudServer provides a single AWS S3 API interface to access multiple
 backend data storage both on-premise or public in the cloud.
 
-This repository contains a fork of CloudServer with [Vitastor](https://git.yourcmc.ru/vitalif/vitastor)
+CloudServer is useful for Developers, either to run as part of a
-backend support.
+continous integration test environment to emulate the AWS S3 service locally
+or as an abstraction layer to develop object storage enabled
+application on the go.
 
-## Quick Start with Vitastor
+## Learn more at [www.zenko.io/cloudserver](https://www.zenko.io/cloudserver/)
 
-Vitastor Backend is in experimental status, however you can already try to
+## [May I offer you some lovely documentation?](http://s3-server.readthedocs.io/en/latest/)
-run it and write or read something, or even mount it with [GeeseFS](https://github.com/yandex-cloud/geesefs),
-it works too 😊.
 
-Installation instructions:
+## Docker
 
-### Install Vitastor
+[Run your Zenko CloudServer with Docker](https://hub.docker.com/r/zenko/cloudserver/)
 
-Refer to [Vitastor Quick Start Manual](https://git.yourcmc.ru/vitalif/vitastor/src/branch/master/docs/intro/quickstart.en.md).
+## Contributing
 
-### Install Zenko with Vitastor Backend
+In order to contribute, please follow the
+[Contributing Guidelines](
+https://github.com/scality/Guidelines/blob/master/CONTRIBUTING.md).
 
-- Clone this repository: `git clone https://git.yourcmc.ru/vitalif/zenko-cloudserver-vitastor`
+## Installation
-- Install dependencies: `npm install --omit dev` or just `npm install`
-- Clone Vitastor repository: `git clone https://git.yourcmc.ru/vitalif/vitastor`
-- Build Vitastor node.js binding by running `npm install` in `node-binding` subdirectory of Vitastor repository.
-  You need `node-gyp` and `vitastor-client-dev` (Vitastor client library) for it to succeed.
-- Symlink Vitastor module to Zenko: `ln -s /path/to/vitastor/node-binding /path/to/zenko/node_modules/vitastor`
 
-### Install and Configure MongoDB
+### Dependencies
 
-Refer to [MongoDB Manual](https://www.mongodb.com/docs/manual/installation/).
+Building and running the Zenko CloudServer requires node.js 10.x and yarn v1.17.x
+. Up-to-date versions can be found at
+[Nodesource](https://github.com/nodesource/distributions).
 
-### Setup Zenko
+### Clone source code
 
-- Create a separate pool for S3 object data in your Vitastor cluster: `vitastor-cli create-pool s3-data`
+```shell
-- Retrieve ID of the new pool from `vitastor-cli ls-pools --detail s3-data`
+git clone https://github.com/scality/S3.git
-- In another pool, create an image for storing Vitastor volume metadata: `vitastor-cli create -s 10G s3-volume-meta`
-- Copy `config.json.vitastor` to `config.json`, adjust it to match your domain
-- Copy `authdata.json.example` to `authdata.json` - this is where you set S3 access & secret keys,
-  and also adjust them if you want to. Scality seems to use a separate auth service "Scality Vault" for
-  access keys, but it's not published, so let's use a file for now.
-- Copy `locationConfig.json.vitastor` to `locationConfig.json` - this is where you set Vitastor cluster access data.
-  You should put correct values for `pool_id` (pool ID from the second step) and `metadata_image` (from the third step)
-  in this file.
-
-Note: `locationConfig.json` in this version corresponds to storage classes (like STANDARD, COLD, etc)
-instead of "locations" (zones like us-east-1) as it was in original Zenko CloudServer.
-
-### Start Zenko
-
-Start the S3 server with: `node index.js`
-
-If you use default settings, Zenko CloudServer starts on port 8000.
-The default access key is `accessKey1` with a secret key of `verySecretKey1`.
-
-Now you can access your S3 with `s3cmd` or `geesefs`:
-
-```
-s3cmd --access_key=accessKey1 --secret_key=verySecretKey1 --host=http://localhost:8000 mb s3://testbucket
 ```
 
-```
+### Install js dependencies
-AWS_ACCESS_KEY_ID=accessKey1 \
+
-    AWS_SECRET_ACCESS_KEY=verySecretKey1 \
+Go to the ./S3 folder,
-    geesefs --endpoint http://localhost:8000 testbucket mountdir
+
+```shell
+yarn install --frozen-lockfile
 ```
 
-# Author & License
+If you get an error regarding installation of the diskUsage module,
+please install g++.
 
-- [Zenko CloudServer](https://s3-server.readthedocs.io/en/latest/) author is Scality, licensed under [Apache License, version 2.0](https://www.apache.org/licenses/LICENSE-2.0)
+If you get an error regarding level-down bindings, try clearing your yarn cache:
-- [Vitastor](https://git.yourcmc.ru/vitalif/vitastor/) and Zenko Vitastor backend author is Vitaliy Filippov, licensed under [VNPL-1.1](https://git.yourcmc.ru/vitalif/vitastor/src/branch/master/VNPL-1.1.txt)
+
-  (a "network copyleft" license based on AGPL/SSPL, but worded in a better way)
+```shell
+yarn cache clean
+```
+
+## Run it with a file backend
+
+```shell
+yarn start
+```
+
+This starts a Zenko CloudServer on port 8000. Two additional ports 9990 and
+9991 are also open locally for internal transfer of metadata and data,
+respectively.
+
+The default access key is accessKey1 with
+a secret key of verySecretKey1.
+
+By default the metadata files will be saved in the
+localMetadata directory and the data files will be saved
+in the localData directory within the ./S3 directory on your
+machine.  These directories have been pre-created within the
+repository.  If you would like to save the data or metadata in
+different locations of your choice, you must specify them with absolute paths.
+So, when starting the server:
+
+```shell
+mkdir -m 700 $(pwd)/myFavoriteDataPath
+mkdir -m 700 $(pwd)/myFavoriteMetadataPath
+export S3DATAPATH="$(pwd)/myFavoriteDataPath"
+export S3METADATAPATH="$(pwd)/myFavoriteMetadataPath"
+yarn start
+```
+
+## Run it with multiple data backends
+
+```shell
+export S3DATA='multiple'
+yarn start
+```
+
+This starts a Zenko CloudServer on port 8000.
+The default access key is accessKey1 with
+a secret key of verySecretKey1.
+
+With multiple backends, you have the ability to
+choose where each object will be saved by setting
+the following header with a locationConstraint on
+a PUT request:
+
+```shell
+'x-amz-meta-scal-location-constraint':'myLocationConstraint'
+```
+
+If no header is sent with a PUT object request, the
+location constraint of the bucket will determine
+where the data is saved. If the bucket has no location
+constraint, the endpoint of the PUT request will be
+used to determine location.
+
+See the Configuration section in our documentation
+[here](http://s3-server.readthedocs.io/en/latest/GETTING_STARTED/#configuration)
+to learn how to set location constraints.
+
+## Run it with an in-memory backend
+
+```shell
+yarn run mem_backend
+```
+
+This starts a Zenko CloudServer on port 8000.
+The default access key is accessKey1 with
+a secret key of verySecretKey1.
+
+## Run it with Vault user management
+
+Note: Vault is proprietary and must be accessed separately.
+
+```shell
+export S3VAULT=vault
+yarn start
+```
+
+This starts a Zenko CloudServer using Vault for user management.
+
+[badgetwitter]: https://img.shields.io/twitter/follow/zenko.svg?style=social&label=Follow
+[badgedocker]: https://img.shields.io/docker/pulls/scality/s3server.svg
+[badgepub]: https://circleci.com/gh/scality/S3.svg?style=svg
+[badgepriv]: http://ci.ironmann.io/gh/scality/S3.svg?style=svg&circle-token=1f105b7518b53853b5b7cf72302a3f75d8c598ae

bin/metrics_server.js

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+'use strict'; // eslint-disable-line strict
+
+const {
+    startWSManagementClient,
+    startPushConnectionHealthCheckServer,
+} = require('../lib/management/push');
+
+const logger = require('../lib/utilities/logger');
+
+const {
+    PUSH_ENDPOINT: pushEndpoint,
+    INSTANCE_ID: instanceId,
+    MANAGEMENT_TOKEN: managementToken,
+} = process.env;
+
+if (!pushEndpoint) {
+    logger.error('missing push endpoint env var');
+    process.exit(1);
+}
+
+if (!instanceId) {
+    logger.error('missing instance id env var');
+    process.exit(1);
+}
+
+if (!managementToken) {
+    logger.error('missing management token env var');
+    process.exit(1);
+}
+
+startPushConnectionHealthCheckServer(err => {
+    if (err) {
+        logger.error('could not start healthcheck server', { error: err });
+        process.exit(1);
+    }
+    const url = `${pushEndpoint}/${instanceId}/ws?metrics=1`;
+    startWSManagementClient(url, managementToken, err => {
+        if (err) {
+            logger.error('connection failed, exiting', { error: err });
+            process.exit(1);
+        }
+        logger.info('no more connection, exiting');
+        process.exit(0);
+    });
+});

bin/secure_channel_proxy.js

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+'use strict'; // eslint-disable-line strict
+
+const {
+    startWSManagementClient,
+    startPushConnectionHealthCheckServer,
+} = require('../lib/management/push');
+
+const logger = require('../lib/utilities/logger');
+
+const {
+    PUSH_ENDPOINT: pushEndpoint,
+    INSTANCE_ID: instanceId,
+    MANAGEMENT_TOKEN: managementToken,
+} = process.env;
+
+if (!pushEndpoint) {
+    logger.error('missing push endpoint env var');
+    process.exit(1);
+}
+
+if (!instanceId) {
+    logger.error('missing instance id env var');
+    process.exit(1);
+}
+
+if (!managementToken) {
+    logger.error('missing management token env var');
+    process.exit(1);
+}
+
+startPushConnectionHealthCheckServer(err => {
+    if (err) {
+        logger.error('could not start healthcheck server', { error: err });
+        process.exit(1);
+    }
+    const url = `${pushEndpoint}/${instanceId}/ws?proxy=1`;
+    startWSManagementClient(url, managementToken, err => {
+        if (err) {
+            logger.error('connection failed, exiting', { error: err });
+            process.exit(1);
+        }
+        logger.info('no more connection, exiting');
+        process.exit(0);
+    });
+});

config.json

@@ -4,7 +4,6 @@
     "metricsPort": 8002,
     "metricsListenOn": [],
     "replicationGroupId": "RG001",
-    "workers": 4,
     "restEndpoints": {
         "localhost": "us-east-1",
         "127.0.0.1": "us-east-1",
@@ -102,14 +101,6 @@
         "readPreference": "primary",
         "database": "metadata"
     },
-    "authdata": "authdata.json",
-    "backends": {
-        "auth": "file",
-        "data": "file",
-        "metadata": "mongodb",
-        "kms": "file",
-        "quota": "none"
-    },
     "externalBackends": {
         "aws_s3": {
             "httpAgent": {

config.json.vitastor

@@ -1,71 +0,0 @@
-{
-    "port": 8000,
-    "listenOn": [],
-    "metricsPort": 8002,
-    "metricsListenOn": [],
-    "replicationGroupId": "RG001",
-    "restEndpoints": {
-        "localhost": "STANDARD",
-        "127.0.0.1": "STANDARD",
-        "yourhostname.ru": "STANDARD"
-    },
-    "websiteEndpoints": [
-        "static.yourhostname.ru"
-    ],
-    "replicationEndpoints": [ {
-        "site": "zenko",
-        "servers": ["127.0.0.1:8000"],
-        "default": true
-    } ],
-    "log": {
-        "logLevel": "info",
-        "dumpLevel": "error"
-    },
-    "healthChecks": {
-        "allowFrom": ["127.0.0.1/8", "::1"]
-    },
-    "backends": {
-        "metadata": "mongodb"
-    },
-    "mongodb": {
-        "replicaSetHosts": "127.0.0.1:27017",
-        "writeConcern": "majority",
-        "replicaSet": "rs0",
-        "readPreference": "primary",
-        "database": "s3",
-        "authCredentials": {
-            "username": "s3",
-            "password": ""
-        }
-    },
-    "externalBackends": {
-        "aws_s3": {
-            "httpAgent": {
-                "keepAlive": false,
-                "keepAliveMsecs": 1000,
-                "maxFreeSockets": 256,
-                "maxSockets": null
-            }
-        },
-        "gcp": {
-            "httpAgent": {
-                "keepAlive": true,
-                "keepAliveMsecs": 1000,
-                "maxFreeSockets": 256,
-                "maxSockets": null
-            }
-        }
-    },
-    "requests": {
-        "viaProxy": false,
-        "trustedProxyCIDRs": [],
-        "extractClientIPFromHeader": ""
-    },
-    "bucketNotificationDestinations": [
-        {
-            "resource": "target1",
-            "type": "dummy",
-            "host": "localhost:6000"
-        }
-    ]
-}

constants.js

@@ -116,7 +116,7 @@ const constants = {
     ],
 
     // user metadata header to set object locationConstraint
-    objectLocationConstraintHeader: 'x-amz-storage-class',
+    objectLocationConstraintHeader: 'x-amz-meta-scal-location-constraint',
     lastModifiedHeader: 'x-amz-meta-x-scal-last-modified',
     legacyLocations: ['sproxyd', 'legacy'],
     // declare here all existing service accounts and their properties
@@ -130,7 +130,7 @@ const constants = {
         },
     },
     /* eslint-disable camelcase */
-    externalBackends: { aws_s3: true, azure: true, gcp: true, pfs: true, dmf: true, azure_archive: true },
+    externalBackends: { aws_s3: true, azure: true, gcp: true, pfs: true, dmf: true },
     // some of the available data backends  (if called directly rather
     // than through the multiple backend gateway) need a key provided
     // as a string as first parameter of the get/delete methods.
@@ -205,6 +205,9 @@ const constants = {
     ],
     allowedUtapiEventFilterStates: ['allow', 'deny'],
     allowedRestoreObjectRequestTierValues: ['Standard'],
+    validStorageClasses: [
+        'STANDARD',
+    ],
     lifecycleListing: {
         CURRENT_TYPE: 'current',
         NON_CURRENT_TYPE: 'noncurrent',
@@ -217,7 +220,6 @@ const constants = {
         'owner-id',
         'versionId',
         'isNull',
-        'isDeleteMarker',
     ],
     unsupportedSignatureChecksums: new Set([
         'STREAMING-UNSIGNED-PAYLOAD-TRAILER',
@@ -229,20 +231,6 @@ const constants = {
         'UNSIGNED-PAYLOAD',
         'STREAMING-AWS4-HMAC-SHA256-PAYLOAD',
     ]),
-    ipv4Regex: /^(\d{1,3}\.){3}\d{1,3}(\/(3[0-2]|[12]?\d))?$/,
-    ipv6Regex: /^([\da-f]{1,4}:){7}[\da-f]{1,4}$/i,
-    // The AWS assumed Role resource type
-    assumedRoleArnResourceType: 'assumed-role',
-    // Session name of the backbeat lifecycle assumed role session.
-    backbeatLifecycleSessionName: 'backbeat-lifecycle',
-    actionsToConsiderAsObjectPut: [
-        'initiateMultipartUpload',
-        'objectPutPart',
-        'completeMultipartUpload',
-    ],
-    // if requester is not bucket owner, bucket policy actions should be denied with
-    // MethodNotAllowed error
-    onlyOwnerAllowed: ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'],
 };
 
 module.exports = constants;

docs/RELEASE.md

@@ -2,12 +2,11 @@
 
 ## Docker Image Generation
 
-Docker images are hosted on [ghcri.io](https://github.com/orgs/scality/packages).
+Docker images are hosted on [registry.scality.com](registry.scality.com).
-CloudServer has a few images there:
+CloudServer has two namespaces there:
 
-* Cloudserver container image: ghcr.io/scality/cloudserver
+* Production Namespace: registry.scality.com/cloudserver
-* Dashboard oras image: ghcr.io/scality/cloudserver/cloudser-dashboard
+* Dev Namespace: registry.scality.com/cloudserver-dev
-* Policies oras image: ghcr.io/scality/cloudserver/cloudser-dashboard
 
 With every CI build, the CI will push images, tagging the
 content with the developer branch's short SHA-1 commit hash.
@@ -19,8 +18,8 @@ Tagged versions of cloudserver will be stored in the production namespace.
 ## How to Pull Docker Images
 
 ```sh
-docker pull ghcr.io/scality/cloudserver:<commit hash>
+docker pull registry.scality.com/cloudserver-dev/cloudserver:<commit hash>
-docker pull ghcr.io/scality/cloudserver:<tag>
+docker pull registry.scality.com/cloudserver/cloudserver:<tag>
 ```
 
 ## Release Process

images/svc-base/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/scality/federation/nodesvc-base:7.10.6.0
+FROM registry.scality.com/federation/nodesvc-base:7.10.6.0
 
 ENV S3_CONFIG_FILE=${CONF_DIR}/config.json
 ENV S3_LOCATION_FILE=${CONF_DIR}/locationConfig.json
@@ -14,10 +14,8 @@ RUN rm -f ~/.gitconfig && \
     git config --global --add safe.directory . && \
     git lfs install && \
     GIT_LFS_SKIP_SMUDGE=1 && \
-    yarn global add typescript && \
     yarn install --frozen-lockfile --production --network-concurrency 1 && \
-    yarn cache clean --all && \
+    yarn cache clean --all
-    yarn global remove typescript
 
 # run symlinking separately to avoid yarn installation errors
 # we might have to check if the symlinking is really needed!

index.js

@@ -1,10 +1,10 @@
 'use strict'; // eslint-disable-line strict
 
-require('werelogs').stderrUtils.catchAndTimestampStderr(
+/**
-    undefined,
+ * Catch uncaught exceptions and add timestamp to aid debugging
-    // Do not exit as workers have their own listener that will exit
+ */
-    // But primary don't have another listener
+process.on('uncaughtException', err => {
-    require('cluster').isPrimary ? 1 : null,
+    process.stderr.write(`${new Date().toISOString()}: Uncaught exception: \n${err.stack}`);
-);
+});
 
 require('./lib/server.js')();

lib/Config.js

@@ -8,17 +8,15 @@ const crypto = require('crypto');
 const { v4: uuidv4 } = require('uuid');
 const cronParser = require('cron-parser');
 const joi = require('@hapi/joi');
-const { s3routes, auth: arsenalAuth, s3middleware } = require('arsenal');
+
-const { isValidBucketName } = s3routes.routesUtils;
+const { isValidBucketName } = require('arsenal').s3routes.routesUtils;
-const validateAuthConfig = arsenalAuth.inMemory.validateAuthConfig;
+const validateAuthConfig = require('arsenal').auth.inMemory.validateAuthConfig;
 const { buildAuthDataAccount } = require('./auth/in_memory/builder');
 const validExternalBackends = require('../constants').externalBackends;
 const { azureAccountNameRegex, base64Regex,
     allowedUtapiEventFilterFields, allowedUtapiEventFilterStates,
 } = require('../constants');
 const { utapiVersion } = require('utapi');
-const { scaleMsPerDay } = s3middleware.objectUtils;
-
 const constants = require('../constants');
 
 // config paths
@@ -107,47 +105,6 @@ function parseSproxydConfig(configSproxyd) {
     return joi.attempt(configSproxyd, joiSchema, 'bad config');
 }
 
-function parseRedisConfig(redisConfig) {
-    const joiSchema = joi.object({
-        password: joi.string().allow(''),
-        host: joi.string(),
-        port: joi.number(),
-        retry: joi.object({
-            connectBackoff: joi.object({
-                min: joi.number().required(),
-                max: joi.number().required(),
-                jitter: joi.number().required(),
-                factor: joi.number().required(),
-                deadline: joi.number().required(),
-            }),
-        }),
-        // sentinel config
-        sentinels: joi.alternatives().try(
-            joi.string()
-                .pattern(/^[a-zA-Z0-9.-]+:[0-9]+(,[a-zA-Z0-9.-]+:[0-9]+)*$/)
-                .custom(hosts => hosts.split(',').map(item => {
-                    const [host, port] = item.split(':');
-                    return { host, port: Number.parseInt(port, 10) };
-                })),
-            joi.array().items(
-                joi.object({
-                    host: joi.string().required(),
-                    port: joi.number().required(),
-                })
-            ).min(1),
-        ),
-        name: joi.string(),
-        sentinelPassword: joi.string().allow(''),
-    })
-          .and('host', 'port')
-          .and('sentinels', 'name')
-          .xor('host', 'sentinels')
-          .without('sentinels', ['host', 'port'])
-          .without('host', ['sentinels', 'sentinelPassword']);
-
-    return joi.attempt(redisConfig, joiSchema, 'bad config');
-}
-
 function restEndpointsAssert(restEndpoints, locationConstraints) {
     assert(typeof restEndpoints === 'object',
         'bad config: restEndpoints must be an object of endpoints');
@@ -280,60 +237,6 @@ function hdClientLocationConstraintAssert(configHd) {
     return hdclientFields;
 }
 
-function azureArchiveLocationConstraintAssert(locationObj) {
-    const checkedFields = [
-        'azureContainerName',
-        'azureStorageEndpoint',
-    ];
-    if (Object.keys(locationObj.details).length === 0 ||
-        !checkedFields.every(field => field in locationObj.details)) {
-        return;
-    }
-    const {
-        azureContainerName,
-        azureStorageEndpoint,
-    } = locationObj.details;
-    const stringFields = [
-        azureContainerName,
-        azureStorageEndpoint,
-    ];
-    stringFields.forEach(field => {
-        assert(typeof field === 'string',
-            `bad config: ${field} must be a string`);
-    });
-
-    let hasAuthMethod = false;
-    if (locationObj.details.sasToken !== undefined) {
-        assert(typeof locationObj.details.sasToken === 'string',
-            `bad config: ${locationObj.details.sasToken} must be a string`);
-        hasAuthMethod = true;
-    }
-
-    if (locationObj.details.azureStorageAccountName !== undefined &&
-        locationObj.details.azureStorageAccessKey !== undefined) {
-        assert(typeof locationObj.details.azureStorageAccountName === 'string',
-            `bad config: ${locationObj.details.azureStorageAccountName} must be a string`);
-        assert(typeof locationObj.details.azureStorageAccessKey === 'string',
-            `bad config: ${locationObj.details.azureStorageAccessKey} must be a string`);
-        assert(!hasAuthMethod, 'Multiple authentication methods are not allowed');
-        hasAuthMethod = true;
-    }
-
-    if (locationObj.details.tenantId !== undefined &&
-        locationObj.details.clientId !== undefined &&
-        locationObj.details.clientKey !== undefined) {
-        assert(typeof locationObj.details.tenantId === 'string',
-            `bad config: ${locationObj.details.tenantId} must be a string`);
-        assert(typeof locationObj.details.clientId === 'string',
-            `bad config: ${locationObj.details.clientId} must be a string`);
-        assert(typeof locationObj.details.clientKey === 'string',
-            `bad config: ${locationObj.details.clientKey} must be a string`);
-        assert(!hasAuthMethod, 'Multiple authentication methods are not allowed');
-        hasAuthMethod = true;
-    }
-    assert(hasAuthMethod, 'Missing authentication method');
-}
-
 function dmfLocationConstraintAssert(locationObj) {
     const checkedFields = [
         'endpoint',
@@ -377,7 +280,7 @@ function dmfLocationConstraintAssert(locationObj) {
 function locationConstraintAssert(locationConstraints) {
     const supportedBackends =
           ['mem', 'file', 'scality',
-           'mongodb', 'dmf', 'azure_archive', 'vitastor'].concat(Object.keys(validExternalBackends));
+           'mongodb', 'dmf'].concat(Object.keys(validExternalBackends));
     assert(typeof locationConstraints === 'object',
         'bad config: locationConstraints must be an object');
     Object.keys(locationConstraints).forEach(l => {
@@ -488,9 +391,6 @@ function locationConstraintAssert(locationConstraints) {
         if (locationConstraints[l].type === 'dmf') {
             dmfLocationConstraintAssert(locationConstraints[l]);
         }
-        if (locationConstraints[l].type === 'azure_archive') {
-            azureArchiveLocationConstraintAssert(locationConstraints[l]);
-        }
         if (locationConstraints[l].type === 'pfs') {
             assert(typeof details.pfsDaemonEndpoint === 'object',
             'bad config: pfsDaemonEndpoint is mandatory and must be an object');
@@ -502,23 +402,27 @@ function locationConstraintAssert(locationConstraints) {
                 locationConstraints[l].details.connector.hdclient);
         }
     });
+    assert(Object.keys(locationConstraints)
+        .includes('us-east-1'), 'bad locationConfig: must ' +
+        'include us-east-1 as a locationConstraint');
 }
 
 function parseUtapiReindex(config) {
     const {
         enabled,
         schedule,
-        redis,
+        sentinel,
         bucketd,
         onlyCountLatestWhenObjectLocked,
     } = config;
     assert(typeof enabled === 'boolean',
-           'bad config: utapi.reindex.enabled must be a boolean');
+        'bad config: utapi.reindex.enabled must be a boolean');
-
+    assert(typeof sentinel === 'object',
-    const parsedRedis = parseRedisConfig(redis);
+        'bad config: utapi.reindex.sentinel must be an object');
-    assert(Array.isArray(parsedRedis.sentinels),
+    assert(typeof sentinel.port === 'number',
-           'bad config: utapi reindex redis config requires a list of sentinels');
+        'bad config: utapi.reindex.sentinel.port must be a number');
-
+    assert(typeof sentinel.name === 'string',
+        'bad config: utapi.reindex.sentinel.name must be a string');
     assert(typeof bucketd === 'object',
         'bad config: utapi.reindex.bucketd must be an object');
     assert(typeof bucketd.port === 'number',
@@ -536,13 +440,6 @@ function parseUtapiReindex(config) {
             'bad config: utapi.reindex.schedule must be a valid ' +
             `cron schedule. ${e.message}.`);
     }
-    return {
-        enabled,
-        schedule,
-        redis: parsedRedis,
-        bucketd,
-        onlyCountLatestWhenObjectLocked,
-    };
 }
 
 function requestsConfigAssert(requestsConfig) {
@@ -630,6 +527,7 @@ class Config extends EventEmitter {
         // Read config automatically
         this._getLocationConfig();
         this._getConfig();
+        this._configureBackends();
     }
 
     _getLocationConfig() {
@@ -841,11 +739,11 @@ class Config extends EventEmitter {
             this.websiteEndpoints = config.websiteEndpoints;
         }
 
-        this.workers = false;
+        this.clusters = false;
-        if (config.workers !== undefined) {
+        if (config.clusters !== undefined) {
-            assert(Number.isInteger(config.workers) && config.workers > 0,
+            assert(Number.isInteger(config.clusters) && config.clusters > 0,
-                   'bad config: workers must be a positive integer');
+                   'bad config: clusters must be a positive integer');
-            this.workers = config.workers;
+            this.clusters = config.clusters;
         }
 
         if (config.usEastBehavior !== undefined) {
@@ -1083,7 +981,8 @@ class Config extends EventEmitter {
                 assert(typeof config.localCache.port === 'number',
                       'config: bad port for localCache. port must be a number');
                 if (config.localCache.password !== undefined) {
-                    assert(typeof config.localCache.password === 'string',
+                    assert(
+                        this._verifyRedisPassword(config.localCache.password),
                         'config: vad password for localCache. password must' +
                     ' be a string');
                 }
@@ -1109,46 +1008,56 @@ class Config extends EventEmitter {
         }
 
         if (config.redis) {
-            this.redis = parseRedisConfig(config.redis);
+            if (config.redis.sentinels) {
-        }
+                this.redis = { sentinels: [], name: null };
-        if (config.scuba) {
+
-            this.scuba = {};
+                assert(typeof config.redis.name === 'string',
-            if (config.scuba.host) {
+                    'bad config: redis sentinel name must be a string');
-                assert(typeof config.scuba.host === 'string',
+                this.redis.name = config.redis.name;
-                    'bad config: scuba host must be a string');
+                assert(Array.isArray(config.redis.sentinels) ||
-                this.scuba.host = config.scuba.host;
+                    typeof config.redis.sentinels === 'string',
+                    'bad config: redis sentinels must be an array or string');
+
+                if (typeof config.redis.sentinels === 'string') {
+                    config.redis.sentinels.split(',').forEach(item => {
+                        const [host, port] = item.split(':');
+                        this.redis.sentinels.push({ host,
+                            port: Number.parseInt(port, 10) });
+                    });
+                } else if (Array.isArray(config.redis.sentinels)) {
+                    config.redis.sentinels.forEach(item => {
+                        const { host, port } = item;
+                        assert(typeof host === 'string',
+                            'bad config: redis sentinel host must be a string');
+                        assert(typeof port === 'number',
+                            'bad config: redis sentinel port must be a number');
+                        this.redis.sentinels.push({ host, port });
+                    });
+                }
+
+                if (config.redis.sentinelPassword !== undefined) {
+                    assert(
+                    this._verifyRedisPassword(config.redis.sentinelPassword));
+                    this.redis.sentinelPassword = config.redis.sentinelPassword;
+                }
+            } else {
+                // check for standalone configuration
+                this.redis = {};
+                assert(typeof config.redis.host === 'string',
+                    'bad config: redis.host must be a string');
+                assert(typeof config.redis.port === 'number',
+                    'bad config: redis.port must be a number');
+                this.redis.host = config.redis.host;
+                this.redis.port = config.redis.port;
             }
-            if (config.scuba.port) {
+            if (config.redis.password !== undefined) {
-                assert(Number.isInteger(config.scuba.port)
+                assert(
-                    && config.scuba.port > 0,
+                    this._verifyRedisPassword(config.redis.password),
-                    'bad config: scuba port must be a positive integer');
+                    'bad config: invalid password for redis. password must ' +
-                this.scuba.port = config.scuba.port;
+                    'be a string');
+                this.redis.password = config.redis.password;
             }
         }
-        if (process.env.SCUBA_HOST && process.env.SCUBA_PORT) {
-            assert(typeof process.env.SCUBA_HOST === 'string',
-                'bad config: scuba host must be a string');
-            assert(Number.isInteger(Number(process.env.SCUBA_PORT))
-                && Number(process.env.SCUBA_PORT) > 0,
-                'bad config: scuba port must be a positive integer');
-            this.scuba = {
-                host: process.env.SCUBA_HOST,
-                port: Number(process.env.SCUBA_PORT),
-            };
-        }
-        if (this.scuba) {
-            this.quotaEnabled = true;
-        }
-        const maxStaleness = Number(process.env.QUOTA_MAX_STALENESS_MS) ||
-            config.quota?.maxStatenessMS ||
-            24 * 60 * 60 * 1000;
-        assert(Number.isInteger(maxStaleness), 'bad config: maxStalenessMS must be an integer');
-        const enableInflights = process.env.QUOTA_ENABLE_INFLIGHTS === 'true' ||
-            config.quota?.enableInflights || false;
-        this.quota = {
-            maxStaleness,
-            enableInflights,
-        };
         if (config.utapi) {
             this.utapi = { component: 's3' };
             if (config.utapi.host) {
@@ -1177,8 +1086,50 @@ class Config extends EventEmitter {
                 assert(config.redis, 'missing required property of utapi ' +
                     'configuration: redis');
                 if (config.utapi.redis) {
-                    this.utapi.redis = parseRedisConfig(config.utapi.redis);
+                    if (config.utapi.redis.sentinels) {
-                    if (this.utapi.redis.retry === undefined) {
+                        this.utapi.redis = { sentinels: [], name: null };
+
+                        assert(typeof config.utapi.redis.name === 'string',
+                            'bad config: redis sentinel name must be a string');
+                        this.utapi.redis.name = config.utapi.redis.name;
+
+                        assert(Array.isArray(config.utapi.redis.sentinels),
+                            'bad config: redis sentinels must be an array');
+                        config.utapi.redis.sentinels.forEach(item => {
+                            const { host, port } = item;
+                            assert(typeof host === 'string',
+                                'bad config: redis sentinel host must be a string');
+                            assert(typeof port === 'number',
+                                'bad config: redis sentinel port must be a number');
+                            this.utapi.redis.sentinels.push({ host, port });
+                        });
+                    } else {
+                        // check for standalone configuration
+                        this.utapi.redis = {};
+                        assert(typeof config.utapi.redis.host === 'string',
+                            'bad config: redis.host must be a string');
+                        assert(typeof config.utapi.redis.port === 'number',
+                            'bad config: redis.port must be a number');
+                        this.utapi.redis.host = config.utapi.redis.host;
+                        this.utapi.redis.port = config.utapi.redis.port;
+                    }
+                    if (config.utapi.redis.retry !== undefined) {
+                        if (config.utapi.redis.retry.connectBackoff !== undefined) {
+                            const { min, max, jitter, factor, deadline } = config.utapi.redis.retry.connectBackoff;
+                            assert.strictEqual(typeof min, 'number',
+                            'utapi.redis.retry.connectBackoff: min must be a number');
+                            assert.strictEqual(typeof max, 'number',
+                            'utapi.redis.retry.connectBackoff: max must be a number');
+                            assert.strictEqual(typeof jitter, 'number',
+                            'utapi.redis.retry.connectBackoff: jitter must be a number');
+                            assert.strictEqual(typeof factor, 'number',
+                            'utapi.redis.retry.connectBackoff: factor must be a number');
+                            assert.strictEqual(typeof deadline, 'number',
+                            'utapi.redis.retry.connectBackoff: deadline must be a number');
+                        }
+
+                        this.utapi.redis.retry = config.utapi.redis.retry;
+                    } else {
                         this.utapi.redis.retry = {
                             connectBackoff: {
                                 min: 10,
@@ -1189,6 +1140,22 @@ class Config extends EventEmitter {
                             },
                         };
                     }
+                    if (config.utapi.redis.password !== undefined) {
+                        assert(
+                            this._verifyRedisPassword(config.utapi.redis.password),
+                            'config: invalid password for utapi redis. password' +
+                            ' must be a string');
+                        this.utapi.redis.password = config.utapi.redis.password;
+                    }
+                        if (config.utapi.redis.sentinelPassword !== undefined) {
+                            assert(
+                        this._verifyRedisPassword(
+                            config.utapi.redis.sentinelPassword),
+                            'config: invalid password for utapi redis. password' +
+                            ' must be a string');
+                        this.utapi.redis.sentinelPassword =
+                            config.utapi.redis.sentinelPassword;
+                    }
                 }
                 if (config.utapi.metrics) {
                     this.utapi.metrics = config.utapi.metrics;
@@ -1258,7 +1225,8 @@ class Config extends EventEmitter {
                 }
 
                 if (config.utapi && config.utapi.reindex) {
-                    this.utapi.reindex = parseUtapiReindex(config.utapi.reindex);
+                    parseUtapiReindex(config.utapi.reindex);
+                    this.utapi.reindex = config.utapi.reindex;
                 }
             }
 
@@ -1303,8 +1271,6 @@ class Config extends EventEmitter {
             }
         }
 
-        this.authdata = config.authdata || 'authdata.json';
-
         this.kms = {};
         if (config.kms) {
             assert(typeof config.kms.userName === 'string');
@@ -1524,6 +1490,25 @@ class Config extends EventEmitter {
             this.outboundProxy.certs = certObj.certs;
         }
 
+        this.managementAgent = {};
+        this.managementAgent.port = 8010;
+        this.managementAgent.host = 'localhost';
+        if (config.managementAgent !== undefined) {
+            if (config.managementAgent.port !== undefined) {
+                assert(Number.isInteger(config.managementAgent.port)
+                       && config.managementAgent.port > 0,
+                       'bad config: managementAgent port must be a positive ' +
+                       'integer');
+                this.managementAgent.port = config.managementAgent.port;
+            }
+            if (config.managementAgent.host !== undefined) {
+                assert.strictEqual(typeof config.managementAgent.host, 'string',
+                                   'bad config: management agent host must ' +
+                                   'be a string');
+                this.managementAgent.host = config.managementAgent.host;
+            }
+        }
+
         // Ephemeral token to protect the reporting endpoint:
         // try inherited from parent first, then hardcoded in conf file,
         // then create a fresh one as last resort.
@@ -1589,7 +1574,6 @@ class Config extends EventEmitter {
         // Version of the configuration we're running under
         this.overlayVersion = config.overlayVersion || 0;
 
-        this._setTimeOptions();
         this.multiObjectDeleteConcurrency = constants.multiObjectDeleteConcurrency;
         const extractedNumber = Number.parseInt(config.multiObjectDeleteConcurrency, 10);
         if (!isNaN(extractedNumber) && extractedNumber > 0 && extractedNumber < 1000) {
@@ -1613,83 +1597,43 @@ class Config extends EventEmitter {
                 'bad config: maxScannedLifecycleListingEntries must be greater than 2');
             this.maxScannedLifecycleListingEntries = config.maxScannedLifecycleListingEntries;
         }
-
-        this._configureBackends(config);
-    }
-
-    _setTimeOptions() {
-        // NOTE: EXPIRE_ONE_DAY_EARLIER and TRANSITION_ONE_DAY_EARLIER are deprecated in favor of
-        // TIME_PROGRESSION_FACTOR which decreases the weight attributed to a day in order to among other things
-        // expedite the lifecycle of objects.
-
-        // moves lifecycle expiration deadlines 1 day earlier, mostly for testing
-        const expireOneDayEarlier = process.env.EXPIRE_ONE_DAY_EARLIER === 'true';
-        // moves lifecycle transition deadlines 1 day earlier, mostly for testing
-        const transitionOneDayEarlier = process.env.TRANSITION_ONE_DAY_EARLIER === 'true';
-        // decreases the weight attributed to a day in order to expedite the lifecycle of objects.
-        const timeProgressionFactor = Number.parseInt(process.env.TIME_PROGRESSION_FACTOR, 10) || 1;
-
-        const isIncompatible = (expireOneDayEarlier || transitionOneDayEarlier) && (timeProgressionFactor > 1);
-        assert(!isIncompatible, 'The environment variables "EXPIRE_ONE_DAY_EARLIER" or ' +
-        '"TRANSITION_ONE_DAY_EARLIER" are not compatible with the "TIME_PROGRESSION_FACTOR" variable.');
-
-        // The scaledMsPerDay value is initially set to the number of milliseconds per day
-        // (24 * 60 * 60 * 1000)  as the default value.
-        // However, during testing, if the timeProgressionFactor is defined and greater than 1,
-        // the scaledMsPerDay value is decreased. This adjustment allows for simulating actions occurring
-        // earlier in time.
-        const scaledMsPerDay = scaleMsPerDay(timeProgressionFactor);
-
-        this.timeOptions = {
-            expireOneDayEarlier,
-            transitionOneDayEarlier,
-            timeProgressionFactor,
-            scaledMsPerDay,
-        };
-    }
-
-    getTimeOptions() {
-        return this.timeOptions;
     }
 
     _getAuthData() {
-        return JSON.parse(fs.readFileSync(findConfigFile(process.env.S3AUTH_CONFIG || this.authdata), { encoding: 'utf-8' }));
+        return require(findConfigFile(process.env.S3AUTH_CONFIG || 'authdata.json'));
     }
 
-    _configureBackends(config) {
+    _configureBackends() {
-        const backends = config.backends || {};
         /**
          * Configure the backends for Authentication, Data and Metadata.
          */
-        let auth = backends.auth || 'mem';
+        let auth = 'mem';
-        let data = backends.data || 'multiple';
+        let data = 'multiple';
-        let metadata = backends.metadata || 'file';
+        let metadata = 'file';
-        let kms = backends.kms || 'file';
+        let kms = 'file';
-        let quota = backends.quota || 'none';
         if (process.env.S3BACKEND) {
             const validBackends = ['mem', 'file', 'scality', 'cdmi'];
             assert(validBackends.indexOf(process.env.S3BACKEND) > -1,
                 'bad environment variable: S3BACKEND environment variable ' +
                 'should be one of mem/file/scality/cdmi'
             );
-            auth = process.env.S3BACKEND == 'scality' ? 'scality' : 'mem';
+            auth = process.env.S3BACKEND;
             data = process.env.S3BACKEND;
             metadata = process.env.S3BACKEND;
             kms = process.env.S3BACKEND;
         }
         if (process.env.S3VAULT) {
             auth = process.env.S3VAULT;
-            auth = (auth === 'file' || auth === 'mem' || auth === 'cdmi' ? 'mem' : auth);
         }
-
         if (auth === 'file' || auth === 'mem' || auth === 'cdmi') {
             // Auth only checks for 'mem' since mem === file
+            auth = 'mem';
             let authData;
             if (process.env.SCALITY_ACCESS_KEY_ID &&
-                process.env.SCALITY_SECRET_ACCESS_KEY) {
+            process.env.SCALITY_SECRET_ACCESS_KEY) {
                 authData = buildAuthDataAccount(
-                    process.env.SCALITY_ACCESS_KEY_ID,
+                  process.env.SCALITY_ACCESS_KEY_ID,
-                    process.env.SCALITY_SECRET_ACCESS_KEY);
+                  process.env.SCALITY_SECRET_ACCESS_KEY);
             } else {
                 authData = this._getAuthData();
             }
@@ -1697,7 +1641,7 @@ class Config extends EventEmitter {
                 throw new Error('bad config: invalid auth config file.');
             }
             this.authData = authData;
-        } else if (auth === 'multiple') {
+        }  else if (auth === 'multiple') {
             const authData = this._getAuthData();
             if (validateAuthConfig(authData)) {
                 throw new Error('bad config: invalid auth config file.');
@@ -1712,9 +1656,9 @@ class Config extends EventEmitter {
                 'should be one of mem/file/scality/multiple'
             );
             data = process.env.S3DATA;
-            if (data === 'scality' || data === 'multiple') {
+        }
-                data = 'multiple';
+        if (data === 'scality' || data === 'multiple') {
-            }
+            data = 'multiple';
         }
         assert(this.locationConstraints !== undefined &&
             this.restEndpoints !== undefined,
@@ -1727,18 +1671,18 @@ class Config extends EventEmitter {
         if (process.env.S3KMS) {
             kms = process.env.S3KMS;
         }
-        if (process.env.S3QUOTA) {
-            quota = process.env.S3QUOTA;
-        }
         this.backends = {
             auth,
             data,
             metadata,
             kms,
-            quota,
         };
     }
 
+    _verifyRedisPassword(password) {
+        return typeof password === 'string';
+    }
+
     setAuthDataAccounts(accounts) {
         this.authData.accounts = accounts;
         this.emit('authdata-update');
@@ -1861,19 +1805,10 @@ class Config extends EventEmitter {
                                 .update(instanceId)
                                 .digest('hex');
     }
-
-    isQuotaEnabled() {
-        return !!this.quotaEnabled;
-    }
-
-    isQuotaInflightEnabled() {
-        return this.quota.enableInflights;
-    }
 }
 
 module.exports = {
     parseSproxydConfig,
-    parseRedisConfig,
     locationConstraintAssert,
     ConfigObject: Config,
     config: new Config(),
@@ -1881,5 +1816,4 @@ module.exports = {
     bucketNotifAssert,
     azureGetStorageAccountName,
     azureGetLocationCredentials,
-    azureArchiveLocationConstraintAssert,
 };

lib/api/api.js

@@ -7,7 +7,6 @@ const bucketDeleteEncryption = require('./bucketDeleteEncryption');
 const bucketDeleteWebsite = require('./bucketDeleteWebsite');
 const bucketDeleteLifecycle = require('./bucketDeleteLifecycle');
 const bucketDeletePolicy = require('./bucketDeletePolicy');
-const bucketDeleteQuota = require('./bucketDeleteQuota');
 const { bucketGet } = require('./bucketGet');
 const bucketGetACL = require('./bucketGetACL');
 const bucketGetCors = require('./bucketGetCors');
@@ -18,7 +17,6 @@ const bucketGetLifecycle = require('./bucketGetLifecycle');
 const bucketGetNotification = require('./bucketGetNotification');
 const bucketGetObjectLock = require('./bucketGetObjectLock');
 const bucketGetPolicy = require('./bucketGetPolicy');
-const bucketGetQuota = require('./bucketGetQuota');
 const bucketGetEncryption = require('./bucketGetEncryption');
 const bucketHead = require('./bucketHead');
 const { bucketPut } = require('./bucketPut');
@@ -35,7 +33,6 @@ const bucketPutNotification = require('./bucketPutNotification');
 const bucketPutEncryption = require('./bucketPutEncryption');
 const bucketPutPolicy = require('./bucketPutPolicy');
 const bucketPutObjectLock = require('./bucketPutObjectLock');
-const bucketUpdateQuota = require('./bucketUpdateQuota');
 const bucketGetReplication = require('./bucketGetReplication');
 const bucketDeleteReplication = require('./bucketDeleteReplication');
 const corsPreflight = require('./corsPreflight');
@@ -47,7 +44,7 @@ const metadataSearch = require('./metadataSearch');
 const { multiObjectDelete } = require('./multiObjectDelete');
 const multipartDelete = require('./multipartDelete');
 const objectCopy = require('./objectCopy');
-const { objectDelete } = require('./objectDelete');
+const objectDelete = require('./objectDelete');
 const objectDeleteTagging = require('./objectDeleteTagging');
 const objectGet = require('./objectGet');
 const objectGetACL = require('./objectGetACL');
@@ -67,7 +64,8 @@ const prepareRequestContexts
     = require('./apiUtils/authorization/prepareRequestContexts');
 const serviceGet = require('./serviceGet');
 const vault = require('../auth/vault');
-const website = require('./website');
+const websiteGet = require('./websiteGet');
+const websiteHead = require('./websiteHead');
 const writeContinue = require('../utilities/writeContinue');
 const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
 const parseCopySource = require('./apiUtils/object/parseCopySource');
@@ -85,10 +83,6 @@ const api = {
         // Attach the apiMethod method to the request, so it can used by monitoring in the server
         // eslint-disable-next-line no-param-reassign
         request.apiMethod = apiMethod;
-        // Array of end of API callbacks, used to perform some logic
-        // at the end of an API.
-        // eslint-disable-next-line no-param-reassign
-        request.finalizerHooks = [];
 
         const actionLog = monitoringMap[apiMethod];
         if (!actionLog &&
@@ -197,17 +191,14 @@ const api = {
 
         return async.waterfall([
             next => auth.server.doAuth(
-                request, log, (err, userInfo, authorizationResults, streamingV4Params, infos) => {
+                request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
                     if (err) {
-                        // VaultClient returns standard errors, but the route requires
-                        // Arsenal errors
-                        const arsenalError = err.metadata ? err : errors[err.code] || errors.InternalError;
                         log.trace('authentication error', { error: err });
-                        return next(arsenalError);
+                        return next(err);
                     }
-                    return next(null, userInfo, authorizationResults, streamingV4Params, infos);
+                    return next(null, userInfo, authorizationResults, streamingV4Params);
                 }, 's3', requestContexts),
-            (userInfo, authorizationResults, streamingV4Params, infos, next) => {
+            (userInfo, authorizationResults, streamingV4Params, next) => {
                 const authNames = { accountName: userInfo.getAccountDisplayName() };
                 if (userInfo.isRequesterAnIAMUser()) {
                     authNames.userName = userInfo.getIAMdisplayName();
@@ -217,7 +208,7 @@ const api = {
                 }
                 log.addDefaultFields(authNames);
                 if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
-                    return next(null, userInfo, authorizationResults, streamingV4Params, infos);
+                    return next(null, userInfo, authorizationResults, streamingV4Params);
                 }
                 // issue 100 Continue to the client
                 writeContinue(request, response);
@@ -248,12 +239,12 @@ const api = {
                     }
                     // Convert array of post buffers into one string
                     request.post = Buffer.concat(post, postLength).toString();
-                    return next(null, userInfo, authorizationResults, streamingV4Params, infos);
+                    return next(null, userInfo, authorizationResults, streamingV4Params);
                 });
                 return undefined;
             },
             // Tag condition keys require information from CloudServer for evaluation
-            (userInfo, authorizationResults, streamingV4Params, infos, next) => tagConditionKeyAuth(
+            (userInfo, authorizationResults, streamingV4Params, next) => tagConditionKeyAuth(
                 authorizationResults,
                 request,
                 requestContexts,
@@ -264,14 +255,13 @@ const api = {
                         log.trace('tag authentication error', { error: err });
                         return next(err);
                     }
-                    return next(null, userInfo, authResultsWithTags, streamingV4Params, infos);
+                    return next(null, userInfo, authResultsWithTags, streamingV4Params);
                 },
             ),
-        ], (err, userInfo, authorizationResults, streamingV4Params, infos) => {
+        ], (err, userInfo, authorizationResults, streamingV4Params) => {
             if (err) {
                 return callback(err);
             }
-            request.accountQuotas = infos?.accountQuota;
             if (authorizationResults) {
                 const checkedResults = checkAuthResults(authorizationResults);
                 if (checkedResults instanceof Error) {
@@ -288,23 +278,19 @@ const api = {
                     return acc;
                 }, {});
             }
-            const methodCallback = (err, ...results) => async.forEachLimit(request.finalizerHooks, 5,
-                    (hook, done) => hook(err, done),
-                    () => callback(err, ...results));
-
             if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
                 request._response = response;
                 return this[apiMethod](userInfo, request, streamingV4Params,
-                    log, methodCallback, authorizationResults);
+                    log, callback, authorizationResults);
             }
             if (apiMethod === 'objectCopy' || apiMethod === 'objectPutCopyPart') {
                 return this[apiMethod](userInfo, request, sourceBucket,
-                    sourceObject, sourceVersionId, log, methodCallback);
+                    sourceObject, sourceVersionId, log, callback);
             }
             if (apiMethod === 'objectGet') {
                 return this[apiMethod](userInfo, request, returnTagCount, log, callback);
             }
-            return this[apiMethod](userInfo, request, log, methodCallback);
+            return this[apiMethod](userInfo, request, log, callback);
         });
     },
     bucketDelete,
@@ -331,14 +317,11 @@ const api = {
     bucketPutReplication,
     bucketGetReplication,
     bucketDeleteReplication,
-    bucketDeleteQuota,
     bucketPutLifecycle,
-    bucketUpdateQuota,
     bucketGetLifecycle,
     bucketDeleteLifecycle,
     bucketPutPolicy,
     bucketGetPolicy,
-    bucketGetQuota,
     bucketDeletePolicy,
     bucketPutObjectLock,
     bucketPutNotification,
@@ -370,8 +353,8 @@ const api = {
     objectPutRetention,
     objectRestore,
     serviceGet,
-    websiteGet: website,
+    websiteGet,
-    websiteHead: website,
+    websiteHead,
 };
 
 module.exports = api;

lib/api/apiUtils/authorization/permissionChecks.js

@@ -1,19 +1,8 @@
 const { evaluators, actionMaps, RequestContext, requestUtils } = require('arsenal').policies;
-const { errors } = require('arsenal');
-const { parseCIDR, isValid } = require('ipaddr.js');
 const constants = require('../../../../constants');
 const { config } = require('../../../Config');
 
-const {
+const { allAuthedUsersId, bucketOwnerActions, logId, publicId, arrayOfAllowed } = constants;
-    allAuthedUsersId,
-    bucketOwnerActions,
-    logId,
-    publicId,
-    arrayOfAllowed,
-    assumedRoleArnResourceType,
-    backbeatLifecycleSessionName,
-    actionsToConsiderAsObjectPut,
-} = constants;
 
 // whitelist buckets to allow public read on objects
 const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS
@@ -51,21 +40,17 @@ function isRequesterNonAccountUser(authInfo) {
 
 function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
     // Same logic applies on the Versioned APIs, so let's simplify it.
-    let requestTypeParsed = requestType.endsWith('Version') ?
+    const requestTypeParsed = requestType.endsWith('Version') ?
         requestType.slice(0, 'Version'.length * -1) : requestType;
-    requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestTypeParsed) ?
-        'objectPut' : requestTypeParsed;
-    const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ?
-        'objectPut' : mainApiCall;
     if (bucket.getOwner() === canonicalID) {
         return true;
     }
-    if (parsedMainApiCall === 'objectGet') {
+    if (mainApiCall === 'objectGet') {
         if (requestTypeParsed === 'objectGetTagging') {
             return true;
         }
     }
-    if (parsedMainApiCall === 'objectPut') {
+    if (mainApiCall === 'objectPut') {
         if (arrayOfAllowed.includes(requestTypeParsed)) {
             return true;
         }
@@ -141,18 +126,14 @@ function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
     // authorization check should just return true so can move on to check
     // rights at the object level.
     return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
-    || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
+        || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
 }
 
 function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
     isUserUnauthenticated, mainApiCall) {
     const bucketOwner = bucket.getOwner();
-    const requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestType) ?
-        'objectPut' : requestType;
-    const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ?
-        'objectPut' : mainApiCall;
     // acls don't distinguish between users and accounts, so both should be allowed
-    if (bucketOwnerActions.includes(requestTypeParsed)
+    if (bucketOwnerActions.includes(requestType)
         && (bucketOwner === canonicalID)) {
         return true;
     }
@@ -161,9 +142,9 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
     }
 
     // Backward compatibility
-    if (parsedMainApiCall === 'objectGet') {
+    if (mainApiCall === 'objectGet') {
         if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
-            && requestTypeParsed === 'objectGetTagging') {
+            && requestType === 'objectGetTagging') {
             return true;
         }
     }
@@ -172,7 +153,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
         return false;
     }
 
-    if (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead') {
+    if (requestType === 'objectGet' || requestType === 'objectHead') {
         if (objectMD.acl.Canned === 'public-read'
             || objectMD.acl.Canned === 'public-read-write'
             || (objectMD.acl.Canned === 'authenticated-read'
@@ -198,11 +179,11 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
 
     // User is already authorized on the bucket for FULL_CONTROL or WRITE or
     // bucket has canned ACL public-read-write
-    if (requestTypeParsed === 'objectPut' || requestTypeParsed === 'objectDelete') {
+    if (requestType === 'objectPut' || requestType === 'objectDelete') {
         return true;
     }
 
-    if (requestTypeParsed === 'objectPutACL') {
+    if (requestType === 'objectPutACL') {
         if ((objectMD.acl.Canned === 'bucket-owner-full-control'
             && bucketOwner === canonicalID)
             || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
@@ -218,7 +199,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
         }
     }
 
-    if (requestTypeParsed === 'objectGetACL') {
+    if (requestType === 'objectGetACL') {
         if ((objectMD.acl.Canned === 'bucket-owner-full-control'
             && bucketOwner === canonicalID)
             || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
@@ -239,7 +220,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
     const bucketAcl = bucket.getAcl();
     const allowPublicReads = publicReadBuckets.includes(bucket.getName())
         && bucketAcl.Canned === 'public-read'
-        && (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
+        && (requestType === 'objectGet' || requestType === 'objectHead');
     if (allowPublicReads) {
         return true;
     }
@@ -373,7 +354,7 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
 }
 
 function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, log, request,
-    actionImplicitDeniesInput = {}, isWebsite = false) {
+    actionImplicitDeniesInput = {}) {
     const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput];
     const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput;
     const mainApiCall = requestTypes[0];
@@ -397,15 +378,6 @@ function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, lo
             return results[_requestType];
         }
         const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
-        // In case of error bucket access is checked with bucketGet
-        // For website, bucket policy only uses objectGet and ignores bucketGet
-        // https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html
-        // bucketGet should be used to check acl but switched to objectGet for bucket policy
-        if (isWebsite && _requestType === 'bucketGet') {
-            // eslint-disable-next-line no-param-reassign
-            _requestType = 'objectGet';
-            actionImplicitDenies.objectGet = actionImplicitDenies.objectGet || false;
-        }
         return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
             request, aclPermission, results, actionImplicitDenies);
     });
@@ -425,12 +397,12 @@ function evaluateBucketPolicyWithIAM(bucket, requestTypesInput, canonicalID, aut
             arn = authInfo.getArn();
         }
         return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
-        request, true, results, actionImplicitDenies);
+            request, true, results, actionImplicitDenies);
     });
 }
 
 function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request,
-    actionImplicitDeniesInput = {}, isWebsite = false) {
+    actionImplicitDeniesInput = {}) {
     const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput];
     const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput;
     const results = {};
@@ -443,20 +415,16 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
             ? _requestType.slice(0, -7) : _requestType;
         const bucketOwner = bucket.getOwner();
         if (!objectMD) {
-            // check bucket has read access
-            // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
-            let permission = 'bucketGet';
-            if (actionsToConsiderAsObjectPut.includes(_requestType)) {
-                permission = 'objectPut';
-            }
-            results[_requestType] = isBucketAuthorized(bucket, permission, canonicalID, authInfo, log, request,
-                actionImplicitDenies, isWebsite);
             // User is already authorized on the bucket for FULL_CONTROL or WRITE or
             // bucket has canned ACL public-read-write
-            if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete')
+            if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
-                && results[_requestType] === false) {
                 results[_requestType] = actionImplicitDenies[_requestType] === false;
+                return results[_requestType];
             }
+            // check bucket has read access
+            // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
+            results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request,
+                actionImplicitDenies);
             return results[_requestType];
         }
         let requesterIsNotUser = true;
@@ -476,8 +444,8 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
         // - account is the bucket owner
         // - requester is account, not user
         if (bucketOwnerActions.includes(parsedMethodName)
-        && (bucketOwner === canonicalID)
+            && (bucketOwner === canonicalID)
-        && requesterIsNotUser) {
+            && requesterIsNotUser) {
             results[_requestType] = actionImplicitDenies[_requestType] === false;
             return results[_requestType];
         }
@@ -515,46 +483,11 @@ function validatePolicyResource(bucketName, policy) {
 }
 
 function checkIp(value) {
-    const errString = 'Invalid IP address in Conditions';
+    const isValid = /^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?$/.test(value);
-
+    if (isValid) {
-    const values = Array.isArray(value) ? value : [value];
+        return null;
-
-    for (let i = 0; i < values.length; i++) {
-        // these preliminary checks are validating the provided
-        // ip address against ipaddr.js, the library we use when
-        // evaluating IP condition keys. It ensures compatibility,
-        // but additional checks are required to enforce the right
-        // notation (e.g., xxx.xxx.xxx.xxx/xx for IPv4). Otherwise,
-        // we would accept different ip formats, which is not
-        // standard in an AWS use case.
-        try {
-            try {
-                parseCIDR(values[i]);
-            } catch (err) {
-                isValid(values[i]);
-            }
-        } catch (err) {
-            return errString;
-        }
-
-        // Apply the existing IP validation logic to each element
-        const validateIpRegex = ip => {
-            if (constants.ipv4Regex.test(ip)) {
-                return ip.split('.').every(part => parseInt(part, 10) <= 255);
-            }
-            if (constants.ipv6Regex.test(ip)) {
-                return ip.split(':').every(part => part.length <= 4);
-            }
-            return false;
-        };
-
-        if (validateIpRegex(values[i]) !== true) {
-            return errString;
-        }
     }
-
+    return 'Invalid IP address in Conditions';
-    // If the function hasn't returned by now, all elements are valid
-    return null;
 }
 
 // This function checks all bucket policy conditions if the values provided
@@ -567,33 +500,29 @@ function validatePolicyConditions(policy) {
     // keys where value type does not seem to be checked by AWS:
     // - s3:object-lock-remaining-retention-days
 
-    if (!policy.Statement || !Array.isArray(policy.Statement) || policy.Statement.length === 0) {
-        return null;
-    }
-
     // there can be multiple statements in the policy, each with a Condition enclosure
     for (let i = 0; i < policy.Statement.length; i++) {
         const s = policy.Statement[i];
         if (s.Condition) {
             const conditionOperators = Object.keys(s.Condition);
             // there can be multiple condition operations in the Condition enclosure
-            // eslint-disable-next-line no-restricted-syntax
+            for (let j = 0; j < conditionOperators.length; j++) {
-            for (const conditionOperator of conditionOperators) {
+                const conditionOperator = conditionOperators[j];
                 const conditionKey = Object.keys(s.Condition[conditionOperator])[0];
                 const conditionValue = s.Condition[conditionOperator][conditionKey];
                 const validCondition = validConditions.find(validCondition =>
                     validCondition.conditionKey === conditionKey
                 );
-                // AWS returns does not return an error if the condition starts with 'aws:'
+                // this is the seen behaviour on AWS... don't ask me why
-                // so we reproduce this behaviour
                 if (!validCondition && !conditionKey.startsWith('aws:')) {
-                    return errors.MalformedPolicy.customizeDescription('Policy has an invalid condition key');
+                    return 'Policy has an invalid condition key';
                 }
+                let conditionValueTypeError;
                 if (validCondition && validCondition.conditionValueTypeChecker) {
-                    const conditionValueTypeError = validCondition.conditionValueTypeChecker(conditionValue);
+                    conditionValueTypeError = validCondition.conditionValueTypeChecker(conditionValue);
-                    if (conditionValueTypeError) {
+                }
-                        return errors.MalformedPolicy.customizeDescription(conditionValueTypeError);
+                if (conditionValueTypeError) {
-                    }
+                    return conditionValueTypeError;
                 }
             }
         }

lib/api/apiUtils/authorization/prepareRequestContexts.js

@@ -52,7 +52,7 @@ function prepareRequestContexts(apiMethod, request, sourceBucket,
             apiMethod, 's3');
     }
 
-    if (apiMethod === 'bucketPut') {
+    if (apiMethod === 'multiObjectDelete' || apiMethod === 'bucketPut') {
         return null;
     }
 
@@ -65,17 +65,7 @@ function prepareRequestContexts(apiMethod, request, sourceBucket,
 
     const requestContexts = [];
 
-    if (apiMethod === 'multiObjectDelete') {
+    if (apiMethodAfterVersionCheck === 'objectCopy'
-        // MultiObjectDelete does not require any authorization when evaluating
-        // the API. Instead, we authorize each object passed.
-        // But in order to get any relevant information from the authorization service
-        // for example, the account quota, we must send a request context object
-        // with no `specificResource`. We expect the result to be an implicit deny.
-        // In the API, we then ignore these authorization results, and we can use
-        // any information returned, e.g., the quota.
-        const requestContextMultiObjectDelete = generateRequestContext('objectDelete');
-          requestContexts.push(requestContextMultiObjectDelete);
-    } else if (apiMethodAfterVersionCheck === 'objectCopy'
         || apiMethodAfterVersionCheck === 'objectPutCopyPart') {
         const objectGetAction = sourceVersionId ? 'objectGetVersion' :
           'objectGet';

lib/api/apiUtils/bucket/bucketShield.js

@@ -30,9 +30,6 @@ function bucketShield(bucket, requestType) {
      // Otherwise return an error to the client
     if ((bucket.hasDeletedFlag() || bucket.hasTransientFlag()) &&
         (requestType !== 'objectPut' &&
-        requestType !== 'initiateMultipartUpload' &&
-        requestType !== 'objectPutPart' &&
-        requestType !== 'completeMultipartUpload' &&
         requestType !== 'bucketPutACL' &&
         requestType !== 'bucketDelete')) {
         return true;

lib/api/apiUtils/object/abortMultipartUpload.js

@@ -14,7 +14,7 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
         bucketName,
         objectKey,
         uploadId,
-        preciseRequestType: request.apiMethods || 'multipartDelete',
+        preciseRequestType: 'multipartDelete',
         request,
     };
     // For validating the request at the destinationBucket level

lib/api/apiUtils/object/coldStorage.js

@@ -2,13 +2,11 @@
  * Code based on Yutaka Oishi (Fujifilm) contributions
  * Date: 11 Sep 2020
  */
-const { ObjectMDArchive } = require('arsenal').models;
+const ObjectMDArchive = require('arsenal').models.ObjectMDArchive;
 const errors = require('arsenal').errors;
 const { config } = require('../../../Config');
 const { locationConstraints } = config;
 
-const { scaledMsPerDay } = config.getTimeOptions();
-
 /**
  * Get response header "x-amz-restore"
  * Be called by objectHead.js
@@ -34,6 +32,7 @@ function getAmzRestoreResHeader(objMD) {
     return undefined;
 }
 
+
 /**
  * Check if restore can be done.
  *
@@ -42,23 +41,6 @@ function getAmzRestoreResHeader(objMD) {
  * @return {ArsenalError|undefined} - undefined if the conditions for RestoreObject are fulfilled
  */
 function _validateStartRestore(objectMD, log) {
-    if (objectMD.archive?.restoreCompletedAt) {
-        if (new Date(objectMD.archive?.restoreWillExpireAt) < new Date(Date.now())) {
-            // return InvalidObjectState error if the restored object is expired
-            // but restore info md of this object has not yet been cleared
-            log.debug('The restored object already expired.',
-                {
-                    archive: objectMD.archive,
-                    method: '_validateStartRestore',
-                });
-            return errors.InvalidObjectState;
-        }
-
-        // If object is already restored, no further check is needed
-        // Furthermore, we cannot check if the location is cold, as the `dataStoreName` would have
-        // been reset.
-        return undefined;
-    }
     const isLocationCold = locationConstraints[objectMD.dataStoreName]?.isCold;
     if (!isLocationCold) {
         // return InvalidObjectState error if the object is not in cold storage,
@@ -70,7 +52,18 @@ function _validateStartRestore(objectMD, log) {
             });
         return errors.InvalidObjectState;
     }
-    if (objectMD.archive?.restoreRequestedAt) {
+    if (objectMD.archive?.restoreCompletedAt
+        && new Date(objectMD.archive?.restoreWillExpireAt) < new Date(Date.now())) {
+        // return InvalidObjectState error if the restored object is expired
+        // but restore info md of this object has not yet been cleared
+        log.debug('The restored object already expired.',
+            {
+                archive: objectMD.archive,
+                method: '_validateStartRestore',
+            });
+        return errors.InvalidObjectState;
+    }
+    if (objectMD.archive?.restoreRequestedAt && !objectMD.archive?.restoreCompletedAt) {
         // return RestoreAlreadyInProgress error if the object is currently being restored
         // check if archive.restoreRequestAt exists and archive.restoreCompletedAt not yet exists
         log.debug('The object is currently being restored.',
@@ -127,36 +120,22 @@ function validatePutVersionId(objMD, versionId, log) {
 }
 
 /**
- * Check if the object is already restored, and update the expiration date accordingly:
+ * Check if the object is already restored
- * > After restoring an archived object, you can update the restoration period by reissuing the
- * > request with a new period. Amazon S3 updates the restoration period relative to the current
- * > time.
  *
  * @param {ObjectMD} objectMD - object metadata
  * @param {object} log - werelogs logger
  * @return {boolean} - true if the object is already restored
  */
-function _updateObjectExpirationDate(objectMD, log) {
+function isObjectAlreadyRestored(objectMD, log) {
-    // Check if restoreCompletedAt field exists
+    //  check if restoreCompletedAt field exists
-    // Normally, we should check `archive.restoreWillExpireAt > current time`; however this is
+    //  and archive.restoreWillExpireAt > current time
-    // checked earlier in the process, so checking again here would create weird states
+    const isObjectAlreadyRestored = objectMD.archive?.restoreCompletedAt
-    const isObjectAlreadyRestored = !!objectMD.archive.restoreCompletedAt;
+        && new Date(objectMD.archive?.restoreWillExpireAt) >= new Date(Date.now());
-    log.debug('The restore status of the object.', {
+    log.debug('The restore status of the object.',
-        isObjectAlreadyRestored,
+        {
-        method: 'isObjectAlreadyRestored'
+            isObjectAlreadyRestored,
-    });
+            method: 'isObjectAlreadyRestored'
-    if (isObjectAlreadyRestored) {
+        });
-        const expiryDate = new Date(objectMD.archive.restoreRequestedAt);
-        expiryDate.setTime(expiryDate.getTime() + (objectMD.archive.restoreRequestedDays * scaledMsPerDay));
-
-        /* eslint-disable no-param-reassign */
-        objectMD.archive.restoreWillExpireAt = expiryDate;
-        objectMD['x-amz-restore'] = {
-            'ongoing-request': false,
-            'expiry-date': expiryDate,
-        };
-        /* eslint-enable no-param-reassign */
-    }
     return isObjectAlreadyRestored;
 }
 
@@ -216,32 +195,12 @@ function startRestore(objectMD, restoreParam, log, cb) {
     if (updateResultError) {
         return cb(updateResultError);
     }
-    const isObjectAlreadyRestored = _updateObjectExpirationDate(objectMD, log);
+    return cb(null, isObjectAlreadyRestored(objectMD, log));
-    return cb(null, isObjectAlreadyRestored);
 }
 
-/**
- * checks if object data is available or if it's in cold storage
- * @param {ObjectMD} objMD Object metadata
- * @returns {ArsenalError|null} error if object data is not available
- */
-function verifyColdObjectAvailable(objMD) {
-    // return error when object is cold
-    if (objMD.archive &&
-        // Object is in cold backend
-        (!objMD.archive.restoreRequestedAt ||
-            // Object is being restored
-            (objMD.archive.restoreRequestedAt && !objMD.archive.restoreCompletedAt))) {
-        const err = errors.InvalidObjectState
-            .customizeDescription('The operation is not valid for the object\'s storage class');
-        return err;
-    }
-    return null;
-}
 
 module.exports = {
     startRestore,
     getAmzRestoreResHeader,
     validatePutVersionId,
-    verifyColdObjectAvailable,
 };

lib/api/apiUtils/object/createAndStoreObject.js

@@ -5,6 +5,7 @@ const getMetaHeaders = s3middleware.userMetadata.getMetaHeaders;
 const constants = require('../../../../constants');
 const { data } = require('../../../data/wrapper');
 const services = require('../../../services');
+const logger = require('../../../utilities/logger');
 const { dataStore } = require('./storeObject');
 const locationConstraintCheck = require('./locationConstraintCheck');
 const { versioningPreprocessing, overwritingVersioning } = require('./versioning');
@@ -20,7 +21,7 @@ const externalVersioningErrorMessage = 'We do not currently support putting ' +
 'a versioned object to a location-constraint of type Azure or GCP.';
 
 function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
-    metadataStoreParams, dataToDelete, log, requestMethod, callback) {
+    metadataStoreParams, dataToDelete, deleteLog, requestMethod, callback) {
     services.metadataStoreObject(bucketName, dataGetInfo,
         cipherBundle, metadataStoreParams, (err, result) => {
             if (err) {
@@ -30,7 +31,7 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
                 const newDataStoreName = Array.isArray(dataGetInfo) ?
                     dataGetInfo[0].dataStoreName : null;
                 return data.batchDelete(dataToDelete, requestMethod,
-                    newDataStoreName, log, err => callback(err, result));
+                    newDataStoreName, deleteLog, err => callback(err, result));
             }
             return callback(null, result);
         });
@@ -52,7 +53,6 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
  * credentialScope (to be used for streaming v4 auth if applicable)
  * @param {(object|null)} overheadField - fields to be included in metadata overhead
  * @param {RequestLogger} log - logger instance
- * @param {string} originOp - Origin operation
  * @param {function} callback - callback function
  * @return {undefined} and call callback with (err, result) -
  * result.contentMD5 - content md5 of new object or version
@@ -60,7 +60,7 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
  */
 function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
         canonicalID, cipherBundle, request, isDeleteMarker, streamingV4Params,
-        overheadField, log, originOp, callback) {
+        overheadField, log, callback) {
     const putVersionId = request.headers['x-scal-s3-version-id'];
     const isPutVersion = putVersionId || putVersionId === '';
 
@@ -143,7 +143,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
             removeAWSChunked(request.headers['content-encoding']);
         metadataStoreParams.expires = request.headers.expires;
         metadataStoreParams.tagging = request.headers['x-amz-tagging'];
-        metadataStoreParams.originOp = originOp;
+        metadataStoreParams.originOp = 's3:ObjectCreated:Put';
         const defaultObjectLockConfiguration
             = bucketMD.getObjectLockConfiguration();
         if (defaultObjectLockConfiguration) {
@@ -158,7 +158,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
         // eslint-disable-next-line no-param-reassign
         request.headers[constants.objectLocationConstraintHeader] =
             objMD[constants.objectLocationConstraintHeader];
-        metadataStoreParams.originOp = originOp;
+        metadataStoreParams.originOp = 's3:ObjectRemoved:DeleteMarkerCreated';
     }
 
     const backendInfoObj =
@@ -197,9 +197,10 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
     const dontSkipBackend = externalBackends;
     /* eslint-enable camelcase */
 
+    const requestLogger =
+        logger.newRequestLoggerFromSerializedUids(log.getSerializedUids());
     const mdOnlyHeader = request.headers['x-amz-meta-mdonly'];
     const mdOnlySize = request.headers['x-amz-meta-size'];
-
     return async.waterfall([
         function storeData(next) {
             if (size === 0) {
@@ -294,7 +295,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
             }
             return _storeInMDandDeleteData(bucketName, infoArr,
                 cipherBundle, metadataStoreParams,
-                options.dataToDelete, log, requestMethod, next);
+                options.dataToDelete, requestLogger, requestMethod, next);
         },
     ], callback);
 }

lib/api/apiUtils/object/expirationHeaders.js

@@ -4,25 +4,23 @@ const {
     LifecycleDateTime,
     LifecycleUtils,
 } = require('arsenal').s3middleware.lifecycleHelpers;
-const { config } = require('../../../Config');
 
-const {
+// moves lifecycle transition deadlines 1 day earlier, mostly for testing
-    expireOneDayEarlier,
+const transitionOneDayEarlier = process.env.TRANSITION_ONE_DAY_EARLIER === 'true';
-    transitionOneDayEarlier,
+// moves lifecycle expiration deadlines 1 day earlier, mostly for testing
-    timeProgressionFactor,
+const expireOneDayEarlier = process.env.EXPIRE_ONE_DAY_EARLIER === 'true';
-    scaledMsPerDay,
-} = config.getTimeOptions();
 
 const lifecycleDateTime = new LifecycleDateTime({
     transitionOneDayEarlier,
     expireOneDayEarlier,
-    timeProgressionFactor,
 });
 
-const lifecycleUtils = new LifecycleUtils(supportedLifecycleRules, lifecycleDateTime, timeProgressionFactor);
+const lifecycleUtils = new LifecycleUtils(supportedLifecycleRules, lifecycleDateTime);
+
+const oneDay = 24 * 60 * 60 * 1000; // Milliseconds in a day.
 
 function calculateDate(objDate, expDays, datetime) {
-    return new Date(datetime.getTimestamp(objDate) + (expDays * scaledMsPerDay));
+    return new Date(datetime.getTimestamp(objDate) + expDays * oneDay);
 }
 
 function formatExpirationHeader(date, id) {

lib/api/apiUtils/object/objectLockHelpers.js

@@ -5,7 +5,6 @@ const { config } = require('../../../Config');
 const vault = require('../../../auth/vault');
 const { evaluateBucketPolicyWithIAM } = require('../authorization/permissionChecks');
 
-const { scaledMsPerDay } = config.getTimeOptions();
 /**
  * Calculates retain until date for the locked object version
  * @param {object} retention - includes days or years retention period
@@ -21,9 +20,8 @@ function calculateRetainUntilDate(retention) {
     const date = moment();
     // Calculate the number of days to retain the lock on the object
     const retainUntilDays = days || years * 365;
-    const retainUntilDaysInMs = retainUntilDays * scaledMsPerDay;
     const retainUntilDate
-        = date.add(retainUntilDaysInMs, 'ms');
+        = date.add(retainUntilDays, 'days');
     return retainUntilDate.toISOString();
 }
 /**
@@ -306,7 +304,7 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
                 return cb(err);
             }
             const explicitDenyExists = authorizationResults.some(
-                authzResult => authzResult.isAllowed === false && !authzResult.isImplicit);
+                authzResult => authzResult.isAllowed === false && authzResult.isImplicit === false);
             if (explicitDenyExists) {
                 log.trace('authorization check failed for user',
                     {

lib/api/apiUtils/object/objectRestore.js

@@ -8,7 +8,7 @@ const { pushMetric } = require('../../../utapi/utilities');
 const { decodeVersionId } = require('./versioning');
 const collectCorsHeaders = require('../../../utilities/collectCorsHeaders');
 const { parseRestoreRequestXml } = s3middleware.objectRestore;
-const { processBytesToWrite, validateQuotas } = require('../quotas/quotaUtils');
+
 
 /**
  * Check if tier is supported
@@ -58,15 +58,7 @@ function objectRestore(metadata, mdUtils, userInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId: decodedVidResult,
-        requestType: request.apiMethods || 'restoreObject',
+        requestType: 'restoreObject',
-        /**
-         * Restoring an object might not cause any impact on
-         * the storage, if the object is already restored: in
-         * this case, the duration is extended. We disable the
-         * quota evaluation and trigger it manually.
-         */
-        checkQuota: false,
-        request,
     };
 
     return async.waterfall([
@@ -124,16 +116,6 @@ function objectRestore(metadata, mdUtils, userInfo, request, log, callback) {
                         return next(err, bucketMD, objectMD);
                     });
             },
-            function evaluateQuotas(bucketMD, objectMD, next) {
-                if (isObjectRestored) {
-                    return next(null, bucketMD, objectMD);
-                }
-                const actions = Array.isArray(mdValueParams.requestType) ?
-                    mdValueParams.requestType : [mdValueParams.requestType];
-                const bytes = processBytesToWrite(request.apiMethod, bucketMD, mdValueParams.versionId, 0, objectMD);
-                return validateQuotas(request, bucketMD, request.accountQuotas, actions, request.apiMethod, bytes,
-                    false, log, err => next(err, bucketMD, objectMD));
-            },
             function updateObjectMD(bucketMD, objectMD, next) {
                 const params = objectMD.versionId ? { versionId: objectMD.versionId } : {};
                 metadata.putObjectMD(bucketMD.getName(), objectKey, objectMD, params,

lib/api/apiUtils/object/versioning.js

@@ -4,7 +4,7 @@ const async = require('async');
 const metadata = require('../../../metadata/wrapper');
 const { config } = require('../../../Config');
 
-const { scaledMsPerDay } = config.getTimeOptions();
+const oneDay = 24 * 60 * 60 * 1000;
 
 const versionIdUtils = versioning.VersionID;
 // Use Arsenal function to generate a version ID used internally by metadata
@@ -210,7 +210,7 @@ function processVersioningState(mst, vstat, nullVersionCompatMode) {
             // null keys are used, which is used as an optimization to
             // avoid having to check the versioned key since there can
             // be no more versioned key to clean up
-            if (mst.isNull && mst.versionId && !mst.isNull2) {
+            if (mst.isNull && !mst.isNull2) {
                 const delOptions = { versionId: mst.versionId };
                 return { options, delOptions };
             }
@@ -241,7 +241,7 @@ function processVersioningState(mst, vstat, nullVersionCompatMode) {
     if (masterIsNull) {
         // if master is a null version or a non-versioned key,
         // copy it to a new null key
-        const nullVersionId = (mst.isNull && mst.versionId) ? mst.versionId : nonVersionedObjId;
+        const nullVersionId = mst.isNull ? mst.versionId : nonVersionedObjId;
         if (nullVersionCompatMode) {
             options.extraMD = {
                 nullVersionId,
@@ -460,47 +460,6 @@ function preprocessingVersioningDelete(bucketName, bucketMD, objectMD, reqVersio
     return options;
 }
 
-/**
- * Keep metadatas when the object is restored from cold storage
- * but remove the specific ones we don't want to keep
- * @param {object} objMD - obj metadata
- * @param {object} metadataStoreParams - custom built object containing resource details.
- * @return {undefined}
- */
-function restoreMetadata(objMD, metadataStoreParams) {
-    /* eslint-disable no-param-reassign */
-    const userMDToSkip = ['x-amz-meta-scal-s3-restore-attempt'];
-    // We need to keep user metadata and tags
-    Object.keys(objMD).forEach(key => {
-        if (key.startsWith('x-amz-meta-') && !userMDToSkip.includes(key)) {
-            metadataStoreParams.metaHeaders[key] = objMD[key];
-        }
-    });
-
-    if (objMD['x-amz-website-redirect-location']) {
-        if (!metadataStoreParams.headers) {
-            metadataStoreParams.headers = {};
-        }
-        metadataStoreParams.headers['x-amz-website-redirect-location'] = objMD['x-amz-website-redirect-location'];
-    }
-
-    if (objMD.replicationInfo) {
-        metadataStoreParams.replicationInfo = objMD.replicationInfo;
-    }
-
-    if (objMD.legalHold) {
-        metadataStoreParams.legalHold = objMD.legalHold;
-    }
-
-    if (objMD.acl) {
-        metadataStoreParams.acl = objMD.acl;
-    }
-
-    metadataStoreParams.creationTime = objMD['creation-time'];
-    metadataStoreParams.lastModifiedDate = objMD['last-modified'];
-    metadataStoreParams.taggingCopy = objMD.tags;
-}
-
 /** overwritingVersioning - return versioning information for S3 to handle
  * storing version metadata with a specific version id.
  * @param {object} objMD - obj metadata
@@ -512,8 +471,10 @@ function restoreMetadata(objMD, metadataStoreParams) {
  *  version id of the null version
  */
 function overwritingVersioning(objMD, metadataStoreParams) {
+    /* eslint-disable no-param-reassign */
+    metadataStoreParams.creationTime = objMD['creation-time'];
+    metadataStoreParams.lastModifiedDate = objMD['last-modified'];
     metadataStoreParams.updateMicroVersionId = true;
-    metadataStoreParams.amzStorageClass = objMD['x-amz-storage-class'];
 
     // set correct originOp
     metadataStoreParams.originOp = 's3:ObjectRestore:Completed';
@@ -526,7 +487,7 @@ function overwritingVersioning(objMD, metadataStoreParams) {
         restoreRequestedAt: objMD.archive?.restoreRequestedAt,
         restoreRequestedDays: objMD.archive?.restoreRequestedDays,
         restoreCompletedAt: new Date(now),
-        restoreWillExpireAt: new Date(now + (days * scaledMsPerDay)),
+        restoreWillExpireAt: new Date(now + (days * oneDay)),
     };
 
     /* eslint-enable no-param-reassign */
@@ -542,8 +503,6 @@ function overwritingVersioning(objMD, metadataStoreParams) {
         };
     }
 
-    restoreMetadata(objMD, metadataStoreParams);
-
     return options;
 }
 

lib/api/apiUtils/object/websiteServing.js

@@ -101,33 +101,8 @@ function validateWebsiteHeader(header) {
     header.startsWith('http://') || header.startsWith('https://'));
 }
 
-/**
- * appendWebsiteIndexDocument - append index to objectKey if necessary
- * @param {object} request - normalized request object
- * @param {string} indexDocumentSuffix - index document from website config
- * @param {boolean} force - flag to force append index
- * @return {undefined}
- */
-function appendWebsiteIndexDocument(request, indexDocumentSuffix, force = false) {
-    const reqObjectKey = request.objectKey ? request.objectKey : '';
-    /* eslint-disable no-param-reassign */
-
-    // find index document if "directory" sent in request
-    if (reqObjectKey.endsWith('/')) {
-        request.objectKey += indexDocumentSuffix;
-    // find index document if no key provided
-    } else if (reqObjectKey === '') {
-        request.objectKey = indexDocumentSuffix;
-    // force for redirect 302 on folder without trailing / that has an index
-    } else if (force) {
-        request.objectKey += `/${indexDocumentSuffix}`;
-    }
-    /* eslint-enable no-param-reassign */
-}
-
 module.exports = {
     findRoutingRule,
     extractRedirectInfo,
     validateWebsiteHeader,
-    appendWebsiteIndexDocument,
 };

lib/api/apiUtils/quotas/quotaUtils.js

@@ -1,314 +0,0 @@
-const async = require('async');
-const { errors } = require('arsenal');
-const monitoring = require('../../../utilities/monitoringHandler');
-const {
-    actionNeedQuotaCheckCopy,
-    actionNeedQuotaCheck,
-    actionWithDataDeletion,
-} = require('arsenal').policies;
-const { config } = require('../../../Config');
-const QuotaService = require('../../../quotas/quotas');
-
-/**
- * Process the bytes to write based on the request and object metadata
- * @param {string} apiMethod - api method
- * @param {BucketInfo} bucket - bucket info
- * @param {string} versionId - version id of the object
- * @param {number} contentLength - content length of the object
- * @param {object} objMD - object metadata
- * @param {object} destObjMD - destination object metadata
- * @return {number} processed content length
- */
-function processBytesToWrite(apiMethod, bucket, versionId, contentLength, objMD, destObjMD = null) {
-    let bytes = contentLength;
-    if (apiMethod === 'objectRestore') {
-        // object is being restored
-        bytes = Number.parseInt(objMD['content-length'], 10);
-    } else if (!bytes && objMD?.['content-length']) {
-        if (apiMethod === 'objectCopy' || apiMethod === 'objectPutCopyPart') {
-            if (!destObjMD || bucket.isVersioningEnabled()) {
-                // object is being copied
-                bytes = Number.parseInt(objMD['content-length'], 10);
-            } else if (!bucket.isVersioningEnabled()) {
-                // object is being copied and replaces the target
-                bytes = Number.parseInt(objMD['content-length'], 10) -
-                    Number.parseInt(destObjMD['content-length'], 10);
-            }
-        } else if (!bucket.isVersioningEnabled() || bucket.isVersioningEnabled() && versionId) {
-            // object is being deleted
-            bytes = -Number.parseInt(objMD['content-length'], 10);
-        }
-    } else if (bytes && objMD?.['content-length'] && !bucket.isVersioningEnabled()) {
-        // object is being replaced: store the diff, if the bucket is not versioned
-        bytes = bytes - Number.parseInt(objMD['content-length'], 10);
-    }
-    return bytes || 0;
-}
-
-/**
- * Checks if a metric is stale based on the provided parameters.
- *
- * @param {Object} metric - The metric object to check.
- * @param {string} resourceType - The type of the resource.
- * @param {string} resourceName - The name of the resource.
- * @param {string} action - The action being performed.
- * @param {number} inflight - The number of inflight requests.
- * @param {Object} log - The logger object.
- * @returns {boolean} Returns true if the metric is stale, false otherwise.
- */
-function isMetricStale(metric, resourceType, resourceName, action, inflight, log) {
-    if (metric.date && Date.now() - new Date(metric.date).getTime() >
-        QuotaService.maxStaleness) {
-        log.warn('Stale metrics from the quota service, allowing the request', {
-            resourceType,
-            resourceName,
-            action,
-            inflight,
-        });
-        monitoring.requestWithQuotaMetricsUnavailable.inc();
-        return true;
-    }
-    return false;
-}
-
-/**
- * Evaluates quotas for a bucket and an account and update inflight count.
- *
- * @param {number} bucketQuota - The quota limit for the bucket.
- * @param {number} accountQuota - The quota limit for the account.
- * @param {object} bucket - The bucket object.
- * @param {object} account - The account object.
- * @param {number} inflight - The number of inflight requests.
- * @param {number} inflightForCheck - The number of inflight requests for checking quotas.
- * @param {string} action - The action being performed.
- * @param {object} log - The logger object.
- * @param {function} callback - The callback function to be called when evaluation is complete.
- * @returns {object} - The result of the evaluation.
- */
-function _evaluateQuotas(
-    bucketQuota,
-    accountQuota,
-    bucket,
-    account,
-    inflight,
-    inflightForCheck,
-    action,
-    log,
-    callback,
-) {
-    let bucketQuotaExceeded = false;
-    let accountQuotaExceeded = false;
-    const creationDate = new Date(bucket.getCreationDate()).getTime();
-    return async.parallel({
-        bucketQuota: parallelDone => {
-            if (bucketQuota > 0) {
-                return QuotaService.getUtilizationMetrics('bucket',
-                    `${bucket.getName()}_${creationDate}`, null, {
-                    action,
-                    inflight,
-                }, (err, bucketMetrics) => {
-                    if (err || inflight < 0) {
-                        return parallelDone(err);
-                    }
-                    if (!isMetricStale(bucketMetrics, 'bucket', bucket.getName(), action, inflight, log) &&
-                        bucketMetrics.bytesTotal + inflightForCheck > bucketQuota) {
-                        log.debug('Bucket quota exceeded', {
-                            bucket: bucket.getName(),
-                            action,
-                            inflight,
-                            quota: bucketQuota,
-                            bytesTotal: bucketMetrics.bytesTotal,
-                        });
-                        bucketQuotaExceeded = true;
-                    }
-                    return parallelDone();
-                });
-            }
-            return parallelDone();
-        },
-        accountQuota: parallelDone => {
-            if (accountQuota > 0 && account?.account) {
-                return QuotaService.getUtilizationMetrics('account',
-                    account.account, null, {
-                    action,
-                    inflight,
-                }, (err, accountMetrics) => {
-                    if (err || inflight < 0) {
-                        return parallelDone(err);
-                    }
-                    if (!isMetricStale(accountMetrics, 'account', account.account, action, inflight, log) &&
-                        accountMetrics.bytesTotal + inflightForCheck > accountQuota) {
-                        log.debug('Account quota exceeded', {
-                            accountId: account.account,
-                            action,
-                            inflight,
-                            quota: accountQuota,
-                            bytesTotal: accountMetrics.bytesTotal,
-                        });
-                        accountQuotaExceeded = true;
-                    }
-                    return parallelDone();
-                });
-            }
-            return parallelDone();
-        },
-    }, err => {
-        if (err) {
-            log.warn('Error evaluating quotas', {
-                error: err.name,
-                description: err.message,
-                isInflightDeletion: inflight < 0,
-            });
-        }
-        return callback(err, bucketQuotaExceeded, accountQuotaExceeded);
-    });
-}
-
-/**
- * Monitors the duration of quota evaluation for a specific API method.
- *
- * @param {string} apiMethod - The name of the API method being monitored.
- * @param {string} type - The type of quota being evaluated.
- * @param {string} code - The code associated with the quota being evaluated.
- * @param {number} duration - The duration of the quota evaluation in nanoseconds.
- * @returns {undefined} - Returns nothing.
- */
-function monitorQuotaEvaluationDuration(apiMethod, type, code, duration) {
-    monitoring.quotaEvaluationDuration.labels({
-        action: apiMethod,
-        type,
-        code,
-    }).observe(duration / 1e9);
-}
-
-/**
- *
- * @param {Request} request - request object
- * @param {BucketInfo} bucket - bucket object
- * @param {Account} account - account object
- * @param {array} apiNames - action names: operations to authorize
- * @param {string} apiMethod - the main API call
- * @param {number} inflight - inflight bytes
- * @param {boolean} isStorageReserved - Flag to check if the current quota, minus
- * the incoming bytes, are under the limit.
- * @param {Logger} log - logger
- * @param {function} callback - callback function
- * @returns {boolean} - true if the quota is valid, false otherwise
- */
-function validateQuotas(request, bucket, account, apiNames, apiMethod, inflight, isStorageReserved, log, callback) {
-    if (!config.isQuotaEnabled() || (!inflight && isStorageReserved)) {
-        return callback(null);
-    }
-    let type;
-    let bucketQuotaExceeded = false;
-    let accountQuotaExceeded = false;
-    let quotaEvaluationDuration;
-    const requestStartTime = process.hrtime.bigint();
-    const bucketQuota = bucket.getQuota();
-    const accountQuota = account?.quota || 0;
-    const shouldSendInflights = config.isQuotaInflightEnabled();
-
-    if (bucketQuota && accountQuota) {
-        type = 'bucket+account';
-    } else if (bucketQuota) {
-        type = 'bucket';
-    } else {
-        type = 'account';
-    }
-
-    if (actionWithDataDeletion[apiMethod]) {
-        type = 'delete';
-    }
-
-    if ((bucketQuota <= 0 && accountQuota <= 0) || !QuotaService?.enabled) {
-        if (bucketQuota > 0 || accountQuota > 0) {
-            log.warn('quota is set for a bucket, but the quota service is disabled', {
-                bucketName: bucket.getName(),
-            });
-            monitoring.requestWithQuotaMetricsUnavailable.inc();
-        }
-        return callback(null);
-    }
-
-    if (isStorageReserved) {
-        // eslint-disable-next-line no-param-reassign
-        inflight = 0;
-    }
-
-    return async.forEach(apiNames, (apiName, done) => {
-        // Object copy operations first check the target object,
-        // meaning the source object, containing the current bytes,
-        // is checked second. This logic handles these APIs calls by
-        // ensuring the bytes are positives (i.e., not an object
-        // replacement).
-        if (actionNeedQuotaCheckCopy(apiName, apiMethod)) {
-            // eslint-disable-next-line no-param-reassign
-            inflight = Math.abs(inflight);
-        } else if (!actionNeedQuotaCheck[apiName] && !actionWithDataDeletion[apiName]) {
-            return done();
-        }
-        // When inflights are disabled, the sum of the current utilization metrics
-        // and the current bytes are compared with the quota. The current bytes
-        // are not sent to the utilization service. When inflights are enabled,
-        // the sum of the current utilization metrics only are compared with the
-        // quota. They include the current inflight bytes sent in the request.
-        let _inflights = shouldSendInflights ? inflight : undefined;
-        const inflightForCheck = shouldSendInflights ? 0 : inflight;
-        return _evaluateQuotas(bucketQuota, accountQuota, bucket, account, _inflights,
-            inflightForCheck, apiName, log,
-            (err, _bucketQuotaExceeded, _accountQuotaExceeded) => {
-                if (err) {
-                    return done(err);
-                }
-
-                bucketQuotaExceeded = _bucketQuotaExceeded;
-                accountQuotaExceeded = _accountQuotaExceeded;
-
-                // Inflights are inverted: in case of cleanup, we just re-issue
-                // the same API call.
-                if (_inflights) {
-                    _inflights = -_inflights;
-                }
-
-                request.finalizerHooks.push((errorFromAPI, _done) => {
-                    const code = (bucketQuotaExceeded || accountQuotaExceeded) ? 429 : 200;
-                    const quotaCleanUpStartTime = process.hrtime.bigint();
-                    // Quotas are cleaned only in case of error in the API
-                    async.waterfall([
-                        cb => {
-                            if (errorFromAPI) {
-                                return _evaluateQuotas(bucketQuota, accountQuota, bucket, account, _inflights,
-                                    null, apiName, log, cb);
-                            }
-                            return cb();
-                        },
-                    ], () => {
-                        monitorQuotaEvaluationDuration(apiMethod, type, code, quotaEvaluationDuration +
-                            Number(process.hrtime.bigint() - quotaCleanUpStartTime));
-                        return _done();
-                    });
-                });
-
-                return done();
-            });
-    }, err => {
-        quotaEvaluationDuration = Number(process.hrtime.bigint() - requestStartTime);
-        if (err) {
-            log.warn('Error getting metrics from the quota service, allowing the request', {
-                error: err.name,
-                description: err.message,
-            });
-        }
-        if (!actionWithDataDeletion[apiMethod] &&
-            (bucketQuotaExceeded || accountQuotaExceeded)) {
-            return callback(errors.QuotaExceeded);
-        }
-        return callback();
-    });
-}
-
-module.exports = {
-    processBytesToWrite,
-    isMetricStale,
-    validateQuotas,
-};

lib/api/bucketDeleteCors.js

@@ -38,8 +38,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {
         }
         log.trace('found bucket in metadata');
 
-        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
-            authInfo, log, request, request.actionImplicitDenies)) {
+            request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketDeleteCors',

lib/api/bucketDeleteEncryption.js

@@ -21,7 +21,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketDeleteEncryption',
+        requestType: 'bucketDeleteEncryption',
         request,
     };
 

lib/api/bucketDeleteLifecycle.js

@@ -18,7 +18,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketDeleteLifecycle',
+        requestType: 'bucketDeleteLifecycle',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketDeletePolicy.js

@@ -16,7 +16,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketDeletePolicy',
+        requestType: 'bucketDeletePolicy',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketDeleteQuota.js

@@ -1,58 +0,0 @@
-const { waterfall } = require('async');
-const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
-const metadata = require('../metadata/wrapper');
-const { pushMetric } = require('../utapi/utilities');
-const monitoring = require('../utilities/monitoringHandler');
-
-const requestType = 'bucketDeleteQuota';
-
-/**
- * Bucket Update Quota - Update bucket quota
- * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
- * @param {object} request - http request object
- * @param {object} log - Werelogs logger
- * @param {function} callback - callback to server
- * @return {undefined}
- */
-function bucketDeleteQuota(authInfo, request, log, callback) {
-    log.debug('processing request', { method: 'bucketDeleteQuota' });
-
-    const { bucketName } = request;
-    const metadataValParams = {
-        authInfo,
-        bucketName,
-        requestType: request.apiMethods || requestType,
-        request,
-    };
-    return waterfall([
-        next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
-            (err, bucket) => next(err, bucket)),
-        (bucket, next) => {
-            bucket.setQuota(0);
-            metadata.updateBucket(bucket.getName(), bucket, log, err =>
-                next(err, bucket));
-        },
-    ], (err, bucket) => {
-        const corsHeaders = collectCorsHeaders(request.headers.origin,
-            request.method, bucket);
-        if (err) {
-            log.debug('error processing request', {
-                error: err,
-                method: 'bucketDeleteQuota'
-            });
-            monitoring.promMetrics('DELETE', bucketName, err.code,
-                'bucketDeleteQuota');
-            return callback(err, err.code, corsHeaders);
-        }
-        monitoring.promMetrics(
-            'DELETE', bucketName, '204', 'bucketDeleteQuota');
-        pushMetric('bucketDeleteQuota', log, {
-            authInfo,
-            bucket: bucketName,
-        });
-        return callback(null, 204, corsHeaders);
-    });
-}
-
-module.exports = bucketDeleteQuota;

lib/api/bucketDeleteReplication.js

@@ -18,7 +18,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketDeleteReplication',
+        requestType: 'bucketDeleteReplication',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketDeleteTagging.js

@@ -21,19 +21,15 @@ function bucketDeleteTagging(authInfo, request, log, callback) {
         authInfo,
         bucketName,
         requestType: request.apiMethods || 'bucketDeleteTagging',
-        request,
     };
 
     let bucket = null;
     return waterfall([
         next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
             (err, b) => {
-                if (err) {
-                    return next(err);
-                }
                 bucket = b;
                 bucket.setTags([]);
-                return next();
+                return next(err);
             }),
         next => metadata.updateBucket(bucket.getName(), bucket, log, next),
     ], err => {

lib/api/bucketDeleteWebsite.js

@@ -30,8 +30,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
         }
         log.trace('found bucket in metadata');
 
-        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
-            authInfo, log, request, request.actionImplicitDenies)) {
+            request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketDeleteWebsite',

lib/api/bucketGet.js

@@ -322,7 +322,7 @@ function bucketGet(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGet',
+        requestType: 'bucketGet',
         request,
     };
     const listParams = {

lib/api/bucketGetACL.js

@@ -44,7 +44,7 @@ function bucketGetACL(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetACL',
+        requestType: 'bucketGetACL',
         request,
     };
     const grantInfo = {

lib/api/bucketGetCors.js

@@ -39,8 +39,8 @@ function bucketGetCors(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
-            authInfo, log, request, request.actionImplicitDenies)) {
+            request, request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetCors',

lib/api/bucketGetEncryption.js

@@ -22,7 +22,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetEncryption',
+        requestType: 'bucketGetEncryption',
         request,
     };
 

lib/api/bucketGetLifecycle.js

@@ -21,7 +21,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetLifecycle',
+        requestType: 'bucketGetLifecycle',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketGetLocation.js

@@ -41,8 +41,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
-            authInfo, log, request, request.actionImplicitDenies)) {
+            request.actionImplicitDenies)) {
             log.debug('access denied for account on bucket', {
                 requestType,
                 method: 'bucketGetLocation',

lib/api/bucketGetNotification.js

@@ -37,7 +37,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetNotification',
+        requestType: 'bucketGetNotification',
         request,
     };
 

lib/api/bucketGetObjectLock.js

@@ -33,7 +33,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetObjectLock',
+        requestType: 'bucketGetObjectLock',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketGetPolicy.js

@@ -17,7 +17,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetPolicy',
+        requestType: 'bucketGetPolicy',
         request,
     };
 

lib/api/bucketGetQuota.js

@@ -1,58 +0,0 @@
-const { errors } = require('arsenal');
-const { pushMetric } = require('../utapi/utilities');
-const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
-const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-
-/**
- * bucketGetQuota - Get the bucket quota
- * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
- * @param {object} request - http request object
- * @param {object} log - Werelogs logger
- * @param {function} callback - callback to server
- * @return {undefined}
- */
-function bucketGetQuota(authInfo, request, log, callback) {
-    log.debug('processing request', { method: 'bucketGetQuota' });
-    const { bucketName, headers, method } = request;
-    const metadataValParams = {
-        authInfo,
-        bucketName,
-        requestType: request.apiMethods || 'bucketGetQuota',
-        request,
-    };
-    const xml = [];
-
-    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
-        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
-        if (err) {
-            log.debug('error processing request', {
-                error: err,
-                method: 'bucketGetQuota',
-            });
-            return callback(err, null, corsHeaders);
-        }
-        xml.push(
-            '<?xml version="1.0" encoding="UTF-8"?>',
-            '<GetBucketQuota>',
-            '<Name>', bucket.getName(), '</Name>',
-        );
-        const bucketQuota = bucket.getQuota();
-        if (!bucketQuota) {
-            log.debug('bucket has no quota', {
-                method: 'bucketGetQuota',
-            });
-            return callback(errors.NoSuchQuota, null,
-                corsHeaders);
-        }
-        xml.push('<Quota>', bucketQuota, '</Quota>',
-            '</GetBucketQuota>');
-
-        pushMetric('getBucketQuota', log, {
-            authInfo,
-            bucket: bucketName,
-        });
-        return callback(null, xml.join(''), corsHeaders);
-    });
-}
-
-module.exports = bucketGetQuota;

lib/api/bucketGetReplication.js

@@ -21,7 +21,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetReplication',
+        requestType: 'bucketGetReplication',
         request,
     };
     return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketGetTagging.js

@@ -37,7 +37,7 @@ const escapeForXml = s3middleware.escapeForXml;
 function tagsToXml(tags) {
     const xml = [];
 
-    xml.push('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Tagging> <TagSet>');
+    xml.push('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Tagging><TagSet>');
 
     tags.forEach(tag => {
         xml.push('<Tag>');
@@ -46,7 +46,7 @@ function tagsToXml(tags) {
         xml.push('</Tag>');
     });
 
-    xml.push('</TagSet> </Tagging>');
+    xml.push('</TagSet></Tagging>');
 
     return xml.join('');
 }

lib/api/bucketGetVersioning.js

@@ -54,7 +54,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketGetVersioning',
+        requestType: 'bucketGetVersioning',
         request,
     };
 

lib/api/bucketGetWebsite.js

@@ -39,8 +39,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
 
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
-        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
-            authInfo, log, request, request.actionImplicitDenies)) {
+            request, request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetWebsite',

lib/api/bucketHead.js

@@ -19,7 +19,7 @@ function bucketHead(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketHead',
+        requestType: 'bucketHead',
         request,
     };
     standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {

lib/api/bucketPut.js

@@ -45,8 +45,9 @@ function checkLocationConstraint(request, locationConstraint, log) {
     } else if (parsedHost && restEndpoints[parsedHost]) {
         locationConstraintChecked = restEndpoints[parsedHost];
     } else {
-        locationConstraintChecked = Object.keys(locationConstrains)[0];
+        log.trace('no location constraint provided on bucket put;' +
-        log.trace('no location constraint provided on bucket put; setting '+locationConstraintChecked);
+            'setting us-east-1');
+        locationConstraintChecked = 'us-east-1';
     }
 
     if (!locationConstraints[locationConstraintChecked]) {

lib/api/bucketPutCors.js

@@ -70,8 +70,8 @@ function bucketPutCors(authInfo, request, log, callback) {
             });
         },
         function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
-            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
-                authInfo, log, request, request.actionImplicitDenies)) {
+                log, request, request.actionImplicitDenies)) {
                 log.debug('access denied for account on bucket', {
                     requestType,
                 });

lib/api/bucketPutObjectLock.js

@@ -26,7 +26,7 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'bucketPutObjectLock',
+        requestType: 'bucketPutObjectLock',
         request,
     };
     return waterfall([

lib/api/bucketPutPolicy.js

@@ -1,5 +1,6 @@
 const async = require('async');
 const { errors, models } = require('arsenal');
+
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const metadata = require('../metadata/wrapper');
 const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
@@ -65,7 +66,17 @@ function bucketPutPolicy(authInfo, request, log, callback) {
                     return next(errors.MalformedPolicy.customizeDescription(
                         'Policy has invalid resource'));
                 }
-                return next(validatePolicyConditions(bucketPolicy), bucketPolicy);
+                return next(null, bucketPolicy);
+            });
+        },
+        (bucketPolicy, next) => {
+            process.nextTick(() => {
+                // if policy contains conditions, validate them, and return relevant error if there is one
+                const conditionsError = validatePolicyConditions(bucketPolicy);
+                if (conditionsError) {
+                    return next(errors.MalformedPolicy.customizeDescription(conditionsError));
+                }
+                return next(null, bucketPolicy);
             });
         },
         (bucketPolicy, next) => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,

lib/api/bucketPutTagging.js

@@ -39,7 +39,6 @@ function bucketPutTagging(authInfo, request, log, callback) {
         authInfo,
         bucketName,
         requestType: request.apiMethods || 'bucketPutTagging',
-        request,
     };
     let bucket = null;
     return waterfall([

lib/api/bucketPutWebsite.js

@@ -49,8 +49,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
             });
         },
         function validateBucketAuthorization(bucket, config, next) {
-            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
-                authInfo, log, request, request.actionImplicitDenies)) {
+                log, request, request.actionImplicitDenies)) {
                 log.debug('access denied for user on bucket', {
                     requestType,
                     method: 'bucketPutWebsite',

lib/api/bucketUpdateQuota.js

@@ -1,85 +0,0 @@
-const { waterfall } = require('async');
-const { errors } = require('arsenal');
-const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
-const metadata = require('../metadata/wrapper');
-const { pushMetric } = require('../utapi/utilities');
-const monitoring = require('../utilities/monitoringHandler');
-const { parseString } = require('xml2js');
-
-function validateBucketQuotaProperty(requestBody, next) {
-    const quota = requestBody.quota;
-    const quotaValue = parseInt(quota, 10);
-    if (Number.isNaN(quotaValue)) {
-        return next(errors.InvalidArgument.customizeDescription('Quota Value should be a number'));
-    }
-    if (quotaValue <= 0) {
-        return next(errors.InvalidArgument.customizeDescription('Quota value must be a positive number'));
-    }
-    return next(null, quotaValue);
-}
-
-function parseRequestBody(requestBody, next) {
-    try {
-        const jsonData = JSON.parse(requestBody);
-        if (typeof jsonData !== 'object') {
-            throw new Error('Invalid JSON');
-        }
-        return next(null, jsonData);
-    } catch (jsonError) {
-        return parseString(requestBody, (xmlError, xmlData) => {
-            if (xmlError) {
-                return next(errors.InvalidArgument.customizeDescription('Request body must be a JSON object'));
-            }
-            return next(null, xmlData);
-        });
-    }
-}
-
-function bucketUpdateQuota(authInfo, request, log, callback) {
-    log.debug('processing request', { method: 'bucketUpdateQuota' });
-
-    const { bucketName } = request;
-    const metadataValParams = {
-        authInfo,
-        bucketName,
-        requestType: request.apiMethods || 'bucketUpdateQuota',
-        request,
-    };
-    let bucket = null;
-    return waterfall([
-        next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
-            (err, b) => {
-                bucket = b;
-                return next(err, bucket);
-            }),
-        (bucket, next) => parseRequestBody(request.post, (err, requestBody) => next(err, bucket, requestBody)),
-        (bucket, requestBody, next) => validateBucketQuotaProperty(requestBody, (err, quotaValue) =>
-            next(err, bucket, quotaValue)),
-        (bucket, quotaValue, next) => {
-            bucket.setQuota(quotaValue);
-            return metadata.updateBucket(bucket.getName(), bucket, log, next);
-        },
-    ], (err, bucket) => {
-        const corsHeaders = collectCorsHeaders(request.headers.origin,
-            request.method, bucket);
-        if (err) {
-            log.debug('error processing request', {
-                error: err,
-                method: 'bucketUpdateQuota'
-            });
-            monitoring.promMetrics('PUT', bucketName, err.code,
-                'updateBucketQuota');
-            return callback(err, err.code, corsHeaders);
-        }
-        monitoring.promMetrics(
-            'PUT', bucketName, '200', 'updateBucketQuota');
-        pushMetric('updateBucketQuota', log, {
-            authInfo,
-            bucket: bucketName,
-        });
-        return callback(null, corsHeaders);
-    });
-}
-
-module.exports = bucketUpdateQuota;

lib/api/completeMultipartUpload.js

@@ -21,6 +21,8 @@ const { validateAndFilterMpuParts, generateMpuPartStorageInfo } =
 const locationKeysHaveChanged
     = require('./apiUtils/object/locationKeysHaveChanged');
 const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
+
+const logger = require('../utilities/logger');
 const { validatePutVersionId } = require('./apiUtils/object/coldStorage');
 
 const versionIdUtils = versioning.VersionID;
@@ -80,7 +82,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
         uploadId,
         // Note: permissions for completing a multipart upload are the
         // same as putting a part.
-        requestType: request.apiMethods || 'putPart or complete',
+        requestType: 'putPart or complete',
         log,
         request,
     };
@@ -131,9 +133,8 @@ function completeMultipartUpload(authInfo, request, log, callback) {
                 bucketName,
                 // Required permissions for this action
                 // at the destinationBucket level are same as objectPut
-                requestType: request.apiMethods || 'completeMultipartUpload',
+                requestType: 'objectPut',
                 versionId,
-                request,
             };
             standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log, next);
         },
@@ -474,9 +475,12 @@ function completeMultipartUpload(authInfo, request, log, callback) {
                         const newDataStoreName =
                             Array.isArray(dataLocations) && dataLocations[0] ?
                             dataLocations[0].dataStoreName : null;
+                        const delLog =
+                            logger.newRequestLoggerFromSerializedUids(log
+                            .getSerializedUids());
                         return data.batchDelete(dataToDelete,
                             request.method,
-                            newDataStoreName, log, err => {
+                            newDataStoreName, delLog, err => {
                                 if (err) {
                                     return next(err);
                                 }
@@ -499,8 +503,10 @@ function completeMultipartUpload(authInfo, request, log, callback) {
         function batchDeleteExtraParts(extraPartLocations, destinationBucket,
             aggregateETag, generatedVersionId, next) {
             if (extraPartLocations && extraPartLocations.length > 0) {
+                const delLog = logger.newRequestLoggerFromSerializedUids(
+                    log.getSerializedUids());
                 return data.batchDelete(extraPartLocations, request.method,
-                    null, log, err => {
+                    null, delLog, err => {
                         if (err) {
                             return next(err);
                         }

lib/api/initiateMultipartUpload.js

@@ -6,7 +6,6 @@ const convertToXml = s3middleware.convertToXml;
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { hasNonPrintables } = require('../utilities/stringChecks');
-const { config } = require('../Config');
 const { cleanUpBucket } = require('./apiUtils/bucket/bucketCreation');
 const constants = require('../../constants');
 const services = require('../services');
@@ -66,7 +65,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
     const websiteRedirectHeader =
         request.headers['x-amz-website-redirect-location'];
     if (request.headers['x-amz-storage-class'] &&
-        !config.locationConstraints[request.headers['x-amz-storage-class']]) {
+        !constants.validStorageClasses.includes(request.headers['x-amz-storage-class'])) {
         log.trace('invalid storage-class header');
         monitoring.promMetrics('PUT', bucketName,
             errors.InvalidStorageClass.code, 'initiateMultipartUpload');
@@ -106,7 +105,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
         authInfo,
         bucketName,
         // Required permissions for this action are same as objectPut
-        requestType: request.apiMethods || 'initiateMultipartUpload',
+        requestType: 'objectPut',
         request,
     };
     const accountCanonicalID = authInfo.getCanonicalID();

lib/api/listMultipartUploads.js

@@ -96,8 +96,8 @@ function listMultipartUploads(authInfo, request, log, callback) {
         // to list the multipart uploads so we have provided here that
         // the authorization to list multipart uploads is the same
         // as listing objects in a bucket.
-        requestType: request.apiMethods || 'bucketGet',
+        requestType: 'bucketGet',
-        preciseRequestType: request.apiMethods || 'listMultipartUploads',
+        preciseRequestType: 'listMultipartUploads',
         request,
     };
 

lib/api/listParts.js

@@ -97,7 +97,7 @@ function listParts(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         uploadId,
-        preciseRequestType: request.apiMethods || 'listParts',
+        preciseRequestType: 'listParts',
         request,
     };
     // For validating the request at the destinationBucket level

lib/api/metadataSearch.js

@@ -71,7 +71,7 @@ function metadataSearch(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: request.apiMethods || 'metadataSearch',
+        requestType: 'metadataSearch',
         request,
     };
     const listParams = {

lib/api/multiObjectDelete.js

@@ -23,15 +23,13 @@ const { isRequesterNonAccountUser } = require('./apiUtils/authorization/permissi
 const { hasGovernanceBypassHeader, checkUserGovernanceBypass, ObjectLockInfo }
     = require('./apiUtils/object/objectLockHelpers');
 const requestUtils = policies.requestUtils;
-const { validObjectKeys } = require('../routes/routeVeeam');
+const { data } = require('../data/wrapper');
-const { deleteVeeamCapabilities } = require('../routes/veeam/delete');
+const logger = require('../utilities/logger');
 const { _bucketRequiresOplogUpdate } = require('./apiUtils/object/deleteObject');
 const { overheadField } = require('../../constants');
 
 const versionIdUtils = versioning.VersionID;
-const { data } = require('../data/wrapper');
+
-const logger = require('../utilities/logger');
-const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
 
 /*
    Format of xml request:
@@ -333,9 +331,6 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
 
                     return callback(null, objMD, versionId);
                 },
-                (objMD, versionId, callback) => validateQuotas(
-                    request, bucket, request.accountQuotas, ['objectDelete'], 'objectDelete',
-                        -objMD?.['content-length'] || 0, false, log, err => callback(err, objMD, versionId)),
                 (objMD, versionId, callback) => {
                     const options = preprocessingVersioningDelete(
                         bucketName, bucket, objMD, versionId, config.nullVersionCompatMode);
@@ -351,8 +346,7 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
                             options.replayId = objMD.uploadId;
                         }
                         return services.deleteObject(bucketName, objMD,
-                            entry.key, options, config.multiObjectDeleteEnableOptimizations, log,
+                            entry.key, options, config.multiObjectDeleteEnableOptimizations, log, (err, toDelete) => {
-                            's3:ObjectRemoved:Delete', (err, toDelete) => {
                                 if (err) {
                                     return callback(err);
                                 }
@@ -366,9 +360,8 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
                     // This call will create a delete-marker
                     return createAndStoreObject(bucketName, bucket, entry.key,
                         objMD, authInfo, canonicalID, null, request,
-                        deleteInfo.newDeleteMarker, null, overheadField, log,
+                        deleteInfo.newDeleteMarker, null, overheadField, log, (err, result) =>
-                        's3:ObjectRemoved:DeleteMarkerCreated', (err, result) =>
+                        callback(err, objMD, deleteInfo, result.versionId));
-                            callback(err, objMD, deleteInfo, result.versionId));
                 },
             ], (err, objMD, deleteInfo, versionId) => {
                 if (err === skipError) {
@@ -482,7 +475,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
         return callback(errors.BadDigest);
     }
 
-    const inPlayInternal = [];
     const bucketName = request.bucketName;
     const canonicalID = authInfo.getCanonicalID();
 
@@ -508,9 +500,8 @@ function multiObjectDelete(authInfo, request, log, callback) {
                 if (bucketShield(bucketMD, 'objectDelete')) {
                     return next(errors.NoSuchBucket);
                 }
-                // The implicit deny flag is ignored in the DeleteObjects API, as authorization only
+                if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request,
-                // affects the objects.
+                    request.actionImplicitDenies)) {
-                if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request)) {
                     log.trace("access denied due to bucket acl's");
                     // if access denied at the bucket level, no access for
                     // any of the objects so all results will be error results
@@ -640,11 +631,7 @@ function multiObjectDelete(authInfo, request, log, callback) {
                             request);
 
                         if (areAllActionsAllowed) {
-                            if (validObjectKeys.includes(entry.key)) {
+                            inPlay.push(entry);
-                                inPlayInternal.push(entry.key);
-                            } else {
-                                inPlay.push(entry);
-                            }
                         } else {
                             errorResults.push({
                                 entry,
@@ -655,11 +642,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
                     return next(null, quietSetting, errorResults, inPlay, bucketMD);
                 });
         },
-        function handleInternalFiles(quietSetting, errorResults, inPlay, bucketMD, next) {
-            return async.each(inPlayInternal,
-                (localInPlay, next) => deleteVeeamCapabilities(bucketName, localInPlay, bucketMD, log, next),
-                err => next(err, quietSetting, errorResults, inPlay, bucketMD));
-        },
         function getObjMetadataAndDeleteStep(quietSetting, errorResults, inPlay,
             bucket, next) {
             return getObjMetadataAndDelete(authInfo, canonicalID, request,

lib/api/objectCopy.js

@@ -12,6 +12,7 @@ const { checkQueryVersionId, versioningPreprocessing }
     = require('./apiUtils/object/versioning');
 const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
 const { data } = require('../data/wrapper');
+const logger = require('../utilities/logger');
 const services = require('../services');
 const { pushMetric } = require('../utapi/utilities');
 const removeAWSChunked = require('./apiUtils/object/removeAWSChunked');
@@ -23,7 +24,6 @@ const monitoring = require('../utilities/monitoringHandler');
 const applyZenkoUserMD = require('./apiUtils/object/applyZenkoUserMD');
 const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
 const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
-const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
 
 const versionIdUtils = versioning.VersionID;
 const locationHeader = constants.objectLocationConstraintHeader;
@@ -220,14 +220,6 @@ function objectCopy(authInfo, request, sourceBucket,
         versionId: sourceVersionId,
         getDeleteMarker: true,
         requestType: 'objectGet',
-        /**
-         * Authorization will first check the target object, with an objectPut
-         * action. But in this context, the source object metadata is still
-         * unknown. In the context of quotas, to know the number of bytes that
-         * are being written, we explicitly enable the quota evaluation logic
-         * during the objectGet action instead.
-         */
-        checkQuota: true,
         request,
     };
     const valPutParams = {
@@ -235,7 +227,6 @@ function objectCopy(authInfo, request, sourceBucket,
         bucketName: destBucketName,
         objectKey: destObjectKey,
         requestType: 'objectPut',
-        checkQuota: false,
         request,
     };
     const dataStoreContext = {
@@ -249,7 +240,7 @@ function objectCopy(authInfo, request, sourceBucket,
     const responseHeaders = {};
 
     if (request.headers['x-amz-storage-class'] &&
-        !config.locationConstraints[request.headers['x-amz-storage-class']]) {
+        !constants.validStorageClasses.includes(request.headers['x-amz-storage-class'])) {
         log.trace('invalid storage-class header');
         monitoring.promMetrics('PUT', destBucketName,
             errors.InvalidStorageClass.code, 'copyObject');
@@ -287,10 +278,7 @@ function objectCopy(authInfo, request, sourceBucket,
                 });
         },
         function checkSourceAuthorization(destBucketMD, destObjMD, next) {
-            return standardMetadataValidateBucketAndObj({
+            return standardMetadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
-                ...valGetParams,
-                destObjMD,
-            }, request.actionImplicitDenies, log,
                 (err, sourceBucketMD, sourceObjMD) => {
                     if (err) {
                         log.debug('error validating get part of request',
@@ -303,11 +291,6 @@ function objectCopy(authInfo, request, sourceBucket,
                         log.debug('no source object', { sourceObject });
                         return next(err, null, destBucketMD);
                     }
-                    // check if object data is in a cold storage
-                    const coldErr = verifyColdObjectAvailable(sourceObjMD);
-                    if (coldErr) {
-                        return next(coldErr, null);
-                    }
                     if (sourceObjMD.isDeleteMarker) {
                         log.debug('delete marker on source object',
                         { sourceObject });
@@ -544,8 +527,10 @@ function objectCopy(authInfo, request, sourceBucket,
             // the same as the destination
             if (!sourceIsDestination && dataToDelete) {
                 const newDataStoreName = storeMetadataParams.dataStoreName;
+                const delLog = logger.newRequestLoggerFromSerializedUids(
+                    log.getSerializedUids());
                 return data.batchDelete(dataToDelete, request.method,
-                    newDataStoreName, log, err => {
+                    newDataStoreName, delLog, err => {
                         if (err) {
                             // if error, log the error and move on as it is not
                             // relevant to the client as the client's

lib/api/objectDelete.js

@@ -21,17 +21,16 @@ const objectLockedError = new Error('object locked');
 const { overheadField } = require('../../constants');
 
 /**
- * objectDeleteInternal - DELETE an object from a bucket
+ * objectDelete - DELETE an object from a bucket
  * @param {AuthInfo} authInfo - requester's infos
  * @param {object} request - request object given by router,
  *                           includes normalized headers
  * @param {Logger} log - werelogs request instance
- * @param {boolean} isExpiration - true if the call comes from LifecycleExpiration
  * @param {function} cb - final cb to call with the result and response headers
  * @return {undefined}
  */
-function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
+function objectDelete(authInfo, request, log, cb) {
-    log.debug('processing request', { method: 'objectDeleteInternal' });
+    log.debug('processing request', { method: 'objectDelete' });
     if (authInfo.isRequesterPublicUser()) {
         log.debug('operation not available for public user');
         monitoring.promMetrics(
@@ -56,7 +55,7 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
         bucketName,
         objectKey,
         versionId: reqVersionId,
-        requestType: request.apiMethods || 'objectDelete',
+        requestType: 'objectDelete',
         request,
     };
 
@@ -167,10 +166,7 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
                 // source does not have versioning.
                 return createAndStoreObject(bucketName, bucketMD, objectKey,
                     objectMD, authInfo, canonicalID, null, request, true, null,
-                    log, isExpiration ?
+                    log, err => {
-                        's3:LifecycleExpiration:DeleteMarkerCreated' :
-                        's3:ObjectRemoved:DeleteMarkerCreated',
-                    err => {
                         if (err) {
                             return next(err);
                         }
@@ -180,11 +176,9 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
                             deleteInfo.removeDeleteMarker = true;
                         }
                         return services.deleteObject(bucketName, objectMD,
-                            objectKey, delOptions, false, log, isExpiration ?
+                            objectKey, delOptions, log, (err, delResult) =>
-                                's3:LifecycleExpiration:Delete' :
+                            next(err, bucketMD, objectMD, delResult,
-                                's3:ObjectRemoved:Delete',
+                                deleteInfo));
-                            (err, delResult) =>
-                                next(err, bucketMD, objectMD, delResult,  deleteInfo));
                     });
             }
             if (delOptions && delOptions.deleteData) {
@@ -205,20 +199,14 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
                 }
 
                 return services.deleteObject(bucketName, objectMD, objectKey,
-                    delOptions, false, log, isExpiration ?
+                    delOptions, false, log, (err, delResult) => next(err, bucketMD,
-                        's3:LifecycleExpiration:Delete' :
+                    objectMD, delResult, deleteInfo));
-                        's3:ObjectRemoved:Delete',
-                    (err, delResult) => next(err, bucketMD,
-                        objectMD, delResult, deleteInfo));
             }
             // putting a new delete marker
             deleteInfo.newDeleteMarker = true;
             return createAndStoreObject(bucketName, bucketMD,
                 objectKey, objectMD, authInfo, canonicalID, null, request,
-                deleteInfo.newDeleteMarker, null, overheadField, log, isExpiration ?
+                deleteInfo.newDeleteMarker, null, overheadField, log, (err, newDelMarkerRes) => {
-                    's3:LifecycleExpiration:DeleteMarkerCreated' :
-                    's3:ObjectRemoved:DeleteMarkerCreated',
-                (err, newDelMarkerRes) => {
                     next(err, bucketMD, objectMD, newDelMarkerRes, deleteInfo);
                 });
         },
@@ -307,21 +295,4 @@ function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
     });
 }
 
-/**
+module.exports = objectDelete;
- * This function is used to delete an object from a bucket. The bucket must
- * already exist and the user must have permission to delete the object.
- * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
- * @param {object} request - http request object
- * @param {werelogs.Logger} log - Logger object
- * @param {function} cb - callback to server
- * @return {undefined}
- */
-function objectDelete(authInfo, request, log, cb) {
-    log.debug('processing request', { method: 'objectDelete' });
-    return objectDeleteInternal(authInfo, request, log, false, cb);
-}
-
-module.exports = {
-    objectDelete,
-    objectDeleteInternal,
-};

lib/api/objectDeleteTagging.js

@@ -44,7 +44,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
         objectKey,
         versionId: reqVersionId,
         getDeleteMarker: true,
-        requestType: request.apiMethods || 'objectDeleteTagging',
+        requestType: 'objectDeleteTagging',
         request,
     };
 
@@ -91,7 +91,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
         },
         (bucket, objectMD, next) =>
             // if external backends handles tagging
-            data.objectTagging('Delete', objectKey, bucket.getName(), objectMD,
+            data.objectTagging('Delete', objectKey, bucket, objectMD,
             log, err => next(err, bucket, objectMD)),
     ], (err, bucket, objectMD) => {
         const additionalResHeaders = collectCorsHeaders(request.headers.origin,

lib/api/objectGet.js

@@ -21,7 +21,6 @@ const { locationConstraints } = config;
 const monitoring = require('../utilities/monitoringHandler');
 const { getPartCountFromMd5 } = require('./apiUtils/object/partInfo');
 const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
-const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
 
 const validateHeaders = s3middleware.validateConditionalHeaders;
 
@@ -66,7 +65,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
         objectKey,
         versionId,
         getDeleteMarker: true,
-        requestType: request.apiMethods || 'objectGet',
+        requestType: 'objectGet',
         request,
     };
 
@@ -90,12 +89,16 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
             return callback(err, null, corsHeaders);
         }
         const verCfg = bucket.getVersioningConfiguration();
-        // check if object data is in a cold storage
+        if (objMD.archive &&
-        const coldErr = verifyColdObjectAvailable(objMD);
+            // Object is in cold backend
-        if (coldErr) {
+            (!objMD.archive.restoreRequestedAt ||
+            // Object is being restored
+            (objMD.archive.restoreRequestedAt &&
+                !objMD.archive.restoreCompletedAt))) {
+            const error = errors.InvalidObjectState;
             monitoring.promMetrics(
-                'GET', bucketName, coldErr.code, 'getObject');
+                'GET', bucketName, error.code, 'getObject');
-            return callback(coldErr, null, corsHeaders);
+            return callback(error, null, corsHeaders);
         }
         if (objMD.isDeleteMarker) {
             const responseMetaHeaders = Object.assign({},

lib/api/objectGetACL.js

@@ -61,7 +61,7 @@ function objectGetACL(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId,
-        requestType: request.apiMethods || 'objectGetACL',
+        requestType: 'objectGetACL',
         request,
     };
     const grantInfo = {

lib/api/objectGetLegalHold.js

@@ -40,7 +40,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId,
-        requestType: request.apiMethods || 'objectGetLegalHold',
+        requestType: 'objectGetLegalHold',
         request,
     };
 

lib/api/objectGetRetention.js

@@ -40,7 +40,7 @@ function objectGetRetention(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId: reqVersionId,
-        requestType: request.apiMethods || 'objectGetRetention',
+        requestType: 'objectGetRetention',
         request,
     };
 

lib/api/objectGetTagging.js

@@ -41,7 +41,7 @@ function objectGetTagging(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId: reqVersionId,
-        requestType: request.apiMethods || 'objectGetTagging',
+        requestType: 'objectGetTagging',
         request,
     };
 

lib/api/objectHead.js

@@ -48,7 +48,7 @@ function objectHead(authInfo, request, log, callback) {
         objectKey,
         versionId,
         getDeleteMarker: true,
-        requestType: request.apiMethods || 'objectHead',
+        requestType: 'objectHead',
         request,
     };
 

lib/api/objectPut.js

@@ -3,7 +3,6 @@ const { errors, versioning } = require('arsenal');
 
 const constants = require('../../constants');
 const aclUtils = require('../utilities/aclUtils');
-const { config } = require('../Config');
 const { cleanUpBucket } = require('./apiUtils/bucket/bucketCreation');
 const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@@ -72,7 +71,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
         query,
     } = request;
     if (headers['x-amz-storage-class'] &&
-        !config.locationConstraints[headers['x-amz-storage-class']]) {
+        !constants.validStorageClasses.includes(headers['x-amz-storage-class'])) {
         log.trace('invalid storage-class header');
         monitoring.promMetrics('PUT', request.bucketName,
             errors.InvalidStorageClass.code, 'putObject');
@@ -99,7 +98,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
         'The encryption method specified is not supported');
     const requestType = request.apiMethods || 'objectPut';
     const valParams = { authInfo, bucketName, objectKey, versionId,
-        requestType, request, withVersionId: isPutVersion };
+        requestType, request };
     const canonicalID = authInfo.getCanonicalID();
 
     if (hasNonPrintables(objectKey)) {
@@ -175,7 +174,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
                 writeContinue(request, request._response);
                 return createAndStoreObject(bucketName,
                 bucket, objectKey, objMD, authInfo, canonicalID, cipherBundle,
-                request, false, streamingV4Params, overheadField, log, 's3:ObjectCreated:Put', next);
+                request, false, streamingV4Params, overheadField, log, next);
             },
         ], (err, storingResult) => {
             if (err) {
@@ -243,14 +242,6 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
             monitoring.promMetrics('PUT', bucketName, '200',
                 'putObject', newByteLength, oldByteLength, isVersionedObj,
                 null, ingestSize);
-
-            if (isPutVersion) {
-                const durationMs = Date.now() - new Date(objMD.archive.restoreRequestedAt);
-                monitoring.lifecycleDuration.observe(
-                    { type: 'restore', location: objMD.dataStoreName },
-                    durationMs / 1000);
-            }
-
             return callback(null, responseHeaders);
         });
     });

lib/api/objectPutACL.js

@@ -88,7 +88,6 @@ function objectPutACL(authInfo, request, log, cb) {
         versionId: reqVersionId,
         getDeleteMarker: true,
         requestType: request.apiMethods || 'objectPutACL',
-        request,
     };
 
     const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];

lib/api/objectPutCopyPart.js

@@ -9,12 +9,11 @@ const locationConstraintCheck =
     require('./apiUtils/object/locationConstraintCheck');
 const metadata = require('../metadata/wrapper');
 const { pushMetric } = require('../utapi/utilities');
+const logger = require('../utilities/logger');
 const services = require('../services');
 const setUpCopyLocator = require('./apiUtils/object/setUpCopyLocator');
 const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const monitoring = require('../utilities/monitoringHandler');
-const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
-const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
 
 const versionIdUtils = versioning.VersionID;
 
@@ -46,14 +45,6 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
         versionId: reqVersionId,
         getDeleteMarker: true,
         requestType: 'objectGet',
-        /**
-         * Authorization will first check the target object, with an objectPut
-         * action. But in this context, the source object metadata is still
-         * unknown. In the context of quotas, to know the number of bytes that
-         * are being written, we explicitly enable the quota evaluation logic
-         * during the objectGet action instead.
-         */
-        checkQuota: true,
         request,
     };
 
@@ -76,8 +67,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
         authInfo,
         bucketName: destBucketName,
         objectKey: destObjectKey,
-        requestType: 'objectPutPart',
+        requestType: 'objectPut',
-        checkQuota: false,
         request,
     };
 
@@ -98,7 +88,6 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
         objectKey: destObjectKey,
         partNumber: paddedPartNumber,
         uploadId,
-        enableQuota: true,
     };
 
     return async.waterfall([
@@ -145,11 +134,6 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                         sourceLocationConstraintName =
                             sourceObjMD.location[0].dataStoreName;
                     }
-                    // check if object data is in a cold storage
-                    const coldErr = verifyColdObjectAvailable(sourceObjMD);
-                    if (coldErr) {
-                        return next(coldErr, null);
-                    }
                     if (sourceObjMD.isDeleteMarker) {
                         log.debug('delete marker on source object',
                         { sourceObject });
@@ -192,16 +176,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                     }
                     return next(null, copyLocator.dataLocator, destBucketMD,
                         copyLocator.copyObjectSize, sourceVerId,
-                        sourceLocationConstraintName, sourceObjMD);
+                        sourceLocationConstraintName);
                 });
         },
-        function _validateQuotas(dataLocator, destBucketMD,
-            copyObjectSize, sourceVerId,
-            sourceLocationConstraintName, sourceObjMD, next) {
-            return validateQuotas(request, destBucketMD, request.accountQuotas, valPutParams.requestType,
-                request.apiMethod, sourceObjMD?.['content-length'] || 0, false, log, err =>
-                next(err, dataLocator, destBucketMD, copyObjectSize, sourceVerId, sourceLocationConstraintName));
-        },
         // get MPU shadow bucket to get splitter based on MD version
         function getMpuShadowBucket(dataLocator, destBucketMD,
             copyObjectSize, sourceVerId,
@@ -399,8 +376,10 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
             // Clean up the old data now that new metadata (with new
             // data locations) has been stored
             if (oldLocationsToDelete) {
+                const delLog = logger.newRequestLoggerFromSerializedUids(
+                    log.getSerializedUids());
                 return data.batchDelete(oldLocationsToDelete, request.method, null,
-                    log, err => {
+                    delLog, err => {
                         if (err) {
                             // if error, log the error and move on as it is not
                             // relevant to the client as the client's

lib/api/objectPutPart.js

@@ -11,6 +11,7 @@ const { isBucketAuthorized } =
 const kms = require('../kms/wrapper');
 const metadata = require('../metadata/wrapper');
 const { pushMetric } = require('../utapi/utilities');
+const logger = require('../utilities/logger');
 const services = require('../services');
 const locationConstraintCheck
     = require('./apiUtils/object/locationConstraintCheck');
@@ -21,7 +22,6 @@ const { BackendInfo } = models;
 const writeContinue = require('../utilities/writeContinue');
 const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
 const validateChecksumHeaders = require('./apiUtils/object/validateChecksumHeaders');
-const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
 
 const skipError = new Error('skip');
 
@@ -61,9 +61,6 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
     log.debug('processing request', { method: 'objectPutPart' });
     const size = request.parsedContentLength;
 
-    const putVersionId = request.headers['x-scal-s3-version-id'];
-    const isPutVersion = putVersionId || putVersionId === '';
-
     if (Number.parseInt(size, 10) > constants.maximumAllowedPartSize) {
         log.debug('put part size too large', { size });
         monitoring.promMetrics('PUT', request.bucketName, 400,
@@ -107,9 +104,6 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
     const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
     const { objectKey } = request;
     const originalIdentityAuthzResults = request.actionImplicitDenies;
-    // For validating the request at the destinationBucket level the
-    // `requestType` is the general 'objectPut'.
-    const requestType = request.apiMethods || 'objectPutPart';
 
     return async.waterfall([
         // Get the destination bucket.
@@ -129,15 +123,16 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
             }),
         // Check the bucket authorization.
         (destinationBucket, next) => {
-            if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo,
+            // For validating the request at the destinationBucket level the
+            // `requestType` is the general 'objectPut'.
+            const requestType = 'objectPut';
+            if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
                 log, request, request.actionImplicitDenies)) {
                 log.debug('access denied for user on bucket', { requestType });
                 return next(errors.AccessDenied, destinationBucket);
             }
             return next(null, destinationBucket);
         },
-        (destinationBucket, next) => validateQuotas(request, destinationBucket, request.accountQuotas,
-            requestType, request.apiMethod, size, isPutVersion, log, err => next(err, destinationBucket)),
         // Get bucket server-side encryption, if it exists.
         (destinationBucket, next) => getObjectSSEConfiguration(
             request.headers, destinationBucket, log,
@@ -385,8 +380,10 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
             prevObjectSize, next) => {
             if (oldLocationsToDelete) {
                 log.trace('overwriting mpu part, deleting data');
+                const delLog = logger.newRequestLoggerFromSerializedUids(
+                    log.getSerializedUids());
                 return data.batchDelete(oldLocationsToDelete, request.method,
-                    objectLocationConstraint, log, err => {
+                    objectLocationConstraint, delLog, err => {
                         if (err) {
                             // if error, log the error and move on as it is not
                             // relevant to the client as the client's

lib/api/objectPutRetention.js

@@ -50,7 +50,37 @@ function objectPutRetention(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => {
+        next => standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
+        (err, bucket, objectMD) => {
+            if (err) {
+                log.trace('request authorization failed',
+                    { method: 'objectPutRetention', error: err });
+                return next(err);
+            }
+            if (!objectMD) {
+                const err = reqVersionId ? errors.NoSuchVersion :
+                    errors.NoSuchKey;
+                log.trace('error no object metadata found',
+                    { method: 'objectPutRetention', error: err });
+                return next(err, bucket);
+            }
+            if (objectMD.isDeleteMarker) {
+                log.trace('version is a delete marker',
+                    { method: 'objectPutRetention' });
+                // FIXME we should return a `x-amz-delete-marker: true` header,
+                // see S3C-7592
+                return next(errors.MethodNotAllowed, bucket);
+            }
+            if (!bucket.isObjectLockEnabled()) {
+                log.trace('object lock not enabled on bucket',
+                    { method: 'objectPutRetention' });
+                return next(errors.InvalidRequest.customizeDescription(
+                    'Bucket is missing Object Lock Configuration'
+                ), bucket);
+            }
+            return next(null, bucket, objectMD);
+        }),
+        (bucket, objectMD, next) => {
             log.trace('parsing retention information');
             parseRetentionXml(request.post, log,
                 (err, retentionInfo) => {

lib/api/objectPutTagging.js

@@ -96,7 +96,7 @@ function objectPutTagging(authInfo, request, log, callback) {
         },
         (bucket, objectMD, next) =>
             // if external backend handles tagging
-            data.objectTagging('Put', objectKey, bucket.getName(), objectMD,
+            data.objectTagging('Put', objectKey, bucket, objectMD,
                 log, err => next(err, bucket, objectMD)),
     ], (err, bucket, objectMD) => {
         const additionalResHeaders = collectCorsHeaders(request.headers.origin,

lib/api/website.js

@@ -1,313 +0,0 @@
-const { errors, s3middleware } = require('arsenal');
-const validateHeaders = s3middleware.validateConditionalHeaders;
-
-const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-const constants = require('../../constants');
-const metadata = require('../metadata/wrapper');
-const bucketShield = require('./apiUtils/bucket/bucketShield');
-const { appendWebsiteIndexDocument, findRoutingRule, extractRedirectInfo } =
-    require('./apiUtils/object/websiteServing');
-const { isObjAuthorized, isBucketAuthorized } =
-    require('./apiUtils/authorization/permissionChecks');
-const collectResponseHeaders = require('../utilities/collectResponseHeaders');
-const { pushMetric } = require('../utapi/utilities');
-const monitoring = require('../utilities/monitoringHandler');
-
-/**
- * _errorActions - take a number of actions once have error getting obj
- * @param {object} err - arsenal errors object
- * @param {string} errorDocument - key to get error document
- * @param {object []} routingRules - array of routingRule objects
- * @param {object} bucket - bucket metadata
- * @param {string} objectKey - object key from request (or as translated in
- * website)
- * @param {object} corsHeaders - CORS-related response headers
- * @param {object} request - normalized request object
- * @param {object} log - Werelogs instance
- * @param {function} callback - callback to function in route
- * @return {undefined}
- */
-function _errorActions(err, errorDocument, routingRules,
-    bucket, objectKey, corsHeaders, request, log, callback) {
-    const bucketName = bucket.getName();
-    const errRoutingRule = findRoutingRule(routingRules,
-        objectKey, err.code);
-    if (errRoutingRule) {
-        // route will redirect
-        const action = request.method === 'HEAD' ? 'headObject' : 'getObject';
-        monitoring.promMetrics(
-            request.method, bucketName, err.code, action);
-        return callback(err, false, null, corsHeaders, errRoutingRule,
-            objectKey);
-    }
-    if (request.method === 'HEAD') {
-        monitoring.promMetrics(
-            'HEAD', bucketName, err.code, 'headObject');
-        return callback(err, false, null, corsHeaders);
-    }
-    if (errorDocument) {
-        return metadata.getObjectMD(bucketName, errorDocument, {}, log,
-            (errObjErr, errObjMD) => {
-                if (errObjErr) {
-                    // error retrieving error document so return original error
-                    // and set boolean of error retrieving user's error document
-                    // to true
-                    monitoring.promMetrics(
-                        'GET', bucketName, err.code, 'getObject');
-                    return callback(err, true, null, corsHeaders);
-                }
-                // return the default error message if the object is private
-                // rather than sending a stored error file
-                // eslint-disable-next-line no-param-reassign
-                request.objectKey = errorDocument;
-                if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
-                    constants.publicId, null, log, request, request.actionImplicitDenies, true)) {
-                    log.trace('errorObj not authorized', { error: err });
-                    monitoring.promMetrics(
-                        'GET', bucketName, err.code, 'getObject');
-                    return callback(err, true, null, corsHeaders);
-                }
-                const dataLocator = errObjMD.location;
-                if (errObjMD['x-amz-server-side-encryption']) {
-                    for (let i = 0; i < dataLocator.length; i++) {
-                        dataLocator[i].masterKeyId =
-                            errObjMD['x-amz-server-side-encryption-aws-' +
-                                'kms-key-id'];
-                        dataLocator[i].algorithm =
-                            errObjMD['x-amz-server-side-encryption'];
-                    }
-                }
-
-                if (errObjMD['x-amz-website-redirect-location']) {
-                    const redirectLocation =
-                        errObjMD['x-amz-website-redirect-location'];
-                    const redirectInfo = { withError: true,
-                        location: redirectLocation };
-                    log.trace('redirecting to x-amz-website-redirect-location',
-                        { location: redirectLocation });
-                    return callback(err, false, dataLocator, corsHeaders,
-                        redirectInfo, '');
-                }
-
-                const responseMetaHeaders = collectResponseHeaders(errObjMD,
-                    corsHeaders);
-                pushMetric('getObject', log, {
-                    bucket: bucketName,
-                    newByteLength: responseMetaHeaders['Content-Length'],
-                });
-                monitoring.promMetrics(
-                    'GET', bucketName, err.code, 'getObject');
-                return callback(err, false, dataLocator, responseMetaHeaders);
-            });
-    }
-    monitoring.promMetrics(
-        'GET', bucketName, err.code, 'getObject');
-    return callback(err, false, null, corsHeaders);
-}
-
-function capitalize(str) {
-    if (!str || typeof str !== 'string') {
-        return str;
-    }
-    return str.charAt(0).toUpperCase() + str.slice(1);
-}
-
-/**
- * Callbacks have different signature for GET and HEAD
- * The website function uses GET callback signature
- * This encapsulate HEAD callback to match GET signature
- * @param {function} callback - HEAD callback
- * @returns {function} HEAD callback with GET signature
- */
-function callbackGetToHead(callback) {
-    return (err, userErrorPageFailure, dataGetInfo,
-        resMetaHeaders, redirectInfo, key) =>
-        callback(err, resMetaHeaders, redirectInfo, key);
-}
-
-/**
- * Website - Common website function for GET and HEAD
- * Gets metadata and object for website or redirects
- * @param {object} request - normalized request object
- * @param {object} log - Werelogs instance
- * @param {function} callback - callback to function in route
- * @return {undefined}
- */
-function website(request, log, callback) {
-    if (request.method === 'HEAD') {
-        // eslint-disable-next-line no-param-reassign
-        callback = callbackGetToHead(callback);
-    }
-    const methodCapitalized = capitalize(request.method);
-    const action = request.method === 'HEAD' ? 'headObject' : 'getObject';
-    log.debug('processing request', { method: `website${methodCapitalized}` });
-    const bucketName = request.bucketName;
-    const reqObjectKey = request.objectKey ? request.objectKey : '';
-
-    return metadata.getBucket(bucketName, log, (err, bucket) => {
-        if (err) {
-            log.trace('error retrieving bucket metadata', { error: err });
-            monitoring.promMetrics(
-                request.method, bucketName, err.code, action);
-            return callback(err, false);
-        }
-        if (bucketShield(bucket, `object${methodCapitalized}`)) {
-            log.trace('bucket in transient/deleted state so shielding');
-            monitoring.promMetrics(
-                request.method, bucketName, 404, action);
-            return callback(errors.NoSuchBucket, false);
-        }
-        const corsHeaders = collectCorsHeaders(request.headers.origin,
-            request.method, bucket);
-        // bucket ACL's do not matter for website head since it is always the
-        // head of an object. object ACL's are what matter
-        const websiteConfig = bucket.getWebsiteConfiguration();
-        if (!websiteConfig) {
-            monitoring.promMetrics(
-                request.method, bucketName, 404, action);
-            return callback(errors.NoSuchWebsiteConfiguration, false, null,
-            corsHeaders);
-        }
-        // any errors above would be our own created generic error html
-        // if have a website config, error going forward would be user's
-        // redirect or error page if they set either in the config
-
-        // handle redirect all
-        if (websiteConfig.getRedirectAllRequestsTo()) {
-            return callback(null, false, null, corsHeaders,
-                websiteConfig.getRedirectAllRequestsTo(), reqObjectKey);
-        }
-
-        // check whether need to redirect based on key
-        const routingRules = websiteConfig.getRoutingRules();
-        const keyRoutingRule = findRoutingRule(routingRules, reqObjectKey);
-
-        if (keyRoutingRule) {
-            // TODO: optimize by not rerouting if only routing
-            // rule is to change out key
-            return callback(null, false, null, corsHeaders,
-                keyRoutingRule, reqObjectKey);
-        }
-
-        appendWebsiteIndexDocument(request, websiteConfig.getIndexDocument());
-
-        /**
-         * Recursive function with 1 recursive call to look for index
-         * in case of error for potential redirect to folder notation
-         * if there is not already an index appended
-         * @param {Error} [originalError] - presence of this argument
-         * differentiates original user request from recursive call to /index.
-         * This error is returned if /index is not found
-         * @returns {undefined}
-         */
-        function runWebsite(originalError) {
-            // get object metadata and check authorization and header
-            // validation
-            return metadata.getObjectMD(bucketName, request.objectKey, {}, log,
-                (err, objMD) => {
-                    // Note: In case of error, we intentionally send the original
-                    // object key to _errorActions as in case of a redirect, we do
-                    // not want to append index key to redirect location
-                    if (err) {
-                        log.trace('error retrieving object metadata',
-                        { error: err });
-                        let returnErr = err;
-                        const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
-                        constants.publicId, null, log, request, request.actionImplicitDenies, true);
-                        // if index object does not exist and bucket is private AWS
-                        // returns 403 - AccessDenied error.
-                        if (err.is.NoSuchKey && !bucketAuthorized) {
-                            returnErr = errors.AccessDenied;
-                        }
-
-                        // Check if key is a folder containing index for redirect 302
-                        // https://docs.aws.amazon.com/AmazonS3/latest/userguide/IndexDocumentSupport.html
-                        if (!originalError && reqObjectKey && !reqObjectKey.endsWith('/')) {
-                            appendWebsiteIndexDocument(request, websiteConfig.getIndexDocument(), true);
-                            // propagate returnErr as originalError to be used if index is not found
-                            return runWebsite(returnErr);
-                        }
-
-                        return _errorActions(originalError || returnErr,
-                        websiteConfig.getErrorDocument(), routingRules,
-                        bucket, reqObjectKey, corsHeaders, request, log,
-                        callback);
-                    }
-                    if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
-                        constants.publicId, null, log, request, request.actionImplicitDenies, true)) {
-                        const err = errors.AccessDenied;
-                        log.trace('request not authorized', { error: err });
-                        return _errorActions(err, websiteConfig.getErrorDocument(),
-                            routingRules, bucket,
-                            reqObjectKey, corsHeaders, request, log, callback);
-                    }
-
-                    // access granted to index document, needs a redirect 302
-                    // to the original key with trailing /
-                    if (originalError) {
-                        const redirectInfo = { withError: true,
-                            location: `/${reqObjectKey}/` };
-                        return callback(errors.Found, false, null, corsHeaders,
-                            redirectInfo, '');
-                    }
-
-                    const headerValResult = validateHeaders(request.headers,
-                        objMD['last-modified'], objMD['content-md5']);
-                    if (headerValResult.error) {
-                        const err = headerValResult.error;
-                        log.trace('header validation error', { error: err });
-                        return _errorActions(err, websiteConfig.getErrorDocument(),
-                            routingRules, bucket, reqObjectKey,
-                            corsHeaders, request, log, callback);
-                    }
-                    // check if object to serve has website redirect header
-                    // Note: AWS prioritizes website configuration rules over
-                    // object key's website redirect header, so we make the
-                    // check at the end.
-                    if (objMD['x-amz-website-redirect-location']) {
-                        const redirectLocation =
-                            objMD['x-amz-website-redirect-location'];
-                        const redirectInfo =
-                            extractRedirectInfo(redirectLocation);
-                        log.trace('redirecting to x-amz-website-redirect-location',
-                            { location: redirectLocation });
-                        return callback(null, false, null, corsHeaders,
-                            redirectInfo, '');
-                    }
-                    // got obj metadata, authorized and headers validated,
-                    // good to go
-                    const responseMetaHeaders = collectResponseHeaders(objMD,
-                        corsHeaders);
-
-                    if (request.method === 'HEAD') {
-                        pushMetric('headObject', log, { bucket: bucketName });
-                        monitoring.promMetrics('HEAD',
-                            bucketName, '200', 'headObject');
-                        return callback(null, false, null, responseMetaHeaders);
-                    }
-
-                    const dataLocator = objMD.location;
-                    if (objMD['x-amz-server-side-encryption']) {
-                        for (let i = 0; i < dataLocator.length; i++) {
-                            dataLocator[i].masterKeyId =
-                                objMD['x-amz-server-side-encryption-aws-' +
-                                    'kms-key-id'];
-                            dataLocator[i].algorithm =
-                                objMD['x-amz-server-side-encryption'];
-                        }
-                    }
-                    pushMetric('getObject', log, {
-                        bucket: bucketName,
-                        newByteLength: responseMetaHeaders['Content-Length'],
-                    });
-                    monitoring.promMetrics('GET', bucketName, '200',
-                        'getObject', responseMetaHeaders['Content-Length']);
-                    return callback(null, false, dataLocator, responseMetaHeaders);
-                });
-        }
-
-        return runWebsite();
-    });
-}
-
-module.exports = website;

lib/api/websiteGet.js

@@ -0,0 +1,235 @@
+const { errors, s3middleware } = require('arsenal');
+const validateHeaders = s3middleware.validateConditionalHeaders;
+
+const collectCorsHeaders = require('../utilities/collectCorsHeaders');
+const constants = require('../../constants');
+const metadata = require('../metadata/wrapper');
+const bucketShield = require('./apiUtils/bucket/bucketShield');
+const { findRoutingRule, extractRedirectInfo } =
+    require('./apiUtils/object/websiteServing');
+const { isObjAuthorized, isBucketAuthorized } =
+    require('./apiUtils/authorization/permissionChecks');
+const collectResponseHeaders = require('../utilities/collectResponseHeaders');
+const { pushMetric } = require('../utapi/utilities');
+const monitoring = require('../utilities/monitoringHandler');
+
+/**
+ * _errorActions - take a number of actions once have error getting obj
+ * @param {object} err - arsenal errors object
+ * @param {string} errorDocument - key to get error document
+ * @param {object []} routingRules - array of routingRule objects
+ * @param {object} bucket - bucket metadata
+ * @param {string} objectKey - object key from request (or as translated in
+ * websiteGet)
+ * @param {object} corsHeaders - CORS-related response headers
+ * @param {object} request - normalized request object
+ * @param {object} log - Werelogs instance
+ * @param {function} callback - callback to function in route
+ * @return {undefined}
+ */
+function _errorActions(err, errorDocument, routingRules,
+    bucket, objectKey, corsHeaders, request, log, callback) {
+    const bucketName = bucket.getName();
+    const errRoutingRule = findRoutingRule(routingRules,
+        objectKey, err.code);
+    if (errRoutingRule) {
+        // route will redirect
+        monitoring.promMetrics(
+            'GET', bucketName, err.code, 'getObject');
+        return callback(err, false, null, corsHeaders, errRoutingRule,
+            objectKey);
+    }
+    if (errorDocument) {
+        return metadata.getObjectMD(bucketName, errorDocument, {}, log,
+            (errObjErr, errObjMD) => {
+                if (errObjErr) {
+                    // error retrieving error document so return original error
+                    // and set boolean of error retrieving user's error document
+                    // to true
+                    monitoring.promMetrics(
+                        'GET', bucketName, err.code, 'getObject');
+                    return callback(err, true, null, corsHeaders);
+                }
+                // return the default error message if the object is private
+                // rather than sending a stored error file
+                if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
+                    constants.publicId, null, log, null, request.actionImplicitDenies)) {
+                    log.trace('errorObj not authorized', { error: err });
+                    monitoring.promMetrics(
+                        'GET', bucketName, err.code, 'getObject');
+                    return callback(err, true, null, corsHeaders);
+                }
+                const dataLocator = errObjMD.location;
+                if (errObjMD['x-amz-server-side-encryption']) {
+                    for (let i = 0; i < dataLocator.length; i++) {
+                        dataLocator[i].masterKeyId =
+                            errObjMD['x-amz-server-side-encryption-aws-' +
+                                'kms-key-id'];
+                        dataLocator[i].algorithm =
+                            errObjMD['x-amz-server-side-encryption'];
+                    }
+                }
+                const responseMetaHeaders = collectResponseHeaders(errObjMD,
+                    corsHeaders);
+                pushMetric('getObject', log, {
+                    bucket: bucketName,
+                    newByteLength: responseMetaHeaders['Content-Length'],
+                });
+                monitoring.promMetrics(
+                    'GET', bucketName, err.code, 'getObject');
+                return callback(err, false, dataLocator, responseMetaHeaders);
+            });
+    }
+    monitoring.promMetrics(
+        'GET', bucketName, err.code, 'getObject');
+    return callback(err, false, null, corsHeaders);
+}
+
+/**
+ * GET Website - Gets object for website or redirects
+ * @param {object} request - normalized request object
+ * @param {object} log - Werelogs instance
+ * @param {function} callback - callback to function in route
+ * @return {undefined}
+ */
+function websiteGet(request, log, callback) {
+    log.debug('processing request', { method: 'websiteGet' });
+    const bucketName = request.bucketName;
+    const reqObjectKey = request.objectKey ? request.objectKey : '';
+    let objectKey = reqObjectKey;
+
+    return metadata.getBucket(bucketName, log, (err, bucket) => {
+        if (err) {
+            log.trace('error retrieving bucket metadata', { error: err });
+            monitoring.promMetrics(
+                'GET', bucketName, err.code, 'getObject');
+            return callback(err, false);
+        }
+        if (bucketShield(bucket, 'objectGet')) {
+            log.trace('bucket in transient/deleted state so shielding');
+            monitoring.promMetrics(
+                'GET', bucketName, 404, 'getObject');
+            return callback(errors.NoSuchBucket, false);
+        }
+        const corsHeaders = collectCorsHeaders(request.headers.origin,
+            request.method, bucket);
+        const websiteConfig = bucket.getWebsiteConfiguration();
+        if (!websiteConfig) {
+            monitoring.promMetrics(
+                'GET', bucketName, 404, 'getObject');
+            return callback(errors.NoSuchWebsiteConfiguration, false, null,
+            corsHeaders);
+        }
+        // any errors above would be our own created generic error html
+        // if have a website config, error going forward would be user's
+        // redirect or error page if they set either in the config
+
+        // handle redirect all
+        if (websiteConfig.getRedirectAllRequestsTo()) {
+            return callback(null, false, null, corsHeaders,
+                websiteConfig.getRedirectAllRequestsTo(), objectKey);
+        }
+
+        // check whether need to redirect based on key
+        const routingRules = websiteConfig.getRoutingRules();
+        const keyRoutingRule = findRoutingRule(routingRules, objectKey);
+
+        if (keyRoutingRule) {
+            // TODO: optimize by not rerouting if only routing
+            // rule is to change out key
+            return callback(null, false, null, corsHeaders,
+                keyRoutingRule, objectKey);
+        }
+
+        // find index document if "directory" sent in request
+        if (reqObjectKey.endsWith('/')) {
+            objectKey += websiteConfig.getIndexDocument();
+        }
+        // find index document if no key provided
+        if (reqObjectKey === '') {
+            objectKey = websiteConfig.getIndexDocument();
+        }
+
+        // get object metadata and check authorization and header
+        // validation
+        return metadata.getObjectMD(bucketName, objectKey, {}, log,
+            (err, objMD) => {
+                // Note: In case of error, we intentionally send the original
+                // object key to _errorActions as in case of a redirect, we do
+                // not want to append index key to redirect location
+                if (err) {
+                    log.trace('error retrieving object metadata',
+                    { error: err });
+                    monitoring.promMetrics(
+                        'GET', bucketName, err.code, 'getObject');
+                    let returnErr = err;
+                    const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
+                    constants.publicId, null, log, request, request.actionImplicitDenies);
+                    // if index object does not exist and bucket is private AWS
+                    // returns 403 - AccessDenied error.
+                    if (err.is.NoSuchKey && !bucketAuthorized) {
+                        returnErr = errors.AccessDenied;
+                    }
+                    return _errorActions(returnErr,
+                      websiteConfig.getErrorDocument(), routingRules,
+                      bucket, reqObjectKey, corsHeaders, request, log,
+                      callback);
+                }
+                if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
+                    constants.publicId, null, log, request, request.actionImplicitDenies)) {
+                    const err = errors.AccessDenied;
+                    log.trace('request not authorized', { error: err });
+                    return _errorActions(err, websiteConfig.getErrorDocument(),
+                        routingRules, bucket,
+                        reqObjectKey, corsHeaders, request, log, callback);
+                }
+
+                const headerValResult = validateHeaders(request.headers,
+                    objMD['last-modified'], objMD['content-md5']);
+                if (headerValResult.error) {
+                    const err = headerValResult.error;
+                    log.trace('header validation error', { error: err });
+                    return _errorActions(err, websiteConfig.getErrorDocument(),
+                        routingRules, bucket, reqObjectKey,
+                        corsHeaders, request, log, callback);
+                }
+                // check if object to serve has website redirect header
+                // Note: AWS prioritizes website configuration rules over
+                // object key's website redirect header, so we make the
+                // check at the end.
+                if (objMD['x-amz-website-redirect-location']) {
+                    const redirectLocation =
+                        objMD['x-amz-website-redirect-location'];
+                    const redirectInfo =
+                        extractRedirectInfo(redirectLocation);
+                    log.trace('redirecting to x-amz-website-redirect-location',
+                        { location: redirectLocation });
+                    return callback(null, false, null, corsHeaders,
+                        redirectInfo, '');
+                }
+                // got obj metadata, authorized and headers validated,
+                // good to go
+                const responseMetaHeaders = collectResponseHeaders(objMD,
+                    corsHeaders);
+                const dataLocator = objMD.location;
+                if (objMD['x-amz-server-side-encryption']) {
+                    for (let i = 0; i < dataLocator.length; i++) {
+                        dataLocator[i].masterKeyId =
+                            objMD['x-amz-server-side-encryption-aws-' +
+                                'kms-key-id'];
+                        dataLocator[i].algorithm =
+                            objMD['x-amz-server-side-encryption'];
+                    }
+                }
+                pushMetric('getObject', log, {
+                    bucket: bucketName,
+                    newByteLength: responseMetaHeaders['Content-Length'],
+                });
+                monitoring.promMetrics('GET', bucketName, '200',
+                    'getObject', responseMetaHeaders['Content-Length']);
+                return callback(null, false, dataLocator, responseMetaHeaders);
+            });
+    });
+}
+
+module.exports = websiteGet;

lib/api/websiteHead.js

@@ -0,0 +1,168 @@
+const { errors, s3middleware } = require('arsenal');
+const validateHeaders = s3middleware.validateConditionalHeaders;
+
+const collectCorsHeaders = require('../utilities/collectCorsHeaders');
+const constants = require('../../constants');
+const metadata = require('../metadata/wrapper');
+const bucketShield = require('./apiUtils/bucket/bucketShield');
+const { findRoutingRule, extractRedirectInfo } =
+    require('./apiUtils/object/websiteServing');
+const collectResponseHeaders = require('../utilities/collectResponseHeaders');
+const { pushMetric } = require('../utapi/utilities');
+const monitoring = require('../utilities/monitoringHandler');
+const { isBucketAuthorized, isObjAuthorized } =
+    require('./apiUtils/authorization/permissionChecks');
+
+
+/**
+ * _errorActions - take a number of actions once have error getting obj
+ * @param {object} err - arsenal errors object
+ * @param {object []} routingRules - array of routingRule objects
+ * @param {string} objectKey - object key from request (or as translated in
+ * websiteGet)
+ * @param {object} corsHeaders - CORS-related response headers
+ * @param {object} log - Werelogs instance
+ * @param {function} callback - callback to function in route
+ * @return {undefined}
+ */
+function _errorActions(err, routingRules, objectKey, corsHeaders, log,
+    callback) {
+    const errRoutingRule = findRoutingRule(routingRules, objectKey, err.code);
+    if (errRoutingRule) {
+        // route will redirect
+        return callback(err, corsHeaders, errRoutingRule, objectKey);
+    }
+    return callback(err, corsHeaders);
+}
+
+
+/**
+ * HEAD Website - Gets metadata for object for website or redirects
+ * @param {object} request - normalized request object
+ * @param {object} log - Werelogs instance
+ * @param {function} callback - callback to function in route
+ * @return {undefined}
+ */
+function websiteHead(request, log, callback) {
+    log.debug('processing request', { method: 'websiteHead' });
+    const bucketName = request.bucketName;
+    const reqObjectKey = request.objectKey ? request.objectKey : '';
+    let objectKey = reqObjectKey;
+
+    return metadata.getBucket(bucketName, log, (err, bucket) => {
+        if (err) {
+            log.trace('error retrieving bucket metadata', { error: err });
+            monitoring.promMetrics(
+                'HEAD', bucketName, err.code, 'headObject');
+            return callback(err);
+        }
+        if (bucketShield(bucket, 'objectHead')) {
+            log.trace('bucket in transient/deleted state so shielding');
+            monitoring.promMetrics(
+                'HEAD', bucketName, 404, 'headObject');
+            return callback(errors.NoSuchBucket);
+        }
+        const corsHeaders = collectCorsHeaders(request.headers.origin,
+            request.method, bucket);
+        // bucket ACL's do not matter for website head since it is always the
+        // head of an object. object ACL's are what matter
+        const websiteConfig = bucket.getWebsiteConfiguration();
+        if (!websiteConfig) {
+            monitoring.promMetrics(
+                'HEAD', bucketName, 404, 'headObject');
+            return callback(errors.NoSuchWebsiteConfiguration);
+        }
+        // any errors above would be generic header error response
+        // if have a website config, error going forward could be redirect
+        // if a redirect rule for error is in config
+
+        // handle redirect all
+        if (websiteConfig.getRedirectAllRequestsTo()) {
+            return callback(null, corsHeaders,
+                websiteConfig.getRedirectAllRequestsTo(), objectKey);
+        }
+
+        // find index document if "directory" sent in request
+        if (reqObjectKey.endsWith('/')) {
+            objectKey += websiteConfig.getIndexDocument();
+        }
+        // find index document if no key provided
+        if (reqObjectKey === '') {
+            objectKey = websiteConfig.getIndexDocument();
+        }
+        // check whether need to redirect based on key
+        const routingRules = websiteConfig.getRoutingRules();
+
+        const keyRoutingRule = findRoutingRule(routingRules, objectKey);
+
+        if (keyRoutingRule) {
+            return callback(null, corsHeaders, keyRoutingRule, reqObjectKey);
+        }
+
+        // get object metadata and check authorization and header
+        // validation
+        return metadata.getObjectMD(bucketName, objectKey, {}, log,
+            (err, objMD) => {
+                // Note: In case of error, we intentionally send the original
+                // object key to _errorActions as in case of a redirect, we do
+                // not want to append index key to redirect location
+                if (err) {
+                    log.trace('error retrieving object metadata',
+                    { error: err });
+                    let returnErr = err;
+                    const bucketAuthorized = isBucketAuthorized(bucket,
+                      'bucketGet', constants.publicId, null, log, request, request.actionImplicitDenies);
+                    // if index object does not exist and bucket is private AWS
+                    // returns 403 - AccessDenied error.
+                    if (err.is.NoSuchKey && !bucketAuthorized) {
+                        returnErr = errors.AccessDenied;
+                    }
+                    return _errorActions(returnErr, routingRules,
+                        reqObjectKey, corsHeaders, log, callback);
+                }
+                if (!isObjAuthorized(bucket, objMD, 'objectGet',
+                    constants.publicId, null, log, request, request.actionImplicitDenies)) {
+                    const err = errors.AccessDenied;
+                    log.trace('request not authorized', { error: err });
+                    return _errorActions(err, routingRules, reqObjectKey,
+                        corsHeaders, log, callback);
+                }
+
+                const headerValResult = validateHeaders(request.headers,
+                    objMD['last-modified'], objMD['content-md5']);
+                if (headerValResult.error) {
+                    const err = headerValResult.error;
+                    log.trace('header validation error', { error: err });
+                    return _errorActions(err, routingRules, reqObjectKey,
+                        corsHeaders, log, callback);
+                }
+
+                // check if object to serve has website redirect header
+                // Note: AWS prioritizes website configuration rules over
+                // object key's website redirect header, so we make the
+                // check at the end.
+                if (objMD['x-amz-website-redirect-location']) {
+                    const redirectLocation =
+                        objMD['x-amz-website-redirect-location'];
+                    const redirectInfo =
+                        extractRedirectInfo(redirectLocation);
+                    log.trace('redirecting to x-amz-website-redirect-location',
+                        { location: redirectLocation });
+                    return callback(null, corsHeaders, redirectInfo, '');
+                }
+
+                // got obj metadata, authorized and headers validated,
+                // good to go
+                const responseMetaHeaders = collectResponseHeaders(objMD,
+                    corsHeaders);
+                pushMetric('headObject', log, {
+                    bucket: bucketName,
+                });
+                monitoring.promMetrics(
+                    'HEAD', bucketName, '200', 'headObject');
+                return callback(null, responseMetaHeaders);
+            });
+    });
+}
+
+module.exports = websiteHead;

lib/auth/vault.js

@@ -1,3 +1,4 @@
+const vaultclient = require('vaultclient');
 const { auth } = require('arsenal');
 
 const { config } = require('../Config');
@@ -20,7 +21,6 @@ function getVaultClient(config) {
             port,
             https: true,
         });
-        const vaultclient = require('vaultclient');
         vaultClient = new vaultclient.Client(host, port, true, key, cert, ca);
     } else {
         logger.info('vaultclient configuration', {
@@ -28,7 +28,6 @@ function getVaultClient(config) {
             port,
             https: false,
         });
-        const vaultclient = require('vaultclient');
         vaultClient = new vaultclient.Client(host, port);
     }
 
@@ -50,6 +49,10 @@ function getMemBackend(config) {
 }
 
 switch (config.backends.auth) {
+case 'mem':
+    implName = 'vaultMem';
+    client = getMemBackend(config);
+    break;
 case 'multiple':
     implName = 'vaultChain';
     client = new ChainBackend('s3', [
@@ -57,14 +60,9 @@ case 'multiple':
         getVaultClient(config),
     ]);
     break;
-case 'vault':
+default: // vault
     implName = 'vault';
     client = getVaultClient(config);
-    break;
-default: // mem
-    implName = 'vaultMem';
-    client = getMemBackend(config);
-    break;
 }
 
 module.exports = new Vault(client, implName);

lib/kms/wrapper.js

@@ -8,6 +8,20 @@ const inMemory = require('./in_memory/backend').backend;
 const file = require('./file/backend');
 const KMIPClient = require('arsenal').network.kmipClient;
 const Common = require('./common');
+let scalityKMS;
+let scalityKMSImpl;
+try {
+     // eslint-disable-next-line import/no-unresolved
+    const ScalityKMS = require('scality-kms');
+    scalityKMS = new ScalityKMS(config.kms);
+    scalityKMSImpl = 'scalityKms';
+} catch (error) {
+    logger.warn('scality kms unavailable. ' +
+      'Using file kms backend unless mem specified.',
+      { error });
+    scalityKMS = file;
+    scalityKMSImpl = 'fileKms';
+}
 
 let client;
 let implName;
@@ -19,9 +33,8 @@ if (config.backends.kms === 'mem') {
     client = file;
     implName = 'fileKms';
 } else if (config.backends.kms === 'scality') {
-    const ScalityKMS = require('scality-kms');
+    client = scalityKMS;
-    client = new ScalityKMS(config.kms);
+    implName = scalityKMSImpl;
-    implName = 'scalityKms';
 } else if (config.backends.kms === 'kmip') {
     const kmipConfig = { kmip: config.kmip };
     if (!kmipConfig.kmip) {

lib/management/ChannelMessageV0.js

@@ -0,0 +1,131 @@
+/**
+ * Target service that should handle a message
+ * @readonly
+ * @enum {number}
+ */
+const MessageType = {
+    /** Message that contains a configuration overlay */
+    CONFIG_OVERLAY_MESSAGE: 1,
+    /** Message that requests a metrics report */
+    METRICS_REQUEST_MESSAGE: 2,
+    /** Message that contains a metrics report */
+    METRICS_REPORT_MESSAGE: 3,
+    /** Close the virtual TCP socket associated to the channel */
+    CHANNEL_CLOSE_MESSAGE: 4,
+    /** Write data to the virtual TCP socket associated to the channel */
+    CHANNEL_PAYLOAD_MESSAGE: 5,
+};
+
+/**
+ * Target service that should handle a message
+ * @readonly
+ * @enum {number}
+ */
+const TargetType = {
+    /** Let the dispatcher choose the most appropriate message */
+    TARGET_ANY: 0,
+};
+
+const headerSize = 3;
+
+class ChannelMessageV0 {
+    /**
+     * @param  {Buffer} buffer Message bytes
+     */
+    constructor(buffer) {
+        this.messageType = buffer.readUInt8(0);
+        this.channelNumber = buffer.readUInt8(1);
+        this.target = buffer.readUInt8(2);
+        this.payload = buffer.slice(headerSize);
+    }
+
+    /**
+     * @returns {number} Message type
+     */
+    getType() {
+        return this.messageType;
+    }
+
+    /**
+     * @returns {number} Channel number if applicable
+     */
+    getChannelNumber() {
+        return this.channelNumber;
+    }
+
+    /**
+     * @returns {number} Target service, or 0 to choose automatically
+     */
+    getTarget() {
+        return this.target;
+    }
+
+    /**
+     * @returns {Buffer} Message payload if applicable
+     */
+    getPayload() {
+        return this.payload;
+    }
+
+    /**
+     * Creates a wire representation of a channel close message
+     *
+     * @param  {number} channelId Channel number
+     *
+     * @returns {Buffer} wire representation
+     */
+    static encodeChannelCloseMessage(channelId) {
+        const buf = Buffer.alloc(headerSize);
+        buf.writeUInt8(MessageType.CHANNEL_CLOSE_MESSAGE, 0);
+        buf.writeUInt8(channelId, 1);
+        buf.writeUInt8(TargetType.TARGET_ANY, 2);
+        return buf;
+    }
+
+    /**
+     * Creates a wire representation of a channel data message
+     *
+     * @param  {number} channelId Channel number
+     * @param  {Buffer} data Payload
+     *
+     * @returns {Buffer} wire representation
+     */
+    static encodeChannelDataMessage(channelId, data) {
+        const buf = Buffer.alloc(data.length + headerSize);
+        buf.writeUInt8(MessageType.CHANNEL_PAYLOAD_MESSAGE, 0);
+        buf.writeUInt8(channelId, 1);
+        buf.writeUInt8(TargetType.TARGET_ANY, 2);
+        data.copy(buf, headerSize);
+        return buf;
+    }
+
+    /**
+     * Creates a wire representation of a metrics message
+     *
+     * @param  {object} body Metrics report
+     *
+     * @returns {Buffer} wire representation
+     */
+    static encodeMetricsReportMessage(body) {
+        const report = JSON.stringify(body);
+        const buf = Buffer.alloc(report.length + headerSize);
+        buf.writeUInt8(MessageType.METRICS_REPORT_MESSAGE, 0);
+        buf.writeUInt8(0, 1);
+        buf.writeUInt8(TargetType.TARGET_ANY, 2);
+        buf.write(report, headerSize);
+        return buf;
+    }
+
+    /**
+     * Protocol name used for subprotocol negociation
+     */
+    static get protocolName() {
+        return 'zenko-secure-channel-v0';
+    }
+}
+
+module.exports = {
+    ChannelMessageV0,
+    MessageType,
+    TargetType,
+};

lib/management/agentClient.js

@@ -0,0 +1,94 @@
+const WebSocket = require('ws');
+const arsenal = require('arsenal');
+
+const logger = require('../utilities/logger');
+const _config = require('../Config').config;
+const { patchConfiguration } = require('./configuration');
+const { reshapeExceptionError } = arsenal.errorUtils;
+
+
+const managementAgentMessageType = {
+    /** Message that contains the loaded overlay */
+    NEW_OVERLAY: 1,
+};
+
+const CONNECTION_RETRY_TIMEOUT_MS = 5000;
+
+
+function initManagementClient() {
+    const { host, port } = _config.managementAgent;
+
+    const ws = new WebSocket(`ws://${host}:${port}/watch`);
+
+    ws.on('open', () => {
+        logger.info('connected with management agent');
+    });
+
+    ws.on('close', (code, reason) => {
+        logger.info('disconnected from management agent', { reason });
+        setTimeout(initManagementClient, CONNECTION_RETRY_TIMEOUT_MS);
+    });
+
+    ws.on('error', error => {
+        logger.error('error on connection with management agent', { error });
+    });
+
+    ws.on('message', data => {
+        const method = 'initManagementclient::onMessage';
+        const log = logger.newRequestLogger();
+        let msg;
+
+        if (!data) {
+            log.error('message without data', { method });
+            return;
+        }
+        try {
+            msg = JSON.parse(data);
+        } catch (err) {
+            log.error('data is an invalid json', { method, err, data });
+            return;
+        }
+
+        if (msg.payload === undefined) {
+            log.error('message without payload', { method });
+            return;
+        }
+        if (typeof msg.messageType !== 'number') {
+            log.error('messageType is not an integer', {
+                type: typeof msg.messageType,
+                method,
+            });
+            return;
+        }
+
+        switch (msg.messageType) {
+        case managementAgentMessageType.NEW_OVERLAY:
+            patchConfiguration(msg.payload, log, err => {
+                if (err) {
+                    log.error('failed to patch overlay', {
+                        error: reshapeExceptionError(err),
+                        method,
+                    });
+                }
+            });
+            return;
+        default:
+            log.error('new overlay message with unmanaged message type', {
+                method,
+                type: msg.messageType,
+            });
+            return;
+        }
+    });
+}
+
+function isManagementAgentUsed() {
+    return process.env.MANAGEMENT_USE_AGENT === '1';
+}
+
+
+module.exports = {
+    managementAgentMessageType,
+    initManagementClient,
+    isManagementAgentUsed,
+};