Compare commits
666 Commits
w/8.6/impr
...
developmen
Author | SHA1 | Date |
---|---|---|
Vitaliy Filippov | b5711e9cbf | |
Vitaliy Filippov | 36dc6298d2 | |
Vitaliy Filippov | bc2d637578 | |
Vitaliy Filippov | b543695048 | |
Vitaliy Filippov | 90024d044d | |
Vitaliy Filippov | 451ab33f68 | |
Vitaliy Filippov | c86107e912 | |
Vitaliy Filippov | 0a5962f256 | |
Vitaliy Filippov | 0e292791c6 | |
Vitaliy Filippov | fc07729bd0 | |
Vitaliy Filippov | 4527dd6795 | |
Vitaliy Filippov | 05fb581023 | |
Vitaliy Filippov | 956739a04e | |
Vitaliy Filippov | 7ad0888a66 | |
Vitaliy Filippov | bf01ba4ed1 | |
Vitaliy Filippov | ab019e7e50 | |
Vitaliy Filippov | 3797695e74 | |
Vitaliy Filippov | c8084196c4 | |
bert-e | b72e918ff9 | |
bert-e | 22887f47d8 | |
bert-e | 0cd10a73f3 | |
bert-e | e139406612 | |
Maha Benzekri | d91853a38b | |
Mickael Bourgois | a7e798f909 | |
Mickael Bourgois | 3a1ba29869 | |
Mickael Bourgois | dbb9b6d787 | |
Mickael Bourgois | fce76f0934 | |
Mickael Bourgois | 0e39aaac09 | |
Mickael Bourgois | 0b14c93fac | |
Mickael Bourgois | ab2960bbf4 | |
Mickael Bourgois | 7305b112e2 | |
Mickael Bourgois | cd9e2e757b | |
Mickael Bourgois | ca0904f584 | |
Mickael Bourgois | 0dd3dd35e6 | |
bert-e | bf7e4b7e23 | |
bert-e | 92f4794727 | |
Jonathan Gramain | c6ef85e3a1 | |
Jonathan Gramain | c0fe0cfbcf | |
bert-e | 9c936f2b83 | |
bert-e | d26bac2ebc | |
Jonathan Gramain | cfb9db5178 | |
Jonathan Gramain | 2ce004751a | |
Jonathan Gramain | 539219e046 | |
Jonathan Gramain | be49e55db5 | |
bert-e | e6b240421b | |
bert-e | 81739e3ecf | |
Jonathan Gramain | c475503248 | |
bert-e | 7acbd5d2fb | |
Jonathan Gramain | 8d726322e5 | |
williamlardier | 4f7aa54886 | |
williamlardier | 0117a5b0b4 | |
williamlardier | f679831ba2 | |
williamlardier | bb162ca7d3 | |
williamlardier | 0c6dfc7b6e | |
williamlardier | d608d849df | |
williamlardier | 2cb63f58d4 | |
williamlardier | 51585712f4 | |
bert-e | 61eb24e46f | |
bert-e | a34b162782 | |
bert-e | a9e50fe046 | |
bert-e | 4150a8432e | |
Taylor McKinnon | 7e70ff9cbc | |
bert-e | 09dc45289c | |
bert-e | 47c628e0e1 | |
Nicolas Humbert | a1f4d3fe8a | |
williamlardier | 926242b077 | |
williamlardier | aa2aac5db3 | |
williamlardier | f2e2d82e51 | |
williamlardier | 88ad86b0c6 | |
bert-e | 8f25892247 | |
bert-e | 9ac207187b | |
Anurag Mittal | 624a04805f | |
Anurag Mittal | ba99933765 | |
williamlardier | 38d1ac1d2c | |
Taylor McKinnon | 4f34a34a11 | |
Taylor McKinnon | 53f2a159fa | |
Maha Benzekri | 63f6a75a86 | |
Maha Benzekri | 41acc7968e | |
williamlardier | c98c5207fc | |
williamlardier | 615ee393a4 | |
williamlardier | 97dfc699aa | |
williamlardier | 76786282d1 | |
williamlardier | a19d6524be | |
williamlardier | bbf6dfba22 | |
williamlardier | f0663fd507 | |
williamlardier | d4decbbd6c | |
williamlardier | 288b2b7b87 | |
williamlardier | ccf9b62e59 | |
williamlardier | 9fc2d552ae | |
williamlardier | d7cc4cf7d5 | |
williamlardier | 334d33ef44 | |
williamlardier | 989b0214d9 | |
williamlardier | 04d0730f97 | |
williamlardier | fbc642c022 | |
williamlardier | 104435f0b6 | |
williamlardier | a362ac202e | |
williamlardier | 1277e58150 | |
williamlardier | 7727ccf5f0 | |
williamlardier | 71860fc90c | |
williamlardier | e504b52de7 | |
Maha Benzekri | b369a47c4d | |
Maha Benzekri | b4fa81e832 | |
Maha Benzekri | 1e03d53879 | |
Maha Benzekri | 63e502d419 | |
Maha Benzekri | d2a31dc20a | |
Maha Benzekri | f24411875f | |
Maha Benzekri | 4fd7faa6a3 | |
Francois Ferrand | 118aaba702 | |
Francois Ferrand | e4442fdc52 | |
Francois Ferrand | 7fa199741f | |
Francois Ferrand | f7f95af78f | |
Francois Ferrand | 2dc053a784 | |
Francois Ferrand | cc9bb9047e | |
Francois Ferrand | b824fc0828 | |
Francois Ferrand | a2e6d91cf2 | |
Francois Ferrand | c1060853dd | |
Francois Ferrand | 227d6edd09 | |
bert-e | b4754c68ea | |
bert-e | 11aea5d93b | |
bert-e | 0c50a5952f | |
bert-e | 4a32e05855 | |
bert-e | 402ed21b14 | |
Nicolas Humbert | a22719ed47 | |
Nicolas Humbert | 41975d539d | |
Nicolas Humbert | c6724eb811 | |
Nicolas Humbert | d027006938 | |
Nicolas Humbert | 92cfd47572 | |
bert-e | 8796bf0f44 | |
bert-e | 735fcd04ef | |
Jonathan Gramain | c5522685b2 | |
Jonathan Gramain | 48df7df271 | |
Jonathan Gramain | e028eb227f | |
Nicolas Humbert | caf3146662 | |
bert-e | 1dee707eb8 | |
Jonathan Gramain | 2c8d69c20a | |
Jonathan Gramain | 0b2b6ceeb5 | |
Jonathan Gramain | f4b3f39dc6 | |
Jonathan Gramain | 84260340d0 | |
Jonathan Gramain | e531abc346 | |
Jonathan Gramain | 20f6e3089b | |
bert-e | 9dc34f2155 | |
bert-e | 08a4c3ade3 | |
Nicolas Humbert | d5c731856b | |
Nicolas Humbert | 584c94692b | |
Nicolas Humbert | a0e5257c75 | |
bert-e | 5435c14116 | |
bert-e | 38c44ea874 | |
Nicolas Humbert | 4200346dd2 | |
bert-e | 5472d0da59 | |
bert-e | cdc0bb1128 | |
Nicolas Humbert | 795f8bcf1c | |
Nicolas Humbert | 9371d8d734 | |
Nicolas Humbert | 3f31c7f3a1 | |
KillianG | 39cba3ee6c | |
KillianG | a00952712f | |
KillianG | a246e18e17 | |
KillianG | 3bb3a4d161 | |
bert-e | c6ba7f981e | |
bert-e | 69c82da878 | |
bert-e | 762ae5a0ff | |
bert-e | 89dfc794a6 | |
bert-e | 3205d117f5 | |
bert-e | 4eafae44d8 | |
bert-e | 4cab3c84f3 | |
bert-e | e3301a2db9 | |
williamlardier | 0dcc93cdbe | |
williamlardier | 2f2f91d6e8 | |
williamlardier | a28b141dfb | |
williamlardier | 46fe061895 | |
williamlardier | 34202eaa62 | |
williamlardier | 4d343fe468 | |
williamlardier | 229e641f88 | |
bert-e | 1433973e5c | |
bert-e | 201170b1ed | |
bert-e | f13985094e | |
Nicolas Humbert | 395033acd2 | |
Nicolas Humbert | 632ef26826 | |
bert-e | 242b2ec85a | |
bert-e | 3186a97113 | |
bert-e | 3861b8d317 | |
bert-e | bb278f7d7e | |
bert-e | 3b9309490d | |
Will Toozs | 0118dfabbb | |
Will Toozs | ff40dfaadf | |
Will Toozs | 9a31236da0 | |
Will Toozs | 61ebacfbf3 | |
Will Toozs | aa646ced28 | |
Will Toozs | f2ca37b5fb | |
Will Toozs | 9d74cedde8 | |
bert-e | 9c99a6980f | |
bert-e | d4e255781b | |
bert-e | f5763d012e | |
bert-e | 8fb740cf09 | |
bert-e | 55c8d89de2 | |
bert-e | 1afaaec0ac | |
bert-e | e20e458971 | |
williamlardier | 56e52de056 | |
williamlardier | d9fc4aae50 | |
williamlardier | 08de09a2ab | |
bert-e | bef9220032 | |
bert-e | de20f1efdc | |
bert-e | 4817f11f36 | |
bert-e | a6b283f5a2 | |
bert-e | 3f810a7596 | |
bert-e | b89d19c9f8 | |
Nicolas Humbert | 4dc9788629 | |
Nicolas Humbert | 65a891d6f8 | |
bert-e | 2ecca4feef | |
Nicolas Humbert | c52a3a6e44 | |
williamlardier | d82965ff78 | |
williamlardier | f488a65f15 | |
williamlardier | 40a575a717 | |
williamlardier | fea82f15ea | |
bert-e | 06dc042154 | |
bert-e | aa4643644a | |
bert-e | 89edf7e3d0 | |
Francois Ferrand | 4c7d3ae4bc | |
Francois Ferrand | 23883dae8b | |
Francois Ferrand | e616ffa374 | |
Francois Ferrand | 515c20e4cf | |
Francois Ferrand | f8eedddebf | |
Francois Ferrand | f3654e4fb8 | |
Francois Ferrand | 517fb99190 | |
Francois Ferrand | 531c83a359 | |
Francois Ferrand | b84fa851f7 | |
Francois Ferrand | 4cb1a879f7 | |
Francois Ferrand | 7ae55b20e7 | |
Francois Ferrand | d0a6fa17a5 | |
Francois Ferrand | 7275459f70 | |
Hervé Dombya | 363afcd17f | |
Frédéric Meinnel | 1cf0250ce9 | |
Frédéric Meinnel | 20d0b38d0b | |
Frédéric Meinnel | 9988a8327a | |
Frédéric Meinnel | b481d24637 | |
Frédéric Meinnel | 71625774c1 | |
Frédéric Meinnel | 9b9338f2b8 | |
Frédéric Meinnel | 601619f200 | |
Frédéric Meinnel | a92e71fd50 | |
Frédéric Meinnel | 8802ea0617 | |
Frédéric Meinnel | acc5f74787 | |
Frédéric Meinnel | e3c093f352 | |
Frédéric Meinnel | e17383a678 | |
bert-e | 43f62b847c | |
bert-e | a031905bba | |
bert-e | 13ad6881f4 | |
Mickael Bourgois | dea5173075 | |
Mickael Bourgois | b3f96198fe | |
Mickael Bourgois | 5e2dd8cccb | |
bert-e | cd2406b827 | |
bert-e | 62f707caff | |
bert-e | f01ef00a52 | |
bert-e | 30fb64e443 | |
bert-e | 054107d8fb | |
bert-e | 848bf318fe | |
bert-e | 0beb48a1fd | |
bert-e | 618d4dffc7 | |
bert-e | b5aae192f7 | |
Mickael Bourgois | 557f3dcde6 | |
Mickael Bourgois | 3291af36bb | |
Will Toozs | d274acd8ed | |
Will Toozs | e6d9e8fc35 | |
Will Toozs | b08edefad6 | |
Will Toozs | e9c353d62a | |
Will Toozs | c7c55451a1 | |
bert-e | 7bb004586d | |
bert-e | d48de67723 | |
Will Toozs | fa4dec01cb | |
Will Toozs | 4f79a9c59c | |
Will Toozs | 05c759110b | |
Will Toozs | deae294a81 | |
Will Toozs | ab587385e6 | |
Will Toozs | 6243911072 | |
Will Toozs | da804054e5 | |
Will Toozs | 493a6da773 | |
Will Toozs | 7ecdd11783 | |
Mickael Bourgois | 7e53b67c90 | |
bert-e | b141c59bb7 | |
bert-e | 0b79ecd942 | |
bert-e | 86ece5c264 | |
Mickael Bourgois | 0b79cd6af6 | |
Mickael Bourgois | a51b5e0af3 | |
bert-e | 10ca6b98fa | |
bert-e | 171925732f | |
Taylor McKinnon | 6d36f9c867 | |
Taylor McKinnon | 1a21c4f867 | |
Taylor McKinnon | 866dec1b81 | |
Mickael Bourgois | 9491e82235 | |
bert-e | 70e8b20af9 | |
bert-e | 0ec5f4fee5 | |
bert-e | 6c468a01d9 | |
bert-e | 3d2b75f344 | |
Mickael Bourgois | 5811fa5326 | |
bert-e | e600677545 | |
bert-e | 72e5da10b7 | |
Mickael Bourgois | de0e7e6449 | |
Mickael Bourgois | 97b5ed6dd3 | |
Mickael Bourgois | dad8a3ee37 | |
Mickael Bourgois | 8aca658c5c | |
bert-e | 759817c5a0 | |
bert-e | 035c7e8d7f | |
Mickael Bourgois | b8af1225d5 | |
Mickael Bourgois | 40faa5f3fa | |
Mickael Bourgois | 1fc8622614 | |
Mickael Bourgois | a0acefb4a8 | |
bert-e | de27a5b88e | |
bert-e | a4cc5e45f3 | |
bert-e | 621cb33680 | |
bert-e | b025443d21 | |
Mickael Bourgois | d502a81284 | |
bert-e | 9a8b707e82 | |
bert-e | 002dbe0019 | |
bert-e | 59e52f6df2 | |
bert-e | b52f2356ba | |
Mickael Bourgois | 60679495b6 | |
Mickael Bourgois | 9dfacd0827 | |
Mickael Bourgois | 485ef1e9bb | |
Mickael Bourgois | 5e041ca5e7 | |
Mickael Bourgois | 52137772d9 | |
Mickael Bourgois | fcf193d033 | |
Mickael Bourgois | fb61cad786 | |
Mickael Bourgois | b6367eb2b8 | |
bert-e | d803bdcadc | |
bert-e | 4f1b8f25b7 | |
bert-e | 94363482c3 | |
bert-e | 6b0a8cb9ed | |
Will Toozs | 5dbf5d965f | |
Will Toozs | ebefc4b5b0 | |
Mickael Bourgois | ac1c75e414 | |
Mickael Bourgois | fee4f3a96e | |
bert-e | e969eeaa20 | |
bert-e | 2ee78bcf6a | |
bert-e | 64273365d5 | |
bert-e | 65c6bacd34 | |
bert-e | d60d252eaf | |
bert-e | f31fe2f2bf | |
bert-e | ee47cece90 | |
Mickael Bourgois | 7a5cddacbc | |
Mickael Bourgois | baa6203b57 | |
Mickael Bourgois | 141056637b | |
Mickael Bourgois | 0f007e0489 | |
Mickael Bourgois | 2d50a76923 | |
Mickael Bourgois | 6b4f10ae56 | |
Mickael Bourgois | 23eaf89cc3 | |
Mickael Bourgois | d6a2144508 | |
Mickael Bourgois | 40dd3f37a4 | |
Mickael Bourgois | d3307654a6 | |
Mickael Bourgois | e342a90b48 | |
williamlardier | dbda5f16a6 | |
Mickael Bourgois | d4a4825668 | |
Mickael Bourgois | 83b9e9a775 | |
Maha Benzekri | 2959c950dd | |
Maha Benzekri | 462ddf7ef1 | |
Maha Benzekri | fda42e7399 | |
Maha Benzekri | edbd6caeb4 | |
Maha Benzekri | 1befaa1f28 | |
Maha Benzekri | 0cefca831d | |
Jonathan Gramain | ea7b69e313 | |
Jonathan Gramain | 8ec1c2f2db | |
Jonathan Gramain | 3af6ca5f6d | |
Jonathan Gramain | 997d71df08 | |
Jonathan Gramain | 275ebcec5c | |
Mickael Bourgois | 8b77530b2b | |
bert-e | 43f9606598 | |
bert-e | be34e5ad59 | |
Jonathan Gramain | 5bc64ede43 | |
Jonathan Gramain | 911010376e | |
Jonathan Gramain | b5ec37b38b | |
Mickael Bourgois | 3ce869cea3 | |
Mickael Bourgois | b7960784db | |
Mickael Bourgois | 5ac10cefa8 | |
Mickael Bourgois | 2dafefd77f | |
Mickael Bourgois | 36f147b441 | |
Mickael Bourgois | 8ed447ba63 | |
bert-e | bf235f3335 | |
bert-e | 569c9f4368 | |
Nicolas Humbert | 92cf03254a | |
Nicolas Humbert | c57ae9c8ea | |
Mickael Bourgois | 5bec42d051 | |
Mickael Bourgois | f427fc9b70 | |
Mickael Bourgois | 9aad4ae3ea | |
bert-e | 1a3cb8108c | |
bert-e | 042120b17e | |
bert-e | ba4593592d | |
bert-e | 6efdb627da | |
bert-e | e5b692f3db | |
bert-e | 548ae8cd12 | |
bert-e | 2a919af071 | |
bert-e | 5c300b8b6c | |
Maha Benzekri | 99068e7265 | |
Maha Benzekri | cd039d8133 | |
Maha Benzekri | 75b293df8d | |
Maha Benzekri | a855e38998 | |
Maha Benzekri | ffe4ea4afe | |
Maha Benzekri | a16cfad0fc | |
bert-e | 556163e3e9 | |
Maha Benzekri | 869d554e43 | |
Maha Benzekri | 2f8b228595 | |
Maha Benzekri | e44b7ed918 | |
Maha Benzekri | 3cb29f7f8e | |
Maha Benzekri | 4f08a4dff2 | |
Maha Benzekri | 15a1aa7965 | |
Maha Benzekri | 4470ee9125 | |
Francois Ferrand | d8c12597ea | |
Francois Ferrand | c8eb9025fa | |
Francois Ferrand | 57e0f71e6a | |
Francois Ferrand | f22f920ee2 | |
Maha Benzekri | ed1bb6301d | |
Maha Benzekri | 70dfa5b11b | |
Francois Ferrand | a4e6f9d034 | |
Maha Benzekri | cf94b9de6a | |
Maha Benzekri | da0492d2bb | |
Maha Benzekri | 979b9065ed | |
Maha Benzekri | d5a3923f74 | |
bert-e | bc291fe3a7 | |
bert-e | 8dc7432c51 | |
bert-e | 6f963bdcd9 | |
bert-e | cd9024fd32 | |
bert-e | dff7610060 | |
bert-e | 757c2537ef | |
bert-e | 4515b2adbf | |
bert-e | 50ffdd260b | |
bert-e | b5f22d8c68 | |
bert-e | 68ff54d49a | |
bert-e | 3fe5579c80 | |
bert-e | 3fdd2bce21 | |
bert-e | c9b512174f | |
bert-e | 7b48624cf7 | |
bert-e | 55b07def2e | |
bert-e | fcc9468b63 | |
bert-e | efc44a620d | |
bert-e | 1bc19b39d7 | |
bert-e | b5fa3a1fd3 | |
bert-e | c0fc958365 | |
bert-e | d3c74d2c16 | |
Kerkesni | 07eda89a3f | |
bert-e | 27b4066ca4 | |
bert-e | 2ee5b356fa | |
bert-e | f5d3433413 | |
bert-e | 62b4b9bc25 | |
bert-e | ec56c77881 | |
bert-e | d0abde3962 | |
bert-e | fdc682f2db | |
bert-e | b184606dc2 | |
Maha Benzekri | 9ce0f2c2b6 | |
Maha Benzekri | 43b4e0c713 | |
bert-e | 9185f16554 | |
bert-e | 2df9a57f9c | |
bert-e | 68535f83d6 | |
bert-e | 41d63650be | |
bert-e | 12185f7c3b | |
bert-e | 5f82ee2d0e | |
Taylor McKinnon | d72bc5c6b9 | |
Taylor McKinnon | 0e47810963 | |
bert-e | 3b36cef85f | |
Jonathan Gramain | 114b885c7f | |
williamlardier | 3b95c033d2 | |
williamlardier | 04091dc316 | |
williamlardier | 56023a80ed | |
bert-e | 2deaebd89a | |
bert-e | c706ccf9c6 | |
Francois Ferrand | 583ea8490f | |
bert-e | 85a9480793 | |
bert-e | be2f65b69e | |
bert-e | 1ee6d0a87d | |
bert-e | 224af9a5d2 | |
bert-e | 74f05377f0 | |
bert-e | 111e14cc89 | |
Florent Monjalet | 00b20f00d1 | |
Florent Monjalet | a91d53a12c | |
Florent Monjalet | 63d2637046 | |
Maha Benzekri | 5d416ad190 | |
Maha Benzekri | ff29cda03f | |
Florent Monjalet | cb8baf2dab | |
bert-e | 22f470c6eb | |
bert-e | e510473116 | |
Florent Monjalet | 17a6808fe4 | |
Florent Monjalet | df646e4802 | |
Florent Monjalet | 267770d256 | |
Florent Monjalet | 1b92dc2c05 | |
Florent Monjalet | f80bb2f34b | |
Florent Monjalet | 4f89b67bb9 | |
Florent Monjalet | 8b5630923c | |
Florent Monjalet | 9ff5e376e5 | |
Florent Monjalet | a9b5a2e3a4 | |
Florent Monjalet | 7e9ec22ae3 | |
bert-e | 9d4664ae06 | |
bert-e | 662265ba2e | |
Taylor McKinnon | 17e4f14f9c | |
Taylor McKinnon | 014b071536 | |
bert-e | 2d45f92ae1 | |
bert-e | 48452496fa | |
bert-e | 18bf6b8d4a | |
bert-e | 858c31a542 | |
bert-e | 19d3e0bc9d | |
bert-e | bac044dc8f | |
bert-e | 8c0f709014 | |
Francois Ferrand | ce92d33a5d | |
Kerkesni | 0381cce85c | |
Kerkesni | 20a08a2a4e | |
Kerkesni | ff73d8ab12 | |
Kerkesni | 1ee44bc6d3 | |
bert-e | 614e876536 | |
bert-e | b40a77d94b | |
bert-e | 3a3a73b756 | |
bert-e | 3f6e85590d | |
bert-e | bc009945d2 | |
bert-e | 3ac30d9bab | |
bert-e | 32204fbfbf | |
bert-e | 5a26e1a80d | |
bert-e | 507a2d4ff5 | |
bert-e | 1207a6fb70 | |
bert-e | 5883286864 | |
bert-e | 2a37e809d9 | |
bert-e | 86ce7691cd | |
bert-e | e466b5e92a | |
bert-e | a4bc10f730 | |
Nicolas Humbert | c480301e95 | |
Nicolas Humbert | 276be285cc | |
bert-e | 897d41392a | |
bert-e | f4e3a19d61 | |
williamlardier | 7c52fcbbb0 | |
bert-e | da52688a39 | |
bert-e | 1cb54a66f8 | |
bert-e | d9fffdad9e | |
williamlardier | 389c32f819 | |
Kerkesni | d26b8bcfcc | |
Kerkesni | e4634621ee | |
williamlardier | 0b58b3ad2a | |
bert-e | 652bf92536 | |
bert-e | 344ee8a014 | |
bert-e | b7e7f65d52 | |
bert-e | c5b7450a4d | |
Nicolas Humbert | 18c8d4ecac | |
Nicolas Humbert | c8150c6857 | |
bert-e | 399a2a53ab | |
Alexander Chan | bbad049b5f | |
bert-e | 2a4e2e1584 | |
bert-e | b304d05614 | |
bert-e | 004bd63368 | |
Nicolas Humbert | 960d736962 | |
KillianG | 32401c9a83 | |
KillianG | 5f05b676cc | |
KillianG | fd662a8c2c | |
bert-e | 5d54dd58be | |
Nicolas Humbert | 1bd0deafcf | |
Francois Ferrand | 7c788d3dbf | |
Nicolas Humbert | 50cb6a2bf1 | |
bert-e | 58f7bb2877 | |
Francois Ferrand | ea284508d7 | |
Francois Ferrand | 0981fa42f3 | |
Francois Ferrand | 7e63064a52 | |
Francois Ferrand | 71b21e40ca | |
Francois Ferrand | ff894bb545 | |
Francois Ferrand | ae9f24e1bb | |
bert-e | 2dc01ce3ed | |
Kerkesni | 9bd9bef6c7 | |
bert-e | a6a5c273d5 | |
Kerkesni | 6479076fec | |
bert-e | df45f481d0 | |
bert-e | cd8c589eba | |
williamlardier | daec2661ae | |
Francois Ferrand | 0f266371a0 | |
Francois Ferrand | 73e56963bf | |
Alexander Chan | fb11d0f42e | |
williamlardier | 9cbd9f7be8 | |
williamlardier | c2fc8873cb | |
Francois Ferrand | bee1ae04bf | |
Francois Ferrand | eb86552a57 | |
bert-e | f5d8f2fac5 | |
bert-e | 36e841b542 | |
williamlardier | 1d12a430a0 | |
williamlardier | bea27b4fb4 | |
williamlardier | 76405d9179 | |
Alexander Chan | 31b7f1e71c | |
Alexander Chan | 8674cac9f8 | |
KillianG | d5b666a246 | |
KillianG | 4360772971 | |
KillianG | 6e152e33d5 | |
KillianG | 94f34979a5 | |
bert-e | 4b0f165b46 | |
Nicolas Humbert | 3590377554 | |
bert-e | 8a08f97492 | |
bert-e | 448afa50e3 | |
bert-e | 50b738cfff | |
bert-e | 951a98fcaf | |
bert-e | 8ca770dcb7 | |
bert-e | 3585b8d5eb | |
bert-e | 0a1489ee46 | |
Xin LI | de5b4331e2 | |
bert-e | 46dff0321d | |
bert-e | ddc6ea72be | |
bert-e | d266ff4e9f | |
bert-e | 7dc2f07cb6 | |
Kerkesni | 6c22d87c55 | |
Kerkesni | 310f67d3a7 | |
Kerkesni | 49841c5e0e | |
Kerkesni | b5334baca8 | |
Kerkesni | e592671b54 | |
bert-e | 6e0b66849d | |
bert-e | 18a1bfd325 | |
bert-e | 2c999f4c10 | |
bert-e | bf7a643d45 | |
bert-e | 3f3bf0fdf0 | |
bert-e | 2a44949048 | |
bert-e | 6660626190 | |
williamlardier | 58fc0b7146 | |
williamlardier | 11e3d7ecb2 | |
williamlardier | 1bab851ce3 | |
bert-e | 0bc0341f33 | |
bert-e | b5b0f6482b | |
bert-e | 755f282f8e | |
bert-e | c4dc928de2 | |
Killian Gardahaut | a0087e8d77 | |
KillianG | 8e5bea56b6 | |
KillianG | 976e349036 | |
KillianG | de1c23ac1b | |
KillianG | 0b4d04a2a3 | |
KillianG | 049d396c8d | |
Naren | 5c04cbe6d1 | |
bert-e | 5cb63991a8 | |
Alexander Chan | c310cb3dd1 | |
bert-e | 22cda51944 | |
williamlardier | 408d0de732 | |
williamlardier | 83916c91fb | |
bert-e | 110b2a35ed | |
williamlardier | a8117ca037 | |
bert-e | 9145d1cf79 | |
bert-e | ae1b6dc3d1 | |
bert-e | b1304b5f7f | |
bert-e | 6b1f8c61ec | |
bert-e | 335bfabed1 | |
bert-e | 3398db3c0f | |
bert-e | 836e9fb22d | |
bert-e | ead7f5f7c2 | |
bert-e | c17059dc77 | |
bert-e | 8ace5b24a5 | |
bert-e | 39f7035dbd | |
williamlardier | bb62ed4fa7 | |
williamlardier | c95368858d | |
bert-e | d8ff1377fc | |
Jonathan Gramain | 28f4c5baee | |
bert-e | 0a8f846f4b | |
Jonathan Gramain | ac5de47ca1 | |
williamlardier | c147785464 | |
williamlardier | ca8c788757 | |
williamlardier | cb2af364bb | |
williamlardier | 1eb27d610b | |
williamlardier | 73b295c91d | |
williamlardier | 8186c84bf9 | |
williamlardier | 93ef2d0545 | |
williamlardier | d7d0a31bb1 | |
williamlardier | 4c69b82508 | |
williamlardier | ca13284da3 | |
williamlardier | c6ed75a1d7 | |
williamlardier | 402d0dea1a | |
williamlardier | 95faec1db0 | |
Jonathan Gramain | ca9d53f430 | |
bert-e | b1ee1f8ef7 | |
williamlardier | e882cb6781 | |
Francois Ferrand | cb7303636c | |
Francois Ferrand | 6d0f889c23 | |
Francois Ferrand | c13f2ae6a5 | |
bert-e | b6611c4711 | |
bert-e | ae4ece471b | |
williamlardier | 15b61cd947 | |
williamlardier | 91536c575f |
|
@ -1,5 +1,8 @@
|
|||
{
|
||||
"extends": "scality",
|
||||
"plugins": [
|
||||
"mocha"
|
||||
],
|
||||
"rules": {
|
||||
"import/extensions": "off",
|
||||
"lines-around-directive": "off",
|
||||
|
@ -42,7 +45,8 @@
|
|||
"no-restricted-properties": "off",
|
||||
"new-parens": "off",
|
||||
"no-multi-spaces": "off",
|
||||
"quote-props": "off"
|
||||
"quote-props": "off",
|
||||
"mocha/no-exclusive-tests": "error",
|
||||
},
|
||||
"parserOptions": {
|
||||
"ecmaVersion": 2020
|
||||
|
|
|
@ -16,14 +16,14 @@ runs:
|
|||
run: |-
|
||||
set -exu;
|
||||
mkdir -p /tmp/artifacts/${JOB_NAME}/;
|
||||
- uses: actions/setup-node@v2
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
cache: 'yarn'
|
||||
- name: install dependencies
|
||||
shell: bash
|
||||
run: yarn install --ignore-engines --frozen-lockfile --network-concurrency 1
|
||||
- uses: actions/cache@v2
|
||||
- uses: actions/cache@v3
|
||||
with:
|
||||
path: ~/.cache/pip
|
||||
key: ${{ runner.os }}-pip
|
||||
|
@ -35,3 +35,9 @@ runs:
|
|||
run: |
|
||||
sudo apt-get install -y libdigest-hmac-perl
|
||||
pip install 's3cmd==2.3.0'
|
||||
- name: fix sproxyd.conf permissions
|
||||
shell: bash
|
||||
run: sudo chown root:root .github/docker/sproxyd/conf/sproxyd0.conf
|
||||
- name: ensure fuse kernel module is loaded (for sproxyd)
|
||||
shell: bash
|
||||
run: sudo modprobe fuse
|
||||
|
|
|
@ -40,6 +40,11 @@ services:
|
|||
- DEFAULT_BUCKET_KEY_FORMAT
|
||||
- METADATA_MAX_CACHED_BUCKETS
|
||||
- ENABLE_NULL_VERSION_COMPAT_MODE
|
||||
- SCUBA_HOST
|
||||
- SCUBA_PORT
|
||||
- SCUBA_HEALTHCHECK_FREQUENCY
|
||||
- S3QUOTA
|
||||
- QUOTA_ENABLE_INFLIGHTS
|
||||
env_file:
|
||||
- creds.env
|
||||
depends_on:
|
||||
|
@ -67,14 +72,21 @@ services:
|
|||
pykmip:
|
||||
network_mode: "host"
|
||||
profiles: ['pykmip']
|
||||
image: registry.scality.com/cloudserver-dev/pykmip
|
||||
image: ${PYKMIP_IMAGE:-ghcr.io/scality/cloudserver/pykmip}
|
||||
volumes:
|
||||
- /tmp/artifacts/${JOB_NAME}:/artifacts
|
||||
mongo:
|
||||
network_mode: "host"
|
||||
profiles: ['mongo', 'ceph']
|
||||
image: scality/ci-mongo:3.6.8
|
||||
image: ${MONGODB_IMAGE}
|
||||
ceph:
|
||||
network_mode: "host"
|
||||
profiles: ['ceph']
|
||||
image: ghcr.io/scality/cloudserver/ci-ceph
|
||||
sproxyd:
|
||||
network_mode: "host"
|
||||
profiles: ['sproxyd']
|
||||
image: sproxyd-standalone
|
||||
build: ./sproxyd
|
||||
user: 0:0
|
||||
privileged: yes
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
FROM mongo:5.0.21
|
||||
|
||||
ENV USER=scality \
|
||||
HOME_DIR=/home/scality \
|
||||
CONF_DIR=/conf \
|
||||
DATA_DIR=/data
|
||||
|
||||
# Set up directories and permissions
|
||||
RUN mkdir -p /data/db /data/configdb && chown -R mongodb:mongodb /data/db /data/configdb; \
|
||||
mkdir /logs; \
|
||||
adduser --uid 1000 --disabled-password --gecos --quiet --shell /bin/bash scality
|
||||
|
||||
# Set up environment variables and directories for scality user
|
||||
RUN mkdir ${CONF_DIR} && \
|
||||
chown -R ${USER} ${CONF_DIR} && \
|
||||
chown -R ${USER} ${DATA_DIR}
|
||||
|
||||
# copy the mongo config file
|
||||
COPY /conf/mongod.conf /conf/mongod.conf
|
||||
COPY /conf/mongo-run.sh /conf/mongo-run.sh
|
||||
COPY /conf/initReplicaSet /conf/initReplicaSet.js
|
||||
|
||||
EXPOSE 27017/tcp
|
||||
EXPOSE 27018
|
||||
|
||||
# Set up CMD
|
||||
ENTRYPOINT ["bash", "/conf/mongo-run.sh"]
|
||||
CMD ["bash", "/conf/mongo-run.sh"]
|
|
@ -0,0 +1,4 @@
|
|||
rs.initiate({
|
||||
_id: "rs0",
|
||||
members: [{ _id: 0, host: "127.0.0.1:27018" }]
|
||||
});
|
|
@ -0,0 +1,10 @@
|
|||
#!/bin/bash
|
||||
set -exo pipefail
|
||||
|
||||
init_RS() {
|
||||
sleep 5
|
||||
mongo --port 27018 /conf/initReplicaSet.js
|
||||
}
|
||||
init_RS &
|
||||
|
||||
mongod --bind_ip_all --config=/conf/mongod.conf
|
|
@ -0,0 +1,15 @@
|
|||
storage:
|
||||
journal:
|
||||
enabled: true
|
||||
engine: wiredTiger
|
||||
dbPath: "/data/db"
|
||||
processManagement:
|
||||
fork: false
|
||||
net:
|
||||
port: 27018
|
||||
bindIp: 0.0.0.0
|
||||
replication:
|
||||
replSetName: "rs0"
|
||||
enableMajorityReadConcern: true
|
||||
security:
|
||||
authorization: disabled
|
|
@ -0,0 +1,3 @@
|
|||
FROM ghcr.io/scality/federation/sproxyd:7.10.6.8
|
||||
ADD ./conf/supervisord.conf ./conf/nginx.conf ./conf/fastcgi_params ./conf/sproxyd0.conf /conf/
|
||||
RUN chown root:root /conf/sproxyd0.conf
|
|
@ -0,0 +1,26 @@
|
|||
fastcgi_param QUERY_STRING $query_string;
|
||||
fastcgi_param REQUEST_METHOD $request_method;
|
||||
fastcgi_param CONTENT_TYPE $content_type;
|
||||
fastcgi_param CONTENT_LENGTH $content_length;
|
||||
|
||||
#fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_NAME /var/www;
|
||||
fastcgi_param PATH_INFO $document_uri;
|
||||
|
||||
fastcgi_param REQUEST_URI $request_uri;
|
||||
fastcgi_param DOCUMENT_URI $document_uri;
|
||||
fastcgi_param DOCUMENT_ROOT $document_root;
|
||||
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||||
fastcgi_param HTTPS $https if_not_empty;
|
||||
|
||||
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
|
||||
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
fastcgi_param REMOTE_PORT $remote_port;
|
||||
fastcgi_param SERVER_ADDR $server_addr;
|
||||
fastcgi_param SERVER_PORT $server_port;
|
||||
fastcgi_param SERVER_NAME $server_name;
|
||||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
|
@ -0,0 +1,88 @@
|
|||
worker_processes 1;
|
||||
error_log /logs/error.log;
|
||||
user root root;
|
||||
events {
|
||||
worker_connections 1000;
|
||||
reuse_port on;
|
||||
multi_accept on;
|
||||
}
|
||||
worker_rlimit_nofile 20000;
|
||||
http {
|
||||
root /var/www/;
|
||||
upstream sproxyds {
|
||||
least_conn;
|
||||
keepalive 40;
|
||||
server 127.0.0.1:20000;
|
||||
}
|
||||
server {
|
||||
client_max_body_size 0;
|
||||
client_body_timeout 150;
|
||||
client_header_timeout 150;
|
||||
postpone_output 0;
|
||||
client_body_postpone_size 0;
|
||||
keepalive_requests 1100;
|
||||
keepalive_timeout 300s;
|
||||
server_tokens off;
|
||||
default_type application/octet-stream;
|
||||
gzip off;
|
||||
tcp_nodelay on;
|
||||
tcp_nopush on;
|
||||
sendfile on;
|
||||
listen 81;
|
||||
server_name localhost;
|
||||
rewrite ^/arc/(.*)$ /dc1/$1 permanent;
|
||||
location ~* ^/proxy/(.*)$ {
|
||||
rewrite ^/proxy/(.*)$ /$1 last;
|
||||
}
|
||||
allow 127.0.0.1;
|
||||
|
||||
deny all;
|
||||
set $usermd '-';
|
||||
set $sentusermd '-';
|
||||
set $elapsed_ms '-';
|
||||
set $now '-';
|
||||
log_by_lua '
|
||||
if not(ngx.var.http_x_scal_usermd == nil) and string.len(ngx.var.http_x_scal_usermd) > 2 then
|
||||
ngx.var.usermd = string.sub(ngx.decode_base64(ngx.var.http_x_scal_usermd),1,-3)
|
||||
end
|
||||
if not(ngx.var.sent_http_x_scal_usermd == nil) and string.len(ngx.var.sent_http_x_scal_usermd) > 2 then
|
||||
ngx.var.sentusermd = string.sub(ngx.decode_base64(ngx.var.sent_http_x_scal_usermd),1,-3)
|
||||
end
|
||||
local elapsed_ms = tonumber(ngx.var.request_time)
|
||||
if not ( elapsed_ms == nil) then
|
||||
elapsed_ms = elapsed_ms * 1000
|
||||
ngx.var.elapsed_ms = tostring(elapsed_ms)
|
||||
end
|
||||
local time = tonumber(ngx.var.msec) * 1000
|
||||
ngx.var.now = time
|
||||
';
|
||||
log_format irm '{ "time":"$now","connection":"$connection","request":"$connection_requests","hrtime":"$msec",'
|
||||
'"httpMethod":"$request_method","httpURL":"$uri","elapsed_ms":$elapsed_ms,'
|
||||
'"httpCode":$status,"requestLength":$request_length,"bytesSent":$bytes_sent,'
|
||||
'"contentLength":"$content_length","sentContentLength":"$sent_http_content_length",'
|
||||
'"contentType":"$content_type","s3Address":"$remote_addr",'
|
||||
'"requestUserMd":"$usermd","responseUserMd":"$sentusermd",'
|
||||
'"ringKeyVersion":"$sent_http_x_scal_version","ringStatus":"$sent_http_x_scal_ring_status",'
|
||||
'"s3Port":"$remote_port","sproxydStatus":"$upstream_status","req_id":"$http_x_scal_request_uids",'
|
||||
'"ifMatch":"$http_if_match","ifNoneMatch":"$http_if_none_match",'
|
||||
'"range":"$http_range","contentRange":"$sent_http_content_range","nginxPID":$PID,'
|
||||
'"sproxydAddress":"$upstream_addr","sproxydResponseTime_s":"$upstream_response_time" }';
|
||||
access_log /dev/stdout irm;
|
||||
error_log /dev/stdout error;
|
||||
location / {
|
||||
proxy_request_buffering off;
|
||||
fastcgi_request_buffering off;
|
||||
fastcgi_no_cache 1;
|
||||
fastcgi_cache_bypass 1;
|
||||
fastcgi_buffering off;
|
||||
fastcgi_ignore_client_abort on;
|
||||
fastcgi_keep_conn on;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass sproxyds;
|
||||
fastcgi_next_upstream error timeout;
|
||||
fastcgi_send_timeout 285s;
|
||||
fastcgi_read_timeout 285s;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
{
|
||||
"general": {
|
||||
"ring": "DATA",
|
||||
"port": 20000,
|
||||
"syslog_facility": "local0"
|
||||
},
|
||||
"ring_driver:0": {
|
||||
"alias": "dc1",
|
||||
"type": "local",
|
||||
"queue_path": "/tmp/ring-objs"
|
||||
},
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
[supervisord]
|
||||
nodaemon = true
|
||||
loglevel = info
|
||||
logfile = %(ENV_LOG_DIR)s/supervisord.log
|
||||
pidfile = %(ENV_SUP_RUN_DIR)s/supervisord.pid
|
||||
logfile_maxbytes = 20MB
|
||||
logfile_backups = 2
|
||||
|
||||
[unix_http_server]
|
||||
file = %(ENV_SUP_RUN_DIR)s/supervisor.sock
|
||||
|
||||
[rpcinterface:supervisor]
|
||||
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
|
||||
|
||||
[supervisorctl]
|
||||
serverurl = unix://%(ENV_SUP_RUN_DIR)s/supervisor.sock
|
||||
|
||||
[program:nginx]
|
||||
directory=%(ENV_SUP_RUN_DIR)s
|
||||
command=bash -c "/usr/sbin/nginx -c %(ENV_CONF_DIR)s/nginx.conf -g 'daemon off;'"
|
||||
stdout_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s.log
|
||||
stderr_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s-stderr.log
|
||||
stdout_logfile_maxbytes=100MB
|
||||
stdout_logfile_backups=7
|
||||
stderr_logfile_maxbytes=100MB
|
||||
stderr_logfile_backups=7
|
||||
autorestart=true
|
||||
autostart=true
|
||||
user=root
|
||||
|
||||
[program:sproxyd]
|
||||
directory=%(ENV_SUP_RUN_DIR)s
|
||||
process_name=%(program_name)s-%(process_num)s
|
||||
numprocs=1
|
||||
numprocs_start=0
|
||||
command=/usr/bin/sproxyd -dlw -V127 -c %(ENV_CONF_DIR)s/sproxyd%(process_num)s.conf -P /run%(process_num)s
|
||||
stdout_logfile = %(ENV_LOG_DIR)s/%(program_name)s-%(process_num)s.log
|
||||
stdout_logfile_maxbytes=100MB
|
||||
stdout_logfile_backups=7
|
||||
redirect_stderr=true
|
||||
autorestart=true
|
||||
autostart=true
|
||||
user=root
|
|
@ -1,7 +1,10 @@
|
|||
name: Test alerts
|
||||
|
||||
on:
|
||||
push
|
||||
push:
|
||||
branches-ignore:
|
||||
- 'development/**'
|
||||
- 'q/*/**'
|
||||
|
||||
jobs:
|
||||
run-alert-tests:
|
||||
|
@ -17,13 +20,16 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Render and test ${{ matrix.tests.name }}
|
||||
uses: scality/action-prom-render-test@1.0.1
|
||||
uses: scality/action-prom-render-test@1.0.3
|
||||
with:
|
||||
alert_file_path: monitoring/alerts.yaml
|
||||
test_file_path: ${{ matrix.tests.file }}
|
||||
alert_inputs: >-
|
||||
namespace=zenko,service=artesca-data-connector-s3api-metrics,replicas=3
|
||||
alert_inputs: |
|
||||
namespace=zenko
|
||||
service=artesca-data-connector-s3api-metrics
|
||||
reportJob=artesca-data-ops-report-handler
|
||||
replicas=3
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
|
@ -3,7 +3,7 @@ name: codeQL
|
|||
|
||||
on:
|
||||
push:
|
||||
branches: [development/*, stabilization/*, hotfix/*]
|
||||
branches: [w/**, q/*]
|
||||
pull_request:
|
||||
branches: [development/*, stabilization/*, hotfix/*]
|
||||
workflow_dispatch:
|
||||
|
@ -14,12 +14,12 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
uses: github/codeql-action/init@v3
|
||||
with:
|
||||
languages: javascript, python, ruby
|
||||
|
||||
- name: Build and analyze
|
||||
uses: github/codeql-action/analyze@v2
|
||||
uses: github/codeql-action/analyze@v3
|
||||
|
|
|
@ -10,7 +10,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v3
|
||||
uses: actions/dependency-review-action@v4
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
name: release
|
||||
run-name: release ${{ inputs.tag }}
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
@ -9,58 +10,69 @@ on:
|
|||
required: true
|
||||
|
||||
env:
|
||||
REGISTRY_NAME: registry.scality.com
|
||||
PROJECT_NAME: ${{ github.event.repository.name }}
|
||||
|
||||
jobs:
|
||||
build-federation-image:
|
||||
uses: scality/workflows/.github/workflows/docker-build.yaml@v1
|
||||
secrets: inherit
|
||||
with:
|
||||
push: true
|
||||
registry: registry.scality.com
|
||||
namespace: ${{ github.event.repository.name }}
|
||||
name: ${{ github.event.repository.name }}
|
||||
context: .
|
||||
file: images/svc-base/Dockerfile
|
||||
tag: ${{ github.event.inputs.tag }}-svc-base
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
- name: Login to GitHub Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ github.token }}
|
||||
- name: Build and push image for federation
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
push: true
|
||||
context: .
|
||||
file: images/svc-base/Dockerfile
|
||||
tags: |
|
||||
ghcr.io/${{ github.repository }}:${{ github.event.inputs.tag }}-svc-base
|
||||
cache-from: type=gha,scope=federation
|
||||
cache-to: type=gha,mode=max,scope=federation
|
||||
|
||||
release:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Docker Buildk
|
||||
uses: docker/setup-buildx-action@v1
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Login to Registry
|
||||
uses: docker/login-action@v1
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ${{ env.REGISTRY_NAME }}
|
||||
username: ${{ secrets.REGISTRY_LOGIN }}
|
||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ github.token }}
|
||||
|
||||
- name: Push dashboards into the production namespace
|
||||
run: |
|
||||
oras push ${{ env.REGISTRY_NAME }}/${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}-dashboards:${{ github.event.inputs.tag }} \
|
||||
oras push ghcr.io/${{ github.repository }}/${{ env.PROJECT_NAME }}-dashboards:${{ github.event.inputs.tag }} \
|
||||
dashboard.json:application/grafana-dashboard+json \
|
||||
alerts.yaml:application/prometheus-alerts+yaml
|
||||
working-directory: monitoring
|
||||
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@v2
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: .
|
||||
push: true
|
||||
tags: ${{ env.REGISTRY_NAME }}/${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}:${{ github.event.inputs.tag }}
|
||||
tags: ghcr.io/${{ github.repository }}:${{ github.event.inputs.tag }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
|
||||
- name: Create Release
|
||||
uses: softprops/action-gh-release@v1
|
||||
uses: softprops/action-gh-release@v2
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
with:
|
||||
name: Release ${{ github.event.inputs.tag }}
|
||||
tag_name: ${{ github.event.inputs.tag }}
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
name: tests
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
push:
|
||||
branches-ignore:
|
||||
- 'development/**'
|
||||
|
@ -65,23 +67,24 @@ env:
|
|||
ENABLE_LOCAL_CACHE: "true"
|
||||
REPORT_TOKEN: "report-token-1"
|
||||
REMOTE_MANAGEMENT_DISABLE: "1"
|
||||
|
||||
# https://github.com/git-lfs/git-lfs/issues/5749
|
||||
GIT_CLONE_PROTECTION_ACTIVE: 'false'
|
||||
jobs:
|
||||
linting-coverage:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
- uses: actions/setup-node@v2
|
||||
uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: '16'
|
||||
cache: yarn
|
||||
- name: install dependencies
|
||||
run: yarn install --frozen-lockfile --network-concurrency 1
|
||||
- uses: actions/setup-python@v4
|
||||
- uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.9'
|
||||
- uses: actions/cache@v2
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: ~/.cache/pip
|
||||
key: ${{ runner.os }}-pip
|
||||
|
@ -114,7 +117,7 @@ jobs:
|
|||
find . -name "*junit*.xml" -exec cp {} artifacts/junit/ ";"
|
||||
if: always()
|
||||
- name: Upload files to artifacts
|
||||
uses: scality/action-artifacts@v2
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -125,61 +128,88 @@ jobs:
|
|||
|
||||
build:
|
||||
runs-on: ubuntu-20.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v4
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1.6.0
|
||||
uses: docker/setup-buildx-action@v3
|
||||
- name: Login to GitHub Registry
|
||||
uses: docker/login-action@v1.10.0
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Login to Registry
|
||||
uses: docker/login-action@v1
|
||||
with:
|
||||
registry: registry.scality.com
|
||||
username: ${{ secrets.REGISTRY_LOGIN }}
|
||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
password: ${{ github.token }}
|
||||
- name: Build and push cloudserver image
|
||||
uses: docker/build-push-action@v3
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
push: true
|
||||
context: .
|
||||
provenance: false
|
||||
tags: |
|
||||
ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
registry.scality.com/cloudserver-dev/cloudserver:${{ github.sha }}
|
||||
ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
labels: |
|
||||
git.repository=${{ github.repository }}
|
||||
git.commit-sha=${{ github.sha }}
|
||||
cache-from: type=gha,scope=cloudserver
|
||||
cache-to: type=gha,mode=max,scope=cloudserver
|
||||
- name: Build and push pykmip image
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
push: true
|
||||
context: .github/pykmip
|
||||
tags: |
|
||||
ghcr.io/${{ github.repository }}/pykmip:${{ github.sha }}
|
||||
labels: |
|
||||
git.repository=${{ github.repository }}
|
||||
git.commit-sha=${{ github.sha }}
|
||||
cache-from: type=gha,scope=pykmip
|
||||
cache-to: type=gha,mode=max,scope=pykmip
|
||||
- name: Build and push MongoDB
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
push: true
|
||||
context: .github/docker/mongodb
|
||||
tags: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
cache-from: type=gha,scope=mongodb
|
||||
cache-to: type=gha,mode=max,scope=mongodb
|
||||
|
||||
multiple-backend:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
env:
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
S3BACKEND: mem
|
||||
S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
|
||||
S3DATA: multiple
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Login to Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ github.token }}
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup CI services
|
||||
run: docker compose up -d
|
||||
run: docker compose --profile sproxyd up -d
|
||||
working-directory: .github/docker
|
||||
- name: Run multiple backend test
|
||||
run: |-
|
||||
set -o pipefail;
|
||||
bash wait_for_local_port.bash 8000 40
|
||||
bash wait_for_local_port.bash 81 40
|
||||
yarn run multiple_backend_test | tee /tmp/artifacts/${{ github.job }}/tests.log
|
||||
env:
|
||||
S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -198,11 +228,12 @@ jobs:
|
|||
S3KMS: file
|
||||
S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
|
||||
DEFAULT_BUCKET_KEY_FORMAT: v0
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup CI services
|
||||
|
@ -216,7 +247,7 @@ jobs:
|
|||
env:
|
||||
S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -236,11 +267,12 @@ jobs:
|
|||
S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigTests.json
|
||||
DEFAULT_BUCKET_KEY_FORMAT: v1
|
||||
METADATA_MAX_CACHED_BUCKETS: 1
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup CI services
|
||||
|
@ -255,7 +287,7 @@ jobs:
|
|||
env:
|
||||
S3_LOCATION_FILE: tests/locationConfig/locationConfigTests.json
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -275,12 +307,13 @@ jobs:
|
|||
env:
|
||||
S3BACKEND: file
|
||||
S3VAULT: mem
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
MPU_TESTING: "yes"
|
||||
JOB_NAME: ${{ matrix.job-name }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup matrix job artifacts directory
|
||||
|
@ -297,7 +330,7 @@ jobs:
|
|||
bash wait_for_local_port.bash 8000 40
|
||||
yarn run ft_test | tee /tmp/artifacts/${{ matrix.job-name }}/tests.log
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -311,13 +344,14 @@ jobs:
|
|||
needs: build
|
||||
env:
|
||||
ENABLE_UTAPI_V2: t
|
||||
S3BACKEND: mem
|
||||
S3BACKEND: mem
|
||||
BUCKET_DENY_FILTER: utapi-event-filter-deny-bucket
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup CI services
|
||||
|
@ -329,7 +363,51 @@ jobs:
|
|||
bash wait_for_local_port.bash 8000 40
|
||||
yarn run test_utapi_v2 | tee /tmp/artifacts/${{ github.job }}/tests.log
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
user: ${{ secrets.ARTIFACTS_USER }}
|
||||
password: ${{ secrets.ARTIFACTS_PASSWORD }}
|
||||
source: /tmp/artifacts
|
||||
if: always()
|
||||
|
||||
quota-tests:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
strategy:
|
||||
matrix:
|
||||
inflights:
|
||||
- name: "With Inflights"
|
||||
value: "true"
|
||||
- name: "Without Inflights"
|
||||
value: "false"
|
||||
env:
|
||||
S3METADATA: mongodb
|
||||
S3BACKEND: mem
|
||||
S3QUOTA: scuba
|
||||
QUOTA_ENABLE_INFLIGHTS: ${{ matrix.inflights.value }}
|
||||
SCUBA_HOST: localhost
|
||||
SCUBA_PORT: 8100
|
||||
SCUBA_HEALTHCHECK_FREQUENCY: 100
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Setup CI services
|
||||
run: docker compose --profile mongo up -d
|
||||
working-directory: .github/docker
|
||||
- name: Run quota tests
|
||||
run: |-
|
||||
set -ex -o pipefail;
|
||||
bash wait_for_local_port.bash 8000 40
|
||||
yarn run test_quota | tee /tmp/artifacts/${{ github.job }}/tests.log
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -345,11 +423,13 @@ jobs:
|
|||
S3BACKEND: file
|
||||
S3VAULT: mem
|
||||
MPU_TESTING: "yes"
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
PYKMIP_IMAGE: ghcr.io/${{ github.repository }}/pykmip:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- name: Copy KMIP certs
|
||||
|
@ -365,7 +445,7 @@ jobs:
|
|||
bash wait_for_local_port.bash 5696 40
|
||||
yarn run ft_kmip | tee /tmp/artifacts/${{ github.job }}/tests.log
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
@ -373,7 +453,7 @@ jobs:
|
|||
password: ${{ secrets.ARTIFACTS_PASSWORD }}
|
||||
source: /tmp/artifacts
|
||||
if: always()
|
||||
|
||||
|
||||
ceph-backend-test:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
|
@ -384,25 +464,26 @@ jobs:
|
|||
CI_CEPH: 'true'
|
||||
MPU_TESTING: "yes"
|
||||
S3_LOCATION_FILE: /usr/src/app/tests/locationConfig/locationConfigCeph.json
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}/cloudserver:${{ github.sha }}
|
||||
MONGODB_IMAGE: ghcr.io/${{ github.repository }}/ci-mongodb:${{ github.sha }}
|
||||
CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
|
||||
JOB_NAME: ${{ github.job }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
uses: actions/checkout@v4
|
||||
- name: Login to GitHub Registry
|
||||
uses: docker/login-action@v1.10.0
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
password: ${{ github.token }}
|
||||
- name: Setup CI environment
|
||||
uses: ./.github/actions/setup-ci
|
||||
- uses: ruby/setup-ruby@v1
|
||||
with:
|
||||
ruby-version: '2.5.0'
|
||||
ruby-version: '2.5.9'
|
||||
- name: Install Ruby dependencies
|
||||
run: |
|
||||
gem install nokogiri:1.12.5 fog-aws:1.3.0 json mime-types:3.1 rspec:3.5
|
||||
gem install nokogiri:1.12.5 excon:0.109.0 fog-aws:1.3.0 json mime-types:3.1 rspec:3.5
|
||||
- name: Install Java dependencies
|
||||
run: |
|
||||
sudo apt-get update && sudo apt-get install -y --fix-missing default-jdk maven
|
||||
|
@ -429,7 +510,7 @@ jobs:
|
|||
- name: Run Ruby tests
|
||||
run: |-
|
||||
set -ex -o pipefail;
|
||||
rspec tests.rb | tee /tmp/artifacts/${{ github.job }}/ruby-tests.log
|
||||
rspec -fd --backtrace tests.rb | tee /tmp/artifacts/${{ github.job }}/ruby-tests.log
|
||||
working-directory: tests/functional/fog
|
||||
- name: Run Javascript AWS SDK tests
|
||||
run: |-
|
||||
|
@ -442,7 +523,7 @@ jobs:
|
|||
S3VAULT: mem
|
||||
S3METADATA: mongodb
|
||||
- name: Upload logs to artifacts
|
||||
uses: scality/action-artifacts@v3
|
||||
uses: scality/action-artifacts@v4
|
||||
with:
|
||||
method: upload
|
||||
url: https://artifacts.scality.net
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
ARG NODE_VERSION=16.17.1-bullseye-slim
|
||||
ARG NODE_VERSION=16.20-bullseye-slim
|
||||
|
||||
FROM node:${NODE_VERSION} as builder
|
||||
|
||||
|
@ -23,6 +23,7 @@ RUN apt-get update \
|
|||
|
||||
ENV PYTHON=python3
|
||||
COPY package.json yarn.lock /usr/src/app/
|
||||
RUN npm install typescript -g
|
||||
RUN yarn install --production --ignore-optional --frozen-lockfile --ignore-engines --network-concurrency 1
|
||||
|
||||
################################################################################
|
||||
|
@ -42,6 +43,7 @@ EXPOSE 8002
|
|||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends \
|
||||
jq \
|
||||
tini \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
WORKDIR /usr/src/app
|
||||
|
@ -53,6 +55,6 @@ COPY --from=builder /usr/src/app/node_modules ./node_modules/
|
|||
|
||||
VOLUME ["/usr/src/app/localData","/usr/src/app/localMetadata"]
|
||||
|
||||
ENTRYPOINT ["/usr/src/app/docker-entrypoint.sh"]
|
||||
ENTRYPOINT ["tini", "--", "/usr/src/app/docker-entrypoint.sh"]
|
||||
|
||||
CMD [ "yarn", "start" ]
|
||||
|
|
175
README.md
175
README.md
|
@ -1,10 +1,7 @@
|
|||
# Zenko CloudServer
|
||||
# Zenko CloudServer with Vitastor Backend
|
||||
|
||||
![Zenko CloudServer logo](res/scality-cloudserver-logo.png)
|
||||
|
||||
[![Docker Pulls][badgedocker]](https://hub.docker.com/r/zenko/cloudserver)
|
||||
[![Docker Pulls][badgetwitter]](https://twitter.com/zenko)
|
||||
|
||||
## Overview
|
||||
|
||||
CloudServer (formerly S3 Server) is an open-source Amazon S3-compatible
|
||||
|
@ -14,137 +11,71 @@ Scality’s Open Source Multi-Cloud Data Controller.
|
|||
CloudServer provides a single AWS S3 API interface to access multiple
|
||||
backend data storage both on-premise or public in the cloud.
|
||||
|
||||
CloudServer is useful for Developers, either to run as part of a
|
||||
continous integration test environment to emulate the AWS S3 service locally
|
||||
or as an abstraction layer to develop object storage enabled
|
||||
application on the go.
|
||||
This repository contains a fork of CloudServer with [Vitastor](https://git.yourcmc.ru/vitalif/vitastor)
|
||||
backend support.
|
||||
|
||||
## Learn more at [www.zenko.io/cloudserver](https://www.zenko.io/cloudserver/)
|
||||
## Quick Start with Vitastor
|
||||
|
||||
## [May I offer you some lovely documentation?](http://s3-server.readthedocs.io/en/latest/)
|
||||
Vitastor Backend is in experimental status, however you can already try to
|
||||
run it and write or read something, or even mount it with [GeeseFS](https://github.com/yandex-cloud/geesefs),
|
||||
it works too 😊.
|
||||
|
||||
## Docker
|
||||
Installation instructions:
|
||||
|
||||
[Run your Zenko CloudServer with Docker](https://hub.docker.com/r/zenko/cloudserver/)
|
||||
### Install Vitastor
|
||||
|
||||
## Contributing
|
||||
Refer to [Vitastor Quick Start Manual](https://git.yourcmc.ru/vitalif/vitastor/src/branch/master/docs/intro/quickstart.en.md).
|
||||
|
||||
In order to contribute, please follow the
|
||||
[Contributing Guidelines](
|
||||
https://github.com/scality/Guidelines/blob/master/CONTRIBUTING.md).
|
||||
### Install Zenko with Vitastor Backend
|
||||
|
||||
## Installation
|
||||
- Clone this repository: `git clone https://git.yourcmc.ru/vitalif/zenko-cloudserver-vitastor`
|
||||
- Install dependencies: `npm install --omit dev` or just `npm install`
|
||||
- Clone Vitastor repository: `git clone https://git.yourcmc.ru/vitalif/vitastor`
|
||||
- Build Vitastor node.js binding by running `npm install` in `node-binding` subdirectory of Vitastor repository.
|
||||
You need `node-gyp` and `vitastor-client-dev` (Vitastor client library) for it to succeed.
|
||||
- Symlink Vitastor module to Zenko: `ln -s /path/to/vitastor/node-binding /path/to/zenko/node_modules/vitastor`
|
||||
|
||||
### Dependencies
|
||||
### Install and Configure MongoDB
|
||||
|
||||
Building and running the Zenko CloudServer requires node.js 10.x and yarn v1.17.x
|
||||
. Up-to-date versions can be found at
|
||||
[Nodesource](https://github.com/nodesource/distributions).
|
||||
Refer to [MongoDB Manual](https://www.mongodb.com/docs/manual/installation/).
|
||||
|
||||
### Clone source code
|
||||
### Setup Zenko
|
||||
|
||||
```shell
|
||||
git clone https://github.com/scality/S3.git
|
||||
- Create a separate pool for S3 object data in your Vitastor cluster: `vitastor-cli create-pool s3-data`
|
||||
- Retrieve ID of the new pool from `vitastor-cli ls-pools --detail s3-data`
|
||||
- In another pool, create an image for storing Vitastor volume metadata: `vitastor-cli create -s 10G s3-volume-meta`
|
||||
- Copy `config.json.vitastor` to `config.json`, adjust it to match your domain
|
||||
- Copy `authdata.json.example` to `authdata.json` - this is where you set S3 access & secret keys,
|
||||
and also adjust them if you want to. Scality seems to use a separate auth service "Scality Vault" for
|
||||
access keys, but it's not published, so let's use a file for now.
|
||||
- Copy `locationConfig.json.vitastor` to `locationConfig.json` - this is where you set Vitastor cluster access data.
|
||||
You should put correct values for `pool_id` (pool ID from the second step) and `metadata_image` (from the third step)
|
||||
in this file.
|
||||
|
||||
Note: `locationConfig.json` in this version corresponds to storage classes (like STANDARD, COLD, etc)
|
||||
instead of "locations" (zones like us-east-1) as it was in original Zenko CloudServer.
|
||||
|
||||
### Start Zenko
|
||||
|
||||
Start the S3 server with: `node index.js`
|
||||
|
||||
If you use default settings, Zenko CloudServer starts on port 8000.
|
||||
The default access key is `accessKey1` with a secret key of `verySecretKey1`.
|
||||
|
||||
Now you can access your S3 with `s3cmd` or `geesefs`:
|
||||
|
||||
```
|
||||
s3cmd --access_key=accessKey1 --secret_key=verySecretKey1 --host=http://localhost:8000 mb s3://testbucket
|
||||
```
|
||||
|
||||
### Install js dependencies
|
||||
|
||||
Go to the ./S3 folder,
|
||||
|
||||
```shell
|
||||
yarn install --frozen-lockfile
|
||||
```
|
||||
AWS_ACCESS_KEY_ID=accessKey1 \
|
||||
AWS_SECRET_ACCESS_KEY=verySecretKey1 \
|
||||
geesefs --endpoint http://localhost:8000 testbucket mountdir
|
||||
```
|
||||
|
||||
If you get an error regarding installation of the diskUsage module,
|
||||
please install g++.
|
||||
# Author & License
|
||||
|
||||
If you get an error regarding level-down bindings, try clearing your yarn cache:
|
||||
|
||||
```shell
|
||||
yarn cache clean
|
||||
```
|
||||
|
||||
## Run it with a file backend
|
||||
|
||||
```shell
|
||||
yarn start
|
||||
```
|
||||
|
||||
This starts a Zenko CloudServer on port 8000. Two additional ports 9990 and
|
||||
9991 are also open locally for internal transfer of metadata and data,
|
||||
respectively.
|
||||
|
||||
The default access key is accessKey1 with
|
||||
a secret key of verySecretKey1.
|
||||
|
||||
By default the metadata files will be saved in the
|
||||
localMetadata directory and the data files will be saved
|
||||
in the localData directory within the ./S3 directory on your
|
||||
machine. These directories have been pre-created within the
|
||||
repository. If you would like to save the data or metadata in
|
||||
different locations of your choice, you must specify them with absolute paths.
|
||||
So, when starting the server:
|
||||
|
||||
```shell
|
||||
mkdir -m 700 $(pwd)/myFavoriteDataPath
|
||||
mkdir -m 700 $(pwd)/myFavoriteMetadataPath
|
||||
export S3DATAPATH="$(pwd)/myFavoriteDataPath"
|
||||
export S3METADATAPATH="$(pwd)/myFavoriteMetadataPath"
|
||||
yarn start
|
||||
```
|
||||
|
||||
## Run it with multiple data backends
|
||||
|
||||
```shell
|
||||
export S3DATA='multiple'
|
||||
yarn start
|
||||
```
|
||||
|
||||
This starts a Zenko CloudServer on port 8000.
|
||||
The default access key is accessKey1 with
|
||||
a secret key of verySecretKey1.
|
||||
|
||||
With multiple backends, you have the ability to
|
||||
choose where each object will be saved by setting
|
||||
the following header with a locationConstraint on
|
||||
a PUT request:
|
||||
|
||||
```shell
|
||||
'x-amz-meta-scal-location-constraint':'myLocationConstraint'
|
||||
```
|
||||
|
||||
If no header is sent with a PUT object request, the
|
||||
location constraint of the bucket will determine
|
||||
where the data is saved. If the bucket has no location
|
||||
constraint, the endpoint of the PUT request will be
|
||||
used to determine location.
|
||||
|
||||
See the Configuration section in our documentation
|
||||
[here](http://s3-server.readthedocs.io/en/latest/GETTING_STARTED/#configuration)
|
||||
to learn how to set location constraints.
|
||||
|
||||
## Run it with an in-memory backend
|
||||
|
||||
```shell
|
||||
yarn run mem_backend
|
||||
```
|
||||
|
||||
This starts a Zenko CloudServer on port 8000.
|
||||
The default access key is accessKey1 with
|
||||
a secret key of verySecretKey1.
|
||||
|
||||
## Run it with Vault user management
|
||||
|
||||
Note: Vault is proprietary and must be accessed separately.
|
||||
|
||||
```shell
|
||||
export S3VAULT=vault
|
||||
yarn start
|
||||
```
|
||||
|
||||
This starts a Zenko CloudServer using Vault for user management.
|
||||
|
||||
[badgetwitter]: https://img.shields.io/twitter/follow/zenko.svg?style=social&label=Follow
|
||||
[badgedocker]: https://img.shields.io/docker/pulls/scality/s3server.svg
|
||||
[badgepub]: https://circleci.com/gh/scality/S3.svg?style=svg
|
||||
[badgepriv]: http://ci.ironmann.io/gh/scality/S3.svg?style=svg&circle-token=1f105b7518b53853b5b7cf72302a3f75d8c598ae
|
||||
- [Zenko CloudServer](https://s3-server.readthedocs.io/en/latest/) author is Scality, licensed under [Apache License, version 2.0](https://www.apache.org/licenses/LICENSE-2.0)
|
||||
- [Vitastor](https://git.yourcmc.ru/vitalif/vitastor/) and Zenko Vitastor backend author is Vitaliy Filippov, licensed under [VNPL-1.1](https://git.yourcmc.ru/vitalif/vitastor/src/branch/master/VNPL-1.1.txt)
|
||||
(a "network copyleft" license based on AGPL/SSPL, but worded in a better way)
|
||||
|
|
|
@ -1,46 +0,0 @@
|
|||
#!/usr/bin/env node
|
||||
'use strict'; // eslint-disable-line strict
|
||||
|
||||
const {
|
||||
startWSManagementClient,
|
||||
startPushConnectionHealthCheckServer,
|
||||
} = require('../lib/management/push');
|
||||
|
||||
const logger = require('../lib/utilities/logger');
|
||||
|
||||
const {
|
||||
PUSH_ENDPOINT: pushEndpoint,
|
||||
INSTANCE_ID: instanceId,
|
||||
MANAGEMENT_TOKEN: managementToken,
|
||||
} = process.env;
|
||||
|
||||
if (!pushEndpoint) {
|
||||
logger.error('missing push endpoint env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (!instanceId) {
|
||||
logger.error('missing instance id env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (!managementToken) {
|
||||
logger.error('missing management token env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
startPushConnectionHealthCheckServer(err => {
|
||||
if (err) {
|
||||
logger.error('could not start healthcheck server', { error: err });
|
||||
process.exit(1);
|
||||
}
|
||||
const url = `${pushEndpoint}/${instanceId}/ws?metrics=1`;
|
||||
startWSManagementClient(url, managementToken, err => {
|
||||
if (err) {
|
||||
logger.error('connection failed, exiting', { error: err });
|
||||
process.exit(1);
|
||||
}
|
||||
logger.info('no more connection, exiting');
|
||||
process.exit(0);
|
||||
});
|
||||
});
|
|
@ -1,46 +0,0 @@
|
|||
#!/usr/bin/env node
|
||||
'use strict'; // eslint-disable-line strict
|
||||
|
||||
const {
|
||||
startWSManagementClient,
|
||||
startPushConnectionHealthCheckServer,
|
||||
} = require('../lib/management/push');
|
||||
|
||||
const logger = require('../lib/utilities/logger');
|
||||
|
||||
const {
|
||||
PUSH_ENDPOINT: pushEndpoint,
|
||||
INSTANCE_ID: instanceId,
|
||||
MANAGEMENT_TOKEN: managementToken,
|
||||
} = process.env;
|
||||
|
||||
if (!pushEndpoint) {
|
||||
logger.error('missing push endpoint env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (!instanceId) {
|
||||
logger.error('missing instance id env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (!managementToken) {
|
||||
logger.error('missing management token env var');
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
startPushConnectionHealthCheckServer(err => {
|
||||
if (err) {
|
||||
logger.error('could not start healthcheck server', { error: err });
|
||||
process.exit(1);
|
||||
}
|
||||
const url = `${pushEndpoint}/${instanceId}/ws?proxy=1`;
|
||||
startWSManagementClient(url, managementToken, err => {
|
||||
if (err) {
|
||||
logger.error('connection failed, exiting', { error: err });
|
||||
process.exit(1);
|
||||
}
|
||||
logger.info('no more connection, exiting');
|
||||
process.exit(0);
|
||||
});
|
||||
});
|
|
@ -4,6 +4,7 @@
|
|||
"metricsPort": 8002,
|
||||
"metricsListenOn": [],
|
||||
"replicationGroupId": "RG001",
|
||||
"workers": 4,
|
||||
"restEndpoints": {
|
||||
"localhost": "us-east-1",
|
||||
"127.0.0.1": "us-east-1",
|
||||
|
@ -101,6 +102,14 @@
|
|||
"readPreference": "primary",
|
||||
"database": "metadata"
|
||||
},
|
||||
"authdata": "authdata.json",
|
||||
"backends": {
|
||||
"auth": "file",
|
||||
"data": "file",
|
||||
"metadata": "mongodb",
|
||||
"kms": "file",
|
||||
"quota": "none"
|
||||
},
|
||||
"externalBackends": {
|
||||
"aws_s3": {
|
||||
"httpAgent": {
|
|
@ -0,0 +1,71 @@
|
|||
{
|
||||
"port": 8000,
|
||||
"listenOn": [],
|
||||
"metricsPort": 8002,
|
||||
"metricsListenOn": [],
|
||||
"replicationGroupId": "RG001",
|
||||
"restEndpoints": {
|
||||
"localhost": "STANDARD",
|
||||
"127.0.0.1": "STANDARD",
|
||||
"yourhostname.ru": "STANDARD"
|
||||
},
|
||||
"websiteEndpoints": [
|
||||
"static.yourhostname.ru"
|
||||
],
|
||||
"replicationEndpoints": [ {
|
||||
"site": "zenko",
|
||||
"servers": ["127.0.0.1:8000"],
|
||||
"default": true
|
||||
} ],
|
||||
"log": {
|
||||
"logLevel": "info",
|
||||
"dumpLevel": "error"
|
||||
},
|
||||
"healthChecks": {
|
||||
"allowFrom": ["127.0.0.1/8", "::1"]
|
||||
},
|
||||
"backends": {
|
||||
"metadata": "mongodb"
|
||||
},
|
||||
"mongodb": {
|
||||
"replicaSetHosts": "127.0.0.1:27017",
|
||||
"writeConcern": "majority",
|
||||
"replicaSet": "rs0",
|
||||
"readPreference": "primary",
|
||||
"database": "s3",
|
||||
"authCredentials": {
|
||||
"username": "s3",
|
||||
"password": ""
|
||||
}
|
||||
},
|
||||
"externalBackends": {
|
||||
"aws_s3": {
|
||||
"httpAgent": {
|
||||
"keepAlive": false,
|
||||
"keepAliveMsecs": 1000,
|
||||
"maxFreeSockets": 256,
|
||||
"maxSockets": null
|
||||
}
|
||||
},
|
||||
"gcp": {
|
||||
"httpAgent": {
|
||||
"keepAlive": true,
|
||||
"keepAliveMsecs": 1000,
|
||||
"maxFreeSockets": 256,
|
||||
"maxSockets": null
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"viaProxy": false,
|
||||
"trustedProxyCIDRs": [],
|
||||
"extractClientIPFromHeader": ""
|
||||
},
|
||||
"bucketNotificationDestinations": [
|
||||
{
|
||||
"resource": "target1",
|
||||
"type": "dummy",
|
||||
"host": "localhost:6000"
|
||||
}
|
||||
]
|
||||
}
|
22
constants.js
22
constants.js
|
@ -116,7 +116,7 @@ const constants = {
|
|||
],
|
||||
|
||||
// user metadata header to set object locationConstraint
|
||||
objectLocationConstraintHeader: 'x-amz-meta-scal-location-constraint',
|
||||
objectLocationConstraintHeader: 'x-amz-storage-class',
|
||||
lastModifiedHeader: 'x-amz-meta-x-scal-last-modified',
|
||||
legacyLocations: ['sproxyd', 'legacy'],
|
||||
// declare here all existing service accounts and their properties
|
||||
|
@ -130,7 +130,7 @@ const constants = {
|
|||
},
|
||||
},
|
||||
/* eslint-disable camelcase */
|
||||
externalBackends: { aws_s3: true, azure: true, gcp: true, pfs: true, dmf: true },
|
||||
externalBackends: { aws_s3: true, azure: true, gcp: true, pfs: true, dmf: true, azure_archive: true },
|
||||
// some of the available data backends (if called directly rather
|
||||
// than through the multiple backend gateway) need a key provided
|
||||
// as a string as first parameter of the get/delete methods.
|
||||
|
@ -205,9 +205,6 @@ const constants = {
|
|||
],
|
||||
allowedUtapiEventFilterStates: ['allow', 'deny'],
|
||||
allowedRestoreObjectRequestTierValues: ['Standard'],
|
||||
validStorageClasses: [
|
||||
'STANDARD',
|
||||
],
|
||||
lifecycleListing: {
|
||||
CURRENT_TYPE: 'current',
|
||||
NON_CURRENT_TYPE: 'noncurrent',
|
||||
|
@ -220,6 +217,7 @@ const constants = {
|
|||
'owner-id',
|
||||
'versionId',
|
||||
'isNull',
|
||||
'isDeleteMarker',
|
||||
],
|
||||
unsupportedSignatureChecksums: new Set([
|
||||
'STREAMING-UNSIGNED-PAYLOAD-TRAILER',
|
||||
|
@ -231,6 +229,20 @@ const constants = {
|
|||
'UNSIGNED-PAYLOAD',
|
||||
'STREAMING-AWS4-HMAC-SHA256-PAYLOAD',
|
||||
]),
|
||||
ipv4Regex: /^(\d{1,3}\.){3}\d{1,3}(\/(3[0-2]|[12]?\d))?$/,
|
||||
ipv6Regex: /^([\da-f]{1,4}:){7}[\da-f]{1,4}$/i,
|
||||
// The AWS assumed Role resource type
|
||||
assumedRoleArnResourceType: 'assumed-role',
|
||||
// Session name of the backbeat lifecycle assumed role session.
|
||||
backbeatLifecycleSessionName: 'backbeat-lifecycle',
|
||||
actionsToConsiderAsObjectPut: [
|
||||
'initiateMultipartUpload',
|
||||
'objectPutPart',
|
||||
'completeMultipartUpload',
|
||||
],
|
||||
// if requester is not bucket owner, bucket policy actions should be denied with
|
||||
// MethodNotAllowed error
|
||||
onlyOwnerAllowed: ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'],
|
||||
};
|
||||
|
||||
module.exports = constants;
|
||||
|
|
|
@ -2,11 +2,12 @@
|
|||
|
||||
## Docker Image Generation
|
||||
|
||||
Docker images are hosted on [registry.scality.com](registry.scality.com).
|
||||
CloudServer has two namespaces there:
|
||||
Docker images are hosted on [ghcri.io](https://github.com/orgs/scality/packages).
|
||||
CloudServer has a few images there:
|
||||
|
||||
* Production Namespace: registry.scality.com/cloudserver
|
||||
* Dev Namespace: registry.scality.com/cloudserver-dev
|
||||
* Cloudserver container image: ghcr.io/scality/cloudserver
|
||||
* Dashboard oras image: ghcr.io/scality/cloudserver/cloudser-dashboard
|
||||
* Policies oras image: ghcr.io/scality/cloudserver/cloudser-dashboard
|
||||
|
||||
With every CI build, the CI will push images, tagging the
|
||||
content with the developer branch's short SHA-1 commit hash.
|
||||
|
@ -18,8 +19,8 @@ Tagged versions of cloudserver will be stored in the production namespace.
|
|||
## How to Pull Docker Images
|
||||
|
||||
```sh
|
||||
docker pull registry.scality.com/cloudserver-dev/cloudserver:<commit hash>
|
||||
docker pull registry.scality.com/cloudserver/cloudserver:<tag>
|
||||
docker pull ghcr.io/scality/cloudserver:<commit hash>
|
||||
docker pull ghcr.io/scality/cloudserver:<tag>
|
||||
```
|
||||
|
||||
## Release Process
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM registry.scality.com/federation/nodesvc-base:7.10.6.0
|
||||
FROM ghcr.io/scality/federation/nodesvc-base:7.10.6.0
|
||||
|
||||
ENV S3_CONFIG_FILE=${CONF_DIR}/config.json
|
||||
ENV S3_LOCATION_FILE=${CONF_DIR}/locationConfig.json
|
||||
|
@ -14,8 +14,10 @@ RUN rm -f ~/.gitconfig && \
|
|||
git config --global --add safe.directory . && \
|
||||
git lfs install && \
|
||||
GIT_LFS_SKIP_SMUDGE=1 && \
|
||||
yarn global add typescript && \
|
||||
yarn install --frozen-lockfile --production --network-concurrency 1 && \
|
||||
yarn cache clean --all
|
||||
yarn cache clean --all && \
|
||||
yarn global remove typescript
|
||||
|
||||
# run symlinking separately to avoid yarn installation errors
|
||||
# we might have to check if the symlinking is really needed!
|
||||
|
|
12
index.js
12
index.js
|
@ -1,10 +1,10 @@
|
|||
'use strict'; // eslint-disable-line strict
|
||||
|
||||
/**
|
||||
* Catch uncaught exceptions and add timestamp to aid debugging
|
||||
*/
|
||||
process.on('uncaughtException', err => {
|
||||
process.stderr.write(`${new Date().toISOString()}: Uncaught exception: \n${err.stack}`);
|
||||
});
|
||||
require('werelogs').stderrUtils.catchAndTimestampStderr(
|
||||
undefined,
|
||||
// Do not exit as workers have their own listener that will exit
|
||||
// But primary don't have another listener
|
||||
require('cluster').isPrimary ? 1 : null,
|
||||
);
|
||||
|
||||
require('./lib/server.js')();
|
||||
|
|
406
lib/Config.js
406
lib/Config.js
|
@ -8,15 +8,17 @@ const crypto = require('crypto');
|
|||
const { v4: uuidv4 } = require('uuid');
|
||||
const cronParser = require('cron-parser');
|
||||
const joi = require('@hapi/joi');
|
||||
|
||||
const { isValidBucketName } = require('arsenal').s3routes.routesUtils;
|
||||
const validateAuthConfig = require('arsenal').auth.inMemory.validateAuthConfig;
|
||||
const { s3routes, auth: arsenalAuth, s3middleware } = require('arsenal');
|
||||
const { isValidBucketName } = s3routes.routesUtils;
|
||||
const validateAuthConfig = arsenalAuth.inMemory.validateAuthConfig;
|
||||
const { buildAuthDataAccount } = require('./auth/in_memory/builder');
|
||||
const validExternalBackends = require('../constants').externalBackends;
|
||||
const { azureAccountNameRegex, base64Regex,
|
||||
allowedUtapiEventFilterFields, allowedUtapiEventFilterStates,
|
||||
} = require('../constants');
|
||||
const { utapiVersion } = require('utapi');
|
||||
const { scaleMsPerDay } = s3middleware.objectUtils;
|
||||
|
||||
const constants = require('../constants');
|
||||
|
||||
// config paths
|
||||
|
@ -105,6 +107,47 @@ function parseSproxydConfig(configSproxyd) {
|
|||
return joi.attempt(configSproxyd, joiSchema, 'bad config');
|
||||
}
|
||||
|
||||
function parseRedisConfig(redisConfig) {
|
||||
const joiSchema = joi.object({
|
||||
password: joi.string().allow(''),
|
||||
host: joi.string(),
|
||||
port: joi.number(),
|
||||
retry: joi.object({
|
||||
connectBackoff: joi.object({
|
||||
min: joi.number().required(),
|
||||
max: joi.number().required(),
|
||||
jitter: joi.number().required(),
|
||||
factor: joi.number().required(),
|
||||
deadline: joi.number().required(),
|
||||
}),
|
||||
}),
|
||||
// sentinel config
|
||||
sentinels: joi.alternatives().try(
|
||||
joi.string()
|
||||
.pattern(/^[a-zA-Z0-9.-]+:[0-9]+(,[a-zA-Z0-9.-]+:[0-9]+)*$/)
|
||||
.custom(hosts => hosts.split(',').map(item => {
|
||||
const [host, port] = item.split(':');
|
||||
return { host, port: Number.parseInt(port, 10) };
|
||||
})),
|
||||
joi.array().items(
|
||||
joi.object({
|
||||
host: joi.string().required(),
|
||||
port: joi.number().required(),
|
||||
})
|
||||
).min(1),
|
||||
),
|
||||
name: joi.string(),
|
||||
sentinelPassword: joi.string().allow(''),
|
||||
})
|
||||
.and('host', 'port')
|
||||
.and('sentinels', 'name')
|
||||
.xor('host', 'sentinels')
|
||||
.without('sentinels', ['host', 'port'])
|
||||
.without('host', ['sentinels', 'sentinelPassword']);
|
||||
|
||||
return joi.attempt(redisConfig, joiSchema, 'bad config');
|
||||
}
|
||||
|
||||
function restEndpointsAssert(restEndpoints, locationConstraints) {
|
||||
assert(typeof restEndpoints === 'object',
|
||||
'bad config: restEndpoints must be an object of endpoints');
|
||||
|
@ -237,6 +280,60 @@ function hdClientLocationConstraintAssert(configHd) {
|
|||
return hdclientFields;
|
||||
}
|
||||
|
||||
function azureArchiveLocationConstraintAssert(locationObj) {
|
||||
const checkedFields = [
|
||||
'azureContainerName',
|
||||
'azureStorageEndpoint',
|
||||
];
|
||||
if (Object.keys(locationObj.details).length === 0 ||
|
||||
!checkedFields.every(field => field in locationObj.details)) {
|
||||
return;
|
||||
}
|
||||
const {
|
||||
azureContainerName,
|
||||
azureStorageEndpoint,
|
||||
} = locationObj.details;
|
||||
const stringFields = [
|
||||
azureContainerName,
|
||||
azureStorageEndpoint,
|
||||
];
|
||||
stringFields.forEach(field => {
|
||||
assert(typeof field === 'string',
|
||||
`bad config: ${field} must be a string`);
|
||||
});
|
||||
|
||||
let hasAuthMethod = false;
|
||||
if (locationObj.details.sasToken !== undefined) {
|
||||
assert(typeof locationObj.details.sasToken === 'string',
|
||||
`bad config: ${locationObj.details.sasToken} must be a string`);
|
||||
hasAuthMethod = true;
|
||||
}
|
||||
|
||||
if (locationObj.details.azureStorageAccountName !== undefined &&
|
||||
locationObj.details.azureStorageAccessKey !== undefined) {
|
||||
assert(typeof locationObj.details.azureStorageAccountName === 'string',
|
||||
`bad config: ${locationObj.details.azureStorageAccountName} must be a string`);
|
||||
assert(typeof locationObj.details.azureStorageAccessKey === 'string',
|
||||
`bad config: ${locationObj.details.azureStorageAccessKey} must be a string`);
|
||||
assert(!hasAuthMethod, 'Multiple authentication methods are not allowed');
|
||||
hasAuthMethod = true;
|
||||
}
|
||||
|
||||
if (locationObj.details.tenantId !== undefined &&
|
||||
locationObj.details.clientId !== undefined &&
|
||||
locationObj.details.clientKey !== undefined) {
|
||||
assert(typeof locationObj.details.tenantId === 'string',
|
||||
`bad config: ${locationObj.details.tenantId} must be a string`);
|
||||
assert(typeof locationObj.details.clientId === 'string',
|
||||
`bad config: ${locationObj.details.clientId} must be a string`);
|
||||
assert(typeof locationObj.details.clientKey === 'string',
|
||||
`bad config: ${locationObj.details.clientKey} must be a string`);
|
||||
assert(!hasAuthMethod, 'Multiple authentication methods are not allowed');
|
||||
hasAuthMethod = true;
|
||||
}
|
||||
assert(hasAuthMethod, 'Missing authentication method');
|
||||
}
|
||||
|
||||
function dmfLocationConstraintAssert(locationObj) {
|
||||
const checkedFields = [
|
||||
'endpoint',
|
||||
|
@ -280,7 +377,7 @@ function dmfLocationConstraintAssert(locationObj) {
|
|||
function locationConstraintAssert(locationConstraints) {
|
||||
const supportedBackends =
|
||||
['mem', 'file', 'scality',
|
||||
'mongodb', 'dmf'].concat(Object.keys(validExternalBackends));
|
||||
'mongodb', 'dmf', 'azure_archive', 'vitastor'].concat(Object.keys(validExternalBackends));
|
||||
assert(typeof locationConstraints === 'object',
|
||||
'bad config: locationConstraints must be an object');
|
||||
Object.keys(locationConstraints).forEach(l => {
|
||||
|
@ -391,6 +488,9 @@ function locationConstraintAssert(locationConstraints) {
|
|||
if (locationConstraints[l].type === 'dmf') {
|
||||
dmfLocationConstraintAssert(locationConstraints[l]);
|
||||
}
|
||||
if (locationConstraints[l].type === 'azure_archive') {
|
||||
azureArchiveLocationConstraintAssert(locationConstraints[l]);
|
||||
}
|
||||
if (locationConstraints[l].type === 'pfs') {
|
||||
assert(typeof details.pfsDaemonEndpoint === 'object',
|
||||
'bad config: pfsDaemonEndpoint is mandatory and must be an object');
|
||||
|
@ -402,27 +502,23 @@ function locationConstraintAssert(locationConstraints) {
|
|||
locationConstraints[l].details.connector.hdclient);
|
||||
}
|
||||
});
|
||||
assert(Object.keys(locationConstraints)
|
||||
.includes('us-east-1'), 'bad locationConfig: must ' +
|
||||
'include us-east-1 as a locationConstraint');
|
||||
}
|
||||
|
||||
function parseUtapiReindex(config) {
|
||||
const {
|
||||
enabled,
|
||||
schedule,
|
||||
sentinel,
|
||||
redis,
|
||||
bucketd,
|
||||
onlyCountLatestWhenObjectLocked,
|
||||
} = config;
|
||||
assert(typeof enabled === 'boolean',
|
||||
'bad config: utapi.reindex.enabled must be a boolean');
|
||||
assert(typeof sentinel === 'object',
|
||||
'bad config: utapi.reindex.sentinel must be an object');
|
||||
assert(typeof sentinel.port === 'number',
|
||||
'bad config: utapi.reindex.sentinel.port must be a number');
|
||||
assert(typeof sentinel.name === 'string',
|
||||
'bad config: utapi.reindex.sentinel.name must be a string');
|
||||
'bad config: utapi.reindex.enabled must be a boolean');
|
||||
|
||||
const parsedRedis = parseRedisConfig(redis);
|
||||
assert(Array.isArray(parsedRedis.sentinels),
|
||||
'bad config: utapi reindex redis config requires a list of sentinels');
|
||||
|
||||
assert(typeof bucketd === 'object',
|
||||
'bad config: utapi.reindex.bucketd must be an object');
|
||||
assert(typeof bucketd.port === 'number',
|
||||
|
@ -440,6 +536,13 @@ function parseUtapiReindex(config) {
|
|||
'bad config: utapi.reindex.schedule must be a valid ' +
|
||||
`cron schedule. ${e.message}.`);
|
||||
}
|
||||
return {
|
||||
enabled,
|
||||
schedule,
|
||||
redis: parsedRedis,
|
||||
bucketd,
|
||||
onlyCountLatestWhenObjectLocked,
|
||||
};
|
||||
}
|
||||
|
||||
function requestsConfigAssert(requestsConfig) {
|
||||
|
@ -527,7 +630,6 @@ class Config extends EventEmitter {
|
|||
// Read config automatically
|
||||
this._getLocationConfig();
|
||||
this._getConfig();
|
||||
this._configureBackends();
|
||||
}
|
||||
|
||||
_getLocationConfig() {
|
||||
|
@ -739,11 +841,11 @@ class Config extends EventEmitter {
|
|||
this.websiteEndpoints = config.websiteEndpoints;
|
||||
}
|
||||
|
||||
this.clusters = false;
|
||||
if (config.clusters !== undefined) {
|
||||
assert(Number.isInteger(config.clusters) && config.clusters > 0,
|
||||
'bad config: clusters must be a positive integer');
|
||||
this.clusters = config.clusters;
|
||||
this.workers = false;
|
||||
if (config.workers !== undefined) {
|
||||
assert(Number.isInteger(config.workers) && config.workers > 0,
|
||||
'bad config: workers must be a positive integer');
|
||||
this.workers = config.workers;
|
||||
}
|
||||
|
||||
if (config.usEastBehavior !== undefined) {
|
||||
|
@ -981,8 +1083,7 @@ class Config extends EventEmitter {
|
|||
assert(typeof config.localCache.port === 'number',
|
||||
'config: bad port for localCache. port must be a number');
|
||||
if (config.localCache.password !== undefined) {
|
||||
assert(
|
||||
this._verifyRedisPassword(config.localCache.password),
|
||||
assert(typeof config.localCache.password === 'string',
|
||||
'config: vad password for localCache. password must' +
|
||||
' be a string');
|
||||
}
|
||||
|
@ -1008,56 +1109,46 @@ class Config extends EventEmitter {
|
|||
}
|
||||
|
||||
if (config.redis) {
|
||||
if (config.redis.sentinels) {
|
||||
this.redis = { sentinels: [], name: null };
|
||||
|
||||
assert(typeof config.redis.name === 'string',
|
||||
'bad config: redis sentinel name must be a string');
|
||||
this.redis.name = config.redis.name;
|
||||
assert(Array.isArray(config.redis.sentinels) ||
|
||||
typeof config.redis.sentinels === 'string',
|
||||
'bad config: redis sentinels must be an array or string');
|
||||
|
||||
if (typeof config.redis.sentinels === 'string') {
|
||||
config.redis.sentinels.split(',').forEach(item => {
|
||||
const [host, port] = item.split(':');
|
||||
this.redis.sentinels.push({ host,
|
||||
port: Number.parseInt(port, 10) });
|
||||
});
|
||||
} else if (Array.isArray(config.redis.sentinels)) {
|
||||
config.redis.sentinels.forEach(item => {
|
||||
const { host, port } = item;
|
||||
assert(typeof host === 'string',
|
||||
'bad config: redis sentinel host must be a string');
|
||||
assert(typeof port === 'number',
|
||||
'bad config: redis sentinel port must be a number');
|
||||
this.redis.sentinels.push({ host, port });
|
||||
});
|
||||
}
|
||||
|
||||
if (config.redis.sentinelPassword !== undefined) {
|
||||
assert(
|
||||
this._verifyRedisPassword(config.redis.sentinelPassword));
|
||||
this.redis.sentinelPassword = config.redis.sentinelPassword;
|
||||
}
|
||||
} else {
|
||||
// check for standalone configuration
|
||||
this.redis = {};
|
||||
assert(typeof config.redis.host === 'string',
|
||||
'bad config: redis.host must be a string');
|
||||
assert(typeof config.redis.port === 'number',
|
||||
'bad config: redis.port must be a number');
|
||||
this.redis.host = config.redis.host;
|
||||
this.redis.port = config.redis.port;
|
||||
this.redis = parseRedisConfig(config.redis);
|
||||
}
|
||||
if (config.scuba) {
|
||||
this.scuba = {};
|
||||
if (config.scuba.host) {
|
||||
assert(typeof config.scuba.host === 'string',
|
||||
'bad config: scuba host must be a string');
|
||||
this.scuba.host = config.scuba.host;
|
||||
}
|
||||
if (config.redis.password !== undefined) {
|
||||
assert(
|
||||
this._verifyRedisPassword(config.redis.password),
|
||||
'bad config: invalid password for redis. password must ' +
|
||||
'be a string');
|
||||
this.redis.password = config.redis.password;
|
||||
if (config.scuba.port) {
|
||||
assert(Number.isInteger(config.scuba.port)
|
||||
&& config.scuba.port > 0,
|
||||
'bad config: scuba port must be a positive integer');
|
||||
this.scuba.port = config.scuba.port;
|
||||
}
|
||||
}
|
||||
if (process.env.SCUBA_HOST && process.env.SCUBA_PORT) {
|
||||
assert(typeof process.env.SCUBA_HOST === 'string',
|
||||
'bad config: scuba host must be a string');
|
||||
assert(Number.isInteger(Number(process.env.SCUBA_PORT))
|
||||
&& Number(process.env.SCUBA_PORT) > 0,
|
||||
'bad config: scuba port must be a positive integer');
|
||||
this.scuba = {
|
||||
host: process.env.SCUBA_HOST,
|
||||
port: Number(process.env.SCUBA_PORT),
|
||||
};
|
||||
}
|
||||
if (this.scuba) {
|
||||
this.quotaEnabled = true;
|
||||
}
|
||||
const maxStaleness = Number(process.env.QUOTA_MAX_STALENESS_MS) ||
|
||||
config.quota?.maxStatenessMS ||
|
||||
24 * 60 * 60 * 1000;
|
||||
assert(Number.isInteger(maxStaleness), 'bad config: maxStalenessMS must be an integer');
|
||||
const enableInflights = process.env.QUOTA_ENABLE_INFLIGHTS === 'true' ||
|
||||
config.quota?.enableInflights || false;
|
||||
this.quota = {
|
||||
maxStaleness,
|
||||
enableInflights,
|
||||
};
|
||||
if (config.utapi) {
|
||||
this.utapi = { component: 's3' };
|
||||
if (config.utapi.host) {
|
||||
|
@ -1086,50 +1177,8 @@ class Config extends EventEmitter {
|
|||
assert(config.redis, 'missing required property of utapi ' +
|
||||
'configuration: redis');
|
||||
if (config.utapi.redis) {
|
||||
if (config.utapi.redis.sentinels) {
|
||||
this.utapi.redis = { sentinels: [], name: null };
|
||||
|
||||
assert(typeof config.utapi.redis.name === 'string',
|
||||
'bad config: redis sentinel name must be a string');
|
||||
this.utapi.redis.name = config.utapi.redis.name;
|
||||
|
||||
assert(Array.isArray(config.utapi.redis.sentinels),
|
||||
'bad config: redis sentinels must be an array');
|
||||
config.utapi.redis.sentinels.forEach(item => {
|
||||
const { host, port } = item;
|
||||
assert(typeof host === 'string',
|
||||
'bad config: redis sentinel host must be a string');
|
||||
assert(typeof port === 'number',
|
||||
'bad config: redis sentinel port must be a number');
|
||||
this.utapi.redis.sentinels.push({ host, port });
|
||||
});
|
||||
} else {
|
||||
// check for standalone configuration
|
||||
this.utapi.redis = {};
|
||||
assert(typeof config.utapi.redis.host === 'string',
|
||||
'bad config: redis.host must be a string');
|
||||
assert(typeof config.utapi.redis.port === 'number',
|
||||
'bad config: redis.port must be a number');
|
||||
this.utapi.redis.host = config.utapi.redis.host;
|
||||
this.utapi.redis.port = config.utapi.redis.port;
|
||||
}
|
||||
if (config.utapi.redis.retry !== undefined) {
|
||||
if (config.utapi.redis.retry.connectBackoff !== undefined) {
|
||||
const { min, max, jitter, factor, deadline } = config.utapi.redis.retry.connectBackoff;
|
||||
assert.strictEqual(typeof min, 'number',
|
||||
'utapi.redis.retry.connectBackoff: min must be a number');
|
||||
assert.strictEqual(typeof max, 'number',
|
||||
'utapi.redis.retry.connectBackoff: max must be a number');
|
||||
assert.strictEqual(typeof jitter, 'number',
|
||||
'utapi.redis.retry.connectBackoff: jitter must be a number');
|
||||
assert.strictEqual(typeof factor, 'number',
|
||||
'utapi.redis.retry.connectBackoff: factor must be a number');
|
||||
assert.strictEqual(typeof deadline, 'number',
|
||||
'utapi.redis.retry.connectBackoff: deadline must be a number');
|
||||
}
|
||||
|
||||
this.utapi.redis.retry = config.utapi.redis.retry;
|
||||
} else {
|
||||
this.utapi.redis = parseRedisConfig(config.utapi.redis);
|
||||
if (this.utapi.redis.retry === undefined) {
|
||||
this.utapi.redis.retry = {
|
||||
connectBackoff: {
|
||||
min: 10,
|
||||
|
@ -1140,22 +1189,6 @@ class Config extends EventEmitter {
|
|||
},
|
||||
};
|
||||
}
|
||||
if (config.utapi.redis.password !== undefined) {
|
||||
assert(
|
||||
this._verifyRedisPassword(config.utapi.redis.password),
|
||||
'config: invalid password for utapi redis. password' +
|
||||
' must be a string');
|
||||
this.utapi.redis.password = config.utapi.redis.password;
|
||||
}
|
||||
if (config.utapi.redis.sentinelPassword !== undefined) {
|
||||
assert(
|
||||
this._verifyRedisPassword(
|
||||
config.utapi.redis.sentinelPassword),
|
||||
'config: invalid password for utapi redis. password' +
|
||||
' must be a string');
|
||||
this.utapi.redis.sentinelPassword =
|
||||
config.utapi.redis.sentinelPassword;
|
||||
}
|
||||
}
|
||||
if (config.utapi.metrics) {
|
||||
this.utapi.metrics = config.utapi.metrics;
|
||||
|
@ -1225,8 +1258,7 @@ class Config extends EventEmitter {
|
|||
}
|
||||
|
||||
if (config.utapi && config.utapi.reindex) {
|
||||
parseUtapiReindex(config.utapi.reindex);
|
||||
this.utapi.reindex = config.utapi.reindex;
|
||||
this.utapi.reindex = parseUtapiReindex(config.utapi.reindex);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1271,6 +1303,8 @@ class Config extends EventEmitter {
|
|||
}
|
||||
}
|
||||
|
||||
this.authdata = config.authdata || 'authdata.json';
|
||||
|
||||
this.kms = {};
|
||||
if (config.kms) {
|
||||
assert(typeof config.kms.userName === 'string');
|
||||
|
@ -1490,25 +1524,6 @@ class Config extends EventEmitter {
|
|||
this.outboundProxy.certs = certObj.certs;
|
||||
}
|
||||
|
||||
this.managementAgent = {};
|
||||
this.managementAgent.port = 8010;
|
||||
this.managementAgent.host = 'localhost';
|
||||
if (config.managementAgent !== undefined) {
|
||||
if (config.managementAgent.port !== undefined) {
|
||||
assert(Number.isInteger(config.managementAgent.port)
|
||||
&& config.managementAgent.port > 0,
|
||||
'bad config: managementAgent port must be a positive ' +
|
||||
'integer');
|
||||
this.managementAgent.port = config.managementAgent.port;
|
||||
}
|
||||
if (config.managementAgent.host !== undefined) {
|
||||
assert.strictEqual(typeof config.managementAgent.host, 'string',
|
||||
'bad config: management agent host must ' +
|
||||
'be a string');
|
||||
this.managementAgent.host = config.managementAgent.host;
|
||||
}
|
||||
}
|
||||
|
||||
// Ephemeral token to protect the reporting endpoint:
|
||||
// try inherited from parent first, then hardcoded in conf file,
|
||||
// then create a fresh one as last resort.
|
||||
|
@ -1574,6 +1589,7 @@ class Config extends EventEmitter {
|
|||
// Version of the configuration we're running under
|
||||
this.overlayVersion = config.overlayVersion || 0;
|
||||
|
||||
this._setTimeOptions();
|
||||
this.multiObjectDeleteConcurrency = constants.multiObjectDeleteConcurrency;
|
||||
const extractedNumber = Number.parseInt(config.multiObjectDeleteConcurrency, 10);
|
||||
if (!isNaN(extractedNumber) && extractedNumber > 0 && extractedNumber < 1000) {
|
||||
|
@ -1597,43 +1613,83 @@ class Config extends EventEmitter {
|
|||
'bad config: maxScannedLifecycleListingEntries must be greater than 2');
|
||||
this.maxScannedLifecycleListingEntries = config.maxScannedLifecycleListingEntries;
|
||||
}
|
||||
|
||||
this._configureBackends(config);
|
||||
}
|
||||
|
||||
_setTimeOptions() {
|
||||
// NOTE: EXPIRE_ONE_DAY_EARLIER and TRANSITION_ONE_DAY_EARLIER are deprecated in favor of
|
||||
// TIME_PROGRESSION_FACTOR which decreases the weight attributed to a day in order to among other things
|
||||
// expedite the lifecycle of objects.
|
||||
|
||||
// moves lifecycle expiration deadlines 1 day earlier, mostly for testing
|
||||
const expireOneDayEarlier = process.env.EXPIRE_ONE_DAY_EARLIER === 'true';
|
||||
// moves lifecycle transition deadlines 1 day earlier, mostly for testing
|
||||
const transitionOneDayEarlier = process.env.TRANSITION_ONE_DAY_EARLIER === 'true';
|
||||
// decreases the weight attributed to a day in order to expedite the lifecycle of objects.
|
||||
const timeProgressionFactor = Number.parseInt(process.env.TIME_PROGRESSION_FACTOR, 10) || 1;
|
||||
|
||||
const isIncompatible = (expireOneDayEarlier || transitionOneDayEarlier) && (timeProgressionFactor > 1);
|
||||
assert(!isIncompatible, 'The environment variables "EXPIRE_ONE_DAY_EARLIER" or ' +
|
||||
'"TRANSITION_ONE_DAY_EARLIER" are not compatible with the "TIME_PROGRESSION_FACTOR" variable.');
|
||||
|
||||
// The scaledMsPerDay value is initially set to the number of milliseconds per day
|
||||
// (24 * 60 * 60 * 1000) as the default value.
|
||||
// However, during testing, if the timeProgressionFactor is defined and greater than 1,
|
||||
// the scaledMsPerDay value is decreased. This adjustment allows for simulating actions occurring
|
||||
// earlier in time.
|
||||
const scaledMsPerDay = scaleMsPerDay(timeProgressionFactor);
|
||||
|
||||
this.timeOptions = {
|
||||
expireOneDayEarlier,
|
||||
transitionOneDayEarlier,
|
||||
timeProgressionFactor,
|
||||
scaledMsPerDay,
|
||||
};
|
||||
}
|
||||
|
||||
getTimeOptions() {
|
||||
return this.timeOptions;
|
||||
}
|
||||
|
||||
_getAuthData() {
|
||||
return require(findConfigFile(process.env.S3AUTH_CONFIG || 'authdata.json'));
|
||||
return JSON.parse(fs.readFileSync(findConfigFile(process.env.S3AUTH_CONFIG || this.authdata), { encoding: 'utf-8' }));
|
||||
}
|
||||
|
||||
_configureBackends() {
|
||||
_configureBackends(config) {
|
||||
const backends = config.backends || {};
|
||||
/**
|
||||
* Configure the backends for Authentication, Data and Metadata.
|
||||
*/
|
||||
let auth = 'mem';
|
||||
let data = 'multiple';
|
||||
let metadata = 'file';
|
||||
let kms = 'file';
|
||||
let auth = backends.auth || 'mem';
|
||||
let data = backends.data || 'multiple';
|
||||
let metadata = backends.metadata || 'file';
|
||||
let kms = backends.kms || 'file';
|
||||
let quota = backends.quota || 'none';
|
||||
if (process.env.S3BACKEND) {
|
||||
const validBackends = ['mem', 'file', 'scality', 'cdmi'];
|
||||
assert(validBackends.indexOf(process.env.S3BACKEND) > -1,
|
||||
'bad environment variable: S3BACKEND environment variable ' +
|
||||
'should be one of mem/file/scality/cdmi'
|
||||
);
|
||||
auth = process.env.S3BACKEND;
|
||||
auth = process.env.S3BACKEND == 'scality' ? 'scality' : 'mem';
|
||||
data = process.env.S3BACKEND;
|
||||
metadata = process.env.S3BACKEND;
|
||||
kms = process.env.S3BACKEND;
|
||||
}
|
||||
if (process.env.S3VAULT) {
|
||||
auth = process.env.S3VAULT;
|
||||
auth = (auth === 'file' || auth === 'mem' || auth === 'cdmi' ? 'mem' : auth);
|
||||
}
|
||||
|
||||
if (auth === 'file' || auth === 'mem' || auth === 'cdmi') {
|
||||
// Auth only checks for 'mem' since mem === file
|
||||
auth = 'mem';
|
||||
let authData;
|
||||
if (process.env.SCALITY_ACCESS_KEY_ID &&
|
||||
process.env.SCALITY_SECRET_ACCESS_KEY) {
|
||||
process.env.SCALITY_SECRET_ACCESS_KEY) {
|
||||
authData = buildAuthDataAccount(
|
||||
process.env.SCALITY_ACCESS_KEY_ID,
|
||||
process.env.SCALITY_SECRET_ACCESS_KEY);
|
||||
process.env.SCALITY_ACCESS_KEY_ID,
|
||||
process.env.SCALITY_SECRET_ACCESS_KEY);
|
||||
} else {
|
||||
authData = this._getAuthData();
|
||||
}
|
||||
|
@ -1641,7 +1697,7 @@ class Config extends EventEmitter {
|
|||
throw new Error('bad config: invalid auth config file.');
|
||||
}
|
||||
this.authData = authData;
|
||||
} else if (auth === 'multiple') {
|
||||
} else if (auth === 'multiple') {
|
||||
const authData = this._getAuthData();
|
||||
if (validateAuthConfig(authData)) {
|
||||
throw new Error('bad config: invalid auth config file.');
|
||||
|
@ -1656,9 +1712,9 @@ class Config extends EventEmitter {
|
|||
'should be one of mem/file/scality/multiple'
|
||||
);
|
||||
data = process.env.S3DATA;
|
||||
}
|
||||
if (data === 'scality' || data === 'multiple') {
|
||||
data = 'multiple';
|
||||
if (data === 'scality' || data === 'multiple') {
|
||||
data = 'multiple';
|
||||
}
|
||||
}
|
||||
assert(this.locationConstraints !== undefined &&
|
||||
this.restEndpoints !== undefined,
|
||||
|
@ -1671,18 +1727,18 @@ class Config extends EventEmitter {
|
|||
if (process.env.S3KMS) {
|
||||
kms = process.env.S3KMS;
|
||||
}
|
||||
if (process.env.S3QUOTA) {
|
||||
quota = process.env.S3QUOTA;
|
||||
}
|
||||
this.backends = {
|
||||
auth,
|
||||
data,
|
||||
metadata,
|
||||
kms,
|
||||
quota,
|
||||
};
|
||||
}
|
||||
|
||||
_verifyRedisPassword(password) {
|
||||
return typeof password === 'string';
|
||||
}
|
||||
|
||||
setAuthDataAccounts(accounts) {
|
||||
this.authData.accounts = accounts;
|
||||
this.emit('authdata-update');
|
||||
|
@ -1805,10 +1861,19 @@ class Config extends EventEmitter {
|
|||
.update(instanceId)
|
||||
.digest('hex');
|
||||
}
|
||||
|
||||
isQuotaEnabled() {
|
||||
return !!this.quotaEnabled;
|
||||
}
|
||||
|
||||
isQuotaInflightEnabled() {
|
||||
return this.quota.enableInflights;
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
parseSproxydConfig,
|
||||
parseRedisConfig,
|
||||
locationConstraintAssert,
|
||||
ConfigObject: Config,
|
||||
config: new Config(),
|
||||
|
@ -1816,4 +1881,5 @@ module.exports = {
|
|||
bucketNotifAssert,
|
||||
azureGetStorageAccountName,
|
||||
azureGetLocationCredentials,
|
||||
azureArchiveLocationConstraintAssert,
|
||||
};
|
||||
|
|
|
@ -7,6 +7,7 @@ const bucketDeleteEncryption = require('./bucketDeleteEncryption');
|
|||
const bucketDeleteWebsite = require('./bucketDeleteWebsite');
|
||||
const bucketDeleteLifecycle = require('./bucketDeleteLifecycle');
|
||||
const bucketDeletePolicy = require('./bucketDeletePolicy');
|
||||
const bucketDeleteQuota = require('./bucketDeleteQuota');
|
||||
const { bucketGet } = require('./bucketGet');
|
||||
const bucketGetACL = require('./bucketGetACL');
|
||||
const bucketGetCors = require('./bucketGetCors');
|
||||
|
@ -17,6 +18,7 @@ const bucketGetLifecycle = require('./bucketGetLifecycle');
|
|||
const bucketGetNotification = require('./bucketGetNotification');
|
||||
const bucketGetObjectLock = require('./bucketGetObjectLock');
|
||||
const bucketGetPolicy = require('./bucketGetPolicy');
|
||||
const bucketGetQuota = require('./bucketGetQuota');
|
||||
const bucketGetEncryption = require('./bucketGetEncryption');
|
||||
const bucketHead = require('./bucketHead');
|
||||
const { bucketPut } = require('./bucketPut');
|
||||
|
@ -33,6 +35,7 @@ const bucketPutNotification = require('./bucketPutNotification');
|
|||
const bucketPutEncryption = require('./bucketPutEncryption');
|
||||
const bucketPutPolicy = require('./bucketPutPolicy');
|
||||
const bucketPutObjectLock = require('./bucketPutObjectLock');
|
||||
const bucketUpdateQuota = require('./bucketUpdateQuota');
|
||||
const bucketGetReplication = require('./bucketGetReplication');
|
||||
const bucketDeleteReplication = require('./bucketDeleteReplication');
|
||||
const corsPreflight = require('./corsPreflight');
|
||||
|
@ -44,7 +47,7 @@ const metadataSearch = require('./metadataSearch');
|
|||
const { multiObjectDelete } = require('./multiObjectDelete');
|
||||
const multipartDelete = require('./multipartDelete');
|
||||
const objectCopy = require('./objectCopy');
|
||||
const objectDelete = require('./objectDelete');
|
||||
const { objectDelete } = require('./objectDelete');
|
||||
const objectDeleteTagging = require('./objectDeleteTagging');
|
||||
const objectGet = require('./objectGet');
|
||||
const objectGetACL = require('./objectGetACL');
|
||||
|
@ -64,8 +67,7 @@ const prepareRequestContexts
|
|||
= require('./apiUtils/authorization/prepareRequestContexts');
|
||||
const serviceGet = require('./serviceGet');
|
||||
const vault = require('../auth/vault');
|
||||
const websiteGet = require('./websiteGet');
|
||||
const websiteHead = require('./websiteHead');
|
||||
const website = require('./website');
|
||||
const writeContinue = require('../utilities/writeContinue');
|
||||
const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
|
||||
const parseCopySource = require('./apiUtils/object/parseCopySource');
|
||||
|
@ -83,6 +85,10 @@ const api = {
|
|||
// Attach the apiMethod method to the request, so it can used by monitoring in the server
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
request.apiMethod = apiMethod;
|
||||
// Array of end of API callbacks, used to perform some logic
|
||||
// at the end of an API.
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
request.finalizerHooks = [];
|
||||
|
||||
const actionLog = monitoringMap[apiMethod];
|
||||
if (!actionLog &&
|
||||
|
@ -191,14 +197,17 @@ const api = {
|
|||
|
||||
return async.waterfall([
|
||||
next => auth.server.doAuth(
|
||||
request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
|
||||
request, log, (err, userInfo, authorizationResults, streamingV4Params, infos) => {
|
||||
if (err) {
|
||||
// VaultClient returns standard errors, but the route requires
|
||||
// Arsenal errors
|
||||
const arsenalError = err.metadata ? err : errors[err.code] || errors.InternalError;
|
||||
log.trace('authentication error', { error: err });
|
||||
return next(err);
|
||||
return next(arsenalError);
|
||||
}
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params);
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params, infos);
|
||||
}, 's3', requestContexts),
|
||||
(userInfo, authorizationResults, streamingV4Params, next) => {
|
||||
(userInfo, authorizationResults, streamingV4Params, infos, next) => {
|
||||
const authNames = { accountName: userInfo.getAccountDisplayName() };
|
||||
if (userInfo.isRequesterAnIAMUser()) {
|
||||
authNames.userName = userInfo.getIAMdisplayName();
|
||||
|
@ -208,7 +217,7 @@ const api = {
|
|||
}
|
||||
log.addDefaultFields(authNames);
|
||||
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params);
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params, infos);
|
||||
}
|
||||
// issue 100 Continue to the client
|
||||
writeContinue(request, response);
|
||||
|
@ -239,12 +248,12 @@ const api = {
|
|||
}
|
||||
// Convert array of post buffers into one string
|
||||
request.post = Buffer.concat(post, postLength).toString();
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params);
|
||||
return next(null, userInfo, authorizationResults, streamingV4Params, infos);
|
||||
});
|
||||
return undefined;
|
||||
},
|
||||
// Tag condition keys require information from CloudServer for evaluation
|
||||
(userInfo, authorizationResults, streamingV4Params, next) => tagConditionKeyAuth(
|
||||
(userInfo, authorizationResults, streamingV4Params, infos, next) => tagConditionKeyAuth(
|
||||
authorizationResults,
|
||||
request,
|
||||
requestContexts,
|
||||
|
@ -255,13 +264,14 @@ const api = {
|
|||
log.trace('tag authentication error', { error: err });
|
||||
return next(err);
|
||||
}
|
||||
return next(null, userInfo, authResultsWithTags, streamingV4Params);
|
||||
return next(null, userInfo, authResultsWithTags, streamingV4Params, infos);
|
||||
},
|
||||
),
|
||||
], (err, userInfo, authorizationResults, streamingV4Params) => {
|
||||
], (err, userInfo, authorizationResults, streamingV4Params, infos) => {
|
||||
if (err) {
|
||||
return callback(err);
|
||||
}
|
||||
request.accountQuotas = infos?.accountQuota;
|
||||
if (authorizationResults) {
|
||||
const checkedResults = checkAuthResults(authorizationResults);
|
||||
if (checkedResults instanceof Error) {
|
||||
|
@ -278,19 +288,23 @@ const api = {
|
|||
return acc;
|
||||
}, {});
|
||||
}
|
||||
const methodCallback = (err, ...results) => async.forEachLimit(request.finalizerHooks, 5,
|
||||
(hook, done) => hook(err, done),
|
||||
() => callback(err, ...results));
|
||||
|
||||
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
|
||||
request._response = response;
|
||||
return this[apiMethod](userInfo, request, streamingV4Params,
|
||||
log, callback, authorizationResults);
|
||||
log, methodCallback, authorizationResults);
|
||||
}
|
||||
if (apiMethod === 'objectCopy' || apiMethod === 'objectPutCopyPart') {
|
||||
return this[apiMethod](userInfo, request, sourceBucket,
|
||||
sourceObject, sourceVersionId, log, callback);
|
||||
sourceObject, sourceVersionId, log, methodCallback);
|
||||
}
|
||||
if (apiMethod === 'objectGet') {
|
||||
return this[apiMethod](userInfo, request, returnTagCount, log, callback);
|
||||
}
|
||||
return this[apiMethod](userInfo, request, log, callback);
|
||||
return this[apiMethod](userInfo, request, log, methodCallback);
|
||||
});
|
||||
},
|
||||
bucketDelete,
|
||||
|
@ -317,11 +331,14 @@ const api = {
|
|||
bucketPutReplication,
|
||||
bucketGetReplication,
|
||||
bucketDeleteReplication,
|
||||
bucketDeleteQuota,
|
||||
bucketPutLifecycle,
|
||||
bucketUpdateQuota,
|
||||
bucketGetLifecycle,
|
||||
bucketDeleteLifecycle,
|
||||
bucketPutPolicy,
|
||||
bucketGetPolicy,
|
||||
bucketGetQuota,
|
||||
bucketDeletePolicy,
|
||||
bucketPutObjectLock,
|
||||
bucketPutNotification,
|
||||
|
@ -353,8 +370,8 @@ const api = {
|
|||
objectPutRetention,
|
||||
objectRestore,
|
||||
serviceGet,
|
||||
websiteGet,
|
||||
websiteHead,
|
||||
websiteGet: website,
|
||||
websiteHead: website,
|
||||
};
|
||||
|
||||
module.exports = api;
|
||||
|
|
|
@ -1,7 +1,19 @@
|
|||
const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
|
||||
const { evaluators, actionMaps, RequestContext, requestUtils } = require('arsenal').policies;
|
||||
const { errors } = require('arsenal');
|
||||
const { parseCIDR, isValid } = require('ipaddr.js');
|
||||
const constants = require('../../../../constants');
|
||||
const { config } = require('../../../Config');
|
||||
|
||||
const { allAuthedUsersId, bucketOwnerActions, logId, publicId, arrayOfAllowed } = constants;
|
||||
const {
|
||||
allAuthedUsersId,
|
||||
bucketOwnerActions,
|
||||
logId,
|
||||
publicId,
|
||||
arrayOfAllowed,
|
||||
assumedRoleArnResourceType,
|
||||
backbeatLifecycleSessionName,
|
||||
actionsToConsiderAsObjectPut,
|
||||
} = constants;
|
||||
|
||||
// whitelist buckets to allow public read on objects
|
||||
const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS
|
||||
|
@ -39,17 +51,21 @@ function isRequesterNonAccountUser(authInfo) {
|
|||
|
||||
function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
||||
// Same logic applies on the Versioned APIs, so let's simplify it.
|
||||
const requestTypeParsed = requestType.endsWith('Version') ?
|
||||
let requestTypeParsed = requestType.endsWith('Version') ?
|
||||
requestType.slice(0, 'Version'.length * -1) : requestType;
|
||||
requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestTypeParsed) ?
|
||||
'objectPut' : requestTypeParsed;
|
||||
const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ?
|
||||
'objectPut' : mainApiCall;
|
||||
if (bucket.getOwner() === canonicalID) {
|
||||
return true;
|
||||
}
|
||||
if (mainApiCall === 'objectGet') {
|
||||
if (parsedMainApiCall === 'objectGet') {
|
||||
if (requestTypeParsed === 'objectGetTagging') {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
if (mainApiCall === 'objectPut') {
|
||||
if (parsedMainApiCall === 'objectPut') {
|
||||
if (arrayOfAllowed.includes(requestTypeParsed)) {
|
||||
return true;
|
||||
}
|
||||
|
@ -131,8 +147,12 @@ function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
|||
function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
|
||||
isUserUnauthenticated, mainApiCall) {
|
||||
const bucketOwner = bucket.getOwner();
|
||||
const requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestType) ?
|
||||
'objectPut' : requestType;
|
||||
const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ?
|
||||
'objectPut' : mainApiCall;
|
||||
// acls don't distinguish between users and accounts, so both should be allowed
|
||||
if (bucketOwnerActions.includes(requestType)
|
||||
if (bucketOwnerActions.includes(requestTypeParsed)
|
||||
&& (bucketOwner === canonicalID)) {
|
||||
return true;
|
||||
}
|
||||
|
@ -141,9 +161,9 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
|
|||
}
|
||||
|
||||
// Backward compatibility
|
||||
if (mainApiCall === 'objectGet') {
|
||||
if (parsedMainApiCall === 'objectGet') {
|
||||
if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
|
||||
&& requestType === 'objectGetTagging') {
|
||||
&& requestTypeParsed === 'objectGetTagging') {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
@ -152,7 +172,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
|
|||
return false;
|
||||
}
|
||||
|
||||
if (requestType === 'objectGet' || requestType === 'objectHead') {
|
||||
if (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead') {
|
||||
if (objectMD.acl.Canned === 'public-read'
|
||||
|| objectMD.acl.Canned === 'public-read-write'
|
||||
|| (objectMD.acl.Canned === 'authenticated-read'
|
||||
|
@ -178,11 +198,11 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
|
|||
|
||||
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
||||
// bucket has canned ACL public-read-write
|
||||
if (requestType === 'objectPut' || requestType === 'objectDelete') {
|
||||
if (requestTypeParsed === 'objectPut' || requestTypeParsed === 'objectDelete') {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (requestType === 'objectPutACL') {
|
||||
if (requestTypeParsed === 'objectPutACL') {
|
||||
if ((objectMD.acl.Canned === 'bucket-owner-full-control'
|
||||
&& bucketOwner === canonicalID)
|
||||
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||
|
@ -198,7 +218,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
|
|||
}
|
||||
}
|
||||
|
||||
if (requestType === 'objectGetACL') {
|
||||
if (requestTypeParsed === 'objectGetACL') {
|
||||
if ((objectMD.acl.Canned === 'bucket-owner-full-control'
|
||||
&& bucketOwner === canonicalID)
|
||||
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||
|
@ -219,7 +239,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIs
|
|||
const bucketAcl = bucket.getAcl();
|
||||
const allowPublicReads = publicReadBuckets.includes(bucket.getName())
|
||||
&& bucketAcl.Canned === 'public-read'
|
||||
&& (requestType === 'objectGet' || requestType === 'objectHead');
|
||||
&& (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
|
||||
if (allowPublicReads) {
|
||||
return true;
|
||||
}
|
||||
|
@ -246,6 +266,20 @@ function _checkBucketPolicyResources(request, resource, log) {
|
|||
return evaluators.isResourceApplicable(requestContext, resource, log);
|
||||
}
|
||||
|
||||
function _checkBucketPolicyConditions(request, conditions, log) {
|
||||
const ip = request ? requestUtils.getClientIp(request, config) : undefined;
|
||||
if (!conditions) {
|
||||
return true;
|
||||
}
|
||||
// build request context from the request!
|
||||
const requestContext = new RequestContext(request.headers, request.query,
|
||||
request.bucketName, request.objectKey, ip,
|
||||
request.connection.encrypted, request.resourceType, 's3', null, null,
|
||||
null, null, null, null, null, null, null, null, null,
|
||||
request.objectLockRetentionDays);
|
||||
return evaluators.meetConditions(requestContext, conditions, log);
|
||||
}
|
||||
|
||||
function _getAccountId(arn) {
|
||||
// account or user arn is of format 'arn:aws:iam::<12-digit-acct-id>:etc...
|
||||
return arn.substr(13, 12);
|
||||
|
@ -303,12 +337,13 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
|
|||
const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
|
||||
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
|
||||
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
|
||||
const conditionsMatch = _checkBucketPolicyConditions(request, s.Condition, log);
|
||||
|
||||
if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
|
||||
if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Deny') {
|
||||
// explicit deny trumps any allows, so return immediately
|
||||
return 'explicitDeny';
|
||||
}
|
||||
if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Allow') {
|
||||
if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Allow') {
|
||||
permission = 'allow';
|
||||
}
|
||||
copiedStatement = copiedStatement.splice(1);
|
||||
|
@ -338,7 +373,7 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
|
|||
}
|
||||
|
||||
function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, log, request,
|
||||
actionImplicitDeniesInput = {}) {
|
||||
actionImplicitDeniesInput = {}, isWebsite = false) {
|
||||
const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput];
|
||||
const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput;
|
||||
const mainApiCall = requestTypes[0];
|
||||
|
@ -362,6 +397,15 @@ function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, lo
|
|||
return results[_requestType];
|
||||
}
|
||||
const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
|
||||
// In case of error bucket access is checked with bucketGet
|
||||
// For website, bucket policy only uses objectGet and ignores bucketGet
|
||||
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html
|
||||
// bucketGet should be used to check acl but switched to objectGet for bucket policy
|
||||
if (isWebsite && _requestType === 'bucketGet') {
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
_requestType = 'objectGet';
|
||||
actionImplicitDenies.objectGet = actionImplicitDenies.objectGet || false;
|
||||
}
|
||||
return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
|
||||
request, aclPermission, results, actionImplicitDenies);
|
||||
});
|
||||
|
@ -386,7 +430,7 @@ function evaluateBucketPolicyWithIAM(bucket, requestTypesInput, canonicalID, aut
|
|||
}
|
||||
|
||||
function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request,
|
||||
actionImplicitDeniesInput = {}) {
|
||||
actionImplicitDeniesInput = {}, isWebsite = false) {
|
||||
const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput];
|
||||
const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput;
|
||||
const results = {};
|
||||
|
@ -399,16 +443,20 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
|
|||
? _requestType.slice(0, -7) : _requestType;
|
||||
const bucketOwner = bucket.getOwner();
|
||||
if (!objectMD) {
|
||||
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
||||
// bucket has canned ACL public-read-write
|
||||
if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
|
||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||
return results[_requestType];
|
||||
}
|
||||
// check bucket has read access
|
||||
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
|
||||
results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request,
|
||||
actionImplicitDenies);
|
||||
let permission = 'bucketGet';
|
||||
if (actionsToConsiderAsObjectPut.includes(_requestType)) {
|
||||
permission = 'objectPut';
|
||||
}
|
||||
results[_requestType] = isBucketAuthorized(bucket, permission, canonicalID, authInfo, log, request,
|
||||
actionImplicitDenies, isWebsite);
|
||||
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
||||
// bucket has canned ACL public-read-write
|
||||
if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete')
|
||||
&& results[_requestType] === false) {
|
||||
results[_requestType] = actionImplicitDenies[_requestType] === false;
|
||||
}
|
||||
return results[_requestType];
|
||||
}
|
||||
let requesterIsNotUser = true;
|
||||
|
@ -466,6 +514,117 @@ function validatePolicyResource(bucketName, policy) {
|
|||
});
|
||||
}
|
||||
|
||||
function checkIp(value) {
|
||||
const errString = 'Invalid IP address in Conditions';
|
||||
|
||||
const values = Array.isArray(value) ? value : [value];
|
||||
|
||||
for (let i = 0; i < values.length; i++) {
|
||||
// these preliminary checks are validating the provided
|
||||
// ip address against ipaddr.js, the library we use when
|
||||
// evaluating IP condition keys. It ensures compatibility,
|
||||
// but additional checks are required to enforce the right
|
||||
// notation (e.g., xxx.xxx.xxx.xxx/xx for IPv4). Otherwise,
|
||||
// we would accept different ip formats, which is not
|
||||
// standard in an AWS use case.
|
||||
try {
|
||||
try {
|
||||
parseCIDR(values[i]);
|
||||
} catch (err) {
|
||||
isValid(values[i]);
|
||||
}
|
||||
} catch (err) {
|
||||
return errString;
|
||||
}
|
||||
|
||||
// Apply the existing IP validation logic to each element
|
||||
const validateIpRegex = ip => {
|
||||
if (constants.ipv4Regex.test(ip)) {
|
||||
return ip.split('.').every(part => parseInt(part, 10) <= 255);
|
||||
}
|
||||
if (constants.ipv6Regex.test(ip)) {
|
||||
return ip.split(':').every(part => part.length <= 4);
|
||||
}
|
||||
return false;
|
||||
};
|
||||
|
||||
if (validateIpRegex(values[i]) !== true) {
|
||||
return errString;
|
||||
}
|
||||
}
|
||||
|
||||
// If the function hasn't returned by now, all elements are valid
|
||||
return null;
|
||||
}
|
||||
|
||||
// This function checks all bucket policy conditions if the values provided
|
||||
// are valid for the condition type. If not it returns a relevant Malformed policy error string
|
||||
function validatePolicyConditions(policy) {
|
||||
const validConditions = [
|
||||
{ conditionKey: 'aws:SourceIp', conditionValueTypeChecker: checkIp },
|
||||
{ conditionKey: 's3:object-lock-remaining-retention-days' },
|
||||
];
|
||||
// keys where value type does not seem to be checked by AWS:
|
||||
// - s3:object-lock-remaining-retention-days
|
||||
|
||||
if (!policy.Statement || !Array.isArray(policy.Statement) || policy.Statement.length === 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
// there can be multiple statements in the policy, each with a Condition enclosure
|
||||
for (let i = 0; i < policy.Statement.length; i++) {
|
||||
const s = policy.Statement[i];
|
||||
if (s.Condition) {
|
||||
const conditionOperators = Object.keys(s.Condition);
|
||||
// there can be multiple condition operations in the Condition enclosure
|
||||
// eslint-disable-next-line no-restricted-syntax
|
||||
for (const conditionOperator of conditionOperators) {
|
||||
const conditionKey = Object.keys(s.Condition[conditionOperator])[0];
|
||||
const conditionValue = s.Condition[conditionOperator][conditionKey];
|
||||
const validCondition = validConditions.find(validCondition =>
|
||||
validCondition.conditionKey === conditionKey
|
||||
);
|
||||
// AWS returns does not return an error if the condition starts with 'aws:'
|
||||
// so we reproduce this behaviour
|
||||
if (!validCondition && !conditionKey.startsWith('aws:')) {
|
||||
return errors.MalformedPolicy.customizeDescription('Policy has an invalid condition key');
|
||||
}
|
||||
if (validCondition && validCondition.conditionValueTypeChecker) {
|
||||
const conditionValueTypeError = validCondition.conditionValueTypeChecker(conditionValue);
|
||||
if (conditionValueTypeError) {
|
||||
return errors.MalformedPolicy.customizeDescription(conditionValueTypeError);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
/** isLifecycleSession - check if it is the Lifecycle assumed role session arn.
|
||||
* @param {string} arn - Amazon resource name - example:
|
||||
* arn:aws:sts::257038443293:assumed-role/rolename/backbeat-lifecycle
|
||||
* @return {boolean} true if Lifecycle assumed role session arn, false if not.
|
||||
*/
|
||||
function isLifecycleSession(arn) {
|
||||
if (!arn) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const arnSplits = arn.split(':');
|
||||
const service = arnSplits[2];
|
||||
|
||||
const resourceNames = arnSplits[arnSplits.length - 1].split('/');
|
||||
|
||||
const resourceType = resourceNames[0];
|
||||
const sessionName = resourceNames[resourceNames.length - 1];
|
||||
|
||||
return (service === 'sts'
|
||||
&& resourceType === assumedRoleArnResourceType
|
||||
&& sessionName === backbeatLifecycleSessionName);
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
isBucketAuthorized,
|
||||
isObjAuthorized,
|
||||
|
@ -476,5 +635,7 @@ module.exports = {
|
|||
checkBucketAcls,
|
||||
checkObjectAcls,
|
||||
validatePolicyResource,
|
||||
validatePolicyConditions,
|
||||
isLifecycleSession,
|
||||
evaluateBucketPolicyWithIAM,
|
||||
};
|
||||
|
|
|
@ -52,7 +52,7 @@ function prepareRequestContexts(apiMethod, request, sourceBucket,
|
|||
apiMethod, 's3');
|
||||
}
|
||||
|
||||
if (apiMethod === 'multiObjectDelete' || apiMethod === 'bucketPut') {
|
||||
if (apiMethod === 'bucketPut') {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -65,7 +65,17 @@ function prepareRequestContexts(apiMethod, request, sourceBucket,
|
|||
|
||||
const requestContexts = [];
|
||||
|
||||
if (apiMethodAfterVersionCheck === 'objectCopy'
|
||||
if (apiMethod === 'multiObjectDelete') {
|
||||
// MultiObjectDelete does not require any authorization when evaluating
|
||||
// the API. Instead, we authorize each object passed.
|
||||
// But in order to get any relevant information from the authorization service
|
||||
// for example, the account quota, we must send a request context object
|
||||
// with no `specificResource`. We expect the result to be an implicit deny.
|
||||
// In the API, we then ignore these authorization results, and we can use
|
||||
// any information returned, e.g., the quota.
|
||||
const requestContextMultiObjectDelete = generateRequestContext('objectDelete');
|
||||
requestContexts.push(requestContextMultiObjectDelete);
|
||||
} else if (apiMethodAfterVersionCheck === 'objectCopy'
|
||||
|| apiMethodAfterVersionCheck === 'objectPutCopyPart') {
|
||||
const objectGetAction = sourceVersionId ? 'objectGetVersion' :
|
||||
'objectGet';
|
||||
|
|
|
@ -30,6 +30,9 @@ function bucketShield(bucket, requestType) {
|
|||
// Otherwise return an error to the client
|
||||
if ((bucket.hasDeletedFlag() || bucket.hasTransientFlag()) &&
|
||||
(requestType !== 'objectPut' &&
|
||||
requestType !== 'initiateMultipartUpload' &&
|
||||
requestType !== 'objectPutPart' &&
|
||||
requestType !== 'completeMultipartUpload' &&
|
||||
requestType !== 'bucketPutACL' &&
|
||||
requestType !== 'bucketDelete')) {
|
||||
return true;
|
||||
|
|
|
@ -14,7 +14,7 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
|
|||
bucketName,
|
||||
objectKey,
|
||||
uploadId,
|
||||
preciseRequestType: 'multipartDelete',
|
||||
preciseRequestType: request.apiMethods || 'multipartDelete',
|
||||
request,
|
||||
};
|
||||
// For validating the request at the destinationBucket level
|
||||
|
|
|
@ -2,11 +2,13 @@
|
|||
* Code based on Yutaka Oishi (Fujifilm) contributions
|
||||
* Date: 11 Sep 2020
|
||||
*/
|
||||
const ObjectMDArchive = require('arsenal').models.ObjectMDArchive;
|
||||
const { ObjectMDArchive } = require('arsenal').models;
|
||||
const errors = require('arsenal').errors;
|
||||
const { config } = require('../../../Config');
|
||||
const { locationConstraints } = config;
|
||||
|
||||
const { scaledMsPerDay } = config.getTimeOptions();
|
||||
|
||||
/**
|
||||
* Get response header "x-amz-restore"
|
||||
* Be called by objectHead.js
|
||||
|
@ -32,7 +34,6 @@ function getAmzRestoreResHeader(objMD) {
|
|||
return undefined;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check if restore can be done.
|
||||
*
|
||||
|
@ -41,6 +42,23 @@ function getAmzRestoreResHeader(objMD) {
|
|||
* @return {ArsenalError|undefined} - undefined if the conditions for RestoreObject are fulfilled
|
||||
*/
|
||||
function _validateStartRestore(objectMD, log) {
|
||||
if (objectMD.archive?.restoreCompletedAt) {
|
||||
if (new Date(objectMD.archive?.restoreWillExpireAt) < new Date(Date.now())) {
|
||||
// return InvalidObjectState error if the restored object is expired
|
||||
// but restore info md of this object has not yet been cleared
|
||||
log.debug('The restored object already expired.',
|
||||
{
|
||||
archive: objectMD.archive,
|
||||
method: '_validateStartRestore',
|
||||
});
|
||||
return errors.InvalidObjectState;
|
||||
}
|
||||
|
||||
// If object is already restored, no further check is needed
|
||||
// Furthermore, we cannot check if the location is cold, as the `dataStoreName` would have
|
||||
// been reset.
|
||||
return undefined;
|
||||
}
|
||||
const isLocationCold = locationConstraints[objectMD.dataStoreName]?.isCold;
|
||||
if (!isLocationCold) {
|
||||
// return InvalidObjectState error if the object is not in cold storage,
|
||||
|
@ -52,18 +70,7 @@ function _validateStartRestore(objectMD, log) {
|
|||
});
|
||||
return errors.InvalidObjectState;
|
||||
}
|
||||
if (objectMD.archive?.restoreCompletedAt
|
||||
&& new Date(objectMD.archive?.restoreWillExpireAt) < new Date(Date.now())) {
|
||||
// return InvalidObjectState error if the restored object is expired
|
||||
// but restore info md of this object has not yet been cleared
|
||||
log.debug('The restored object already expired.',
|
||||
{
|
||||
archive: objectMD.archive,
|
||||
method: '_validateStartRestore',
|
||||
});
|
||||
return errors.InvalidObjectState;
|
||||
}
|
||||
if (objectMD.archive?.restoreRequestedAt && !objectMD.archive?.restoreCompletedAt) {
|
||||
if (objectMD.archive?.restoreRequestedAt) {
|
||||
// return RestoreAlreadyInProgress error if the object is currently being restored
|
||||
// check if archive.restoreRequestAt exists and archive.restoreCompletedAt not yet exists
|
||||
log.debug('The object is currently being restored.',
|
||||
|
@ -120,22 +127,36 @@ function validatePutVersionId(objMD, versionId, log) {
|
|||
}
|
||||
|
||||
/**
|
||||
* Check if the object is already restored
|
||||
* Check if the object is already restored, and update the expiration date accordingly:
|
||||
* > After restoring an archived object, you can update the restoration period by reissuing the
|
||||
* > request with a new period. Amazon S3 updates the restoration period relative to the current
|
||||
* > time.
|
||||
*
|
||||
* @param {ObjectMD} objectMD - object metadata
|
||||
* @param {object} log - werelogs logger
|
||||
* @return {boolean} - true if the object is already restored
|
||||
*/
|
||||
function isObjectAlreadyRestored(objectMD, log) {
|
||||
// check if restoreCompletedAt field exists
|
||||
// and archive.restoreWillExpireAt > current time
|
||||
const isObjectAlreadyRestored = objectMD.archive?.restoreCompletedAt
|
||||
&& new Date(objectMD.archive?.restoreWillExpireAt) >= new Date(Date.now());
|
||||
log.debug('The restore status of the object.',
|
||||
{
|
||||
isObjectAlreadyRestored,
|
||||
method: 'isObjectAlreadyRestored'
|
||||
});
|
||||
function _updateObjectExpirationDate(objectMD, log) {
|
||||
// Check if restoreCompletedAt field exists
|
||||
// Normally, we should check `archive.restoreWillExpireAt > current time`; however this is
|
||||
// checked earlier in the process, so checking again here would create weird states
|
||||
const isObjectAlreadyRestored = !!objectMD.archive.restoreCompletedAt;
|
||||
log.debug('The restore status of the object.', {
|
||||
isObjectAlreadyRestored,
|
||||
method: 'isObjectAlreadyRestored'
|
||||
});
|
||||
if (isObjectAlreadyRestored) {
|
||||
const expiryDate = new Date(objectMD.archive.restoreRequestedAt);
|
||||
expiryDate.setTime(expiryDate.getTime() + (objectMD.archive.restoreRequestedDays * scaledMsPerDay));
|
||||
|
||||
/* eslint-disable no-param-reassign */
|
||||
objectMD.archive.restoreWillExpireAt = expiryDate;
|
||||
objectMD['x-amz-restore'] = {
|
||||
'ongoing-request': false,
|
||||
'expiry-date': expiryDate,
|
||||
};
|
||||
/* eslint-enable no-param-reassign */
|
||||
}
|
||||
return isObjectAlreadyRestored;
|
||||
}
|
||||
|
||||
|
@ -195,12 +216,32 @@ function startRestore(objectMD, restoreParam, log, cb) {
|
|||
if (updateResultError) {
|
||||
return cb(updateResultError);
|
||||
}
|
||||
return cb(null, isObjectAlreadyRestored(objectMD, log));
|
||||
const isObjectAlreadyRestored = _updateObjectExpirationDate(objectMD, log);
|
||||
return cb(null, isObjectAlreadyRestored);
|
||||
}
|
||||
|
||||
/**
|
||||
* checks if object data is available or if it's in cold storage
|
||||
* @param {ObjectMD} objMD Object metadata
|
||||
* @returns {ArsenalError|null} error if object data is not available
|
||||
*/
|
||||
function verifyColdObjectAvailable(objMD) {
|
||||
// return error when object is cold
|
||||
if (objMD.archive &&
|
||||
// Object is in cold backend
|
||||
(!objMD.archive.restoreRequestedAt ||
|
||||
// Object is being restored
|
||||
(objMD.archive.restoreRequestedAt && !objMD.archive.restoreCompletedAt))) {
|
||||
const err = errors.InvalidObjectState
|
||||
.customizeDescription('The operation is not valid for the object\'s storage class');
|
||||
return err;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
startRestore,
|
||||
getAmzRestoreResHeader,
|
||||
validatePutVersionId,
|
||||
verifyColdObjectAvailable,
|
||||
};
|
||||
|
|
|
@ -5,7 +5,6 @@ const getMetaHeaders = s3middleware.userMetadata.getMetaHeaders;
|
|||
const constants = require('../../../../constants');
|
||||
const { data } = require('../../../data/wrapper');
|
||||
const services = require('../../../services');
|
||||
const logger = require('../../../utilities/logger');
|
||||
const { dataStore } = require('./storeObject');
|
||||
const locationConstraintCheck = require('./locationConstraintCheck');
|
||||
const { versioningPreprocessing, overwritingVersioning } = require('./versioning');
|
||||
|
@ -21,7 +20,7 @@ const externalVersioningErrorMessage = 'We do not currently support putting ' +
|
|||
'a versioned object to a location-constraint of type Azure or GCP.';
|
||||
|
||||
function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
|
||||
metadataStoreParams, dataToDelete, deleteLog, requestMethod, callback) {
|
||||
metadataStoreParams, dataToDelete, log, requestMethod, callback) {
|
||||
services.metadataStoreObject(bucketName, dataGetInfo,
|
||||
cipherBundle, metadataStoreParams, (err, result) => {
|
||||
if (err) {
|
||||
|
@ -31,7 +30,7 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
|
|||
const newDataStoreName = Array.isArray(dataGetInfo) ?
|
||||
dataGetInfo[0].dataStoreName : null;
|
||||
return data.batchDelete(dataToDelete, requestMethod,
|
||||
newDataStoreName, deleteLog, err => callback(err, result));
|
||||
newDataStoreName, log, err => callback(err, result));
|
||||
}
|
||||
return callback(null, result);
|
||||
});
|
||||
|
@ -53,6 +52,7 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
|
|||
* credentialScope (to be used for streaming v4 auth if applicable)
|
||||
* @param {(object|null)} overheadField - fields to be included in metadata overhead
|
||||
* @param {RequestLogger} log - logger instance
|
||||
* @param {string} originOp - Origin operation
|
||||
* @param {function} callback - callback function
|
||||
* @return {undefined} and call callback with (err, result) -
|
||||
* result.contentMD5 - content md5 of new object or version
|
||||
|
@ -60,7 +60,7 @@ function _storeInMDandDeleteData(bucketName, dataGetInfo, cipherBundle,
|
|||
*/
|
||||
function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
|
||||
canonicalID, cipherBundle, request, isDeleteMarker, streamingV4Params,
|
||||
overheadField, log, callback) {
|
||||
overheadField, log, originOp, callback) {
|
||||
const putVersionId = request.headers['x-scal-s3-version-id'];
|
||||
const isPutVersion = putVersionId || putVersionId === '';
|
||||
|
||||
|
@ -143,7 +143,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
|
|||
removeAWSChunked(request.headers['content-encoding']);
|
||||
metadataStoreParams.expires = request.headers.expires;
|
||||
metadataStoreParams.tagging = request.headers['x-amz-tagging'];
|
||||
metadataStoreParams.originOp = 's3:ObjectCreated:Put';
|
||||
metadataStoreParams.originOp = originOp;
|
||||
const defaultObjectLockConfiguration
|
||||
= bucketMD.getObjectLockConfiguration();
|
||||
if (defaultObjectLockConfiguration) {
|
||||
|
@ -158,7 +158,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
|
|||
// eslint-disable-next-line no-param-reassign
|
||||
request.headers[constants.objectLocationConstraintHeader] =
|
||||
objMD[constants.objectLocationConstraintHeader];
|
||||
metadataStoreParams.originOp = 's3:ObjectRemoved:DeleteMarkerCreated';
|
||||
metadataStoreParams.originOp = originOp;
|
||||
}
|
||||
|
||||
const backendInfoObj =
|
||||
|
@ -197,10 +197,9 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
|
|||
const dontSkipBackend = externalBackends;
|
||||
/* eslint-enable camelcase */
|
||||
|
||||
const requestLogger =
|
||||
logger.newRequestLoggerFromSerializedUids(log.getSerializedUids());
|
||||
const mdOnlyHeader = request.headers['x-amz-meta-mdonly'];
|
||||
const mdOnlySize = request.headers['x-amz-meta-size'];
|
||||
|
||||
return async.waterfall([
|
||||
function storeData(next) {
|
||||
if (size === 0) {
|
||||
|
@ -295,7 +294,7 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
|
|||
}
|
||||
return _storeInMDandDeleteData(bucketName, infoArr,
|
||||
cipherBundle, metadataStoreParams,
|
||||
options.dataToDelete, requestLogger, requestMethod, next);
|
||||
options.dataToDelete, log, requestMethod, next);
|
||||
},
|
||||
], callback);
|
||||
}
|
||||
|
|
|
@ -4,23 +4,25 @@ const {
|
|||
LifecycleDateTime,
|
||||
LifecycleUtils,
|
||||
} = require('arsenal').s3middleware.lifecycleHelpers;
|
||||
const { config } = require('../../../Config');
|
||||
|
||||
// moves lifecycle transition deadlines 1 day earlier, mostly for testing
|
||||
const transitionOneDayEarlier = process.env.TRANSITION_ONE_DAY_EARLIER === 'true';
|
||||
// moves lifecycle expiration deadlines 1 day earlier, mostly for testing
|
||||
const expireOneDayEarlier = process.env.EXPIRE_ONE_DAY_EARLIER === 'true';
|
||||
const {
|
||||
expireOneDayEarlier,
|
||||
transitionOneDayEarlier,
|
||||
timeProgressionFactor,
|
||||
scaledMsPerDay,
|
||||
} = config.getTimeOptions();
|
||||
|
||||
const lifecycleDateTime = new LifecycleDateTime({
|
||||
transitionOneDayEarlier,
|
||||
expireOneDayEarlier,
|
||||
timeProgressionFactor,
|
||||
});
|
||||
|
||||
const lifecycleUtils = new LifecycleUtils(supportedLifecycleRules, lifecycleDateTime);
|
||||
|
||||
const oneDay = 24 * 60 * 60 * 1000; // Milliseconds in a day.
|
||||
const lifecycleUtils = new LifecycleUtils(supportedLifecycleRules, lifecycleDateTime, timeProgressionFactor);
|
||||
|
||||
function calculateDate(objDate, expDays, datetime) {
|
||||
return new Date(datetime.getTimestamp(objDate) + expDays * oneDay);
|
||||
return new Date(datetime.getTimestamp(objDate) + (expDays * scaledMsPerDay));
|
||||
}
|
||||
|
||||
function formatExpirationHeader(date, id) {
|
||||
|
|
|
@ -5,6 +5,7 @@ const { config } = require('../../../Config');
|
|||
const vault = require('../../../auth/vault');
|
||||
const { evaluateBucketPolicyWithIAM } = require('../authorization/permissionChecks');
|
||||
|
||||
const { scaledMsPerDay } = config.getTimeOptions();
|
||||
/**
|
||||
* Calculates retain until date for the locked object version
|
||||
* @param {object} retention - includes days or years retention period
|
||||
|
@ -20,8 +21,9 @@ function calculateRetainUntilDate(retention) {
|
|||
const date = moment();
|
||||
// Calculate the number of days to retain the lock on the object
|
||||
const retainUntilDays = days || years * 365;
|
||||
const retainUntilDaysInMs = retainUntilDays * scaledMsPerDay;
|
||||
const retainUntilDate
|
||||
= date.add(retainUntilDays, 'days');
|
||||
= date.add(retainUntilDaysInMs, 'ms');
|
||||
return retainUntilDate.toISOString();
|
||||
}
|
||||
/**
|
||||
|
@ -304,7 +306,7 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
|
|||
return cb(err);
|
||||
}
|
||||
const explicitDenyExists = authorizationResults.some(
|
||||
authzResult => authzResult.isAllowed === false && authzResult.isImplicit === false);
|
||||
authzResult => authzResult.isAllowed === false && !authzResult.isImplicit);
|
||||
if (explicitDenyExists) {
|
||||
log.trace('authorization check failed for user',
|
||||
{
|
||||
|
|
|
@ -8,7 +8,7 @@ const { pushMetric } = require('../../../utapi/utilities');
|
|||
const { decodeVersionId } = require('./versioning');
|
||||
const collectCorsHeaders = require('../../../utilities/collectCorsHeaders');
|
||||
const { parseRestoreRequestXml } = s3middleware.objectRestore;
|
||||
|
||||
const { processBytesToWrite, validateQuotas } = require('../quotas/quotaUtils');
|
||||
|
||||
/**
|
||||
* Check if tier is supported
|
||||
|
@ -58,7 +58,15 @@ function objectRestore(metadata, mdUtils, userInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId: decodedVidResult,
|
||||
requestType: 'restoreObject',
|
||||
requestType: request.apiMethods || 'restoreObject',
|
||||
/**
|
||||
* Restoring an object might not cause any impact on
|
||||
* the storage, if the object is already restored: in
|
||||
* this case, the duration is extended. We disable the
|
||||
* quota evaluation and trigger it manually.
|
||||
*/
|
||||
checkQuota: false,
|
||||
request,
|
||||
};
|
||||
|
||||
return async.waterfall([
|
||||
|
@ -116,6 +124,16 @@ function objectRestore(metadata, mdUtils, userInfo, request, log, callback) {
|
|||
return next(err, bucketMD, objectMD);
|
||||
});
|
||||
},
|
||||
function evaluateQuotas(bucketMD, objectMD, next) {
|
||||
if (isObjectRestored) {
|
||||
return next(null, bucketMD, objectMD);
|
||||
}
|
||||
const actions = Array.isArray(mdValueParams.requestType) ?
|
||||
mdValueParams.requestType : [mdValueParams.requestType];
|
||||
const bytes = processBytesToWrite(request.apiMethod, bucketMD, mdValueParams.versionId, 0, objectMD);
|
||||
return validateQuotas(request, bucketMD, request.accountQuotas, actions, request.apiMethod, bytes,
|
||||
false, log, err => next(err, bucketMD, objectMD));
|
||||
},
|
||||
function updateObjectMD(bucketMD, objectMD, next) {
|
||||
const params = objectMD.versionId ? { versionId: objectMD.versionId } : {};
|
||||
metadata.putObjectMD(bucketMD.getName(), objectKey, objectMD, params,
|
||||
|
|
|
@ -4,7 +4,7 @@ const async = require('async');
|
|||
const metadata = require('../../../metadata/wrapper');
|
||||
const { config } = require('../../../Config');
|
||||
|
||||
const oneDay = 24 * 60 * 60 * 1000;
|
||||
const { scaledMsPerDay } = config.getTimeOptions();
|
||||
|
||||
const versionIdUtils = versioning.VersionID;
|
||||
// Use Arsenal function to generate a version ID used internally by metadata
|
||||
|
@ -210,7 +210,7 @@ function processVersioningState(mst, vstat, nullVersionCompatMode) {
|
|||
// null keys are used, which is used as an optimization to
|
||||
// avoid having to check the versioned key since there can
|
||||
// be no more versioned key to clean up
|
||||
if (mst.isNull && !mst.isNull2) {
|
||||
if (mst.isNull && mst.versionId && !mst.isNull2) {
|
||||
const delOptions = { versionId: mst.versionId };
|
||||
return { options, delOptions };
|
||||
}
|
||||
|
@ -241,7 +241,7 @@ function processVersioningState(mst, vstat, nullVersionCompatMode) {
|
|||
if (masterIsNull) {
|
||||
// if master is a null version or a non-versioned key,
|
||||
// copy it to a new null key
|
||||
const nullVersionId = mst.isNull ? mst.versionId : nonVersionedObjId;
|
||||
const nullVersionId = (mst.isNull && mst.versionId) ? mst.versionId : nonVersionedObjId;
|
||||
if (nullVersionCompatMode) {
|
||||
options.extraMD = {
|
||||
nullVersionId,
|
||||
|
@ -460,6 +460,47 @@ function preprocessingVersioningDelete(bucketName, bucketMD, objectMD, reqVersio
|
|||
return options;
|
||||
}
|
||||
|
||||
/**
|
||||
* Keep metadatas when the object is restored from cold storage
|
||||
* but remove the specific ones we don't want to keep
|
||||
* @param {object} objMD - obj metadata
|
||||
* @param {object} metadataStoreParams - custom built object containing resource details.
|
||||
* @return {undefined}
|
||||
*/
|
||||
function restoreMetadata(objMD, metadataStoreParams) {
|
||||
/* eslint-disable no-param-reassign */
|
||||
const userMDToSkip = ['x-amz-meta-scal-s3-restore-attempt'];
|
||||
// We need to keep user metadata and tags
|
||||
Object.keys(objMD).forEach(key => {
|
||||
if (key.startsWith('x-amz-meta-') && !userMDToSkip.includes(key)) {
|
||||
metadataStoreParams.metaHeaders[key] = objMD[key];
|
||||
}
|
||||
});
|
||||
|
||||
if (objMD['x-amz-website-redirect-location']) {
|
||||
if (!metadataStoreParams.headers) {
|
||||
metadataStoreParams.headers = {};
|
||||
}
|
||||
metadataStoreParams.headers['x-amz-website-redirect-location'] = objMD['x-amz-website-redirect-location'];
|
||||
}
|
||||
|
||||
if (objMD.replicationInfo) {
|
||||
metadataStoreParams.replicationInfo = objMD.replicationInfo;
|
||||
}
|
||||
|
||||
if (objMD.legalHold) {
|
||||
metadataStoreParams.legalHold = objMD.legalHold;
|
||||
}
|
||||
|
||||
if (objMD.acl) {
|
||||
metadataStoreParams.acl = objMD.acl;
|
||||
}
|
||||
|
||||
metadataStoreParams.creationTime = objMD['creation-time'];
|
||||
metadataStoreParams.lastModifiedDate = objMD['last-modified'];
|
||||
metadataStoreParams.taggingCopy = objMD.tags;
|
||||
}
|
||||
|
||||
/** overwritingVersioning - return versioning information for S3 to handle
|
||||
* storing version metadata with a specific version id.
|
||||
* @param {object} objMD - obj metadata
|
||||
|
@ -471,10 +512,8 @@ function preprocessingVersioningDelete(bucketName, bucketMD, objectMD, reqVersio
|
|||
* version id of the null version
|
||||
*/
|
||||
function overwritingVersioning(objMD, metadataStoreParams) {
|
||||
/* eslint-disable no-param-reassign */
|
||||
metadataStoreParams.creationTime = objMD['creation-time'];
|
||||
metadataStoreParams.lastModifiedDate = objMD['last-modified'];
|
||||
metadataStoreParams.updateMicroVersionId = true;
|
||||
metadataStoreParams.amzStorageClass = objMD['x-amz-storage-class'];
|
||||
|
||||
// set correct originOp
|
||||
metadataStoreParams.originOp = 's3:ObjectRestore:Completed';
|
||||
|
@ -487,7 +526,7 @@ function overwritingVersioning(objMD, metadataStoreParams) {
|
|||
restoreRequestedAt: objMD.archive?.restoreRequestedAt,
|
||||
restoreRequestedDays: objMD.archive?.restoreRequestedDays,
|
||||
restoreCompletedAt: new Date(now),
|
||||
restoreWillExpireAt: new Date(now + (days * oneDay)),
|
||||
restoreWillExpireAt: new Date(now + (days * scaledMsPerDay)),
|
||||
};
|
||||
|
||||
/* eslint-enable no-param-reassign */
|
||||
|
@ -503,6 +542,8 @@ function overwritingVersioning(objMD, metadataStoreParams) {
|
|||
};
|
||||
}
|
||||
|
||||
restoreMetadata(objMD, metadataStoreParams);
|
||||
|
||||
return options;
|
||||
}
|
||||
|
||||
|
|
|
@ -101,8 +101,33 @@ function validateWebsiteHeader(header) {
|
|||
header.startsWith('http://') || header.startsWith('https://'));
|
||||
}
|
||||
|
||||
/**
|
||||
* appendWebsiteIndexDocument - append index to objectKey if necessary
|
||||
* @param {object} request - normalized request object
|
||||
* @param {string} indexDocumentSuffix - index document from website config
|
||||
* @param {boolean} force - flag to force append index
|
||||
* @return {undefined}
|
||||
*/
|
||||
function appendWebsiteIndexDocument(request, indexDocumentSuffix, force = false) {
|
||||
const reqObjectKey = request.objectKey ? request.objectKey : '';
|
||||
/* eslint-disable no-param-reassign */
|
||||
|
||||
// find index document if "directory" sent in request
|
||||
if (reqObjectKey.endsWith('/')) {
|
||||
request.objectKey += indexDocumentSuffix;
|
||||
// find index document if no key provided
|
||||
} else if (reqObjectKey === '') {
|
||||
request.objectKey = indexDocumentSuffix;
|
||||
// force for redirect 302 on folder without trailing / that has an index
|
||||
} else if (force) {
|
||||
request.objectKey += `/${indexDocumentSuffix}`;
|
||||
}
|
||||
/* eslint-enable no-param-reassign */
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
findRoutingRule,
|
||||
extractRedirectInfo,
|
||||
validateWebsiteHeader,
|
||||
appendWebsiteIndexDocument,
|
||||
};
|
||||
|
|
|
@ -0,0 +1,314 @@
|
|||
const async = require('async');
|
||||
const { errors } = require('arsenal');
|
||||
const monitoring = require('../../../utilities/monitoringHandler');
|
||||
const {
|
||||
actionNeedQuotaCheckCopy,
|
||||
actionNeedQuotaCheck,
|
||||
actionWithDataDeletion,
|
||||
} = require('arsenal').policies;
|
||||
const { config } = require('../../../Config');
|
||||
const QuotaService = require('../../../quotas/quotas');
|
||||
|
||||
/**
|
||||
* Process the bytes to write based on the request and object metadata
|
||||
* @param {string} apiMethod - api method
|
||||
* @param {BucketInfo} bucket - bucket info
|
||||
* @param {string} versionId - version id of the object
|
||||
* @param {number} contentLength - content length of the object
|
||||
* @param {object} objMD - object metadata
|
||||
* @param {object} destObjMD - destination object metadata
|
||||
* @return {number} processed content length
|
||||
*/
|
||||
function processBytesToWrite(apiMethod, bucket, versionId, contentLength, objMD, destObjMD = null) {
|
||||
let bytes = contentLength;
|
||||
if (apiMethod === 'objectRestore') {
|
||||
// object is being restored
|
||||
bytes = Number.parseInt(objMD['content-length'], 10);
|
||||
} else if (!bytes && objMD?.['content-length']) {
|
||||
if (apiMethod === 'objectCopy' || apiMethod === 'objectPutCopyPart') {
|
||||
if (!destObjMD || bucket.isVersioningEnabled()) {
|
||||
// object is being copied
|
||||
bytes = Number.parseInt(objMD['content-length'], 10);
|
||||
} else if (!bucket.isVersioningEnabled()) {
|
||||
// object is being copied and replaces the target
|
||||
bytes = Number.parseInt(objMD['content-length'], 10) -
|
||||
Number.parseInt(destObjMD['content-length'], 10);
|
||||
}
|
||||
} else if (!bucket.isVersioningEnabled() || bucket.isVersioningEnabled() && versionId) {
|
||||
// object is being deleted
|
||||
bytes = -Number.parseInt(objMD['content-length'], 10);
|
||||
}
|
||||
} else if (bytes && objMD?.['content-length'] && !bucket.isVersioningEnabled()) {
|
||||
// object is being replaced: store the diff, if the bucket is not versioned
|
||||
bytes = bytes - Number.parseInt(objMD['content-length'], 10);
|
||||
}
|
||||
return bytes || 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a metric is stale based on the provided parameters.
|
||||
*
|
||||
* @param {Object} metric - The metric object to check.
|
||||
* @param {string} resourceType - The type of the resource.
|
||||
* @param {string} resourceName - The name of the resource.
|
||||
* @param {string} action - The action being performed.
|
||||
* @param {number} inflight - The number of inflight requests.
|
||||
* @param {Object} log - The logger object.
|
||||
* @returns {boolean} Returns true if the metric is stale, false otherwise.
|
||||
*/
|
||||
function isMetricStale(metric, resourceType, resourceName, action, inflight, log) {
|
||||
if (metric.date && Date.now() - new Date(metric.date).getTime() >
|
||||
QuotaService.maxStaleness) {
|
||||
log.warn('Stale metrics from the quota service, allowing the request', {
|
||||
resourceType,
|
||||
resourceName,
|
||||
action,
|
||||
inflight,
|
||||
});
|
||||
monitoring.requestWithQuotaMetricsUnavailable.inc();
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Evaluates quotas for a bucket and an account and update inflight count.
|
||||
*
|
||||
* @param {number} bucketQuota - The quota limit for the bucket.
|
||||
* @param {number} accountQuota - The quota limit for the account.
|
||||
* @param {object} bucket - The bucket object.
|
||||
* @param {object} account - The account object.
|
||||
* @param {number} inflight - The number of inflight requests.
|
||||
* @param {number} inflightForCheck - The number of inflight requests for checking quotas.
|
||||
* @param {string} action - The action being performed.
|
||||
* @param {object} log - The logger object.
|
||||
* @param {function} callback - The callback function to be called when evaluation is complete.
|
||||
* @returns {object} - The result of the evaluation.
|
||||
*/
|
||||
function _evaluateQuotas(
|
||||
bucketQuota,
|
||||
accountQuota,
|
||||
bucket,
|
||||
account,
|
||||
inflight,
|
||||
inflightForCheck,
|
||||
action,
|
||||
log,
|
||||
callback,
|
||||
) {
|
||||
let bucketQuotaExceeded = false;
|
||||
let accountQuotaExceeded = false;
|
||||
const creationDate = new Date(bucket.getCreationDate()).getTime();
|
||||
return async.parallel({
|
||||
bucketQuota: parallelDone => {
|
||||
if (bucketQuota > 0) {
|
||||
return QuotaService.getUtilizationMetrics('bucket',
|
||||
`${bucket.getName()}_${creationDate}`, null, {
|
||||
action,
|
||||
inflight,
|
||||
}, (err, bucketMetrics) => {
|
||||
if (err || inflight < 0) {
|
||||
return parallelDone(err);
|
||||
}
|
||||
if (!isMetricStale(bucketMetrics, 'bucket', bucket.getName(), action, inflight, log) &&
|
||||
bucketMetrics.bytesTotal + inflightForCheck > bucketQuota) {
|
||||
log.debug('Bucket quota exceeded', {
|
||||
bucket: bucket.getName(),
|
||||
action,
|
||||
inflight,
|
||||
quota: bucketQuota,
|
||||
bytesTotal: bucketMetrics.bytesTotal,
|
||||
});
|
||||
bucketQuotaExceeded = true;
|
||||
}
|
||||
return parallelDone();
|
||||
});
|
||||
}
|
||||
return parallelDone();
|
||||
},
|
||||
accountQuota: parallelDone => {
|
||||
if (accountQuota > 0 && account?.account) {
|
||||
return QuotaService.getUtilizationMetrics('account',
|
||||
account.account, null, {
|
||||
action,
|
||||
inflight,
|
||||
}, (err, accountMetrics) => {
|
||||
if (err || inflight < 0) {
|
||||
return parallelDone(err);
|
||||
}
|
||||
if (!isMetricStale(accountMetrics, 'account', account.account, action, inflight, log) &&
|
||||
accountMetrics.bytesTotal + inflightForCheck > accountQuota) {
|
||||
log.debug('Account quota exceeded', {
|
||||
accountId: account.account,
|
||||
action,
|
||||
inflight,
|
||||
quota: accountQuota,
|
||||
bytesTotal: accountMetrics.bytesTotal,
|
||||
});
|
||||
accountQuotaExceeded = true;
|
||||
}
|
||||
return parallelDone();
|
||||
});
|
||||
}
|
||||
return parallelDone();
|
||||
},
|
||||
}, err => {
|
||||
if (err) {
|
||||
log.warn('Error evaluating quotas', {
|
||||
error: err.name,
|
||||
description: err.message,
|
||||
isInflightDeletion: inflight < 0,
|
||||
});
|
||||
}
|
||||
return callback(err, bucketQuotaExceeded, accountQuotaExceeded);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Monitors the duration of quota evaluation for a specific API method.
|
||||
*
|
||||
* @param {string} apiMethod - The name of the API method being monitored.
|
||||
* @param {string} type - The type of quota being evaluated.
|
||||
* @param {string} code - The code associated with the quota being evaluated.
|
||||
* @param {number} duration - The duration of the quota evaluation in nanoseconds.
|
||||
* @returns {undefined} - Returns nothing.
|
||||
*/
|
||||
function monitorQuotaEvaluationDuration(apiMethod, type, code, duration) {
|
||||
monitoring.quotaEvaluationDuration.labels({
|
||||
action: apiMethod,
|
||||
type,
|
||||
code,
|
||||
}).observe(duration / 1e9);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param {Request} request - request object
|
||||
* @param {BucketInfo} bucket - bucket object
|
||||
* @param {Account} account - account object
|
||||
* @param {array} apiNames - action names: operations to authorize
|
||||
* @param {string} apiMethod - the main API call
|
||||
* @param {number} inflight - inflight bytes
|
||||
* @param {boolean} isStorageReserved - Flag to check if the current quota, minus
|
||||
* the incoming bytes, are under the limit.
|
||||
* @param {Logger} log - logger
|
||||
* @param {function} callback - callback function
|
||||
* @returns {boolean} - true if the quota is valid, false otherwise
|
||||
*/
|
||||
function validateQuotas(request, bucket, account, apiNames, apiMethod, inflight, isStorageReserved, log, callback) {
|
||||
if (!config.isQuotaEnabled() || (!inflight && isStorageReserved)) {
|
||||
return callback(null);
|
||||
}
|
||||
let type;
|
||||
let bucketQuotaExceeded = false;
|
||||
let accountQuotaExceeded = false;
|
||||
let quotaEvaluationDuration;
|
||||
const requestStartTime = process.hrtime.bigint();
|
||||
const bucketQuota = bucket.getQuota();
|
||||
const accountQuota = account?.quota || 0;
|
||||
const shouldSendInflights = config.isQuotaInflightEnabled();
|
||||
|
||||
if (bucketQuota && accountQuota) {
|
||||
type = 'bucket+account';
|
||||
} else if (bucketQuota) {
|
||||
type = 'bucket';
|
||||
} else {
|
||||
type = 'account';
|
||||
}
|
||||
|
||||
if (actionWithDataDeletion[apiMethod]) {
|
||||
type = 'delete';
|
||||
}
|
||||
|
||||
if ((bucketQuota <= 0 && accountQuota <= 0) || !QuotaService?.enabled) {
|
||||
if (bucketQuota > 0 || accountQuota > 0) {
|
||||
log.warn('quota is set for a bucket, but the quota service is disabled', {
|
||||
bucketName: bucket.getName(),
|
||||
});
|
||||
monitoring.requestWithQuotaMetricsUnavailable.inc();
|
||||
}
|
||||
return callback(null);
|
||||
}
|
||||
|
||||
if (isStorageReserved) {
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
inflight = 0;
|
||||
}
|
||||
|
||||
return async.forEach(apiNames, (apiName, done) => {
|
||||
// Object copy operations first check the target object,
|
||||
// meaning the source object, containing the current bytes,
|
||||
// is checked second. This logic handles these APIs calls by
|
||||
// ensuring the bytes are positives (i.e., not an object
|
||||
// replacement).
|
||||
if (actionNeedQuotaCheckCopy(apiName, apiMethod)) {
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
inflight = Math.abs(inflight);
|
||||
} else if (!actionNeedQuotaCheck[apiName] && !actionWithDataDeletion[apiName]) {
|
||||
return done();
|
||||
}
|
||||
// When inflights are disabled, the sum of the current utilization metrics
|
||||
// and the current bytes are compared with the quota. The current bytes
|
||||
// are not sent to the utilization service. When inflights are enabled,
|
||||
// the sum of the current utilization metrics only are compared with the
|
||||
// quota. They include the current inflight bytes sent in the request.
|
||||
let _inflights = shouldSendInflights ? inflight : undefined;
|
||||
const inflightForCheck = shouldSendInflights ? 0 : inflight;
|
||||
return _evaluateQuotas(bucketQuota, accountQuota, bucket, account, _inflights,
|
||||
inflightForCheck, apiName, log,
|
||||
(err, _bucketQuotaExceeded, _accountQuotaExceeded) => {
|
||||
if (err) {
|
||||
return done(err);
|
||||
}
|
||||
|
||||
bucketQuotaExceeded = _bucketQuotaExceeded;
|
||||
accountQuotaExceeded = _accountQuotaExceeded;
|
||||
|
||||
// Inflights are inverted: in case of cleanup, we just re-issue
|
||||
// the same API call.
|
||||
if (_inflights) {
|
||||
_inflights = -_inflights;
|
||||
}
|
||||
|
||||
request.finalizerHooks.push((errorFromAPI, _done) => {
|
||||
const code = (bucketQuotaExceeded || accountQuotaExceeded) ? 429 : 200;
|
||||
const quotaCleanUpStartTime = process.hrtime.bigint();
|
||||
// Quotas are cleaned only in case of error in the API
|
||||
async.waterfall([
|
||||
cb => {
|
||||
if (errorFromAPI) {
|
||||
return _evaluateQuotas(bucketQuota, accountQuota, bucket, account, _inflights,
|
||||
null, apiName, log, cb);
|
||||
}
|
||||
return cb();
|
||||
},
|
||||
], () => {
|
||||
monitorQuotaEvaluationDuration(apiMethod, type, code, quotaEvaluationDuration +
|
||||
Number(process.hrtime.bigint() - quotaCleanUpStartTime));
|
||||
return _done();
|
||||
});
|
||||
});
|
||||
|
||||
return done();
|
||||
});
|
||||
}, err => {
|
||||
quotaEvaluationDuration = Number(process.hrtime.bigint() - requestStartTime);
|
||||
if (err) {
|
||||
log.warn('Error getting metrics from the quota service, allowing the request', {
|
||||
error: err.name,
|
||||
description: err.message,
|
||||
});
|
||||
}
|
||||
if (!actionWithDataDeletion[apiMethod] &&
|
||||
(bucketQuotaExceeded || accountQuotaExceeded)) {
|
||||
return callback(errors.QuotaExceeded);
|
||||
}
|
||||
return callback();
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
processBytesToWrite,
|
||||
isMetricStale,
|
||||
validateQuotas,
|
||||
};
|
|
@ -38,8 +38,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {
|
|||
}
|
||||
log.trace('found bucket in metadata');
|
||||
|
||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
||||
request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
requestType,
|
||||
method: 'bucketDeleteCors',
|
||||
|
|
|
@ -21,7 +21,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketDeleteEncryption',
|
||||
requestType: request.apiMethods || 'bucketDeleteEncryption',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketDeleteLifecycle',
|
||||
requestType: request.apiMethods || 'bucketDeleteLifecycle',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -16,7 +16,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketDeletePolicy',
|
||||
requestType: request.apiMethods || 'bucketDeletePolicy',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
const { waterfall } = require('async');
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
|
||||
const requestType = 'bucketDeleteQuota';
|
||||
|
||||
/**
|
||||
* Bucket Update Quota - Update bucket quota
|
||||
* @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
|
||||
* @param {object} request - http request object
|
||||
* @param {object} log - Werelogs logger
|
||||
* @param {function} callback - callback to server
|
||||
* @return {undefined}
|
||||
*/
|
||||
function bucketDeleteQuota(authInfo, request, log, callback) {
|
||||
log.debug('processing request', { method: 'bucketDeleteQuota' });
|
||||
|
||||
const { bucketName } = request;
|
||||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: request.apiMethods || requestType,
|
||||
request,
|
||||
};
|
||||
return waterfall([
|
||||
next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
|
||||
(err, bucket) => next(err, bucket)),
|
||||
(bucket, next) => {
|
||||
bucket.setQuota(0);
|
||||
metadata.updateBucket(bucket.getName(), bucket, log, err =>
|
||||
next(err, bucket));
|
||||
},
|
||||
], (err, bucket) => {
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
if (err) {
|
||||
log.debug('error processing request', {
|
||||
error: err,
|
||||
method: 'bucketDeleteQuota'
|
||||
});
|
||||
monitoring.promMetrics('DELETE', bucketName, err.code,
|
||||
'bucketDeleteQuota');
|
||||
return callback(err, err.code, corsHeaders);
|
||||
}
|
||||
monitoring.promMetrics(
|
||||
'DELETE', bucketName, '204', 'bucketDeleteQuota');
|
||||
pushMetric('bucketDeleteQuota', log, {
|
||||
authInfo,
|
||||
bucket: bucketName,
|
||||
});
|
||||
return callback(null, 204, corsHeaders);
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = bucketDeleteQuota;
|
|
@ -18,7 +18,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketDeleteReplication',
|
||||
requestType: request.apiMethods || 'bucketDeleteReplication',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -21,15 +21,19 @@ function bucketDeleteTagging(authInfo, request, log, callback) {
|
|||
authInfo,
|
||||
bucketName,
|
||||
requestType: request.apiMethods || 'bucketDeleteTagging',
|
||||
request,
|
||||
};
|
||||
|
||||
let bucket = null;
|
||||
return waterfall([
|
||||
next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
|
||||
(err, b) => {
|
||||
if (err) {
|
||||
return next(err);
|
||||
}
|
||||
bucket = b;
|
||||
bucket.setTags([]);
|
||||
return next(err);
|
||||
return next();
|
||||
}),
|
||||
next => metadata.updateBucket(bucket.getName(), bucket, log, next),
|
||||
], err => {
|
||||
|
|
|
@ -30,8 +30,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
|
|||
}
|
||||
log.trace('found bucket in metadata');
|
||||
|
||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
||||
request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
requestType,
|
||||
method: 'bucketDeleteWebsite',
|
||||
|
|
|
@ -322,7 +322,7 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGet',
|
||||
requestType: request.apiMethods || 'bucketGet',
|
||||
request,
|
||||
};
|
||||
const listParams = {
|
||||
|
|
|
@ -44,7 +44,7 @@ function bucketGetACL(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetACL',
|
||||
requestType: request.apiMethods || 'bucketGetACL',
|
||||
request,
|
||||
};
|
||||
const grantInfo = {
|
||||
|
|
|
@ -39,8 +39,8 @@ function bucketGetCors(authInfo, request, log, callback) {
|
|||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
|
||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
|
||||
request, request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
requestType,
|
||||
method: 'bucketGetCors',
|
||||
|
|
|
@ -22,7 +22,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetEncryption',
|
||||
requestType: request.apiMethods || 'bucketGetEncryption',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetLifecycle',
|
||||
requestType: request.apiMethods || 'bucketGetLifecycle',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -41,8 +41,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
|
|||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
|
||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
|
||||
request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for account on bucket', {
|
||||
requestType,
|
||||
method: 'bucketGetLocation',
|
||||
|
|
|
@ -37,7 +37,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetNotification',
|
||||
requestType: request.apiMethods || 'bucketGetNotification',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetObjectLock',
|
||||
requestType: request.apiMethods || 'bucketGetObjectLock',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -17,7 +17,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetPolicy',
|
||||
requestType: request.apiMethods || 'bucketGetPolicy',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
const { errors } = require('arsenal');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
|
||||
/**
|
||||
* bucketGetQuota - Get the bucket quota
|
||||
* @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
|
||||
* @param {object} request - http request object
|
||||
* @param {object} log - Werelogs logger
|
||||
* @param {function} callback - callback to server
|
||||
* @return {undefined}
|
||||
*/
|
||||
function bucketGetQuota(authInfo, request, log, callback) {
|
||||
log.debug('processing request', { method: 'bucketGetQuota' });
|
||||
const { bucketName, headers, method } = request;
|
||||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: request.apiMethods || 'bucketGetQuota',
|
||||
request,
|
||||
};
|
||||
const xml = [];
|
||||
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
|
||||
if (err) {
|
||||
log.debug('error processing request', {
|
||||
error: err,
|
||||
method: 'bucketGetQuota',
|
||||
});
|
||||
return callback(err, null, corsHeaders);
|
||||
}
|
||||
xml.push(
|
||||
'<?xml version="1.0" encoding="UTF-8"?>',
|
||||
'<GetBucketQuota>',
|
||||
'<Name>', bucket.getName(), '</Name>',
|
||||
);
|
||||
const bucketQuota = bucket.getQuota();
|
||||
if (!bucketQuota) {
|
||||
log.debug('bucket has no quota', {
|
||||
method: 'bucketGetQuota',
|
||||
});
|
||||
return callback(errors.NoSuchQuota, null,
|
||||
corsHeaders);
|
||||
}
|
||||
xml.push('<Quota>', bucketQuota, '</Quota>',
|
||||
'</GetBucketQuota>');
|
||||
|
||||
pushMetric('getBucketQuota', log, {
|
||||
authInfo,
|
||||
bucket: bucketName,
|
||||
});
|
||||
return callback(null, xml.join(''), corsHeaders);
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = bucketGetQuota;
|
|
@ -21,7 +21,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetReplication',
|
||||
requestType: request.apiMethods || 'bucketGetReplication',
|
||||
request,
|
||||
};
|
||||
return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -37,7 +37,7 @@ const escapeForXml = s3middleware.escapeForXml;
|
|||
function tagsToXml(tags) {
|
||||
const xml = [];
|
||||
|
||||
xml.push('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Tagging><TagSet>');
|
||||
xml.push('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Tagging> <TagSet>');
|
||||
|
||||
tags.forEach(tag => {
|
||||
xml.push('<Tag>');
|
||||
|
@ -46,7 +46,7 @@ function tagsToXml(tags) {
|
|||
xml.push('</Tag>');
|
||||
});
|
||||
|
||||
xml.push('</TagSet></Tagging>');
|
||||
xml.push('</TagSet> </Tagging>');
|
||||
|
||||
return xml.join('');
|
||||
}
|
||||
|
|
|
@ -54,7 +54,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketGetVersioning',
|
||||
requestType: request.apiMethods || 'bucketGetVersioning',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -39,8 +39,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
|
|||
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
|
||||
request, request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
requestType,
|
||||
method: 'bucketGetWebsite',
|
||||
|
|
|
@ -19,7 +19,7 @@ function bucketHead(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketHead',
|
||||
requestType: request.apiMethods || 'bucketHead',
|
||||
request,
|
||||
};
|
||||
standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
|
||||
|
|
|
@ -45,9 +45,8 @@ function checkLocationConstraint(request, locationConstraint, log) {
|
|||
} else if (parsedHost && restEndpoints[parsedHost]) {
|
||||
locationConstraintChecked = restEndpoints[parsedHost];
|
||||
} else {
|
||||
log.trace('no location constraint provided on bucket put;' +
|
||||
'setting us-east-1');
|
||||
locationConstraintChecked = 'us-east-1';
|
||||
locationConstraintChecked = Object.keys(locationConstrains)[0];
|
||||
log.trace('no location constraint provided on bucket put; setting '+locationConstraintChecked);
|
||||
}
|
||||
|
||||
if (!locationConstraints[locationConstraintChecked]) {
|
||||
|
|
|
@ -70,8 +70,8 @@ function bucketPutCors(authInfo, request, log, callback) {
|
|||
});
|
||||
},
|
||||
function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||
log, request, request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for account on bucket', {
|
||||
requestType,
|
||||
});
|
||||
|
|
|
@ -26,7 +26,7 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'bucketPutObjectLock',
|
||||
requestType: request.apiMethods || 'bucketPutObjectLock',
|
||||
request,
|
||||
};
|
||||
return waterfall([
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
const async = require('async');
|
||||
const { errors, models } = require('arsenal');
|
||||
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
|
||||
const { validatePolicyResource } =
|
||||
const { validatePolicyResource, validatePolicyConditions } =
|
||||
require('./apiUtils/authorization/permissionChecks');
|
||||
const { BucketPolicy } = models;
|
||||
|
||||
|
@ -17,9 +16,8 @@ const { BucketPolicy } = models;
|
|||
function _checkNotImplementedPolicy(policyString) {
|
||||
// bucket names and key names cannot include "", so including those
|
||||
// isolates not implemented keys
|
||||
return policyString.includes('"Condition"')
|
||||
|| policyString.includes('"Service"')
|
||||
|| policyString.includes('"Federated"');
|
||||
return policyString.includes('"Service"')
|
||||
|| policyString.includes('"Federated"');
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -67,7 +65,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
|
|||
return next(errors.MalformedPolicy.customizeDescription(
|
||||
'Policy has invalid resource'));
|
||||
}
|
||||
return next(null, bucketPolicy);
|
||||
return next(validatePolicyConditions(bucketPolicy), bucketPolicy);
|
||||
});
|
||||
},
|
||||
(bucketPolicy, next) => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
|
||||
|
|
|
@ -39,6 +39,7 @@ function bucketPutTagging(authInfo, request, log, callback) {
|
|||
authInfo,
|
||||
bucketName,
|
||||
requestType: request.apiMethods || 'bucketPutTagging',
|
||||
request,
|
||||
};
|
||||
let bucket = null;
|
||||
return waterfall([
|
||||
|
|
|
@ -49,8 +49,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
|
|||
});
|
||||
},
|
||||
function validateBucketAuthorization(bucket, config, next) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||
log, request, request.actionImplicitDenies)) {
|
||||
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID,
|
||||
authInfo, log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
requestType,
|
||||
method: 'bucketPutWebsite',
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
const { waterfall } = require('async');
|
||||
const { errors } = require('arsenal');
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
const { parseString } = require('xml2js');
|
||||
|
||||
function validateBucketQuotaProperty(requestBody, next) {
|
||||
const quota = requestBody.quota;
|
||||
const quotaValue = parseInt(quota, 10);
|
||||
if (Number.isNaN(quotaValue)) {
|
||||
return next(errors.InvalidArgument.customizeDescription('Quota Value should be a number'));
|
||||
}
|
||||
if (quotaValue <= 0) {
|
||||
return next(errors.InvalidArgument.customizeDescription('Quota value must be a positive number'));
|
||||
}
|
||||
return next(null, quotaValue);
|
||||
}
|
||||
|
||||
function parseRequestBody(requestBody, next) {
|
||||
try {
|
||||
const jsonData = JSON.parse(requestBody);
|
||||
if (typeof jsonData !== 'object') {
|
||||
throw new Error('Invalid JSON');
|
||||
}
|
||||
return next(null, jsonData);
|
||||
} catch (jsonError) {
|
||||
return parseString(requestBody, (xmlError, xmlData) => {
|
||||
if (xmlError) {
|
||||
return next(errors.InvalidArgument.customizeDescription('Request body must be a JSON object'));
|
||||
}
|
||||
return next(null, xmlData);
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
function bucketUpdateQuota(authInfo, request, log, callback) {
|
||||
log.debug('processing request', { method: 'bucketUpdateQuota' });
|
||||
|
||||
const { bucketName } = request;
|
||||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: request.apiMethods || 'bucketUpdateQuota',
|
||||
request,
|
||||
};
|
||||
let bucket = null;
|
||||
return waterfall([
|
||||
next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
|
||||
(err, b) => {
|
||||
bucket = b;
|
||||
return next(err, bucket);
|
||||
}),
|
||||
(bucket, next) => parseRequestBody(request.post, (err, requestBody) => next(err, bucket, requestBody)),
|
||||
(bucket, requestBody, next) => validateBucketQuotaProperty(requestBody, (err, quotaValue) =>
|
||||
next(err, bucket, quotaValue)),
|
||||
(bucket, quotaValue, next) => {
|
||||
bucket.setQuota(quotaValue);
|
||||
return metadata.updateBucket(bucket.getName(), bucket, log, next);
|
||||
},
|
||||
], (err, bucket) => {
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
if (err) {
|
||||
log.debug('error processing request', {
|
||||
error: err,
|
||||
method: 'bucketUpdateQuota'
|
||||
});
|
||||
monitoring.promMetrics('PUT', bucketName, err.code,
|
||||
'updateBucketQuota');
|
||||
return callback(err, err.code, corsHeaders);
|
||||
}
|
||||
monitoring.promMetrics(
|
||||
'PUT', bucketName, '200', 'updateBucketQuota');
|
||||
pushMetric('updateBucketQuota', log, {
|
||||
authInfo,
|
||||
bucket: bucketName,
|
||||
});
|
||||
return callback(null, corsHeaders);
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = bucketUpdateQuota;
|
|
@ -21,8 +21,6 @@ const { validateAndFilterMpuParts, generateMpuPartStorageInfo } =
|
|||
const locationKeysHaveChanged
|
||||
= require('./apiUtils/object/locationKeysHaveChanged');
|
||||
const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
|
||||
|
||||
const logger = require('../utilities/logger');
|
||||
const { validatePutVersionId } = require('./apiUtils/object/coldStorage');
|
||||
|
||||
const versionIdUtils = versioning.VersionID;
|
||||
|
@ -82,7 +80,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
|
|||
uploadId,
|
||||
// Note: permissions for completing a multipart upload are the
|
||||
// same as putting a part.
|
||||
requestType: 'putPart or complete',
|
||||
requestType: request.apiMethods || 'putPart or complete',
|
||||
log,
|
||||
request,
|
||||
};
|
||||
|
@ -133,8 +131,9 @@ function completeMultipartUpload(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
// Required permissions for this action
|
||||
// at the destinationBucket level are same as objectPut
|
||||
requestType: 'objectPut',
|
||||
requestType: request.apiMethods || 'completeMultipartUpload',
|
||||
versionId,
|
||||
request,
|
||||
};
|
||||
standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log, next);
|
||||
},
|
||||
|
@ -475,12 +474,9 @@ function completeMultipartUpload(authInfo, request, log, callback) {
|
|||
const newDataStoreName =
|
||||
Array.isArray(dataLocations) && dataLocations[0] ?
|
||||
dataLocations[0].dataStoreName : null;
|
||||
const delLog =
|
||||
logger.newRequestLoggerFromSerializedUids(log
|
||||
.getSerializedUids());
|
||||
return data.batchDelete(dataToDelete,
|
||||
request.method,
|
||||
newDataStoreName, delLog, err => {
|
||||
newDataStoreName, log, err => {
|
||||
if (err) {
|
||||
return next(err);
|
||||
}
|
||||
|
@ -503,10 +499,8 @@ function completeMultipartUpload(authInfo, request, log, callback) {
|
|||
function batchDeleteExtraParts(extraPartLocations, destinationBucket,
|
||||
aggregateETag, generatedVersionId, next) {
|
||||
if (extraPartLocations && extraPartLocations.length > 0) {
|
||||
const delLog = logger.newRequestLoggerFromSerializedUids(
|
||||
log.getSerializedUids());
|
||||
return data.batchDelete(extraPartLocations, request.method,
|
||||
null, delLog, err => {
|
||||
null, log, err => {
|
||||
if (err) {
|
||||
return next(err);
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@ const convertToXml = s3middleware.convertToXml;
|
|||
const { pushMetric } = require('../utapi/utilities');
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const { hasNonPrintables } = require('../utilities/stringChecks');
|
||||
const { config } = require('../Config');
|
||||
const { cleanUpBucket } = require('./apiUtils/bucket/bucketCreation');
|
||||
const constants = require('../../constants');
|
||||
const services = require('../services');
|
||||
|
@ -65,7 +66,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
|
|||
const websiteRedirectHeader =
|
||||
request.headers['x-amz-website-redirect-location'];
|
||||
if (request.headers['x-amz-storage-class'] &&
|
||||
!constants.validStorageClasses.includes(request.headers['x-amz-storage-class'])) {
|
||||
!config.locationConstraints[request.headers['x-amz-storage-class']]) {
|
||||
log.trace('invalid storage-class header');
|
||||
monitoring.promMetrics('PUT', bucketName,
|
||||
errors.InvalidStorageClass.code, 'initiateMultipartUpload');
|
||||
|
@ -105,7 +106,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
|
|||
authInfo,
|
||||
bucketName,
|
||||
// Required permissions for this action are same as objectPut
|
||||
requestType: 'objectPut',
|
||||
requestType: request.apiMethods || 'initiateMultipartUpload',
|
||||
request,
|
||||
};
|
||||
const accountCanonicalID = authInfo.getCanonicalID();
|
||||
|
|
|
@ -96,8 +96,8 @@ function listMultipartUploads(authInfo, request, log, callback) {
|
|||
// to list the multipart uploads so we have provided here that
|
||||
// the authorization to list multipart uploads is the same
|
||||
// as listing objects in a bucket.
|
||||
requestType: 'bucketGet',
|
||||
preciseRequestType: 'listMultipartUploads',
|
||||
requestType: request.apiMethods || 'bucketGet',
|
||||
preciseRequestType: request.apiMethods || 'listMultipartUploads',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -97,7 +97,7 @@ function listParts(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
uploadId,
|
||||
preciseRequestType: 'listParts',
|
||||
preciseRequestType: request.apiMethods || 'listParts',
|
||||
request,
|
||||
};
|
||||
// For validating the request at the destinationBucket level
|
||||
|
|
|
@ -71,7 +71,7 @@ function metadataSearch(authInfo, request, log, callback) {
|
|||
const metadataValParams = {
|
||||
authInfo,
|
||||
bucketName,
|
||||
requestType: 'metadataSearch',
|
||||
requestType: request.apiMethods || 'metadataSearch',
|
||||
request,
|
||||
};
|
||||
const listParams = {
|
||||
|
|
|
@ -23,13 +23,15 @@ const { isRequesterNonAccountUser } = require('./apiUtils/authorization/permissi
|
|||
const { hasGovernanceBypassHeader, checkUserGovernanceBypass, ObjectLockInfo }
|
||||
= require('./apiUtils/object/objectLockHelpers');
|
||||
const requestUtils = policies.requestUtils;
|
||||
const { data } = require('../data/wrapper');
|
||||
const logger = require('../utilities/logger');
|
||||
const { validObjectKeys } = require('../routes/routeVeeam');
|
||||
const { deleteVeeamCapabilities } = require('../routes/veeam/delete');
|
||||
const { _bucketRequiresOplogUpdate } = require('./apiUtils/object/deleteObject');
|
||||
const { overheadField } = require('../../constants');
|
||||
|
||||
const versionIdUtils = versioning.VersionID;
|
||||
|
||||
const { data } = require('../data/wrapper');
|
||||
const logger = require('../utilities/logger');
|
||||
const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
|
||||
|
||||
/*
|
||||
Format of xml request:
|
||||
|
@ -331,6 +333,9 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
|
|||
|
||||
return callback(null, objMD, versionId);
|
||||
},
|
||||
(objMD, versionId, callback) => validateQuotas(
|
||||
request, bucket, request.accountQuotas, ['objectDelete'], 'objectDelete',
|
||||
-objMD?.['content-length'] || 0, false, log, err => callback(err, objMD, versionId)),
|
||||
(objMD, versionId, callback) => {
|
||||
const options = preprocessingVersioningDelete(
|
||||
bucketName, bucket, objMD, versionId, config.nullVersionCompatMode);
|
||||
|
@ -346,7 +351,8 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
|
|||
options.replayId = objMD.uploadId;
|
||||
}
|
||||
return services.deleteObject(bucketName, objMD,
|
||||
entry.key, options, config.multiObjectDeleteEnableOptimizations, log, (err, toDelete) => {
|
||||
entry.key, options, config.multiObjectDeleteEnableOptimizations, log,
|
||||
's3:ObjectRemoved:Delete', (err, toDelete) => {
|
||||
if (err) {
|
||||
return callback(err);
|
||||
}
|
||||
|
@ -360,8 +366,9 @@ function getObjMetadataAndDelete(authInfo, canonicalID, request,
|
|||
// This call will create a delete-marker
|
||||
return createAndStoreObject(bucketName, bucket, entry.key,
|
||||
objMD, authInfo, canonicalID, null, request,
|
||||
deleteInfo.newDeleteMarker, null, overheadField, log, (err, result) =>
|
||||
callback(err, objMD, deleteInfo, result.versionId));
|
||||
deleteInfo.newDeleteMarker, null, overheadField, log,
|
||||
's3:ObjectRemoved:DeleteMarkerCreated', (err, result) =>
|
||||
callback(err, objMD, deleteInfo, result.versionId));
|
||||
},
|
||||
], (err, objMD, deleteInfo, versionId) => {
|
||||
if (err === skipError) {
|
||||
|
@ -475,6 +482,7 @@ function multiObjectDelete(authInfo, request, log, callback) {
|
|||
return callback(errors.BadDigest);
|
||||
}
|
||||
|
||||
const inPlayInternal = [];
|
||||
const bucketName = request.bucketName;
|
||||
const canonicalID = authInfo.getCanonicalID();
|
||||
|
||||
|
@ -500,8 +508,9 @@ function multiObjectDelete(authInfo, request, log, callback) {
|
|||
if (bucketShield(bucketMD, 'objectDelete')) {
|
||||
return next(errors.NoSuchBucket);
|
||||
}
|
||||
if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request,
|
||||
request.actionImplicitDenies)) {
|
||||
// The implicit deny flag is ignored in the DeleteObjects API, as authorization only
|
||||
// affects the objects.
|
||||
if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request)) {
|
||||
log.trace("access denied due to bucket acl's");
|
||||
// if access denied at the bucket level, no access for
|
||||
// any of the objects so all results will be error results
|
||||
|
@ -631,7 +640,11 @@ function multiObjectDelete(authInfo, request, log, callback) {
|
|||
request);
|
||||
|
||||
if (areAllActionsAllowed) {
|
||||
inPlay.push(entry);
|
||||
if (validObjectKeys.includes(entry.key)) {
|
||||
inPlayInternal.push(entry.key);
|
||||
} else {
|
||||
inPlay.push(entry);
|
||||
}
|
||||
} else {
|
||||
errorResults.push({
|
||||
entry,
|
||||
|
@ -642,6 +655,11 @@ function multiObjectDelete(authInfo, request, log, callback) {
|
|||
return next(null, quietSetting, errorResults, inPlay, bucketMD);
|
||||
});
|
||||
},
|
||||
function handleInternalFiles(quietSetting, errorResults, inPlay, bucketMD, next) {
|
||||
return async.each(inPlayInternal,
|
||||
(localInPlay, next) => deleteVeeamCapabilities(bucketName, localInPlay, bucketMD, log, next),
|
||||
err => next(err, quietSetting, errorResults, inPlay, bucketMD));
|
||||
},
|
||||
function getObjMetadataAndDeleteStep(quietSetting, errorResults, inPlay,
|
||||
bucket, next) {
|
||||
return getObjMetadataAndDelete(authInfo, canonicalID, request,
|
||||
|
|
|
@ -12,7 +12,6 @@ const { checkQueryVersionId, versioningPreprocessing }
|
|||
= require('./apiUtils/object/versioning');
|
||||
const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
|
||||
const { data } = require('../data/wrapper');
|
||||
const logger = require('../utilities/logger');
|
||||
const services = require('../services');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const removeAWSChunked = require('./apiUtils/object/removeAWSChunked');
|
||||
|
@ -24,6 +23,7 @@ const monitoring = require('../utilities/monitoringHandler');
|
|||
const applyZenkoUserMD = require('./apiUtils/object/applyZenkoUserMD');
|
||||
const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
|
||||
const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
|
||||
const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
|
||||
|
||||
const versionIdUtils = versioning.VersionID;
|
||||
const locationHeader = constants.objectLocationConstraintHeader;
|
||||
|
@ -220,6 +220,14 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
versionId: sourceVersionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: 'objectGet',
|
||||
/**
|
||||
* Authorization will first check the target object, with an objectPut
|
||||
* action. But in this context, the source object metadata is still
|
||||
* unknown. In the context of quotas, to know the number of bytes that
|
||||
* are being written, we explicitly enable the quota evaluation logic
|
||||
* during the objectGet action instead.
|
||||
*/
|
||||
checkQuota: true,
|
||||
request,
|
||||
};
|
||||
const valPutParams = {
|
||||
|
@ -227,6 +235,7 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
bucketName: destBucketName,
|
||||
objectKey: destObjectKey,
|
||||
requestType: 'objectPut',
|
||||
checkQuota: false,
|
||||
request,
|
||||
};
|
||||
const dataStoreContext = {
|
||||
|
@ -240,7 +249,7 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
const responseHeaders = {};
|
||||
|
||||
if (request.headers['x-amz-storage-class'] &&
|
||||
!constants.validStorageClasses.includes(request.headers['x-amz-storage-class'])) {
|
||||
!config.locationConstraints[request.headers['x-amz-storage-class']]) {
|
||||
log.trace('invalid storage-class header');
|
||||
monitoring.promMetrics('PUT', destBucketName,
|
||||
errors.InvalidStorageClass.code, 'copyObject');
|
||||
|
@ -278,7 +287,10 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
});
|
||||
},
|
||||
function checkSourceAuthorization(destBucketMD, destObjMD, next) {
|
||||
return standardMetadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
|
||||
return standardMetadataValidateBucketAndObj({
|
||||
...valGetParams,
|
||||
destObjMD,
|
||||
}, request.actionImplicitDenies, log,
|
||||
(err, sourceBucketMD, sourceObjMD) => {
|
||||
if (err) {
|
||||
log.debug('error validating get part of request',
|
||||
|
@ -291,6 +303,11 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
log.debug('no source object', { sourceObject });
|
||||
return next(err, null, destBucketMD);
|
||||
}
|
||||
// check if object data is in a cold storage
|
||||
const coldErr = verifyColdObjectAvailable(sourceObjMD);
|
||||
if (coldErr) {
|
||||
return next(coldErr, null);
|
||||
}
|
||||
if (sourceObjMD.isDeleteMarker) {
|
||||
log.debug('delete marker on source object',
|
||||
{ sourceObject });
|
||||
|
@ -527,10 +544,8 @@ function objectCopy(authInfo, request, sourceBucket,
|
|||
// the same as the destination
|
||||
if (!sourceIsDestination && dataToDelete) {
|
||||
const newDataStoreName = storeMetadataParams.dataStoreName;
|
||||
const delLog = logger.newRequestLoggerFromSerializedUids(
|
||||
log.getSerializedUids());
|
||||
return data.batchDelete(dataToDelete, request.method,
|
||||
newDataStoreName, delLog, err => {
|
||||
newDataStoreName, log, err => {
|
||||
if (err) {
|
||||
// if error, log the error and move on as it is not
|
||||
// relevant to the client as the client's
|
||||
|
|
|
@ -21,16 +21,17 @@ const objectLockedError = new Error('object locked');
|
|||
const { overheadField } = require('../../constants');
|
||||
|
||||
/**
|
||||
* objectDelete - DELETE an object from a bucket
|
||||
* objectDeleteInternal - DELETE an object from a bucket
|
||||
* @param {AuthInfo} authInfo - requester's infos
|
||||
* @param {object} request - request object given by router,
|
||||
* includes normalized headers
|
||||
* @param {Logger} log - werelogs request instance
|
||||
* @param {boolean} isExpiration - true if the call comes from LifecycleExpiration
|
||||
* @param {function} cb - final cb to call with the result and response headers
|
||||
* @return {undefined}
|
||||
*/
|
||||
function objectDelete(authInfo, request, log, cb) {
|
||||
log.debug('processing request', { method: 'objectDelete' });
|
||||
function objectDeleteInternal(authInfo, request, log, isExpiration, cb) {
|
||||
log.debug('processing request', { method: 'objectDeleteInternal' });
|
||||
if (authInfo.isRequesterPublicUser()) {
|
||||
log.debug('operation not available for public user');
|
||||
monitoring.promMetrics(
|
||||
|
@ -55,7 +56,7 @@ function objectDelete(authInfo, request, log, cb) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId: reqVersionId,
|
||||
requestType: 'objectDelete',
|
||||
requestType: request.apiMethods || 'objectDelete',
|
||||
request,
|
||||
};
|
||||
|
||||
|
@ -166,7 +167,10 @@ function objectDelete(authInfo, request, log, cb) {
|
|||
// source does not have versioning.
|
||||
return createAndStoreObject(bucketName, bucketMD, objectKey,
|
||||
objectMD, authInfo, canonicalID, null, request, true, null,
|
||||
log, err => {
|
||||
log, isExpiration ?
|
||||
's3:LifecycleExpiration:DeleteMarkerCreated' :
|
||||
's3:ObjectRemoved:DeleteMarkerCreated',
|
||||
err => {
|
||||
if (err) {
|
||||
return next(err);
|
||||
}
|
||||
|
@ -176,9 +180,11 @@ function objectDelete(authInfo, request, log, cb) {
|
|||
deleteInfo.removeDeleteMarker = true;
|
||||
}
|
||||
return services.deleteObject(bucketName, objectMD,
|
||||
objectKey, delOptions, log, (err, delResult) =>
|
||||
next(err, bucketMD, objectMD, delResult,
|
||||
deleteInfo));
|
||||
objectKey, delOptions, false, log, isExpiration ?
|
||||
's3:LifecycleExpiration:Delete' :
|
||||
's3:ObjectRemoved:Delete',
|
||||
(err, delResult) =>
|
||||
next(err, bucketMD, objectMD, delResult, deleteInfo));
|
||||
});
|
||||
}
|
||||
if (delOptions && delOptions.deleteData) {
|
||||
|
@ -199,14 +205,20 @@ function objectDelete(authInfo, request, log, cb) {
|
|||
}
|
||||
|
||||
return services.deleteObject(bucketName, objectMD, objectKey,
|
||||
delOptions, false, log, (err, delResult) => next(err, bucketMD,
|
||||
objectMD, delResult, deleteInfo));
|
||||
delOptions, false, log, isExpiration ?
|
||||
's3:LifecycleExpiration:Delete' :
|
||||
's3:ObjectRemoved:Delete',
|
||||
(err, delResult) => next(err, bucketMD,
|
||||
objectMD, delResult, deleteInfo));
|
||||
}
|
||||
// putting a new delete marker
|
||||
deleteInfo.newDeleteMarker = true;
|
||||
return createAndStoreObject(bucketName, bucketMD,
|
||||
objectKey, objectMD, authInfo, canonicalID, null, request,
|
||||
deleteInfo.newDeleteMarker, null, overheadField, log, (err, newDelMarkerRes) => {
|
||||
deleteInfo.newDeleteMarker, null, overheadField, log, isExpiration ?
|
||||
's3:LifecycleExpiration:DeleteMarkerCreated' :
|
||||
's3:ObjectRemoved:DeleteMarkerCreated',
|
||||
(err, newDelMarkerRes) => {
|
||||
next(err, bucketMD, objectMD, newDelMarkerRes, deleteInfo);
|
||||
});
|
||||
},
|
||||
|
@ -295,4 +307,21 @@ function objectDelete(authInfo, request, log, cb) {
|
|||
});
|
||||
}
|
||||
|
||||
module.exports = objectDelete;
|
||||
/**
|
||||
* This function is used to delete an object from a bucket. The bucket must
|
||||
* already exist and the user must have permission to delete the object.
|
||||
* @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
|
||||
* @param {object} request - http request object
|
||||
* @param {werelogs.Logger} log - Logger object
|
||||
* @param {function} cb - callback to server
|
||||
* @return {undefined}
|
||||
*/
|
||||
function objectDelete(authInfo, request, log, cb) {
|
||||
log.debug('processing request', { method: 'objectDelete' });
|
||||
return objectDeleteInternal(authInfo, request, log, false, cb);
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
objectDelete,
|
||||
objectDeleteInternal,
|
||||
};
|
||||
|
|
|
@ -44,7 +44,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
|
|||
objectKey,
|
||||
versionId: reqVersionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: 'objectDeleteTagging',
|
||||
requestType: request.apiMethods || 'objectDeleteTagging',
|
||||
request,
|
||||
};
|
||||
|
||||
|
@ -91,7 +91,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
|
|||
},
|
||||
(bucket, objectMD, next) =>
|
||||
// if external backends handles tagging
|
||||
data.objectTagging('Delete', objectKey, bucket, objectMD,
|
||||
data.objectTagging('Delete', objectKey, bucket.getName(), objectMD,
|
||||
log, err => next(err, bucket, objectMD)),
|
||||
], (err, bucket, objectMD) => {
|
||||
const additionalResHeaders = collectCorsHeaders(request.headers.origin,
|
||||
|
|
|
@ -21,6 +21,7 @@ const { locationConstraints } = config;
|
|||
const monitoring = require('../utilities/monitoringHandler');
|
||||
const { getPartCountFromMd5 } = require('./apiUtils/object/partInfo');
|
||||
const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
|
||||
const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
|
||||
|
||||
const validateHeaders = s3middleware.validateConditionalHeaders;
|
||||
|
||||
|
@ -65,7 +66,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
|
|||
objectKey,
|
||||
versionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: 'objectGet',
|
||||
requestType: request.apiMethods || 'objectGet',
|
||||
request,
|
||||
};
|
||||
|
||||
|
@ -89,16 +90,12 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
|
|||
return callback(err, null, corsHeaders);
|
||||
}
|
||||
const verCfg = bucket.getVersioningConfiguration();
|
||||
if (objMD.archive &&
|
||||
// Object is in cold backend
|
||||
(!objMD.archive.restoreRequestedAt ||
|
||||
// Object is being restored
|
||||
(objMD.archive.restoreRequestedAt &&
|
||||
!objMD.archive.restoreCompletedAt))) {
|
||||
const error = errors.InvalidObjectState;
|
||||
// check if object data is in a cold storage
|
||||
const coldErr = verifyColdObjectAvailable(objMD);
|
||||
if (coldErr) {
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, error.code, 'getObject');
|
||||
return callback(error, null, corsHeaders);
|
||||
'GET', bucketName, coldErr.code, 'getObject');
|
||||
return callback(coldErr, null, corsHeaders);
|
||||
}
|
||||
if (objMD.isDeleteMarker) {
|
||||
const responseMetaHeaders = Object.assign({},
|
||||
|
|
|
@ -61,7 +61,7 @@ function objectGetACL(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId,
|
||||
requestType: 'objectGetACL',
|
||||
requestType: request.apiMethods || 'objectGetACL',
|
||||
request,
|
||||
};
|
||||
const grantInfo = {
|
||||
|
|
|
@ -40,7 +40,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId,
|
||||
requestType: 'objectGetLegalHold',
|
||||
requestType: request.apiMethods || 'objectGetLegalHold',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ function objectGetRetention(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId: reqVersionId,
|
||||
requestType: 'objectGetRetention',
|
||||
requestType: request.apiMethods || 'objectGetRetention',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ function objectGetTagging(authInfo, request, log, callback) {
|
|||
bucketName,
|
||||
objectKey,
|
||||
versionId: reqVersionId,
|
||||
requestType: 'objectGetTagging',
|
||||
requestType: request.apiMethods || 'objectGetTagging',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@ function objectHead(authInfo, request, log, callback) {
|
|||
objectKey,
|
||||
versionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: 'objectHead',
|
||||
requestType: request.apiMethods || 'objectHead',
|
||||
request,
|
||||
};
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@ const { errors, versioning } = require('arsenal');
|
|||
|
||||
const constants = require('../../constants');
|
||||
const aclUtils = require('../utilities/aclUtils');
|
||||
const { config } = require('../Config');
|
||||
const { cleanUpBucket } = require('./apiUtils/bucket/bucketCreation');
|
||||
const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
|
@ -71,7 +72,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
|||
query,
|
||||
} = request;
|
||||
if (headers['x-amz-storage-class'] &&
|
||||
!constants.validStorageClasses.includes(headers['x-amz-storage-class'])) {
|
||||
!config.locationConstraints[headers['x-amz-storage-class']]) {
|
||||
log.trace('invalid storage-class header');
|
||||
monitoring.promMetrics('PUT', request.bucketName,
|
||||
errors.InvalidStorageClass.code, 'putObject');
|
||||
|
@ -98,7 +99,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
|||
'The encryption method specified is not supported');
|
||||
const requestType = request.apiMethods || 'objectPut';
|
||||
const valParams = { authInfo, bucketName, objectKey, versionId,
|
||||
requestType, request };
|
||||
requestType, request, withVersionId: isPutVersion };
|
||||
const canonicalID = authInfo.getCanonicalID();
|
||||
|
||||
if (hasNonPrintables(objectKey)) {
|
||||
|
@ -174,7 +175,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
|||
writeContinue(request, request._response);
|
||||
return createAndStoreObject(bucketName,
|
||||
bucket, objectKey, objMD, authInfo, canonicalID, cipherBundle,
|
||||
request, false, streamingV4Params, overheadField, log, next);
|
||||
request, false, streamingV4Params, overheadField, log, 's3:ObjectCreated:Put', next);
|
||||
},
|
||||
], (err, storingResult) => {
|
||||
if (err) {
|
||||
|
@ -242,6 +243,14 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
|||
monitoring.promMetrics('PUT', bucketName, '200',
|
||||
'putObject', newByteLength, oldByteLength, isVersionedObj,
|
||||
null, ingestSize);
|
||||
|
||||
if (isPutVersion) {
|
||||
const durationMs = Date.now() - new Date(objMD.archive.restoreRequestedAt);
|
||||
monitoring.lifecycleDuration.observe(
|
||||
{ type: 'restore', location: objMD.dataStoreName },
|
||||
durationMs / 1000);
|
||||
}
|
||||
|
||||
return callback(null, responseHeaders);
|
||||
});
|
||||
});
|
||||
|
|
|
@ -88,6 +88,7 @@ function objectPutACL(authInfo, request, log, cb) {
|
|||
versionId: reqVersionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: request.apiMethods || 'objectPutACL',
|
||||
request,
|
||||
};
|
||||
|
||||
const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
|
||||
|
|
|
@ -9,11 +9,12 @@ const locationConstraintCheck =
|
|||
require('./apiUtils/object/locationConstraintCheck');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const logger = require('../utilities/logger');
|
||||
const services = require('../services');
|
||||
const setUpCopyLocator = require('./apiUtils/object/setUpCopyLocator');
|
||||
const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
const { verifyColdObjectAvailable } = require('./apiUtils/object/coldStorage');
|
||||
const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
|
||||
|
||||
const versionIdUtils = versioning.VersionID;
|
||||
|
||||
|
@ -45,6 +46,14 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
versionId: reqVersionId,
|
||||
getDeleteMarker: true,
|
||||
requestType: 'objectGet',
|
||||
/**
|
||||
* Authorization will first check the target object, with an objectPut
|
||||
* action. But in this context, the source object metadata is still
|
||||
* unknown. In the context of quotas, to know the number of bytes that
|
||||
* are being written, we explicitly enable the quota evaluation logic
|
||||
* during the objectGet action instead.
|
||||
*/
|
||||
checkQuota: true,
|
||||
request,
|
||||
};
|
||||
|
||||
|
@ -67,7 +76,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
authInfo,
|
||||
bucketName: destBucketName,
|
||||
objectKey: destObjectKey,
|
||||
requestType: 'objectPut',
|
||||
requestType: 'objectPutPart',
|
||||
checkQuota: false,
|
||||
request,
|
||||
};
|
||||
|
||||
|
@ -88,6 +98,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
objectKey: destObjectKey,
|
||||
partNumber: paddedPartNumber,
|
||||
uploadId,
|
||||
enableQuota: true,
|
||||
};
|
||||
|
||||
return async.waterfall([
|
||||
|
@ -134,6 +145,11 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
sourceLocationConstraintName =
|
||||
sourceObjMD.location[0].dataStoreName;
|
||||
}
|
||||
// check if object data is in a cold storage
|
||||
const coldErr = verifyColdObjectAvailable(sourceObjMD);
|
||||
if (coldErr) {
|
||||
return next(coldErr, null);
|
||||
}
|
||||
if (sourceObjMD.isDeleteMarker) {
|
||||
log.debug('delete marker on source object',
|
||||
{ sourceObject });
|
||||
|
@ -176,9 +192,16 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
}
|
||||
return next(null, copyLocator.dataLocator, destBucketMD,
|
||||
copyLocator.copyObjectSize, sourceVerId,
|
||||
sourceLocationConstraintName);
|
||||
sourceLocationConstraintName, sourceObjMD);
|
||||
});
|
||||
},
|
||||
function _validateQuotas(dataLocator, destBucketMD,
|
||||
copyObjectSize, sourceVerId,
|
||||
sourceLocationConstraintName, sourceObjMD, next) {
|
||||
return validateQuotas(request, destBucketMD, request.accountQuotas, valPutParams.requestType,
|
||||
request.apiMethod, sourceObjMD?.['content-length'] || 0, false, log, err =>
|
||||
next(err, dataLocator, destBucketMD, copyObjectSize, sourceVerId, sourceLocationConstraintName));
|
||||
},
|
||||
// get MPU shadow bucket to get splitter based on MD version
|
||||
function getMpuShadowBucket(dataLocator, destBucketMD,
|
||||
copyObjectSize, sourceVerId,
|
||||
|
@ -376,10 +399,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
|||
// Clean up the old data now that new metadata (with new
|
||||
// data locations) has been stored
|
||||
if (oldLocationsToDelete) {
|
||||
const delLog = logger.newRequestLoggerFromSerializedUids(
|
||||
log.getSerializedUids());
|
||||
return data.batchDelete(oldLocationsToDelete, request.method, null,
|
||||
delLog, err => {
|
||||
log, err => {
|
||||
if (err) {
|
||||
// if error, log the error and move on as it is not
|
||||
// relevant to the client as the client's
|
||||
|
|
|
@ -11,7 +11,6 @@ const { isBucketAuthorized } =
|
|||
const kms = require('../kms/wrapper');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const logger = require('../utilities/logger');
|
||||
const services = require('../services');
|
||||
const locationConstraintCheck
|
||||
= require('./apiUtils/object/locationConstraintCheck');
|
||||
|
@ -22,6 +21,7 @@ const { BackendInfo } = models;
|
|||
const writeContinue = require('../utilities/writeContinue');
|
||||
const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryption');
|
||||
const validateChecksumHeaders = require('./apiUtils/object/validateChecksumHeaders');
|
||||
const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
|
||||
|
||||
const skipError = new Error('skip');
|
||||
|
||||
|
@ -61,6 +61,9 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
|||
log.debug('processing request', { method: 'objectPutPart' });
|
||||
const size = request.parsedContentLength;
|
||||
|
||||
const putVersionId = request.headers['x-scal-s3-version-id'];
|
||||
const isPutVersion = putVersionId || putVersionId === '';
|
||||
|
||||
if (Number.parseInt(size, 10) > constants.maximumAllowedPartSize) {
|
||||
log.debug('put part size too large', { size });
|
||||
monitoring.promMetrics('PUT', request.bucketName, 400,
|
||||
|
@ -104,6 +107,9 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
|||
const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
|
||||
const { objectKey } = request;
|
||||
const originalIdentityAuthzResults = request.actionImplicitDenies;
|
||||
// For validating the request at the destinationBucket level the
|
||||
// `requestType` is the general 'objectPut'.
|
||||
const requestType = request.apiMethods || 'objectPutPart';
|
||||
|
||||
return async.waterfall([
|
||||
// Get the destination bucket.
|
||||
|
@ -123,16 +129,15 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
|||
}),
|
||||
// Check the bucket authorization.
|
||||
(destinationBucket, next) => {
|
||||
// For validating the request at the destinationBucket level the
|
||||
// `requestType` is the general 'objectPut'.
|
||||
const requestType = 'objectPut';
|
||||
if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||
if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo,
|
||||
log, request, request.actionImplicitDenies)) {
|
||||
log.debug('access denied for user on bucket', { requestType });
|
||||
return next(errors.AccessDenied, destinationBucket);
|
||||
}
|
||||
return next(null, destinationBucket);
|
||||
},
|
||||
(destinationBucket, next) => validateQuotas(request, destinationBucket, request.accountQuotas,
|
||||
requestType, request.apiMethod, size, isPutVersion, log, err => next(err, destinationBucket)),
|
||||
// Get bucket server-side encryption, if it exists.
|
||||
(destinationBucket, next) => getObjectSSEConfiguration(
|
||||
request.headers, destinationBucket, log,
|
||||
|
@ -380,10 +385,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
|||
prevObjectSize, next) => {
|
||||
if (oldLocationsToDelete) {
|
||||
log.trace('overwriting mpu part, deleting data');
|
||||
const delLog = logger.newRequestLoggerFromSerializedUids(
|
||||
log.getSerializedUids());
|
||||
return data.batchDelete(oldLocationsToDelete, request.method,
|
||||
objectLocationConstraint, delLog, err => {
|
||||
objectLocationConstraint, log, err => {
|
||||
if (err) {
|
||||
// if error, log the error and move on as it is not
|
||||
// relevant to the client as the client's
|
||||
|
|
|
@ -50,41 +50,49 @@ function objectPutRetention(authInfo, request, log, callback) {
|
|||
};
|
||||
|
||||
return async.waterfall([
|
||||
next => standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
|
||||
(err, bucket, objectMD) => {
|
||||
if (err) {
|
||||
log.trace('request authorization failed',
|
||||
{ method: 'objectPutRetention', error: err });
|
||||
return next(err);
|
||||
}
|
||||
if (!objectMD) {
|
||||
const err = reqVersionId ? errors.NoSuchVersion :
|
||||
errors.NoSuchKey;
|
||||
log.trace('error no object metadata found',
|
||||
{ method: 'objectPutRetention', error: err });
|
||||
return next(err, bucket);
|
||||
}
|
||||
if (objectMD.isDeleteMarker) {
|
||||
log.trace('version is a delete marker',
|
||||
{ method: 'objectPutRetention' });
|
||||
// FIXME we should return a `x-amz-delete-marker: true` header,
|
||||
// see S3C-7592
|
||||
return next(errors.MethodNotAllowed, bucket);
|
||||
}
|
||||
if (!bucket.isObjectLockEnabled()) {
|
||||
log.trace('object lock not enabled on bucket',
|
||||
{ method: 'objectPutRetention' });
|
||||
return next(errors.InvalidRequest.customizeDescription(
|
||||
'Bucket is missing Object Lock Configuration'
|
||||
), bucket);
|
||||
}
|
||||
return next(null, bucket, objectMD);
|
||||
}),
|
||||
(bucket, objectMD, next) => {
|
||||
next => {
|
||||
log.trace('parsing retention information');
|
||||
parseRetentionXml(request.post, log,
|
||||
(err, retentionInfo) => next(err, bucket, retentionInfo, objectMD));
|
||||
(err, retentionInfo) => {
|
||||
if (err) {
|
||||
log.trace('error parsing retention information',
|
||||
{ error: err });
|
||||
return next(err);
|
||||
}
|
||||
const remainingDays = Math.ceil(
|
||||
(new Date(retentionInfo.date) - Date.now()) / (1000 * 3600 * 24));
|
||||
metadataValParams.request.objectLockRetentionDays = remainingDays;
|
||||
return next(null, retentionInfo);
|
||||
});
|
||||
},
|
||||
(retentionInfo, next) => standardMetadataValidateBucketAndObj(metadataValParams,
|
||||
request.actionImplicitDenies, log, (err, bucket, objectMD) => {
|
||||
if (err) {
|
||||
log.trace('request authorization failed',
|
||||
{ method: 'objectPutRetention', error: err });
|
||||
return next(err);
|
||||
}
|
||||
if (!objectMD) {
|
||||
const err = reqVersionId ? errors.NoSuchVersion :
|
||||
errors.NoSuchKey;
|
||||
log.trace('error no object metadata found',
|
||||
{ method: 'objectPutRetention', error: err });
|
||||
return next(err, bucket);
|
||||
}
|
||||
if (objectMD.isDeleteMarker) {
|
||||
log.trace('version is a delete marker',
|
||||
{ method: 'objectPutRetention' });
|
||||
return next(errors.MethodNotAllowed, bucket);
|
||||
}
|
||||
if (!bucket.isObjectLockEnabled()) {
|
||||
log.trace('object lock not enabled on bucket',
|
||||
{ method: 'objectPutRetention' });
|
||||
return next(errors.InvalidRequest.customizeDescription(
|
||||
'Bucket is missing Object Lock Configuration'
|
||||
), bucket);
|
||||
}
|
||||
return next(null, bucket, retentionInfo, objectMD);
|
||||
}),
|
||||
(bucket, retentionInfo, objectMD, next) => {
|
||||
const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
|
||||
if (hasGovernanceBypass && isRequesterNonAccountUser(authInfo)) {
|
||||
|
|
|
@ -96,7 +96,7 @@ function objectPutTagging(authInfo, request, log, callback) {
|
|||
},
|
||||
(bucket, objectMD, next) =>
|
||||
// if external backend handles tagging
|
||||
data.objectTagging('Put', objectKey, bucket, objectMD,
|
||||
data.objectTagging('Put', objectKey, bucket.getName(), objectMD,
|
||||
log, err => next(err, bucket, objectMD)),
|
||||
], (err, bucket, objectMD) => {
|
||||
const additionalResHeaders = collectCorsHeaders(request.headers.origin,
|
||||
|
|
|
@ -0,0 +1,313 @@
|
|||
const { errors, s3middleware } = require('arsenal');
|
||||
const validateHeaders = s3middleware.validateConditionalHeaders;
|
||||
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const constants = require('../../constants');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const bucketShield = require('./apiUtils/bucket/bucketShield');
|
||||
const { appendWebsiteIndexDocument, findRoutingRule, extractRedirectInfo } =
|
||||
require('./apiUtils/object/websiteServing');
|
||||
const { isObjAuthorized, isBucketAuthorized } =
|
||||
require('./apiUtils/authorization/permissionChecks');
|
||||
const collectResponseHeaders = require('../utilities/collectResponseHeaders');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
|
||||
/**
|
||||
* _errorActions - take a number of actions once have error getting obj
|
||||
* @param {object} err - arsenal errors object
|
||||
* @param {string} errorDocument - key to get error document
|
||||
* @param {object []} routingRules - array of routingRule objects
|
||||
* @param {object} bucket - bucket metadata
|
||||
* @param {string} objectKey - object key from request (or as translated in
|
||||
* website)
|
||||
* @param {object} corsHeaders - CORS-related response headers
|
||||
* @param {object} request - normalized request object
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function _errorActions(err, errorDocument, routingRules,
|
||||
bucket, objectKey, corsHeaders, request, log, callback) {
|
||||
const bucketName = bucket.getName();
|
||||
const errRoutingRule = findRoutingRule(routingRules,
|
||||
objectKey, err.code);
|
||||
if (errRoutingRule) {
|
||||
// route will redirect
|
||||
const action = request.method === 'HEAD' ? 'headObject' : 'getObject';
|
||||
monitoring.promMetrics(
|
||||
request.method, bucketName, err.code, action);
|
||||
return callback(err, false, null, corsHeaders, errRoutingRule,
|
||||
objectKey);
|
||||
}
|
||||
if (request.method === 'HEAD') {
|
||||
monitoring.promMetrics(
|
||||
'HEAD', bucketName, err.code, 'headObject');
|
||||
return callback(err, false, null, corsHeaders);
|
||||
}
|
||||
if (errorDocument) {
|
||||
return metadata.getObjectMD(bucketName, errorDocument, {}, log,
|
||||
(errObjErr, errObjMD) => {
|
||||
if (errObjErr) {
|
||||
// error retrieving error document so return original error
|
||||
// and set boolean of error retrieving user's error document
|
||||
// to true
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, true, null, corsHeaders);
|
||||
}
|
||||
// return the default error message if the object is private
|
||||
// rather than sending a stored error file
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
request.objectKey = errorDocument;
|
||||
if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies, true)) {
|
||||
log.trace('errorObj not authorized', { error: err });
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, true, null, corsHeaders);
|
||||
}
|
||||
const dataLocator = errObjMD.location;
|
||||
if (errObjMD['x-amz-server-side-encryption']) {
|
||||
for (let i = 0; i < dataLocator.length; i++) {
|
||||
dataLocator[i].masterKeyId =
|
||||
errObjMD['x-amz-server-side-encryption-aws-' +
|
||||
'kms-key-id'];
|
||||
dataLocator[i].algorithm =
|
||||
errObjMD['x-amz-server-side-encryption'];
|
||||
}
|
||||
}
|
||||
|
||||
if (errObjMD['x-amz-website-redirect-location']) {
|
||||
const redirectLocation =
|
||||
errObjMD['x-amz-website-redirect-location'];
|
||||
const redirectInfo = { withError: true,
|
||||
location: redirectLocation };
|
||||
log.trace('redirecting to x-amz-website-redirect-location',
|
||||
{ location: redirectLocation });
|
||||
return callback(err, false, dataLocator, corsHeaders,
|
||||
redirectInfo, '');
|
||||
}
|
||||
|
||||
const responseMetaHeaders = collectResponseHeaders(errObjMD,
|
||||
corsHeaders);
|
||||
pushMetric('getObject', log, {
|
||||
bucket: bucketName,
|
||||
newByteLength: responseMetaHeaders['Content-Length'],
|
||||
});
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false, dataLocator, responseMetaHeaders);
|
||||
});
|
||||
}
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false, null, corsHeaders);
|
||||
}
|
||||
|
||||
function capitalize(str) {
|
||||
if (!str || typeof str !== 'string') {
|
||||
return str;
|
||||
}
|
||||
return str.charAt(0).toUpperCase() + str.slice(1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Callbacks have different signature for GET and HEAD
|
||||
* The website function uses GET callback signature
|
||||
* This encapsulate HEAD callback to match GET signature
|
||||
* @param {function} callback - HEAD callback
|
||||
* @returns {function} HEAD callback with GET signature
|
||||
*/
|
||||
function callbackGetToHead(callback) {
|
||||
return (err, userErrorPageFailure, dataGetInfo,
|
||||
resMetaHeaders, redirectInfo, key) =>
|
||||
callback(err, resMetaHeaders, redirectInfo, key);
|
||||
}
|
||||
|
||||
/**
|
||||
* Website - Common website function for GET and HEAD
|
||||
* Gets metadata and object for website or redirects
|
||||
* @param {object} request - normalized request object
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function website(request, log, callback) {
|
||||
if (request.method === 'HEAD') {
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
callback = callbackGetToHead(callback);
|
||||
}
|
||||
const methodCapitalized = capitalize(request.method);
|
||||
const action = request.method === 'HEAD' ? 'headObject' : 'getObject';
|
||||
log.debug('processing request', { method: `website${methodCapitalized}` });
|
||||
const bucketName = request.bucketName;
|
||||
const reqObjectKey = request.objectKey ? request.objectKey : '';
|
||||
|
||||
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
||||
if (err) {
|
||||
log.trace('error retrieving bucket metadata', { error: err });
|
||||
monitoring.promMetrics(
|
||||
request.method, bucketName, err.code, action);
|
||||
return callback(err, false);
|
||||
}
|
||||
if (bucketShield(bucket, `object${methodCapitalized}`)) {
|
||||
log.trace('bucket in transient/deleted state so shielding');
|
||||
monitoring.promMetrics(
|
||||
request.method, bucketName, 404, action);
|
||||
return callback(errors.NoSuchBucket, false);
|
||||
}
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
// bucket ACL's do not matter for website head since it is always the
|
||||
// head of an object. object ACL's are what matter
|
||||
const websiteConfig = bucket.getWebsiteConfiguration();
|
||||
if (!websiteConfig) {
|
||||
monitoring.promMetrics(
|
||||
request.method, bucketName, 404, action);
|
||||
return callback(errors.NoSuchWebsiteConfiguration, false, null,
|
||||
corsHeaders);
|
||||
}
|
||||
// any errors above would be our own created generic error html
|
||||
// if have a website config, error going forward would be user's
|
||||
// redirect or error page if they set either in the config
|
||||
|
||||
// handle redirect all
|
||||
if (websiteConfig.getRedirectAllRequestsTo()) {
|
||||
return callback(null, false, null, corsHeaders,
|
||||
websiteConfig.getRedirectAllRequestsTo(), reqObjectKey);
|
||||
}
|
||||
|
||||
// check whether need to redirect based on key
|
||||
const routingRules = websiteConfig.getRoutingRules();
|
||||
const keyRoutingRule = findRoutingRule(routingRules, reqObjectKey);
|
||||
|
||||
if (keyRoutingRule) {
|
||||
// TODO: optimize by not rerouting if only routing
|
||||
// rule is to change out key
|
||||
return callback(null, false, null, corsHeaders,
|
||||
keyRoutingRule, reqObjectKey);
|
||||
}
|
||||
|
||||
appendWebsiteIndexDocument(request, websiteConfig.getIndexDocument());
|
||||
|
||||
/**
|
||||
* Recursive function with 1 recursive call to look for index
|
||||
* in case of error for potential redirect to folder notation
|
||||
* if there is not already an index appended
|
||||
* @param {Error} [originalError] - presence of this argument
|
||||
* differentiates original user request from recursive call to /index.
|
||||
* This error is returned if /index is not found
|
||||
* @returns {undefined}
|
||||
*/
|
||||
function runWebsite(originalError) {
|
||||
// get object metadata and check authorization and header
|
||||
// validation
|
||||
return metadata.getObjectMD(bucketName, request.objectKey, {}, log,
|
||||
(err, objMD) => {
|
||||
// Note: In case of error, we intentionally send the original
|
||||
// object key to _errorActions as in case of a redirect, we do
|
||||
// not want to append index key to redirect location
|
||||
if (err) {
|
||||
log.trace('error retrieving object metadata',
|
||||
{ error: err });
|
||||
let returnErr = err;
|
||||
const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies, true);
|
||||
// if index object does not exist and bucket is private AWS
|
||||
// returns 403 - AccessDenied error.
|
||||
if (err.is.NoSuchKey && !bucketAuthorized) {
|
||||
returnErr = errors.AccessDenied;
|
||||
}
|
||||
|
||||
// Check if key is a folder containing index for redirect 302
|
||||
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/IndexDocumentSupport.html
|
||||
if (!originalError && reqObjectKey && !reqObjectKey.endsWith('/')) {
|
||||
appendWebsiteIndexDocument(request, websiteConfig.getIndexDocument(), true);
|
||||
// propagate returnErr as originalError to be used if index is not found
|
||||
return runWebsite(returnErr);
|
||||
}
|
||||
|
||||
return _errorActions(originalError || returnErr,
|
||||
websiteConfig.getErrorDocument(), routingRules,
|
||||
bucket, reqObjectKey, corsHeaders, request, log,
|
||||
callback);
|
||||
}
|
||||
if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies, true)) {
|
||||
const err = errors.AccessDenied;
|
||||
log.trace('request not authorized', { error: err });
|
||||
return _errorActions(err, websiteConfig.getErrorDocument(),
|
||||
routingRules, bucket,
|
||||
reqObjectKey, corsHeaders, request, log, callback);
|
||||
}
|
||||
|
||||
// access granted to index document, needs a redirect 302
|
||||
// to the original key with trailing /
|
||||
if (originalError) {
|
||||
const redirectInfo = { withError: true,
|
||||
location: `/${reqObjectKey}/` };
|
||||
return callback(errors.Found, false, null, corsHeaders,
|
||||
redirectInfo, '');
|
||||
}
|
||||
|
||||
const headerValResult = validateHeaders(request.headers,
|
||||
objMD['last-modified'], objMD['content-md5']);
|
||||
if (headerValResult.error) {
|
||||
const err = headerValResult.error;
|
||||
log.trace('header validation error', { error: err });
|
||||
return _errorActions(err, websiteConfig.getErrorDocument(),
|
||||
routingRules, bucket, reqObjectKey,
|
||||
corsHeaders, request, log, callback);
|
||||
}
|
||||
// check if object to serve has website redirect header
|
||||
// Note: AWS prioritizes website configuration rules over
|
||||
// object key's website redirect header, so we make the
|
||||
// check at the end.
|
||||
if (objMD['x-amz-website-redirect-location']) {
|
||||
const redirectLocation =
|
||||
objMD['x-amz-website-redirect-location'];
|
||||
const redirectInfo =
|
||||
extractRedirectInfo(redirectLocation);
|
||||
log.trace('redirecting to x-amz-website-redirect-location',
|
||||
{ location: redirectLocation });
|
||||
return callback(null, false, null, corsHeaders,
|
||||
redirectInfo, '');
|
||||
}
|
||||
// got obj metadata, authorized and headers validated,
|
||||
// good to go
|
||||
const responseMetaHeaders = collectResponseHeaders(objMD,
|
||||
corsHeaders);
|
||||
|
||||
if (request.method === 'HEAD') {
|
||||
pushMetric('headObject', log, { bucket: bucketName });
|
||||
monitoring.promMetrics('HEAD',
|
||||
bucketName, '200', 'headObject');
|
||||
return callback(null, false, null, responseMetaHeaders);
|
||||
}
|
||||
|
||||
const dataLocator = objMD.location;
|
||||
if (objMD['x-amz-server-side-encryption']) {
|
||||
for (let i = 0; i < dataLocator.length; i++) {
|
||||
dataLocator[i].masterKeyId =
|
||||
objMD['x-amz-server-side-encryption-aws-' +
|
||||
'kms-key-id'];
|
||||
dataLocator[i].algorithm =
|
||||
objMD['x-amz-server-side-encryption'];
|
||||
}
|
||||
}
|
||||
pushMetric('getObject', log, {
|
||||
bucket: bucketName,
|
||||
newByteLength: responseMetaHeaders['Content-Length'],
|
||||
});
|
||||
monitoring.promMetrics('GET', bucketName, '200',
|
||||
'getObject', responseMetaHeaders['Content-Length']);
|
||||
return callback(null, false, dataLocator, responseMetaHeaders);
|
||||
});
|
||||
}
|
||||
|
||||
return runWebsite();
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = website;
|
|
@ -1,235 +0,0 @@
|
|||
const { errors, s3middleware } = require('arsenal');
|
||||
const validateHeaders = s3middleware.validateConditionalHeaders;
|
||||
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const constants = require('../../constants');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const bucketShield = require('./apiUtils/bucket/bucketShield');
|
||||
const { findRoutingRule, extractRedirectInfo } =
|
||||
require('./apiUtils/object/websiteServing');
|
||||
const { isObjAuthorized, isBucketAuthorized } =
|
||||
require('./apiUtils/authorization/permissionChecks');
|
||||
const collectResponseHeaders = require('../utilities/collectResponseHeaders');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
|
||||
/**
|
||||
* _errorActions - take a number of actions once have error getting obj
|
||||
* @param {object} err - arsenal errors object
|
||||
* @param {string} errorDocument - key to get error document
|
||||
* @param {object []} routingRules - array of routingRule objects
|
||||
* @param {object} bucket - bucket metadata
|
||||
* @param {string} objectKey - object key from request (or as translated in
|
||||
* websiteGet)
|
||||
* @param {object} corsHeaders - CORS-related response headers
|
||||
* @param {object} request - normalized request object
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function _errorActions(err, errorDocument, routingRules,
|
||||
bucket, objectKey, corsHeaders, request, log, callback) {
|
||||
const bucketName = bucket.getName();
|
||||
const errRoutingRule = findRoutingRule(routingRules,
|
||||
objectKey, err.code);
|
||||
if (errRoutingRule) {
|
||||
// route will redirect
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false, null, corsHeaders, errRoutingRule,
|
||||
objectKey);
|
||||
}
|
||||
if (errorDocument) {
|
||||
return metadata.getObjectMD(bucketName, errorDocument, {}, log,
|
||||
(errObjErr, errObjMD) => {
|
||||
if (errObjErr) {
|
||||
// error retrieving error document so return original error
|
||||
// and set boolean of error retrieving user's error document
|
||||
// to true
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, true, null, corsHeaders);
|
||||
}
|
||||
// return the default error message if the object is private
|
||||
// rather than sending a stored error file
|
||||
if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
|
||||
constants.publicId, null, log, null, request.actionImplicitDenies)) {
|
||||
log.trace('errorObj not authorized', { error: err });
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, true, null, corsHeaders);
|
||||
}
|
||||
const dataLocator = errObjMD.location;
|
||||
if (errObjMD['x-amz-server-side-encryption']) {
|
||||
for (let i = 0; i < dataLocator.length; i++) {
|
||||
dataLocator[i].masterKeyId =
|
||||
errObjMD['x-amz-server-side-encryption-aws-' +
|
||||
'kms-key-id'];
|
||||
dataLocator[i].algorithm =
|
||||
errObjMD['x-amz-server-side-encryption'];
|
||||
}
|
||||
}
|
||||
const responseMetaHeaders = collectResponseHeaders(errObjMD,
|
||||
corsHeaders);
|
||||
pushMetric('getObject', log, {
|
||||
bucket: bucketName,
|
||||
newByteLength: responseMetaHeaders['Content-Length'],
|
||||
});
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false, dataLocator, responseMetaHeaders);
|
||||
});
|
||||
}
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false, null, corsHeaders);
|
||||
}
|
||||
|
||||
/**
|
||||
* GET Website - Gets object for website or redirects
|
||||
* @param {object} request - normalized request object
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function websiteGet(request, log, callback) {
|
||||
log.debug('processing request', { method: 'websiteGet' });
|
||||
const bucketName = request.bucketName;
|
||||
const reqObjectKey = request.objectKey ? request.objectKey : '';
|
||||
let objectKey = reqObjectKey;
|
||||
|
||||
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
||||
if (err) {
|
||||
log.trace('error retrieving bucket metadata', { error: err });
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
return callback(err, false);
|
||||
}
|
||||
if (bucketShield(bucket, 'objectGet')) {
|
||||
log.trace('bucket in transient/deleted state so shielding');
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, 404, 'getObject');
|
||||
return callback(errors.NoSuchBucket, false);
|
||||
}
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
const websiteConfig = bucket.getWebsiteConfiguration();
|
||||
if (!websiteConfig) {
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, 404, 'getObject');
|
||||
return callback(errors.NoSuchWebsiteConfiguration, false, null,
|
||||
corsHeaders);
|
||||
}
|
||||
// any errors above would be our own created generic error html
|
||||
// if have a website config, error going forward would be user's
|
||||
// redirect or error page if they set either in the config
|
||||
|
||||
// handle redirect all
|
||||
if (websiteConfig.getRedirectAllRequestsTo()) {
|
||||
return callback(null, false, null, corsHeaders,
|
||||
websiteConfig.getRedirectAllRequestsTo(), objectKey);
|
||||
}
|
||||
|
||||
// check whether need to redirect based on key
|
||||
const routingRules = websiteConfig.getRoutingRules();
|
||||
const keyRoutingRule = findRoutingRule(routingRules, objectKey);
|
||||
|
||||
if (keyRoutingRule) {
|
||||
// TODO: optimize by not rerouting if only routing
|
||||
// rule is to change out key
|
||||
return callback(null, false, null, corsHeaders,
|
||||
keyRoutingRule, objectKey);
|
||||
}
|
||||
|
||||
// find index document if "directory" sent in request
|
||||
if (reqObjectKey.endsWith('/')) {
|
||||
objectKey += websiteConfig.getIndexDocument();
|
||||
}
|
||||
// find index document if no key provided
|
||||
if (reqObjectKey === '') {
|
||||
objectKey = websiteConfig.getIndexDocument();
|
||||
}
|
||||
|
||||
// get object metadata and check authorization and header
|
||||
// validation
|
||||
return metadata.getObjectMD(bucketName, objectKey, {}, log,
|
||||
(err, objMD) => {
|
||||
// Note: In case of error, we intentionally send the original
|
||||
// object key to _errorActions as in case of a redirect, we do
|
||||
// not want to append index key to redirect location
|
||||
if (err) {
|
||||
log.trace('error retrieving object metadata',
|
||||
{ error: err });
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'getObject');
|
||||
let returnErr = err;
|
||||
const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies);
|
||||
// if index object does not exist and bucket is private AWS
|
||||
// returns 403 - AccessDenied error.
|
||||
if (err.is.NoSuchKey && !bucketAuthorized) {
|
||||
returnErr = errors.AccessDenied;
|
||||
}
|
||||
return _errorActions(returnErr,
|
||||
websiteConfig.getErrorDocument(), routingRules,
|
||||
bucket, reqObjectKey, corsHeaders, request, log,
|
||||
callback);
|
||||
}
|
||||
if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies)) {
|
||||
const err = errors.AccessDenied;
|
||||
log.trace('request not authorized', { error: err });
|
||||
return _errorActions(err, websiteConfig.getErrorDocument(),
|
||||
routingRules, bucket,
|
||||
reqObjectKey, corsHeaders, request, log, callback);
|
||||
}
|
||||
|
||||
const headerValResult = validateHeaders(request.headers,
|
||||
objMD['last-modified'], objMD['content-md5']);
|
||||
if (headerValResult.error) {
|
||||
const err = headerValResult.error;
|
||||
log.trace('header validation error', { error: err });
|
||||
return _errorActions(err, websiteConfig.getErrorDocument(),
|
||||
routingRules, bucket, reqObjectKey,
|
||||
corsHeaders, request, log, callback);
|
||||
}
|
||||
// check if object to serve has website redirect header
|
||||
// Note: AWS prioritizes website configuration rules over
|
||||
// object key's website redirect header, so we make the
|
||||
// check at the end.
|
||||
if (objMD['x-amz-website-redirect-location']) {
|
||||
const redirectLocation =
|
||||
objMD['x-amz-website-redirect-location'];
|
||||
const redirectInfo =
|
||||
extractRedirectInfo(redirectLocation);
|
||||
log.trace('redirecting to x-amz-website-redirect-location',
|
||||
{ location: redirectLocation });
|
||||
return callback(null, false, null, corsHeaders,
|
||||
redirectInfo, '');
|
||||
}
|
||||
// got obj metadata, authorized and headers validated,
|
||||
// good to go
|
||||
const responseMetaHeaders = collectResponseHeaders(objMD,
|
||||
corsHeaders);
|
||||
const dataLocator = objMD.location;
|
||||
if (objMD['x-amz-server-side-encryption']) {
|
||||
for (let i = 0; i < dataLocator.length; i++) {
|
||||
dataLocator[i].masterKeyId =
|
||||
objMD['x-amz-server-side-encryption-aws-' +
|
||||
'kms-key-id'];
|
||||
dataLocator[i].algorithm =
|
||||
objMD['x-amz-server-side-encryption'];
|
||||
}
|
||||
}
|
||||
pushMetric('getObject', log, {
|
||||
bucket: bucketName,
|
||||
newByteLength: responseMetaHeaders['Content-Length'],
|
||||
});
|
||||
monitoring.promMetrics('GET', bucketName, '200',
|
||||
'getObject', responseMetaHeaders['Content-Length']);
|
||||
return callback(null, false, dataLocator, responseMetaHeaders);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = websiteGet;
|
|
@ -1,168 +0,0 @@
|
|||
const { errors, s3middleware } = require('arsenal');
|
||||
const validateHeaders = s3middleware.validateConditionalHeaders;
|
||||
|
||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||
const constants = require('../../constants');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const bucketShield = require('./apiUtils/bucket/bucketShield');
|
||||
const { findRoutingRule, extractRedirectInfo } =
|
||||
require('./apiUtils/object/websiteServing');
|
||||
const collectResponseHeaders = require('../utilities/collectResponseHeaders');
|
||||
const { pushMetric } = require('../utapi/utilities');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
const { isBucketAuthorized, isObjAuthorized } =
|
||||
require('./apiUtils/authorization/permissionChecks');
|
||||
|
||||
|
||||
/**
|
||||
* _errorActions - take a number of actions once have error getting obj
|
||||
* @param {object} err - arsenal errors object
|
||||
* @param {object []} routingRules - array of routingRule objects
|
||||
* @param {string} objectKey - object key from request (or as translated in
|
||||
* websiteGet)
|
||||
* @param {object} corsHeaders - CORS-related response headers
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function _errorActions(err, routingRules, objectKey, corsHeaders, log,
|
||||
callback) {
|
||||
const errRoutingRule = findRoutingRule(routingRules, objectKey, err.code);
|
||||
if (errRoutingRule) {
|
||||
// route will redirect
|
||||
return callback(err, corsHeaders, errRoutingRule, objectKey);
|
||||
}
|
||||
return callback(err, corsHeaders);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* HEAD Website - Gets metadata for object for website or redirects
|
||||
* @param {object} request - normalized request object
|
||||
* @param {object} log - Werelogs instance
|
||||
* @param {function} callback - callback to function in route
|
||||
* @return {undefined}
|
||||
*/
|
||||
function websiteHead(request, log, callback) {
|
||||
log.debug('processing request', { method: 'websiteHead' });
|
||||
const bucketName = request.bucketName;
|
||||
const reqObjectKey = request.objectKey ? request.objectKey : '';
|
||||
let objectKey = reqObjectKey;
|
||||
|
||||
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
||||
if (err) {
|
||||
log.trace('error retrieving bucket metadata', { error: err });
|
||||
monitoring.promMetrics(
|
||||
'HEAD', bucketName, err.code, 'headObject');
|
||||
return callback(err);
|
||||
}
|
||||
if (bucketShield(bucket, 'objectHead')) {
|
||||
log.trace('bucket in transient/deleted state so shielding');
|
||||
monitoring.promMetrics(
|
||||
'HEAD', bucketName, 404, 'headObject');
|
||||
return callback(errors.NoSuchBucket);
|
||||
}
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
// bucket ACL's do not matter for website head since it is always the
|
||||
// head of an object. object ACL's are what matter
|
||||
const websiteConfig = bucket.getWebsiteConfiguration();
|
||||
if (!websiteConfig) {
|
||||
monitoring.promMetrics(
|
||||
'HEAD', bucketName, 404, 'headObject');
|
||||
return callback(errors.NoSuchWebsiteConfiguration);
|
||||
}
|
||||
// any errors above would be generic header error response
|
||||
// if have a website config, error going forward could be redirect
|
||||
// if a redirect rule for error is in config
|
||||
|
||||
// handle redirect all
|
||||
if (websiteConfig.getRedirectAllRequestsTo()) {
|
||||
return callback(null, corsHeaders,
|
||||
websiteConfig.getRedirectAllRequestsTo(), objectKey);
|
||||
}
|
||||
|
||||
// find index document if "directory" sent in request
|
||||
if (reqObjectKey.endsWith('/')) {
|
||||
objectKey += websiteConfig.getIndexDocument();
|
||||
}
|
||||
// find index document if no key provided
|
||||
if (reqObjectKey === '') {
|
||||
objectKey = websiteConfig.getIndexDocument();
|
||||
}
|
||||
// check whether need to redirect based on key
|
||||
const routingRules = websiteConfig.getRoutingRules();
|
||||
|
||||
const keyRoutingRule = findRoutingRule(routingRules, objectKey);
|
||||
|
||||
if (keyRoutingRule) {
|
||||
return callback(null, corsHeaders, keyRoutingRule, reqObjectKey);
|
||||
}
|
||||
|
||||
// get object metadata and check authorization and header
|
||||
// validation
|
||||
return metadata.getObjectMD(bucketName, objectKey, {}, log,
|
||||
(err, objMD) => {
|
||||
// Note: In case of error, we intentionally send the original
|
||||
// object key to _errorActions as in case of a redirect, we do
|
||||
// not want to append index key to redirect location
|
||||
if (err) {
|
||||
log.trace('error retrieving object metadata',
|
||||
{ error: err });
|
||||
let returnErr = err;
|
||||
const bucketAuthorized = isBucketAuthorized(bucket,
|
||||
'bucketGet', constants.publicId, null, log, request, request.actionImplicitDenies);
|
||||
// if index object does not exist and bucket is private AWS
|
||||
// returns 403 - AccessDenied error.
|
||||
if (err.is.NoSuchKey && !bucketAuthorized) {
|
||||
returnErr = errors.AccessDenied;
|
||||
}
|
||||
return _errorActions(returnErr, routingRules,
|
||||
reqObjectKey, corsHeaders, log, callback);
|
||||
}
|
||||
if (!isObjAuthorized(bucket, objMD, 'objectGet',
|
||||
constants.publicId, null, log, request, request.actionImplicitDenies)) {
|
||||
const err = errors.AccessDenied;
|
||||
log.trace('request not authorized', { error: err });
|
||||
return _errorActions(err, routingRules, reqObjectKey,
|
||||
corsHeaders, log, callback);
|
||||
}
|
||||
|
||||
const headerValResult = validateHeaders(request.headers,
|
||||
objMD['last-modified'], objMD['content-md5']);
|
||||
if (headerValResult.error) {
|
||||
const err = headerValResult.error;
|
||||
log.trace('header validation error', { error: err });
|
||||
return _errorActions(err, routingRules, reqObjectKey,
|
||||
corsHeaders, log, callback);
|
||||
}
|
||||
|
||||
// check if object to serve has website redirect header
|
||||
// Note: AWS prioritizes website configuration rules over
|
||||
// object key's website redirect header, so we make the
|
||||
// check at the end.
|
||||
if (objMD['x-amz-website-redirect-location']) {
|
||||
const redirectLocation =
|
||||
objMD['x-amz-website-redirect-location'];
|
||||
const redirectInfo =
|
||||
extractRedirectInfo(redirectLocation);
|
||||
log.trace('redirecting to x-amz-website-redirect-location',
|
||||
{ location: redirectLocation });
|
||||
return callback(null, corsHeaders, redirectInfo, '');
|
||||
}
|
||||
|
||||
// got obj metadata, authorized and headers validated,
|
||||
// good to go
|
||||
const responseMetaHeaders = collectResponseHeaders(objMD,
|
||||
corsHeaders);
|
||||
pushMetric('headObject', log, {
|
||||
bucket: bucketName,
|
||||
});
|
||||
monitoring.promMetrics(
|
||||
'HEAD', bucketName, '200', 'headObject');
|
||||
return callback(null, responseMetaHeaders);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = websiteHead;
|
|
@ -1,4 +1,3 @@
|
|||
const vaultclient = require('vaultclient');
|
||||
const { auth } = require('arsenal');
|
||||
|
||||
const { config } = require('../Config');
|
||||
|
@ -21,6 +20,7 @@ function getVaultClient(config) {
|
|||
port,
|
||||
https: true,
|
||||
});
|
||||
const vaultclient = require('vaultclient');
|
||||
vaultClient = new vaultclient.Client(host, port, true, key, cert, ca);
|
||||
} else {
|
||||
logger.info('vaultclient configuration', {
|
||||
|
@ -28,6 +28,7 @@ function getVaultClient(config) {
|
|||
port,
|
||||
https: false,
|
||||
});
|
||||
const vaultclient = require('vaultclient');
|
||||
vaultClient = new vaultclient.Client(host, port);
|
||||
}
|
||||
|
||||
|
@ -49,10 +50,6 @@ function getMemBackend(config) {
|
|||
}
|
||||
|
||||
switch (config.backends.auth) {
|
||||
case 'mem':
|
||||
implName = 'vaultMem';
|
||||
client = getMemBackend(config);
|
||||
break;
|
||||
case 'multiple':
|
||||
implName = 'vaultChain';
|
||||
client = new ChainBackend('s3', [
|
||||
|
@ -60,9 +57,14 @@ case 'multiple':
|
|||
getVaultClient(config),
|
||||
]);
|
||||
break;
|
||||
default: // vault
|
||||
case 'vault':
|
||||
implName = 'vault';
|
||||
client = getVaultClient(config);
|
||||
break;
|
||||
default: // mem
|
||||
implName = 'vaultMem';
|
||||
client = getMemBackend(config);
|
||||
break;
|
||||
}
|
||||
|
||||
module.exports = new Vault(client, implName);
|
||||
|
|
|
@ -8,20 +8,6 @@ const inMemory = require('./in_memory/backend').backend;
|
|||
const file = require('./file/backend');
|
||||
const KMIPClient = require('arsenal').network.kmipClient;
|
||||
const Common = require('./common');
|
||||
let scalityKMS;
|
||||
let scalityKMSImpl;
|
||||
try {
|
||||
// eslint-disable-next-line import/no-unresolved
|
||||
const ScalityKMS = require('scality-kms');
|
||||
scalityKMS = new ScalityKMS(config.kms);
|
||||
scalityKMSImpl = 'scalityKms';
|
||||
} catch (error) {
|
||||
logger.warn('scality kms unavailable. ' +
|
||||
'Using file kms backend unless mem specified.',
|
||||
{ error });
|
||||
scalityKMS = file;
|
||||
scalityKMSImpl = 'fileKms';
|
||||
}
|
||||
|
||||
let client;
|
||||
let implName;
|
||||
|
@ -33,8 +19,9 @@ if (config.backends.kms === 'mem') {
|
|||
client = file;
|
||||
implName = 'fileKms';
|
||||
} else if (config.backends.kms === 'scality') {
|
||||
client = scalityKMS;
|
||||
implName = scalityKMSImpl;
|
||||
const ScalityKMS = require('scality-kms');
|
||||
client = new ScalityKMS(config.kms);
|
||||
implName = 'scalityKms';
|
||||
} else if (config.backends.kms === 'kmip') {
|
||||
const kmipConfig = { kmip: config.kmip };
|
||||
if (!kmipConfig.kmip) {
|
||||
|
|
|
@ -1,131 +0,0 @@
|
|||
/**
|
||||
* Target service that should handle a message
|
||||
* @readonly
|
||||
* @enum {number}
|
||||
*/
|
||||
const MessageType = {
|
||||
/** Message that contains a configuration overlay */
|
||||
CONFIG_OVERLAY_MESSAGE: 1,
|
||||
/** Message that requests a metrics report */
|
||||
METRICS_REQUEST_MESSAGE: 2,
|
||||
/** Message that contains a metrics report */
|
||||
METRICS_REPORT_MESSAGE: 3,
|
||||
/** Close the virtual TCP socket associated to the channel */
|
||||
CHANNEL_CLOSE_MESSAGE: 4,
|
||||
/** Write data to the virtual TCP socket associated to the channel */
|
||||
CHANNEL_PAYLOAD_MESSAGE: 5,
|
||||
};
|
||||
|
||||
/**
|
||||
* Target service that should handle a message
|
||||
* @readonly
|
||||
* @enum {number}
|
||||
*/
|
||||
const TargetType = {
|
||||
/** Let the dispatcher choose the most appropriate message */
|
||||
TARGET_ANY: 0,
|
||||
};
|
||||
|
||||
const headerSize = 3;
|
||||
|
||||
class ChannelMessageV0 {
|
||||
/**
|
||||
* @param {Buffer} buffer Message bytes
|
||||
*/
|
||||
constructor(buffer) {
|
||||
this.messageType = buffer.readUInt8(0);
|
||||
this.channelNumber = buffer.readUInt8(1);
|
||||
this.target = buffer.readUInt8(2);
|
||||
this.payload = buffer.slice(headerSize);
|
||||
}
|
||||
|
||||
/**
|
||||
* @returns {number} Message type
|
||||
*/
|
||||
getType() {
|
||||
return this.messageType;
|
||||
}
|
||||
|
||||
/**
|
||||
* @returns {number} Channel number if applicable
|
||||
*/
|
||||
getChannelNumber() {
|
||||
return this.channelNumber;
|
||||
}
|
||||
|
||||
/**
|
||||
* @returns {number} Target service, or 0 to choose automatically
|
||||
*/
|
||||
getTarget() {
|
||||
return this.target;
|
||||
}
|
||||
|
||||
/**
|
||||
* @returns {Buffer} Message payload if applicable
|
||||
*/
|
||||
getPayload() {
|
||||
return this.payload;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a wire representation of a channel close message
|
||||
*
|
||||
* @param {number} channelId Channel number
|
||||
*
|
||||
* @returns {Buffer} wire representation
|
||||
*/
|
||||
static encodeChannelCloseMessage(channelId) {
|
||||
const buf = Buffer.alloc(headerSize);
|
||||
buf.writeUInt8(MessageType.CHANNEL_CLOSE_MESSAGE, 0);
|
||||
buf.writeUInt8(channelId, 1);
|
||||
buf.writeUInt8(TargetType.TARGET_ANY, 2);
|
||||
return buf;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a wire representation of a channel data message
|
||||
*
|
||||
* @param {number} channelId Channel number
|
||||
* @param {Buffer} data Payload
|
||||
*
|
||||
* @returns {Buffer} wire representation
|
||||
*/
|
||||
static encodeChannelDataMessage(channelId, data) {
|
||||
const buf = Buffer.alloc(data.length + headerSize);
|
||||
buf.writeUInt8(MessageType.CHANNEL_PAYLOAD_MESSAGE, 0);
|
||||
buf.writeUInt8(channelId, 1);
|
||||
buf.writeUInt8(TargetType.TARGET_ANY, 2);
|
||||
data.copy(buf, headerSize);
|
||||
return buf;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a wire representation of a metrics message
|
||||
*
|
||||
* @param {object} body Metrics report
|
||||
*
|
||||
* @returns {Buffer} wire representation
|
||||
*/
|
||||
static encodeMetricsReportMessage(body) {
|
||||
const report = JSON.stringify(body);
|
||||
const buf = Buffer.alloc(report.length + headerSize);
|
||||
buf.writeUInt8(MessageType.METRICS_REPORT_MESSAGE, 0);
|
||||
buf.writeUInt8(0, 1);
|
||||
buf.writeUInt8(TargetType.TARGET_ANY, 2);
|
||||
buf.write(report, headerSize);
|
||||
return buf;
|
||||
}
|
||||
|
||||
/**
|
||||
* Protocol name used for subprotocol negociation
|
||||
*/
|
||||
static get protocolName() {
|
||||
return 'zenko-secure-channel-v0';
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
ChannelMessageV0,
|
||||
MessageType,
|
||||
TargetType,
|
||||
};
|
|
@ -1,94 +0,0 @@
|
|||
const WebSocket = require('ws');
|
||||
const arsenal = require('arsenal');
|
||||
|
||||
const logger = require('../utilities/logger');
|
||||
const _config = require('../Config').config;
|
||||
const { patchConfiguration } = require('./configuration');
|
||||
const { reshapeExceptionError } = arsenal.errorUtils;
|
||||
|
||||
|
||||
const managementAgentMessageType = {
|
||||
/** Message that contains the loaded overlay */
|
||||
NEW_OVERLAY: 1,
|
||||
};
|
||||
|
||||
const CONNECTION_RETRY_TIMEOUT_MS = 5000;
|
||||
|
||||
|
||||
function initManagementClient() {
|
||||
const { host, port } = _config.managementAgent;
|
||||
|
||||
const ws = new WebSocket(`ws://${host}:${port}/watch`);
|
||||
|
||||
ws.on('open', () => {
|
||||
logger.info('connected with management agent');
|
||||
});
|
||||
|
||||
ws.on('close', (code, reason) => {
|
||||
logger.info('disconnected from management agent', { reason });
|
||||
setTimeout(initManagementClient, CONNECTION_RETRY_TIMEOUT_MS);
|
||||
});
|
||||
|
||||
ws.on('error', error => {
|
||||
logger.error('error on connection with management agent', { error });
|
||||
});
|
||||
|
||||
ws.on('message', data => {
|
||||
const method = 'initManagementclient::onMessage';
|
||||
const log = logger.newRequestLogger();
|
||||
let msg;
|
||||
|
||||
if (!data) {
|
||||
log.error('message without data', { method });
|
||||
return;
|
||||
}
|
||||
try {
|
||||
msg = JSON.parse(data);
|
||||
} catch (err) {
|
||||
log.error('data is an invalid json', { method, err, data });
|
||||
return;
|
||||
}
|
||||
|
||||
if (msg.payload === undefined) {
|
||||
log.error('message without payload', { method });
|
||||
return;
|
||||
}
|
||||
if (typeof msg.messageType !== 'number') {
|
||||
log.error('messageType is not an integer', {
|
||||
type: typeof msg.messageType,
|
||||
method,
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
switch (msg.messageType) {
|
||||
case managementAgentMessageType.NEW_OVERLAY:
|
||||
patchConfiguration(msg.payload, log, err => {
|
||||
if (err) {
|
||||
log.error('failed to patch overlay', {
|
||||
error: reshapeExceptionError(err),
|
||||
method,
|
||||
});
|
||||
}
|
||||
});
|
||||
return;
|
||||
default:
|
||||
log.error('new overlay message with unmanaged message type', {
|
||||
method,
|
||||
type: msg.messageType,
|
||||
});
|
||||
return;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
function isManagementAgentUsed() {
|
||||
return process.env.MANAGEMENT_USE_AGENT === '1';
|
||||
}
|
||||
|
||||
|
||||
module.exports = {
|
||||
managementAgentMessageType,
|
||||
initManagementClient,
|
||||
isManagementAgentUsed,
|
||||
};
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue