implement flush for dedicated key, allow delete & key rotation
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
ci/woodpecker/pr/woodpecker Pipeline failed

This commit is contained in:
Quentin 2024-06-24 10:43:11 +02:00
parent e940996f0f
commit df79d11028
Signed by: quentin
GPG key ID: E9602264D639FF68
2 changed files with 77 additions and 4 deletions

View file

@ -55,6 +55,17 @@ func grgSearchKey(name string) (*garage.KeyInfo, error) {
return resp, nil
}
func grgDelKey(accessKey string) error {
client, ctx := gadmin()
_, err := client.KeyApi.DeleteKey(ctx).Id(accessKey).Execute()
if err != nil {
fmt.Printf("%+v\n", err)
return err
}
return nil
}
func grgCreateBucket(bucket string) (*garage.BucketInfo, error) {
client, ctx := gadmin()

View file

@ -134,8 +134,14 @@ func (w *WebsiteController) getDedicatedWebsiteKey(binfo *garage.BucketInfo) (*g
log.Printf("Created dedicated key %s\n", dedicatedKeyName)
}
// Check that the key name is *exactly* the one we requested
if *keyInfo.Name != dedicatedKeyName {
log.Printf("Expected key: %s, got %s. Invariant violated.\n", dedicatedKeyName, *keyInfo.Name)
return nil, ErrDedicatedKeyInvariant
}
// Check that the dedicated key does not contain any other bucket than this one
// and that this bucket key is found with correct permissions
// and report if this bucket key is found with correct permissions
permissionsOk := false
for _, buck := range keyInfo.Buckets {
if *buck.Id != *binfo.Id {
@ -167,7 +173,57 @@ func (w *WebsiteController) getDedicatedWebsiteKey(binfo *garage.BucketInfo) (*g
return keyInfo, nil
}
//@TODO: flushDedicatedWebsiteKey()
func (w *WebsiteController) flushDedicatedWebsiteKey(binfo *garage.BucketInfo) error {
// Check bucket info is not null
if binfo == nil {
return ErrFetchBucketInfo
}
// Check the bucket is owned by the user's root key
usersRootKeyFound := false
for _, bucketKeyInfo := range binfo.Keys {
if *bucketKeyInfo.AccessKeyId == *w.RootKey.AccessKeyId && *bucketKeyInfo.Permissions.Owner {
usersRootKeyFound = true
break
}
}
if !usersRootKeyFound {
log.Printf("%s is not an owner of bucket %s. Invariant violated.\n", w.User.Username, *binfo.Id)
return ErrDedicatedKeyInvariant
}
// Build the string template by concatening the username and the bucket identifier
dedicatedKeyName := fmt.Sprintf("%s:web:%s", w.User.Username, *binfo.Id)
// Fetch the dedicated key
keyInfo, err := grgSearchKey(dedicatedKeyName)
if err != nil {
return err
}
// Check that the key name is *exactly* the one we requested
if *keyInfo.Name != dedicatedKeyName {
log.Printf("Expected key: %s, got %s. Invariant violated.\n", dedicatedKeyName, *keyInfo.Name)
return ErrDedicatedKeyInvariant
}
// Check that the dedicated key contains no other bucket than this one
// (can also be empty, useful to heal a partially created key)
for _, buck := range keyInfo.Buckets {
if *buck.Id != *binfo.Id {
log.Printf("Key %s is used on bucket %s while it should be exclusive to %s. Invariant violated.\n", dedicatedKeyName, *buck.Id, *binfo.Id)
return ErrDedicatedKeyInvariant
}
}
// Finally delete this key
err = grgDelKey(*keyInfo.AccessKeyId)
if err != nil {
return err
}
log.Printf("Deleted dedicated key %s", dedicatedKeyName)
return nil
}
func (w *WebsiteController) Describe() (*WebsiteDescribe, error) {
r := make([]*WebsiteId, 0, len(w.PrettyList))
@ -243,7 +299,10 @@ func (w *WebsiteController) Patch(pretty string, patch *WebsitePatch) (*WebsiteV
}
if patch.RotateKey != nil && *patch.RotateKey {
// @TODO: rotate key by calling flush
err = w.flushDedicatedWebsiteKey(binfo)
if err != nil {
return nil, err
}
}
dedicatedKey, err := w.getDedicatedWebsiteKey(binfo)
@ -327,7 +386,10 @@ func (w *WebsiteController) Delete(pretty string) error {
}
// Delete dedicated key
// @TODO call flush
err = w.flushDedicatedWebsiteKey(binfo)
if err != nil {
return err
}
// Actually delete bucket
err = grgDeleteBucket(website.Internal)