Merge pull request 'Implemented website hosting authorization endpoint.' (#474) from jpds/garage:bucket-serving-validator into main

Reviewed-on: Deuxfleurs/garage#474
2023-01-19 12:33:16 +00:00 · 2023-01-19 12:33:16 +00:00 · aff9c264c8
commit aff9c264c8
parent fcc5033466 4962b88f8b
4 changed files with 189 additions and 0 deletions
--- a/src/api/admin/api_server.rs
+++ b/src/api/admin/api_server.rs
@ -77,6 +77,53 @@ impl AdminApiServer {
 			.body(Body::empty())?)
 	}

+	async fn handle_check_website_enabled(
+		&self,
+		req: Request<Body>,
+	) -> Result<Response<Body>, Error> {
+		let has_domain_header = req.headers().contains_key("domain");
+
+		if !has_domain_header {
+			return Err(Error::bad_request("No domain header found"));
+		}
+
+		let domain = &req
+			.headers()
+			.get("domain")
+			.ok_or_internal_error("Could not parse domain header")?;
+
+		let domain_string = String::from(
+			domain
+				.to_str()
+				.ok_or_bad_request("Invalid characters found in domain header")?,
+		);
+
+		let bucket_id = self
+			.garage
+			.bucket_helper()
+			.resolve_global_bucket_name(&domain_string)
+			.await?
+			.ok_or_else(|| HelperError::NoSuchBucket(domain_string))?;
+
+		let bucket = self
+			.garage
+			.bucket_helper()
+			.get_existing_bucket(bucket_id)
+			.await?;
+
+		let bucket_state = bucket.state.as_option().unwrap();
+		let bucket_website_config = bucket_state.website_config.get();
+
+		match bucket_website_config {
+			Some(_v) => Ok(Response::builder()
+				.status(StatusCode::OK)
+				.body(Body::from("Bucket authorized for website hosting"))?),
+			None => Err(Error::bad_request(
+				"Bucket is not authorized for website hosting",
+			)),
+		}
+	}
+
 	fn handle_health(&self) -> Result<Response<Body>, Error> {
 		let health = self.garage.system.health();

@ -174,6 +221,7 @@ impl ApiHandler for AdminApiServer {

 		match endpoint {
 			Endpoint::Options => self.handle_options(&req),
+			Endpoint::CheckWebsiteEnabled => self.handle_check_website_enabled(req).await,
 			Endpoint::Health => self.handle_health(),
 			Endpoint::Metrics => self.handle_metrics(),
 			Endpoint::GetClusterStatus => handle_get_cluster_status(&self.garage).await,
--- a/src/api/admin/router.rs
+++ b/src/api/admin/router.rs
@ -17,6 +17,7 @@ router_match! {@func
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum Endpoint {
 	Options,
+	CheckWebsiteEnabled,
 	Health,
 	Metrics,
 	GetClusterStatus,
@ -91,6 +92,7 @@ impl Endpoint {

 		let res = router_match!(@gen_path_parser (req.method(), path, query) [
 			OPTIONS _ => Options,
+			GET "/check" => CheckWebsiteEnabled,
 			GET "/health" => Health,
 			GET "/metrics" => Metrics,
 			GET "/v0/status" => GetClusterStatus,
@ -136,6 +138,7 @@ impl Endpoint {
 	pub fn authorization_type(&self) -> Authorization {
 		match self {
 			Self::Health => Authorization::None,
+			Self::CheckWebsiteEnabled => Authorization::None,
 			Self::Metrics => Authorization::MetricsToken,
 			_ => Authorization::AdminToken,
 		}
--- a/src/garage/tests/common/garage.rs
+++ b/src/garage/tests/common/garage.rs
@ -25,6 +25,7 @@ pub struct Instance {
 	pub s3_port: u16,
 	pub k2v_port: u16,
 	pub web_port: u16,
+	pub admin_port: u16,
 }

 impl Instance {
@ -105,6 +106,7 @@ api_bind_addr = "127.0.0.1:{admin_port}"
 			s3_port: port,
 			k2v_port: port + 1,
 			web_port: port + 3,
+			admin_port: port + 4,
 		}
 	}

--- a/src/garage/tests/s3/website.rs
+++ b/src/garage/tests/s3/website.rs
@ -1,5 +1,8 @@
 use crate::common;
 use crate::common::ext::*;
+use crate::k2v::json_body;
+
+use assert_json_diff::assert_json_eq;
 use aws_sdk_s3::{
 	model::{CorsConfiguration, CorsRule, ErrorDocument, IndexDocument, WebsiteConfiguration},
 	types::ByteStream,
@ -9,6 +12,7 @@ use hyper::{
 	body::{to_bytes, Body},
 	Client,
 };
+use serde_json::json;

 const BODY: &[u8; 16] = b"<h1>bonjour</h1>";
 const BODY_ERR: &[u8; 6] = b"erreur";
@ -49,6 +53,28 @@ async fn test_website() {
 		BODY.as_ref()
 	); /* check that we do not leak body */

+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.header("domain", format!("{}", BCKT_NAME))
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::BAD_REQUEST);
+	let res_body = json_body(admin_resp).await;
+	assert_json_eq!(
+		res_body,
+		json!({
+			"code": "InvalidRequest",
+			"message": "Bad request: Bucket is not authorized for website hosting",
+			"region": "garage-integ-test",
+			"path": "/check",
+		})
+	);
+
 	ctx.garage
 		.command()
 		.args(["bucket", "website", "--allow", BCKT_NAME])
@ -62,6 +88,22 @@ async fn test_website() {
 		BODY.as_ref()
 	);

+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.header("domain", format!("{}", BCKT_NAME))
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let mut admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::OK);
+	assert_eq!(
+		to_bytes(admin_resp.body_mut()).await.unwrap().as_ref(),
+		b"Bucket authorized for website hosting"
+	);
+
 	ctx.garage
 		.command()
 		.args(["bucket", "website", "--deny", BCKT_NAME])
@ -74,6 +116,28 @@ async fn test_website() {
 		to_bytes(resp.body_mut()).await.unwrap().as_ref(),
 		BODY.as_ref()
 	); /* check that we do not leak body */
+
+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.header("domain", format!("{}", BCKT_NAME))
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::BAD_REQUEST);
+	let res_body = json_body(admin_resp).await;
+	assert_json_eq!(
+		res_body,
+		json!({
+			"code": "InvalidRequest",
+			"message": "Bad request: Bucket is not authorized for website hosting",
+			"region": "garage-integ-test",
+			"path": "/check",
+		})
+	);
 }

 #[tokio::test]
@ -322,3 +386,75 @@ async fn test_website_s3_api() {
 		);
 	}
 }
+
+#[tokio::test]
+async fn test_website_check_website_enabled() {
+	let ctx = common::context();
+
+	let client = Client::new();
+
+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::BAD_REQUEST);
+	let res_body = json_body(admin_resp).await;
+	assert_json_eq!(
+		res_body,
+		json!({
+			"code": "InvalidRequest",
+			"message": "Bad request: No domain header found",
+			"region": "garage-integ-test",
+			"path": "/check",
+		})
+	);
+
+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.header("domain", "foobar")
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::NOT_FOUND);
+	let res_body = json_body(admin_resp).await;
+	assert_json_eq!(
+		res_body,
+		json!({
+			"code": "NoSuchBucket",
+			"message": "Bucket not found: foobar",
+			"region": "garage-integ-test",
+			"path": "/check",
+		})
+	);
+
+	let admin_req = || {
+		Request::builder()
+			.method("GET")
+			.uri(format!("http://127.0.0.1:{}/check", ctx.garage.admin_port))
+			.header("domain", "☹")
+			.body(Body::empty())
+			.unwrap()
+	};
+
+	let admin_resp = client.request(admin_req()).await.unwrap();
+	assert_eq!(admin_resp.status(), StatusCode::BAD_REQUEST);
+	let res_body = json_body(admin_resp).await;
+	assert_json_eq!(
+		res_body,
+		json!({
+			"code": "InvalidRequest",
+			"message": "Bad request: Invalid characters found in domain header: failed to convert header to a str",
+			"region": "garage-integ-test",
+			"path": "/check",
+		})
+	);
+}