Unify implicit deny handling in normal and backbeat routes
- Also split backbeat routers
- Better use the callback functions
- Do not return twice to the client in case of error and
  quota evaluation (finalizer hooks)
- Remove account quota from backbeat proxy route, as it is
  not used in this case.

Issue: CLDSRV-591
williamlardier committed Dec 11, 2024
1 parent c0bb428 commit decfc8f
Showing 3 changed files with 184 additions and 199 deletions.
46 changes: 29 additions & 17 deletions lib/api/api.js
Expand Up @@ -119,6 +119,26 @@ function checkAuthResults(authResults, apiMethod, log) {
}

/* eslint-disable no-param-reassign */
function handleAuthorizationResults(request, authorizationResults, apiMethod, returnTagCount, log, callback) {
if (authorizationResults) {
const checkedResults = checkAuthResults(authorizationResults, apiMethod, log);
if (checkedResults instanceof Error) {
return callback(checkedResults);
}
returnTagCount = checkedResults.returnTagCount;
request.actionImplicitDenies = checkedResults.isImplicitDeny;
} else {
// create an object of keys apiMethods with all values to false:
// for backward compatibility, all apiMethods are allowed by default
// thus it is explicitly allowed, so implicit deny is false
request.actionImplicitDenies = request.apiMethods.reduce((acc, curr) => {
acc[curr] = false;
return acc;
}, {});
}
return callback();
}

const api = {
callApiMethod(apiMethod, request, response, log, callback) {
// Attach the apiMethod method to the request, so it can used by monitoring in the server
Expand Down Expand Up @@ -148,7 +168,7 @@ const api = {
objectKey: request.objectKey,
});
}
let returnTagCount = true;
const returnTagCount = true;

const validationRes = validateQueryAndHeaders(request, log);
if (validationRes.error) {
Expand Down Expand Up @@ -263,27 +283,18 @@ const api = {
return next(null, userInfo, authResultsWithTags, streamingV4Params, infos);
},
),
(userInfo, authorizationResults, streamingV4Params, infos, next) =>
handleAuthorizationResults(request, authorizationResults, apiMethod, returnTagCount, log, err => {
if (err) {
return next(err);
}
return next(null, userInfo, authorizationResults, streamingV4Params, infos);
}),
], (err, userInfo, authorizationResults, streamingV4Params, infos) => {
if (err) {
return callback(err);
}
request.accountQuotas = infos?.accountQuota;
if (authorizationResults) {
const checkedResults = checkAuthResults(authorizationResults, apiMethod, log);
if (checkedResults instanceof Error) {
return callback(checkedResults);
}
returnTagCount = checkedResults.returnTagCount;
request.actionImplicitDenies = checkedResults.isImplicitDeny;
} else {
// create an object of keys apiMethods with all values to false:
// for backward compatibility, all apiMethods are allowed by default
// thus it is explicitly allowed, so implicit deny is false
request.actionImplicitDenies = apiMethods.reduce((acc, curr) => {
acc[curr] = false;
return acc;
}, {});
}
const methodCallback = (err, ...results) => async.forEachLimit(request.finalizerHooks, 5,
(hook, done) => hook(err, done),
() => callback(err, ...results));
Expand Down Expand Up @@ -369,6 +380,7 @@ const api = {
websiteGet: website,
websiteHead: website,
checkAuthResults,
handleAuthorizationResults,
};

module.exports = api;
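Review bot: In `handleAuthorizationResults`, `returnTagCount = checkedResults.returnTagCount;` only rebinds the function's own parameter, so the value computed by `checkAuthResults` never reaches `callApiMethod`, where the variable is now `const returnTagCount = true;`. The removed code updated that variable in place, so if the part of `callApiMethod` outside these hunks still reads `returnTagCount` to decide whether tag information is returned, it now sees `true` even when the authorization result said otherwise. Consider handing the value back with `return callback(null, checkedResults.returnTagCount);` in the helper, keeping `let returnTagCount = true;` in the caller and assigning it from the callback's second argument (when defined) before calling `next`. The `else` branch also now reads `request.apiMethods` instead of the local `apiMethods` and marks every method as not implicitly denied when no authorization results are supplied. Since the helper is exported for other routes, a doc comment stating that callers must set `request.apiMethods` first, and that missing results mean allow-by-default, would make that contract explicit.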