Implementing IsAccessDeniedErr method on the objstore
Signed-off-by: Alan Protasio <alanprot@gmail.com>
alanprot committed Aug 16, 2023
1 parent c042a6a commit f10e813
Showing 18 changed files with 59 additions and 44 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -35,5 +35,5 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
- [#35](https://github.com/thanos-io/objstore/pull/35) Azure: Update Azure SDK and fix breaking changes.
- [#65](https://github.com/thanos-io/objstore/pull/65) *: Upgrade minio-go version to `v7.0.61`.
- [#70](https://github.com/thanos-io/objstore/pull/70) GCS: Update cloud.google.com/go/storage version to `v1.27.0`.

- [#71](https://github.com/thanos-io/objstore/pull/71) Replace method `IsCustomerManagedKeyError` for a more generic `IsAccessDeniedErr` on the bucket interface.
### Removed
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -88,7 +88,8 @@ type BucketReader interface {
// IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations.
IsObjNotFoundErr(err error) bool

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
// IsAccessDeniedErr returns true if access to object is denied.
IsAccessDeniedErr(err error) bool
```
Those interfaces represent the object storage operations your code can use from `objstore` clients.
4 changes: 2 additions & 2 deletions inmem.go
Expand Up @@ -207,8 +207,8 @@ func (b *InMemBucket) IsObjNotFoundErr(err error) bool {
return errors.Is(err, errNotFound)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *InMemBucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *InMemBucket) IsAccessDeniedErr(err error) bool {
return false
}

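Review bot: The new signature names its parameter `err` but never reads it, whereas the sibling stubs in bos.go, cos.go, filesystem.go and obs.go (and the method this one replaces) use `_ error`; `func (b *InMemBucket) IsAccessDeniedErr(_ error) bool {` keeps the stubs uniform. A stub that unconditionally returns false is indistinguishable to a caller from "access was not denied", so its doc comment should say that nothing is classified, e.g. `// IsAccessDeniedErr always returns false: access-denied classification is not implemented for this bucket.` The same doc point applies to the stubs in bos.go, cos.go, filesystem.go and obs.go.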
8 changes: 4 additions & 4 deletions objstore.go
Expand Up @@ -85,8 +85,8 @@ type BucketReader interface {
// IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations.
IsObjNotFoundErr(err error) bool

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
IsCustomerManagedKeyError(err error) bool
// IsAccessDeniedErr returns true if acces to object is denied.
IsAccessDeniedErr(err error) bool

// Attributes returns information about the specified object.
Attributes(ctx context.Context, name string) (ObjectAttributes, error)
Expand Down Expand Up @@ -624,8 +624,8 @@ func (b *metricBucket) IsObjNotFoundErr(err error) bool {
return b.bkt.IsObjNotFoundErr(err)
}

func (b *metricBucket) IsCustomerManagedKeyError(err error) bool {
return b.bkt.IsCustomerManagedKeyError(err)
func (b *metricBucket) IsAccessDeniedErr(err error) bool {
return b.bkt.IsAccessDeniedErr(err)
}

func (b *metricBucket) Close() error {
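Review bot: The interface doc comment in the first hunk has a typo ("acces") and it is the only place callers learn what the method promises; `// IsAccessDeniedErr returns true if the error means that the provider denied access to the object (e.g. an HTTP 403 / AccessDenied-style response).` Since several providers in this commit (inmem, bos, cos, filesystem, obs) unconditionally return false, the comment should also state that a false result only means the error was not recognised as an access denial, not that access was granted. Dropping `IsCustomerManagedKeyError` from the interface breaks external implementers; the CHANGELOG entry mentions the replacement but does not carry the *breaking :warning:* tag that file uses for non-backward-compatible changes.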
6 changes: 3 additions & 3 deletions prefixed_bucket.go
Expand Up @@ -74,9 +74,9 @@ func (p *PrefixedBucket) IsObjNotFoundErr(err error) bool {
return p.bkt.IsObjNotFoundErr(err)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (p *PrefixedBucket) IsCustomerManagedKeyError(err error) bool {
return p.bkt.IsCustomerManagedKeyError(err)
// IsAccessDeniedErr returns true if access to object is denied.
func (p *PrefixedBucket) IsAccessDeniedErr(err error) bool {
return p.bkt.IsAccessDeniedErr(err)
}

// Attributes returns information about the specified object.
9 changes: 6 additions & 3 deletions providers/azure/azure.go
Expand Up @@ -235,9 +235,12 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return bloberror.HasCode(err, bloberror.BlobNotFound) || bloberror.HasCode(err, bloberror.InvalidURI)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
return false
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
if err == nil {
return false
}
return bloberror.HasCode(err, bloberror.AuthorizationPermissionMismatch) || bloberror.HasCode(err, bloberror.InsufficientAccountPermissions)
}

func (b *Bucket) getBlobReader(ctx context.Context, name string, httpRange blob.HTTPRange) (io.ReadCloser, error) {
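Review bot: The explicit `err == nil` guard is inconsistent with `IsObjNotFoundErr` just above, which passes the error straight to `bloberror.HasCode`; if `HasCode` already tolerates nil (it appears to unwrap with `errors.As`, but confirm against the SDK version in go.mod) the guard can go so both predicates read the same way. The two codes chosen, `AuthorizationPermissionMismatch` and `InsufficientAccountPermissions`, are only part of the authorization failures the blob service can return, so the doc comment should name them rather than repeat the interface wording: `// IsAccessDeniedErr returns true if the blob service rejected the request with AuthorizationPermissionMismatch or InsufficientAccountPermissions.` No provider in this commit gets a test for its new matcher; a table test feeding a constructed `*azcore.ResponseError` with each code would pin the mapping here.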
4 changes: 2 additions & 2 deletions providers/bos/bos.go
Expand Up @@ -287,8 +287,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

4 changes: 2 additions & 2 deletions providers/cos/cos.go
Expand Up @@ -364,8 +364,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
}
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

4 changes: 2 additions & 2 deletions providers/filesystem/filesystem.go
Expand Up @@ -258,8 +258,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return os.IsNotExist(errors.Cause(err))
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

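Review bot: This stub returns false unconditionally even though the sibling `IsObjNotFoundErr` already classifies the OS error via `os.IsNotExist(errors.Cause(err))`; the matching permission check is one line, `return os.IsPermission(errors.Cause(err))`, which would let EACCES/EPERM failures from the local filesystem be reported as access denied like the cloud providers do. If the stub is kept on purpose, its doc comment should say so, e.g. `// IsAccessDeniedErr always returns false; permission errors from the local filesystem are not classified.`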
9 changes: 7 additions & 2 deletions providers/gcs/gcs.go
Expand Up @@ -19,6 +19,8 @@ import (
"golang.org/x/oauth2/google"
"google.golang.org/api/iterator"
"google.golang.org/api/option"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"gopkg.in/yaml.v2"

"github.com/thanos-io/objstore"
Expand Down Expand Up @@ -188,8 +190,11 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return errors.Is(err, storage.ErrObjectNotExist)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
return true
}
return false
}

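Review bot: `status.FromError` only recognises gRPC status errors, so if the storage client is built on the HTTP transport (the `option` import suggests that is at least possible; the client construction is outside the hunk) a 403 arrives as a `*googleapi.Error` and this predicate returns false for a genuine access denial — worth verifying against how the bucket constructs its client. If both transports are in play, add a second check: `var gerr *googleapi.Error` / `return errors.As(err, &gerr) && gerr.Code == http.StatusForbidden`, importing `google.golang.org/api/googleapi` and `net/http`. Stylistically, the `if … { return true }; return false` can collapse to a single `return ok && s.Code() == codes.PermissionDenied`. A unit test with a constructed `status.Error(codes.PermissionDenied, …)` would pin the gRPC path either way.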
4 changes: 2 additions & 2 deletions providers/obs/obs.go
Expand Up @@ -327,8 +327,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

8 changes: 6 additions & 2 deletions providers/oci/oci.go
Expand Up @@ -227,8 +227,12 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
failure, isServiceError := common.IsServiceError(err)
if isServiceError {
return failure.GetHTTPStatusCode() == http.StatusForbidden
}
return false
}

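Review bot: The three-line branch reads more simply as a guarded return, `if failure, ok := common.IsServiceError(err); ok { return failure.GetHTTPStatusCode() == http.StatusForbidden }`, which mirrors the shape used in gcs.go and keeps the happy path flat. The `http` identifier is not imported in this hunk; confirm `net/http` is already imported in oci.go, otherwise the change does not compile. A short comment naming the status being mapped would help the next reader, since the doc comment only repeats the interface wording: `// A service error with HTTP 403 is the only condition treated as access denied.`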
10 changes: 8 additions & 2 deletions providers/oss/oss.go
Expand Up @@ -379,7 +379,13 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
switch aliErr := errors.Cause(err).(type) {
case alioss.ServiceError:
if aliErr.StatusCode == http.StatusForbidden {
return true
}
}
return false
}
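Review bot: A type switch with a single case and a nested `if` is heavier than needed; `if aliErr, ok := errors.Cause(err).(alioss.ServiceError); ok { return aliErr.StatusCode == http.StatusForbidden }` expresses the same check in the form oci.go uses. If `errors` is github.com/pkg/errors here, `errors.Cause` only unwraps causer-style wrapping and not `%w` chains, which matches the existing `IsObjNotFoundErr` (its body begins outside the hunk) but deserves a one-line comment so the limitation is deliberate. `http.StatusForbidden` relies on `net/http` already being imported in oss.go; the hunk does not add it.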
10 changes: 3 additions & 7 deletions providers/s3/s3.go
Expand Up @@ -98,9 +98,6 @@ const (

// Storage class header.
amzStorageClass = "X-Amz-Storage-Class"

// amzKmsKeyAccessDeniedErrorMessage is the error message returned by s3 when the permissions to the KMS key is revoked.
amzKmsKeyAccessDeniedErrorMessage = "The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
)

var DefaultConfig = Config{
Expand Down Expand Up @@ -541,10 +538,9 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return minio.ToErrorResponse(errors.Cause(err)).Code == "NoSuchKey"
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(err error) bool {
errResponse := minio.ToErrorResponse(errors.Cause(err))
return errResponse.Code == "AccessDenied" && errResponse.Message == amzKmsKeyAccessDeniedErrorMessage
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
return minio.ToErrorResponse(errors.Cause(err)).Code == "AccessDenied"
}

func (b *Bucket) Close() error { return nil }
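Review bot: The new matcher accepts any `AccessDenied` response, whereas the removed method only matched the KMS-specific message (`amzKmsKeyAccessDeniedErrorMessage`, deleted in the first hunk); callers that used the old method to detect an inaccessible KMS key now also see bucket-policy and IAM denials, and the doc comment should say so: `// IsAccessDeniedErr returns true if S3 returned the AccessDenied error code, which includes the case where the KMS key used to encrypt the object is not accessible.` Other 403 responses carry different codes (`minio.ToErrorResponse` also exposes `StatusCode`), so classifying by code rather than status is a deliberate choice worth a one-line comment to prevent a later "fix" that broadens it to every 403. A small test using a constructed `minio.ErrorResponse{Code: "AccessDenied"}` would pin the behaviour.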
6 changes: 3 additions & 3 deletions providers/swift/swift.go
Expand Up @@ -290,9 +290,9 @@ func (c *Container) IsObjNotFoundErr(err error) bool {
return errors.Is(err, swift.ObjectNotFound)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Container) IsCustomerManagedKeyError(_ error) bool {
return false
// IsAccessDeniedErr returns true if access to object is denied.
func (c *Container) IsAccessDeniedErr(err error) bool {
return errors.Is(err, swift.Forbidden)
}

// Upload writes the contents of the reader as an object into the container.
4 changes: 2 additions & 2 deletions testing.go
Expand Up @@ -309,6 +309,6 @@ func (d *delayingBucket) IsObjNotFoundErr(err error) bool {
return d.bkt.IsObjNotFoundErr(err)
}

func (d *delayingBucket) IsCustomerManagedKeyError(err error) bool {
return d.bkt.IsCustomerManagedKeyError(err)
func (d *delayingBucket) IsAccessDeniedErr(err error) bool {
return d.bkt.IsAccessDeniedErr(err)
}
4 changes: 2 additions & 2 deletions tracing/opentelemetry/opentelemetry.go
Expand Up @@ -128,8 +128,8 @@ func (t TracingBucket) IsObjNotFoundErr(err error) bool {
return t.bkt.IsObjNotFoundErr(err)
}

func (t TracingBucket) IsCustomerManagedKeyError(err error) bool {
return t.bkt.IsCustomerManagedKeyError(err)
func (t TracingBucket) IsAccessDeniedErr(err error) bool {
return t.bkt.IsAccessDeniedErr(err)
}

func (t TracingBucket) WithExpectedErrs(expectedFunc objstore.IsOpFailureExpectedFunc) objstore.Bucket {
4 changes: 2 additions & 2 deletions tracing/opentracing/opentracing.go
Expand Up @@ -124,8 +124,8 @@ func (t TracingBucket) IsObjNotFoundErr(err error) bool {
return t.bkt.IsObjNotFoundErr(err)
}

func (t TracingBucket) IsCustomerManagedKeyError(err error) bool {
return t.bkt.IsCustomerManagedKeyError(err)
func (t TracingBucket) IsAccessDeniedErr(err error) bool {
return t.bkt.IsAccessDeniedErr(err)
}

func (t TracingBucket) WithExpectedErrs(expectedFunc objstore.IsOpFailureExpectedFunc) objstore.Bucket {
