Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace method IsCustomerManagedKeyError for a more generic IsAccessDeniedErr on the bucket interface. #71

Merged
merged 1 commit into from
Aug 16, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,5 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
- [#35](https://github.com/thanos-io/objstore/pull/35) Azure: Update Azure SDK and fix breaking changes.
- [#65](https://github.com/thanos-io/objstore/pull/65) *: Upgrade minio-go version to `v7.0.61`.
- [#70](https://github.com/thanos-io/objstore/pull/70) GCS: Update cloud.google.com/go/storage version to `v1.27.0`.

- [#71](https://github.com/thanos-io/objstore/pull/71) Replace method `IsCustomerManagedKeyError` for a more generic `IsAccessDeniedErr` on the bucket interface.
### Removed
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,8 @@ type BucketReader interface {
// IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations.
IsObjNotFoundErr(err error) bool

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
// IsAccessDeniedErr returns true if access to object is denied.
IsAccessDeniedErr(err error) bool
```

Those interfaces represent the object storage operations your code can use from `objstore` clients.
Expand Down
4 changes: 2 additions & 2 deletions inmem.go
Original file line number Diff line number Diff line change
Expand Up @@ -207,8 +207,8 @@ func (b *InMemBucket) IsObjNotFoundErr(err error) bool {
return errors.Is(err, errNotFound)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *InMemBucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *InMemBucket) IsAccessDeniedErr(err error) bool {
return false
}

Expand Down
8 changes: 4 additions & 4 deletions objstore.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,8 +85,8 @@ type BucketReader interface {
// IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations.
IsObjNotFoundErr(err error) bool

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
IsCustomerManagedKeyError(err error) bool
// IsAccessDeniedErr returns true if acces to object is denied.
IsAccessDeniedErr(err error) bool

// Attributes returns information about the specified object.
Attributes(ctx context.Context, name string) (ObjectAttributes, error)
Expand Down Expand Up @@ -624,8 +624,8 @@ func (b *metricBucket) IsObjNotFoundErr(err error) bool {
return b.bkt.IsObjNotFoundErr(err)
}

func (b *metricBucket) IsCustomerManagedKeyError(err error) bool {
return b.bkt.IsCustomerManagedKeyError(err)
func (b *metricBucket) IsAccessDeniedErr(err error) bool {
return b.bkt.IsAccessDeniedErr(err)
}

func (b *metricBucket) Close() error {
Expand Down
6 changes: 3 additions & 3 deletions prefixed_bucket.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,9 @@ func (p *PrefixedBucket) IsObjNotFoundErr(err error) bool {
return p.bkt.IsObjNotFoundErr(err)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (p *PrefixedBucket) IsCustomerManagedKeyError(err error) bool {
return p.bkt.IsCustomerManagedKeyError(err)
// IsAccessDeniedErr returns true if access to object is denied.
func (p *PrefixedBucket) IsAccessDeniedErr(err error) bool {
return p.bkt.IsAccessDeniedErr(err)
}

// Attributes returns information about the specified object.
Expand Down
9 changes: 6 additions & 3 deletions providers/azure/azure.go
Original file line number Diff line number Diff line change
Expand Up @@ -235,9 +235,12 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return bloberror.HasCode(err, bloberror.BlobNotFound) || bloberror.HasCode(err, bloberror.InvalidURI)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
return false
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
if err == nil {
return false
}
return bloberror.HasCode(err, bloberror.AuthorizationPermissionMismatch) || bloberror.HasCode(err, bloberror.InsufficientAccountPermissions)
}

func (b *Bucket) getBlobReader(ctx context.Context, name string, httpRange blob.HTTPRange) (io.ReadCloser, error) {
Expand Down
4 changes: 2 additions & 2 deletions providers/bos/bos.go
Original file line number Diff line number Diff line change
Expand Up @@ -287,8 +287,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

Expand Down
4 changes: 2 additions & 2 deletions providers/cos/cos.go
Original file line number Diff line number Diff line change
Expand Up @@ -364,8 +364,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
}
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

Expand Down
4 changes: 2 additions & 2 deletions providers/filesystem/filesystem.go
Original file line number Diff line number Diff line change
Expand Up @@ -258,8 +258,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return os.IsNotExist(errors.Cause(err))
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

Expand Down
9 changes: 7 additions & 2 deletions providers/gcs/gcs.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ import (
"golang.org/x/oauth2/google"
"google.golang.org/api/iterator"
"google.golang.org/api/option"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"gopkg.in/yaml.v2"

"github.com/thanos-io/objstore"
Expand Down Expand Up @@ -188,8 +190,11 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return errors.Is(err, storage.ErrObjectNotExist)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
return true
}
return false
}

Expand Down
4 changes: 2 additions & 2 deletions providers/obs/obs.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,8 +327,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(_ error) bool {
return false
}

Expand Down
8 changes: 6 additions & 2 deletions providers/oci/oci.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,8 +227,12 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
failure, isServiceError := common.IsServiceError(err)
if isServiceError {
return failure.GetHTTPStatusCode() == http.StatusForbidden
}
return false
}

Expand Down
10 changes: 8 additions & 2 deletions providers/oss/oss.go
Original file line number Diff line number Diff line change
Expand Up @@ -379,7 +379,13 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return false
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(_ error) bool {
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
switch aliErr := errors.Cause(err).(type) {
case alioss.ServiceError:
if aliErr.StatusCode == http.StatusForbidden {
return true
}
}
return false
}
10 changes: 3 additions & 7 deletions providers/s3/s3.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,6 @@ const (

// Storage class header.
amzStorageClass = "X-Amz-Storage-Class"

// amzKmsKeyAccessDeniedErrorMessage is the error message returned by s3 when the permissions to the KMS key is revoked.
amzKmsKeyAccessDeniedErrorMessage = "The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
)

var DefaultConfig = Config{
Expand Down Expand Up @@ -541,10 +538,9 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool {
return minio.ToErrorResponse(errors.Cause(err)).Code == "NoSuchKey"
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Bucket) IsCustomerManagedKeyError(err error) bool {
errResponse := minio.ToErrorResponse(errors.Cause(err))
return errResponse.Code == "AccessDenied" && errResponse.Message == amzKmsKeyAccessDeniedErrorMessage
// IsAccessDeniedErr returns true if access to object is denied.
func (b *Bucket) IsAccessDeniedErr(err error) bool {
return minio.ToErrorResponse(errors.Cause(err)).Code == "AccessDenied"
}

func (b *Bucket) Close() error { return nil }
Expand Down
6 changes: 3 additions & 3 deletions providers/swift/swift.go
Original file line number Diff line number Diff line change
Expand Up @@ -290,9 +290,9 @@ func (c *Container) IsObjNotFoundErr(err error) bool {
return errors.Is(err, swift.ObjectNotFound)
}

// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked.
func (b *Container) IsCustomerManagedKeyError(_ error) bool {
return false
// IsAccessDeniedErr returns true if access to object is denied.
func (c *Container) IsAccessDeniedErr(err error) bool {
return errors.Is(err, swift.Forbidden)
}

// Upload writes the contents of the reader as an object into the container.
Expand Down
4 changes: 2 additions & 2 deletions testing.go
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,6 @@ func (d *delayingBucket) IsObjNotFoundErr(err error) bool {
return d.bkt.IsObjNotFoundErr(err)
}

func (d *delayingBucket) IsCustomerManagedKeyError(err error) bool {
return d.bkt.IsCustomerManagedKeyError(err)
func (d *delayingBucket) IsAccessDeniedErr(err error) bool {
return d.bkt.IsAccessDeniedErr(err)
}
4 changes: 2 additions & 2 deletions tracing/opentelemetry/opentelemetry.go
Original file line number Diff line number Diff line change
Expand Up @@ -128,8 +128,8 @@ func (t TracingBucket) IsObjNotFoundErr(err error) bool {
return t.bkt.IsObjNotFoundErr(err)
}

func (t TracingBucket) IsCustomerManagedKeyError(err error) bool {
return t.bkt.IsCustomerManagedKeyError(err)
func (t TracingBucket) IsAccessDeniedErr(err error) bool {
return t.bkt.IsAccessDeniedErr(err)
}

func (t TracingBucket) WithExpectedErrs(expectedFunc objstore.IsOpFailureExpectedFunc) objstore.Bucket {
Expand Down
4 changes: 2 additions & 2 deletions tracing/opentracing/opentracing.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,8 +124,8 @@ func (t TracingBucket) IsObjNotFoundErr(err error) bool {
return t.bkt.IsObjNotFoundErr(err)
}

func (t TracingBucket) IsCustomerManagedKeyError(err error) bool {
return t.bkt.IsCustomerManagedKeyError(err)
func (t TracingBucket) IsAccessDeniedErr(err error) bool {
return t.bkt.IsAccessDeniedErr(err)
}

func (t TracingBucket) WithExpectedErrs(expectedFunc objstore.IsOpFailureExpectedFunc) objstore.Bucket {
Expand Down