adding header handling in routeVeam + unit tests #6022
Conversation
Hello benzekrimaha,My role is to assist you with the merge of this Available options
Available commands
Status report is not available. |
f43c0fa to
44da717
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files
@@ Coverage Diff @@
## development/9.0 #6022 +/- ##
===================================================
+ Coverage 83.38% 83.39% +0.01%
===================================================
Files 189 189
Lines 12199 12208 +9
===================================================
+ Hits 10172 10181 +9
Misses 2027 2027
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
44da717 to
51810dd
Compare
09d2c63 to
b6a169d
Compare
lib/routes/routeVeeam.js
Outdated
| // Deletion requires that the tags of the object are returned. | ||
| if (requestQueryParams && Object.keys(requestQueryParams).length > 0 | ||
| && !(method === 'GET' && (requestQueryParams['X-Amz-Credential'] || ('tagging' in requestQueryParams)))) { | ||
| const queryKeys = Object.keys(requestQueryParams || {}); |
There was a problem hiding this comment.
Here we parse 3 times the requestQueryParams with same logic (lowerCase then compare). We can maybe do eveything in one shot if this route is performance sensitive ?
There was a problem hiding this comment.
Possibly this, and also considering an early return based on the length of queryKeys or requestQueryParams ?
lib/routes/routeVeeam.js
Outdated
| if (allowedSdkQueryKeys.has(lowerKey)) { | ||
| return false; | ||
| } | ||
| if (lowerKey.startsWith('x-amz-sdk-')) { |
There was a problem hiding this comment.
Why this one and not the array at the top ? Why are we more permissive here ?
There was a problem hiding this comment.
The startsWith('x-amz-sdk-') check is a defensive fallback: AWS SDKs occasionally adds new telemetry keys under that namespace, and I wanted to avoid blocking a future patch release that introduces, say, x-amz-sdk-language if we’d rather force every key to be enumerated explicitly, I can drop the prefix guard and expand the array whenever we encounter a new one. let me know what you think
lib/routes/routeVeeam.js
Outdated
| const xIdValue = _getQueryValueCaseInsensitive(requestQueryParams, 'x-id'); | ||
| if (xIdValue && xIdValue !== apiToAction[method]) { | ||
| return errorInstances.InvalidRequest | ||
| .customizeDescription('The Veeam SOSAPI folder does not support this action.'); |
There was a problem hiding this comment.
Is veeam as strict as AWS regarding errors messages, or can we customize it some more ? :
"the x-id value you provided in the query parameter: xxx, is unexpected, it should be be xxx for this api"
There was a problem hiding this comment.
As nothing was specified I'd rather keep it that way in this PR , we can work on better error logging later on as today we only have this kind of errors
lib/routes/routeVeeam.js
Outdated
| // Reject any unsupported request, but allow downloads and deletes from UI | ||
| // Download relies on GETs calls with auth in query parameters, that can be | ||
| // checked if 'X-Amz-Credential' is included. | ||
| // Deletion requires that the tags of the object are returned. |
There was a problem hiding this comment.
This older comment is mentioning that this logic is used to allow certains apis to go through.
It mentions the Deletion apis requiring tagging. But the logic later checks that the value of method is GET. Will this work when the method is DELETE ? I see in your tests you added 3 tests that are all PutObject, I say let's test it with a DeleteObject too
There was a problem hiding this comment.
More general comment and follow up : I find it hard to reason about both the previous logic and the new one, as these logic try to fit all apis at the same time, with long if checking for method type, different headers. For example, the tagging check I only useful for the DeleteObjects if I understood correctly.
What would happen if if later we had another constraint to deal with that only applies to one of the 5 apis
Considering that we have a nice enum list "apiToAction" of all possible apis that this router will handle, I would add a function with an exhaustive switch statement to treat all 5 apis separately.
I also understand that we may not have time to do this
There was a problem hiding this comment.
I think the comment about the delete is missleading, i think this comment is still talking about the Get api, and saying that the get method should return tags in order to be able to perform the deletion later. But the way and the place where its written makes it look like we want to allow DELETE apis. anyways
There was a problem hiding this comment.
Before we touched it, the route rejected every non-GET request that carried any query parameters.That’s why our PUT started failing as soon as the SDK v3 appended ?x-id=…. The change simply teaches the validator that x-id (and the handful of SDK telemetry keys) are acceptable, while keeping the old rule for everything else.
lib/routes/routeVeeam.js
Outdated
| && (_hasQueryKeyCaseInsensitive(requestQueryParams, 'X-Amz-Credential') | ||
| || _hasQueryKeyCaseInsensitive(requestQueryParams, 'tagging'))); | ||
|
|
||
| if (!isPresignedGet && queryKeys.length > 0) { |
There was a problem hiding this comment.
With the previous logic, having !isPresignedGet && queryKeys.length > 0 was enough to return an error.
Can we return an error directly here, and do the check unsupportedKeys right after, because here the 2 are mixed but I think it's not necessary ?
SylvainSenechal
left a comment
There was a problem hiding this comment.
Some comments, I think no need for a bigger refactoring, but some simplifications could be possible ? + adding a test with method different than GET
lib/routes/routeVeeam.js
Outdated
| } | ||
| return true; | ||
| }); | ||
| if (unsupportedKeys.length > 0) { |
There was a problem hiding this comment.
Wait so here, if the api ever receive any query different than the ones listed in allowedSdkQueryKeys, we will block the apis ? Isn't it risky because it forces us to be exhaustive in the list of allowed keys, are we sure this list is now complete ?
There was a problem hiding this comment.
Before we touched it, the route rejected every non-GET request that carried any query parameters.That’s why our PUT started failing as soon as the SDK v3 appended ?x-id=…. The change simply teaches the validator that x-id (and the handful of SDK telemetry keys) are acceptable, while keeping the old rule for everything else. For the list I tried to make it as exhaustive as possible with everything I could find on official documentations
| assert.strictEqual(err, undefined); | ||
| }); | ||
|
|
||
| it('should allow AWS SDK auxiliary x-amz-sdk-* query params on PUT for system.xml', () => { |
There was a problem hiding this comment.
nit: could add a test with a wrong param x-iamwrong ?
There was a problem hiding this comment.
we're already testing a wrong value here => 51810dd#diff-7d9febf34141ec8f0c48580a4e9e899f15f34227d9ecc39fcda6c5392e87f581R108, isn't it over testing to add other headers as we already know that we reject them directly ?
There was a problem hiding this comment.
looking at all the branches in the code, more tests are needed : e.g. having "presigned" headers, on GET or otherwise, different case for headers, ...
a6c3afc to
64e9ffe
Compare
.github/pykmip/Dockerfile
Outdated
| cd pykmip && \ | ||
| python3 setup.py install && \ | ||
| pip3 install . && \ | ||
| cd / && \ |
There was a problem hiding this comment.
why do we need to cd / ?
everything afterwards uses absolute path...
| git clone https://github.com/openkmip/pykmip.git && \ | ||
| cd pykmip && \ | ||
| python3 setup.py install && \ | ||
| pip3 install . && \ |
There was a problem hiding this comment.
what is the reason for the build failure? Is there a new release of pykmip?
should the fix not include specifying the version of pykmip that we checkout, so we avoid unexpected behavior changes (or incompatibility when it requires a newer version of python...) ?
There was a problem hiding this comment.
The build was failing in the python3 setup.py install step when building pykmip from the GitHub repo on python:3.10-alpine (the setup.py invocation was exiting with status 1). There isn’t a new PyPI release of pykmip; we’re building from the GitHub repo because the latest fixes we need are only there (the last tagged release is still 0.10.0).
There was a problem hiding this comment.
if we need a specific SHA1, we can (and should!) specify it anyway; and add a comment explaining why we don't use the release / ...
| assert.strictEqual(err, undefined); | ||
| }); | ||
|
|
||
| it('should allow AWS SDK auxiliary x-amz-sdk-* query params on PUT for system.xml', () => { |
There was a problem hiding this comment.
looking at all the branches in the code, more tests are needed : e.g. having "presigned" headers, on GET or otherwise, different case for headers, ...
|
branch is not up-to-date with upstream development/9.0 : needs to be rebase and resolve conflicts... |
792b0a0 to
5c30e2a
Compare
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
| git clone https://github.com/openkmip/pykmip.git && \ | ||
| cd pykmip && \ | ||
| python3 setup.py install && \ | ||
| pip3 install . && \ |
There was a problem hiding this comment.
if we need a specific SHA1, we can (and should!) specify it anyway; and add a comment explaining why we don't use the release / ...
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
9205b41 to
af2fd5f
Compare
This commit aims to add the handling of additional headers for Veeam routes in the CloudServer. The change actually enables requests with automatically added headers by the sdk to not be directly rejectded. Issue: CLDSRV-806
The image build was failing because we were trying to install pykmip with python v2 (setup.py install uses python command which points to python v2 by default in alpine image). This change checks out the latest commit and installs pykmip with pip3 as this is the one now supported by pykmip. Issue: CLDSRV-806
af2fd5f to
963edb9
Compare
fcb0bfe to
55ea857
Compare
|
/create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_integration_branches |
|
/create_pull_requests |
Integration data createdI have created the integration data for the additional destination branches.
The following branches will NOT be impacted:
Follow integration pull requests if you would like to be notified of The following options are set: create_pull_requests, create_integration_branches |
Waiting for approvalThe following approvals are needed before I can proceed with the merge:
The following options are set: create_pull_requests, create_integration_branches |
|
/approve |
|
I have successfully merged the changeset of this pull request
The following branches have NOT changed:
Please check the status of the associated issue CLDSRV-806. Goodbye benzekrimaha. The following options are set: approve, create_pull_requests, create_integration_branches |
Issue: CLDSRV-806