Allow setting the acl for uploaded files (s3) (#204)

Gitii · web-flow · commit 751d665ddc50 · 2024-10-20T18:46:01.000-07:00
* Allow setting the acl for uploaded files (s3)

* rename option and set the acl when creating a bucket.

* add test

* (Not) Handle unknown pre-defined urls

* cleanup
diff --git a/doc/client-settings.md b/doc/client-settings.md
@@ -64,18 +64,19 @@ More options can be found in the [Azure.Identity README](https://github.com/Azur
 
 ## Amazon s3 specific properties
 
-| Property | Description |
-| --- | ------ |
-| profileName | AWS [credentials file](https://docs.aws.amazon.com/sdk-for-net/v2/developer-guide/net-dg-config-creds.html#creds-file) profile name. *[Cannot be used with accessKeyId or secretAccessKey]* |
-| accessKeyId | Access key id *[Cannot be used with profileName]* |
-| secretAccessKey | Secret access key *[Cannot be used with profileName]* |
-| bucketName | S3 bucket name *[Required]* |
-| region | S3 region *[Cannot be used with serviceURL]* |
-| serviceURL | S3 service URL *[Cannot be used with region]* |
-| path | Full URI of the storage bucket. If not specified a default URI will be used. |
-| feedSubPath | Provides a sub directory path within the bucket where the feed should be added. This allows for multiple feeds within a single bucket. |
-| serverSideEncryptionMethod | The encryption to use for uploaded objects. Only `AES256` and `None` are currently supported. Default is `None` |
-| compress | Compress JSON files with GZIP before uploading. Default is *true* |
+| Property                   | Description                                                                                                                                                                                                                                                                                                                  |
+|----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| profileName                | AWS [credentials file](https://docs.aws.amazon.com/sdk-for-net/v2/developer-guide/net-dg-config-creds.html#creds-file) profile name. *[Cannot be used with accessKeyId or secretAccessKey]*                                                                                                                                  |
+| accessKeyId                | Access key id *[Cannot be used with profileName]*                                                                                                                                                                                                                                                                            |
+| secretAccessKey            | Secret access key *[Cannot be used with profileName]*                                                                                                                                                                                                                                                                        |
+| bucketName                 | S3 bucket name *[Required]*                                                                                                                                                                                                                                                                                                  |
+| region                     | S3 region *[Cannot be used with serviceURL]*                                                                                                                                                                                                                                                                                 |
+| serviceURL                 | S3 service URL *[Cannot be used with region]*                                                                                                                                                                                                                                                                                |
+| path                       | Full URI of the storage bucket. If not specified a default URI will be used.                                                                                                                                                                                                                                                 |
+| feedSubPath                | Provides a sub directory path within the bucket where the feed should be added. This allows for multiple feeds within a single bucket.                                                                                                                                                                                       |
+| serverSideEncryptionMethod | The encryption to use for uploaded objects. Only `AES256` and `None` are currently supported. Default is `None`                                                                                                                                                                                                              |
+| compress                   | Compress JSON files with GZIP before uploading. Default is *true*                                                                                                                                                                                                                                                            |
+| acl                        | A acl can be set for uploaded files. By default, no specific canned acl is set and bucket defaults and/or policies are in effect. If the bucket is created by sleet and an acl is set, then the default bucket acl will be set to that acl. |
 
 Either `region` or `serviceURL` should be specified but not both.
 
diff --git a/src/SleetLib/FileSystem/AmazonS3File.cs b/src/SleetLib/FileSystem/AmazonS3File.cs
@@ -16,6 +16,7 @@ public class AmazonS3File : FileBase
         private readonly string key;
         private readonly bool compress = true;
         private readonly ServerSideEncryptionMethod serverSideEncryptionMethod;
+        private readonly S3CannedACL acl;
 
         internal AmazonS3File(
             AmazonS3FileSystem fileSystem,
@@ -26,14 +27,16 @@ internal AmazonS3File(
             string bucketName,
             string key,
             ServerSideEncryptionMethod serverSideEncryptionMethod,
-            bool compress = true)
+            bool compress = true,
+            S3CannedACL acl = null)
             : base(fileSystem, rootPath, displayPath, localCacheFile, fileSystem.LocalCache.PerfTracker)
         {
             this.client = client;
             this.bucketName = bucketName;
             this.key = key;
             this.compress = compress;
             this.serverSideEncryptionMethod = serverSideEncryptionMethod;
+            this.acl = acl;
         }
 
         protected override async Task CopyFromSource(ILogger log, CancellationToken token)
@@ -131,7 +134,7 @@ protected override async Task CopyToSource(ILogger log, CancellationToken token)
                     log.LogWarning($"Unknown file type: {absoluteUri}");
                 }
 
-                await UploadFileAsync(client, bucketName, key, contentType, contentEncoding, writeStream, serverSideEncryptionMethod, token)
+                await UploadFileAsync(client, bucketName, key, contentType, contentEncoding, writeStream, serverSideEncryptionMethod, acl, token)
                     .ConfigureAwait(false);
 
                 writeStream.Dispose();
diff --git a/src/SleetLib/FileSystem/AmazonS3FileSystem.cs b/src/SleetLib/FileSystem/AmazonS3FileSystem.cs
@@ -20,28 +20,30 @@ public class AmazonS3FileSystem : FileSystemBase
         private readonly IAmazonS3 _client;
         private readonly bool _compress;
         private readonly ServerSideEncryptionMethod _serverSideEncryptionMethod;
+        private readonly S3CannedACL _acl;
 
         private bool? _hasBucket;
 
-        public AmazonS3FileSystem(LocalCache cache, Uri root, IAmazonS3 client, string bucketName)
-            : this(cache, root, root, client, bucketName, ServerSideEncryptionMethod.None)
+        public AmazonS3FileSystem(LocalCache cache, Uri root, IAmazonS3 client, string bucketName, string acl)
+            : this(cache, root, root, client, bucketName, ServerSideEncryptionMethod.None, acl: acl)
         {
         }
 
-        public AmazonS3FileSystem(
-            LocalCache cache,
+        public AmazonS3FileSystem(LocalCache cache,
             Uri root,
             Uri baseUri,
             IAmazonS3 client,
             string bucketName,
             ServerSideEncryptionMethod serverSideEncryptionMethod,
             string feedSubPath = null,
-            bool compress = true)
+            bool compress = true,
+            S3CannedACL acl = null)
             : base(cache, root, baseUri)
         {
             _client = client;
             _bucketName = bucketName;
             _serverSideEncryptionMethod = serverSideEncryptionMethod;
+            _acl = acl;
 
             if (!string.IsNullOrEmpty(feedSubPath))
             {
@@ -117,7 +119,7 @@ public override async Task<IReadOnlyList<ISleetFile>> GetFiles(ILogger log, Canc
         private ISleetFile CreateAmazonS3File(SleetUriPair pair)
         {
             var key = GetRelativePath(pair.Root);
-            return new AmazonS3File(this, pair.Root, pair.BaseURI, LocalCache.GetNewTempPath(), _client, _bucketName, key, _serverSideEncryptionMethod, _compress);
+            return new AmazonS3File(this, pair.Root, pair.BaseURI, LocalCache.GetNewTempPath(), _client, _bucketName, key, _serverSideEncryptionMethod, _compress, _acl);
         }
 
         public override string GetRelativePath(Uri uri)
@@ -176,6 +178,12 @@ public override async Task CreateBucket(ILogger log, CancellationToken token)
                 // Set the public policy to public read-only
                 await Retry(SetBucketPolicy, log, token);
 
+                // Set the default acl of the bucket. Must not conflict with the public access policy.
+                if (_acl != null)
+                {
+                    await Retry(SetBucketAcl, log, token);
+                }
+
                 // Get and release the lock to ensure that everything will work for the next operation.
                 // In the E2E tests there are often failures due to the bucket saying it is not available
                 // even though the above checks passed. To work around this wait until a file can be
@@ -223,6 +231,18 @@ private Task SetOwnership(ILogger log, CancellationToken token)
             return _client.PutBucketOwnershipControlsAsync(ownerReq, token);
         }
 
+        // Set the default acl of the bucket.
+        private Task SetBucketAcl(ILogger log, CancellationToken token)
+        {
+            var aclReq = new PutACLRequest()
+            {
+                BucketName = _bucketName,
+                CannedACL = _acl
+            };
+
+            return _client.PutACLAsync(aclReq, token);
+        }
+
         // Remove public access blocks to allow public policies.
         private Task SetPublicAccessBlocks(ILogger log, CancellationToken token)
         {
diff --git a/src/SleetLib/FileSystem/AmazonS3FileSystemAbstraction.cs b/src/SleetLib/FileSystem/AmazonS3FileSystemAbstraction.cs
@@ -131,6 +131,7 @@ public static async Task UploadFileAsync(
             string contentEncoding,
             Stream reader,
             ServerSideEncryptionMethod serverSideEncryptionMethod,
+            S3CannedACL acl,
             CancellationToken token)
         {
             var transferUtility = new TransferUtility(client);
@@ -158,6 +159,11 @@ public static async Task UploadFileAsync(
             if (contentEncoding != null)
                 request.Headers.ContentEncoding = contentEncoding;
 
+            if (acl != null)
+            {
+                request.CannedACL = acl;
+            }
+
             using (transferUtility)
                 await transferUtility.UploadAsync(request, token).ConfigureAwait(false);
         }
diff --git a/src/SleetLib/FileSystem/FileSystemFactory.cs b/src/SleetLib/FileSystem/FileSystemFactory.cs
@@ -100,6 +100,7 @@ public static async Task<ISleetFileSystem> CreateFileSystemAsync(LocalSettings s
                         var serviceURL = JsonUtility.GetValueCaseInsensitive(sourceEntry, "serviceURL");
                         var serverSideEncryptionMethod = JsonUtility.GetValueCaseInsensitive(sourceEntry, "serverSideEncryptionMethod") ?? "None";
                         var compress = JsonUtility.GetBoolCaseInsensitive(sourceEntry, "compress", true);
+                        var acl = JsonUtility.GetValueCaseInsensitive(sourceEntry, "acl");
 
                         if (string.IsNullOrEmpty(bucketName))
                         {
@@ -120,6 +121,12 @@ public static async Task<ISleetFileSystem> CreateFileSystemAsync(LocalSettings s
                             throw new ArgumentException("Only 'None' or 'AES256' are currently supported for serverSideEncryptionMethod");
                         }
 
+                        S3CannedACL resolvedAcl = null;
+                        if (acl != null)
+                        {
+                            resolvedAcl = S3CannedACL.FindValue(acl);
+                        }
+
                         // Use the SDK value
                         var serverSideEncryptionMethodValue = ServerSideEncryptionMethod.None;
                         if (serverSideEncryptionMethod == "AES256")
@@ -183,7 +190,7 @@ public static async Task<ISleetFileSystem> CreateFileSystemAsync(LocalSettings s
                         }
                         // Load credentials from an ECS docker container
                         // Check if the env var GenericContainerCredentials.RelativeURIEnvVariable exists
-                        // Previously this used ECSTaskCredentials.RelativeURIEnvVariable but that was 
+                        // Previously this used ECSTaskCredentials.RelativeURIEnvVariable but that was
                         // deprecated and the property is now internal on GenericContainerCredentials
                         else if (
                             !string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")))
@@ -229,7 +236,9 @@ public static async Task<ISleetFileSystem> CreateFileSystemAsync(LocalSettings s
                             bucketName,
                             serverSideEncryptionMethodValue,
                             feedSubPath,
-                            compress);
+                            compress,
+                            resolvedAcl
+                        );
                     }
                 }
             }
diff --git a/test/Sleet.AmazonS3.Tests/AmazonS3TestContext.cs b/test/Sleet.AmazonS3.Tests/AmazonS3TestContext.cs
@@ -18,7 +18,7 @@ public class AmazonS3TestContext : IDisposable
 
         private bool cleanupDone = false;
 
-        public AmazonS3TestContext()
+        public AmazonS3TestContext(string acl = null)
         {
             BucketName = $"sleet-test-{Guid.NewGuid().ToString()}";
             LocalCache = new LocalCache();
@@ -35,7 +35,7 @@ public AmazonS3TestContext()
             Client = new AmazonS3Client(accessKeyId, secretAccessKey, config);
             Uri = AmazonS3Utility.GetBucketPath(BucketName, region);
 
-            FileSystem = new AmazonS3FileSystem(LocalCache, Uri, Client, BucketName);
+            FileSystem = new AmazonS3FileSystem(LocalCache, Uri, Client, BucketName, acl);
             Logger = new TestLogger();
         }
 
diff --git a/test/Sleet.AmazonS3.Tests/BasicTests.cs b/test/Sleet.AmazonS3.Tests/BasicTests.cs
@@ -102,6 +102,37 @@ public async Task GivenAStorageAccountWithNoContainerVerifyPushSucceeds()
             }
         }
 
+        [EnvVarExistsFact(AmazonS3TestContext.EnvAccessKeyId)]
+        public async Task GivenAStorageAccountWithNoContainerPublicAclVerifyPushSucceeds()
+        {
+            using (var packagesFolder = new TestFolder())
+            using (var testContext = new AmazonS3TestContext(acl: "public-read"))
+            {
+                // Skip creation and allow it to be done during push.
+                testContext.CreateBucketOnInit = false;
+
+                await testContext.InitAsync();
+
+                var testPackage = new TestNupkg("packageA", "1.0.0");
+                var zipFile = testPackage.Save(packagesFolder.Root);
+
+                var result = await PushCommand.RunAsync(testContext.LocalSettings,
+                    testContext.FileSystem,
+                    new List<string>() { zipFile.FullName },
+                    force: false,
+                    skipExisting: false,
+                    log: testContext.Logger);
+
+                result &= await ValidateCommand.RunAsync(testContext.LocalSettings,
+                    testContext.FileSystem,
+                    testContext.Logger);
+
+                result.Should().BeTrue();
+
+                await testContext.CleanupAsync();
+            }
+        }
+
         [EnvVarExistsFact(AmazonS3TestContext.EnvAccessKeyId)]
         public async Task GivenAStorageAccountWithNoInitVerifyPushSucceeds()
         {

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ public class AmazonS3TestContext : IDisposable`
`18`	`18`
`19`	`19`	`private bool cleanupDone = false;`
`20`	`20`
`21`		`- public AmazonS3TestContext()`
	`21`	`+ public AmazonS3TestContext(string acl = null)`
`22`	`22`	`{`
`23`	`23`	`BucketName = $"sleet-test-{Guid.NewGuid().ToString()}";`
`24`	`24`	`LocalCache = new LocalCache();`
`@@ -35,7 +35,7 @@ public AmazonS3TestContext()`
`35`	`35`	`Client = new AmazonS3Client(accessKeyId, secretAccessKey, config);`
`36`	`36`	`Uri = AmazonS3Utility.GetBucketPath(BucketName, region);`
`37`	`37`
`38`		`- FileSystem = new AmazonS3FileSystem(LocalCache, Uri, Client, BucketName);`
	`38`	`+ FileSystem = new AmazonS3FileSystem(LocalCache, Uri, Client, BucketName, acl);`
`39`	`39`	`Logger = new TestLogger();`
`40`	`40`	`}`
`41`	`41`