Add a map instead of if

Author: matthiasL-scality

conf/nginx.conf.template

@@ -154,6 +154,19 @@ http {
   #
   include /etc/nginx/mimetypes.map;
 
+  # Determine the backend for /builds/ rewrites.
+  # CLI clients (no "Mozilla" in User-Agent) are redirected to a presigned S3
+  # URL (/redirect/). Browser clients and HEAD requests always proxy through
+  # nginx (/download/).
+  # The map key combines method and User-Agent so HEAD takes priority over the
+  # UA check (first matching regex wins).
+  #
+  map "$request_method:$http_user_agent" $builds_backend {
+      ~^HEAD:       /download/;   # HEAD wins regardless of UA
+      ~*:.*mozilla  /download/;   # Browser UA → proxy through nginx
+      default       /redirect/;   # CLI client → presigned S3 redirect
+  }
+
   server {
     # Use plain HTTP, as we are on a private network.
     #
@@ -251,15 +264,8 @@ http {
     # URL and download directly from S3. Browser clients keep the original
     # proxied-through-nginx behaviour (/download/).
     # Directory listings (trailing slash) always go to /download/.
+    # $builds_backend is set by the map directive in the http block above.
     #
-    set $builds_backend "/download/";
-    if ($http_user_agent !~* "Mozilla") {
-      set $builds_backend "/redirect/";
-    }
-    # HEAD requests are metadata checks, not downloads: always proxy directly.
-    if ($request_method = "HEAD") {
-      set $builds_backend "/download/";
-    }
     rewrite ^/builds/([^/]+/.+[^/])$ $builds_backend$1 last;
     rewrite ^/builds/(.*)$ /download/$1 last;
 

tests/end2end/test_routing.py

@@ -1,13 +1,20 @@
-"""Tests that verify which S3 bucket each build type is stored in.
+"""Tests that verify which S3 bucket each build type is stored in, and that
+the /builds/ endpoint routes to the correct backend depending on User-Agent
+and HTTP method.
 
-Artifacts routes uploads to one of three buckets based on the build name:
+Bucket routing based on build name:
   *:staging-*   → artifacts-staging
   *:promoted-*  → artifacts-promoted
   anything else → artifacts-prolonged
 
 Uploads via the artifacts API only accept staging build names (nginx regex
 enforces this).  For promoted/prolonged builds we insert objects directly via
 the S3 client and verify the artifacts download API can still retrieve them.
+
+/builds/ backend routing:
+  GET  + non-Mozilla UA  → /redirect/ → 302 presigned S3 URL
+  GET  + Mozilla UA      → /download/ → 200 proxied
+  HEAD + any UA          → /download/ → 200 proxied (HEAD is always direct)
 """
 
 import pytest
@@ -67,6 +74,39 @@ def test_prolonged_build_downloadable_from_prolonged_bucket(
     assert resp.content == b'notes'
 
 
+def test_builds_cli_ua_redirects_to_presigned_url(upload_file, session, artifacts_url):
+    """GET /builds/ with a non-Mozilla UA is rewritten to /redirect/ → 302."""
+    upload_file(STAGING_BUILD, 'file.txt')
+    resp = session.get(
+        f'{artifacts_url}/builds/{STAGING_BUILD}/file.txt',
+        headers={'User-Agent': 'curl/7.83.1'},
+        allow_redirects=False,
+    )
+    assert resp.status_code == 302
+
+
+def test_builds_browser_ua_proxied_directly(upload_file, session, artifacts_url):
+    """GET /builds/ with a Mozilla UA is rewritten to /download/ → 200 proxied."""
+    upload_file(STAGING_BUILD, 'file.txt')
+    resp = session.get(
+        f'{artifacts_url}/builds/{STAGING_BUILD}/file.txt',
+        headers={'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)'},
+        allow_redirects=False,
+    )
+    assert resp.status_code == 200
+
+
+def test_builds_head_always_proxied_regardless_of_ua(upload_file, session, artifacts_url):
+    """HEAD /builds/ with a non-Mozilla UA is still rewritten to /download/ → 200."""
+    upload_file(STAGING_BUILD, 'file.txt')
+    resp = session.head(
+        f'{artifacts_url}/builds/{STAGING_BUILD}/file.txt',
+        headers={'User-Agent': 'curl/7.83.1'},
+        allow_redirects=False,
+    )
+    assert resp.status_code == 200
+
+
 def test_staging_build_not_visible_from_promoted_bucket(
     session, artifacts_url, s3_client
 ):