Merge pull request #149 from ing-bank/feature/lineageFilter

whitelist user-agent for lineage

Author: kr7ysztof

src/it/scala/com/ing/wbaa/rokku/proxy/provider/LineageProviderAtlasItTest.scala

@@ -12,7 +12,7 @@ import org.scalatest.Assertion
 import org.scalatest.diagrams.Diagrams
 import org.scalatest.wordspec.AnyWordSpecLike
 
-import scala.concurrent.ExecutionContext
+import scala.concurrent.{ExecutionContext, TimeoutException}
 
 class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with EmbeddedKafka {
 
@@ -58,7 +58,7 @@ class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with Embe
         Thread.sleep(2000)
         createCustomTopic(createEventsTopic)
         apr.createLineageFromRequest(
-          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeObject"), userSTS, remoteClientIP)
+          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeObject").withHeaders(RawHeader("User-Agent", "aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
         val message = consumeFirstStringMessageFrom(createEventsTopic)
         assert(message.contains("external_object_in/fakeObject"))
       }
@@ -69,7 +69,7 @@ class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with Embe
       withRunningKafka {
         Thread.sleep(2000)
         apr.createLineageFromRequest(
-          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeTags").withHeaders(RawHeader("rokku-metadata", "k1=v1")), userSTS, remoteClientIP)
+          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeTags").withHeaders(RawHeader("rokku-metadata", "k1=v1"), RawHeader("User-Agent", "aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
         val message = consumeFirstStringMessageFrom(createEventsTopic)
         assert(message.contains("{\"awsTags\":[{\"attributes\":{\"key\":\"k1\",\"value\":\"v1\"},\"typeName\":\"aws_tag\"}]"))
       }
@@ -80,7 +80,7 @@ class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with Embe
       withRunningKafka {
         Thread.sleep(2000)
         apr.createLineageFromRequest(
-          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeTags").withHeaders(RawHeader("rokku-classifications", "customerPII,secret")), userSTS, remoteClientIP)
+          fakeIncomingHttpRequest(HttpMethods.PUT, "/fakeBucket/fakeTags").withHeaders(RawHeader("rokku-classifications", "customerPII,secret"), RawHeader("User-Agent", "aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
         val message = consumeFirstStringMessageFrom(createEventsTopic)
         assert(message.contains("\"classifications\":[{\"typeName\":\"customerPII\"},{\"typeName\":\"secret\"}]"))
       }
@@ -91,7 +91,7 @@ class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with Embe
       withRunningKafka {
         Thread.sleep(2000)
         apr.createLineageFromRequest(
-          fakeIncomingHttpRequest(HttpMethods.GET, "/fakeBucket/fakeObject"), userSTS, remoteClientIP)
+          fakeIncomingHttpRequest(HttpMethods.GET, "/fakeBucket/fakeObject").withHeaders(RawHeader("User-Agent", "aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
         val message = consumeFirstStringMessageFrom(createEventsTopic)
         assert(message.contains("external_object_out/fakeObject"))
       }
@@ -102,10 +102,20 @@ class LineageProviderAtlasItTest extends AnyWordSpecLike with Diagrams with Embe
       withRunningKafka {
         Thread.sleep(2000)
         apr.createLineageFromRequest(
-          fakeIncomingHttpRequest(HttpMethods.DELETE, "/fakeBucket/fakeObject"), userSTS, remoteClientIP)
+          fakeIncomingHttpRequest(HttpMethods.DELETE, "/fakeBucket/fakeObject")withHeaders(RawHeader("User-Agent", "aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
         val message = consumeFirstStringMessageFrom(createEventsTopic)
         assert(message.contains("fakeObject"))
       }
     }
+
+    "time out exception because the user agent is not whitelisted" in withLineageProviderAtlas() { apr =>
+      implicit val config = EmbeddedKafkaConfig(kafkaPort = testKafkaPort)
+      withRunningKafka {
+        Thread.sleep(2000)
+        apr.createLineageFromRequest(
+          fakeIncomingHttpRequest(HttpMethods.DELETE, "/fakeBucket/fakeObject")withHeaders(RawHeader("User-Agent", "no-aws-cli/1.16.68 Python/2.7")), userSTS, remoteClientIP)
+        assertThrows[TimeoutException](consumeFirstStringMessageFrom(createEventsTopic))
+      }
+    }
   }
 }

src/main/resources/application.conf

@@ -45,6 +45,7 @@ rokku {
 
     atlas {
         enabled = ${?ROKKU_ATLAS_ENABLED}
+        whitelistUserAgentSplitByComma = ${?ROKKU_ATLAS_WHITELIST_LOWERCASE_COMMA_SEPARATED_USER_AGENT}
     }
 
     kerberos {

src/main/resources/reference.conf

@@ -54,6 +54,7 @@ rokku {
 
     atlas {
         enabled = false
+        whitelistUserAgentSplitByComma = "aws-cli,boto3"
     }
 
     kerberos {

src/main/scala/com/ing/wbaa/rokku/proxy/provider/LineageProviderAtlas.scala

@@ -19,6 +19,8 @@ trait LineageProviderAtlas extends LineageHelpers {
 
   private val logger = new LoggerHandlerWithId
 
+  private val whitelistUserAgents = system.settings.config.getString("rokku.atlas.whitelistUserAgentSplitByComma").trim.split(",")
+
   def createLineageFromRequest(httpRequest: HttpRequest, userSTS: User, userIPs: UserIps)(implicit id: RequestId): Future[Done] = {
     val lineageHeaders = getLineageHeaders(httpRequest)
     val pseudoDir = lineageHeaders.pseduoDir
@@ -29,7 +31,9 @@ trait LineageProviderAtlas extends LineageHelpers {
 
     val extractObjectFromPath = bucketObject.getOrElse("").split("/").takeRight(1).mkString
 
-    if (lineageHeaders.bucket.length > 1) {
+    val isClientTypeWhitelisted = whitelistUserAgents.contains(lineageHeaders.clientType.getOrElse("").toLowerCase())
+
+    if (lineageHeaders.bucket.length > 1 && isClientTypeWhitelisted) {
       lineageHeaders.method match {
         // mb bucket
         case HttpMethods.PUT if !lineageHeaders.bucket.isEmpty && pseudoDir.isEmpty && bucketObject.isEmpty =>

src/test/scala/com/ing/wbaa/rokku/proxy/handler/RequestHandlerS3Spec.scala

@@ -2,25 +2,22 @@ package com.ing.wbaa.rokku.proxy.handler
 
 import akka.actor.ActorSystem
 import akka.http.scaladsl.model._
-import com.ing.wbaa.rokku.proxy.config.{ KafkaSettings, StorageS3Settings }
+import com.ing.wbaa.rokku.proxy.config.StorageS3Settings
 import com.ing.wbaa.rokku.proxy.data._
-import com.ing.wbaa.rokku.proxy.provider.LineageProviderAtlas
 import com.ing.wbaa.rokku.proxy.queue.MemoryUserRequestQueue
 import org.scalatest.diagrams.Diagrams
 import org.scalatest.wordspec.AsyncWordSpec
 
 import scala.concurrent.{ ExecutionContext, Future }
 
-class RequestHandlerS3Spec extends AsyncWordSpec with Diagrams with RequestHandlerS3 with LineageProviderAtlas with MemoryUserRequestQueue {
+class RequestHandlerS3Spec extends AsyncWordSpec with Diagrams with RequestHandlerS3 with MemoryUserRequestQueue {
 
   override implicit val system: ActorSystem = ActorSystem.create("test-system")
   override implicit val executionContext: ExecutionContext = system.dispatcher
   override val storageS3Settings: StorageS3Settings = new StorageS3Settings(system.settings.config) {
     override val storageS3Authority: Uri.Authority = Uri.Authority(Uri.Host("1.2.3.4"), 1234)
   }
 
-  override val kafkaSettings: KafkaSettings = new KafkaSettings(system.settings.config)
-
   implicit val requestId: RequestId = RequestId("test")
 
   var numFiredRequests = 0