pkg/linksharing/sharing: support blocking specific paths

Change-Id: I98814522033bd487eb7c47e92c69526c4c24625b
storj · Nov 8, 2024 · c5d7f96 · c5d7f96
1 parent 41c5357
commit c5d7f96
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/cmd/linksharing/config.yaml.lock b/cmd/linksharing/config.yaml.lock
@@ -28,6 +28,9 @@ auth-service.timeout: 10s
 # auth token for giving access to the auth service
 auth-service.token: ""
 
+# a comma separated list of hosts and request uris to return unauthorized errors for. e.g. link.storjshare.io/raw/accesskey/bucket/path1
+# blocked-paths: ""
+
 # server certificate file
 cert-file: ""
 

diff --git a/cmd/linksharing/main.go b/cmd/linksharing/main.go
@@ -56,6 +56,7 @@ type LinkSharing struct {
 	DynamicAssetsDir       string        `help:"use a assets dir that is reparsed for every request" default:""`
 	ConcurrentRequestLimit int           `help:"the number of concurrent requests total to allow" default:"40000"`
 	ConcurrentRequestWait  bool          `help:"if true, wait until a slot opens. if false, return 429" default:"false"`
+	BlockedPaths           string        `help:"a comma separated list of hosts and request uris to return unauthorized errors for. e.g. link.storjshare.io/raw/accesskey/bucket/path1"`
 
 	Client struct {
 		Identity uplinkutil.IdentityConfig
@@ -217,6 +218,7 @@ func cmdRun(cmd *cobra.Command, args []string) (err error) {
 			ListPageLimit:          runCfg.ListPageLimit,
 			ConcurrentRequestLimit: runCfg.ConcurrentRequestLimit,
 			ConcurrentRequestWait:  runCfg.ConcurrentRequestWait,
+			BlockedPaths:           strings.Split(runCfg.BlockedPaths, ","),
 		},
 		GeoLocationDB: runCfg.GeoLocationDB,
 		ShutdownDelay: runCfg.ShutdownDelay,

diff --git a/pkg/linksharing/sharing/handler.go b/pkg/linksharing/sharing/handler.go
@@ -153,6 +153,10 @@ type Config struct {
 	ConcurrentRequestLimit int
 	// ConcurrentRequestWait if true will make requests wait for a free slot instead of returning 429 (the default, false).
 	ConcurrentRequestWait bool
+
+	// BlockedPaths are requests that will return unauthorized errors. Each entry in this slice
+	// is of the host and the URI on that host concatenated.
+	BlockedPaths []string
 }
 
 // ConnectionPoolConfig is a config struct for configuring RPC connection pool options.
@@ -186,6 +190,7 @@ type Handler struct {
 	listPageLimit          int
 	concurrentRequests     *semaphore.Weighted
 	concurrentRequestWait  bool
+	blockedPaths           map[string]bool
 }
 
 // NewHandler creates a new link sharing HTTP handler.
@@ -296,6 +301,13 @@ func NewHandler(log *zap.Logger, mapper *objectmap.IPDB, txtRecords *TXTRecords,
 		concurrentRequests = semaphore.NewWeighted(int64(config.ConcurrentRequestLimit))
 	}
 
+	blockedPaths := make(map[string]bool, len(config.BlockedPaths))
+	for _, path := range config.BlockedPaths {
+		if len(path) > 0 {
+			blockedPaths[path] = true
+		}
+	}
+
 	return &Handler{
 		log:                    log,
 		urlBases:               bases,
@@ -316,6 +328,7 @@ func NewHandler(log *zap.Logger, mapper *objectmap.IPDB, txtRecords *TXTRecords,
 		listPageLimit:          config.ListPageLimit,
 		concurrentRequests:     concurrentRequests,
 		concurrentRequestWait:  config.ConcurrentRequestWait,
+		blockedPaths:           blockedPaths,
 	}, nil
 }
 
@@ -445,6 +458,10 @@ func (handler *Handler) serveHTTP(ctx context.Context, w http.ResponseWriter, r
 	}
 	handler.cors(ctx, w, r)
 
+	if handler.blockedPaths[r.Host+r.URL.Path] {
+		return errdata.WithStatus(errs.New("blocked url"), http.StatusUnauthorized)
+	}
+
 	done, err := handler.rateLimit(ctx)
 	if err != nil {
 		return errdata.WithStatus(err, http.StatusTooManyRequests)