From 439e099eaca3a56a83545af2afe2fcd154bb4b00 Mon Sep 17 00:00:00 2001
From: Siham Aissaoui
Date: Tue, 23 Apr 2024 15:40:00 +0200
Subject: [PATCH 1/2] feat(s3): add endpoints allowlist

---
 storage/s3.go | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/storage/s3.go b/storage/s3.go
index 1b07f3ce..18181919 100644
--- a/storage/s3.go
+++ b/storage/s3.go
@@ -5,6 +5,8 @@ import (
 	stderrors "errors"
 	"fmt"
 	"io"
+	"os"
+	"slices"
 	"strings"
 	"time"
 
@@ -302,12 +304,14 @@ func s3Config(cfg S3Config) aws.Config {
 		Credentials: credentials,
 	}
 	if cfg.Endpoint != "" {
-		config.EndpointResolverWithOptions = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
-			return aws.Endpoint{
-				URL:           "https://" + cfg.Endpoint,
-				SigningRegion: cfg.Region,
-			}, nil
-		})
+		if endpointIsAllowed(cfg.Endpoint) {
+			config.EndpointResolverWithOptions = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
+				return aws.Endpoint{
+					URL:           "https://" + cfg.Endpoint,
+					SigningRegion: cfg.Region,
+				}, nil
+			})
+		}
 	}
 
 	return config
@@ -316,3 +320,24 @@ func s3Config(cfg S3Config) aws.Config {
 func fullPath(path string) string {
 	return strings.TrimLeft("/"+path, "/")
 }
+
+func getAllowListFromEnv() []string {
+	s3EndpointsAllowList := os.Getenv("OBJECT_STORAGE_ALLOWLIST")
+	if s3EndpointsAllowList == "" {
+		log := logger.Default()
+		log.Warningln("S3 endpoint allowlist is not configured in your environment")
+		return nil
+	}
+	return strings.Split(s3EndpointsAllowList, ",")
+}
+
+func endpointIsAllowed(endpoint string) bool {
+	allowedEndpoints := getAllowListFromEnv()
+	if allowedEndpoints != nil {
+		return slices.IndexFunc(getAllowListFromEnv(), func(allowedEndpoint string) bool {
+			return strings.HasPrefix(endpoint, allowedEndpoint)
+		}) != -1
+	}
+
+	return true
+}
From fc47dc8bc9e4d68759ad5b313429dfc361df68af Mon Sep 17 00:00:00 2001
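Review bot: When endpointIsAllowed rejects cfg.Endpoint the new inner `if` silently leaves config.EndpointResolverWithOptions unset, so the returned aws.Config still carries the credentials but presumably resolves to the SDK's default endpoint instead of the configured one, and neither the caller nor the logs learn that the endpoint was dropped. Since s3Config returns only aws.Config, at minimum log the rejection on an else branch, `} else { logger.Default().Warningf("S3 endpoint %q is not in OBJECT_STORAGE_ALLOWLIST, ignoring it", cfg.Endpoint) }`; returning an error from s3Config would be the stronger fix but changes callers outside this hunk. s3Config starts before this hunk.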
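Review bot: endpointIsAllowed reads the environment twice: it stores getAllowListFromEnv() in allowedEndpoints for the nil check and then calls getAllowListFromEnv() again as the slice argument; use the stored value, `return slices.IndexFunc(allowedEndpoints, func(allowedEndpoint string) bool {` (patch 2's ContainsFunc hunk keeps the duplicate call). The match is a bare strings.HasPrefix on the raw entries, so an allowlist entry `s3.example.com` also accepts hosts such as `s3.example.com.other-domain.tld` or `s3.example.com:8443/anything`, and because strings.Split does not trim, a value like `a.example.com, b.example.com` yields the entry ` b.example.com` that never matches; compare the whole host against a trimmed entry, `return endpoint == strings.TrimSpace(allowedEndpoint)`, and anchor any deliberately broader match at a label boundary. An unset OBJECT_STORAGE_ALLOWLIST is fail-open (every endpoint is accepted after one warning); if that is intended, state it in a doc comment on endpointIsAllowed, e.g. `// endpointIsAllowed reports whether endpoint is listed in OBJECT_STORAGE_ALLOWLIST; an unset allowlist accepts every endpoint.`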
From: Siham Aissaoui
Date: Tue, 23 Apr 2024 15:41:20 +0200
Subject: [PATCH 2/2] fix(s3): update go version

---
 storage/go.mod | 2 +-
 storage/go.sum | 5 +++++
 storage/s3.go | 6 +++---
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/storage/go.mod b/storage/go.mod
index 986924df..71767660 100644
--- a/storage/go.mod
+++ b/storage/go.mod
@@ -1,6 +1,6 @@
 module github.com/Scalingo/go-utils/storage
 
-go 1.20
+go 1.21
 
 require (
 	github.com/Scalingo/go-utils/logger v1.2.0
diff --git a/storage/go.sum b/storage/go.sum
index 979f4f18..106d7dfc 100644
--- a/storage/go.sum
+++ b/storage/go.sum
@@ -37,6 +37,11 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+<<<<<<< HEAD
+=======
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+>>>>>>> 9ef694d (fix(s3): update go version)
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
diff --git a/storage/s3.go b/storage/s3.go
index 18181919..1bcc7f0a 100644
--- a/storage/s3.go
+++ b/storage/s3.go
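Review bot: The go.sum hunk commits merge-conflict markers — the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 9ef694d (fix(s3): update go version)` — so the checksum file is malformed (every go.sum line must be `module version hash`) and the go tool will presumably refuse to load the module. Keep only the two github.com/google/go-cmp v0.5.8 lines and drop the three marker lines, then re-run go mod tidy to confirm the file is consistent with go.mod.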
@@ -305,6 +305,7 @@ func s3Config(cfg S3Config) aws.Config {
 	}
 	if cfg.Endpoint != "" {
 		if endpointIsAllowed(cfg.Endpoint) {
+			//nolint:all // AWS v1 function is deprecated, switching to v2 requires a refactoring of the package
 			config.EndpointResolverWithOptions = aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
 				return aws.Endpoint{
 					URL:           "https://" + cfg.Endpoint,
@@ -334,10 +335,9 @@ func getAllowListFromEnv() []string {
 func endpointIsAllowed(endpoint string) bool {
 	allowedEndpoints := getAllowListFromEnv()
 	if allowedEndpoints != nil {
-		return slices.IndexFunc(getAllowListFromEnv(), func(allowedEndpoint string) bool {
+		return slices.ContainsFunc(getAllowListFromEnv(), func(allowedEndpoint string) bool {
 			return strings.HasPrefix(endpoint, allowedEndpoint)
-		}) != -1
+		})
 	}
-
 	return true
 }
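Review bot: `//nolint:all` on the resolver assignment suppresses every linter for that line, not just the deprecation finding the trailing comment explains; narrow it to the check that actually fires, `//nolint:staticcheck // aws.EndpointResolverWithOptionsFunc is deprecated, moving to the newer resolver requires a refactoring of the package`. The comment's "AWS v1 function" wording also looks off: the `aws.EndpointResolverWithOptionsFunc`/`aws.Endpoint` API used here appears to belong to the aws-sdk-go-v2 `aws` package, so it is v2's older endpoint-resolution mechanism that is deprecated, not a v1 SDK function — worth confirming against the import block, which is outside this hunk. s3Config starts and ends outside this hunk.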