Add tests for auto bucket region on priv/pubic bucket

Signed-off-by: Tiger Kaovilai <[email protected]>

Author: kaovilai

Makefile

@@ -141,7 +141,7 @@ test: vet envtest ## Run unit tests; run Go linters checks; check if api and bun
 	@make check-go-dependencies
 
 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
-GOLANGCI_LINT_VERSION ?= v1.55.2
+GOLANGCI_LINT_VERSION ?= v1.64.8 # go1.24 requires at least v1.64.4 to work on gci
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)

go.mod

@@ -26,8 +26,8 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/config v1.26.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.26
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
 	github.com/deckarep/golang-set/v2 v2.3.0
@@ -42,8 +42,8 @@ require (
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.26 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect

pkg/storage/aws/s3.go

@@ -6,8 +6,8 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go/aws/request"
@@ -32,12 +32,14 @@ func GetBucketRegion(bucket string) (string, error) {
 	// Also set to use anonymous credentials. If the bucket is private, this function would not work unless we modify it to take credentials.
 	cfg, err := config.LoadDefaultConfig(context.Background(),
 		config.WithRegion("us-east-1"), // This is not default region being used, this is to specify a region hinting server that we will use to get region from.
-		config.WithCredentialsProvider(aws.AnonymousCredentials{}),
 	)
 	if err != nil {
 		return "", err
 	}
-	region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket)
+	region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket, func(o *s3.Options) {
+		// TODO: get creds from bsl
+		o.Credentials = credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "") // this works with private buckets.. why? supposed to require cred with s3:ListBucket https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
+	})
 	if region != "" {
 		return region, nil
 	}

pkg/storage/aws/s3_test.go

@@ -14,12 +14,31 @@ func TestGetBucketRegion(t *testing.T) {
 		wantErr bool
 	}{
 		{
+			// Public bucket should work anonymously, policy below
+			// {
+			// 	"Version": "2012-10-17",
+			// 	"Statement": [
+			// 		{
+			// 			"Sid": "publicList",
+			// 			"Effect": "Allow",
+			// 			"Principal": "*",
+			// 			"Action": "s3:ListBucket",
+			// 			"Resource": "arn:aws:s3:::openshift-velero-plugin-s3-auto-region-test-1"
+			// 		}
+			// 	]
+			// }
+			// ❯ aws s3api head-bucket --bucket openshift-velero-plugin-s3-auto-region-test-1 --no-sign-request
+			// {
+			//     "BucketRegion": "us-east-1",
+			//     "AccessPointAlias": false
+			// }
 			name:    "openshift-velero-plugin-s3-auto-region-test-1",
 			bucket:  "openshift-velero-plugin-s3-auto-region-test-1",
 			region:  "us-east-1",
 			wantErr: false,
 		},
 		{
+			// Private bucket do not require creds per email with AWS, not a concern
 			name:    "openshift-velero-plugin-s3-auto-region-test-2",
 			bucket:  "openshift-velero-plugin-s3-auto-region-test-2",
 			region:  "us-west-1",
@@ -42,6 +61,7 @@ func TestGetBucketRegion(t *testing.T) {
 			bucket:  "velero-6109f5e9711c8c58131acdd2f490f451",
 			region:  "us-east-1",
 			wantErr: false,
+			// TODO: add creds usage here.
 		},
 	}
 	for _, tt := range tests {