feat(middleware-bucket-endpoint): implement hostname population from ARN

Author: AllanZhengYP

packages/middleware-bucket-endpoint/src/bucketArnUtils.spec.ts

@@ -0,0 +1,5 @@
+describe("parseAccessPointArn", () => {
+  it("test", () => {
+    expect(1).toBe(1);
+  });
+});

packages/middleware-bucket-endpoint/src/bucketArnUtils.ts

@@ -1,12 +1,14 @@
 import { ARN } from "@aws-sdk/util-arn-parser";
 
+import { ArnHostnameParameters } from "./bucketHostname";
+
 export interface AccessPointArn extends ARN {
   accessPointName: string;
 }
 
 interface RequestOptions {
   clientRegion: string;
-  requestSuffix: string;
+  clientPartition: string;
   useArnRegion: boolean;
 }
 
@@ -16,16 +18,19 @@ export const parseAccessPointArn = (arn: ARN, requestOptions: RequestOptions): A
     throw new Error("expect 's3' in access point ARN service component");
   }
   validateRegion(region, { ...requestOptions });
+  validatePartition(partition, { ...requestOptions });
   validateAccountId(accountId);
   const [, accessPointName] = parseAccessPointResource(resource);
+  validateDNSHostLabel(`${accessPointName}-${accountId}`);
   return {
     ...arn,
     accessPointName,
   };
 };
 
-const validatePartition = (partition: string, options: { requestSuffix: string }) => {
-  if (options.requestSuffix) {
+const validatePartition = (partition: string, options: { clientPartition: string }) => {
+  if (partition !== options.clientPartition) {
+    throw new Error(`Partition in ARN is incompatible, got ${partition} but expected ${options.clientPartition}`);
   }
 };
 
@@ -39,18 +44,39 @@ const validateRegion = (
   if (region === "") {
     throw new Error("Access point ARN region is empty");
   }
-  if (isFipsPseudoRegion(options.clientRegion) && !options.useArnRegion) {
+  if (!options.useArnRegion && !isEqualRegions(region, options.clientRegion)) {
+    throw new Error(`Region in ARN is incompatible, got ${region} but expected ${options.clientRegion}`);
+  }
+  if (options.useArnRegion && isFipsRegion(region)) {
+    throw new Error("Region in ARN is a FIPS region");
   }
 };
 
-const isFipsPseudoRegion = (region: string) => region.startsWith("fips-") || region.endsWith("-fips");
+const isFipsRegion = (region: string) => region.startsWith("fips-") || region.endsWith("-fips");
+
+const getPseudoRegion = (region: string) => region.replace(/fips-|-fips/, "");
+
+const isEqualRegions = (regionA: string, regionB: string) =>
+  regionA === regionB || getPseudoRegion(regionA) === regionB || regionA === getPseudoRegion(regionB);
 
 const validateAccountId = (accountId: string) => {
   if (!/[0-9]{12}/.exec(accountId)) {
     throw new Error("Access point ARN accountID does not match regex '[0-9]{12}'");
   }
 };
 
+const validateDNSHostLabel = (label: string) => {
+  // reference: https://tools.ietf.org/html/rfc3986#section-3.2.2
+  if (
+    label.length >= 64 ||
+    !/^[a-z0-9][a-z0-9.-]+[a-z0-9]$/.test(label) ||
+    /(\d+\.){3}\d+/.test(label) ||
+    /[.-]{2}/.test(label)
+  ) {
+    throw new Error(`Invalid DNS label ${label}.`);
+  }
+};
+
 const parseAccessPointResource = (resource: string): [string, string] => {
   if (resource.indexOf("accesspoint:") !== 0 && resource.indexOf("accesspoint/") !== 0) {
     throw new Error("Access point ARN resource should begin with 'accesspoint/'");
@@ -62,4 +88,22 @@ const parseAccessPointResource = (resource: string): [string, string] => {
   return parsedResource as [string, string];
 };
 
-//TODO: The SDK must validate that populated {accesspoint-name}-{account-id} endpoint prefix results in a RFC 3986 Host label.
+export const populateAccessPointEndpoint = (
+  arn: AccessPointArn,
+  options: ArnHostnameParameters & { requestSuffix: string }
+): string => {
+  const { pathStyleEndpoint, dualstackEndpoint, accelerateEndpoint, tlsCompatible } = options;
+  if (pathStyleEndpoint) {
+    throw new Error("Path-style S3 endpoint is not supported when bucket is an Access Point ARN");
+  }
+  if (accelerateEndpoint) {
+    throw new Error("Accelerate is not supported when bucket is an Access Point ARN");
+  }
+  if (!tlsCompatible) {
+    throw new Error("Access Point can only be used with https");
+  }
+  const { accessPointName, accountId, region } = arn;
+  return `${accessPointName}-${accountId}.s3-accesspoint${dualstackEndpoint ? ".dualstack" : ""}.${region}.${
+    options.requestSuffix
+  }`;
+};

packages/middleware-bucket-endpoint/src/bucketEndpointMiddleware.spec.ts

@@ -14,14 +14,21 @@ describe("bucketEndpointMiddleware", () => {
     path: "/bucket",
   };
   const next = jest.fn();
+  const previouslyResolvedConfig = {
+    region: () => Promise.resolve("us-foo-1"),
+    regionInfoProvider: () => Promise.resolve({ hostname: "foo.us-foo-1.amazonaws.com" }),
+  };
 
   beforeEach(() => {
     next.mockClear();
   });
 
   it("should convert the request provided into one directed to a virtual hosted-style endpoint", async () => {
     const request = new HttpRequest(requestInput);
-    const handler = bucketEndpointMiddleware(resolveBucketEndpointConfig({}))(next, {} as any);
+    const handler = bucketEndpointMiddleware(resolveBucketEndpointConfig({ ...previouslyResolvedConfig }))(
+      next,
+      {} as any
+    );
     await handler({ input, request });
 
     const {
@@ -38,6 +45,7 @@ describe("bucketEndpointMiddleware", () => {
     const request = new HttpRequest(requestInput);
     const handler = bucketEndpointMiddleware(
       resolveBucketEndpointConfig({
+        ...previouslyResolvedConfig,
         forcePathStyle: true,
       })
     )(next, {} as any);
@@ -57,6 +65,7 @@ describe("bucketEndpointMiddleware", () => {
     const request = new HttpRequest(requestInput);
     const handler = bucketEndpointMiddleware(
       resolveBucketEndpointConfig({
+        ...previouslyResolvedConfig,
         bucketEndpoint: true,
       })
     )(next, {} as any);
@@ -77,6 +86,7 @@ describe("bucketEndpointMiddleware", () => {
     const request = new HttpRequest(requestInput);
     const handler = bucketEndpointMiddleware(
       resolveBucketEndpointConfig({
+        ...previouslyResolvedConfig,
         useAccelerateEndpoint: true,
       })
     )(next, {} as any);
@@ -96,6 +106,7 @@ describe("bucketEndpointMiddleware", () => {
     const request = new HttpRequest(requestInput);
     const handler = bucketEndpointMiddleware(
       resolveBucketEndpointConfig({
+        ...previouslyResolvedConfig,
         useDualstackEndpoint: true,
       })
     )(next, {} as any);
@@ -115,6 +126,7 @@ describe("bucketEndpointMiddleware", () => {
     const request = new HttpRequest(requestInput);
     const handler = bucketEndpointMiddleware(
       resolveBucketEndpointConfig({
+        ...previouslyResolvedConfig,
         useAccelerateEndpoint: true,
         useDualstackEndpoint: true,
       })

packages/middleware-bucket-endpoint/src/bucketEndpointMiddleware.ts

@@ -10,7 +10,6 @@ import {
 } from "@aws-sdk/types";
 import { parse as parseArn, validate as validateArn } from "@aws-sdk/util-arn-parser";
 
-// import { parseArn } from "./bucketArnUtils";
 import { bucketHostname } from "./bucketHostname";
 import { BucketEndpointResolvedConfig } from "./configurations";
 
@@ -25,6 +24,7 @@ export function bucketEndpointMiddleware(options: BucketEndpointResolvedConfig):
       if (options.bucketEndpoint) {
         request.hostname = bucketName;
       } else {
+        const clientRegion = await options.region();
         const { hostname, bucketEndpoint } = bucketHostname({
           bucketName: validateArn(bucketName) ? parseArn(bucketName) : bucketName,
           baseHostname: request.hostname,
@@ -33,6 +33,8 @@ export function bucketEndpointMiddleware(options: BucketEndpointResolvedConfig):
           pathStyleEndpoint: options.forcePathStyle,
           tlsCompatible: request.protocol === "https:",
           useArnRegion: await options.useArnRegion(),
+          clientRegion,
+          clientPartition: (await options.regionInfoProvider(clientRegion))?.partition,
         });
 
         request.hostname = hostname;

packages/middleware-bucket-endpoint/src/bucketHostname.ts

@@ -1,6 +1,7 @@
-import { ARN } from "@aws-sdk/util-arn-parser";
+import { ARN } from "@aws-sdk/util-arn-parser/src";
 
-import { AccessPointArn } from "./bucketArnUtils";
+import { parseAccessPointArn } from "./bucketArnUtils";
+import { populateAccessPointEndpoint } from "./bucketArnUtils";
 
 const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9\.\-]{1,61}[a-z0-9]$/;
 const IP_ADDRESS_PATTERN = /(\d+\.){3}\d+/;
@@ -11,28 +12,53 @@ const S3_US_EAST_1_ALTNAME_PATTERN = /^s3(-external-1)?\.amazonaws\.com$/;
 const AWS_PARTITION_SUFFIX = "amazonaws.com";
 
 export interface BucketHostnameParameters {
-  accelerateEndpoint?: boolean;
   baseHostname: string;
-  bucketName: string | ARN;
+  bucketName: string;
+  accelerateEndpoint?: boolean;
   dualstackEndpoint?: boolean;
   pathStyleEndpoint?: boolean;
   tlsCompatible?: boolean;
-  useArnRegion?: boolean;
 }
 
+export interface ArnHostnameParameters extends Omit<BucketHostnameParameters, "bucketName"> {
+  bucketName: ARN;
+  clientRegion: string;
+  useArnRegion: boolean;
+  clientPartition?: string;
+}
+
+const isBucketNameOptions = (
+  options: BucketHostnameParameters | ArnHostnameParameters
+): options is BucketHostnameParameters => typeof options.bucketName === "string";
+
 export interface BucketHostname {
   hostname: string;
   bucketEndpoint: boolean;
 }
 
-export function bucketHostname({
+export const bucketHostname = (options: BucketHostnameParameters | ArnHostnameParameters): BucketHostname => {
+  if (isBucketNameOptions(options)) {
+    // Construct endpoint when bucketName is a string referring to a bucket name
+    return getEndpointFromBucketName(options);
+  } else {
+    // Construct endpoint when bucketName is an ARN referring to an S3 resource like Access Point
+    const accessPointArn = parseAccessPointArn(options.bucketName, { ...options, clientPartition: "aws" });
+    const [, requestSuffix] = partitionSuffix(options.baseHostname);
+    return {
+      bucketEndpoint: true,
+      hostname: populateAccessPointEndpoint(accessPointArn, { ...options, requestSuffix }),
+    };
+  }
+};
+
+const getEndpointFromBucketName = ({
   accelerateEndpoint = false,
   baseHostname,
   bucketName,
   dualstackEndpoint = false,
   pathStyleEndpoint = false,
   tlsCompatible = true,
-}: BucketHostnameParameters): BucketHostname {
+}: BucketHostnameParameters): BucketHostname => {
   if (!S3_HOSTNAME_PATTERN.test(baseHostname)) {
     return {
       bucketEndpoint: false,
@@ -44,31 +70,24 @@ export function bucketHostname({
     ? ["us-east-1", AWS_PARTITION_SUFFIX]
     : partitionSuffix(baseHostname);
 
-  if (typeof bucketName === "string") {
-    if (
-      pathStyleEndpoint ||
-      !isDnsCompatibleBucketName(bucketName) ||
-      (tlsCompatible && DOT_PATTERN.test(bucketName))
-    ) {
-      return {
-        bucketEndpoint: false,
-        hostname: dualstackEndpoint ? `s3.dualstack.${region}.${hostnameSuffix}` : baseHostname,
-      };
-    }
-
-    if (accelerateEndpoint) {
-      baseHostname = `s3-accelerate${dualstackEndpoint ? ".dualstack" : ""}.${hostnameSuffix}`;
-    } else if (dualstackEndpoint) {
-      baseHostname = `s3.dualstack.${region}.${hostnameSuffix}`;
-    }
-
+  if (pathStyleEndpoint || !isDnsCompatibleBucketName(bucketName) || (tlsCompatible && DOT_PATTERN.test(bucketName))) {
     return {
-      bucketEndpoint: true,
-      hostname: `${bucketName}.${baseHostname}`,
+      bucketEndpoint: false,
+      hostname: dualstackEndpoint ? `s3.dualstack.${region}.${hostnameSuffix}` : baseHostname,
     };
-  } else {
   }
-}
+
+  if (accelerateEndpoint) {
+    baseHostname = `s3-accelerate${dualstackEndpoint ? ".dualstack" : ""}.${hostnameSuffix}`;
+  } else if (dualstackEndpoint) {
+    baseHostname = `s3.dualstack.${region}.${hostnameSuffix}`;
+  }
+
+  return {
+    bucketEndpoint: true,
+    hostname: `${bucketName}.${baseHostname}`,
+  };
+};
 
 /**
  * Determines whether a given string is DNS compliant per the rules outlined by
@@ -77,12 +96,10 @@ export function bucketHostname({
  *
  * @see https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
  */
-function isDnsCompatibleBucketName(bucketName: string): boolean {
-  return DOMAIN_PATTERN.test(bucketName) && !IP_ADDRESS_PATTERN.test(bucketName) && !DOTS_PATTERN.test(bucketName);
-}
-
-function partitionSuffix(hostname: string): [string, string] {
-  const parts = hostname.match(S3_HOSTNAME_PATTERN);
+const isDnsCompatibleBucketName = (bucketName: string): boolean =>
+  DOMAIN_PATTERN.test(bucketName) && !IP_ADDRESS_PATTERN.test(bucketName) && !DOTS_PATTERN.test(bucketName);
 
+const partitionSuffix = (hostname: string): [string, string] => {
+  const parts = hostname.match(S3_HOSTNAME_PATTERN)!;
   return [parts[2], hostname.replace(new RegExp(`^${parts[0]}`), "")];
-}
+};

packages/middleware-bucket-endpoint/src/configurations.ts

@@ -1,5 +1,5 @@
 import { LoadedConfigSelectors } from "@aws-sdk/node-config-provider";
-import { Provider } from "@aws-sdk/types";
+import { Provider, RegionInfoProvider } from "@aws-sdk/types";
 
 export interface BucketEndpointInputConfig {
   /**
@@ -24,15 +24,24 @@ export interface BucketEndpointInputConfig {
   useArnRegion?: boolean | Provider<boolean>;
 }
 
+interface PreviouslyResolved {
+  region: Provider<string>;
+  regionInfoProvider: RegionInfoProvider;
+}
+
 export interface BucketEndpointResolvedConfig {
   bucketEndpoint: boolean;
   forcePathStyle: boolean;
   useAccelerateEndpoint: boolean;
   useDualstackEndpoint: boolean;
   useArnRegion: Provider<boolean>;
+  region: Provider<string>;
+  regionInfoProvider: RegionInfoProvider;
 }
 
-export function resolveBucketEndpointConfig<T>(input: T & BucketEndpointInputConfig): T & BucketEndpointResolvedConfig {
+export function resolveBucketEndpointConfig<T>(
+  input: T & PreviouslyResolved & BucketEndpointInputConfig
+): T & BucketEndpointResolvedConfig {
   const {
     bucketEndpoint = false,
     forcePathStyle = false,