bf: ZENKO-835 do not replicate lifecycle actions

All actions coming from lifecycle (or potentially any service account)
are not replicated anymore. This applies now to delete markers created
by lifecycle expiration rules.

Author: jonathan-gramain

conf/authdata.json

@@ -41,5 +41,16 @@
             "access": "replicationKey1",
             "secret": "replicationSecretKey1"
         }]
+    },
+    {
+        "name": "Lifecycle",
+        "email": "[email protected]",
+        "arn": "arn:aws:iam::123456789016:root",
+        "canonicalID": "http://acs.zenko.io/accounts/service/lifecycle",
+        "shortid": "123456789016",
+        "keys": [{
+            "access": "lifecycleKey1",
+            "secret": "lifecycleSecretKey1"
+        }]
     }]
 }

lib/api/apiUtils/object/createAndStoreObject.js

@@ -107,7 +107,8 @@ function createAndStoreObject(bucketName, bucketMD, objectKey, objMD, authInfo,
         size,
         headers,
         isDeleteMarker,
-        replicationInfo: getReplicationInfo(objectKey, bucketMD, false, size),
+        replicationInfo: getReplicationInfo(
+            objectKey, bucketMD, false, size, null, null, authInfo),
         log,
     };
     if (!isDeleteMarker) {

lib/api/apiUtils/object/getReplicationInfo.js

@@ -1,5 +1,6 @@
 const s3config = require('../../../Config').config;
 const constants = require('../../../../constants');
+const { isBackbeatUser } = require('../authorization/aclChecks');
 
 function _getBackend(objectMD, site) {
     const backends = objectMD ? objectMD.replicationInfo.backends : [];
@@ -68,14 +69,26 @@ function _getReplicationInfo(rule, replicationConfig, content, operationType,
  * @param {boolean} objSize - The size, in bytes, of the object being PUT
  * @param {string} operationType - The type of operation to replicate
  * @param {object} objectMD - The object metadata
+ * @param {AuthInfo} [authInfo] - authentication info of object owner
  * @return {undefined}
  */
 function getReplicationInfo(objKey, bucketMD, isMD, objSize, operationType,
-    objectMD) {
+    objectMD, authInfo) {
     const content = isMD || objSize === 0 ? ['METADATA'] : ['DATA', 'METADATA'];
     const config = bucketMD.getReplicationConfiguration();
-    // If bucket does not have a replication configuration, do not replicate.
-    if (config) {
+
+    // Do not replicate object in the following cases:
+    //
+    // - bucket does not have a replication configuration
+    //
+    // - replication configuration does not apply to the object
+    //   (i.e. no rule matches object prefix)
+    //
+    // - object owner is an internal service account like Lifecycle
+    //   (because we do not want to replicate objects created from
+    //   actions triggered by internal services, by design)
+
+    if (config && (!authInfo || !isBackbeatUser(authInfo.getCanonicalID()))) {
         const rule = config.rules.find(rule => objKey.startsWith(rule.prefix));
         if (rule) {
             return _getReplicationInfo(rule, config, content, operationType,

tests/unit/api/objectReplicationMD.js

@@ -19,9 +19,9 @@ const objectPutTagging = require('../../../lib/api/objectPutTagging');
 const objectDeleteTagging = require('../../../lib/api/objectDeleteTagging');
 
 const log = new DummyRequestLogger();
-const canonicalID = 'accessKey1';
-const authInfo = makeAuthInfo(canonicalID);
+const authInfo = makeAuthInfo('accessKey1');
 const ownerID = authInfo.getCanonicalID();
+const authInfoLifecycleService = makeAuthInfo('lifecycleKey1');
 const namespace = 'default';
 const bucketName = 'source-bucket';
 const mpuShadowBucket = `${constants.mpuBucketPrefix}${bucketName}`;
@@ -381,6 +381,22 @@ describe('Replication object MD without bucket replication config', () => {
                 return done();
             }));
 
+        it('should not update metadata if putting a delete marker owned by ' +
+        'Lifecycle service account', done =>
+            async.series([
+                next => putObjectAndCheckMD(keyA, newReplicationMD, next),
+                next => objectDelete(authInfoLifecycleService, deleteReq,
+                                     log, next),
+            ], err => {
+                if (err) {
+                    return done(err);
+                }
+                const objectMD = metadata.keyMaps.get(bucketName).get(keyA);
+                assert.strictEqual(objectMD.isDeleteMarker, true);
+                checkObjectReplicationInfo(keyA, emptyReplicationMD);
+                return done();
+            }));
+
         describe('Object tagging', () => {
             beforeEach(done => async.series([
                 next => putObjectAndCheckMD(keyA, newReplicationMD, next),

tests/unit/helpers.js

@@ -69,6 +69,7 @@ function makeAuthInfo(accessKey) {
             + 'cd47ef2be',
         accessKey2: '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7'
             + 'cd47ef2bf',
+        lifecycleKey1: '0123456789abcdef/lifecycle',
         default: crypto.randomBytes(32).toString('hex'),
     };
     canIdMap[constants.publicId] = constants.publicId;