Merge pull request #2869 from coreos-inc/joseph.schorr/QS-2/cloudfront

CloudFront redirect support
2017-09-29 12:08:50 -04:00 · 2017-09-29 12:08:50 -04:00 · 82e09d6f16
commit 82e09d6f16
parent 5613582695 96827e2b60
27 changed files with 388 additions and 29 deletions
--- a/5
+++ b/5
@ -19,7 +19,7 @@ RUN virtualenv --distribute venv \
    && venv/bin/pip freeze
 # Install front-end dependencies
-# JS depedencies
+# JS dependencies
 COPY yarn.lock package.json tsconfig.json webpack.config.js tslint.json ./
 RUN yarn install --ignore-engines
@ -31,6 +31,9 @@ RUN yarn build \
 COPY . .
 # Update local copy of AWS IP Ranges.
 RUN curl https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver/aws-ip-ranges.json
 # Set up the init system
 RUN mkdir -p /etc/my_init.d /etc/systlog-ng /usr/local/bin /etc/monit static/fonts static/ldn /usr/local/nginx/logs/ \
    && cp $QUAYCONF/init/*.sh /etc/my_init.d/ \
--- a/app.py
+++ b/app.py
@ -35,6 +35,7 @@ from oauth.loginmanager import OAuthLoginManager
 from storage import Storage
 from util.log import filter_logs
 from util import get_app_url
 from util.ipresolver import IPResolver
 from util.saas.analytics import Analytics
 from util.saas.useranalytics import UserAnalytics
 from util.saas.exceptionlog import Sentry
@ -195,7 +196,8 @@ prometheus = PrometheusPlugin(app)
 metric_queue = MetricQueue(prometheus)
 chunk_cleanup_queue = WorkQueue(app.config['CHUNK_CLEANUP_QUEUE_NAME'], tf, metric_queue=metric_queue)
 instance_keys = InstanceKeys(app)
-storage = Storage(app, metric_queue, chunk_cleanup_queue, instance_keys)
+ip_resolver = IPResolver(app)
 storage = Storage(app, metric_queue, chunk_cleanup_queue, instance_keys, config_provider, ip_resolver)
 userfiles = Userfiles(app, storage)
 log_archive = LogArchive(app, storage)
 analytics = Analytics(app)
--- a/conf/init/service/interactive/ipresolverupdateworker/log/run
+++ b/conf/init/service/interactive/ipresolverupdateworker/log/run
@ -0,0 +1,7 @@
 #!/bin/sh
 # Ensure dependencies start before the logger
 sv check syslog-ng > /dev/null || exit 1
 # Start the logger
 exec logger -i -t ipresolverupdateworker
--- a/conf/init/service/interactive/ipresolverupdateworker/run
+++ b/conf/init/service/interactive/ipresolverupdateworker/run
@ -0,0 +1,9 @@
 #! /bin/bash
 echo 'Starting ip resolver update worker'
 QUAYPATH=${QUAYPATH:-"."}
 cd ${QUAYDIR:-"/"}
 PYTHONPATH=$QUAYPATH venv/bin/python -m workers.ipresolverupdateworker 2>&1
 echo 'IP resolver update  worker exited'
--- a/data/userfiles.py
+++ b/data/userfiles.py
@ -107,7 +107,8 @@ class DelegateUserfiles(object):
  def get_file_url(self, file_id, expires_in=300, requires_cors=False):
    path = self.get_file_id_path(file_id)
-    url = self._storage.get_direct_download_url(self._locations, path, expires_in, requires_cors)
+    url = self._storage.get_direct_download_url(self._locations, path, request.remote_addr, expires_in,
                                                requires_cors)
    if url is None:
      if self._handler_name is None:
--- a/endpoints/appr/cnr_backend.py
+++ b/endpoints/appr/cnr_backend.py
@ -6,6 +6,7 @@ from cnr.models.channel_base import ChannelBase
 from cnr.models.db_base import CnrDB
 from cnr.models.package_base import PackageBase, manifest_media_type
 from flask import request
 from app import storage
 from endpoints.appr.models_oci import model
@ -36,7 +37,7 @@ class Blob(BlobBase):
    locations = model.get_blob_locations(digest)
    if not locations:
      raise_package_not_found(package_name, digest)
-    return storage.get_direct_download_url(locations, blobpath)
+    return storage.get_direct_download_url(locations, blobpath, request.remote_addr)
 class Channel(ChannelBase):
--- a/endpoints/v1/registry.py
+++ b/endpoints/v1/registry.py
@ -132,7 +132,7 @@ def get_image_layer(namespace, repository, image_id, headers):
      abort(404, 'Image %(image_id)s not found', issue='unknown-image', image_id=image_id)
    try:
      logger.debug('Looking up the direct download URL for path: %s', path)
-      direct_download_url = store.get_direct_download_url(locations, path)
+      direct_download_url = store.get_direct_download_url(locations, path, request.remote_addr)
      if direct_download_url:
        logger.debug('Returning direct download URL')
        resp = redirect(direct_download_url)
--- a/endpoints/v2/blob.py
+++ b/endpoints/v2/blob.py
@ -83,7 +83,7 @@ def download_blob(namespace_name, repo_name, digest):
  # Short-circuit by redirecting if the storage supports it.
  logger.debug('Looking up the direct download URL for path: %s', path)
-  direct_download_url = storage.get_direct_download_url(blob.locations, path)
+  direct_download_url = storage.get_direct_download_url(blob.locations, path, request.remote_addr)
  if direct_download_url:
    logger.debug('Returning direct download URL')
    resp = redirect(direct_download_url)
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@ -23,10 +23,12 @@ bencode
 bintrees
 bitmath
 boto
 boto3
 cachetools==1.1.6
 cryptography
 flask
 flask-restful
 geoip2
 gevent
 gipc
 gunicorn<19.0
@ -40,6 +42,7 @@ mixpanel
 mock
 moto==0.4.25 # remove when 0.4.28+ is out
 namedlist
 netaddr
 pathvalidate
 peewee==2.8.1
 psutil
--- a/requirements.txt
+++ b/requirements.txt
@ -23,6 +23,7 @@ bintrees==2.0.6
 bitmath==1.3.1.2
 blinker==1.4
 boto==2.46.1
 boto3==1.4.7
 cachetools==1.1.6
 certifi==2017.4.17
 cffi==1.10.0
@ -43,6 +44,7 @@ functools32==3.2.3.post2
 furl==1.0.0
 future==0.16.0
 futures==3.0.5
 geoip2==2.5.0
 gevent==1.2.1
 gipc==0.6.0
 greenlet==0.4.12
--- a/storage/init.py
+++ b/storage/init.py
@ -1,5 +1,5 @@
 from storage.local import LocalStorage
-from storage.cloud import S3Storage, GoogleCloudStorage, RadosGWStorage
+from storage.cloud import S3Storage, GoogleCloudStorage, RadosGWStorage, CloudFrontedS3Storage
 from storage.fakestorage import FakeStorage
 from storage.distributedstorage import DistributedStorage
 from storage.swift import SwiftStorage
@ -11,39 +11,44 @@ STORAGE_DRIVER_CLASSES = {
  'GoogleCloudStorage': GoogleCloudStorage,
  'RadosGWStorage': RadosGWStorage,
  'SwiftStorage': SwiftStorage,
  'CloudFrontedS3Storage': CloudFrontedS3Storage,
 }
-def get_storage_driver(location, metric_queue, chunk_cleanup_queue, storage_params):
+def get_storage_driver(location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver, storage_params):
  """ Returns a storage driver class for the given storage configuration
      (a pair of string name and a dict of parameters). """
  driver = storage_params[0]
  parameters = storage_params[1]
  driver_class = STORAGE_DRIVER_CLASSES.get(driver, FakeStorage)
-  context = StorageContext(location, metric_queue, chunk_cleanup_queue)
+  context = StorageContext(location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver)
  return driver_class(context, **parameters)
 class StorageContext(object):
-  def __init__(self, location, metric_queue, chunk_cleanup_queue):
+  def __init__(self, location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver):
    self.location = location
    self.metric_queue = metric_queue
    self.chunk_cleanup_queue = chunk_cleanup_queue
    self.config_provider = config_provider
    self.ip_resolver = ip_resolver
 class Storage(object):
-  def __init__(self, app=None, metric_queue=None, chunk_cleanup_queue=None, instance_keys=None):
+  def __init__(self, app=None, metric_queue=None, chunk_cleanup_queue=None, instance_keys=None,
               config_provider=None, ip_resolver=None):
    self.app = app
    if app is not None:
-      self.state = self.init_app(app, metric_queue, chunk_cleanup_queue, instance_keys)
+      self.state = self.init_app(app, metric_queue, chunk_cleanup_queue, instance_keys,
                                 config_provider, ip_resolver)
    else:
      self.state = None
-  def init_app(self, app, metric_queue, chunk_cleanup_queue, instance_keys):
+  def init_app(self, app, metric_queue, chunk_cleanup_queue, instance_keys, config_provider, ip_resolver):
    storages = {}
    for location, storage_params in app.config.get('DISTRIBUTED_STORAGE_CONFIG').items():
      storages[location] = get_storage_driver(location, metric_queue, chunk_cleanup_queue,
-                                              storage_params)
+                                              config_provider, ip_resolver, storage_params)
    preference = app.config.get('DISTRIBUTED_STORAGE_PREFERENCE', None)
    if not preference:
--- a/storage/basestorage.py
+++ b/storage/basestorage.py
@ -49,7 +49,7 @@ class BaseStorage(StoragePaths):
    if not self.exists('_verify'):
      raise Exception('Could not find verification file')
-  def get_direct_download_url(self, path, expires_in=60, requires_cors=False, head=False):
+  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    return None
  def get_direct_upload_url(self, path, mime_type, requires_cors=True):
--- a/storage/cloud.py
+++ b/storage/cloud.py
@ -3,8 +3,17 @@ import os
 import logging
 import copy
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import padding
 from cachetools import lru_cache
 from itertools import chain
 from datetime import datetime, timedelta
 from botocore.signers import CloudFrontSigner
 from boto.exception import S3ResponseError
 import boto.s3.connection
 import boto.s3.multipart
@ -119,7 +128,7 @@ class _CloudStorage(BaseStorageV2):
  def get_supports_resumable_downloads(self):
    return True
-  def get_direct_download_url(self, path, expires_in=60, requires_cors=False, head=False):
+  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    self._initialize_cloud_conn()
    path = self._init_path(path)
    k = self._key_class(self._cloud_bucket, path)
@ -568,11 +577,11 @@ class RadosGWStorage(_CloudStorage):
                                         storage_path, bucket_name, access_key, secret_key)
  # TODO remove when radosgw supports cors: http://tracker.ceph.com/issues/8718#change-38624
-  def get_direct_download_url(self, path, expires_in=60, requires_cors=False, head=False):
+  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    if requires_cors:
      return None
-    return super(RadosGWStorage, self).get_direct_download_url(path, expires_in, requires_cors,
+    return super(RadosGWStorage, self).get_direct_download_url(path, request_ip, expires_in, requires_cors,
                                                               head)
  # TODO remove when radosgw supports cors: http://tracker.ceph.com/issues/8718#change-38624
@ -590,3 +599,58 @@ class RadosGWStorage(_CloudStorage):
    # See https://github.com/ceph/ceph/pull/5139
    chunk_list = self._chunk_list_from_metadata(storage_metadata)
    self._client_side_chunk_join(final_path, chunk_list)
 class CloudFrontedS3Storage(S3Storage):
  """ An S3Storage engine that redirects to CloudFront for all requests outside of AWS. """
  def __init__(self, context, cloudfront_distribution_domain, cloudfront_key_id,
               cloudfront_privatekey_filename, storage_path, s3_bucket, *args, **kwargs):
    super(CloudFrontedS3Storage, self).__init__(context, storage_path, s3_bucket, *args, **kwargs)
    self.cloudfront_distribution_domain = cloudfront_distribution_domain
    self.cloudfront_key_id = cloudfront_key_id
    self.cloudfront_privatekey = self._load_private_key(cloudfront_privatekey_filename)
  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    logger.debug('Got direct download request for path "%s" with IP "%s"', path, request_ip)
    if request_ip is not None:
      # Lookup the IP address in our resolution table and determine whether it is under AWS. If it is,
      # then return an S3 signed URL, since we are in-network.
      resolved_ip_info = self._context.ip_resolver.resolve_ip(request_ip)
      logger.debug('Resolved IP information for IP %s: %s', request_ip, resolved_ip_info)
      if resolved_ip_info and resolved_ip_info.provider == 'aws':
        return super(CloudFrontedS3Storage, self).get_direct_download_url(path, request_ip, expires_in, requires_cors,
                                                                          head)
    url = 'https://%s/%s' % (self.cloudfront_distribution_domain, path)
    expire_date = datetime.now() + timedelta(seconds=expires_in)
    signer = self._get_cloudfront_signer()
    signed_url = signer.generate_presigned_url(url, date_less_than=expire_date)
    logger.debug('Returning CloudFront URL for path "%s" with IP "%s": %s', path, resolved_ip_info, signed_url)
    return signed_url
  @lru_cache(maxsize=1)
  def _get_cloudfront_signer(self):
    return CloudFrontSigner(self.cloudfront_key_id, self._get_rsa_signer())
  @lru_cache(maxsize=1)
  def _get_rsa_signer(self):
    private_key = self.cloudfront_privatekey
    def handler(message):
      signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1())
      signer.update(message)
      return signer.finalize()
    return handler
  @lru_cache(maxsize=1)
  def _load_private_key(self, cloudfront_privatekey_filename):
    """ Returns the private key, loaded from the config provider, used to sign direct
        download URLs to CloudFront.
    """
    with self._context.config_provider.get_volume_file(cloudfront_privatekey_filename) as key_file:
        return serialization.load_pem_private_key(
            key_file.read(),
            password=None,
            backend=default_backend()
        )
--- a/storage/distributedstorage.py
+++ b/storage/distributedstorage.py
@ -56,9 +56,9 @@ class DistributedStorage(StoragePaths):
  cancel_chunked_upload = _location_aware(BaseStorageV2.cancel_chunked_upload)
-  def get_direct_download_url(self, locations, path, expires_in=600, requires_cors=False,
+  def get_direct_download_url(self, locations, path, request_ip=None, expires_in=600, requires_cors=False,
                              head=False):
-    download_url = self._get_direct_download_url(locations, path, expires_in, requires_cors, head)
+    download_url = self._get_direct_download_url(locations, path, request_ip, expires_in, requires_cors, head)
    if download_url is None:
      return None
--- a/storage/fakestorage.py
+++ b/storage/fakestorage.py
@ -15,7 +15,7 @@ class FakeStorage(BaseStorageV2):
  def _init_path(self, path=None, create=False):
    return path
-  def get_direct_download_url(self, path, expires_in=60, requires_cors=False, head=False):
+  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    try:
      if self.get_content('supports_direct_download') == 'true':
        return 'http://somefakeurl?goes=here'
--- a/storage/swift.py
+++ b/storage/swift.py
@ -147,7 +147,7 @@ class SwiftStorage(BaseStorage):
      logger.exception('Could not head object at path %s: %s', path, ex)
      return None
-  def get_direct_download_url(self, object_path, expires_in=60, requires_cors=False, head=False):
+  def get_direct_download_url(self, object_path, request_ip=None, expires_in=60, requires_cors=False, head=False):
    if requires_cors:
      return None
--- a/storage/test/test_cloudfront.py
+++ b/storage/test/test_cloudfront.py
@ -0,0 +1,54 @@
 import pytest
 from contextlib import contextmanager
 from mock import patch
 from moto import mock_s3
 import boto
 from app import config_provider
 from storage import CloudFrontedS3Storage, StorageContext
 from util.ipresolver import IPResolver
 from util.ipresolver.test.test_ipresolver import test_aws_ip, aws_ip_range_data
 from test.fixtures import *
 _TEST_CONTENT = os.urandom(1024)
 _TEST_BUCKET = 'some_bucket'
 _TEST_USER = 'someuser'
 _TEST_PASSWORD = 'somepassword'
 _TEST_PATH = 'some/cool/path'
@pytest.fixture(params=[True, False])
 def ipranges_populated(request):
  return request.param
@mock_s3
 def test_direct_download(test_aws_ip, aws_ip_range_data, ipranges_populated, app):
  ipresolver = IPResolver(app)
  if ipranges_populated:
    empty_range_data = {
      'syncToken': 123456789,
      'prefixes': [],
    }
    with patch.object(ipresolver, '_get_aws_ip_ranges', lambda: aws_ip_range_data if ipranges_populated else empty_range_data):
      context = StorageContext('nyc', None, None, config_provider, ipresolver)
      # Create a test bucket and put some test content.
      boto.connect_s3().create_bucket(_TEST_BUCKET)
      engine = CloudFrontedS3Storage(context, 'cloudfrontdomain', 'keyid', 'test/data/test.pem', 'some/path',
                                    _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
      engine.put_content(_TEST_PATH, _TEST_CONTENT)
      assert engine.exists(_TEST_PATH)
      # Request a direct download URL for a request from a known AWS IP, and ensure we are returned an S3 URL.
      assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH, test_aws_ip)
      if ipranges_populated:
        # Request a direct download URL for a request from a non-AWS IP, and ensure we are returned a CloudFront URL.
        assert 'cloudfrontdomain' in engine.get_direct_download_url(_TEST_PATH, '1.2.3.4')
      else:
        # Request a direct download URL for a request from a non-AWS IP, but since IP Ranges isn't populated, we still
        # get back an S3 URL.
        assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH, '1.2.3.4')
--- a/storage/test/test_swift.py
+++ b/storage/test/test_swift.py
@ -9,7 +9,7 @@ from storage import StorageContext
 from storage.swift import SwiftStorage
 base_args = {
-  'context': StorageContext('nyc', None, None),
+  'context': StorageContext('nyc', None, None, None, None),
  'swift_container': 'container-name',
  'storage_path': '/basepath',
  'auth_url': 'https://auth.com',
@ -191,7 +191,7 @@ def test_cancel_chunked_upload():
 def test_empty_chunks_queued_for_deletion():
  chunk_cleanup_queue = FakeQueue()
  args = dict(base_args)
-  args['context'] = StorageContext('nyc', None, chunk_cleanup_queue)
+  args['context'] = StorageContext('nyc', None, chunk_cleanup_queue, None, None)
  swift = FakeSwiftStorage(**args)
  uuid, metadata = swift.initiate_chunked_upload()
--- a/test/test_cloud_storage.py
+++ b/test/test_cloud_storage.py
@ -13,7 +13,7 @@ _TEST_BUCKET = 'some_bucket'
 _TEST_USER = 'someuser'
 _TEST_PASSWORD = 'somepassword'
 _TEST_PATH = 'some/cool/path'
-_TEST_CONTEXT = StorageContext('nyc', None, None)
+_TEST_CONTEXT = StorageContext('nyc', None, None, None, None)
 class TestCloudStorage(unittest.TestCase):
  def setUp(self):
--- a/util/audit.py
+++ b/util/audit.py
@ -5,7 +5,7 @@ from urlparse import urlparse
 from flask import request
-from app import analytics, userevents
+from app import analytics, userevents, ip_resolver
 from data import model
 from auth.registry_jwt_auth import get_granted_entity
 from auth.auth_context import (get_authenticated_user, get_validated_token,
@ -85,6 +85,11 @@ def track_and_log(event_name, repo_obj, analytics_name=None, analytics_sample=1,
    analytics.track(analytics_id, analytics_name, extra_params)
  # Add the resolved information to the metadata.
  resolved_ip = ip_resolver.resolve_ip(request.remote_addr)
  if resolved_ip is not None:
    metadata['resolved_ip'] = resolved_ip._asdict()
  # Log the action to the database.
  logger.debug('Logging the %s to logs system', event_name)
  model.log.log_action(event_name, namespace_name, performer=authenticated_user,
--- a/util/config/provider/testprovider.py
+++ b/util/config/provider/testprovider.py
@ -7,7 +7,7 @@ from util.config.provider.baseprovider import BaseProvider
 from util.license import (EntitlementValidationResult, Entitlement, Expiration, ExpirationType,
                          EntitlementRequirement)
-REAL_FILES = ['test/data/signing-private.gpg', 'test/data/signing-public.gpg']
+REAL_FILES = ['test/data/signing-private.gpg', 'test/data/signing-public.gpg', 'test/data/test.pem']
 class TestLicense(object):
  def validate_entitlement_requirement(self, entitlement_req, check_time):
--- a/util/config/validators/validate_storage.py
+++ b/util/config/validators/validate_storage.py
@ -1,4 +1,4 @@
-from app import app
+from app import app, ip_resolver, config_provider
 from storage import get_storage_driver
 from util.config.validators import BaseValidator, ConfigValidationException
@ -36,7 +36,8 @@ def _get_storage_providers(config):
  try:
    for name, parameters in storage_config.items():
-      drivers[name] = (parameters[0], get_storage_driver(None, None, None, parameters))
+      driver = get_storage_driver(None, None, None, config_provider, ip_resolver, parameters)
      drivers[name] = (parameters[0], driver)
  except TypeError:
    raise ConfigValidationException('Missing required parameter(s) for storage %s' % name)
--- a/util/ipresolver/GeoLite2-Country.mmdb
+++ b/util/ipresolver/GeoLite2-Country.mmdb
--- a/util/ipresolver/init.py
+++ b/util/ipresolver/init.py
@ -0,0 +1,117 @@
 import logging
 import json
 import requests
 from cachetools import ttl_cache, lru_cache
 from collections import namedtuple, defaultdict
 from netaddr import IPNetwork, IPAddress, IPSet, AddrFormatError
 import geoip2.database
 import geoip2.errors
 ResolvedLocation = namedtuple('ResolvedLocation', ['provider', 'region', 'service', 'sync_token'])
 logger = logging.getLogger(__name__)
 _DATA_FILES = {'aws-ip-ranges.json': 'https://ip-ranges.amazonaws.com/ip-ranges.json'}
 def update_resolver_datafiles():
  """ Performs an update of the data file(s) used by the IP Resolver. """
  for filename, url in _DATA_FILES.iteritems():
    logger.debug('Updating IP resolver data file "%s" from URL "%s"', filename, url)
    with open('util/ipresolver/%s' % filename, 'w') as f:
      response = requests.get(url)
      logger.debug('Got %s response for URL %s', response.status_code, url)
      if response.status_code / 2 != 100:
        raise Exception('Got non-2XX status code for URL %s: %s' % (url, response.status_code))
      f.write(response.text)
      logger.debug('Successfully wrote %s', filename)
 class IPResolver(object):
  def __init__(self, app):
    self.app = app
    self.geoip_db = geoip2.database.Reader('util/ipresolver/GeoLite2-Country.mmdb')
  def resolve_ip(self, ip_address):
    """ Attempts to return resolved information about the specified IP Address. If such an attempt fails,
        returns None.
    """
    location_function = self._get_location_function()
    if not ip_address or not location_function:
      return None
    return location_function(ip_address)
  def _get_aws_ip_ranges(self):
    try:
      with open('util/ipresolver/aws-ip-ranges.json', 'r') as f:
        return json.loads(f.read())
    except IOError:
      logger.exception('Could not load AWS IP Ranges')
      return None
    except ValueError:
      logger.exception('Could not load AWS IP Ranges')
      return None
    except TypeError:
      logger.exception('Could not load AWS IP Ranges')
      return None
  @ttl_cache(maxsize=1, ttl=600)
  def _get_location_function(self):
    aws_ip_range_json = self._get_aws_ip_ranges()
    if aws_ip_range_json is None:
      return None
    sync_token = aws_ip_range_json['syncToken']
    all_amazon, regions, services = IPResolver._parse_amazon_ranges(aws_ip_range_json)
    return IPResolver._build_location_function(sync_token, all_amazon, regions, services, self.geoip_db)
  @staticmethod
  def _build_location_function(sync_token, all_amazon, regions, country, country_db):
    @lru_cache(maxsize=4096)
    def _get_location(ip_address):
      try:
        parsed_ip = IPAddress(ip_address)
      except AddrFormatError:
        return ResolvedLocation('invalid_ip', None, None, sync_token)
      if parsed_ip not in all_amazon:
        # Try geoip classification
        try:
          found = country_db.country(parsed_ip)
          return ResolvedLocation(
            'internet',
            found.continent.code,
            found.country.iso_code,
            sync_token,
          )
        except geoip2.errors.AddressNotFoundError:
          return ResolvedLocation('internet', None, None, sync_token)
      region = None
      for region_name, region_set in regions.items():
        if parsed_ip in region_set:
          region = region_name
          break
      return ResolvedLocation('aws', region, None, sync_token)
    return _get_location
  @staticmethod
  def _parse_amazon_ranges(ranges):
    all_amazon = IPSet()
    regions = defaultdict(IPSet)
    services = defaultdict(IPSet)
    for service_description in ranges['prefixes']:
      cidr = IPNetwork(service_description['ip_prefix'])
      service = service_description['service']
      region = service_description['region']
      all_amazon.add(cidr)
      regions[region].add(cidr)
      services[service].add(cidr)
    return all_amazon, regions, services
--- a/util/ipresolver/test/init.py
+++ b/util/ipresolver/test/init.py
--- a/util/ipresolver/test/test_ipresolver.py
+++ b/util/ipresolver/test/test_ipresolver.py
@ -0,0 +1,40 @@
 import pytest
 from mock import patch
 from util.ipresolver import IPResolver, ResolvedLocation
 from test.fixtures import *
@pytest.fixture()
 def test_aws_ip():
  return '10.0.0.1'
@pytest.fixture()
 def aws_ip_range_data():
  fake_range_doc = {
    'syncToken': 123456789,
    'prefixes': [
      {
        'ip_prefix': '10.0.0.0/8',
        'region': 'GLOBAL',
        'service': 'AMAZON',
      } 
    ],
  }
  return fake_range_doc
 def test_unstarted(app, test_aws_ip):
  ipresolver = IPResolver(app)
  assert ipresolver.resolve_ip(test_aws_ip) is None
 def test_resolved(aws_ip_range_data, test_aws_ip, app,):
    ipresolver = IPResolver(app)
    def get_data():
      return aws_ip_range_data
    with patch.object(ipresolver, '_get_aws_ip_ranges', get_data):
      assert ipresolver.resolve_ip(test_aws_ip) == ResolvedLocation(provider='aws', region=u'GLOBAL', service=None, sync_token=123456789)
      assert ipresolver.resolve_ip('10.0.0.2') == ResolvedLocation(provider='aws', region=u'GLOBAL', service=None, sync_token=123456789)
      assert ipresolver.resolve_ip('1.2.3.4') == ResolvedLocation(provider='internet', region=u'NA', service=u'US', sync_token=123456789)
      assert ipresolver.resolve_ip('127.0.0.1') == ResolvedLocation(provider='internet', region=None, service=None, sync_token=123456789)
--- a/workers/ipresolverupdateworker.py
+++ b/workers/ipresolverupdateworker.py
@ -0,0 +1,45 @@
 import logging
 import time
 from app import app
 from util.ipresolver import update_resolver_datafiles
 from workers.worker import Worker
 logger = logging.getLogger(__name__)
 class IPResolverUpdateWorker(Worker):
  def __init__(self):
    super(IPResolverUpdateWorker, self).__init__()
    # Update now.
    try:
      self._update_resolver_datafiles()
    except:
      logger.exception('Initial update of range data files failed')
    self.add_operation(self._update_resolver_datafiles,
                       app.config.get('IP_RESOLVER_DATAFILE_REFRESH', 60 * 60 * 2) * 60)
  def _update_resolver_datafiles(self):
    logger.debug('Starting refresh of IP resolver data files')
    update_resolver_datafiles()
    logger.debug('Finished refresh of IP resolver data files')
 if __name__ == "__main__":
  # Only enable if CloudFronted storage is used.
  requires_resolution = False
  for storage_type, _ in app.config.get('DISTRIBUTED_STORAGE_CONFIG', {}).values():
    if storage_type == 'CloudFrontedS3Storage':
      requires_resolution = True
      break
  if not requires_resolution:
    logger.debug('Cloud fronted storage not used; skipping')
    while True:
      time.sleep(10000)
  worker = IPResolverUpdateWorker()
  worker.start()