From 8b7839300505efcdebcd77dba43e34c5b33b7ded Mon Sep 17 00:00:00 2001
From: mskanth972 <mskanth@amazon.com>
Date: Tue, 28 Nov 2023 23:18:25 -0500
Subject: [PATCH] Added checks to make sure delete-access-point should not
 delete entire EFS

---
 pkg/driver/controller.go      | 18 ++++++++++++++++++
 pkg/driver/controller_test.go | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go
index 6f701981f..3ddd1f516 100644
--- a/pkg/driver/controller.go
+++ b/pkg/driver/controller.go
@@ -21,6 +21,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"github.com/google/uuid"
+	"io"
 	"os"
 	"path"
 	"sort"
@@ -394,11 +395,28 @@ func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest)
 				}
 			}
 
+			klog.V(2).Infof("Access point root directory : %s", accessPoint.AccessPointRootDir)
+			if accessPoint.AccessPointRootDir == "/" {
+				return nil, status.Errorf(codes.Internal, "Could not delete efs root dir '/'")
+			}
+
 			target := TempMountPathPrefix + "/" + accessPointId
 			if err := d.mounter.MakeDir(target); err != nil {
 				return nil, status.Errorf(codes.Internal, "Could not create dir %q: %v", target, err)
 			}
 			if err := d.mounter.Mount(fileSystemId, target, "efs", mountOptions); err != nil {
+				targetDir, err := os.Open(target)
+				if err != nil {
+					return nil, status.Errorf(codes.Internal, "Could not read dir %q: %v", target, err)
+				}
+				_, err = targetDir.Readdir(1)
+				if err != io.EOF {
+					if err != nil {
+						return nil, status.Errorf(codes.Internal, "Could not read dir %q: %v", target, err)
+					} else {
+						return nil, status.Errorf(codes.Internal, "Expected empty directory %s", target)
+					}
+				}
 				os.Remove(target)
 				return nil, status.Errorf(codes.Internal, "Could not mount %q at %q: %v", fileSystemId, target, err)
 			}
diff --git a/pkg/driver/controller_test.go b/pkg/driver/controller_test.go
index e4755cbab..833d975ce 100644
--- a/pkg/driver/controller_test.go
+++ b/pkg/driver/controller_test.go
@@ -2974,6 +2974,41 @@ func TestDeleteVolume(t *testing.T) {
 				mockCtl.Finish()
 			},
 		},
+		{
+			name: "Fail: Access point root directory is '/'",
+			testFunc: func(t *testing.T) {
+				mockCtl := gomock.NewController(t)
+				mockCloud := mocks.NewMockCloud(mockCtl)
+				mockMounter := mocks.NewMockMounter(mockCtl)
+
+				driver := &Driver{
+					endpoint:                 endpoint,
+					cloud:                    mockCloud,
+					mounter:                  mockMounter,
+					gidAllocator:             NewGidAllocator(),
+					deleteAccessPointRootDir: true,
+				}
+
+				req := &csi.DeleteVolumeRequest{
+					VolumeId: volumeId,
+				}
+
+				accessPoint := &cloud.AccessPoint{
+					AccessPointId:      apId,
+					FileSystemId:       fsId,
+					AccessPointRootDir: "/",
+					CapacityGiB:        0,
+				}
+
+				ctx := context.Background()
+				mockCloud.EXPECT().DescribeAccessPoint(gomock.Eq(ctx), gomock.Eq(apId)).Return(accessPoint, nil)
+				_, err := driver.DeleteVolume(ctx, req)
+				if err == nil {
+					t.Fatalf("DeleteVolume did not fail")
+				}
+				mockCtl.Finish()
+			},
+		},
 	}
 
 	for _, tc := range testCases {