Compare commits

...

2 Commits

Author SHA1 Message Date
Nicolas Humbert 62e66dad45 test 2021-08-02 16:07:51 -04:00
Nicolas Humbert ce6d0dbd65 VAULT-7 unexpected 403 errors 2021-08-02 13:35:31 -04:00
2 changed files with 19 additions and 73 deletions

View File

@ -278,85 +278,17 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log) {
return (aclPermission || (bucketPolicyPermission === 'allow')); return (aclPermission || (bucketPolicyPermission === 'allow'));
} }
function _isPermissionGranted(permissionList, canonicalID) {
if (permissionList.indexOf(publicId) > -1) {
return true;
}
if (permissionList.indexOf(allAuthedUsersId) > -1 &&
canonicalID !== publicId) {
return true;
}
if (permissionList.indexOf(canonicalID) > -1) {
return true;
}
return false;
}
function hasBucketReadAccess(bucket, requestType, canonicalID, authInfo, log) {
const bucketAcl = bucket.getAcl();
const bucketOwner = bucket.getOwner();
const bucketPolicy = bucket.getBucketPolicy();
let arn = null;
let requesterIsNotUser = true;
if (authInfo) {
requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
arn = authInfo.getArn();
}
// bucket policies over acls if any is applicable
if (bucketPolicy) {
// bucketGet covers listObjects and listMultipartUploads, bucket read
// actions
const bucketListPermission = checkBucketPolicy(
bucketPolicy,
'bucketGet',
canonicalID,
arn,
bucketOwner,
log
);
if (bucketListPermission === 'explicitDeny') {
return false;
}
if (bucketListPermission === 'allow') {
return true;
}
// defaultDeny, fallback onto acls
}
if ((canonicalID === bucketOwner && requesterIsNotUser) ||
_isPermissionGranted(bucketAcl.FULL_CONTROL, canonicalID) ||
_isPermissionGranted(bucketAcl.READ, canonicalID)) {
return true;
}
if (bucketAcl.Canned === 'public-read' ||
bucketAcl.Canned === 'public-read-write' ||
(bucketAcl.Canned === 'authenticated-read' &&
canonicalID !== publicId)) {
return true;
}
return false;
}
function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log) { function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log) {
const bucketOwner = bucket.getOwner(); const bucketOwner = bucket.getOwner();
if (!objectMD) { if (!objectMD) {
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
// bucket has canned ACL public-read-write
if (requestType === 'objectPut' || requestType === 'objectDelete') { if (requestType === 'objectPut' || requestType === 'objectDelete') {
return true; return true;
} }
// check bucket has read access
// if read access is granted, return true to have the api handler // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
// respond accordingly to the missing object metadata return isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log);
// if read access is not granted, return false for AccessDenied
return hasBucketReadAccess(bucket, requestType, canonicalID, authInfo, log);
} }
let requesterIsNotUser = true; let requesterIsNotUser = true;
let arn = null; let arn = null;

View File

@ -300,6 +300,20 @@ describe('without object metadata', () => {
const deniedAccess = [false, false, false, false]; const deniedAccess = [false, false, false, false];
const tests = [ const tests = [
{
it: 'should allow user if part of the bucket owner account',
canned: 'private', id: objectOwnerCanonicalId,
authInfo: userAuthInfo,
aclParam: null,
response: allowedAccess,
},
{
it: 'should not allow user if not part of the bucket owner account',
canned: 'private', id: accountToVet,
authInfo: altAcctAuthInfo,
aclParam: null,
response: deniedAccess,
},
{ {
it: 'should allow bucket owner', it: 'should allow bucket owner',
canned: 'private', id: bucketOwnerCanonicalId, canned: 'private', id: bucketOwnerCanonicalId,