logs

lib/api/api.js

@@ -70,7 +70,9 @@ const writeContinue = require('../utilities/writeContinue');
 const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
 const parseCopySource = require('./apiUtils/object/parseCopySource');
 const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys');
-const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
+const { isRequesterASessionUser, isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
+const metadata = require('../metadata/wrapper');
+const monitoring = require('../utilities/monitoringHandler');
 const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
 
 const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
@@ -83,7 +85,7 @@ const api = {
         // Attach the apiMethod method to the request, so it can used by monitoring in the server
         // eslint-disable-next-line no-param-reassign
         request.apiMethod = apiMethod;
-
+        console.log('-- 1110: IN CALL API METHOD --')
         const actionLog = monitoringMap[apiMethod];
         if (!actionLog &&
             apiMethod !== 'websiteGet' &&
@@ -141,7 +143,10 @@ const api = {
             sourceBucket, sourceObject, sourceVersionId);
 
         function checkAuthResults(authResults) {
-            let returnTagCount = true;
+            const returnChecks = {
+                returnTagCount: true,
+                explicitAllow: false,
+            };
             if (apiMethod === 'objectGet') {
                 // first item checks s3:GetObject(Version) action
                 if (!authResults[0].isAllowed) {
@@ -152,19 +157,31 @@ const api = {
                 if (!authResults[1].isAllowed) {
                     log.trace('get tagging authorization denial ' +
                     'from Vault');
-                    returnTagCount = false;
+                    returnChecks.returnTagCount = false;
                 }
             } else {
+                // immediately handle case of explicit deny
+                if (authResults.explicitDeny) {
+                    log.trace('authorization denial from Vault');
+                    return errors.AccessDenied;
+                }
+                // if any remaining policies are allowed, then the request is allowed
                 for (let i = 0; i < authResults.length; i++) {
-                    if (!authResults[i].isAllowed) {
-                        log.trace('authorization denial from Vault');
-                        return errors.AccessDenied;
+                    console.log('-- 2120: Auth reses --', authResults[i])
+
+                    if (authResults[i].isAllowed) {
+                        returnChecks.explicitAllow = true;
+                        // if allowed, return immediately
+                        return returnChecks;
                     }
                 }
             }
-            return returnTagCount;
-        }
+            log.trace('authorization from Vault is not explicit');
+            console.log('-- 1120: NOT ECPLICIT --', returnChecks)
 
+            return returnChecks;
+        }
+        console.log('-- 1111: BEFORE ASYNC --')
         return async.waterfall([
             next => auth.server.doAuth(
                 request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
@@ -238,12 +255,21 @@ const api = {
             if (err) {
                 return callback(err);
             }
+            console.log('-- 1117: BEF AUTH RES -- :', authorizationResults)
+
+            let checkedResults
             if (authorizationResults) {
-                const checkedResults = checkAuthResults(authorizationResults);
+                console.log('-- 1119: BLABLA --')
+
+                checkedResults = checkAuthResults(authorizationResults);
+                console.log('-- 1115: BEFORE IF ERROR --')
+
                 if (checkedResults instanceof Error) {
+                    console.log('-- 1116: BEFORE ERROR --')
+
                     return callback(checkedResults);
                 }
-                returnTagCount = checkedResults;
+                returnTagCount = checkedResults.returnTagCount;
             }
             if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
                 request._response = response;
@@ -257,6 +283,34 @@ const api = {
             if (apiMethod === 'objectGet') {
                 return this[apiMethod](userInfo, request, returnTagCount, log, callback);
             }
+            console.log('-- 1111: BEFORE IF --', checkedResults)
+
+            if (checkedResults && !checkedResults.explicitAllow) {
+                console.log('-- 1112: IN IF --')
+
+                metadata.getBucket(request.bucketName, log, (err, bucket) => {
+                    if (err) {
+                        log.debug('metadata getbucket failed', { error: err });
+                        return callback(err);
+                    }
+                    const canonicalID = userInfo.getCanonicalID();
+                    if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
+                        log.debug('access denied for user on bucket', {
+                            apiMethod,
+                            method: 'callApiMethod',
+                        });
+                        monitoring.promMetrics(
+                            request.method, request.bucketName, 403, apiMethod);
+                        log.trace('authentication error for user on bucket', { error: err });
+                        console.log('-- 1113: BEFORE ACCESS DENIED --')
+
+                        return callback(errors.AccessDenied, null, corsHeaders);
+                    }
+                });
+
+            }
+            console.log('-- 1114: BEFORE CALL --')
+
             return this[apiMethod](userInfo, request, log, callback);
         });
     },

lib/api/apiUtils/authorization/permissionChecks.js

@@ -273,6 +273,7 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
         const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
         const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
         const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
+        console.log('-- l276 checkBucketPolicy --', principalMatch, actionMatch, resourceMatch)
 
         if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
             // explicit deny trumps any allows, so return immediately
@@ -303,6 +304,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
     }
     const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
     const bucketPolicy = bucket.getBucketPolicy();
+    console.log('-- l306 isBucketAuthorised --', JSON.stringify(bucketPolicy, null, 2));
     if (!bucketPolicy) {
         return aclPermission;
     }
@@ -311,6 +313,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
     if (bucketPolicyPermission === 'explicitDeny') {
         return false;
     }
+    console.log('-- l314 isBucketAuthorised --', aclPermission, bucketPolicyPermission);
     return (aclPermission || (bucketPolicyPermission === 'allow'));
 }
 

lib/api/bucketGet.js

@@ -286,6 +286,7 @@ function bucketGet(authInfo, request, log, callback) {
     const params = request.query;
     const bucketName = request.bucketName;
     const v2 = params['list-type'];
+    console.log('-- 3001: BUCKET GET --');
     if (v2 !== undefined && Number.parseInt(v2, 10) !== 2) {
         return callback(errors.InvalidArgument.customizeDescription('Invalid ' +
             'List Type specified in Request'));
@@ -344,16 +345,21 @@ function bucketGet(authInfo, request, log, callback) {
     } else {
         listParams.marker = params.marker;
     }
+    console.log('-- 3002: BUCKET GET --');
 
     metadataValidateBucket(metadataValParams, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
+            console.log('-- 3004: BUCKET GET --', err);
+
         if (err) {
             log.debug('error processing request', { error: err });
             monitoring.promMetrics(
                 'GET', bucketName, err.code, 'listBucket');
             return callback(err, null, corsHeaders);
         }
+        console.log('-- 3005: BUCKET GET --');
+
         if (params.versions !== undefined) {
             listParams.listingType = 'DelimiterVersions';
             delete listParams.marker;
@@ -361,6 +367,8 @@ function bucketGet(authInfo, request, log, callback) {
             listParams.versionIdMarker = params['version-id-marker'] ?
                 versionIdUtils.decode(params['version-id-marker']) : undefined;
         }
+        console.log('-- 3006: BUCKET GET --');
+
         if (!requestMaxKeys) {
             const emptyList = {
                 CommonPrefixes: [],
@@ -371,6 +379,8 @@ function bucketGet(authInfo, request, log, callback) {
             return handleResult(listParams, requestMaxKeys, encoding, authInfo,
                 bucketName, emptyList, corsHeaders, log, callback);
         }
+        console.log('-- 3007: BUCKET GET --');
+
         return services.getObjectListing(bucketName, listParams, log,
         (err, list) => {
             if (err) {
@@ -383,7 +393,7 @@ function bucketGet(authInfo, request, log, callback) {
                 bucketName, list, corsHeaders, log, callback);
         });
     });
-    return undefined;
+    return undefined
 }
 
 module.exports = {

lib/metadata/metadataUtils.js

@@ -109,6 +109,8 @@ function validateBucket(bucket, params, log) {
             requestType,
             method: 'validateBucket',
         });
+        console.log('-- 6004  MD VAL BUCKET --');
+
         return errors.NoSuchBucket;
     }
     // if requester is not bucket owner, bucket policy actions should be denied with
@@ -121,6 +123,7 @@ function validateBucket(bucket, params, log) {
     if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
                             authInfo, log, request)) {
         log.debug('access denied for user on bucket', { requestType });
+        console.log('-- 6000 access denied for user on bucket --');
         return errors.AccessDenied;
     }
     return null;
@@ -204,10 +207,14 @@ function metadataValidateBucket(params, log, callback) {
     const { bucketName } = params;
     return metadata.getBucket(bucketName, log, (err, bucket) => {
         if (err) {
+            console.log('-- 6002  MD FAILED --');
+
             log.debug('metadata getbucket failed', { error: err });
             return callback(err);
         }
+        console.log('-- 6001  MD VAL BUCKET --');
         const validationError = validateBucket(bucket, params, log);
+
         return callback(validationError, bucket);
     });
 }