


Will Toozs c972381d89
logs 2023-05-17 19:46:18 +02:00
Will Toozs 888e03d3d2
save state 2023-05-17 11:19:53 +02:00
4 changed files with 86 additions and 12 deletions


@ -70,7 +70,9 @@ const writeContinue = require('../utilities/writeContinue');
const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders'); const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
const parseCopySource = require('./apiUtils/object/parseCopySource'); const parseCopySource = require('./apiUtils/object/parseCopySource');
const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys'); const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys');
const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks'); const { isRequesterASessionUser, isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
const metadata = require('../metadata/wrapper');
const monitoring = require('../utilities/monitoringHandler');
const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize'); const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
const monitoringMap = policies.actionMaps.actionMonitoringMapS3; const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
@ -83,7 +85,7 @@ const api = {
// Attach the apiMethod method to the request, so it can used by monitoring in the server // Attach the apiMethod method to the request, so it can used by monitoring in the server
// eslint-disable-next-line no-param-reassign // eslint-disable-next-line no-param-reassign
request.apiMethod = apiMethod; request.apiMethod = apiMethod;
console.log('-- 1110: IN CALL API METHOD --')
const actionLog = monitoringMap[apiMethod]; const actionLog = monitoringMap[apiMethod];
if (!actionLog && if (!actionLog &&
apiMethod !== 'websiteGet' && apiMethod !== 'websiteGet' &&
@ -141,7 +143,10 @@ const api = {
sourceBucket, sourceObject, sourceVersionId); sourceBucket, sourceObject, sourceVersionId);
function checkAuthResults(authResults) { function checkAuthResults(authResults) {
let returnTagCount = true; const returnChecks = {
returnTagCount: true,
explicitAllow: false,
};
if (apiMethod === 'objectGet') { if (apiMethod === 'objectGet') {
// first item checks s3:GetObject(Version) action // first item checks s3:GetObject(Version) action
if (!authResults[0].isAllowed) { if (!authResults[0].isAllowed) {
@ -152,19 +157,31 @@ const api = {
if (!authResults[1].isAllowed) { if (!authResults[1].isAllowed) {
log.trace('get tagging authorization denial ' + log.trace('get tagging authorization denial ' +
'from Vault'); 'from Vault');
returnTagCount = false; returnChecks.returnTagCount = false;
} }
} else { } else {
for (let i = 0; i < authResults.length; i++) { // immediately handle case of explicit deny
if (!authResults[i].isAllowed) { if (authResults.explicitDeny) {
log.trace('authorization denial from Vault'); log.trace('authorization denial from Vault');
return errors.AccessDenied; return errors.AccessDenied;
} }
} // if any remaining policies are allowed, then the request is allowed
} for (let i = 0; i < authResults.length; i++) {
return returnTagCount; console.log('-- 2120: Auth reses --', authResults[i])
}
if (authResults[i].isAllowed) {
returnChecks.explicitAllow = true;
// if allowed, return immediately
return returnChecks;
}
}
}
log.trace('authorization from Vault is not explicit');
console.log('-- 1120: NOT ECPLICIT --', returnChecks)
return returnChecks;
}
console.log('-- 1111: BEFORE ASYNC --')
return async.waterfall([ return async.waterfall([
next => auth.server.doAuth( next => auth.server.doAuth(
request, log, (err, userInfo, authorizationResults, streamingV4Params) => { request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
@ -238,12 +255,21 @@ const api = {
if (err) { if (err) {
return callback(err); return callback(err);
} }
console.log('-- 1117: BEF AUTH RES -- :', authorizationResults)
let checkedResults
if (authorizationResults) { if (authorizationResults) {
const checkedResults = checkAuthResults(authorizationResults); console.log('-- 1119: BLABLA --')
checkedResults = checkAuthResults(authorizationResults);
console.log('-- 1115: BEFORE IF ERROR --')
if (checkedResults instanceof Error) { if (checkedResults instanceof Error) {
console.log('-- 1116: BEFORE ERROR --')
return callback(checkedResults); return callback(checkedResults);
} }
returnTagCount = checkedResults; returnTagCount = checkedResults.returnTagCount;
} }
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') { if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
request._response = response; request._response = response;
@ -257,6 +283,34 @@ const api = {
if (apiMethod === 'objectGet') { if (apiMethod === 'objectGet') {
return this[apiMethod](userInfo, request, returnTagCount, log, callback); return this[apiMethod](userInfo, request, returnTagCount, log, callback);
} }
console.log('-- 1111: BEFORE IF --', checkedResults)
if (checkedResults && !checkedResults.explicitAllow) {
console.log('-- 1112: IN IF --')
metadata.getBucket(request.bucketName, log, (err, bucket) => {
if (err) {
log.debug('metadata getbucket failed', { error: err });
return callback(err);
}
const canonicalID = userInfo.getCanonicalID();
if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
log.debug('access denied for user on bucket', {
apiMethod,
method: 'callApiMethod',
});
monitoring.promMetrics(
request.method, request.bucketName, 403, apiMethod);
log.trace('authentication error for user on bucket', { error: err });
console.log('-- 1113: BEFORE ACCESS DENIED --')
return callback(errors.AccessDenied, null, corsHeaders);
}
});
}
console.log('-- 1114: BEFORE CALL --')
return this[apiMethod](userInfo, request, log, callback); return this[apiMethod](userInfo, request, log, callback);
}); });
}, },
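Review bot: The bucket-level fallback added at the end of callApiMethod (whose body starts outside this hunk) is not actually enforced: `metadata.getBucket` is asynchronous, so control falls straight through to `return this[apiMethod](userInfo, request, log, callback);` on the following line and the handler runs before, and regardless of, the `isBucketAuthorized` result, while a denial then calls `callback` a second time with AccessDenied. The handler invocation has to move inside the getBucket callback on the success path and the branch must return the getBucket call, as sketched below. The rewritten loop in checkAuthResults is also a semantic change worth a deliberate decision: it now grants as soon as any one entry of `authResults` is allowed, where the old loop denied if any entry was not, which matters for API calls authorized against several actions. `corsHeaders` in the AccessDenied callback and `err` in the `'authentication error for user on bucket'` trace (null on that path) are not visibly defined in this scope, and the `console.log` lines read as leftover tracing that should be dropped or turned into `log.trace` before merge.
```javascript
if (checkedResults && !checkedResults.explicitAllow) {
    return metadata.getBucket(request.bucketName, log, (err, bucket) => {
        if (err) {
            log.debug('metadata getbucket failed', { error: err });
            return callback(err);
        }
        const canonicalID = userInfo.getCanonicalID();
        if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
            // … unchanged: access-denied debug log and 403 metric …
            return callback(errors.AccessDenied, null, corsHeaders);
        }
        // reach the handler only after the bucket-level check has passed
        return this[apiMethod](userInfo, request, log, callback);
    });
}
return this[apiMethod](userInfo, request, log, callback);
```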


@ -273,6 +273,7 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal); const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log); const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log); const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
console.log('-- l276 checkBucketPolicy --', principalMatch, actionMatch, resourceMatch)
if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') { if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
// explicit deny trumps any allows, so return immediately // explicit deny trumps any allows, so return immediately
@ -303,6 +304,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
} }
const aclPermission = checkBucketAcls(bucket, requestType, canonicalID); const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
const bucketPolicy = bucket.getBucketPolicy(); const bucketPolicy = bucket.getBucketPolicy();
console.log('-- l306 isBucketAuthorised --', JSON.stringify(bucketPolicy, null, 2));
if (!bucketPolicy) { if (!bucketPolicy) {
return aclPermission; return aclPermission;
} }
@ -311,6 +313,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
if (bucketPolicyPermission === 'explicitDeny') { if (bucketPolicyPermission === 'explicitDeny') {
return false; return false;
} }
console.log('-- l314 isBucketAuthorised --', aclPermission, bucketPolicyPermission);
return (aclPermission || (bucketPolicyPermission === 'allow')); return (aclPermission || (bucketPolicyPermission === 'allow'));
} }
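Review bot: The `console.log` in isBucketAuthorized writes the complete bucket policy document (`JSON.stringify(bucketPolicy, null, 2)`) to stdout on every authorization check, bypassing the structured `log` that the function already receives and exposing policy contents to whatever captures process output. The one added to checkBucketPolicy runs once per policy statement and prints only three booleans with no request context, so it is noisy without being diagnosable. Both enclosing functions start outside the hunk. If this tracing is meant to stay, replace it with `log.trace('bucket policy evaluated', { aclPermission, bucketPolicyPermission });` at the return site and drop the policy dump; otherwise remove both lines before merge.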


@ -286,6 +286,7 @@ function bucketGet(authInfo, request, log, callback) {
const params = request.query; const params = request.query;
const bucketName = request.bucketName; const bucketName = request.bucketName;
const v2 = params['list-type']; const v2 = params['list-type'];
console.log('-- 3001: BUCKET GET --');
if (v2 !== undefined && Number.parseInt(v2, 10) !== 2) { if (v2 !== undefined && Number.parseInt(v2, 10) !== 2) {
return callback(errors.InvalidArgument.customizeDescription('Invalid ' + return callback(errors.InvalidArgument.customizeDescription('Invalid ' +
'List Type specified in Request')); 'List Type specified in Request'));
@ -344,16 +345,21 @@ function bucketGet(authInfo, request, log, callback) {
} else { } else {
listParams.marker = params.marker; listParams.marker = params.marker;
} }
console.log('-- 3002: BUCKET GET --');
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
console.log('-- 3004: BUCKET GET --', err);
if (err) { if (err) {
log.debug('error processing request', { error: err }); log.debug('error processing request', { error: err });
monitoring.promMetrics( monitoring.promMetrics(
'GET', bucketName, err.code, 'listBucket'); 'GET', bucketName, err.code, 'listBucket');
return callback(err, null, corsHeaders); return callback(err, null, corsHeaders);
} }
console.log('-- 3005: BUCKET GET --');
if (params.versions !== undefined) { if (params.versions !== undefined) {
listParams.listingType = 'DelimiterVersions'; listParams.listingType = 'DelimiterVersions';
delete listParams.marker; delete listParams.marker;
@ -361,6 +367,8 @@ function bucketGet(authInfo, request, log, callback) {
listParams.versionIdMarker = params['version-id-marker'] ? listParams.versionIdMarker = params['version-id-marker'] ?
versionIdUtils.decode(params['version-id-marker']) : undefined; versionIdUtils.decode(params['version-id-marker']) : undefined;
} }
console.log('-- 3006: BUCKET GET --');
if (!requestMaxKeys) { if (!requestMaxKeys) {
const emptyList = { const emptyList = {
CommonPrefixes: [], CommonPrefixes: [],
@ -371,6 +379,8 @@ function bucketGet(authInfo, request, log, callback) {
return handleResult(listParams, requestMaxKeys, encoding, authInfo, return handleResult(listParams, requestMaxKeys, encoding, authInfo,
bucketName, emptyList, corsHeaders, log, callback); bucketName, emptyList, corsHeaders, log, callback);
} }
console.log('-- 3007: BUCKET GET --');
return services.getObjectListing(bucketName, listParams, log, return services.getObjectListing(bucketName, listParams, log,
(err, list) => { (err, list) => {
if (err) { if (err) {
@ -383,7 +393,7 @@ function bucketGet(authInfo, request, log, callback) {
bucketName, list, corsHeaders, log, callback); bucketName, list, corsHeaders, log, callback);
}); });
}); });
return undefined; return undefined
} }
module.exports = { module.exports = {
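Review bot: The last hunk drops the statement terminator on `return undefined` at the end of bucketGet, which breaks the semicolon convention used on every other line of this file; restore it as `return undefined;`. The six numbered `console.log('-- 300x: BUCKET GET --')` lines scattered through bucketGet write to stdout outside the request logger and carry no request identifiers, so they will not correlate with the existing `log.debug` entries in production output. They look like step-through tracing for the authorization work in this compare and should be removed, or folded into a single `log.trace` with the listing parameters, before the change lands.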


@ -109,6 +109,8 @@ function validateBucket(bucket, params, log) {
requestType, requestType,
method: 'validateBucket', method: 'validateBucket',
}); });
console.log('-- 6004 MD VAL BUCKET --');
return errors.NoSuchBucket; return errors.NoSuchBucket;
} }
// if requester is not bucket owner, bucket policy actions should be denied with // if requester is not bucket owner, bucket policy actions should be denied with
@ -121,6 +123,7 @@ function validateBucket(bucket, params, log) {
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID, if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
authInfo, log, request)) { authInfo, log, request)) {
log.debug('access denied for user on bucket', { requestType }); log.debug('access denied for user on bucket', { requestType });
console.log('-- 6000 access denied for user on bucket --');
return errors.AccessDenied; return errors.AccessDenied;
} }
return null; return null;
@ -204,10 +207,14 @@ function metadataValidateBucket(params, log, callback) {
const { bucketName } = params; const { bucketName } = params;
return metadata.getBucket(bucketName, log, (err, bucket) => { return metadata.getBucket(bucketName, log, (err, bucket) => {
if (err) { if (err) {
console.log('-- 6002 MD FAILED --');
log.debug('metadata getbucket failed', { error: err }); log.debug('metadata getbucket failed', { error: err });
return callback(err); return callback(err);
} }
console.log('-- 6001 MD VAL BUCKET --');
const validationError = validateBucket(bucket, params, log); const validationError = validateBucket(bucket, params, log);
return callback(validationError, bucket); return callback(validationError, bucket);
}); });
} }