


Will Toozs c972381d89
logs 2023-05-17 19:46:18 +02:00
Will Toozs 888e03d3d2
save state 2023-05-17 11:19:53 +02:00
4 changed files with 86 additions and 12 deletions


@ -70,7 +70,9 @@ const writeContinue = require('../utilities/writeContinue');
const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
const parseCopySource = require('./apiUtils/object/parseCopySource');
const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys');
const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
const { isRequesterASessionUser, isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
const metadata = require('../metadata/wrapper');
const monitoring = require('../utilities/monitoringHandler');
const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
@ -83,7 +85,7 @@ const api = {
// Attach the apiMethod method to the request, so it can used by monitoring in the server
// eslint-disable-next-line no-param-reassign
request.apiMethod = apiMethod;
console.log('-- 1110: IN CALL API METHOD --')
const actionLog = monitoringMap[apiMethod];
if (!actionLog &&
apiMethod !== 'websiteGet' &&
@ -141,7 +143,10 @@ const api = {
sourceBucket, sourceObject, sourceVersionId);
function checkAuthResults(authResults) {
let returnTagCount = true;
const returnChecks = {
returnTagCount: true,
explicitAllow: false,
};
if (apiMethod === 'objectGet') {
// first item checks s3:GetObject(Version) action
if (!authResults[0].isAllowed) {
@ -152,19 +157,31 @@ const api = {
if (!authResults[1].isAllowed) {
log.trace('get tagging authorization denial ' +
'from Vault');
returnTagCount = false;
returnChecks.returnTagCount = false;
}
} else {
for (let i = 0; i < authResults.length; i++) {
if (!authResults[i].isAllowed) {
// immediately handle case of explicit deny
if (authResults.explicitDeny) {
log.trace('authorization denial from Vault');
return errors.AccessDenied;
}
}
}
return returnTagCount;
}
// if any remaining policies are allowed, then the request is allowed
for (let i = 0; i < authResults.length; i++) {
console.log('-- 2120: Auth reses --', authResults[i])
if (authResults[i].isAllowed) {
returnChecks.explicitAllow = true;
// if allowed, return immediately
return returnChecks;
}
}
}
log.trace('authorization from Vault is not explicit');
console.log('-- 1120: NOT ECPLICIT --', returnChecks)
return returnChecks;
}
console.log('-- 1111: BEFORE ASYNC --')
return async.waterfall([
next => auth.server.doAuth(
request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
@ -238,12 +255,21 @@ const api = {
if (err) {
return callback(err);
}
console.log('-- 1117: BEF AUTH RES -- :', authorizationResults)
let checkedResults
if (authorizationResults) {
const checkedResults = checkAuthResults(authorizationResults);
console.log('-- 1119: BLABLA --')
checkedResults = checkAuthResults(authorizationResults);
console.log('-- 1115: BEFORE IF ERROR --')
if (checkedResults instanceof Error) {
console.log('-- 1116: BEFORE ERROR --')
return callback(checkedResults);
}
returnTagCount = checkedResults;
returnTagCount = checkedResults.returnTagCount;
}
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
request._response = response;
@ -257,6 +283,34 @@ const api = {
if (apiMethod === 'objectGet') {
return this[apiMethod](userInfo, request, returnTagCount, log, callback);
}
console.log('-- 1111: BEFORE IF --', checkedResults)
if (checkedResults && !checkedResults.explicitAllow) {
console.log('-- 1112: IN IF --')
metadata.getBucket(request.bucketName, log, (err, bucket) => {
if (err) {
log.debug('metadata getbucket failed', { error: err });
return callback(err);
}
const canonicalID = userInfo.getCanonicalID();
if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
log.debug('access denied for user on bucket', {
apiMethod,
method: 'callApiMethod',
});
monitoring.promMetrics(
request.method, request.bucketName, 403, apiMethod);
log.trace('authentication error for user on bucket', { error: err });
console.log('-- 1113: BEFORE ACCESS DENIED --')
return callback(errors.AccessDenied, null, corsHeaders);
}
});
}
console.log('-- 1114: BEFORE CALL --')
return this[apiMethod](userInfo, request, log, callback);
});
},
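Review bot: The bucket-level check added around `if (checkedResults && !checkedResults.explicitAllow)` cannot deny anything, because `metadata.getBucket` is asynchronous and the unconditional `return this[apiMethod](userInfo, request, log, callback);` that follows it runs before the getBucket callback fires; the API method is therefore dispatched regardless of what `isBucketAuthorized` returns, and on a denial `callback` is invoked a second time with `errors.AccessDenied` after the operation has already started. The dispatch has to happen inside the callback, only once the check has passed, as in the excerpt below. Two smaller things on the denial path: `corsHeaders` is not defined by anything visible in this hunk, and the `log.trace('authentication error …', { error: err })` logs `err`, which is null at that point. The `console.log` breadcrumbs (`-- 1110` … `-- 1120`, and the ones in the other three files of this compare) bypass the structured `log` and its level control and should be removed or turned into `log.trace` before merge. callApiMethod and the enclosing `doAuth` callback both begin outside the hunk.
```javascript
if (checkedResults && !checkedResults.explicitAllow) {
    return metadata.getBucket(request.bucketName, log, (err, bucket) => {
        if (err) {
            log.debug('metadata getbucket failed', { error: err });
            return callback(err);
        }
        const canonicalID = userInfo.getCanonicalID();
        if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
            // … unchanged: log.debug and monitoring.promMetrics on denial …
            return callback(errors.AccessDenied, null, corsHeaders);
        }
        // dispatch only after the bucket-level check has passed
        return this[apiMethod](userInfo, request, log, callback);
    });
}
return this[apiMethod](userInfo, request, log, callback);
```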


@ -273,6 +273,7 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
console.log('-- l276 checkBucketPolicy --', principalMatch, actionMatch, resourceMatch)
if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
// explicit deny trumps any allows, so return immediately
@ -303,6 +304,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
}
const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
const bucketPolicy = bucket.getBucketPolicy();
console.log('-- l306 isBucketAuthorised --', JSON.stringify(bucketPolicy, null, 2));
if (!bucketPolicy) {
return aclPermission;
}
@ -311,6 +313,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
if (bucketPolicyPermission === 'explicitDeny') {
return false;
}
console.log('-- l314 isBucketAuthorised --', aclPermission, bucketPolicyPermission);
return (aclPermission || (bucketPolicyPermission === 'allow'));
}
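Review bot: `console.log('-- l306 isBucketAuthorised --', JSON.stringify(bucketPolicy, null, 2));` writes the complete bucket policy document (principals, resource ARNs, conditions) to stdout on every authorization decision, outside the structured logger and its level gating, so it would land in production output unconditionally; if the trace is wanted, `log.trace('bucket policy evaluated', { bucketPolicy });` keeps it under level control. The same applies to the per-statement match dump in checkBucketPolicy (`-- l276 …`) and the final decision dump (`-- l314 …`), which expose the inputs of each allow/deny outcome the same way. Both isBucketAuthorized and checkBucketPolicy begin outside the hunks shown.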


@ -286,6 +286,7 @@ function bucketGet(authInfo, request, log, callback) {
const params = request.query;
const bucketName = request.bucketName;
const v2 = params['list-type'];
console.log('-- 3001: BUCKET GET --');
if (v2 !== undefined && Number.parseInt(v2, 10) !== 2) {
return callback(errors.InvalidArgument.customizeDescription('Invalid ' +
'List Type specified in Request'));
@ -344,16 +345,21 @@ function bucketGet(authInfo, request, log, callback) {
} else {
listParams.marker = params.marker;
}
console.log('-- 3002: BUCKET GET --');
metadataValidateBucket(metadataValParams, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket);
console.log('-- 3004: BUCKET GET --', err);
if (err) {
log.debug('error processing request', { error: err });
monitoring.promMetrics(
'GET', bucketName, err.code, 'listBucket');
return callback(err, null, corsHeaders);
}
console.log('-- 3005: BUCKET GET --');
if (params.versions !== undefined) {
listParams.listingType = 'DelimiterVersions';
delete listParams.marker;
@ -361,6 +367,8 @@ function bucketGet(authInfo, request, log, callback) {
listParams.versionIdMarker = params['version-id-marker'] ?
versionIdUtils.decode(params['version-id-marker']) : undefined;
}
console.log('-- 3006: BUCKET GET --');
if (!requestMaxKeys) {
const emptyList = {
CommonPrefixes: [],
@ -371,6 +379,8 @@ function bucketGet(authInfo, request, log, callback) {
return handleResult(listParams, requestMaxKeys, encoding, authInfo,
bucketName, emptyList, corsHeaders, log, callback);
}
console.log('-- 3007: BUCKET GET --');
return services.getObjectListing(bucketName, listParams, log,
(err, list) => {
if (err) {
@ -383,7 +393,7 @@ function bucketGet(authInfo, request, log, callback) {
bucketName, list, corsHeaders, log, callback);
});
});
return undefined;
return undefined
}
module.exports = {
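Review bot: The last hunk changes `return undefined;` to `return undefined` and nothing else on that line, which reads as an accidental edit rather than an intended one; restore `return undefined;` so the file does not rely on ASI. Apart from that the section only adds `console.log` breadcrumbs (`-- 3001` … `-- 3007`), one of which prints the raw `err` next to a `log.debug` that already records it in structured form. bucketGet begins outside the hunks shown.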


@ -109,6 +109,8 @@ function validateBucket(bucket, params, log) {
requestType,
method: 'validateBucket',
});
console.log('-- 6004 MD VAL BUCKET --');
return errors.NoSuchBucket;
}
// if requester is not bucket owner, bucket policy actions should be denied with
@ -121,6 +123,7 @@ function validateBucket(bucket, params, log) {
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
authInfo, log, request)) {
log.debug('access denied for user on bucket', { requestType });
console.log('-- 6000 access denied for user on bucket --');
return errors.AccessDenied;
}
return null;
@ -204,10 +207,14 @@ function metadataValidateBucket(params, log, callback) {
const { bucketName } = params;
return metadata.getBucket(bucketName, log, (err, bucket) => {
if (err) {
console.log('-- 6002 MD FAILED --');
log.debug('metadata getbucket failed', { error: err });
return callback(err);
}
console.log('-- 6001 MD VAL BUCKET --');
const validationError = validateBucket(bucket, params, log);
return callback(validationError, bucket);
});
}