Author | SHA1 | Date |
---|---|---|
Will Toozs | c972381d89 | |
Will Toozs | 888e03d3d2 |
|
@ -70,7 +70,9 @@ const writeContinue = require('../utilities/writeContinue');
|
|||
const validateQueryAndHeaders = require('../utilities/validateQueryAndHeaders');
|
||||
const parseCopySource = require('./apiUtils/object/parseCopySource');
|
||||
const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys');
|
||||
const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
|
||||
const { isRequesterASessionUser, isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
|
||||
const metadata = require('../metadata/wrapper');
|
||||
const monitoring = require('../utilities/monitoringHandler');
|
||||
const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
|
||||
|
||||
const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
|
||||
|
@ -83,7 +85,7 @@ const api = {
|
|||
// Attach the apiMethod method to the request, so it can used by monitoring in the server
|
||||
// eslint-disable-next-line no-param-reassign
|
||||
request.apiMethod = apiMethod;
|
||||
|
||||
console.log('-- 1110: IN CALL API METHOD --')
|
||||
const actionLog = monitoringMap[apiMethod];
|
||||
if (!actionLog &&
|
||||
apiMethod !== 'websiteGet' &&
|
||||
|
@ -141,7 +143,10 @@ const api = {
|
|||
sourceBucket, sourceObject, sourceVersionId);
|
||||
|
||||
function checkAuthResults(authResults) {
|
||||
let returnTagCount = true;
|
||||
const returnChecks = {
|
||||
returnTagCount: true,
|
||||
explicitAllow: false,
|
||||
};
|
||||
if (apiMethod === 'objectGet') {
|
||||
// first item checks s3:GetObject(Version) action
|
||||
if (!authResults[0].isAllowed) {
|
||||
|
@ -152,19 +157,31 @@ const api = {
|
|||
if (!authResults[1].isAllowed) {
|
||||
log.trace('get tagging authorization denial ' +
|
||||
'from Vault');
|
||||
returnTagCount = false;
|
||||
returnChecks.returnTagCount = false;
|
||||
}
|
||||
} else {
|
||||
for (let i = 0; i < authResults.length; i++) {
|
||||
if (!authResults[i].isAllowed) {
|
||||
// immediately handle case of explicit deny
|
||||
if (authResults.explicitDeny) {
|
||||
log.trace('authorization denial from Vault');
|
||||
return errors.AccessDenied;
|
||||
}
|
||||
}
|
||||
}
|
||||
return returnTagCount;
|
||||
}
|
||||
// if any remaining policies are allowed, then the request is allowed
|
||||
for (let i = 0; i < authResults.length; i++) {
|
||||
console.log('-- 2120: Auth reses --', authResults[i])
|
||||
|
||||
if (authResults[i].isAllowed) {
|
||||
returnChecks.explicitAllow = true;
|
||||
// if allowed, return immediately
|
||||
return returnChecks;
|
||||
}
|
||||
}
|
||||
}
|
||||
log.trace('authorization from Vault is not explicit');
|
||||
console.log('-- 1120: NOT ECPLICIT --', returnChecks)
|
||||
|
||||
return returnChecks;
|
||||
}
|
||||
console.log('-- 1111: BEFORE ASYNC --')
|
||||
return async.waterfall([
|
||||
next => auth.server.doAuth(
|
||||
request, log, (err, userInfo, authorizationResults, streamingV4Params) => {
|
||||
|
@ -238,12 +255,21 @@ const api = {
|
|||
if (err) {
|
||||
return callback(err);
|
||||
}
|
||||
console.log('-- 1117: BEF AUTH RES -- :', authorizationResults)
|
||||
|
||||
let checkedResults
|
||||
if (authorizationResults) {
|
||||
const checkedResults = checkAuthResults(authorizationResults);
|
||||
console.log('-- 1119: BLABLA --')
|
||||
|
||||
checkedResults = checkAuthResults(authorizationResults);
|
||||
console.log('-- 1115: BEFORE IF ERROR --')
|
||||
|
||||
if (checkedResults instanceof Error) {
|
||||
console.log('-- 1116: BEFORE ERROR --')
|
||||
|
||||
return callback(checkedResults);
|
||||
}
|
||||
returnTagCount = checkedResults;
|
||||
returnTagCount = checkedResults.returnTagCount;
|
||||
}
|
||||
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
|
||||
request._response = response;
|
||||
|
@ -257,6 +283,34 @@ const api = {
|
|||
if (apiMethod === 'objectGet') {
|
||||
return this[apiMethod](userInfo, request, returnTagCount, log, callback);
|
||||
}
|
||||
console.log('-- 1111: BEFORE IF --', checkedResults)
|
||||
|
||||
if (checkedResults && !checkedResults.explicitAllow) {
|
||||
console.log('-- 1112: IN IF --')
|
||||
|
||||
metadata.getBucket(request.bucketName, log, (err, bucket) => {
|
||||
if (err) {
|
||||
log.debug('metadata getbucket failed', { error: err });
|
||||
return callback(err);
|
||||
}
|
||||
const canonicalID = userInfo.getCanonicalID();
|
||||
if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
|
||||
log.debug('access denied for user on bucket', {
|
||||
apiMethod,
|
||||
method: 'callApiMethod',
|
||||
});
|
||||
monitoring.promMetrics(
|
||||
request.method, request.bucketName, 403, apiMethod);
|
||||
log.trace('authentication error for user on bucket', { error: err });
|
||||
console.log('-- 1113: BEFORE ACCESS DENIED --')
|
||||
|
||||
return callback(errors.AccessDenied, null, corsHeaders);
|
||||
}
|
||||
});
|
||||
|
||||
}
|
||||
console.log('-- 1114: BEFORE CALL --')
|
||||
|
||||
return this[apiMethod](userInfo, request, log, callback);
|
||||
});
|
||||
},
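Review bot: The bucket-level authorization added in the `@ -257,6 +283,34` hunk does not gate the request: `metadata.getBucket` is asynchronous, so execution falls through to `return this[apiMethod](userInfo, request, log, callback)` before its callback runs, the API method executes even when `isBucketAuthorized` later returns false, and `callback` is then invoked a second time with `errors.AccessDenied`. Dispatching to the API method only from inside the getBucket callback, as below, makes the denial effective; note also that `corsHeaders` in the denial path is not declared anywhere in this hunk, and `err` passed to `log.trace('authentication error for user on bucket', ...)` is necessarily null at that point because the `if (err)` branch above already returned, so both should be checked against the surrounding function. The `console.log` lines added in this file and in the permissionChecks, bucketGet and metadataUtils hunks print raw authorization results and the full bucket policy to stdout outside the structured logger; they read as debugging leftovers and should be removed before merge. The enclosing function (apparently `callApiMethod`, judging from the `method` field in the log call) starts and ends outside the hunk.
```javascript
if (checkedResults && !checkedResults.explicitAllow) {
    return metadata.getBucket(request.bucketName, log, (err, bucket) => {
        if (err) {
            log.debug('metadata getbucket failed', { error: err });
            return callback(err);
        }
        const canonicalID = userInfo.getCanonicalID();
        if (!isBucketAuthorized(bucket, apiMethod, canonicalID, userInfo, log, request)) {
            // … unchanged: log.debug / promMetrics on denial …
            return callback(errors.AccessDenied, null, corsHeaders);
        }
        // dispatch only once the bucket-level check has passed
        return this[apiMethod](userInfo, request, log, callback);
    });
}
return this[apiMethod](userInfo, request, log, callback);
```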
|
||||
|
|
|
@ -273,6 +273,7 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
|
|||
const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
|
||||
const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
|
||||
const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
|
||||
console.log('-- l276 checkBucketPolicy --', principalMatch, actionMatch, resourceMatch)
|
||||
|
||||
if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
|
||||
// explicit deny trumps any allows, so return immediately
|
||||
|
@ -303,6 +304,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
|
|||
}
|
||||
const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
|
||||
const bucketPolicy = bucket.getBucketPolicy();
|
||||
console.log('-- l306 isBucketAuthorised --', JSON.stringify(bucketPolicy, null, 2));
|
||||
if (!bucketPolicy) {
|
||||
return aclPermission;
|
||||
}
|
||||
|
@ -311,6 +313,7 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
|
|||
if (bucketPolicyPermission === 'explicitDeny') {
|
||||
return false;
|
||||
}
|
||||
console.log('-- l314 isBucketAuthorised --', aclPermission, bucketPolicyPermission);
|
||||
return (aclPermission || (bucketPolicyPermission === 'allow'));
|
||||
}
|
||||
|
||||
|
|
|
@ -286,6 +286,7 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
const params = request.query;
|
||||
const bucketName = request.bucketName;
|
||||
const v2 = params['list-type'];
|
||||
console.log('-- 3001: BUCKET GET --');
|
||||
if (v2 !== undefined && Number.parseInt(v2, 10) !== 2) {
|
||||
return callback(errors.InvalidArgument.customizeDescription('Invalid ' +
|
||||
'List Type specified in Request'));
|
||||
|
@ -344,16 +345,21 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
} else {
|
||||
listParams.marker = params.marker;
|
||||
}
|
||||
console.log('-- 3002: BUCKET GET --');
|
||||
|
||||
metadataValidateBucket(metadataValParams, log, (err, bucket) => {
|
||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||
request.method, bucket);
|
||||
console.log('-- 3004: BUCKET GET --', err);
|
||||
|
||||
if (err) {
|
||||
log.debug('error processing request', { error: err });
|
||||
monitoring.promMetrics(
|
||||
'GET', bucketName, err.code, 'listBucket');
|
||||
return callback(err, null, corsHeaders);
|
||||
}
|
||||
console.log('-- 3005: BUCKET GET --');
|
||||
|
||||
if (params.versions !== undefined) {
|
||||
listParams.listingType = 'DelimiterVersions';
|
||||
delete listParams.marker;
|
||||
|
@ -361,6 +367,8 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
listParams.versionIdMarker = params['version-id-marker'] ?
|
||||
versionIdUtils.decode(params['version-id-marker']) : undefined;
|
||||
}
|
||||
console.log('-- 3006: BUCKET GET --');
|
||||
|
||||
if (!requestMaxKeys) {
|
||||
const emptyList = {
|
||||
CommonPrefixes: [],
|
||||
|
@ -371,6 +379,8 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
return handleResult(listParams, requestMaxKeys, encoding, authInfo,
|
||||
bucketName, emptyList, corsHeaders, log, callback);
|
||||
}
|
||||
console.log('-- 3007: BUCKET GET --');
|
||||
|
||||
return services.getObjectListing(bucketName, listParams, log,
|
||||
(err, list) => {
|
||||
if (err) {
|
||||
|
@ -383,7 +393,7 @@ function bucketGet(authInfo, request, log, callback) {
|
|||
bucketName, list, corsHeaders, log, callback);
|
||||
});
|
||||
});
|
||||
return undefined;
|
||||
return undefined
|
||||
}
|
||||
|
||||
module.exports = {
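Review bot: The `@ -383,7 +393,7` hunk replaces `return undefined;` with `return undefined` and the dropped statement terminator is the only change in that hunk, which departs from the semicolon style used on every other line of bucketGet; restore `return undefined;`. bucketGet itself starts before this section's first hunk, so the surrounding control flow is not visible here.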
|
||||
|
|
|
@ -109,6 +109,8 @@ function validateBucket(bucket, params, log) {
|
|||
requestType,
|
||||
method: 'validateBucket',
|
||||
});
|
||||
console.log('-- 6004 MD VAL BUCKET --');
|
||||
|
||||
return errors.NoSuchBucket;
|
||||
}
|
||||
// if requester is not bucket owner, bucket policy actions should be denied with
|
||||
|
@ -121,6 +123,7 @@ function validateBucket(bucket, params, log) {
|
|||
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
|
||||
authInfo, log, request)) {
|
||||
log.debug('access denied for user on bucket', { requestType });
|
||||
console.log('-- 6000 access denied for user on bucket --');
|
||||
return errors.AccessDenied;
|
||||
}
|
||||
return null;
|
||||
|
@ -204,10 +207,14 @@ function metadataValidateBucket(params, log, callback) {
|
|||
const { bucketName } = params;
|
||||
return metadata.getBucket(bucketName, log, (err, bucket) => {
|
||||
if (err) {
|
||||
console.log('-- 6002 MD FAILED --');
|
||||
|
||||
log.debug('metadata getbucket failed', { error: err });
|
||||
return callback(err);
|
||||
}
|
||||
console.log('-- 6001 MD VAL BUCKET --');
|
||||
const validationError = validateBucket(bucket, params, log);
|
||||
|
||||
return callback(validationError, bucket);
|
||||
});
|
||||
}
|
||||
|
|