Compare commits
12 Commits
developmen
...
improvemen
Author | SHA1 | Date |
---|---|---|
Will Toozs | 10ceb3d292 | |
Will Toozs | 4ce82167bb | |
Will Toozs | 47bf8fa966 | |
Will Toozs | d869133532 | |
Will Toozs | 90a39a70de | |
Will Toozs | 8fa4dd4523 | |
Will Toozs | 702a0ef26d | |
Will Toozs | bbd321b7b2 | |
Will Toozs | 73affabcb8 | |
Will Toozs | 3c8108871f | |
Will Toozs | 0f0850d40b | |
Will Toozs | 461b3da238 |
|
@ -153,6 +153,8 @@ const constants = {
|
||||||
'objectDeleteTagging',
|
'objectDeleteTagging',
|
||||||
'objectGetTagging',
|
'objectGetTagging',
|
||||||
'objectPutTagging',
|
'objectPutTagging',
|
||||||
|
'objectPutLegalHold',
|
||||||
|
'objectPutRetention',
|
||||||
],
|
],
|
||||||
// response header to be sent when there are invalid
|
// response header to be sent when there are invalid
|
||||||
// user metadata in the object's metadata
|
// user metadata in the object's metadata
|
||||||
|
|
|
@ -114,6 +114,7 @@ const api = {
|
||||||
// no need to check auth on website or cors preflight requests
|
// no need to check auth on website or cors preflight requests
|
||||||
if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' ||
|
if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' ||
|
||||||
apiMethod === 'corsPreflight') {
|
apiMethod === 'corsPreflight') {
|
||||||
|
request.iamAuthzResults = false;
|
||||||
return this[apiMethod](request, log, callback);
|
return this[apiMethod](request, log, callback);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -136,15 +137,25 @@ const api = {
|
||||||
|
|
||||||
const requestContexts = prepareRequestContexts(apiMethod, request,
|
const requestContexts = prepareRequestContexts(apiMethod, request,
|
||||||
sourceBucket, sourceObject, sourceVersionId);
|
sourceBucket, sourceObject, sourceVersionId);
|
||||||
|
// Extract all the _apiMethods and store them in an array
|
||||||
|
const apiMethods = requestContexts ? requestContexts.map(context => context._apiMethod) : [];
|
||||||
|
// Attach the names to the current request
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
request.apiMethods = apiMethods;
|
||||||
|
|
||||||
function checkAuthResults(authResults) {
|
function checkAuthResults(authResults) {
|
||||||
let returnTagCount = true;
|
let returnTagCount = true;
|
||||||
|
const isImplicitDeny = {};
|
||||||
|
let isOnlyImplicitDeny = true;
|
||||||
if (apiMethod === 'objectGet') {
|
if (apiMethod === 'objectGet') {
|
||||||
// first item checks s3:GetObject(Version) action
|
// first item checks s3:GetObject(Version) action
|
||||||
if (!authResults[0].isAllowed) {
|
if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
|
||||||
log.trace('get object authorization denial from Vault');
|
log.trace('get object authorization denial from Vault');
|
||||||
return errors.AccessDenied;
|
return errors.AccessDenied;
|
||||||
}
|
}
|
||||||
|
// TODO add support for returnTagCount in the bucket policy
|
||||||
|
// checks
|
||||||
|
isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
|
||||||
// second item checks s3:GetObject(Version)Tagging action
|
// second item checks s3:GetObject(Version)Tagging action
|
||||||
if (!authResults[1].isAllowed) {
|
if (!authResults[1].isAllowed) {
|
||||||
log.trace('get tagging authorization denial ' +
|
log.trace('get tagging authorization denial ' +
|
||||||
|
@ -153,13 +164,25 @@ const api = {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
for (let i = 0; i < authResults.length; i++) {
|
for (let i = 0; i < authResults.length; i++) {
|
||||||
if (!authResults[i].isAllowed) {
|
isImplicitDeny[authResults[i].action] = true;
|
||||||
|
if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
|
||||||
|
// Any explicit deny rejects the current API call
|
||||||
log.trace('authorization denial from Vault');
|
log.trace('authorization denial from Vault');
|
||||||
return errors.AccessDenied;
|
return errors.AccessDenied;
|
||||||
|
} else if (authResults[i].isAllowed) {
|
||||||
|
// If the action is allowed, the result is not implicit
|
||||||
|
// Deny.
|
||||||
|
isImplicitDeny[authResults[i].action] = false;
|
||||||
|
isOnlyImplicitDeny = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return returnTagCount;
|
// These two APIs cannot use ACLs or Bucket Policies, hence, any
|
||||||
|
// implicit deny from vault must be treated as an explicit deny.
|
||||||
|
if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
|
||||||
|
return errors.AccessDenied;
|
||||||
|
}
|
||||||
|
return { returnTagCount, isImplicitDeny };
|
||||||
}
|
}
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
|
@ -237,7 +260,14 @@ const api = {
|
||||||
if (checkedResults instanceof Error) {
|
if (checkedResults instanceof Error) {
|
||||||
return callback(checkedResults);
|
return callback(checkedResults);
|
||||||
}
|
}
|
||||||
returnTagCount = checkedResults;
|
returnTagCount = checkedResults.returnTagCount;
|
||||||
|
request.iamAuthzResults = checkedResults.isImplicitDeny;
|
||||||
|
} else {
|
||||||
|
// create an object of keys apiMethods with all values to false
|
||||||
|
request.iamAuthzResults = apiMethods.reduce((acc, curr) => {
|
||||||
|
acc[curr] = false;
|
||||||
|
return acc;
|
||||||
|
}, {});
|
||||||
}
|
}
|
||||||
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
|
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
|
||||||
request._response = response;
|
request._response = response;
|
||||||
|
|
|
@ -1,29 +1,50 @@
|
||||||
const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
|
const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
|
||||||
const constants = require('../../../../constants');
|
const constants = require('../../../../constants');
|
||||||
|
|
||||||
const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
|
const {
|
||||||
assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants;
|
allAuthedUsersId, bucketOwnerActions, logId, publicId,
|
||||||
|
assumedRoleArnResourceType, backbeatLifecycleSessionName,
|
||||||
|
} = constants;
|
||||||
|
|
||||||
// whitelist buckets to allow public read on objects
|
// whitelist buckets to allow public read on objects
|
||||||
const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
|
const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS
|
||||||
process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
|
? process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
|
||||||
|
|
||||||
function checkBucketAcls(bucket, requestType, canonicalID) {
|
function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
|
||||||
|
// Same logic applies on the Versioned APIs, so let's simplify it.
|
||||||
|
const requestTypeParsed = requestType.endsWith('Version')
|
||||||
|
? requestType.slice(0, -7) : requestType;
|
||||||
if (bucket.getOwner() === canonicalID) {
|
if (bucket.getOwner() === canonicalID) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
// Backward compatibility
|
||||||
|
const arrayOfAllowed = [
|
||||||
|
'objectPutTagging',
|
||||||
|
'objectPutLegalHold',
|
||||||
|
'objectPutRetention',
|
||||||
|
];
|
||||||
|
if (mainApiCall === 'objectGet') {
|
||||||
|
if (requestTypeParsed === 'objectGetTagging') {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (mainApiCall === 'objectPut') {
|
||||||
|
if (arrayOfAllowed.includes(requestTypeParsed)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const bucketAcl = bucket.getAcl();
|
const bucketAcl = bucket.getAcl();
|
||||||
if (requestType === 'bucketGet' || requestType === 'bucketHead') {
|
if (requestTypeParsed === 'bucketGet' || requestTypeParsed === 'bucketHead') {
|
||||||
if (bucketAcl.Canned === 'public-read'
|
if (bucketAcl.Canned === 'public-read'
|
||||||
|| bucketAcl.Canned === 'public-read-write'
|
|| bucketAcl.Canned === 'public-read-write'
|
||||||
|| (bucketAcl.Canned === 'authenticated-read'
|
|| (bucketAcl.Canned === 'authenticated-read'
|
||||||
&& canonicalID !== publicId)) {
|
&& canonicalID !== publicId)) {
|
||||||
return true;
|
return true;
|
||||||
} else if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
} if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| bucketAcl.READ.indexOf(canonicalID) > -1) {
|
|| bucketAcl.READ.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (bucketAcl.READ.indexOf(publicId) > -1
|
} if (bucketAcl.READ.indexOf(publicId) > -1
|
||||||
|| (bucketAcl.READ.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.READ.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -32,13 +53,13 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (requestType === 'bucketGetACL') {
|
if (requestTypeParsed === 'bucketGetACL') {
|
||||||
if ((bucketAcl.Canned === 'log-delivery-write'
|
if ((bucketAcl.Canned === 'log-delivery-write'
|
||||||
&& canonicalID === logId)
|
&& canonicalID === logId)
|
||||||
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| bucketAcl.READ_ACP.indexOf(canonicalID) > -1) {
|
|| bucketAcl.READ_ACP.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (bucketAcl.READ_ACP.indexOf(publicId) > -1
|
} if (bucketAcl.READ_ACP.indexOf(publicId) > -1
|
||||||
|| (bucketAcl.READ_ACP.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.READ_ACP.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -48,11 +69,11 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (requestType === 'bucketPutACL') {
|
if (requestTypeParsed === 'bucketPutACL') {
|
||||||
if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) {
|
|| bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1
|
} if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1
|
||||||
|| (bucketAcl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -62,16 +83,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (requestType === 'bucketDelete' && bucket.getOwner() === canonicalID) {
|
if (requestTypeParsed === 'objectDelete' || requestTypeParsed === 'objectPut') {
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (requestType === 'objectDelete' || requestType === 'objectPut') {
|
|
||||||
if (bucketAcl.Canned === 'public-read-write'
|
if (bucketAcl.Canned === 'public-read-write'
|
||||||
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| bucketAcl.WRITE.indexOf(canonicalID) > -1) {
|
|| bucketAcl.WRITE.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (bucketAcl.WRITE.indexOf(publicId) > -1
|
} if (bucketAcl.WRITE.indexOf(publicId) > -1
|
||||||
|| (bucketAcl.WRITE.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.WRITE.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -86,11 +103,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
|
||||||
// objectPutACL, objectGetACL, objectHead or objectGet, the bucket
|
// objectPutACL, objectGetACL, objectHead or objectGet, the bucket
|
||||||
// authorization check should just return true so can move on to check
|
// authorization check should just return true so can move on to check
|
||||||
// rights at the object level.
|
// rights at the object level.
|
||||||
return (requestType === 'objectPutACL' || requestType === 'objectGetACL' ||
|
return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
|
||||||
requestType === 'objectGet' || requestType === 'objectHead');
|
|| requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
|
||||||
}
|
}
|
||||||
|
|
||||||
function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
|
||||||
|
isUserUnauthenticated, mainApiCall) {
|
||||||
const bucketOwner = bucket.getOwner();
|
const bucketOwner = bucket.getOwner();
|
||||||
// acls don't distinguish between users and accounts, so both should be allowed
|
// acls don't distinguish between users and accounts, so both should be allowed
|
||||||
if (bucketOwnerActions.includes(requestType)
|
if (bucketOwnerActions.includes(requestType)
|
||||||
|
@ -100,6 +118,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
||||||
if (objectMD['owner-id'] === canonicalID) {
|
if (objectMD['owner-id'] === canonicalID) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Backward compatibility
|
||||||
|
if (mainApiCall === 'objectGet') {
|
||||||
|
if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
|
||||||
|
&& requestType === 'objectGetTagging') {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!objectMD.acl) {
|
if (!objectMD.acl) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -110,15 +137,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
||||||
|| (objectMD.acl.Canned === 'authenticated-read'
|
|| (objectMD.acl.Canned === 'authenticated-read'
|
||||||
&& canonicalID !== publicId)) {
|
&& canonicalID !== publicId)) {
|
||||||
return true;
|
return true;
|
||||||
} else if (objectMD.acl.Canned === 'bucket-owner-read'
|
} if (objectMD.acl.Canned === 'bucket-owner-read'
|
||||||
&& bucketOwner === canonicalID) {
|
&& bucketOwner === canonicalID) {
|
||||||
return true;
|
return true;
|
||||||
} else if ((objectMD.acl.Canned === 'bucket-owner-full-control'
|
} if ((objectMD.acl.Canned === 'bucket-owner-full-control'
|
||||||
&& bucketOwner === canonicalID)
|
&& bucketOwner === canonicalID)
|
||||||
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| objectMD.acl.READ.indexOf(canonicalID) > -1) {
|
|| objectMD.acl.READ.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (objectMD.acl.READ.indexOf(publicId) > -1
|
} if (objectMD.acl.READ.indexOf(publicId) > -1
|
||||||
|| (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -140,7 +167,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
||||||
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| objectMD.acl.WRITE_ACP.indexOf(canonicalID) > -1) {
|
|| objectMD.acl.WRITE_ACP.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1
|
} if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1
|
||||||
|| (objectMD.acl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -156,7 +183,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
||||||
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|
||||||
|| objectMD.acl.READ_ACP.indexOf(canonicalID) > -1) {
|
|| objectMD.acl.READ_ACP.indexOf(canonicalID) > -1) {
|
||||||
return true;
|
return true;
|
||||||
} else if (objectMD.acl.READ_ACP.indexOf(publicId) > -1
|
} if (objectMD.acl.READ_ACP.indexOf(publicId) > -1
|
||||||
|| (objectMD.acl.READ_ACP.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.READ_ACP.indexOf(allAuthedUsersId) > -1
|
||||||
&& canonicalID !== publicId)
|
&& canonicalID !== publicId)
|
||||||
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
|
||||||
|
@ -169,9 +196,9 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|
||||||
// allow public reads on buckets that are whitelisted for anonymous reads
|
// allow public reads on buckets that are whitelisted for anonymous reads
|
||||||
// TODO: remove this after bucket policies are implemented
|
// TODO: remove this after bucket policies are implemented
|
||||||
const bucketAcl = bucket.getAcl();
|
const bucketAcl = bucket.getAcl();
|
||||||
const allowPublicReads = publicReadBuckets.includes(bucket.getName()) &&
|
const allowPublicReads = publicReadBuckets.includes(bucket.getName())
|
||||||
bucketAcl.Canned === 'public-read' &&
|
&& bucketAcl.Canned === 'public-read'
|
||||||
(requestType === 'objectGet' || requestType === 'objectHead');
|
&& (requestType === 'objectGet' || requestType === 'objectHead');
|
||||||
if (allowPublicReads) {
|
if (allowPublicReads) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -268,7 +295,26 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
|
||||||
return permission;
|
return permission;
|
||||||
}
|
}
|
||||||
|
|
||||||
function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request) {
|
function isBucketAuthorized(bucket, requestTypes, canonicalID, authInfo, log, request, iamAuthzResults) {
|
||||||
|
if (!Array.isArray(requestTypes)) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
requestTypes = [requestTypes];
|
||||||
|
}
|
||||||
|
if (!iamAuthzResults) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults = {};
|
||||||
|
}
|
||||||
|
// By default, all missing actions are defined as allowed from IAM, to be
|
||||||
|
// backward compatible
|
||||||
|
requestTypes.forEach(requestType => {
|
||||||
|
if (iamAuthzResults[requestType] === undefined) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults[requestType] = false;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
const mainApiCall = requestTypes[0];
|
||||||
|
const results = {};
|
||||||
|
requestTypes.forEach(_requestType => {
|
||||||
// Check to see if user is authorized to perform a
|
// Check to see if user is authorized to perform a
|
||||||
// particular action on bucket based on ACLs.
|
// particular action on bucket based on ACLs.
|
||||||
// TODO: Add IAM checks
|
// TODO: Add IAM checks
|
||||||
|
@ -280,63 +326,164 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
|
||||||
}
|
}
|
||||||
// if the bucket owner is an account, users should not have default access
|
// if the bucket owner is an account, users should not have default access
|
||||||
if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) {
|
if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) {
|
||||||
return true;
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
|
const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
|
||||||
const bucketPolicy = bucket.getBucketPolicy();
|
const bucketPolicy = bucket.getBucketPolicy();
|
||||||
if (!bucketPolicy) {
|
if (!bucketPolicy) {
|
||||||
return aclPermission;
|
results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
|
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
|
||||||
canonicalID, arn, bucket.getOwner(), log, request);
|
canonicalID, arn, bucket.getOwner(), log, request);
|
||||||
if (bucketPolicyPermission === 'explicitDeny') {
|
if (bucketPolicyPermission === 'explicitDeny') {
|
||||||
return false;
|
results[_requestType] = false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
return (aclPermission || (bucketPolicyPermission === 'allow'));
|
// If the bucket policy returns an allow, we accept the request, as the
|
||||||
|
// IAM response here is either Allow or implicit deny.
|
||||||
|
if (bucketPolicyPermission === 'allow') {
|
||||||
|
results[_requestType] = true;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
|
||||||
|
});
|
||||||
|
|
||||||
|
// final result is true if all the results are true
|
||||||
|
return Object.keys(results).every(key => results[key] === true);
|
||||||
}
|
}
|
||||||
|
|
||||||
function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log, request) {
|
|
||||||
|
function isObjAuthorized(bucket, objectMD, requestTypes, canonicalID, authInfo, log, request, iamAuthzResults) {
|
||||||
|
if (!Array.isArray(requestTypes)) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
requestTypes = [requestTypes];
|
||||||
|
}
|
||||||
|
// By default, all missing actions are defined as allowed from IAM, to be
|
||||||
|
// backward compatible
|
||||||
|
if (!iamAuthzResults) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults = {};
|
||||||
|
}
|
||||||
|
requestTypes.forEach(requestType => {
|
||||||
|
if (iamAuthzResults[requestType] === undefined) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults[requestType] = false;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
const results = {};
|
||||||
|
const mainApiCall = requestTypes[0];
|
||||||
|
requestTypes.forEach(_requestType => {
|
||||||
|
const parsedMethodName = _requestType.endsWith('Version')
|
||||||
|
? _requestType.slice(0, -7) : _requestType;
|
||||||
const bucketOwner = bucket.getOwner();
|
const bucketOwner = bucket.getOwner();
|
||||||
if (!objectMD) {
|
if (!objectMD) {
|
||||||
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
// User is already authorized on the bucket for FULL_CONTROL or WRITE or
|
||||||
// bucket has canned ACL public-read-write
|
// bucket has canned ACL public-read-write
|
||||||
if (requestType === 'objectPut' || requestType === 'objectDelete') {
|
if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
|
||||||
return true;
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
// check bucket has read access
|
// check bucket has read access
|
||||||
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
|
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
|
||||||
return isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request);
|
results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
let requesterIsNotUser = true;
|
let requesterIsNotUser = true;
|
||||||
let arn = null;
|
let arn = null;
|
||||||
|
let isUserUnauthenticated = false;
|
||||||
if (authInfo) {
|
if (authInfo) {
|
||||||
requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
|
requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
|
||||||
arn = authInfo.getArn();
|
arn = authInfo.getArn();
|
||||||
|
isUserUnauthenticated = arn === undefined;
|
||||||
}
|
}
|
||||||
if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) {
|
if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) {
|
||||||
return true;
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
// account is authorized if:
|
// account is authorized if:
|
||||||
// - requesttype is included in bucketOwnerActions and
|
// - requesttype is included in bucketOwnerActions and
|
||||||
// - account is the bucket owner
|
// - account is the bucket owner
|
||||||
// - requester is account, not user
|
// - requester is account, not user
|
||||||
if (bucketOwnerActions.includes(requestType)
|
if (bucketOwnerActions.includes(parsedMethodName)
|
||||||
&& (bucketOwner === canonicalID)
|
&& (bucketOwner === canonicalID)
|
||||||
&& requesterIsNotUser) {
|
&& requesterIsNotUser) {
|
||||||
return true;
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
const aclPermission = checkObjectAcls(bucket, objectMD, requestType,
|
const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
|
||||||
canonicalID);
|
canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
|
||||||
const bucketPolicy = bucket.getBucketPolicy();
|
const bucketPolicy = bucket.getBucketPolicy();
|
||||||
if (!bucketPolicy) {
|
if (!bucketPolicy) {
|
||||||
return aclPermission;
|
results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
|
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
|
||||||
canonicalID, arn, bucket.getOwner(), log, request);
|
canonicalID, arn, bucket.getOwner(), log, request);
|
||||||
if (bucketPolicyPermission === 'explicitDeny') {
|
if (bucketPolicyPermission === 'explicitDeny') {
|
||||||
return false;
|
results[_requestType] = false;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
return (aclPermission || (bucketPolicyPermission === 'allow'));
|
// If the bucket policy returns an allow, we accept the request, as the
|
||||||
|
// IAM response here is either Allow or implicit deny.
|
||||||
|
if (bucketPolicyPermission === 'allow') {
|
||||||
|
results[_requestType] = true;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
|
||||||
|
});
|
||||||
|
|
||||||
|
// final result is true if all the results are true
|
||||||
|
return Object.keys(results).every(key => results[key] === true);
|
||||||
|
}
|
||||||
|
|
||||||
|
function evaluateBucketPolicyWithIAM(bucket, requestTypes, canonicalID, authInfo, iamAuthzResults, log, request) {
|
||||||
|
if (!Array.isArray(requestTypes)) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
requestTypes = [requestTypes];
|
||||||
|
}
|
||||||
|
if (iamAuthzResults === false) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults = {};
|
||||||
|
}
|
||||||
|
// By default, all missing actions are defined as allowed from IAM, to be
|
||||||
|
// backward compatible
|
||||||
|
requestTypes.forEach(requestType => {
|
||||||
|
if (iamAuthzResults[requestType] === undefined) {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
iamAuthzResults[requestType] = false;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
const results = {};
|
||||||
|
requestTypes.forEach(_requestType => {
|
||||||
|
let arn = null;
|
||||||
|
if (authInfo) {
|
||||||
|
arn = authInfo.getArn();
|
||||||
|
}
|
||||||
|
const bucketPolicy = bucket.getBucketPolicy();
|
||||||
|
if (!bucketPolicy) {
|
||||||
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
|
||||||
|
canonicalID, arn, bucket.getOwner(), log, request);
|
||||||
|
if (bucketPolicyPermission === 'explicitDeny') {
|
||||||
|
results[_requestType] = false;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// If the bucket policy returns an allow, we accept the request, as the
|
||||||
|
// IAM response here is either Allow or implicit deny.
|
||||||
|
if (bucketPolicyPermission === 'allow') {
|
||||||
|
results[_requestType] = true;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
results[_requestType] = iamAuthzResults[_requestType] === false;
|
||||||
|
});
|
||||||
|
|
||||||
|
// final result is true if all the results are true
|
||||||
|
return Object.keys(results).every(key => results[key] === true);
|
||||||
}
|
}
|
||||||
|
|
||||||
function _checkResource(resource, bucketArn) {
|
function _checkResource(resource, bucketArn) {
|
||||||
|
@ -383,9 +530,9 @@ function isLifecycleSession(arn) {
|
||||||
const resourceType = resourceNames[0];
|
const resourceType = resourceNames[0];
|
||||||
const sessionName = resourceNames[resourceNames.length - 1];
|
const sessionName = resourceNames[resourceNames.length - 1];
|
||||||
|
|
||||||
return (service === 'sts' &&
|
return (service === 'sts'
|
||||||
resourceType === assumedRoleArnResourceType &&
|
&& resourceType === assumedRoleArnResourceType
|
||||||
sessionName === backbeatLifecycleSessionName);
|
&& sessionName === backbeatLifecycleSessionName);
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
|
@ -395,4 +542,5 @@ module.exports = {
|
||||||
checkObjectAcls,
|
checkObjectAcls,
|
||||||
validatePolicyResource,
|
validatePolicyResource,
|
||||||
isLifecycleSession,
|
isLifecycleSession,
|
||||||
|
evaluateBucketPolicyWithIAM,
|
||||||
};
|
};
|
||||||
|
|
|
@ -44,7 +44,7 @@ const monitoring = require('../utilities/metrics');
|
||||||
function bucketPutACL(authInfo, request, log, callback) {
|
function bucketPutACL(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'bucketPutACL' });
|
log.debug('processing request', { method: 'bucketPutACL' });
|
||||||
|
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const canonicalID = authInfo.getCanonicalID();
|
const canonicalID = authInfo.getCanonicalID();
|
||||||
const newCannedACL = request.headers['x-amz-acl'];
|
const newCannedACL = request.headers['x-amz-acl'];
|
||||||
const possibleCannedACL = [
|
const possibleCannedACL = [
|
||||||
|
@ -54,19 +54,6 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
'authenticated-read',
|
'authenticated-read',
|
||||||
'log-delivery-write',
|
'log-delivery-write',
|
||||||
];
|
];
|
||||||
if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
|
|
||||||
log.trace('invalid canned acl argument', {
|
|
||||||
acl: newCannedACL,
|
|
||||||
method: 'bucketPutACL',
|
|
||||||
});
|
|
||||||
monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
|
|
||||||
return callback(errors.InvalidArgument);
|
|
||||||
}
|
|
||||||
if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
|
|
||||||
log.trace('invalid acl header');
|
|
||||||
monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
|
|
||||||
return callback(errors.InvalidArgument);
|
|
||||||
}
|
|
||||||
const possibleGroups = [constants.allAuthedUsersId,
|
const possibleGroups = [constants.allAuthedUsersId,
|
||||||
constants.publicId,
|
constants.publicId,
|
||||||
constants.logId,
|
constants.logId,
|
||||||
|
@ -74,7 +61,7 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutACL',
|
requestType: request.apiMethods || 'bucketPutACL',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
const possibleGrants = ['FULL_CONTROL', 'WRITE',
|
const possibleGrants = ['FULL_CONTROL', 'WRITE',
|
||||||
|
@ -88,24 +75,19 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
READ_ACP: [],
|
READ_ACP: [],
|
||||||
};
|
};
|
||||||
|
|
||||||
const grantReadHeader =
|
const grantReadHeader = aclUtils.parseGrant(request.headers[
|
||||||
aclUtils.parseGrant(request.headers[
|
|
||||||
'x-amz-grant-read'], 'READ');
|
'x-amz-grant-read'], 'READ');
|
||||||
const grantWriteHeader =
|
const grantWriteHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
|
const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
|
||||||
const grantReadACPHeader =
|
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
|
|
||||||
'READ_ACP');
|
'READ_ACP');
|
||||||
const grantWriteACPHeader =
|
const grantWriteACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
|
|
||||||
'WRITE_ACP');
|
'WRITE_ACP');
|
||||||
const grantFullControlHeader =
|
const grantFullControlHeader = aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
|
|
||||||
'FULL_CONTROL');
|
'FULL_CONTROL');
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
function waterfall1(next) {
|
function waterfall1(next) {
|
||||||
metadataValidateBucket(metadataValParams, log,
|
metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket) => {
|
(err, bucket) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('request authorization failed', {
|
log.trace('request authorization failed', {
|
||||||
|
@ -114,6 +96,20 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
});
|
});
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
}
|
}
|
||||||
|
// if the API call is allowed, ensure that the parameters are valid
|
||||||
|
if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
|
||||||
|
log.trace('invalid canned acl argument', {
|
||||||
|
acl: newCannedACL,
|
||||||
|
method: 'bucketPutACL',
|
||||||
|
});
|
||||||
|
monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
|
||||||
|
return next(errors.InvalidArgument);
|
||||||
|
}
|
||||||
|
if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
|
||||||
|
log.trace('invalid acl header');
|
||||||
|
monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
|
||||||
|
return next(errors.InvalidArgument);
|
||||||
|
}
|
||||||
return next(null, bucket);
|
return next(null, bucket);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
|
@ -196,13 +192,12 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
} else {
|
} else {
|
||||||
// If no canned ACL and no parsed xml, loop
|
// If no canned ACL and no parsed xml, loop
|
||||||
// through the access headers
|
// through the access headers
|
||||||
const allGrantHeaders =
|
const allGrantHeaders = [].concat(grantReadHeader, grantWriteHeader,
|
||||||
[].concat(grantReadHeader, grantWriteHeader,
|
|
||||||
grantReadACPHeader, grantWriteACPHeader,
|
grantReadACPHeader, grantWriteACPHeader,
|
||||||
grantFullControlHeader);
|
grantFullControlHeader);
|
||||||
|
|
||||||
usersIdentifiedByEmail = allGrantHeaders.filter(item =>
|
usersIdentifiedByEmail = allGrantHeaders.filter(item => item
|
||||||
item && item.userIDType.toLowerCase() === 'emailaddress');
|
&& item.userIDType.toLowerCase() === 'emailaddress');
|
||||||
|
|
||||||
usersIdentifiedByGroup = allGrantHeaders
|
usersIdentifiedByGroup = allGrantHeaders
|
||||||
.filter(itm => itm && itm.userIDType
|
.filter(itm => itm && itm.userIDType
|
||||||
|
@ -210,8 +205,10 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
|
for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
|
||||||
const userGroup = usersIdentifiedByGroup[i].identifier;
|
const userGroup = usersIdentifiedByGroup[i].identifier;
|
||||||
if (possibleGroups.indexOf(userGroup) < 0) {
|
if (possibleGroups.indexOf(userGroup) < 0) {
|
||||||
log.trace('invalid user group', { userGroup,
|
log.trace('invalid user group', {
|
||||||
method: 'bucketPutACL' });
|
userGroup,
|
||||||
|
method: 'bucketPutACL',
|
||||||
|
});
|
||||||
return next(errors.InvalidArgument, bucket);
|
return next(errors.InvalidArgument, bucket);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -246,8 +243,8 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
return vault.getCanonicalIds(justEmails, log,
|
return vault.getCanonicalIds(justEmails, log,
|
||||||
(err, results) => {
|
(err, results) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error looking up canonical ids', {
|
log.trace('error looking up canonical ids',
|
||||||
error: err, method: 'vault.getCanonicalIDs' });
|
{ error: err, method: 'vault.getCanonicalIDs' });
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
}
|
}
|
||||||
const reconstructedUsersIdentifiedByEmail = aclUtils
|
const reconstructedUsersIdentifiedByEmail = aclUtils
|
||||||
|
@ -256,7 +253,8 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
const allUsers = [].concat(
|
const allUsers = [].concat(
|
||||||
reconstructedUsersIdentifiedByEmail,
|
reconstructedUsersIdentifiedByEmail,
|
||||||
usersIdentifiedByID,
|
usersIdentifiedByID,
|
||||||
usersIdentifiedByGroup);
|
usersIdentifiedByGroup,
|
||||||
|
);
|
||||||
const revisedAddACLParams = aclUtils
|
const revisedAddACLParams = aclUtils
|
||||||
.sortHeaderGrants(allUsers, addACLParams);
|
.sortHeaderGrants(allUsers, addACLParams);
|
||||||
return next(null, bucket, revisedAddACLParams);
|
return next(null, bucket, revisedAddACLParams);
|
||||||
|
@ -264,9 +262,9 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
}
|
}
|
||||||
const allUsers = [].concat(
|
const allUsers = [].concat(
|
||||||
usersIdentifiedByID,
|
usersIdentifiedByID,
|
||||||
usersIdentifiedByGroup);
|
usersIdentifiedByGroup,
|
||||||
const revisedAddACLParams =
|
);
|
||||||
aclUtils.sortHeaderGrants(allUsers, addACLParams);
|
const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
|
||||||
return next(null, bucket, revisedAddACLParams);
|
return next(null, bucket, revisedAddACLParams);
|
||||||
},
|
},
|
||||||
function waterfall4(bucket, addACLParams, next) {
|
function waterfall4(bucket, addACLParams, next) {
|
||||||
|
@ -277,19 +275,19 @@ function bucketPutACL(authInfo, request, log, callback) {
|
||||||
if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
|
if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
|
||||||
log.trace('transient or deleted flag so cleaning up bucket');
|
log.trace('transient or deleted flag so cleaning up bucket');
|
||||||
bucket.setFullAcl(addACLParams);
|
bucket.setFullAcl(addACLParams);
|
||||||
return cleanUpBucket(bucket, canonicalID, log, err =>
|
return cleanUpBucket(bucket, canonicalID, log, err => next(err, bucket));
|
||||||
next(err, bucket));
|
|
||||||
}
|
}
|
||||||
// If no bucket flags, just add acl's to bucket metadata
|
// If no bucket flags, just add acl's to bucket metadata
|
||||||
return acl.addACL(bucket, addACLParams, log, err =>
|
return acl.addACL(bucket, addACLParams, log, err => next(err, bucket));
|
||||||
next(err, bucket));
|
|
||||||
},
|
},
|
||||||
], (err, bucket) => {
|
], (err, bucket) => {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'bucketPutACL' });
|
error: err,
|
||||||
|
method: 'bucketPutACL',
|
||||||
|
});
|
||||||
monitoring.promMetrics('PUT', bucketName, err.code, 'bucketPutACL');
|
monitoring.promMetrics('PUT', bucketName, err.code, 'bucketPutACL');
|
||||||
} else {
|
} else {
|
||||||
pushMetric('putBucketAcl', log, {
|
pushMetric('putBucketAcl', log, {
|
||||||
|
|
|
@ -4,8 +4,7 @@ const { errors } = require('arsenal');
|
||||||
|
|
||||||
const bucketShield = require('./apiUtils/bucket/bucketShield');
|
const bucketShield = require('./apiUtils/bucket/bucketShield');
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
const { isBucketAuthorized } =
|
const { isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
|
||||||
require('./apiUtils/authorization/permissionChecks');
|
|
||||||
const metadata = require('../metadata/wrapper');
|
const metadata = require('../metadata/wrapper');
|
||||||
const { parseCorsXml } = require('./apiUtils/bucket/bucketCors');
|
const { parseCorsXml } = require('./apiUtils/bucket/bucketCors');
|
||||||
const { pushMetric } = require('../utapi/utilities');
|
const { pushMetric } = require('../utapi/utilities');
|
||||||
|
@ -23,7 +22,7 @@ const requestType = 'bucketPutCors';
|
||||||
*/
|
*/
|
||||||
function bucketPutCors(authInfo, request, log, callback) {
|
function bucketPutCors(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'bucketPutCors' });
|
log.debug('processing request', { method: 'bucketPutCors' });
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const canonicalID = authInfo.getCanonicalID();
|
const canonicalID = authInfo.getCanonicalID();
|
||||||
|
|
||||||
if (!request.post) {
|
if (!request.post) {
|
||||||
|
@ -70,7 +69,8 @@ function bucketPutCors(authInfo, request, log, callback) {
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
|
function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||||
|
request.iamAuthzResults, log, request)) {
|
||||||
log.debug('access denied for account on bucket', {
|
log.debug('access denied for account on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
});
|
});
|
||||||
|
@ -81,13 +81,14 @@ function bucketPutCors(authInfo, request, log, callback) {
|
||||||
function updateBucketMetadata(bucket, rules, corsHeaders, next) {
|
function updateBucketMetadata(bucket, rules, corsHeaders, next) {
|
||||||
log.trace('updating bucket cors rules in metadata');
|
log.trace('updating bucket cors rules in metadata');
|
||||||
bucket.setCors(rules);
|
bucket.setCors(rules);
|
||||||
metadata.updateBucket(bucketName, bucket, log, err =>
|
metadata.updateBucket(bucketName, bucket, log, err => next(err, corsHeaders));
|
||||||
next(err, corsHeaders));
|
|
||||||
},
|
},
|
||||||
], (err, corsHeaders) => {
|
], (err, corsHeaders) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'bucketPutCors' });
|
error: err,
|
||||||
|
method: 'bucketPutCors',
|
||||||
|
});
|
||||||
monitoring.promMetrics('PUT', bucketName, err.code,
|
monitoring.promMetrics('PUT', bucketName, err.code,
|
||||||
'putBucketCors');
|
'putBucketCors');
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,17 +18,17 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
*/
|
*/
|
||||||
|
|
||||||
function bucketPutEncryption(authInfo, request, log, callback) {
|
function bucketPutEncryption(authInfo, request, log, callback) {
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
|
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutEncryption',
|
requestType: request.apiMethods || 'bucketPutEncryption',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
next => metadataValidateBucket(metadataValParams, log, next),
|
next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next),
|
||||||
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
|
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
|
||||||
(bucket, next) => {
|
(bucket, next) => {
|
||||||
log.trace('parsing encryption config', { method: 'bucketPutEncryption' });
|
log.trace('parsing encryption config', { method: 'bucketPutEncryption' });
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
const { waterfall } = require('async');
|
const { waterfall } = require('async');
|
||||||
const uuid = require('uuid/v4');
|
const uuid = require('uuid/v4');
|
||||||
const LifecycleConfiguration =
|
const { LifecycleConfiguration } = require('arsenal').models;
|
||||||
require('arsenal').models.LifecycleConfiguration;
|
|
||||||
|
|
||||||
const parseXML = require('../utilities/parseXML');
|
const parseXML = require('../utilities/parseXML');
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
|
@ -22,11 +21,11 @@ const monitoring = require('../utilities/metrics');
|
||||||
function bucketPutLifecycle(authInfo, request, log, callback) {
|
function bucketPutLifecycle(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'bucketPutLifecycle' });
|
log.debug('processing request', { method: 'bucketPutLifecycle' });
|
||||||
|
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutLifecycle',
|
requestType: request.apiMethods || 'bucketPutLifecycle',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return waterfall([
|
return waterfall([
|
||||||
|
@ -43,7 +42,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
|
||||||
return next(null, configObj);
|
return next(null, configObj);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
(lcConfig, next) => metadataValidateBucket(metadataValParams, log,
|
(lcConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket) => {
|
(err, bucket) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
|
@ -55,17 +54,19 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
|
||||||
bucket.setUid(uuid());
|
bucket.setUid(uuid());
|
||||||
}
|
}
|
||||||
bucket.setLifecycleConfiguration(lcConfig);
|
bucket.setLifecycleConfiguration(lcConfig);
|
||||||
metadata.updateBucket(bucket.getName(), bucket, log, err =>
|
metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
|
||||||
next(err, bucket));
|
|
||||||
},
|
},
|
||||||
], (err, bucket) => {
|
], (err, bucket) => {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'bucketPutLifecycle' });
|
error: err,
|
||||||
|
method: 'bucketPutLifecycle',
|
||||||
|
});
|
||||||
monitoring.promMetrics(
|
monitoring.promMetrics(
|
||||||
'PUT', bucketName, err.code, 'putBucketLifecycle');
|
'PUT', bucketName, err.code, 'putBucketLifecycle',
|
||||||
|
);
|
||||||
return callback(err, corsHeaders);
|
return callback(err, corsHeaders);
|
||||||
}
|
}
|
||||||
pushMetric('putBucketLifecycle', log, {
|
pushMetric('putBucketLifecycle', log, {
|
||||||
|
|
|
@ -19,11 +19,11 @@ const { pushMetric } = require('../utapi/utilities');
|
||||||
function bucketPutNotification(authInfo, request, log, callback) {
|
function bucketPutNotification(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'bucketPutNotification' });
|
log.debug('processing request', { method: 'bucketPutNotification' });
|
||||||
|
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutNotification',
|
requestType: request.apiMethods || 'bucketPutNotification',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ function bucketPutNotification(authInfo, request, log, callback) {
|
||||||
const notifConfig = notificationConfig.error ? undefined : notificationConfig;
|
const notifConfig = notificationConfig.error ? undefined : notificationConfig;
|
||||||
process.nextTick(() => next(notificationConfig.error, notifConfig));
|
process.nextTick(() => next(notificationConfig.error, notifConfig));
|
||||||
},
|
},
|
||||||
(notifConfig, next) => metadataValidateBucket(metadataValParams, log,
|
(notifConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket) => next(err, bucket, notifConfig)),
|
(err, bucket) => next(err, bucket, notifConfig)),
|
||||||
(bucket, notifConfig, next) => {
|
(bucket, notifConfig, next) => {
|
||||||
bucket.setNotificationConfiguration(notifConfig);
|
bucket.setNotificationConfiguration(notifConfig);
|
||||||
|
@ -45,8 +45,10 @@ function bucketPutNotification(authInfo, request, log, callback) {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'bucketPutNotification' });
|
error: err,
|
||||||
|
method: 'bucketPutNotification',
|
||||||
|
});
|
||||||
return callback(err, corsHeaders);
|
return callback(err, corsHeaders);
|
||||||
}
|
}
|
||||||
pushMetric('putBucketNotification', log, {
|
pushMetric('putBucketNotification', log, {
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
const { waterfall } = require('async');
|
const { waterfall } = require('async');
|
||||||
const arsenal = require('arsenal');
|
const arsenal = require('arsenal');
|
||||||
|
|
||||||
const errors = arsenal.errors;
|
const { errors } = arsenal;
|
||||||
const ObjectLockConfiguration = arsenal.models.ObjectLockConfiguration;
|
const { ObjectLockConfiguration } = arsenal.models;
|
||||||
|
|
||||||
const parseXML = require('../utilities/parseXML');
|
const parseXML = require('../utilities/parseXML');
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
|
@ -22,11 +22,11 @@ const { pushMetric } = require('../utapi/utilities');
|
||||||
function bucketPutObjectLock(authInfo, request, log, callback) {
|
function bucketPutObjectLock(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'bucketPutObjectLock' });
|
log.debug('processing request', { method: 'bucketPutObjectLock' });
|
||||||
|
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutObjectLock',
|
requestType: request.apiMethods || 'bucketPutObjectLock',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return waterfall([
|
return waterfall([
|
||||||
|
@ -36,12 +36,12 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
|
||||||
// if there was an error getting object lock configuration,
|
// if there was an error getting object lock configuration,
|
||||||
// returned configObj will contain 'error' key
|
// returned configObj will contain 'error' key
|
||||||
process.nextTick(() => {
|
process.nextTick(() => {
|
||||||
const configObj = lockConfigClass.
|
const configObj = lockConfigClass
|
||||||
getValidatedObjectLockConfiguration();
|
.getValidatedObjectLockConfiguration();
|
||||||
return next(configObj.error || null, configObj);
|
return next(configObj.error || null, configObj);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
(objectLockConfig, next) => metadataValidateBucket(metadataValParams,
|
(objectLockConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults,
|
||||||
log, (err, bucket) => {
|
log, (err, bucket) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
|
@ -53,23 +53,25 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
|
||||||
process.nextTick(() => {
|
process.nextTick(() => {
|
||||||
if (!isObjectLockEnabled) {
|
if (!isObjectLockEnabled) {
|
||||||
return next(errors.InvalidBucketState.customizeDescription(
|
return next(errors.InvalidBucketState.customizeDescription(
|
||||||
'Object Lock configuration cannot be enabled on ' +
|
'Object Lock configuration cannot be enabled on '
|
||||||
'existing buckets'), bucket);
|
+ 'existing buckets',
|
||||||
|
), bucket);
|
||||||
}
|
}
|
||||||
return next(null, bucket, objectLockConfig);
|
return next(null, bucket, objectLockConfig);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
(bucket, objectLockConfig, next) => {
|
(bucket, objectLockConfig, next) => {
|
||||||
bucket.setObjectLockConfiguration(objectLockConfig);
|
bucket.setObjectLockConfiguration(objectLockConfig);
|
||||||
metadata.updateBucket(bucket.getName(), bucket, log, err =>
|
metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
|
||||||
next(err, bucket));
|
|
||||||
},
|
},
|
||||||
], (err, bucket) => {
|
], (err, bucket) => {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'bucketPutObjectLock' });
|
error: err,
|
||||||
|
method: 'bucketPutObjectLock',
|
||||||
|
});
|
||||||
return callback(err, corsHeaders);
|
return callback(err, corsHeaders);
|
||||||
}
|
}
|
||||||
pushMetric('putBucketObjectLock', log, {
|
pushMetric('putBucketObjectLock', log, {
|
||||||
|
|
|
@ -17,8 +17,7 @@ const { BucketPolicy } = models;
|
||||||
function _checkNotImplementedPolicy(policyString) {
|
function _checkNotImplementedPolicy(policyString) {
|
||||||
// bucket names and key names cannot include "", so including those
|
// bucket names and key names cannot include "", so including those
|
||||||
// isolates not implemented keys
|
// isolates not implemented keys
|
||||||
return policyString.includes('"Condition"')
|
return policyString.includes('"Service"')
|
||||||
|| policyString.includes('"Service"')
|
|
||||||
|| policyString.includes('"Federated"');
|
|| policyString.includes('"Federated"');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,7 +36,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutPolicy',
|
requestType: request.apiMethods || 'bucketPutPolicy',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -70,7 +69,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
|
||||||
return next(null, bucketPolicy);
|
return next(null, bucketPolicy);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
(bucketPolicy, next) => metadataValidateBucket(metadataValParams, log,
|
(bucketPolicy, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket) => {
|
(err, bucket) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
|
|
|
@ -28,7 +28,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutReplication',
|
requestType: request.apiMethods || 'bucketPutReplication',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
return waterfall([
|
return waterfall([
|
||||||
|
@ -37,7 +37,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
|
||||||
// Check bucket user privileges and ensure versioning is 'Enabled'.
|
// Check bucket user privileges and ensure versioning is 'Enabled'.
|
||||||
(config, next) =>
|
(config, next) =>
|
||||||
// TODO: Validate that destination bucket exists and has versioning.
|
// TODO: Validate that destination bucket exists and has versioning.
|
||||||
metadataValidateBucket(metadataValParams, log, (err, bucket) => {
|
metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
|
|
|
@ -38,11 +38,11 @@ function bucketPutTagging(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutTagging',
|
requestType: request.apiMethods || 'bucketPutTagging',
|
||||||
};
|
};
|
||||||
let bucket = null;
|
let bucket = null;
|
||||||
return waterfall([
|
return waterfall([
|
||||||
next => metadataValidateBucket(metadataValParams, log,
|
next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, b) => {
|
(err, b) => {
|
||||||
bucket = b;
|
bucket = b;
|
||||||
return next(err);
|
return next(err);
|
||||||
|
|
|
@ -88,13 +88,13 @@ function bucketPutVersioning(authInfo, request, log, callback) {
|
||||||
const metadataValParams = {
|
const metadataValParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName,
|
bucketName,
|
||||||
requestType: 'bucketPutVersioning',
|
requestType: request.apiMethods || 'bucketPutVersioning',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
return waterfall([
|
return waterfall([
|
||||||
next => _parseXML(request, log, next),
|
next => _parseXML(request, log, next),
|
||||||
next => metadataValidateBucket(metadataValParams, log,
|
next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket) => next(err, bucket)), // ignore extra null object,
|
(err, bucket) => next(err, bucket)), // ignore extra null object,
|
||||||
(bucket, next) => parseString(request.post, (err, result) => {
|
(bucket, next) => parseString(request.post, (err, result) => {
|
||||||
// just for linting; there should not be any parsing error here
|
// just for linting; there should not be any parsing error here
|
||||||
|
|
|
@ -49,7 +49,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
function validateBucketAuthorization(bucket, config, next) {
|
function validateBucketAuthorization(bucket, config, next) {
|
||||||
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
|
if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||||
|
request.iamAuthzResults, log, request)) {
|
||||||
log.debug('access denied for user on bucket', {
|
log.debug('access denied for user on bucket', {
|
||||||
requestType,
|
requestType,
|
||||||
method: 'bucketPutWebsite',
|
method: 'bucketPutWebsite',
|
||||||
|
|
|
@ -16,6 +16,7 @@ const { config } = require('../Config');
|
||||||
const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
|
const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
|
||||||
const monitoring = require('../utilities/metrics');
|
const monitoring = require('../utilities/metrics');
|
||||||
const writeContinue = require('../utilities/writeContinue');
|
const writeContinue = require('../utilities/writeContinue');
|
||||||
|
|
||||||
const versionIdUtils = versioning.VersionID;
|
const versionIdUtils = versioning.VersionID;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -59,7 +60,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
||||||
}
|
}
|
||||||
const invalidSSEError = errors.InvalidArgument.customizeDescription(
|
const invalidSSEError = errors.InvalidArgument.customizeDescription(
|
||||||
'The encryption method specified is not supported');
|
'The encryption method specified is not supported');
|
||||||
const requestType = 'objectPut';
|
const requestType = request.apiMethods || 'objectPut';
|
||||||
const valParams = { authInfo, bucketName, objectKey, requestType, request };
|
const valParams = { authInfo, bucketName, objectKey, requestType, request };
|
||||||
const canonicalID = authInfo.getCanonicalID();
|
const canonicalID = authInfo.getCanonicalID();
|
||||||
|
|
||||||
|
@ -70,8 +71,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
||||||
}
|
}
|
||||||
|
|
||||||
log.trace('owner canonicalID to send to data', { canonicalID });
|
log.trace('owner canonicalID to send to data', { canonicalID });
|
||||||
|
return metadataValidateBucketAndObj(valParams, request.iamAuthzResults, log,
|
||||||
return metadataValidateBucketAndObj(valParams, log,
|
|
||||||
(err, bucket, objMD) => {
|
(err, bucket, objMD) => {
|
||||||
const responseHeaders = collectCorsHeaders(headers.origin,
|
const responseHeaders = collectCorsHeaders(headers.origin,
|
||||||
method, bucket);
|
method, bucket);
|
||||||
|
@ -168,8 +168,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
|
||||||
const isVersionedObj = vcfg && vcfg.Status === 'Enabled';
|
const isVersionedObj = vcfg && vcfg.Status === 'Enabled';
|
||||||
if (isVersionedObj) {
|
if (isVersionedObj) {
|
||||||
if (storingResult && storingResult.versionId) {
|
if (storingResult && storingResult.versionId) {
|
||||||
responseHeaders['x-amz-version-id'] =
|
responseHeaders['x-amz-version-id'] = versionIdUtils.encode(storingResult.versionId,
|
||||||
versionIdUtils.encode(storingResult.versionId,
|
|
||||||
config.versionIdEncodingType);
|
config.versionIdEncodingType);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,8 +7,7 @@ const { pushMetric } = require('../utapi/utilities');
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
const constants = require('../../constants');
|
const constants = require('../../constants');
|
||||||
const vault = require('../auth/vault');
|
const vault = require('../auth/vault');
|
||||||
const { decodeVersionId, getVersionIdResHeader }
|
const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
|
||||||
= require('./apiUtils/object/versioning');
|
|
||||||
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
|
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
|
||||||
const monitoring = require('../utilities/metrics');
|
const monitoring = require('../utilities/metrics');
|
||||||
const { config } = require('../Config');
|
const { config } = require('../Config');
|
||||||
|
@ -45,8 +44,8 @@ const { config } = require('../Config');
|
||||||
*/
|
*/
|
||||||
function objectPutACL(authInfo, request, log, cb) {
|
function objectPutACL(authInfo, request, log, cb) {
|
||||||
log.debug('processing request', { method: 'objectPutACL' });
|
log.debug('processing request', { method: 'objectPutACL' });
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const objectKey = request.objectKey;
|
const { objectKey } = request;
|
||||||
const newCannedACL = request.headers['x-amz-acl'];
|
const newCannedACL = request.headers['x-amz-acl'];
|
||||||
const possibleCannedACL = [
|
const possibleCannedACL = [
|
||||||
'private',
|
'private',
|
||||||
|
@ -88,7 +87,7 @@ function objectPutACL(authInfo, request, log, cb) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectPutACL',
|
requestType: request.apiMethods || 'objectPutACL',
|
||||||
};
|
};
|
||||||
|
|
||||||
const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
|
const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
|
||||||
|
@ -100,26 +99,26 @@ function objectPutACL(authInfo, request, log, cb) {
|
||||||
READ_ACP: [],
|
READ_ACP: [],
|
||||||
};
|
};
|
||||||
|
|
||||||
const grantReadHeader =
|
const grantReadHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
|
const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
|
||||||
const grantReadACPHeader =
|
|
||||||
aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
|
|
||||||
'READ_ACP');
|
'READ_ACP');
|
||||||
const grantWriteACPHeader = aclUtils.parseGrant(
|
const grantWriteACPHeader = aclUtils.parseGrant(
|
||||||
request.headers['x-amz-grant-write-acp'], 'WRITE_ACP');
|
request.headers['x-amz-grant-write-acp'], 'WRITE_ACP',
|
||||||
|
);
|
||||||
const grantFullControlHeader = aclUtils.parseGrant(
|
const grantFullControlHeader = aclUtils.parseGrant(
|
||||||
request.headers['x-amz-grant-full-control'], 'FULL_CONTROL');
|
request.headers['x-amz-grant-full-control'], 'FULL_CONTROL',
|
||||||
|
);
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
function validateBucketAndObj(next) {
|
function validateBucketAndObj(next) {
|
||||||
return metadataValidateBucketAndObj(metadataValParams, log,
|
return metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket, objectMD) => {
|
(err, bucket, objectMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
if (!objectMD) {
|
if (!objectMD) {
|
||||||
const err = reqVersionId ? errors.NoSuchVersion :
|
const err = reqVersionId ? errors.NoSuchVersion
|
||||||
errors.NoSuchKey;
|
: errors.NoSuchKey;
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
}
|
}
|
||||||
if (objectMD.isDeleteMarker) {
|
if (objectMD.isDeleteMarker) {
|
||||||
|
@ -222,22 +221,24 @@ function objectPutACL(authInfo, request, log, cb) {
|
||||||
} else {
|
} else {
|
||||||
// If no canned ACL and no parsed xml, loop
|
// If no canned ACL and no parsed xml, loop
|
||||||
// through the access headers
|
// through the access headers
|
||||||
const allGrantHeaders =
|
const allGrantHeaders = [].concat(grantReadHeader,
|
||||||
[].concat(grantReadHeader,
|
|
||||||
grantReadACPHeader, grantWriteACPHeader,
|
grantReadACPHeader, grantWriteACPHeader,
|
||||||
grantFullControlHeader);
|
grantFullControlHeader);
|
||||||
|
|
||||||
usersIdentifiedByEmail = allGrantHeaders.filter(item =>
|
usersIdentifiedByEmail = allGrantHeaders.filter(item => item
|
||||||
item && item.userIDType.toLowerCase() === 'emailaddress');
|
&& item.userIDType.toLowerCase() === 'emailaddress');
|
||||||
usersIdentifiedByGroup = allGrantHeaders
|
usersIdentifiedByGroup = allGrantHeaders
|
||||||
.filter(itm => itm && itm.userIDType
|
.filter(itm => itm && itm.userIDType
|
||||||
.toLowerCase() === 'uri');
|
.toLowerCase() === 'uri');
|
||||||
for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
|
for (let i = 0; i < usersIdentifiedByGroup.length; i += 1) {
|
||||||
if (possibleGroups.indexOf(
|
if (possibleGroups.indexOf(
|
||||||
usersIdentifiedByGroup[i].identifier) < 0) {
|
usersIdentifiedByGroup[i].identifier,
|
||||||
|
) < 0) {
|
||||||
log.trace('invalid user group',
|
log.trace('invalid user group',
|
||||||
{ userGroup: usersIdentifiedByGroup[i]
|
{
|
||||||
.identifier });
|
userGroup: usersIdentifiedByGroup[i]
|
||||||
|
.identifier,
|
||||||
|
});
|
||||||
return next(errors.InvalidArgument, bucket);
|
return next(errors.InvalidArgument, bucket);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -265,18 +266,20 @@ function objectPutACL(authInfo, request, log, cb) {
|
||||||
const allUsers = [].concat(
|
const allUsers = [].concat(
|
||||||
reconstructedUsersIdentifiedByEmail,
|
reconstructedUsersIdentifiedByEmail,
|
||||||
usersIdentifiedByID,
|
usersIdentifiedByID,
|
||||||
usersIdentifiedByGroup);
|
usersIdentifiedByGroup,
|
||||||
|
);
|
||||||
const revisedAddACLParams = aclUtils
|
const revisedAddACLParams = aclUtils
|
||||||
.sortHeaderGrants(allUsers, addACLParams);
|
.sortHeaderGrants(allUsers, addACLParams);
|
||||||
return next(null, bucket, objectMD,
|
return next(null, bucket, objectMD,
|
||||||
revisedAddACLParams);
|
revisedAddACLParams);
|
||||||
});
|
},
|
||||||
|
);
|
||||||
}
|
}
|
||||||
const allUsers = [].concat(
|
const allUsers = [].concat(
|
||||||
usersIdentifiedByID,
|
usersIdentifiedByID,
|
||||||
usersIdentifiedByGroup);
|
usersIdentifiedByGroup,
|
||||||
const revisedAddACLParams =
|
);
|
||||||
aclUtils.sortHeaderGrants(allUsers, addACLParams);
|
const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
|
||||||
return next(null, bucket, objectMD, revisedAddACLParams);
|
return next(null, bucket, objectMD, revisedAddACLParams);
|
||||||
},
|
},
|
||||||
function addAclsToObjMD(bucket, objectMD, ACLParams, next) {
|
function addAclsToObjMD(bucket, objectMD, ACLParams, next) {
|
||||||
|
@ -300,13 +303,13 @@ function objectPutACL(authInfo, request, log, cb) {
|
||||||
method: 'objectPutACL',
|
method: 'objectPutACL',
|
||||||
});
|
});
|
||||||
monitoring.promMetrics(
|
monitoring.promMetrics(
|
||||||
'PUT', bucketName, err.code, 'putObjectAcl');
|
'PUT', bucketName, err.code, 'putObjectAcl',
|
||||||
|
);
|
||||||
return cb(err, resHeaders);
|
return cb(err, resHeaders);
|
||||||
}
|
}
|
||||||
|
|
||||||
const verCfg = bucket.getVersioningConfiguration();
|
const verCfg = bucket.getVersioningConfiguration();
|
||||||
resHeaders['x-amz-version-id'] =
|
resHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
|
||||||
getVersionIdResHeader(verCfg, objectMD);
|
|
||||||
|
|
||||||
log.trace('processed request successfully in object put acl api');
|
log.trace('processed request successfully in object put acl api');
|
||||||
pushMetric('putObjectAcl', log, {
|
pushMetric('putObjectAcl', log, {
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
const async = require('async');
|
const async = require('async');
|
||||||
const { errors, versioning, s3middleware } = require('arsenal');
|
const { errors, versioning, s3middleware } = require('arsenal');
|
||||||
|
|
||||||
const validateHeaders = s3middleware.validateConditionalHeaders;
|
const validateHeaders = s3middleware.validateConditionalHeaders;
|
||||||
|
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
const constants = require('../../constants');
|
const constants = require('../../constants');
|
||||||
const { data } = require('../data/wrapper');
|
const { data } = require('../data/wrapper');
|
||||||
const locationConstraintCheck =
|
const locationConstraintCheck = require('./apiUtils/object/locationConstraintCheck');
|
||||||
require('./apiUtils/object/locationConstraintCheck');
|
|
||||||
const metadata = require('../metadata/wrapper');
|
const metadata = require('../metadata/wrapper');
|
||||||
const { pushMetric } = require('../utapi/utilities');
|
const { pushMetric } = require('../utapi/utilities');
|
||||||
const logger = require('../utilities/logger');
|
const logger = require('../utilities/logger');
|
||||||
|
@ -62,8 +62,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
// Note that keys in the query object retain their case, so
|
// Note that keys in the query object retain their case, so
|
||||||
// request.query.uploadId must be called with that exact
|
// request.query.uploadId must be called with that exact
|
||||||
// capitalization
|
// capitalization
|
||||||
const uploadId = request.query.uploadId;
|
const { uploadId } = request.query;
|
||||||
|
|
||||||
const valPutParams = {
|
const valPutParams = {
|
||||||
authInfo,
|
authInfo,
|
||||||
bucketName: destBucketName,
|
bucketName: destBucketName,
|
||||||
|
@ -93,26 +92,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
function checkDestAuth(next) {
|
function checkDestAuth(next) {
|
||||||
return metadataValidateBucketAndObj(valPutParams, log,
|
return metadataValidateBucketAndObj(valPutParams, request.iamAuthzResults, log,
|
||||||
(err, destBucketMD) => {
|
(err, destBucketMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug('error validating authorization for ' +
|
log.debug('error validating authorization for '
|
||||||
'destination bucket',
|
+ 'destination bucket',
|
||||||
{ error: err });
|
{ error: err });
|
||||||
return next(err, destBucketMD);
|
return next(err, destBucketMD);
|
||||||
}
|
}
|
||||||
const flag = destBucketMD.hasDeletedFlag()
|
const flag = destBucketMD.hasDeletedFlag()
|
||||||
|| destBucketMD.hasTransientFlag();
|
|| destBucketMD.hasTransientFlag();
|
||||||
if (flag) {
|
if (flag) {
|
||||||
log.trace('deleted flag or transient flag ' +
|
log.trace('deleted flag or transient flag '
|
||||||
'on destination bucket', { flag });
|
+ 'on destination bucket', { flag });
|
||||||
return next(errors.NoSuchBucket);
|
return next(errors.NoSuchBucket);
|
||||||
}
|
}
|
||||||
return next(null, destBucketMD);
|
return next(null, destBucketMD);
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
function checkSourceAuthorization(destBucketMD, next) {
|
function checkSourceAuthorization(destBucketMD, next) {
|
||||||
return metadataValidateBucketAndObj(valGetParams, log,
|
return metadataValidateBucketAndObj(valGetParams, request.iamAuthzResults, log,
|
||||||
(err, sourceBucketMD, sourceObjMD) => {
|
(err, sourceBucketMD, sourceObjMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug('error validating get part of request',
|
log.debug('error validating get part of request',
|
||||||
|
@ -121,28 +120,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
}
|
}
|
||||||
if (!sourceObjMD) {
|
if (!sourceObjMD) {
|
||||||
log.debug('no source object', { sourceObject });
|
log.debug('no source object', { sourceObject });
|
||||||
const err = reqVersionId ? errors.NoSuchVersion :
|
const err = reqVersionId ? errors.NoSuchVersion
|
||||||
errors.NoSuchKey;
|
: errors.NoSuchKey;
|
||||||
return next(err, destBucketMD);
|
return next(err, destBucketMD);
|
||||||
}
|
}
|
||||||
let sourceLocationConstraintName =
|
let sourceLocationConstraintName = sourceObjMD.dataStoreName;
|
||||||
sourceObjMD.dataStoreName;
|
|
||||||
// for backwards compatibility before storing dataStoreName
|
// for backwards compatibility before storing dataStoreName
|
||||||
// TODO: handle in objectMD class
|
// TODO: handle in objectMD class
|
||||||
if (!sourceLocationConstraintName &&
|
if (!sourceLocationConstraintName
|
||||||
sourceObjMD.location[0] &&
|
&& sourceObjMD.location[0]
|
||||||
sourceObjMD.location[0].dataStoreName) {
|
&& sourceObjMD.location[0].dataStoreName) {
|
||||||
sourceLocationConstraintName =
|
sourceLocationConstraintName = sourceObjMD.location[0].dataStoreName;
|
||||||
sourceObjMD.location[0].dataStoreName;
|
|
||||||
}
|
}
|
||||||
if (sourceObjMD.isDeleteMarker) {
|
if (sourceObjMD.isDeleteMarker) {
|
||||||
log.debug('delete marker on source object',
|
log.debug('delete marker on source object',
|
||||||
{ sourceObject });
|
{ sourceObject });
|
||||||
if (reqVersionId) {
|
if (reqVersionId) {
|
||||||
const err = errors.InvalidRequest
|
const err = errors.InvalidRequest
|
||||||
.customizeDescription('The source of a copy ' +
|
.customizeDescription('The source of a copy '
|
||||||
'request may not specifically refer to a delete' +
|
+ 'request may not specifically refer to a delete'
|
||||||
'marker by version id.');
|
+ 'marker by version id.');
|
||||||
return next(err, destBucketMD);
|
return next(err, destBucketMD);
|
||||||
}
|
}
|
||||||
// if user specifies a key in a versioned source bucket
|
// if user specifies a key in a versioned source bucket
|
||||||
|
@ -150,8 +147,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
// delete marker, return NoSuchKey
|
// delete marker, return NoSuchKey
|
||||||
return next(errors.NoSuchKey, destBucketMD);
|
return next(errors.NoSuchKey, destBucketMD);
|
||||||
}
|
}
|
||||||
const headerValResult =
|
const headerValResult = validateHeaders(request.headers,
|
||||||
validateHeaders(request.headers,
|
|
||||||
sourceObjMD['last-modified'],
|
sourceObjMD['last-modified'],
|
||||||
sourceObjMD['content-md5']);
|
sourceObjMD['content-md5']);
|
||||||
if (headerValResult.error) {
|
if (headerValResult.error) {
|
||||||
|
@ -166,15 +162,15 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
// If specific version requested, include copy source
|
// If specific version requested, include copy source
|
||||||
// version id in response. Include in request by default
|
// version id in response. Include in request by default
|
||||||
// if versioning is enabled or suspended.
|
// if versioning is enabled or suspended.
|
||||||
if (sourceBucketMD.getVersioningConfiguration() ||
|
if (sourceBucketMD.getVersioningConfiguration()
|
||||||
reqVersionId) {
|
|| reqVersionId) {
|
||||||
if (sourceObjMD.isNull || !sourceObjMD.versionId) {
|
if (sourceObjMD.isNull || !sourceObjMD.versionId) {
|
||||||
sourceVerId = 'null';
|
sourceVerId = 'null';
|
||||||
} else {
|
} else {
|
||||||
sourceVerId =
|
sourceVerId = versionIdUtils.encode(
|
||||||
versionIdUtils.encode(
|
|
||||||
sourceObjMD.versionId,
|
sourceObjMD.versionId,
|
||||||
config.versionIdEncodingType);
|
config.versionIdEncodingType,
|
||||||
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return next(null, copyLocator.dataLocator, destBucketMD,
|
return next(null, copyLocator.dataLocator, destBucketMD,
|
||||||
|
@ -199,7 +195,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
});
|
});
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
let splitter = constants.splitter;
|
let { splitter } = constants;
|
||||||
if (mpuBucket.getMdBucketModelVersion() < 2) {
|
if (mpuBucket.getMdBucketModelVersion() < 2) {
|
||||||
splitter = constants.oldSplitter;
|
splitter = constants.oldSplitter;
|
||||||
}
|
}
|
||||||
|
@ -213,8 +209,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
function getMpuOverviewObject(dataLocator, destBucketMD,
|
function getMpuOverviewObject(dataLocator, destBucketMD,
|
||||||
copyObjectSize, sourceVerId, splitter,
|
copyObjectSize, sourceVerId, splitter,
|
||||||
sourceLocationConstraintName, next) {
|
sourceLocationConstraintName, next) {
|
||||||
const mpuOverviewKey =
|
const mpuOverviewKey = `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
|
||||||
`overview${splitter}${destObjectKey}${splitter}${uploadId}`;
|
|
||||||
return metadata.getObjectMD(mpuBucketName, mpuOverviewKey,
|
return metadata.getObjectMD(mpuBucketName, mpuOverviewKey,
|
||||||
null, log, (err, res) => {
|
null, log, (err, res) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
|
@ -222,22 +217,21 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
if (err.NoSuchKey) {
|
if (err.NoSuchKey) {
|
||||||
return next(errors.NoSuchUpload);
|
return next(errors.NoSuchUpload);
|
||||||
}
|
}
|
||||||
log.error('error getting overview object from ' +
|
log.error('error getting overview object from '
|
||||||
'mpu bucket', {
|
+ 'mpu bucket', {
|
||||||
error: err,
|
error: err,
|
||||||
method: 'objectPutCopyPart::' +
|
method: 'objectPutCopyPart::'
|
||||||
'metadata.getObjectMD',
|
+ 'metadata.getObjectMD',
|
||||||
});
|
});
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
const initiatorID = res.initiator.ID;
|
const initiatorID = res.initiator.ID;
|
||||||
const requesterID = authInfo.isRequesterAnIAMUser() ?
|
const requesterID = authInfo.isRequesterAnIAMUser()
|
||||||
authInfo.getArn() : authInfo.getCanonicalID();
|
? authInfo.getArn() : authInfo.getCanonicalID();
|
||||||
if (initiatorID !== requesterID) {
|
if (initiatorID !== requesterID) {
|
||||||
return next(errors.AccessDenied);
|
return next(errors.AccessDenied);
|
||||||
}
|
}
|
||||||
const destObjLocationConstraint =
|
const destObjLocationConstraint = res.controllingLocationConstraint;
|
||||||
res.controllingLocationConstraint;
|
|
||||||
return next(null, dataLocator, destBucketMD,
|
return next(null, dataLocator, destBucketMD,
|
||||||
destObjLocationConstraint, copyObjectSize,
|
destObjLocationConstraint, copyObjectSize,
|
||||||
sourceVerId, sourceLocationConstraintName, splitter);
|
sourceVerId, sourceLocationConstraintName, splitter);
|
||||||
|
@ -253,6 +247,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
splitter,
|
splitter,
|
||||||
next,
|
next,
|
||||||
) {
|
) {
|
||||||
|
const originalIdentityAuthzResults = request.iamAuthzResults;
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
delete request.iamAuthzResults;
|
||||||
data.uploadPartCopy(
|
data.uploadPartCopy(
|
||||||
request,
|
request,
|
||||||
log,
|
log,
|
||||||
|
@ -263,6 +260,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
dataStoreContext,
|
dataStoreContext,
|
||||||
locationConstraintCheck,
|
locationConstraintCheck,
|
||||||
(error, eTag, lastModified, serverSideEncryption, locations) => {
|
(error, eTag, lastModified, serverSideEncryption, locations) => {
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
request.iamAuthzResults = originalIdentityAuthzResults;
|
||||||
if (error) {
|
if (error) {
|
||||||
if (error.message === 'skip') {
|
if (error.message === 'skip') {
|
||||||
return next(skipError, destBucketMD, eTag,
|
return next(skipError, destBucketMD, eTag,
|
||||||
|
@ -274,13 +273,13 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
return next(null, destBucketMD, locations, eTag,
|
return next(null, destBucketMD, locations, eTag,
|
||||||
copyObjectSize, sourceVerId, serverSideEncryption,
|
copyObjectSize, sourceVerId, serverSideEncryption,
|
||||||
lastModified, splitter);
|
lastModified, splitter);
|
||||||
});
|
},
|
||||||
|
);
|
||||||
},
|
},
|
||||||
function getExistingPartInfo(destBucketMD, locations, totalHash,
|
function getExistingPartInfo(destBucketMD, locations, totalHash,
|
||||||
copyObjectSize, sourceVerId, serverSideEncryption, lastModified,
|
copyObjectSize, sourceVerId, serverSideEncryption, lastModified,
|
||||||
splitter, next) {
|
splitter, next) {
|
||||||
const partKey =
|
const partKey = `${uploadId}${constants.splitter}${paddedPartNumber}`;
|
||||||
`${uploadId}${constants.splitter}${paddedPartNumber}`;
|
|
||||||
metadata.getObjectMD(mpuBucketName, partKey, {}, log,
|
metadata.getObjectMD(mpuBucketName, partKey, {}, log,
|
||||||
(err, result) => {
|
(err, result) => {
|
||||||
// If there is nothing being overwritten just move on
|
// If there is nothing being overwritten just move on
|
||||||
|
@ -298,8 +297,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
// Pull locations to clean up any potential orphans
|
// Pull locations to clean up any potential orphans
|
||||||
// in data if object put is an overwrite of
|
// in data if object put is an overwrite of
|
||||||
// already existing object with same key and part number
|
// already existing object with same key and part number
|
||||||
oldLocations = Array.isArray(oldLocations) ?
|
oldLocations = Array.isArray(oldLocations)
|
||||||
oldLocations : [oldLocations];
|
? oldLocations : [oldLocations];
|
||||||
}
|
}
|
||||||
return next(null, destBucketMD, locations, totalHash,
|
return next(null, destBucketMD, locations, totalHash,
|
||||||
prevObjectSize, copyObjectSize, sourceVerId,
|
prevObjectSize, copyObjectSize, sourceVerId,
|
||||||
|
@ -374,7 +373,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
// data locations) has been stored
|
// data locations) has been stored
|
||||||
if (oldLocationsToDelete) {
|
if (oldLocationsToDelete) {
|
||||||
const delLog = logger.newRequestLoggerFromSerializedUids(
|
const delLog = logger.newRequestLoggerFromSerializedUids(
|
||||||
log.getSerializedUids());
|
log.getSerializedUids(),
|
||||||
|
);
|
||||||
return data.batchDelete(oldLocationsToDelete, request.method, null,
|
return data.batchDelete(oldLocationsToDelete, request.method, null,
|
||||||
delLog, err => {
|
delLog, err => {
|
||||||
if (err) {
|
if (err) {
|
||||||
|
@ -415,11 +415,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
|
|
||||||
const additionalHeaders = corsHeaders || {};
|
const additionalHeaders = corsHeaders || {};
|
||||||
if (serverSideEncryption) {
|
if (serverSideEncryption) {
|
||||||
additionalHeaders['x-amz-server-side-encryption'] =
|
additionalHeaders['x-amz-server-side-encryption'] = serverSideEncryption.algorithm;
|
||||||
serverSideEncryption.algorithm;
|
|
||||||
if (serverSideEncryption.algorithm === 'aws:kms') {
|
if (serverSideEncryption.algorithm === 'aws:kms') {
|
||||||
additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id']
|
additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id'] = serverSideEncryption.masterKeyId;
|
||||||
= serverSideEncryption.masterKeyId;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId;
|
additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId;
|
||||||
|
@ -433,7 +431,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
|
||||||
location: destBucketMD.getLocationConstraint(),
|
location: destBucketMD.getLocationConstraint(),
|
||||||
});
|
});
|
||||||
monitoring.promMetrics(
|
monitoring.promMetrics(
|
||||||
'PUT', destBucketName, '200', 'putObjectCopyPart');
|
'PUT', destBucketName, '200', 'putObjectCopyPart',
|
||||||
|
);
|
||||||
return callback(null, xml, additionalHeaders);
|
return callback(null, xml, additionalHeaders);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,12 +43,12 @@ function objectPutLegalHold(authInfo, request, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId,
|
versionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectPutLegalHold',
|
requestType: request.apiMethods || 'objectPutLegalHold',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
next => metadataValidateBucketAndObj(metadataValParams, log,
|
next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket, objectMD) => {
|
(err, bucket, objectMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('request authorization failed',
|
log.trace('request authorization failed',
|
||||||
|
|
|
@ -94,6 +94,7 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
||||||
const uploadId = request.query.uploadId;
|
const uploadId = request.query.uploadId;
|
||||||
const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
|
const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
|
||||||
const objectKey = request.objectKey;
|
const objectKey = request.objectKey;
|
||||||
|
const originalIdentityAuthzResults = request.iamAuthzResults;
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
// Get the destination bucket.
|
// Get the destination bucket.
|
||||||
|
@ -116,7 +117,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
||||||
// For validating the request at the destinationBucket level the
|
// For validating the request at the destinationBucket level the
|
||||||
// `requestType` is the general 'objectPut'.
|
// `requestType` is the general 'objectPut'.
|
||||||
const requestType = 'objectPut';
|
const requestType = 'objectPut';
|
||||||
if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo, log, request)) {
|
if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
|
||||||
|
request.iamAuthzResults, log, request)) {
|
||||||
log.debug('access denied for user on bucket', { requestType });
|
log.debug('access denied for user on bucket', { requestType });
|
||||||
return next(errors.AccessDenied, destinationBucket);
|
return next(errors.AccessDenied, destinationBucket);
|
||||||
}
|
}
|
||||||
|
@ -203,6 +205,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
||||||
partNumber,
|
partNumber,
|
||||||
bucketName,
|
bucketName,
|
||||||
};
|
};
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
delete request.iamAuthzResults;
|
||||||
writeContinue(request, request._response);
|
writeContinue(request, request._response);
|
||||||
return data.putPart(request, mpuInfo, streamingV4Params,
|
return data.putPart(request, mpuInfo, streamingV4Params,
|
||||||
objectLocationConstraint, locationConstraintCheck, log,
|
objectLocationConstraint, locationConstraintCheck, log,
|
||||||
|
@ -385,6 +389,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
|
||||||
], (err, destinationBucket, hexDigest, prevObjectSize) => {
|
], (err, destinationBucket, hexDigest, prevObjectSize) => {
|
||||||
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
const corsHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, destinationBucket);
|
request.method, destinationBucket);
|
||||||
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
request.iamAuthzResults = originalIdentityAuthzResults;
|
||||||
if (err) {
|
if (err) {
|
||||||
if (err === skipError) {
|
if (err === skipError) {
|
||||||
return cb(null, hexDigest, corsHeaders);
|
return cb(null, hexDigest, corsHeaders);
|
||||||
|
|
|
@ -44,12 +44,27 @@ function objectPutRetention(authInfo, request, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectPutRetention',
|
requestType: request.apiMethods || 'objectPutRetention',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
next => metadataValidateBucketAndObj(metadataValParams, log,
|
next => {
|
||||||
|
log.trace('parsing retention information');
|
||||||
|
parseRetentionXml(request.post, log,
|
||||||
|
(err, retentionInfo) => {
|
||||||
|
if (err) {
|
||||||
|
log.trace('error parsing retention information',
|
||||||
|
{ error: err });
|
||||||
|
return next(err);
|
||||||
|
}
|
||||||
|
const remainingDays = Math.ceil(
|
||||||
|
(new Date(retentionInfo.date) - Date.now()) / (1000 * 3600 * 24));
|
||||||
|
metadataValParams.request.objectLockRetentionDays = remainingDays;
|
||||||
|
return next(null, retentionInfo);
|
||||||
|
});
|
||||||
|
},
|
||||||
|
(retentionInfo, next) => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket, objectMD) => {
|
(err, bucket, objectMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('request authorization failed',
|
log.trace('request authorization failed',
|
||||||
|
@ -77,13 +92,8 @@ function objectPutRetention(authInfo, request, log, callback) {
|
||||||
'Bucket is missing Object Lock Configuration'
|
'Bucket is missing Object Lock Configuration'
|
||||||
), bucket);
|
), bucket);
|
||||||
}
|
}
|
||||||
return next(null, bucket, objectMD);
|
return next(null, bucket, retentionInfo, objectMD);
|
||||||
}),
|
}),
|
||||||
(bucket, objectMD, next) => {
|
|
||||||
log.trace('parsing retention information');
|
|
||||||
parseRetentionXml(request.post, log,
|
|
||||||
(err, retentionInfo) => next(err, bucket, retentionInfo, objectMD));
|
|
||||||
},
|
|
||||||
(bucket, retentionInfo, objectMD, next) => {
|
(bucket, retentionInfo, objectMD, next) => {
|
||||||
const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
|
const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
|
||||||
if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) {
|
if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) {
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
const async = require('async');
|
const async = require('async');
|
||||||
const { errors, s3middleware } = require('arsenal');
|
const { errors, s3middleware } = require('arsenal');
|
||||||
|
|
||||||
const { decodeVersionId, getVersionIdResHeader } =
|
const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
|
||||||
require('./apiUtils/object/versioning');
|
|
||||||
|
|
||||||
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
|
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
|
||||||
const { pushMetric } = require('../utapi/utilities');
|
const { pushMetric } = require('../utapi/utilities');
|
||||||
|
@ -11,8 +10,10 @@ const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
|
||||||
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
|
||||||
const metadata = require('../metadata/wrapper');
|
const metadata = require('../metadata/wrapper');
|
||||||
const { data } = require('../data/wrapper');
|
const { data } = require('../data/wrapper');
|
||||||
|
|
||||||
const { parseTagXml } = s3middleware.tagging;
|
const { parseTagXml } = s3middleware.tagging;
|
||||||
const { config } = require('../Config');
|
const { config } = require('../Config');
|
||||||
|
|
||||||
const REPLICATION_ACTION = 'PUT_TAGGING';
|
const REPLICATION_ACTION = 'PUT_TAGGING';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -26,8 +27,8 @@ const REPLICATION_ACTION = 'PUT_TAGGING';
|
||||||
function objectPutTagging(authInfo, request, log, callback) {
|
function objectPutTagging(authInfo, request, log, callback) {
|
||||||
log.debug('processing request', { method: 'objectPutTagging' });
|
log.debug('processing request', { method: 'objectPutTagging' });
|
||||||
|
|
||||||
const bucketName = request.bucketName;
|
const { bucketName } = request;
|
||||||
const objectKey = request.objectKey;
|
const { objectKey } = request;
|
||||||
|
|
||||||
const decodedVidResult = decodeVersionId(request.query);
|
const decodedVidResult = decodeVersionId(request.query);
|
||||||
if (decodedVidResult instanceof Error) {
|
if (decodedVidResult instanceof Error) {
|
||||||
|
@ -45,12 +46,12 @@ function objectPutTagging(authInfo, request, log, callback) {
|
||||||
objectKey,
|
objectKey,
|
||||||
versionId: reqVersionId,
|
versionId: reqVersionId,
|
||||||
getDeleteMarker: true,
|
getDeleteMarker: true,
|
||||||
requestType: 'objectPutTagging',
|
requestType: request.apiMethods || 'objectPutTagging',
|
||||||
request,
|
request,
|
||||||
};
|
};
|
||||||
|
|
||||||
return async.waterfall([
|
return async.waterfall([
|
||||||
next => metadataValidateBucketAndObj(metadataValParams, log,
|
next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
|
||||||
(err, bucket, objectMD) => {
|
(err, bucket, objectMD) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('request authorization failed',
|
log.trace('request authorization failed',
|
||||||
|
@ -58,8 +59,8 @@ function objectPutTagging(authInfo, request, log, callback) {
|
||||||
return next(err);
|
return next(err);
|
||||||
}
|
}
|
||||||
if (!objectMD) {
|
if (!objectMD) {
|
||||||
const err = reqVersionId ? errors.NoSuchVersion :
|
const err = reqVersionId ? errors.NoSuchVersion
|
||||||
errors.NoSuchKey;
|
: errors.NoSuchKey;
|
||||||
log.trace('error no object metadata found',
|
log.trace('error no object metadata found',
|
||||||
{ method: 'objectPutTagging', error: err });
|
{ method: 'objectPutTagging', error: err });
|
||||||
return next(err, bucket);
|
return next(err, bucket);
|
||||||
|
@ -75,8 +76,7 @@ function objectPutTagging(authInfo, request, log, callback) {
|
||||||
}),
|
}),
|
||||||
(bucket, objectMD, next) => {
|
(bucket, objectMD, next) => {
|
||||||
log.trace('parsing tag(s)');
|
log.trace('parsing tag(s)');
|
||||||
parseTagXml(request.post, log, (err, tags) =>
|
parseTagXml(request.post, log, (err, tags) => next(err, bucket, tags, objectMD));
|
||||||
next(err, bucket, tags, objectMD));
|
|
||||||
},
|
},
|
||||||
(bucket, tags, objectMD, next) => {
|
(bucket, tags, objectMD, next) => {
|
||||||
// eslint-disable-next-line no-param-reassign
|
// eslint-disable-next-line no-param-reassign
|
||||||
|
@ -98,19 +98,19 @@ function objectPutTagging(authInfo, request, log, callback) {
|
||||||
// eslint-disable-next-line no-param-reassign
|
// eslint-disable-next-line no-param-reassign
|
||||||
objectMD.originOp = 's3:ObjectTagging:Put';
|
objectMD.originOp = 's3:ObjectTagging:Put';
|
||||||
metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params,
|
metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params,
|
||||||
log, err =>
|
log, err => next(err, bucket, objectMD));
|
||||||
next(err, bucket, objectMD));
|
|
||||||
},
|
},
|
||||||
(bucket, objectMD, next) =>
|
|
||||||
// if external backend handles tagging
|
// if external backend handles tagging
|
||||||
data.objectTagging('Put', objectKey, bucket, objectMD,
|
(bucket, objectMD, next) => data.objectTagging('Put', objectKey, bucket, objectMD,
|
||||||
log, err => next(err, bucket, objectMD)),
|
log, err => next(err, bucket, objectMD)),
|
||||||
], (err, bucket, objectMD) => {
|
], (err, bucket, objectMD) => {
|
||||||
const additionalResHeaders = collectCorsHeaders(request.headers.origin,
|
const additionalResHeaders = collectCorsHeaders(request.headers.origin,
|
||||||
request.method, bucket);
|
request.method, bucket);
|
||||||
if (err) {
|
if (err) {
|
||||||
log.trace('error processing request', { error: err,
|
log.trace('error processing request', {
|
||||||
method: 'objectPutTagging' });
|
error: err,
|
||||||
|
method: 'objectPutTagging',
|
||||||
|
});
|
||||||
monitoring.promMetrics('PUT', bucketName, err.code,
|
monitoring.promMetrics('PUT', bucketName, err.code,
|
||||||
'putObjectTagging');
|
'putObjectTagging');
|
||||||
} else {
|
} else {
|
||||||
|
@ -122,10 +122,10 @@ function objectPutTagging(authInfo, request, log, callback) {
|
||||||
location: objectMD ? objectMD.dataStoreName : undefined,
|
location: objectMD ? objectMD.dataStoreName : undefined,
|
||||||
});
|
});
|
||||||
monitoring.promMetrics(
|
monitoring.promMetrics(
|
||||||
'PUT', bucketName, '200', 'putObjectTagging');
|
'PUT', bucketName, '200', 'putObjectTagging',
|
||||||
|
);
|
||||||
const verCfg = bucket.getVersioningConfiguration();
|
const verCfg = bucket.getVersioningConfiguration();
|
||||||
additionalResHeaders['x-amz-version-id'] =
|
additionalResHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
|
||||||
getVersionIdResHeader(verCfg, objectMD);
|
|
||||||
}
|
}
|
||||||
return callback(err, additionalResHeaders);
|
return callback(err, additionalResHeaders);
|
||||||
});
|
});
|
||||||
|
|
|
@ -3,21 +3,19 @@ const async = require('async');
|
||||||
const { parseString } = require('xml2js');
|
const { parseString } = require('xml2js');
|
||||||
const AWS = require('aws-sdk');
|
const AWS = require('aws-sdk');
|
||||||
|
|
||||||
const { cleanup, DummyRequestLogger, makeAuthInfo }
|
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
|
||||||
= require('../unit/helpers');
|
const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
|
||||||
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
||||||
const { bucketPut } = require('../../lib/api/bucketPut');
|
const { bucketPut } = require('../../lib/api/bucketPut');
|
||||||
const initiateMultipartUpload
|
const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
|
||||||
= require('../../lib/api/initiateMultipartUpload');
|
|
||||||
const objectPut = require('../../lib/api/objectPut');
|
const objectPut = require('../../lib/api/objectPut');
|
||||||
const objectPutCopyPart = require('../../lib/api/objectPutCopyPart');
|
const objectPutCopyPart = require('../../lib/api/objectPutCopyPart');
|
||||||
const DummyRequest = require('../unit/DummyRequest');
|
const DummyRequest = require('../unit/DummyRequest');
|
||||||
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
|
|
||||||
const constants = require('../../constants');
|
const constants = require('../../constants');
|
||||||
|
|
||||||
const s3 = new AWS.S3();
|
const s3 = new AWS.S3();
|
||||||
|
|
||||||
const splitter = constants.splitter;
|
const { splitter } = constants;
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
const canonicalID = 'accessKey1';
|
const canonicalID = 'accessKey1';
|
||||||
const authInfo = makeAuthInfo(canonicalID);
|
const authInfo = makeAuthInfo(canonicalID);
|
||||||
|
@ -56,14 +54,14 @@ function getAwsParamsBucketMismatch(destObjName, uploadId) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function copyPutPart(bucketLoc, mpuLoc, srcObjLoc, requestHost, cb,
|
function copyPutPart(bucketLoc, mpuLoc, srcObjLoc, requestHost, cb,
|
||||||
errorPutCopyPart) {
|
errorPutCopyPart) {
|
||||||
const keys = getSourceAndDestKeys();
|
const keys = getSourceAndDestKeys();
|
||||||
const { sourceObjName, destObjName } = keys;
|
const { sourceObjName, destObjName } = keys;
|
||||||
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
|
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
|
||||||
'<CreateBucketConfiguration ' +
|
+ '<CreateBucketConfiguration '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
`<LocationConstraint>${bucketLoc}</LocationConstraint>` +
|
+ `<LocationConstraint>${bucketLoc}</LocationConstraint>`
|
||||||
'</CreateBucketConfiguration>' : '';
|
+ '</CreateBucketConfiguration>' : '';
|
||||||
const bucketPutReq = new DummyRequest({
|
const bucketPutReq = new DummyRequest({
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -80,10 +78,13 @@ errorPutCopyPart) {
|
||||||
objectKey: destObjName,
|
objectKey: destObjName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: `/${destObjName}?uploads`,
|
url: `/${destObjName}?uploads`,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
if (mpuLoc) {
|
if (mpuLoc) {
|
||||||
initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
|
initiateReq.headers = {
|
||||||
'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
|
'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
|
||||||
|
};
|
||||||
}
|
}
|
||||||
if (requestHost) {
|
if (requestHost) {
|
||||||
initiateReq.parsedHost = requestHost;
|
initiateReq.parsedHost = requestHost;
|
||||||
|
@ -94,10 +95,13 @@ errorPutCopyPart) {
|
||||||
objectKey: sourceObjName,
|
objectKey: sourceObjName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
if (srcObjLoc) {
|
if (srcObjLoc) {
|
||||||
sourceObjPutParams.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
|
sourceObjPutParams.headers = {
|
||||||
'x-amz-meta-scal-location-constraint': `${srcObjLoc}` };
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
|
'x-amz-meta-scal-location-constraint': `${srcObjLoc}`,
|
||||||
|
};
|
||||||
}
|
}
|
||||||
const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body);
|
const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body);
|
||||||
if (requestHost) {
|
if (requestHost) {
|
||||||
|
@ -112,8 +116,7 @@ errorPutCopyPart) {
|
||||||
});
|
});
|
||||||
},
|
},
|
||||||
next => {
|
next => {
|
||||||
objectPut(authInfo, sourceObjPutReq, undefined, log, err =>
|
objectPut(authInfo, sourceObjPutReq, undefined, log, err => next(err));
|
||||||
next(err));
|
|
||||||
},
|
},
|
||||||
next => {
|
next => {
|
||||||
initiateMultipartUpload(authInfo, initiateReq, log, next);
|
initiateMultipartUpload(authInfo, initiateReq, log, next);
|
||||||
|
@ -130,8 +133,8 @@ errorPutCopyPart) {
|
||||||
// Need to build request in here since do not have
|
// Need to build request in here since do not have
|
||||||
// uploadId until here
|
// uploadId until here
|
||||||
assert.ifError(err, 'Error putting source object or initiate MPU');
|
assert.ifError(err, 'Error putting source object or initiate MPU');
|
||||||
const testUploadId = json.InitiateMultipartUploadResult.
|
const testUploadId = json.InitiateMultipartUploadResult
|
||||||
UploadId[0];
|
.UploadId[0];
|
||||||
const copyPartParams = {
|
const copyPartParams = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -172,7 +175,7 @@ function assertPartList(partList, uploadId) {
|
||||||
}
|
}
|
||||||
|
|
||||||
describeSkipIfE2E('ObjectCopyPutPart API with multiple backends',
|
describeSkipIfE2E('ObjectCopyPutPart API with multiple backends',
|
||||||
function testSuite() {
|
function testSuite() {
|
||||||
this.timeout(60000);
|
this.timeout(60000);
|
||||||
|
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
|
@ -205,8 +208,8 @@ function testSuite() {
|
||||||
s3.listParts(awsReq, (err, partList) => {
|
s3.listParts(awsReq, (err, partList) => {
|
||||||
assertPartList(partList, uploadId);
|
assertPartList(partList, uploadId);
|
||||||
s3.abortMultipartUpload(awsReq, err => {
|
s3.abortMultipartUpload(awsReq, err => {
|
||||||
assert.equal(err, null, `Error aborting MPU: ${err}. ` +
|
assert.equal(err, null, `Error aborting MPU: ${err}. `
|
||||||
`You must abort MPU with upload ID ${uploadId} manually.`);
|
+ `You must abort MPU with upload ID ${uploadId} manually.`);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
@ -247,16 +250,16 @@ function testSuite() {
|
||||||
s3.listParts(awsReq, (err, partList) => {
|
s3.listParts(awsReq, (err, partList) => {
|
||||||
assertPartList(partList, uploadId);
|
assertPartList(partList, uploadId);
|
||||||
s3.abortMultipartUpload(awsReq, err => {
|
s3.abortMultipartUpload(awsReq, err => {
|
||||||
assert.equal(err, null, `Error aborting MPU: ${err}. ` +
|
assert.equal(err, null, `Error aborting MPU: ${err}. `
|
||||||
`You must abort MPU with upload ID ${uploadId} manually.`);
|
+ `You must abort MPU with upload ID ${uploadId} manually.`);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should copy part an object on AWS location that has bucketMatch ' +
|
it('should copy part an object on AWS location that has bucketMatch '
|
||||||
'equals false to a mpu with a different AWS location', done => {
|
+ 'equals false to a mpu with a different AWS location', done => {
|
||||||
copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost',
|
copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost',
|
||||||
(keys, uploadId) => {
|
(keys, uploadId) => {
|
||||||
assert.deepStrictEqual(ds, []);
|
assert.deepStrictEqual(ds, []);
|
||||||
|
@ -264,16 +267,16 @@ function testSuite() {
|
||||||
s3.listParts(awsReq, (err, partList) => {
|
s3.listParts(awsReq, (err, partList) => {
|
||||||
assertPartList(partList, uploadId);
|
assertPartList(partList, uploadId);
|
||||||
s3.abortMultipartUpload(awsReq, err => {
|
s3.abortMultipartUpload(awsReq, err => {
|
||||||
assert.equal(err, null, `Error aborting MPU: ${err}. ` +
|
assert.equal(err, null, `Error aborting MPU: ${err}. `
|
||||||
`You must abort MPU with upload ID ${uploadId} manually.`);
|
+ `You must abort MPU with upload ID ${uploadId} manually.`);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should copy part an object on AWS to a mpu with a different ' +
|
it('should copy part an object on AWS to a mpu with a different '
|
||||||
'AWS location that has bucketMatch equals false', done => {
|
+ 'AWS location that has bucketMatch equals false', done => {
|
||||||
copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost',
|
copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost',
|
||||||
(keys, uploadId) => {
|
(keys, uploadId) => {
|
||||||
assert.deepStrictEqual(ds, []);
|
assert.deepStrictEqual(ds, []);
|
||||||
|
@ -282,16 +285,16 @@ function testSuite() {
|
||||||
s3.listParts(awsReq, (err, partList) => {
|
s3.listParts(awsReq, (err, partList) => {
|
||||||
assertPartList(partList, uploadId);
|
assertPartList(partList, uploadId);
|
||||||
s3.abortMultipartUpload(awsReq, err => {
|
s3.abortMultipartUpload(awsReq, err => {
|
||||||
assert.equal(err, null, `Error aborting MPU: ${err}. ` +
|
assert.equal(err, null, `Error aborting MPU: ${err}. `
|
||||||
`You must abort MPU with upload ID ${uploadId} manually.`);
|
+ `You must abort MPU with upload ID ${uploadId} manually.`);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return error 403 AccessDenied copying part to a ' +
|
it('should return error 403 AccessDenied copying part to a '
|
||||||
'different AWS location without object READ access',
|
+ 'different AWS location without object READ access',
|
||||||
done => {
|
done => {
|
||||||
const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 };
|
const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 };
|
||||||
copyPutPart(null, awsLocation, awsLocation2, 'localhost', done,
|
copyPutPart(null, awsLocation, awsLocation2, 'localhost', done,
|
||||||
|
@ -305,4 +308,4 @@ function testSuite() {
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -3,20 +3,17 @@ const async = require('async');
|
||||||
const crypto = require('crypto');
|
const crypto = require('crypto');
|
||||||
const { parseString } = require('xml2js');
|
const { parseString } = require('xml2js');
|
||||||
const AWS = require('aws-sdk');
|
const AWS = require('aws-sdk');
|
||||||
|
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
|
||||||
const { config } = require('../../lib/Config');
|
const { config } = require('../../lib/Config');
|
||||||
const { cleanup, DummyRequestLogger, makeAuthInfo }
|
const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
|
||||||
= require('../unit/helpers');
|
|
||||||
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
||||||
const { bucketPut } = require('../../lib/api/bucketPut');
|
const { bucketPut } = require('../../lib/api/bucketPut');
|
||||||
const initiateMultipartUpload
|
const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
|
||||||
= require('../../lib/api/initiateMultipartUpload');
|
|
||||||
const objectPutPart = require('../../lib/api/objectPutPart');
|
const objectPutPart = require('../../lib/api/objectPutPart');
|
||||||
const DummyRequest = require('../unit/DummyRequest');
|
const DummyRequest = require('../unit/DummyRequest');
|
||||||
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
|
|
||||||
const mdWrapper = require('../../lib/metadata/wrapper');
|
const mdWrapper = require('../../lib/metadata/wrapper');
|
||||||
const constants = require('../../constants');
|
const constants = require('../../constants');
|
||||||
const { getRealAwsConfig } =
|
const { getRealAwsConfig } = require('../functional/aws-node-sdk/test/support/awsConfig');
|
||||||
require('../functional/aws-node-sdk/test/support/awsConfig');
|
|
||||||
|
|
||||||
const memLocation = 'scality-internal-mem';
|
const memLocation = 'scality-internal-mem';
|
||||||
const fileLocation = 'scality-internal-file';
|
const fileLocation = 'scality-internal-file';
|
||||||
|
@ -25,7 +22,7 @@ const awsLocationMismatch = 'awsbackendmismatch';
|
||||||
const awsConfig = getRealAwsConfig(awsLocation);
|
const awsConfig = getRealAwsConfig(awsLocation);
|
||||||
const s3 = new AWS.S3(awsConfig);
|
const s3 = new AWS.S3(awsConfig);
|
||||||
|
|
||||||
const splitter = constants.splitter;
|
const { splitter } = constants;
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
const canonicalID = 'accessKey1';
|
const canonicalID = 'accessKey1';
|
||||||
const authInfo = makeAuthInfo(canonicalID);
|
const authInfo = makeAuthInfo(canonicalID);
|
||||||
|
@ -47,13 +44,13 @@ function _getOverviewKey(objectKey, uploadId) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function putPart(bucketLoc, mpuLoc, requestHost, cb,
|
function putPart(bucketLoc, mpuLoc, requestHost, cb,
|
||||||
errorDescription) {
|
errorDescription) {
|
||||||
const objectName = `objectName-${Date.now()}`;
|
const objectName = `objectName-${Date.now()}`;
|
||||||
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
|
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
|
||||||
'<CreateBucketConfiguration ' +
|
+ '<CreateBucketConfiguration '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
`<LocationConstraint>${bucketLoc}</LocationConstraint>` +
|
+ `<LocationConstraint>${bucketLoc}</LocationConstraint>`
|
||||||
'</CreateBucketConfiguration>' : '';
|
+ '</CreateBucketConfiguration>' : '';
|
||||||
const bucketPutReq = {
|
const bucketPutReq = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -70,10 +67,13 @@ errorDescription) {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: `/${objectName}?uploads`,
|
url: `/${objectName}?uploads`,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
if (mpuLoc) {
|
if (mpuLoc) {
|
||||||
initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
|
initiateReq.headers = {
|
||||||
'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
|
'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
|
||||||
|
};
|
||||||
}
|
}
|
||||||
if (requestHost) {
|
if (requestHost) {
|
||||||
initiateReq.parsedHost = requestHost;
|
initiateReq.parsedHost = requestHost;
|
||||||
|
@ -123,9 +123,9 @@ errorDescription) {
|
||||||
const partReq = new DummyRequest(partReqParams, body1);
|
const partReq = new DummyRequest(partReqParams, body1);
|
||||||
return objectPutPart(authInfo, partReq, undefined, log, err => {
|
return objectPutPart(authInfo, partReq, undefined, log, err => {
|
||||||
assert.strictEqual(err, null);
|
assert.strictEqual(err, null);
|
||||||
if (bucketLoc !== awsLocation && mpuLoc !== awsLocation &&
|
if (bucketLoc !== awsLocation && mpuLoc !== awsLocation
|
||||||
bucketLoc !== awsLocationMismatch &&
|
&& bucketLoc !== awsLocationMismatch
|
||||||
mpuLoc !== awsLocationMismatch) {
|
&& mpuLoc !== awsLocationMismatch) {
|
||||||
const keysInMPUkeyMap = [];
|
const keysInMPUkeyMap = [];
|
||||||
metadata.keyMaps.get(mpuBucket).forEach((val, key) => {
|
metadata.keyMaps.get(mpuBucket).forEach((val, key) => {
|
||||||
keysInMPUkeyMap.push(key);
|
keysInMPUkeyMap.push(key);
|
||||||
|
@ -148,8 +148,8 @@ errorDescription) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function listAndAbort(uploadId, calculatedHash2, objectName, done) {
|
function listAndAbort(uploadId, calculatedHash2, objectName, done) {
|
||||||
const awsBucket = config.locationConstraints[awsLocation].
|
const awsBucket = config.locationConstraints[awsLocation]
|
||||||
details.bucketName;
|
.details.bucketName;
|
||||||
const params = {
|
const params = {
|
||||||
Bucket: awsBucket,
|
Bucket: awsBucket,
|
||||||
Key: objectName,
|
Key: objectName,
|
||||||
|
@ -162,15 +162,15 @@ function listAndAbort(uploadId, calculatedHash2, objectName, done) {
|
||||||
assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag);
|
assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag);
|
||||||
}
|
}
|
||||||
s3.abortMultipartUpload(params, err => {
|
s3.abortMultipartUpload(params, err => {
|
||||||
assert.equal(err, null, `Error aborting MPU: ${err}. ` +
|
assert.equal(err, null, `Error aborting MPU: ${err}. `
|
||||||
`You must abort MPU with upload ID ${uploadId} manually.`);
|
+ `You must abort MPU with upload ID ${uploadId} manually.`);
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
describeSkipIfE2E('objectPutPart API with multiple backends',
|
describeSkipIfE2E('objectPutPart API with multiple backends',
|
||||||
function testSuite() {
|
function testSuite() {
|
||||||
this.timeout(5000);
|
this.timeout(5000);
|
||||||
|
|
||||||
beforeEach(() => {
|
beforeEach(() => {
|
||||||
|
@ -211,8 +211,10 @@ function testSuite() {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { 'host': `${bucketName}.s3.amazonaws.com`,
|
headers: {
|
||||||
'x-amz-meta-scal-location-constraint': awsLocation },
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
|
'x-amz-meta-scal-location-constraint': awsLocation,
|
||||||
|
},
|
||||||
url: `/${objectName}?partNumber=1&uploadId=${uploadId}`,
|
url: `/${objectName}?partNumber=1&uploadId=${uploadId}`,
|
||||||
query: {
|
query: {
|
||||||
partNumber: '1', uploadId,
|
partNumber: '1', uploadId,
|
||||||
|
@ -226,8 +228,8 @@ function testSuite() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should upload part based on mpu location even if part ' +
|
it('should upload part based on mpu location even if part '
|
||||||
'location constraint is specified ', done => {
|
+ 'location constraint is specified ', done => {
|
||||||
putPart(fileLocation, memLocation, 'localhost', () => {
|
putPart(fileLocation, memLocation, 'localhost', () => {
|
||||||
assert.deepStrictEqual(ds[1].value, body1);
|
assert.deepStrictEqual(ds[1].value, body1);
|
||||||
done();
|
done();
|
||||||
|
@ -256,8 +258,8 @@ function testSuite() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should put a part to AWS based on bucket location with bucketMatch ' +
|
it('should put a part to AWS based on bucket location with bucketMatch '
|
||||||
'set to true', done => {
|
+ 'set to true', done => {
|
||||||
putPart(null, awsLocation, 'localhost',
|
putPart(null, awsLocation, 'localhost',
|
||||||
(objectName, uploadId) => {
|
(objectName, uploadId) => {
|
||||||
assert.deepStrictEqual(ds, []);
|
assert.deepStrictEqual(ds, []);
|
||||||
|
@ -265,8 +267,8 @@ function testSuite() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should put a part to AWS based on bucket location with bucketMatch ' +
|
it('should put a part to AWS based on bucket location with bucketMatch '
|
||||||
'set to false', done => {
|
+ 'set to false', done => {
|
||||||
putPart(null, awsLocationMismatch, 'localhost',
|
putPart(null, awsLocationMismatch, 'localhost',
|
||||||
(objectName, uploadId) => {
|
(objectName, uploadId) => {
|
||||||
assert.deepStrictEqual(ds, []);
|
assert.deepStrictEqual(ds, []);
|
||||||
|
@ -325,4 +327,4 @@ function testSuite() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -18,11 +18,10 @@ const testBucketPutRequest = {
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
const canonicalIDforSample1 =
|
const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
|
||||||
'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
|
const canonicalIDforSample2 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
|
||||||
const canonicalIDforSample2 =
|
|
||||||
'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
|
|
||||||
|
|
||||||
const invalidIds = {
|
const invalidIds = {
|
||||||
'too short': 'id="invalid_id"',
|
'too short': 'id="invalid_id"',
|
||||||
|
@ -42,11 +41,10 @@ describe('putBucketACL API', () => {
|
||||||
afterEach(() => cleanup());
|
afterEach(() => cleanup());
|
||||||
|
|
||||||
it('should parse a grantheader', () => {
|
it('should parse a grantheader', () => {
|
||||||
const grantRead =
|
const grantRead = `uri=${constants.logId}, `
|
||||||
`uri=${constants.logId}, ` +
|
+ 'emailAddress="test@testing.com", '
|
||||||
'emailAddress="test@testing.com", ' +
|
+ 'emailAddress="test2@testly.com", '
|
||||||
'emailAddress="test2@testly.com", ' +
|
+ 'id="sdfsdfsfwwiieohefs"';
|
||||||
'id="sdfsdfsfwwiieohefs"';
|
|
||||||
const grantReadHeader = aclUtils.parseGrant(grantRead, 'read');
|
const grantReadHeader = aclUtils.parseGrant(grantRead, 'read');
|
||||||
const firstIdentifier = grantReadHeader[0].identifier;
|
const firstIdentifier = grantReadHeader[0].identifier;
|
||||||
assert.strictEqual(firstIdentifier, constants.logId);
|
assert.strictEqual(firstIdentifier, constants.logId);
|
||||||
|
@ -58,7 +56,7 @@ describe('putBucketACL API', () => {
|
||||||
assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs');
|
assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs');
|
||||||
const fourthType = grantReadHeader[3].userIDType;
|
const fourthType = grantReadHeader[3].userIDType;
|
||||||
assert.strictEqual(fourthType, 'id');
|
assert.strictEqual(fourthType, 'id');
|
||||||
const grantType = grantReadHeader[3].grantType;
|
const { grantType } = grantReadHeader[3];
|
||||||
assert.strictEqual(grantType, 'read');
|
assert.strictEqual(grantType, 'read');
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -72,6 +70,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -90,6 +89,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.strictEqual(err, undefined);
|
assert.strictEqual(err, undefined);
|
||||||
|
@ -111,6 +111,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
const testACLRequest2 = {
|
const testACLRequest2 = {
|
||||||
bucketName,
|
bucketName,
|
||||||
|
@ -121,6 +122,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.strictEqual(err, undefined);
|
assert.strictEqual(err, undefined);
|
||||||
|
@ -138,8 +140,8 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should set a canned private ACL ' +
|
it('should set a canned private ACL '
|
||||||
'followed by a log-delivery-write ACL', done => {
|
+ 'followed by a log-delivery-write ACL', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -149,6 +151,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
const testACLRequest2 = {
|
const testACLRequest2 = {
|
||||||
bucketName,
|
bucketName,
|
||||||
|
@ -159,6 +162,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -184,19 +188,20 @@ describe('putBucketACL API', () => {
|
||||||
headers: {
|
headers: {
|
||||||
'host': `${bucketName}.s3.amazonaws.com`,
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'emailaddress="sampleaccount1@sampling.com"' +
|
'emailaddress="sampleaccount1@sampling.com"'
|
||||||
',emailaddress="sampleaccount2@sampling.com"',
|
+ ',emailaddress="sampleaccount2@sampling.com"',
|
||||||
'x-amz-grant-read': `uri=${constants.logId}`,
|
'x-amz-grant-read': `uri=${constants.logId}`,
|
||||||
'x-amz-grant-write': `uri=${constants.publicId}`,
|
'x-amz-grant-write': `uri=${constants.publicId}`,
|
||||||
'x-amz-grant-read-acp':
|
'x-amz-grant-read-acp':
|
||||||
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
|
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
|
||||||
'f8f8d5218e7cd47ef2be',
|
+ 'f8f8d5218e7cd47ef2be',
|
||||||
'x-amz-grant-write-acp':
|
'x-amz-grant-write-acp':
|
||||||
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
|
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
|
||||||
'f8f8d5218e7cd47ef2bf',
|
+ 'f8f8d5218e7cd47ef2bf',
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.strictEqual(err, undefined);
|
assert.strictEqual(err, undefined);
|
||||||
|
@ -223,21 +228,22 @@ describe('putBucketACL API', () => {
|
||||||
headers: {
|
headers: {
|
||||||
'host': `${bucketName}.s3.amazonaws.com`,
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'emailaddress="sampleaccount1@sampling.com"' +
|
'emailaddress="sampleaccount1@sampling.com"'
|
||||||
',emailaddress="sampleaccount2@sampling.com"',
|
+ ',emailaddress="sampleaccount2@sampling.com"',
|
||||||
'x-amz-grant-read':
|
'x-amz-grant-read':
|
||||||
'emailaddress="sampleaccount1@sampling.com"',
|
'emailaddress="sampleaccount1@sampling.com"',
|
||||||
'x-amz-grant-write':
|
'x-amz-grant-write':
|
||||||
'emailaddress="sampleaccount1@sampling.com"',
|
'emailaddress="sampleaccount1@sampling.com"',
|
||||||
'x-amz-grant-read-acp':
|
'x-amz-grant-read-acp':
|
||||||
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
|
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
|
||||||
'f8f8d5218e7cd47ef2be',
|
+ 'f8f8d5218e7cd47ef2be',
|
||||||
'x-amz-grant-write-acp':
|
'x-amz-grant-write-acp':
|
||||||
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
|
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
|
||||||
'f8f8d5218e7cd47ef2bf',
|
+ 'f8f8d5218e7cd47ef2bf',
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.strictEqual(err, undefined);
|
assert.strictEqual(err, undefined);
|
||||||
|
@ -260,8 +266,8 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
Object.keys(invalidIds).forEach(idType => {
|
Object.keys(invalidIds).forEach(idType => {
|
||||||
it('should return an error if grantee canonical ID provided in ACL ' +
|
it('should return an error if grantee canonical ID provided in ACL '
|
||||||
`request invalid because ${idType}`, done => {
|
+ `request invalid because ${idType}`, done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -271,6 +277,7 @@ describe('putBucketACL API', () => {
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
return bucketPutACL(authInfo, testACLRequest, log, err => {
|
return bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.deepStrictEqual(err, errors.InvalidArgument);
|
assert.deepStrictEqual(err, errors.InvalidArgument);
|
||||||
|
@ -279,19 +286,20 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid email ' +
|
it('should return an error if invalid email '
|
||||||
'provided in ACL header request', done => {
|
+ 'provided in ACL header request', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: {
|
headers: {
|
||||||
'host': `${bucketName}.s3.amazonaws.com`,
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'emailaddress="sampleaccount1@sampling.com"' +
|
'emailaddress="sampleaccount1@sampling.com"'
|
||||||
',emailaddress="nonexistentEmail@sampling.com"',
|
+ ',emailaddress="nonexistentEmail@sampling.com"',
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -305,52 +313,53 @@ describe('putBucketACL API', () => {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>FULL_CONTROL</Permission>' +
|
+ '<Permission>FULL_CONTROL</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="Group">' +
|
+ '<Grantee xsi:type="Group">'
|
||||||
`<URI>${constants.publicId}</URI>` +
|
+ `<URI>${constants.publicId}</URI>`
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>READ</Permission>' +
|
+ '<Permission>READ</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="Group">' +
|
+ '<Grantee xsi:type="Group">'
|
||||||
`<URI>${constants.logId}</URI>` +
|
+ `<URI>${constants.logId}</URI>`
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>WRITE</Permission>' +
|
+ '<Permission>WRITE</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="AmazonCustomerByEmail">' +
|
+ '<Grantee xsi:type="AmazonCustomerByEmail">'
|
||||||
'<EmailAddress>sampleaccount1@sampling.com' +
|
+ '<EmailAddress>sampleaccount1@sampling.com'
|
||||||
'</EmailAddress>' +
|
+ '</EmailAddress>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>WRITE_ACP</Permission>' +
|
+ '<Permission>WRITE_ACP</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbacedfd' +
|
+ '<ID>79a59df900b949e55d96a1e698fbacedfd'
|
||||||
'6e09d98eacf8f8d5218e7cd47ef2bf</ID>' +
|
+ '6e09d98eacf8f8d5218e7cd47ef2bf</ID>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>READ_ACP</Permission>' +
|
+ '<Permission>READ_ACP</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -375,17 +384,18 @@ describe('putBucketACL API', () => {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList></AccessControlList>' +
|
+ '<AccessControlList></AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -408,16 +418,17 @@ describe('putBucketACL API', () => {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -431,36 +442,37 @@ describe('putBucketACL API', () => {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>FULL_CONTROL</Permission>' +
|
+ '<Permission>FULL_CONTROL</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>READ</Permission>' +
|
+ '<Permission>READ</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -469,30 +481,31 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid grantee user ID ' +
|
it('should return an error if invalid grantee user ID '
|
||||||
'provided in ACL request body', done => {
|
+ 'provided in ACL request body', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>invalid_id</ID>' +
|
+ '<ID>invalid_id</ID>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>READ_ACP</Permission>' +
|
+ '<Permission>READ_ACP</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
return bucketPutACL(authInfo, testACLRequest, log, err => {
|
return bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -501,30 +514,31 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid email ' +
|
it('should return an error if invalid email '
|
||||||
'address provided in ACLs set out in request body', done => {
|
+ 'address provided in ACLs set out in request body', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="AmazonCustomerByEmail">' +
|
+ '<Grantee xsi:type="AmazonCustomerByEmail">'
|
||||||
'<EmailAddress>xyz@amazon.com</EmailAddress>' +
|
+ '<EmailAddress>xyz@amazon.com</EmailAddress>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>WRITE_ACP</Permission>' +
|
+ '<Permission>WRITE_ACP</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress);
|
assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress);
|
||||||
|
@ -542,24 +556,25 @@ describe('putBucketACL API', () => {
|
||||||
* "Grant" which is part of the s3 xml scheme for ACLs
|
* "Grant" which is part of the s3 xml scheme for ACLs
|
||||||
* so an error should be returned
|
* so an error should be returned
|
||||||
*/
|
*/
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<PowerGrant>' +
|
+ '<PowerGrant>'
|
||||||
'<Grantee xsi:type="AmazonCustomerByEmail">' +
|
+ '<Grantee xsi:type="AmazonCustomerByEmail">'
|
||||||
'<EmailAddress>xyz@amazon.com</EmailAddress>' +
|
+ '<EmailAddress>xyz@amazon.com</EmailAddress>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>WRITE_ACP</Permission>' +
|
+ '<Permission>WRITE_ACP</Permission>'
|
||||||
'</PowerGrant>' +
|
+ '</PowerGrant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -579,32 +594,33 @@ describe('putBucketACL API', () => {
|
||||||
* "Grant" which is part of the s3 xml scheme for ACLs
|
* "Grant" which is part of the s3 xml scheme for ACLs
|
||||||
* so an error should be returned
|
* so an error should be returned
|
||||||
*/
|
*/
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="CanonicalUser">' +
|
+ '<Grantee xsi:type="CanonicalUser">'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>FULL_CONTROL</Permission>' +
|
+ '<Permission>FULL_CONTROL</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'<PowerGrant>' +
|
+ '<PowerGrant>'
|
||||||
'<Grantee xsi:type="AmazonCustomerByEmail">' +
|
+ '<Grantee xsi:type="AmazonCustomerByEmail">'
|
||||||
'<EmailAddress>xyz@amazon.com</EmailAddress>' +
|
+ '<EmailAddress>xyz@amazon.com</EmailAddress>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>WRITE_ACP</Permission>' +
|
+ '<Permission>WRITE_ACP</Permission>'
|
||||||
'</PowerGrant>' +
|
+ '</PowerGrant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -622,24 +638,25 @@ describe('putBucketACL API', () => {
|
||||||
// so an error should be returned
|
// so an error should be returned
|
||||||
post: {
|
post: {
|
||||||
'<AccessControlPolicy xmlns':
|
'<AccessControlPolicy xmlns':
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
'"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="AmazonCustomerByEmail">' +
|
+ '<Grantee xsi:type="AmazonCustomerByEmail">'
|
||||||
'<EmailAddress>xyz@amazon.com</EmailAddress>' +
|
+ '<EmailAddress>xyz@amazon.com</EmailAddress>'
|
||||||
'<Grantee>' +
|
+ '<Grantee>'
|
||||||
'<Permission>WRITE_ACP</Permission>' +
|
+ '<Permission>WRITE_ACP</Permission>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<AccessControlPolicy>',
|
+ '<AccessControlPolicy>',
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -648,32 +665,33 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid group ' +
|
it('should return an error if invalid group '
|
||||||
'uri provided in ACLs set out in request body', done => {
|
+ 'uri provided in ACLs set out in request body', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
// URI in grant below is not valid group URI for s3
|
// URI in grant below is not valid group URI for s3
|
||||||
post: '<AccessControlPolicy xmlns=' +
|
post: '<AccessControlPolicy xmlns='
|
||||||
'"http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Owner>' +
|
+ '<Owner>'
|
||||||
'<ID>79a59df900b949e55d96a1e698fbaced' +
|
+ '<ID>79a59df900b949e55d96a1e698fbaced'
|
||||||
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
|
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
|
||||||
'<DisplayName>OwnerDisplayName</DisplayName>' +
|
+ '<DisplayName>OwnerDisplayName</DisplayName>'
|
||||||
'</Owner>' +
|
+ '</Owner>'
|
||||||
'<AccessControlList>' +
|
+ '<AccessControlList>'
|
||||||
'<Grant>' +
|
+ '<Grant>'
|
||||||
'<Grantee xsi:type="Group">' +
|
+ '<Grantee xsi:type="Group">'
|
||||||
'<URI>http://acs.amazonaws.com/groups/' +
|
+ '<URI>http://acs.amazonaws.com/groups/'
|
||||||
'global/NOTAVALIDGROUP</URI>' +
|
+ 'global/NOTAVALIDGROUP</URI>'
|
||||||
'</Grantee>' +
|
+ '</Grantee>'
|
||||||
'<Permission>READ</Permission>' +
|
+ '<Permission>READ</Permission>'
|
||||||
'</Grant>' +
|
+ '</Grant>'
|
||||||
'</AccessControlList>' +
|
+ '</AccessControlList>'
|
||||||
'</AccessControlPolicy>',
|
+ '</AccessControlPolicy>',
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
@ -682,19 +700,20 @@ describe('putBucketACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid group uri' +
|
it('should return an error if invalid group uri'
|
||||||
'provided in ACL header request', done => {
|
+ 'provided in ACL header request', done => {
|
||||||
const testACLRequest = {
|
const testACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
headers: {
|
headers: {
|
||||||
'host': `${bucketName}.s3.amazonaws.com`,
|
'host': `${bucketName}.s3.amazonaws.com`,
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'uri="http://acs.amazonaws.com/groups/' +
|
'uri="http://acs.amazonaws.com/groups/'
|
||||||
'global/NOTAVALIDGROUP"',
|
+ 'global/NOTAVALIDGROUP"',
|
||||||
},
|
},
|
||||||
url: '/?acl',
|
url: '/?acl',
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPutACL(authInfo, testACLRequest, log, err => {
|
bucketPutACL(authInfo, testACLRequest, log, err => {
|
||||||
|
|
|
@ -3,13 +3,13 @@ const { errors } = require('arsenal');
|
||||||
|
|
||||||
const { bucketPut } = require('../../../lib/api/bucketPut');
|
const { bucketPut } = require('../../../lib/api/bucketPut');
|
||||||
const bucketPutCors = require('../../../lib/api/bucketPutCors');
|
const bucketPutCors = require('../../../lib/api/bucketPutCors');
|
||||||
const { _validator, parseCorsXml }
|
const { _validator, parseCorsXml } = require('../../../lib/api/apiUtils/bucket/bucketCors');
|
||||||
= require('../../../lib/api/apiUtils/bucket/bucketCors');
|
const {
|
||||||
const { cleanup,
|
cleanup,
|
||||||
DummyRequestLogger,
|
DummyRequestLogger,
|
||||||
makeAuthInfo,
|
makeAuthInfo,
|
||||||
CorsConfigTester }
|
CorsConfigTester,
|
||||||
= require('../helpers');
|
} = require('../helpers');
|
||||||
const metadata = require('../../../lib/metadata/wrapper');
|
const metadata = require('../../../lib/metadata/wrapper');
|
||||||
|
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
|
@ -19,6 +19,7 @@ const testBucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
function _testPutBucketCors(authInfo, request, log, errCode, cb) {
|
function _testPutBucketCors(authInfo, request, log, errCode, cb) {
|
||||||
|
@ -30,13 +31,13 @@ function _testPutBucketCors(authInfo, request, log, errCode, cb) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function _generateSampleXml(value) {
|
function _generateSampleXml(value) {
|
||||||
const xml = '<CORSConfiguration>' +
|
const xml = '<CORSConfiguration>'
|
||||||
'<CORSRule>' +
|
+ '<CORSRule>'
|
||||||
'<AllowedMethod>PUT</AllowedMethod>' +
|
+ '<AllowedMethod>PUT</AllowedMethod>'
|
||||||
'<AllowedOrigin>www.example.com</AllowedOrigin>' +
|
+ '<AllowedOrigin>www.example.com</AllowedOrigin>'
|
||||||
`${value}` +
|
+ `${value}`
|
||||||
'</CORSRule>' +
|
+ '</CORSRule>'
|
||||||
'</CORSConfiguration>';
|
+ '</CORSConfiguration>';
|
||||||
|
|
||||||
return xml;
|
return xml;
|
||||||
}
|
}
|
||||||
|
@ -125,8 +126,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
|
||||||
|
|
||||||
it('should return MalformedXML if more than one ID per rule', done => {
|
it('should return MalformedXML if more than one ID per rule', done => {
|
||||||
const testValue = 'testid';
|
const testValue = 'testid';
|
||||||
const xml = _generateSampleXml(`<ID>${testValue}</ID>` +
|
const xml = _generateSampleXml(`<ID>${testValue}</ID>`
|
||||||
`<ID>${testValue}</ID>`);
|
+ `<ID>${testValue}</ID>`);
|
||||||
parseCorsXml(xml, log, err => {
|
parseCorsXml(xml, log, err => {
|
||||||
assert(err, 'Expected error but found none');
|
assert(err, 'Expected error but found none');
|
||||||
assert.deepStrictEqual(err, errors.MalformedXML);
|
assert.deepStrictEqual(err, errors.MalformedXML);
|
||||||
|
@ -157,8 +158,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
|
||||||
describe('validateMaxAgeSeconds ', () => {
|
describe('validateMaxAgeSeconds ', () => {
|
||||||
it('should validate successfully for valid value', done => {
|
it('should validate successfully for valid value', done => {
|
||||||
const testValue = 60;
|
const testValue = 60;
|
||||||
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
|
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
|
||||||
'</MaxAgeSeconds>');
|
+ '</MaxAgeSeconds>');
|
||||||
parseCorsXml(xml, log, (err, result) => {
|
parseCorsXml(xml, log, (err, result) => {
|
||||||
assert.strictEqual(err, null, `Found unexpected err ${err}`);
|
assert.strictEqual(err, null, `Found unexpected err ${err}`);
|
||||||
assert.strictEqual(typeof result[0].maxAgeSeconds, 'number');
|
assert.strictEqual(typeof result[0].maxAgeSeconds, 'number');
|
||||||
|
@ -167,12 +168,13 @@ describe('PUT bucket cors :: helper validation functions ', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return MalformedXML if more than one MaxAgeSeconds ' +
|
it('should return MalformedXML if more than one MaxAgeSeconds '
|
||||||
'per rule', done => {
|
+ 'per rule', done => {
|
||||||
const testValue = '60';
|
const testValue = '60';
|
||||||
const xml = _generateSampleXml(
|
const xml = _generateSampleXml(
|
||||||
`<MaxAgeSeconds>${testValue}</MaxAgeSeconds>` +
|
`<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`
|
||||||
`<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`);
|
+ `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`,
|
||||||
|
);
|
||||||
parseCorsXml(xml, log, err => {
|
parseCorsXml(xml, log, err => {
|
||||||
assert(err, 'Expected error but found none');
|
assert(err, 'Expected error but found none');
|
||||||
assert.deepStrictEqual(err, errors.MalformedXML);
|
assert.deepStrictEqual(err, errors.MalformedXML);
|
||||||
|
@ -182,8 +184,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
|
||||||
|
|
||||||
it('should validate & return undefined if empty value', done => {
|
it('should validate & return undefined if empty value', done => {
|
||||||
const testValue = '';
|
const testValue = '';
|
||||||
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
|
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
|
||||||
'</MaxAgeSeconds>');
|
+ '</MaxAgeSeconds>');
|
||||||
parseCorsXml(xml, log, (err, result) => {
|
parseCorsXml(xml, log, (err, result) => {
|
||||||
assert.strictEqual(err, null, `Found unexpected err ${err}`);
|
assert.strictEqual(err, null, `Found unexpected err ${err}`);
|
||||||
assert.strictEqual(result[0].MaxAgeSeconds, undefined);
|
assert.strictEqual(result[0].MaxAgeSeconds, undefined);
|
||||||
|
|
|
@ -14,6 +14,7 @@ const bucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
describe('bucketPutEncryption API', () => {
|
describe('bucketPutEncryption API', () => {
|
||||||
|
@ -32,7 +33,8 @@ describe('bucketPutEncryption API', () => {
|
||||||
|
|
||||||
it('should reject a config with no Rule', done => {
|
it('should reject a config with no Rule', done => {
|
||||||
bucketPutEncryption(authInfo, templateRequest(bucketName,
|
bucketPutEncryption(authInfo, templateRequest(bucketName,
|
||||||
{ post: `<?xml version="1.0" encoding="UTF-8"?>
|
{
|
||||||
|
post: `<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
|
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
|
||||||
</ServerSideEncryptionConfiguration>`,
|
</ServerSideEncryptionConfiguration>`,
|
||||||
}), log, err => {
|
}), log, err => {
|
||||||
|
@ -43,7 +45,8 @@ describe('bucketPutEncryption API', () => {
|
||||||
|
|
||||||
it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => {
|
it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => {
|
||||||
bucketPutEncryption(authInfo, templateRequest(bucketName,
|
bucketPutEncryption(authInfo, templateRequest(bucketName,
|
||||||
{ post: `<?xml version="1.0" encoding="UTF-8"?>
|
{
|
||||||
|
post: `<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
|
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
|
||||||
<Rule></Rule>
|
<Rule></Rule>
|
||||||
</ServerSideEncryptionConfiguration>`,
|
</ServerSideEncryptionConfiguration>`,
|
||||||
|
@ -155,8 +158,8 @@ describe('bucketPutEncryption API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, ' +
|
it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, '
|
||||||
'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
|
+ 'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
|
||||||
done => {
|
done => {
|
||||||
const post = templateSSEConfig({ algorithm: 'AES256' });
|
const post = templateSSEConfig({ algorithm: 'AES256' });
|
||||||
bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
|
bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
|
||||||
|
@ -177,8 +180,7 @@ describe('bucketPutEncryption API', () => {
|
||||||
});
|
});
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
}
|
});
|
||||||
);
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
@ -17,6 +17,7 @@ const testBucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const expectedLifecycleConfig = {
|
const expectedLifecycleConfig = {
|
||||||
|
|
|
@ -15,6 +15,7 @@ const bucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const expectedNotifConfig = {
|
const expectedNotifConfig = {
|
||||||
|
@ -52,6 +53,7 @@ function getNotifRequest(empty) {
|
||||||
host: `${bucketName}.s3.amazonaws.com`,
|
host: `${bucketName}.s3.amazonaws.com`,
|
||||||
},
|
},
|
||||||
post: notifXml,
|
post: notifXml,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
return putNotifConfigRequest;
|
return putNotifConfigRequest;
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,6 +15,7 @@ const bucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const objectLockXml = '<ObjectLockConfiguration ' +
|
const objectLockXml = '<ObjectLockConfiguration ' +
|
||||||
|
@ -30,6 +31,7 @@ const putObjLockRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectLockXml,
|
post: objectLockXml,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const expectedObjectLockConfig = {
|
const expectedObjectLockConfig = {
|
||||||
|
|
|
@ -15,6 +15,7 @@ const testBucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
let expectedBucketPolicy = {};
|
let expectedBucketPolicy = {};
|
||||||
|
@ -25,6 +26,7 @@ function getPolicyRequest(policy) {
|
||||||
host: `${bucketName}.s3.amazonaws.com`,
|
host: `${bucketName}.s3.amazonaws.com`,
|
||||||
},
|
},
|
||||||
post: JSON.stringify(policy),
|
post: JSON.stringify(policy),
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -76,7 +78,7 @@ describe('putBucketPolicy API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return error if policy contains conditions', done => {
|
it.skip('should return error if policy contains conditions', done => {
|
||||||
expectedBucketPolicy.Statement[0].Condition =
|
expectedBucketPolicy.Statement[0].Condition =
|
||||||
{ StringEquals: { 's3:x-amz-acl': ['public-read'] } };
|
{ StringEquals: { 's3:x-amz-acl': ['public-read'] } };
|
||||||
bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log,
|
bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log,
|
||||||
|
|
|
@ -19,6 +19,7 @@ const testBucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
function _getPutWebsiteRequest(xml) {
|
function _getPutWebsiteRequest(xml) {
|
||||||
|
@ -29,6 +30,7 @@ function _getPutWebsiteRequest(xml) {
|
||||||
},
|
},
|
||||||
url: '/?website',
|
url: '/?website',
|
||||||
query: { website: '' },
|
query: { website: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
request.post = xml;
|
request.post = xml;
|
||||||
return request;
|
return request;
|
||||||
|
|
|
@ -4,14 +4,16 @@ const moment = require('moment');
|
||||||
const { errors, s3middleware } = require('arsenal');
|
const { errors, s3middleware } = require('arsenal');
|
||||||
const sinon = require('sinon');
|
const sinon = require('sinon');
|
||||||
|
|
||||||
|
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
||||||
const { bucketPut } = require('../../../lib/api/bucketPut');
|
const { bucketPut } = require('../../../lib/api/bucketPut');
|
||||||
const bucketPutObjectLock = require('../../../lib/api/bucketPutObjectLock');
|
const bucketPutObjectLock = require('../../../lib/api/bucketPutObjectLock');
|
||||||
const bucketPutACL = require('../../../lib/api/bucketPutACL');
|
const bucketPutACL = require('../../../lib/api/bucketPutACL');
|
||||||
const bucketPutVersioning = require('../../../lib/api/bucketPutVersioning');
|
const bucketPutVersioning = require('../../../lib/api/bucketPutVersioning');
|
||||||
|
|
||||||
const { parseTagFromQuery } = s3middleware.tagging;
|
const { parseTagFromQuery } = s3middleware.tagging;
|
||||||
const { cleanup, DummyRequestLogger, makeAuthInfo, versioningTestUtils }
|
const {
|
||||||
= require('../helpers');
|
cleanup, DummyRequestLogger, makeAuthInfo, versioningTestUtils,
|
||||||
const { ds } = require('arsenal').storage.data.inMemory.datastore;
|
} = require('../helpers');
|
||||||
const metadata = require('../metadataswitch');
|
const metadata = require('../metadataswitch');
|
||||||
const objectPut = require('../../../lib/api/objectPut');
|
const objectPut = require('../../../lib/api/objectPut');
|
||||||
const { objectLockTestUtils } = require('../helpers');
|
const { objectLockTestUtils } = require('../helpers');
|
||||||
|
@ -19,7 +21,7 @@ const DummyRequest = require('../DummyRequest');
|
||||||
const mpuUtils = require('../utils/mpuUtils');
|
const mpuUtils = require('../utils/mpuUtils');
|
||||||
const { lastModifiedHeader } = require('../../../constants');
|
const { lastModifiedHeader } = require('../../../constants');
|
||||||
|
|
||||||
const any = sinon.match.any;
|
const { any } = sinon.match;
|
||||||
|
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
const canonicalID = 'accessKey1';
|
const canonicalID = 'accessKey1';
|
||||||
|
@ -49,10 +51,8 @@ const originalputObjectMD = metadata.putObjectMD;
|
||||||
const objectName = 'objectName';
|
const objectName = 'objectName';
|
||||||
|
|
||||||
let testPutObjectRequest;
|
let testPutObjectRequest;
|
||||||
const enableVersioningRequest =
|
const enableVersioningRequest = versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Enabled');
|
||||||
versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Enabled');
|
const suspendVersioningRequest = versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Suspended');
|
||||||
const suspendVersioningRequest =
|
|
||||||
versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Suspended');
|
|
||||||
|
|
||||||
function testAuth(bucketOwner, authUser, bucketPutReq, log, cb) {
|
function testAuth(bucketOwner, authUser, bucketPutReq, log, cb) {
|
||||||
bucketPut(bucketOwner, bucketPutReq, log, () => {
|
bucketPut(bucketOwner, bucketPutReq, log, () => {
|
||||||
|
@ -74,8 +74,10 @@ describe('parseTagFromQuery', () => {
|
||||||
const allowedChar = '+- =._:/';
|
const allowedChar = '+- =._:/';
|
||||||
const tests = [
|
const tests = [
|
||||||
{ tagging: 'key1=value1', result: { key1: 'value1' } },
|
{ tagging: 'key1=value1', result: { key1: 'value1' } },
|
||||||
{ tagging: `key1=${encodeURIComponent(allowedChar)}`,
|
{
|
||||||
result: { key1: allowedChar } },
|
tagging: `key1=${encodeURIComponent(allowedChar)}`,
|
||||||
|
result: { key1: allowedChar },
|
||||||
|
},
|
||||||
{ tagging: 'key1=value1=value2', error: invalidArgument },
|
{ tagging: 'key1=value1=value2', error: invalidArgument },
|
||||||
{ tagging: '=value1', error: invalidArgument },
|
{ tagging: '=value1', error: invalidArgument },
|
||||||
{ tagging: 'key1%=value1', error: invalidArgument },
|
{ tagging: 'key1%=value1', error: invalidArgument },
|
||||||
|
@ -143,16 +145,14 @@ describe('objectPut API', () => {
|
||||||
it('should put object if user has FULL_CONTROL grant on bucket', done => {
|
it('should put object if user has FULL_CONTROL grant on bucket', done => {
|
||||||
const bucketOwner = makeAuthInfo('accessKey2');
|
const bucketOwner = makeAuthInfo('accessKey2');
|
||||||
const authUser = makeAuthInfo('accessKey3');
|
const authUser = makeAuthInfo('accessKey3');
|
||||||
testPutBucketRequest.headers['x-amz-grant-full-control'] =
|
testPutBucketRequest.headers['x-amz-grant-full-control'] = `id=${authUser.getCanonicalID()}`;
|
||||||
`id=${authUser.getCanonicalID()}`;
|
|
||||||
testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
|
testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should put object if user has WRITE grant on bucket', done => {
|
it('should put object if user has WRITE grant on bucket', done => {
|
||||||
const bucketOwner = makeAuthInfo('accessKey2');
|
const bucketOwner = makeAuthInfo('accessKey2');
|
||||||
const authUser = makeAuthInfo('accessKey3');
|
const authUser = makeAuthInfo('accessKey3');
|
||||||
testPutBucketRequest.headers['x-amz-grant-write'] =
|
testPutBucketRequest.headers['x-amz-grant-write'] = `id=${authUser.getCanonicalID()}`;
|
||||||
`id=${authUser.getCanonicalID()}`;
|
|
||||||
|
|
||||||
testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
|
testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
|
||||||
});
|
});
|
||||||
|
@ -240,8 +240,8 @@ describe('objectPut API', () => {
|
||||||
];
|
];
|
||||||
testObjectLockConfigs.forEach(config => {
|
testObjectLockConfigs.forEach(config => {
|
||||||
const { testMode, type, val } = config;
|
const { testMode, type, val } = config;
|
||||||
it('should put an object with default retention if object does not ' +
|
it('should put an object with default retention if object does not '
|
||||||
'have retention configuration but bucket has', done => {
|
+ 'have retention configuration but bucket has', done => {
|
||||||
const testPutObjectRequest = new DummyRequest({
|
const testPutObjectRequest = new DummyRequest({
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -255,6 +255,7 @@ describe('objectPut API', () => {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectLockTestUtils.generateXml(testMode, val, type),
|
post: objectLockTestUtils.generateXml(testMode, val, type),
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequestLock, log, () => {
|
bucketPut(authInfo, testPutBucketRequestLock, log, () => {
|
||||||
|
@ -268,10 +269,8 @@ describe('objectPut API', () => {
|
||||||
const mode = md.retentionMode;
|
const mode = md.retentionMode;
|
||||||
const retainDate = md.retentionDate;
|
const retainDate = md.retentionDate;
|
||||||
const date = moment();
|
const date = moment();
|
||||||
const days
|
const days = type === 'Days' ? val : val * 365;
|
||||||
= type === 'Days' ? val : val * 365;
|
const expectedDate = date.add(days, 'days');
|
||||||
const expectedDate
|
|
||||||
= date.add(days, 'days');
|
|
||||||
assert.ifError(err);
|
assert.ifError(err);
|
||||||
assert.strictEqual(mode, testMode);
|
assert.strictEqual(mode, testMode);
|
||||||
assert.strictEqual(formatTime(retainDate),
|
assert.strictEqual(formatTime(retainDate),
|
||||||
|
@ -534,8 +533,8 @@ describe('objectPut API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should not put object with retention configuration if object lock ' +
|
it('should not put object with retention configuration if object lock '
|
||||||
'is not enabled on the bucket', done => {
|
+ 'is not enabled on the bucket', done => {
|
||||||
const testPutObjectRequest = new DummyRequest({
|
const testPutObjectRequest = new DummyRequest({
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -552,15 +551,14 @@ describe('objectPut API', () => {
|
||||||
objectPut(authInfo, testPutObjectRequest, undefined, log, err => {
|
objectPut(authInfo, testPutObjectRequest, undefined, log, err => {
|
||||||
assert.deepStrictEqual(err, errors.InvalidRequest
|
assert.deepStrictEqual(err, errors.InvalidRequest
|
||||||
.customizeDescription(
|
.customizeDescription(
|
||||||
'Bucket is missing ObjectLockConfiguration'));
|
'Bucket is missing ObjectLockConfiguration',
|
||||||
|
));
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
it('should forward a 400 back to client on metadata 408 response', () => {
|
it('should forward a 400 back to client on metadata 408 response', () => {
|
||||||
metadata.putObjectMD =
|
metadata.putObjectMD = (bucketName, objName, objVal, params, log, cb) => cb({ httpCode: 408 });
|
||||||
(bucketName, objName, objVal, params, log, cb) =>
|
|
||||||
cb({ httpCode: 408 });
|
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
||||||
|
@ -571,9 +569,7 @@ describe('objectPut API', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should forward a 502 to the client for 4xx != 408', () => {
|
it('should forward a 502 to the client for 4xx != 408', () => {
|
||||||
metadata.putObjectMD =
|
metadata.putObjectMD = (bucketName, objName, objVal, params, log, cb) => cb({ httpCode: 412 });
|
||||||
(bucketName, objName, objVal, params, log, cb) =>
|
|
||||||
cb({ httpCode: 412 });
|
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
||||||
|
@ -589,13 +585,12 @@ describe('objectPut API with versioning', () => {
|
||||||
cleanup();
|
cleanup();
|
||||||
});
|
});
|
||||||
|
|
||||||
const objData = ['foo0', 'foo1', 'foo2'].map(str =>
|
const objData = ['foo0', 'foo1', 'foo2'].map(str => Buffer.from(str, 'utf8'));
|
||||||
Buffer.from(str, 'utf8'));
|
|
||||||
const testPutObjectRequests = objData.map(data => versioningTestUtils
|
const testPutObjectRequests = objData.map(data => versioningTestUtils
|
||||||
.createPutObjectRequest(bucketName, objectName, data));
|
.createPutObjectRequest(bucketName, objectName, data));
|
||||||
|
|
||||||
it('should delete latest version when creating new null version ' +
|
it('should delete latest version when creating new null version '
|
||||||
'if latest version is null version', done => {
|
+ 'if latest version is null version', done => {
|
||||||
async.series([
|
async.series([
|
||||||
callback => bucketPut(authInfo, testPutBucketRequest, log,
|
callback => bucketPut(authInfo, testPutBucketRequest, log,
|
||||||
callback),
|
callback),
|
||||||
|
@ -633,8 +628,7 @@ describe('objectPut API with versioning', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('when null version is not the latest version', () => {
|
describe('when null version is not the latest version', () => {
|
||||||
const objData = ['foo0', 'foo1', 'foo2'].map(str =>
|
const objData = ['foo0', 'foo1', 'foo2'].map(str => Buffer.from(str, 'utf8'));
|
||||||
Buffer.from(str, 'utf8'));
|
|
||||||
const testPutObjectRequests = objData.map(data => versioningTestUtils
|
const testPutObjectRequests = objData.map(data => versioningTestUtils
|
||||||
.createPutObjectRequest(bucketName, objectName, data));
|
.createPutObjectRequest(bucketName, objectName, data));
|
||||||
beforeEach(done => {
|
beforeEach(done => {
|
||||||
|
@ -677,8 +671,8 @@ describe('objectPut API with versioning', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return BadDigest error and not leave orphans in data when ' +
|
it('should return BadDigest error and not leave orphans in data when '
|
||||||
'contentMD5 and completedHash do not match', done => {
|
+ 'contentMD5 and completedHash do not match', done => {
|
||||||
const testPutObjectRequest = new DummyRequest({
|
const testPutObjectRequest = new DummyRequest({
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
|
|
@ -3,11 +3,12 @@ const { errors } = require('arsenal');
|
||||||
|
|
||||||
const { bucketPut } = require('../../../lib/api/bucketPut');
|
const { bucketPut } = require('../../../lib/api/bucketPut');
|
||||||
const constants = require('../../../constants');
|
const constants = require('../../../constants');
|
||||||
const { cleanup,
|
const {
|
||||||
|
cleanup,
|
||||||
DummyRequestLogger,
|
DummyRequestLogger,
|
||||||
makeAuthInfo,
|
makeAuthInfo,
|
||||||
AccessControlPolicy }
|
AccessControlPolicy,
|
||||||
= require('../helpers');
|
} = require('../helpers');
|
||||||
const metadata = require('../metadataswitch');
|
const metadata = require('../metadataswitch');
|
||||||
const objectPut = require('../../../lib/api/objectPut');
|
const objectPut = require('../../../lib/api/objectPut');
|
||||||
const objectPutACL = require('../../../lib/api/objectPutACL');
|
const objectPutACL = require('../../../lib/api/objectPutACL');
|
||||||
|
@ -17,8 +18,8 @@ const log = new DummyRequestLogger();
|
||||||
const canonicalID = 'accessKey1';
|
const canonicalID = 'accessKey1';
|
||||||
const authInfo = makeAuthInfo(canonicalID);
|
const authInfo = makeAuthInfo(canonicalID);
|
||||||
const ownerID = authInfo.getCanonicalID();
|
const ownerID = authInfo.getCanonicalID();
|
||||||
const anotherID = '79a59df900b949e55d96a1e698fba' +
|
const anotherID = '79a59df900b949e55d96a1e698fba'
|
||||||
'cedfd6e09d98eacf8f8d5218e7cd47ef2bf';
|
+ 'cedfd6e09d98eacf8f8d5218e7cd47ef2bf';
|
||||||
const defaultAcpParams = {
|
const defaultAcpParams = {
|
||||||
ownerID,
|
ownerID,
|
||||||
ownerDisplayName: 'OwnerDisplayName',
|
ownerDisplayName: 'OwnerDisplayName',
|
||||||
|
@ -56,6 +57,7 @@ describe('putObjectACL API', () => {
|
||||||
headers: { 'x-amz-acl': 'invalid-option' },
|
headers: { 'x-amz-acl': 'invalid-option' },
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -79,6 +81,7 @@ describe('putObjectACL API', () => {
|
||||||
headers: { 'x-amz-acl': 'public-read-write' },
|
headers: { 'x-amz-acl': 'public-read-write' },
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -108,6 +111,7 @@ describe('putObjectACL API', () => {
|
||||||
headers: { 'x-amz-acl': 'public-read' },
|
headers: { 'x-amz-acl': 'public-read' },
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const testObjACLRequest2 = {
|
const testObjACLRequest2 = {
|
||||||
|
@ -117,6 +121,7 @@ describe('putObjectACL API', () => {
|
||||||
headers: { 'x-amz-acl': 'authenticated-read' },
|
headers: { 'x-amz-acl': 'authenticated-read' },
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -154,14 +159,15 @@ describe('putObjectACL API', () => {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: {
|
headers: {
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'emailaddress="sampleaccount1@sampling.com"' +
|
'emailaddress="sampleaccount1@sampling.com"'
|
||||||
',emailaddress="sampleaccount2@sampling.com"',
|
+ ',emailaddress="sampleaccount2@sampling.com"',
|
||||||
'x-amz-grant-read': `uri=${constants.logId}`,
|
'x-amz-grant-read': `uri=${constants.logId}`,
|
||||||
'x-amz-grant-read-acp': `id=${ownerID}`,
|
'x-amz-grant-read-acp': `id=${ownerID}`,
|
||||||
'x-amz-grant-write-acp': `id=${anotherID}`,
|
'x-amz-grant-write-acp': `id=${anotherID}`,
|
||||||
},
|
},
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
objectPut(authInfo, testPutObjectRequest, undefined, log,
|
||||||
|
@ -191,19 +197,20 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid email ' +
|
it('should return an error if invalid email '
|
||||||
'provided in ACL header request', done => {
|
+ 'provided in ACL header request', done => {
|
||||||
const testObjACLRequest = {
|
const testObjACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: {
|
headers: {
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'emailaddress="sampleaccount1@sampling.com"' +
|
'emailaddress="sampleaccount1@sampling.com"'
|
||||||
',emailaddress="nonexistentemail@sampling.com"',
|
+ ',emailaddress="nonexistentemail@sampling.com"',
|
||||||
},
|
},
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -234,6 +241,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(acp.getXml(), 'utf8')],
|
post: [Buffer.from(acp.getXml(), 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -260,8 +268,8 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if wrong owner ID ' +
|
it('should return an error if wrong owner ID '
|
||||||
'provided in ACLs set out in request body', done => {
|
+ 'provided in ACLs set out in request body', done => {
|
||||||
const acp = new AccessControlPolicy({ ownerID: anotherID });
|
const acp = new AccessControlPolicy({ ownerID: anotherID });
|
||||||
const testObjACLRequest = {
|
const testObjACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
|
@ -271,6 +279,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(acp.getXml(), 'utf8')],
|
post: [Buffer.from(acp.getXml(), 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -285,8 +294,8 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should ignore if WRITE ACL permission is ' +
|
it('should ignore if WRITE ACL permission is '
|
||||||
'provided in request body', done => {
|
+ 'provided in request body', done => {
|
||||||
const acp = new AccessControlPolicy(defaultAcpParams);
|
const acp = new AccessControlPolicy(defaultAcpParams);
|
||||||
acp.addGrantee('CanonicalUser', ownerID, 'FULL_CONTROL',
|
acp.addGrantee('CanonicalUser', ownerID, 'FULL_CONTROL',
|
||||||
'OwnerDisplayName');
|
'OwnerDisplayName');
|
||||||
|
@ -299,6 +308,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(acp.getXml(), 'utf8')],
|
post: [Buffer.from(acp.getXml(), 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -325,8 +335,8 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid email ' +
|
it('should return an error if invalid email '
|
||||||
'address provided in ACLs set out in request body', done => {
|
+ 'address provided in ACLs set out in request body', done => {
|
||||||
const acp = new AccessControlPolicy(defaultAcpParams);
|
const acp = new AccessControlPolicy(defaultAcpParams);
|
||||||
acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
|
acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
|
||||||
const testObjACLRequest = {
|
const testObjACLRequest = {
|
||||||
|
@ -337,6 +347,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(acp.getXml(), 'utf8')],
|
post: [Buffer.from(acp.getXml(), 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -352,8 +363,8 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if xml provided does not match s3 ' +
|
it('should return an error if xml provided does not match s3 '
|
||||||
'scheme for setting ACLs', done => {
|
+ 'scheme for setting ACLs', done => {
|
||||||
const acp = new AccessControlPolicy(defaultAcpParams);
|
const acp = new AccessControlPolicy(defaultAcpParams);
|
||||||
acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
|
acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
|
||||||
const originalXml = acp.getXml();
|
const originalXml = acp.getXml();
|
||||||
|
@ -366,6 +377,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(modifiedXml, 'utf8')],
|
post: [Buffer.from(modifiedXml, 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -394,6 +406,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(modifiedXml, 'utf8')],
|
post: [Buffer.from(modifiedXml, 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -409,11 +422,11 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid group ' +
|
it('should return an error if invalid group '
|
||||||
'uri provided in ACLs set out in request body', done => {
|
+ 'uri provided in ACLs set out in request body', done => {
|
||||||
const acp = new AccessControlPolicy(defaultAcpParams);
|
const acp = new AccessControlPolicy(defaultAcpParams);
|
||||||
acp.addGrantee('Group', 'http://acs.amazonaws.com/groups/' +
|
acp.addGrantee('Group', 'http://acs.amazonaws.com/groups/'
|
||||||
'global/NOTAVALIDGROUP', 'WRITE_ACP');
|
+ 'global/NOTAVALIDGROUP', 'WRITE_ACP');
|
||||||
const testObjACLRequest = {
|
const testObjACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -422,6 +435,7 @@ describe('putObjectACL API', () => {
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
post: [Buffer.from(acp.getXml(), 'utf8')],
|
post: [Buffer.from(acp.getXml(), 'utf8')],
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
@ -436,8 +450,8 @@ describe('putObjectACL API', () => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should return an error if invalid group uri ' +
|
it('should return an error if invalid group uri '
|
||||||
'provided in ACL header request', done => {
|
+ 'provided in ACL header request', done => {
|
||||||
const testObjACLRequest = {
|
const testObjACLRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
namespace,
|
namespace,
|
||||||
|
@ -445,11 +459,12 @@ describe('putObjectACL API', () => {
|
||||||
headers: {
|
headers: {
|
||||||
'host': 's3.amazonaws.com',
|
'host': 's3.amazonaws.com',
|
||||||
'x-amz-grant-full-control':
|
'x-amz-grant-full-control':
|
||||||
'uri="http://acs.amazonaws.com/groups/' +
|
'uri="http://acs.amazonaws.com/groups/'
|
||||||
'global/NOTAVALIDGROUP"',
|
+ 'global/NOTAVALIDGROUP"',
|
||||||
},
|
},
|
||||||
url: `/${bucketName}/${objectName}?acl`,
|
url: `/${bucketName}/${objectName}?acl`,
|
||||||
query: { acl: '' },
|
query: { acl: '' },
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
bucketPut(authInfo, testPutBucketRequest, log, () => {
|
||||||
|
|
|
@ -19,6 +19,7 @@ const putBucketRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjectRequest = new DummyRequest({
|
const putObjectRequest = new DummyRequest({
|
||||||
|
@ -29,16 +30,17 @@ const putObjectRequest = new DummyRequest({
|
||||||
url: `/${bucketName}/${objectName}`,
|
url: `/${bucketName}/${objectName}`,
|
||||||
}, postBody);
|
}, postBody);
|
||||||
|
|
||||||
const objectLegalHoldXml = status => '<LegalHold ' +
|
const objectLegalHoldXml = status => '<LegalHold '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
`<Status>${status}</Status>` +
|
+ `<Status>${status}</Status>`
|
||||||
'</LegalHold>';
|
+ '</LegalHold>';
|
||||||
|
|
||||||
const putLegalHoldReq = status => ({
|
const putLegalHoldReq = status => ({
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectLegalHoldXml(status),
|
post: objectLegalHoldXml(status),
|
||||||
|
iamAuthzResults: false,
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('putObjectLegalHold API', () => {
|
describe('putObjectLegalHold API', () => {
|
||||||
|
|
|
@ -23,6 +23,7 @@ const bucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjectRequest = new DummyRequest({
|
const putObjectRequest = new DummyRequest({
|
||||||
|
@ -33,41 +34,42 @@ const putObjectRequest = new DummyRequest({
|
||||||
url: `/${bucketName}/${objectName}`,
|
url: `/${bucketName}/${objectName}`,
|
||||||
}, postBody);
|
}, postBody);
|
||||||
|
|
||||||
const objectRetentionXmlGovernance = '<Retention ' +
|
const objectRetentionXmlGovernance = '<Retention '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Mode>GOVERNANCE</Mode>' +
|
+ '<Mode>GOVERNANCE</Mode>'
|
||||||
`<RetainUntilDate>${expectedDate}</RetainUntilDate>` +
|
+ `<RetainUntilDate>${expectedDate}</RetainUntilDate>`
|
||||||
'</Retention>';
|
+ '</Retention>';
|
||||||
|
|
||||||
const objectRetentionXmlCompliance = '<Retention ' +
|
const objectRetentionXmlCompliance = '<Retention '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Mode>COMPLIANCE</Mode>' +
|
+ '<Mode>COMPLIANCE</Mode>'
|
||||||
`<RetainUntilDate>${expectedDate}</RetainUntilDate>` +
|
+ `<RetainUntilDate>${expectedDate}</RetainUntilDate>`
|
||||||
'</Retention>';
|
+ '</Retention>';
|
||||||
|
|
||||||
const objectRetentionXmlGovernanceLonger = '<Retention ' +
|
const objectRetentionXmlGovernanceLonger = '<Retention '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Mode>GOVERNANCE</Mode>' +
|
+ '<Mode>GOVERNANCE</Mode>'
|
||||||
`<RetainUntilDate>${moment().add(5, 'days').toISOString()}</RetainUntilDate>` +
|
+ `<RetainUntilDate>${moment().add(5, 'days').toISOString()}</RetainUntilDate>`
|
||||||
'</Retention>';
|
+ '</Retention>';
|
||||||
|
|
||||||
const objectRetentionXmlGovernanceShorter = '<Retention ' +
|
const objectRetentionXmlGovernanceShorter = '<Retention '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Mode>GOVERNANCE</Mode>' +
|
+ '<Mode>GOVERNANCE</Mode>'
|
||||||
`<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>` +
|
+ `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>`
|
||||||
'</Retention>';
|
+ '</Retention>';
|
||||||
|
|
||||||
const objectRetentionXmlComplianceShorter = '<Retention ' +
|
const objectRetentionXmlComplianceShorter = '<Retention '
|
||||||
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
|
+ 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
|
||||||
'<Mode>COMPLIANCE</Mode>' +
|
+ '<Mode>COMPLIANCE</Mode>'
|
||||||
`<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>` +
|
+ `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>`
|
||||||
'</Retention>';
|
+ '</Retention>';
|
||||||
|
|
||||||
const putObjRetRequestGovernance = {
|
const putObjRetRequestGovernance = {
|
||||||
bucketName,
|
bucketName,
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectRetentionXmlGovernance,
|
post: objectRetentionXmlGovernance,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjRetRequestGovernanceWithHeader = {
|
const putObjRetRequestGovernanceWithHeader = {
|
||||||
|
@ -78,6 +80,7 @@ const putObjRetRequestGovernanceWithHeader = {
|
||||||
'x-amz-bypass-governance-retention': 'true',
|
'x-amz-bypass-governance-retention': 'true',
|
||||||
},
|
},
|
||||||
post: objectRetentionXmlGovernance,
|
post: objectRetentionXmlGovernance,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjRetRequestCompliance = {
|
const putObjRetRequestCompliance = {
|
||||||
|
@ -85,6 +88,7 @@ const putObjRetRequestCompliance = {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectRetentionXmlCompliance,
|
post: objectRetentionXmlCompliance,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjRetRequestComplianceShorter = {
|
const putObjRetRequestComplianceShorter = {
|
||||||
|
@ -92,6 +96,7 @@ const putObjRetRequestComplianceShorter = {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectRetentionXmlComplianceShorter,
|
post: objectRetentionXmlComplianceShorter,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjRetRequestGovernanceLonger = {
|
const putObjRetRequestGovernanceLonger = {
|
||||||
|
@ -99,6 +104,7 @@ const putObjRetRequestGovernanceLonger = {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectRetentionXmlGovernanceLonger,
|
post: objectRetentionXmlGovernanceLonger,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const putObjRetRequestGovernanceShorter = {
|
const putObjRetRequestGovernanceShorter = {
|
||||||
|
@ -106,6 +112,7 @@ const putObjRetRequestGovernanceShorter = {
|
||||||
objectKey: objectName,
|
objectKey: objectName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
post: objectRetentionXmlGovernanceShorter,
|
post: objectRetentionXmlGovernanceShorter,
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
describe('putObjectRetention API', () => {
|
describe('putObjectRetention API', () => {
|
||||||
|
|
|
@ -3,16 +3,15 @@ const assert = require('assert');
|
||||||
const { bucketPut } = require('../../../lib/api/bucketPut');
|
const { bucketPut } = require('../../../lib/api/bucketPut');
|
||||||
const objectPut = require('../../../lib/api/objectPut');
|
const objectPut = require('../../../lib/api/objectPut');
|
||||||
const objectPutTagging = require('../../../lib/api/objectPutTagging');
|
const objectPutTagging = require('../../../lib/api/objectPutTagging');
|
||||||
const { _validator, parseTagXml }
|
const { _validator, parseTagXml } = require('arsenal').s3middleware.tagging;
|
||||||
= require('arsenal').s3middleware.tagging;
|
const {
|
||||||
const { cleanup,
|
cleanup,
|
||||||
DummyRequestLogger,
|
DummyRequestLogger,
|
||||||
makeAuthInfo,
|
makeAuthInfo,
|
||||||
TaggingConfigTester }
|
TaggingConfigTester,
|
||||||
= require('../helpers');
|
} = require('../helpers');
|
||||||
const metadata = require('../../../lib/metadata/wrapper');
|
const metadata = require('../../../lib/metadata/wrapper');
|
||||||
const { taggingTests }
|
const { taggingTests } = require('../../functional/aws-node-sdk/lib/utility/tagging.js');
|
||||||
= require('../../functional/aws-node-sdk/lib/utility/tagging.js');
|
|
||||||
const DummyRequest = require('../DummyRequest');
|
const DummyRequest = require('../DummyRequest');
|
||||||
|
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
|
@ -25,6 +24,7 @@ const testBucketPutRequest = {
|
||||||
bucketName,
|
bucketName,
|
||||||
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
headers: { host: `${bucketName}.s3.amazonaws.com` },
|
||||||
url: '/',
|
url: '/',
|
||||||
|
iamAuthzResults: false,
|
||||||
};
|
};
|
||||||
|
|
||||||
const testPutObjectRequest = new DummyRequest({
|
const testPutObjectRequest = new DummyRequest({
|
||||||
|
@ -42,14 +42,14 @@ function _checkError(err, code, errorName) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function _generateSampleXml(key, value) {
|
function _generateSampleXml(key, value) {
|
||||||
const xml = '<Tagging>' +
|
const xml = '<Tagging>'
|
||||||
'<TagSet>' +
|
+ '<TagSet>'
|
||||||
'<Tag>' +
|
+ '<Tag>'
|
||||||
`<Key>${key}</Key>` +
|
+ `<Key>${key}</Key>`
|
||||||
`<Value>${value}</Value>` +
|
+ `<Value>${value}</Value>`
|
||||||
'</Tag>' +
|
+ '</Tag>'
|
||||||
'</TagSet>' +
|
+ '</TagSet>'
|
||||||
'</Tagging>';
|
+ '</Tagging>';
|
||||||
|
|
||||||
return xml;
|
return xml;
|
||||||
}
|
}
|
||||||
|
@ -101,12 +101,18 @@ describe('PUT object tagging :: helper validation functions ', () => {
|
||||||
{ tagTest: { Key: ['foo'] }, isValid: false },
|
{ tagTest: { Key: ['foo'] }, isValid: false },
|
||||||
{ tagTest: { Value: ['bar'] }, isValid: false },
|
{ tagTest: { Value: ['bar'] }, isValid: false },
|
||||||
{ tagTest: { Keys: ['foo'], Value: ['bar'] }, isValid: false },
|
{ tagTest: { Keys: ['foo'], Value: ['bar'] }, isValid: false },
|
||||||
{ tagTest: { Key: ['foo', 'boo'], Value: ['bar'] },
|
{
|
||||||
isValid: false },
|
tagTest: { Key: ['foo', 'boo'], Value: ['bar'] },
|
||||||
{ tagTest: { Key: ['foo'], Value: ['bar', 'boo'] },
|
isValid: false,
|
||||||
isValid: false },
|
},
|
||||||
{ tagTest: { Key: ['foo', 'boo'], Value: ['bar', 'boo'] },
|
{
|
||||||
isValid: false },
|
tagTest: { Key: ['foo'], Value: ['bar', 'boo'] },
|
||||||
|
isValid: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tagTest: { Key: ['foo', 'boo'], Value: ['bar', 'boo'] },
|
||||||
|
isValid: false,
|
||||||
|
},
|
||||||
{ tagTest: { Key: ['foo'], Values: ['bar'] }, isValid: false },
|
{ tagTest: { Key: ['foo'], Values: ['bar'] }, isValid: false },
|
||||||
{ tagTest: { Keys: ['foo'], Values: ['bar'] }, isValid: false },
|
{ tagTest: { Keys: ['foo'], Values: ['bar'] }, isValid: false },
|
||||||
];
|
];
|
||||||
|
@ -124,26 +130,66 @@ describe('PUT object tagging :: helper validation functions ', () => {
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('validateXMLStructure ', () => {
|
describe('validateXMLStructure ', () => {
|
||||||
it('should return expected true if tag is valid false/undefined ' +
|
it('should return expected true if tag is valid false/undefined '
|
||||||
'if not', done => {
|
+ 'if not', done => {
|
||||||
const tags = [
|
const tags = [
|
||||||
{ tagging: { Tagging: { TagSet: [{ Tag: [] }] } }, isValid:
|
{
|
||||||
true },
|
tagging: { Tagging: { TagSet: [{ Tag: [] }] } },
|
||||||
|
isValid:
|
||||||
|
true,
|
||||||
|
},
|
||||||
{ tagging: { Tagging: { TagSet: [''] } }, isValid: true },
|
{ tagging: { Tagging: { TagSet: [''] } }, isValid: true },
|
||||||
{ tagging: { Tagging: { TagSet: [] } }, isValid: false },
|
{ tagging: { Tagging: { TagSet: [] } }, isValid: false },
|
||||||
{ tagging: { Tagging: { TagSet: [{}] } }, isValid: false },
|
{ tagging: { Tagging: { TagSet: [{}] } }, isValid: false },
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: [] }] } }, isValid:
|
{
|
||||||
false },
|
tagging: { Tagging: { Tagset: [{ Tag: [] }] } },
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: [] }] },
|
isValid:
|
||||||
ExtraTagging: 'extratagging' }, isValid: false },
|
false,
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: [] }], ExtraTagset:
|
},
|
||||||
'extratagset' } }, isValid: false },
|
{
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: [] }], ExtraTagset:
|
tagging: {
|
||||||
'extratagset' } }, isValid: false },
|
Tagging: { Tagset: [{ Tag: [] }] },
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: [], ExtraTag:
|
ExtraTagging: 'extratagging',
|
||||||
'extratag' }] } }, isValid: false },
|
},
|
||||||
{ tagging: { Tagging: { Tagset: [{ Tag: {} }] } }, isValid:
|
isValid: false,
|
||||||
false },
|
},
|
||||||
|
{
|
||||||
|
tagging: {
|
||||||
|
Tagging: {
|
||||||
|
Tagset: [{ Tag: [] }],
|
||||||
|
ExtraTagset:
|
||||||
|
'extratagset',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
isValid: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tagging: {
|
||||||
|
Tagging: {
|
||||||
|
Tagset: [{ Tag: [] }],
|
||||||
|
ExtraTagset:
|
||||||
|
'extratagset',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
isValid: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tagging: {
|
||||||
|
Tagging: {
|
||||||
|
Tagset: [{
|
||||||
|
Tag: [],
|
||||||
|
ExtraTag:
|
||||||
|
'extratag',
|
||||||
|
}],
|
||||||
|
},
|
||||||
|
},
|
||||||
|
isValid: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
tagging: { Tagging: { Tagset: [{ Tag: {} }] } },
|
||||||
|
isValid:
|
||||||
|
false,
|
||||||
|
},
|
||||||
];
|
];
|
||||||
|
|
||||||
for (let i = 0; i < tags.length; i++) {
|
for (let i = 0; i < tags.length; i++) {
|
||||||
|
@ -172,8 +218,8 @@ describe('PUT object tagging :: helper validation functions ', () => {
|
||||||
|
|
||||||
taggingTests.forEach(taggingTest => {
|
taggingTests.forEach(taggingTest => {
|
||||||
it(taggingTest.it, done => {
|
it(taggingTest.it, done => {
|
||||||
const key = taggingTest.tag.key;
|
const { key } = taggingTest.tag;
|
||||||
const value = taggingTest.tag.value;
|
const { value } = taggingTest.tag;
|
||||||
const xml = _generateSampleXml(key, value);
|
const xml = _generateSampleXml(key, value);
|
||||||
parseTagXml(xml, log, (err, result) => {
|
parseTagXml(xml, log, (err, result) => {
|
||||||
if (taggingTest.error) {
|
if (taggingTest.error) {
|
||||||
|
|
|
@ -0,0 +1,236 @@
|
||||||
|
const assert = require('assert');
|
||||||
|
const { checkBucketAcls, checkObjectAcls } = require('../../../lib/api/apiUtils/authorization/permissionChecks');
|
||||||
|
const constants = require('../../../constants');
|
||||||
|
|
||||||
|
const { bucketOwnerActions } = constants;
|
||||||
|
|
||||||
|
describe('checkBucketAcls', () => {
|
||||||
|
const mockBucket = {
|
||||||
|
getOwner: () => 'ownerId',
|
||||||
|
getAcl: () => ({
|
||||||
|
Canned: '',
|
||||||
|
FULL_CONTROL: [],
|
||||||
|
READ: [],
|
||||||
|
READ_ACP: [],
|
||||||
|
WRITE: [],
|
||||||
|
WRITE_ACP: [],
|
||||||
|
}),
|
||||||
|
};
|
||||||
|
|
||||||
|
const testScenarios = [
|
||||||
|
{
|
||||||
|
description: 'should return true if bucket owner matches canonicalID',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {}, requestType: 'anyType', canonicalID: 'ownerId', mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for objectGetTagging when mainApiCall is objectGet',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {}, requestType: 'objectGetTagging', canonicalID: 'anyId', mainApiCall: 'objectGet',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for objectPutTagging when mainApiCall is objectPut',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {}, requestType: 'objectPutTagging', canonicalID: 'anyId', mainApiCall: 'objectPut',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for objectPutLegalHold when mainApiCall is objectPut',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {}, requestType: 'objectPutLegalHold', canonicalID: 'anyId', mainApiCall: 'objectPut',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for objectPutRetention when mainApiCall is objectPut',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {}, requestType: 'objectPutRetention', canonicalID: 'anyId', mainApiCall: 'objectPut',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for bucketGet if canned acl is public-read-write',
|
||||||
|
input: {
|
||||||
|
bucketAcl: { Canned: 'public-read-write' },
|
||||||
|
requestType: 'bucketGet',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for bucketGet if canned acl is authenticated-read and id is not publicId',
|
||||||
|
input: {
|
||||||
|
bucketAcl: { Canned: 'authenticated-read' },
|
||||||
|
requestType: 'bucketGet',
|
||||||
|
canonicalID: 'anyIdNotPublic',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for bucketGet if canonicalID has FULL_CONTROL access',
|
||||||
|
input: {
|
||||||
|
bucketAcl: { FULL_CONTROL: ['anyId'], READ: [] },
|
||||||
|
requestType: 'bucketGet',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for bucketGetACL if canonicalID has FULL_CONTROL',
|
||||||
|
input: {
|
||||||
|
bucketAcl: { FULL_CONTROL: ['anyId'], READ_ACP: [] },
|
||||||
|
requestType: 'bucketGetACL',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for objectDelete if bucketAcl.Canned is public-read-write',
|
||||||
|
input: {
|
||||||
|
bucketAcl: { Canned: 'public-read-write' },
|
||||||
|
requestType: 'objectDelete',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return true for requestType ending with "Version"',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {},
|
||||||
|
requestType: 'objectGetVersion',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'objectGet',
|
||||||
|
},
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: 'should return false for unmatched scenarios',
|
||||||
|
input: {
|
||||||
|
bucketAcl: {},
|
||||||
|
requestType: 'unmatchedRequest',
|
||||||
|
canonicalID: 'anyId',
|
||||||
|
mainApiCall: 'anyApiCall',
|
||||||
|
},
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
];
|
||||||
|
|
||||||
|
testScenarios.forEach(scenario => {
|
||||||
|
it(scenario.description, () => {
|
||||||
|
// Mock the bucket based on the test scenario's input
|
||||||
|
mockBucket.getAcl = () => scenario.input.bucketAcl;
|
||||||
|
|
||||||
|
const result = checkBucketAcls(mockBucket,
|
||||||
|
scenario.input.requestType, scenario.input.canonicalID, scenario.input.mainApiCall);
|
||||||
|
assert.strictEqual(result, scenario.expected);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
describe('checkObjectAcls', () => {
|
||||||
|
const mockBucket = {
|
||||||
|
getOwner: () => 'bucketOwnerId',
|
||||||
|
getName: () => 'bucketName',
|
||||||
|
getAcl: () => ({ Canned: '' }),
|
||||||
|
};
|
||||||
|
const mockObjectMD = {
|
||||||
|
'owner-id': 'objectOwnerId',
|
||||||
|
'acl': {
|
||||||
|
Canned: '',
|
||||||
|
FULL_CONTROL: [],
|
||||||
|
READ: [],
|
||||||
|
READ_ACP: [],
|
||||||
|
WRITE: [],
|
||||||
|
WRITE_ACP: [],
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
it('should return true if request type is in bucketOwnerActions and bucket owner matches canonicalID', () => {
|
||||||
|
assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, bucketOwnerActions[0],
|
||||||
|
'bucketOwnerId', false, false, 'anyApiCall'), true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should return true if objectMD owner matches canonicalID', () => {
|
||||||
|
assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, 'anyType',
|
||||||
|
'objectOwnerId', false, false, 'anyApiCall'), true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should return true for objectGetTagging when mainApiCall is objectGet and conditions met', () => {
|
||||||
|
assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, 'objectGetTagging',
|
||||||
|
'anyIdNotPublic', true, true, 'objectGet'), true);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('should return false if no acl provided in objectMD', () => {
|
||||||
|
const objMDWithoutAcl = Object.assign({}, mockObjectMD);
|
||||||
|
delete objMDWithoutAcl.acl;
|
||||||
|
assert.strictEqual(checkObjectAcls(mockBucket, objMDWithoutAcl, 'anyType',
|
||||||
|
'anyId', false, false, 'anyApiCall'), false);
|
||||||
|
});
|
||||||
|
|
||||||
|
const tests = [
|
||||||
|
{
|
||||||
|
acl: 'public-read', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
acl: 'public-read-write', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
acl: 'authenticated-read', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
acl: 'bucket-owner-read', reqType: 'objectGet', id: 'bucketOwnerId', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
acl: 'bucket-owner-full-control', reqType: 'objectGet', id: 'bucketOwnerId', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
aclList: ['someId', 'anyIdNotPublic'],
|
||||||
|
aclField: 'FULL_CONTROL',
|
||||||
|
reqType: 'objectGet',
|
||||||
|
id: 'anyIdNotPublic',
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
aclList: ['someId', 'anyIdNotPublic'],
|
||||||
|
aclField: 'READ',
|
||||||
|
reqType: 'objectGet',
|
||||||
|
id: 'anyIdNotPublic',
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{ reqType: 'objectPut', id: 'anyId', expected: true },
|
||||||
|
{ reqType: 'objectDelete', id: 'anyId', expected: true },
|
||||||
|
{
|
||||||
|
aclList: ['anyId'], aclField: 'FULL_CONTROL', reqType: 'objectPutACL', id: 'anyId', expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
acl: '', reqType: 'objectGet', id: 'randomId', expected: false,
|
||||||
|
},
|
||||||
|
];
|
||||||
|
|
||||||
|
tests.forEach(test => {
|
||||||
|
it(`should return ${test.expected} for ${test.reqType} with ACL as ${test.acl
|
||||||
|
|| (`${test.aclField}:${JSON.stringify(test.aclList)}`)}`, () => {
|
||||||
|
if (test.acl) {
|
||||||
|
mockObjectMD.acl.Canned = test.acl;
|
||||||
|
} else if (test.aclList && test.aclField) {
|
||||||
|
mockObjectMD.acl[test.aclField] = test.aclList;
|
||||||
|
}
|
||||||
|
|
||||||
|
assert.strictEqual(
|
||||||
|
checkObjectAcls(mockBucket, mockObjectMD, test.reqType, test.id, false, false, 'anyApiCall'),
|
||||||
|
test.expected,
|
||||||
|
);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
Loading…
Reference in New Issue