Compare commits

...

39 Commits

Author SHA1 Message Date
Will Toozs f817122415
REVISIT THIS COMMIT
The code in this commit causes an error in the 'implicit deny iam policy with "Allow" bucket policy for User ARN' test for PutObject, giving an AccessDenied because the implicitDent is true. It seems worth re-evaluating the ACL expectations at this point.
2023-09-25 11:40:17 +02:00
Will Toozs 3773bcf61c
add evaluateBucketPolicyWithIAM omissions 2023-09-21 11:41:30 +02:00
Will Toozs c82ce08fdb
permission fix: no allow on user from account by default 2023-09-19 11:00:34 +02:00
Will Toozs 9bf9130ca9
change variable name 2023-09-18 18:38:27 +02:00
Will Toozs b4a986ec3a
fixup: remove skips 2023-09-18 18:38:27 +02:00
Will Toozs 8725888bbd
fixup: remove skips 2023-09-18 18:38:27 +02:00
Will Toozs 111ecf875b
CLDSRV-431: updatye other API impDeny test logic 2023-09-18 18:38:27 +02:00
Will Toozs 15ddc02c25
CLDSRV-431: implment other API impDeny logic 2023-09-18 18:38:26 +02:00
Will Toozs 482e6576b1
variable name change 2023-09-18 18:34:16 +02:00
Will Toozs 5f3fa488d5
fixup: skips 2023-09-18 18:34:16 +02:00
Will Toozs e035d5550b
fixup: skips 2023-09-18 18:34:15 +02:00
Will Toozs b119898ed1
CLDSRV-429: update get apis tests with impDenylogic 2023-09-18 18:34:15 +02:00
Will Toozs e9d5c17707
CLDSRV-429: update get apis with impDeny logic 2023-09-18 18:34:15 +02:00
Will Toozs a7ce187499
update variable name 2023-09-18 18:31:12 +02:00
Will Toozs 6f7b2d6638
fixup: skips 2023-09-18 18:31:12 +02:00
Will Toozs f10cacb033
CLDSRV-430: update delete API tests for impDeny logic 2023-09-18 18:31:11 +02:00
Will Toozs 9bf18d806a
CLDSRV-430: add delete API implicit deny logic 2023-09-18 18:31:11 +02:00
Will Toozs dfa80a41ed
update variable name 2023-09-18 18:28:35 +02:00
Will Toozs 9f753af13a
lint 2023-09-18 18:28:35 +02:00
Will Toozs c214bb8ee1
lint 2023-09-18 18:28:34 +02:00
Will Toozs 3fcd479639
test skips 2023-09-18 18:28:34 +02:00
Will Toozs 1bb2f11f6c
lint 2023-09-18 18:28:34 +02:00
Will Toozs bfe9d34547
skip irrelevant apis 2023-09-18 18:28:33 +02:00
Will Toozs cc8f8a7213
api updates 2023-09-18 18:28:29 +02:00
Will Toozs f53a8ea8c7
linting 2023-09-18 18:25:10 +02:00
Will Toozs 1d55be193a
fixup: missing constants change 2023-09-18 18:25:09 +02:00
Will Toozs 00ba0d9377
CLDSRV-428: put apis updated for implicit deny 2023-09-18 18:25:09 +02:00
Will Toozs fe6578b276
change variable name 2023-09-18 18:24:09 +02:00
Will Toozs da526b5092
fixup: retrocompatibility changes 2023-09-18 18:24:09 +02:00
Will Toozs 159906dc74
fixup: retrocompatibility changes 2023-09-18 18:24:09 +02:00
Will Toozs 3ff2b5e9ed
fixup: retrocompatibility changes 2023-09-18 18:24:08 +02:00
Will Toozs f69f72363b
fixup: retrocompatibility changes 2023-09-18 18:24:08 +02:00
Will Toozs 7f9562bfda
fixup: lint 2023-09-18 18:24:08 +02:00
Will Toozs c01898f1a0
CLDSRV-427: update bucket/object perm checks to account for implicit …
…denies
2023-09-18 18:24:08 +02:00
Will Toozs 0f64e7c337
CLDSRV-426: add tests for ACL permission check updates 2023-09-18 18:23:45 +02:00
Will Toozs de334d16e9
CLDSRV-426: update ACL permission checks for implicitDeny logic 2023-09-18 18:23:44 +02:00
Will Toozs e99bb1e1cc
change variable names for clarity 2023-09-15 17:52:03 +02:00
Will Toozs cd6320c432
edit: update arsenal package 2023-09-12 11:14:45 +02:00
Will Toozs 3bc66f8cea
CLDSRV-424: api call updated with implicit deny logic 2023-09-11 18:05:21 +02:00
128 changed files with 2306 additions and 1503 deletions

View File

@ -153,6 +153,8 @@ const constants = {
'objectDeleteTagging', 'objectDeleteTagging',
'objectGetTagging', 'objectGetTagging',
'objectPutTagging', 'objectPutTagging',
'objectPutLegalHold',
'objectPutRetention',
], ],
// response header to be sent when there are invalid // response header to be sent when there are invalid
// user metadata in the object's metadata // user metadata in the object's metadata

View File

@ -107,6 +107,7 @@ const api = {
// no need to check auth on website or cors preflight requests // no need to check auth on website or cors preflight requests
if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' || if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' ||
apiMethod === 'corsPreflight') { apiMethod === 'corsPreflight') {
request.actionImplicitDenies = false;
return this[apiMethod](request, log, callback); return this[apiMethod](request, log, callback);
} }
@ -129,15 +130,25 @@ const api = {
const requestContexts = prepareRequestContexts(apiMethod, request, const requestContexts = prepareRequestContexts(apiMethod, request,
sourceBucket, sourceObject, sourceVersionId); sourceBucket, sourceObject, sourceVersionId);
// Extract all the _apiMethods and store them in an array
const apiMethods = requestContexts ? requestContexts.map(context => context._apiMethod) : [];
// Attach the names to the current request
// eslint-disable-next-line no-param-reassign
request.apiMethods = apiMethods;
function checkAuthResults(authResults) { function checkAuthResults(authResults) {
let returnTagCount = true; let returnTagCount = true;
const isImplicitDeny = {};
let isOnlyImplicitDeny = true;
if (apiMethod === 'objectGet') { if (apiMethod === 'objectGet') {
// first item checks s3:GetObject(Version) action // first item checks s3:GetObject(Version) action
if (!authResults[0].isAllowed) { if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
log.trace('get object authorization denial from Vault'); log.trace('get object authorization denial from Vault');
return errors.AccessDenied; return errors.AccessDenied;
} }
// TODO add support for returnTagCount in the bucket policy
// checks
isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
// second item checks s3:GetObject(Version)Tagging action // second item checks s3:GetObject(Version)Tagging action
if (!authResults[1].isAllowed) { if (!authResults[1].isAllowed) {
log.trace('get tagging authorization denial ' + log.trace('get tagging authorization denial ' +
@ -146,13 +157,25 @@ const api = {
} }
} else { } else {
for (let i = 0; i < authResults.length; i++) { for (let i = 0; i < authResults.length; i++) {
if (!authResults[i].isAllowed) { isImplicitDeny[authResults[i].action] = true;
if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
// Any explicit deny rejects the current API call
log.trace('authorization denial from Vault'); log.trace('authorization denial from Vault');
return errors.AccessDenied; return errors.AccessDenied;
} else if (authResults[i].isAllowed) {
// If the action is allowed, the result is not implicit
// Deny.
isImplicitDeny[authResults[i].action] = false;
isOnlyImplicitDeny = false;
} }
} }
} }
return returnTagCount; // These two APIs cannot use ACLs or Bucket Policies, hence, any
// implicit deny from vault must be treated as an explicit deny.
if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
return errors.AccessDenied;
}
return { returnTagCount, isImplicitDeny };
} }
return async.waterfall([ return async.waterfall([
@ -230,7 +253,16 @@ const api = {
if (checkedResults instanceof Error) { if (checkedResults instanceof Error) {
return callback(checkedResults); return callback(checkedResults);
} }
returnTagCount = checkedResults; returnTagCount = checkedResults.returnTagCount;
request.actionImplicitDenies = checkedResults.isImplicitDeny;
} else {
// create an object of keys apiMethods with all values to false:
// for backward compatibility, all apiMethods are allowed by default
// thus it is explicitly allowed, so implicit deny is false
request.actionImplicitDenies = apiMethods.reduce((acc, curr) => {
acc[curr] = false;
return acc;
}, {});
} }
if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') { if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
request._response = response; request._response = response;

View File

@ -1,29 +1,50 @@
const { evaluators, actionMaps, RequestContext } = require('arsenal').policies; const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
const constants = require('../../../../constants'); const constants = require('../../../../constants');
const { allAuthedUsersId, bucketOwnerActions, logId, publicId, const {
assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants; allAuthedUsersId, bucketOwnerActions, logId, publicId,
assumedRoleArnResourceType, backbeatLifecycleSessionName,
} = constants;
// whitelist buckets to allow public read on objects // whitelist buckets to allow public read on objects
const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ? const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS
process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : []; ? process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
function checkBucketAcls(bucket, requestType, canonicalID) { function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
// Same logic applies on the Versioned APIs, so let's simplify it.
const requestTypeParsed = requestType.endsWith('Version')
? requestType.slice(0, -7) : requestType;
if (bucket.getOwner() === canonicalID) { if (bucket.getOwner() === canonicalID) {
return true; return true;
} }
// Backward compatibility
const arrayOfAllowed = [
'objectPutTagging',
'objectPutLegalHold',
'objectPutRetention',
];
if (mainApiCall === 'objectGet') {
if (requestTypeParsed === 'objectGetTagging') {
return true;
}
}
if (mainApiCall === 'objectPut') {
if (arrayOfAllowed.includes(requestTypeParsed)) {
return true;
}
}
const bucketAcl = bucket.getAcl(); const bucketAcl = bucket.getAcl();
if (requestType === 'bucketGet' || requestType === 'bucketHead') { if (requestTypeParsed === 'bucketGet' || requestTypeParsed === 'bucketHead') {
if (bucketAcl.Canned === 'public-read' if (bucketAcl.Canned === 'public-read'
|| bucketAcl.Canned === 'public-read-write' || bucketAcl.Canned === 'public-read-write'
|| (bucketAcl.Canned === 'authenticated-read' || (bucketAcl.Canned === 'authenticated-read'
&& canonicalID !== publicId)) { && canonicalID !== publicId)) {
return true; return true;
} else if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1 } if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|| bucketAcl.READ.indexOf(canonicalID) > -1) { || bucketAcl.READ.indexOf(canonicalID) > -1) {
return true; return true;
} else if (bucketAcl.READ.indexOf(publicId) > -1 } if (bucketAcl.READ.indexOf(publicId) > -1
|| (bucketAcl.READ.indexOf(allAuthedUsersId) > -1 || (bucketAcl.READ.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -32,13 +53,13 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
return true; return true;
} }
} }
if (requestType === 'bucketGetACL') { if (requestTypeParsed === 'bucketGetACL') {
if ((bucketAcl.Canned === 'log-delivery-write' if ((bucketAcl.Canned === 'log-delivery-write'
&& canonicalID === logId) && canonicalID === logId)
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1 || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|| bucketAcl.READ_ACP.indexOf(canonicalID) > -1) { || bucketAcl.READ_ACP.indexOf(canonicalID) > -1) {
return true; return true;
} else if (bucketAcl.READ_ACP.indexOf(publicId) > -1 } if (bucketAcl.READ_ACP.indexOf(publicId) > -1
|| (bucketAcl.READ_ACP.indexOf(allAuthedUsersId) > -1 || (bucketAcl.READ_ACP.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -48,11 +69,11 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
} }
} }
if (requestType === 'bucketPutACL') { if (requestTypeParsed === 'bucketPutACL') {
if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1 if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|| bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) { || bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) {
return true; return true;
} else if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1 } if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1
|| (bucketAcl.WRITE_ACP.indexOf(allAuthedUsersId) > -1 || (bucketAcl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -62,16 +83,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
} }
} }
if (requestType === 'bucketDelete' && bucket.getOwner() === canonicalID) { if (requestTypeParsed === 'objectDelete' || requestTypeParsed === 'objectPut') {
return true;
}
if (requestType === 'objectDelete' || requestType === 'objectPut') {
if (bucketAcl.Canned === 'public-read-write' if (bucketAcl.Canned === 'public-read-write'
|| bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1 || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
|| bucketAcl.WRITE.indexOf(canonicalID) > -1) { || bucketAcl.WRITE.indexOf(canonicalID) > -1) {
return true; return true;
} else if (bucketAcl.WRITE.indexOf(publicId) > -1 } if (bucketAcl.WRITE.indexOf(publicId) > -1
|| (bucketAcl.WRITE.indexOf(allAuthedUsersId) > -1 || (bucketAcl.WRITE.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -86,11 +103,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
// objectPutACL, objectGetACL, objectHead or objectGet, the bucket // objectPutACL, objectGetACL, objectHead or objectGet, the bucket
// authorization check should just return true so can move on to check // authorization check should just return true so can move on to check
// rights at the object level. // rights at the object level.
return (requestType === 'objectPutACL' || requestType === 'objectGetACL' || return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
requestType === 'objectGet' || requestType === 'objectHead'); || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
} }
function checkObjectAcls(bucket, objectMD, requestType, canonicalID) { function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
isUserUnauthenticated, mainApiCall) {
const bucketOwner = bucket.getOwner(); const bucketOwner = bucket.getOwner();
// acls don't distinguish between users and accounts, so both should be allowed // acls don't distinguish between users and accounts, so both should be allowed
if (bucketOwnerActions.includes(requestType) if (bucketOwnerActions.includes(requestType)
@ -100,6 +118,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
if (objectMD['owner-id'] === canonicalID) { if (objectMD['owner-id'] === canonicalID) {
return true; return true;
} }
// Backward compatibility
if (mainApiCall === 'objectGet') {
if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
&& requestType === 'objectGetTagging') {
return true;
}
}
if (!objectMD.acl) { if (!objectMD.acl) {
return false; return false;
} }
@ -110,15 +137,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|| (objectMD.acl.Canned === 'authenticated-read' || (objectMD.acl.Canned === 'authenticated-read'
&& canonicalID !== publicId)) { && canonicalID !== publicId)) {
return true; return true;
} else if (objectMD.acl.Canned === 'bucket-owner-read' } if (objectMD.acl.Canned === 'bucket-owner-read'
&& bucketOwner === canonicalID) { && bucketOwner === canonicalID) {
return true; return true;
} else if ((objectMD.acl.Canned === 'bucket-owner-full-control' } if ((objectMD.acl.Canned === 'bucket-owner-full-control'
&& bucketOwner === canonicalID) && bucketOwner === canonicalID)
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1 || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|| objectMD.acl.READ.indexOf(canonicalID) > -1) { || objectMD.acl.READ.indexOf(canonicalID) > -1) {
return true; return true;
} else if (objectMD.acl.READ.indexOf(publicId) > -1 } if (objectMD.acl.READ.indexOf(publicId) > -1
|| (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -140,7 +167,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1 || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|| objectMD.acl.WRITE_ACP.indexOf(canonicalID) > -1) { || objectMD.acl.WRITE_ACP.indexOf(canonicalID) > -1) {
return true; return true;
} else if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1 } if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1
|| (objectMD.acl.WRITE_ACP.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -156,7 +183,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
|| objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1 || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
|| objectMD.acl.READ_ACP.indexOf(canonicalID) > -1) { || objectMD.acl.READ_ACP.indexOf(canonicalID) > -1) {
return true; return true;
} else if (objectMD.acl.READ_ACP.indexOf(publicId) > -1 } if (objectMD.acl.READ_ACP.indexOf(publicId) > -1
|| (objectMD.acl.READ_ACP.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.READ_ACP.indexOf(allAuthedUsersId) > -1
&& canonicalID !== publicId) && canonicalID !== publicId)
|| (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -169,9 +196,9 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
// allow public reads on buckets that are whitelisted for anonymous reads // allow public reads on buckets that are whitelisted for anonymous reads
// TODO: remove this after bucket policies are implemented // TODO: remove this after bucket policies are implemented
const bucketAcl = bucket.getAcl(); const bucketAcl = bucket.getAcl();
const allowPublicReads = publicReadBuckets.includes(bucket.getName()) && const allowPublicReads = publicReadBuckets.includes(bucket.getName())
bucketAcl.Canned === 'public-read' && && bucketAcl.Canned === 'public-read'
(requestType === 'objectGet' || requestType === 'objectHead'); && (requestType === 'objectGet' || requestType === 'objectHead');
if (allowPublicReads) { if (allowPublicReads) {
return true; return true;
} }
@ -246,9 +273,10 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
let permission = 'defaultDeny'; let permission = 'defaultDeny';
// if requester is user within bucket owner account, actions should be // if requester is user within bucket owner account, actions should be
// allowed unless explicitly denied (assumes allowed by IAM policy) // allowed unless explicitly denied (assumes allowed by IAM policy)
if (bucketOwner === canonicalID) { // Update: manual testing on the 18/9/2023 found this not to be the case
permission = 'allow'; // if (bucketOwner === canonicalID) {
} // permission = 'allow';
// }
let copiedStatement = JSON.parse(JSON.stringify(policy.Statement)); let copiedStatement = JSON.parse(JSON.stringify(policy.Statement));
while (copiedStatement.length > 0) { while (copiedStatement.length > 0) {
const s = copiedStatement[0]; const s = copiedStatement[0];
@ -268,7 +296,26 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
return permission; return permission;
} }
function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request) { function isBucketAuthorized(bucket, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
if (!Array.isArray(requestTypes)) {
// eslint-disable-next-line no-param-reassign
requestTypes = [requestTypes];
}
if (!actionImplicitDenies) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies = {};
}
// By default, all missing actions are defined as allowed from IAM, to be
// backward compatible
requestTypes.forEach(requestType => {
if (actionImplicitDenies[requestType] === undefined) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies[requestType] = false;
}
});
const mainApiCall = requestTypes[0];
const results = {};
requestTypes.forEach(_requestType => {
// Check to see if user is authorized to perform a // Check to see if user is authorized to perform a
// particular action on bucket based on ACLs. // particular action on bucket based on ACLs.
// TODO: Add IAM checks // TODO: Add IAM checks
@ -280,63 +327,165 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
} }
// if the bucket owner is an account, users should not have default access // if the bucket owner is an account, users should not have default access
if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) { if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) {
return true; results[_requestType] = actionImplicitDenies[_requestType] === false;
return;
} }
const aclPermission = checkBucketAcls(bucket, requestType, canonicalID); const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
const bucketPolicy = bucket.getBucketPolicy(); const bucketPolicy = bucket.getBucketPolicy();
if (!bucketPolicy) { if (!bucketPolicy) {
return aclPermission; results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
return;
} }
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
canonicalID, arn, bucket.getOwner(), log, request); canonicalID, arn, bucket.getOwner(), log, request);
if (bucketPolicyPermission === 'explicitDeny') { if (bucketPolicyPermission === 'explicitDeny') {
return false; results[_requestType] = false;
return;
} }
return (aclPermission || (bucketPolicyPermission === 'allow')); // If the bucket policy returns an allow, we accept the request, as the
// IAM response here is either Allow or implicit deny.
if (bucketPolicyPermission === 'allow') {
results[_requestType] = true;
return;
}
results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
});
// final result is true if all the results are true
return Object.keys(results).every(key => results[key] === true);
} }
function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log, request) {
function isObjAuthorized(bucket, objectMD, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
if (!Array.isArray(requestTypes)) {
// eslint-disable-next-line no-param-reassign
requestTypes = [requestTypes];
}
// By default, all missing actions are defined as allowed from IAM, to be
// backward compatible
if (!actionImplicitDenies) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies = {};
}
requestTypes.forEach(requestType => {
if (actionImplicitDenies[requestType] === undefined) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies[requestType] = false;
}
});
const results = {};
const mainApiCall = requestTypes[0];
requestTypes.forEach(_requestType => {
const parsedMethodName = _requestType.endsWith('Version')
? _requestType.slice(0, -7) : _requestType;
const bucketOwner = bucket.getOwner(); const bucketOwner = bucket.getOwner();
if (!objectMD) { if (!objectMD) {
// User is already authorized on the bucket for FULL_CONTROL or WRITE or // User is already authorized on the bucket for FULL_CONTROL or WRITE or
// bucket has canned ACL public-read-write // bucket has canned ACL public-read-write
if (requestType === 'objectPut' || requestType === 'objectDelete') { // if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
return true; // results[_requestType] = actionImplicitDenies[_requestType] === false;
} // return;
// }
// check bucket has read access // check bucket has read access
// 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
return isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request); results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo,
actionImplicitDenies, log, request);
return;
} }
let requesterIsNotUser = true; let requesterIsNotUser = true;
let arn = null; let arn = null;
let isUserUnauthenticated = false;
if (authInfo) { if (authInfo) {
requesterIsNotUser = !authInfo.isRequesterAnIAMUser(); requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
arn = authInfo.getArn(); arn = authInfo.getArn();
isUserUnauthenticated = arn === undefined;
} }
if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) { if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) {
return true; results[_requestType] = actionImplicitDenies[_requestType] === false;
return;
} }
// account is authorized if: // account is authorized if:
// - requesttype is included in bucketOwnerActions and // - requesttype is included in bucketOwnerActions and
// - account is the bucket owner // - account is the bucket owner
// - requester is account, not user // - requester is account, not user
if (bucketOwnerActions.includes(requestType) if (bucketOwnerActions.includes(parsedMethodName)
&& (bucketOwner === canonicalID) && (bucketOwner === canonicalID)
&& requesterIsNotUser) { && requesterIsNotUser) {
return true; results[_requestType] = actionImplicitDenies[_requestType] === false;
return;
} }
const aclPermission = checkObjectAcls(bucket, objectMD, requestType, const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
canonicalID); canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
const bucketPolicy = bucket.getBucketPolicy(); const bucketPolicy = bucket.getBucketPolicy();
if (!bucketPolicy) { if (!bucketPolicy) {
return aclPermission; results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
return;
} }
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
canonicalID, arn, bucket.getOwner(), log, request); canonicalID, arn, bucket.getOwner(), log, request);
if (bucketPolicyPermission === 'explicitDeny') { if (bucketPolicyPermission === 'explicitDeny') {
return false; results[_requestType] = false;
return;
} }
return (aclPermission || (bucketPolicyPermission === 'allow')); // If the bucket policy returns an allow, we accept the request, as the
// IAM response here is either Allow or implicit deny.
if (bucketPolicyPermission === 'allow') {
results[_requestType] = true;
return;
}
results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
});
// final result is true if all the results are true
return Object.keys(results).every(key => results[key] === true);
}
function evaluateBucketPolicyWithIAM(bucket, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
if (!Array.isArray(requestTypes)) {
// eslint-disable-next-line no-param-reassign
requestTypes = [requestTypes];
}
if (actionImplicitDenies === false) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies = {};
}
// By default, all missing actions are defined as allowed from IAM, to be
// backward compatible
requestTypes.forEach(requestType => {
if (actionImplicitDenies[requestType] === undefined) {
// eslint-disable-next-line no-param-reassign
actionImplicitDenies[requestType] = false;
}
});
const results = {};
requestTypes.forEach(_requestType => {
let arn = null;
if (authInfo) {
arn = authInfo.getArn();
}
const bucketPolicy = bucket.getBucketPolicy();
if (!bucketPolicy) {
results[_requestType] = actionImplicitDenies[_requestType] === false;
return;
}
const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
canonicalID, arn, bucket.getOwner(), log, request);
if (bucketPolicyPermission === 'explicitDeny') {
results[_requestType] = false;
return;
}
// If the bucket policy returns an allow, we accept the request, as the
// IAM response here is either Allow or implicit deny.
if (bucketPolicyPermission === 'allow') {
results[_requestType] = true;
return;
}
results[_requestType] = actionImplicitDenies[_requestType] === false;
});
// final result is true if all the results are true
return Object.keys(results).every(key => results[key] === true);
} }
function _checkResource(resource, bucketArn) { function _checkResource(resource, bucketArn) {
@ -383,9 +532,9 @@ function isLifecycleSession(arn) {
const resourceType = resourceNames[0]; const resourceType = resourceNames[0];
const sessionName = resourceNames[resourceNames.length - 1]; const sessionName = resourceNames[resourceNames.length - 1];
return (service === 'sts' && return (service === 'sts'
resourceType === assumedRoleArnResourceType && && resourceType === assumedRoleArnResourceType
sessionName === backbeatLifecycleSessionName); && sessionName === backbeatLifecycleSessionName);
} }
module.exports = { module.exports = {
@ -395,4 +544,5 @@ module.exports = {
checkObjectAcls, checkObjectAcls,
validatePolicyResource, validatePolicyResource,
isLifecycleSession, isLifecycleSession,
evaluateBucketPolicyWithIAM,
}; };

View File

@ -24,7 +24,7 @@ function _deleteMPUbucket(destinationBucketName, log, cb) {
}); });
} }
function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) { function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, request, log, cb) {
async.mapLimit(mpus, 1, (mpu, next) => { async.mapLimit(mpus, 1, (mpu, next) => {
const splitterChar = mpu.key.includes(oldSplitter) ? const splitterChar = mpu.key.includes(oldSplitter) ?
oldSplitter : splitter; oldSplitter : splitter;
@ -40,7 +40,7 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
byteLength: partSizeSum, byteLength: partSizeSum,
}); });
next(err); next(err);
}); }, request);
}, cb); }, cb);
} }
/** /**
@ -49,11 +49,13 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
* @param {object} bucketMD - bucket attributes/metadata * @param {object} bucketMD - bucket attributes/metadata
* @param {string} bucketName - bucket in which objectMetadata is stored * @param {string} bucketName - bucket in which objectMetadata is stored
* @param {string} canonicalID - account canonicalID of requester * @param {string} canonicalID - account canonicalID of requester
* @param {object} request - request object given by router
* including normalized headers
* @param {object} log - Werelogs logger * @param {object} log - Werelogs logger
* @param {function} cb - callback from async.waterfall in bucketDelete * @param {function} cb - callback from async.waterfall in bucketDelete
* @return {undefined} * @return {undefined}
*/ */
function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) { function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, request, log, cb) {
log.trace('deleting bucket from metadata'); log.trace('deleting bucket from metadata');
assert.strictEqual(typeof bucketName, 'string'); assert.strictEqual(typeof bucketName, 'string');
assert.strictEqual(typeof canonicalID, 'string'); assert.strictEqual(typeof canonicalID, 'string');
@ -100,7 +102,7 @@ function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
} }
if (objectsListRes.Contents.length) { if (objectsListRes.Contents.length) {
return _deleteOngoingMPUs(authInfo, bucketName, return _deleteOngoingMPUs(authInfo, bucketName,
bucketMD, objectsListRes.Contents, log, err => { bucketMD, objectsListRes.Contents, request, log, err => {
if (err) { if (err) {
return next(err); return next(err);
} }

View File

@ -22,10 +22,11 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
// but the requestType is the more general 'objectDelete' // but the requestType is the more general 'objectDelete'
const metadataValParams = Object.assign({}, metadataValMPUparams); const metadataValParams = Object.assign({}, metadataValMPUparams);
metadataValParams.requestType = 'objectPut'; metadataValParams.requestType = 'objectPut';
const authzIdentityResult = request ? request.actionImplicitDenies : true;
async.waterfall([ async.waterfall([
function checkDestBucketVal(next) { function checkDestBucketVal(next) {
metadataValidateBucketAndObj(metadataValParams, log, metadataValidateBucketAndObj(metadataValParams, authzIdentityResult, log,
(err, destinationBucket) => { (err, destinationBucket) => {
if (err) { if (err) {
return next(err, destinationBucket); return next(err, destinationBucket);
@ -56,9 +57,15 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
function abortExternalMpu(mpuBucket, mpuOverviewObj, destBucket, function abortExternalMpu(mpuBucket, mpuOverviewObj, destBucket,
next) { next) {
const location = mpuOverviewObj.controllingLocationConstraint; const location = mpuOverviewObj.controllingLocationConstraint;
const originalIdentityImpDenies = request.actionImplicitDenies;
// eslint-disable-next-line no-param-reassign
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
return data.abortMPU(objectKey, uploadId, location, bucketName, return data.abortMPU(objectKey, uploadId, location, bucketName,
request, destBucket, locationConstraintCheck, log, request, destBucket, locationConstraintCheck, log,
(err, skipDataDelete) => { (err, skipDataDelete) => {
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (err) { if (err) {
return next(err, destBucket); return next(err, destBucket);
} }

View File

@ -3,6 +3,7 @@ const moment = require('moment');
const { config } = require('../../../Config'); const { config } = require('../../../Config');
const vault = require('../../../auth/vault'); const vault = require('../../../auth/vault');
const { evaluateBucketPolicyWithIAM } = require('../authorization/permissionChecks');
/** /**
* Calculates retain until date for the locked object version * Calculates retain until date for the locked object version
@ -302,7 +303,11 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
if (err) { if (err) {
return cb(err); return cb(err);
} }
if (authorizationResults[0].isAllowed !== true) {
// Deny immediately if there is any explicit deny
const explicitDenyExists = authorizationResults.some(
authzResult => authzResult.isAllowed === false && authzResult.isImplicit === false);
if (explicitDenyExists) {
log.trace('authorization check failed for user', log.trace('authorization check failed for user',
{ {
'method': 'checkUserPolicyGovernanceBypass', 'method': 'checkUserPolicyGovernanceBypass',
@ -310,7 +315,25 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
}); });
return cb(errors.AccessDenied); return cb(errors.AccessDenied);
} }
return cb(null);
// Convert authorization results into an easier to handle format
const iamAuthzResults = authorizationResults.reduce((acc, curr, idx) => {
// eslint-disable-next-line no-param-reassign
acc[requestContextParams[idx].apiMethod] = curr.isImplicit;
return acc;
}, {});
// Evaluate against the bucket policies
const areAllActionsAllowed = evaluateBucketPolicyWithIAM(
bucketMD,
Object.keys(iamAuthzResults),
authInfo.getCanonicalID(),
authInfo,
iamAuthzResults,
log,
request);
return cb(areAllActionsAllowed ? null : errors.AccessDenied);
}); });
} }

View File

@ -31,7 +31,7 @@ function bucketDelete(authInfo, request, log, cb) {
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucketMD) => { (err, bucketMD) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucketMD); request.method, bucketMD);
@ -43,7 +43,7 @@ function bucketDelete(authInfo, request, log, cb) {
log.trace('passed checks', log.trace('passed checks',
{ method: 'metadataValidateBucket' }); { method: 'metadataValidateBucket' });
return deleteBucket(authInfo, bucketMD, bucketName, return deleteBucket(authInfo, bucketMD, bucketName,
authInfo.getCanonicalID(), log, err => { authInfo.getCanonicalID(), request, log, err => {
if (err) { if (err) {
return cb(err, corsHeaders); return cb(err, corsHeaders);
} }

View File

@ -33,7 +33,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {
} }
log.trace('found bucket in metadata'); log.trace('found bucket in metadata');
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { log.debug('access denied for user on bucket', {
requestType, requestType,
method: 'bucketDeleteCors', method: 'bucketDeleteCors',

View File

@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucket(metadataValParams, log, next), next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
(bucket, next) => { (bucket, next) => {
const sseConfig = bucket.getServerSideEncryption(); const sseConfig = bucket.getServerSideEncryption();

View File

@ -20,7 +20,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
requestType: 'bucketDeleteLifecycle', requestType: 'bucketDeleteLifecycle',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
requestType: 'bucketDeletePolicy', requestType: 'bucketDeletePolicy',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -20,7 +20,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
requestType: 'bucketDeleteReplication', requestType: 'bucketDeleteReplication',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -25,7 +25,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
} }
log.trace('found bucket in metadata'); log.trace('found bucket in metadata');
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { log.debug('access denied for user on bucket', {
requestType, requestType,
method: 'bucketDeleteWebsite', method: 'bucketDeleteWebsite',

View File

@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) {
listParams.marker = params.marker; listParams.marker = params.marker;
} }
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {

View File

@ -54,7 +54,7 @@ function bucketGetACL(authInfo, request, log, callback) {
}, },
}; };
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {

View File

@ -34,7 +34,8 @@ function bucketGetCors(authInfo, request, log, callback) {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { log.debug('access denied for user on bucket', {
requestType, requestType,
method: 'bucketGetCors', method: 'bucketGetCors',

View File

@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucket(metadataValParams, log, next), next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
(bucket, next) => { (bucket, next) => {
// If sseInfo is present but the `mandatory` flag is not set // If sseInfo is present but the `mandatory` flag is not set

View File

@ -23,7 +23,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
requestType: 'bucketGetLifecycle', requestType: 'bucketGetLifecycle',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -36,7 +36,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for account on bucket', { log.debug('access denied for account on bucket', {
requestType, requestType,
method: 'bucketGetLocation', method: 'bucketGetLocation',

View File

@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
requestType: 'bucketGetObjectLock', requestType: 'bucketGetObjectLock',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -23,7 +23,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
requestType: 'bucketGetReplication', requestType: 'bucketGetReplication',
request, request,
}; };
return metadataValidateBucket(metadataValParams, log, (err, bucket) => { return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
if (err) { if (err) {
log.debug('error processing request', { log.debug('error processing request', {

View File

@ -57,7 +57,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
request, request,
}; };
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {

View File

@ -34,7 +34,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { log.debug('access denied for user on bucket', {
requestType, requestType,
method: 'bucketGetWebsite', method: 'bucketGetWebsite',

View File

@ -21,7 +21,7 @@ function bucketHead(authInfo, request, log, callback) {
requestType: 'bucketHead', requestType: 'bucketHead',
request, request,
}; };
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {

View File

@ -43,7 +43,7 @@ const { pushMetric } = require('../utapi/utilities');
function bucketPutACL(authInfo, request, log, callback) { function bucketPutACL(authInfo, request, log, callback) {
log.debug('processing request', { method: 'bucketPutACL' }); log.debug('processing request', { method: 'bucketPutACL' });
const bucketName = request.bucketName; const { bucketName } = request;
const canonicalID = authInfo.getCanonicalID(); const canonicalID = authInfo.getCanonicalID();
const newCannedACL = request.headers['x-amz-acl']; const newCannedACL = request.headers['x-amz-acl'];
const possibleCannedACL = [ const possibleCannedACL = [
@ -53,17 +53,6 @@ function bucketPutACL(authInfo, request, log, callback) {
'authenticated-read', 'authenticated-read',
'log-delivery-write', 'log-delivery-write',
]; ];
if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
log.trace('invalid canned acl argument', {
acl: newCannedACL,
method: 'bucketPutACL',
});
return callback(errors.InvalidArgument);
}
if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
log.trace('invalid acl header');
return callback(errors.InvalidArgument);
}
const possibleGroups = [constants.allAuthedUsersId, const possibleGroups = [constants.allAuthedUsersId,
constants.publicId, constants.publicId,
constants.logId, constants.logId,
@ -71,7 +60,7 @@ function bucketPutACL(authInfo, request, log, callback) {
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutACL', requestType: request.apiMethods || 'bucketPutACL',
request, request,
}; };
const possibleGrants = ['FULL_CONTROL', 'WRITE', const possibleGrants = ['FULL_CONTROL', 'WRITE',
@ -85,24 +74,19 @@ function bucketPutACL(authInfo, request, log, callback) {
READ_ACP: [], READ_ACP: [],
}; };
const grantReadHeader = const grantReadHeader = aclUtils.parseGrant(request.headers[
aclUtils.parseGrant(request.headers[
'x-amz-grant-read'], 'READ'); 'x-amz-grant-read'], 'READ');
const grantWriteHeader = const grantWriteHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE'); const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
const grantReadACPHeader =
aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
'READ_ACP'); 'READ_ACP');
const grantWriteACPHeader = const grantWriteACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
'WRITE_ACP'); 'WRITE_ACP');
const grantFullControlHeader = const grantFullControlHeader = aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
'FULL_CONTROL'); 'FULL_CONTROL');
return async.waterfall([ return async.waterfall([
function waterfall1(next) { function waterfall1(next) {
metadataValidateBucket(metadataValParams, log, metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => { (err, bucket) => {
if (err) { if (err) {
log.trace('request authorization failed', { log.trace('request authorization failed', {
@ -111,6 +95,18 @@ function bucketPutACL(authInfo, request, log, callback) {
}); });
return next(err, bucket); return next(err, bucket);
} }
// if the API call is allowed, ensure that the parameters are valid
if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
log.trace('invalid canned acl argument', {
acl: newCannedACL,
method: 'bucketPutACL',
});
return next(errors.InvalidArgument);
}
if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
log.trace('invalid acl header');
return next(errors.InvalidArgument);
}
return next(null, bucket); return next(null, bucket);
}); });
}, },
@ -193,13 +189,12 @@ function bucketPutACL(authInfo, request, log, callback) {
} else { } else {
// If no canned ACL and no parsed xml, loop // If no canned ACL and no parsed xml, loop
// through the access headers // through the access headers
const allGrantHeaders = const allGrantHeaders = [].concat(grantReadHeader, grantWriteHeader,
[].concat(grantReadHeader, grantWriteHeader,
grantReadACPHeader, grantWriteACPHeader, grantReadACPHeader, grantWriteACPHeader,
grantFullControlHeader); grantFullControlHeader);
usersIdentifiedByEmail = allGrantHeaders.filter(item => usersIdentifiedByEmail = allGrantHeaders.filter(item => item
item && item.userIDType.toLowerCase() === 'emailaddress'); && item.userIDType.toLowerCase() === 'emailaddress');
usersIdentifiedByGroup = allGrantHeaders usersIdentifiedByGroup = allGrantHeaders
.filter(itm => itm && itm.userIDType .filter(itm => itm && itm.userIDType
@ -207,8 +202,10 @@ function bucketPutACL(authInfo, request, log, callback) {
for (let i = 0; i < usersIdentifiedByGroup.length; i++) { for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
const userGroup = usersIdentifiedByGroup[i].identifier; const userGroup = usersIdentifiedByGroup[i].identifier;
if (possibleGroups.indexOf(userGroup) < 0) { if (possibleGroups.indexOf(userGroup) < 0) {
log.trace('invalid user group', { userGroup, log.trace('invalid user group', {
method: 'bucketPutACL' }); userGroup,
method: 'bucketPutACL',
});
return next(errors.InvalidArgument, bucket); return next(errors.InvalidArgument, bucket);
} }
} }
@ -241,8 +238,8 @@ function bucketPutACL(authInfo, request, log, callback) {
return vault.getCanonicalIds(justEmails, log, return vault.getCanonicalIds(justEmails, log,
(err, results) => { (err, results) => {
if (err) { if (err) {
log.trace('error looking up canonical ids', { log.trace('error looking up canonical ids',
error: err, method: 'vault.getCanonicalIDs' }); { error: err, method: 'vault.getCanonicalIDs' });
return next(err, bucket); return next(err, bucket);
} }
const reconstructedUsersIdentifiedByEmail = aclUtils const reconstructedUsersIdentifiedByEmail = aclUtils
@ -251,7 +248,8 @@ function bucketPutACL(authInfo, request, log, callback) {
const allUsers = [].concat( const allUsers = [].concat(
reconstructedUsersIdentifiedByEmail, reconstructedUsersIdentifiedByEmail,
usersIdentifiedByID, usersIdentifiedByID,
usersIdentifiedByGroup); usersIdentifiedByGroup,
);
const revisedAddACLParams = aclUtils const revisedAddACLParams = aclUtils
.sortHeaderGrants(allUsers, addACLParams); .sortHeaderGrants(allUsers, addACLParams);
return next(null, bucket, revisedAddACLParams); return next(null, bucket, revisedAddACLParams);
@ -259,9 +257,9 @@ function bucketPutACL(authInfo, request, log, callback) {
} }
const allUsers = [].concat( const allUsers = [].concat(
usersIdentifiedByID, usersIdentifiedByID,
usersIdentifiedByGroup); usersIdentifiedByGroup,
const revisedAddACLParams = );
aclUtils.sortHeaderGrants(allUsers, addACLParams); const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
return next(null, bucket, revisedAddACLParams); return next(null, bucket, revisedAddACLParams);
}, },
function waterfall4(bucket, addACLParams, next) { function waterfall4(bucket, addACLParams, next) {
@ -272,12 +270,10 @@ function bucketPutACL(authInfo, request, log, callback) {
if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) { if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
log.trace('transient or deleted flag so cleaning up bucket'); log.trace('transient or deleted flag so cleaning up bucket');
bucket.setFullAcl(addACLParams); bucket.setFullAcl(addACLParams);
return cleanUpBucket(bucket, canonicalID, log, err => return cleanUpBucket(bucket, canonicalID, log, err => next(err, bucket));
next(err, bucket));
} }
// If no bucket flags, just add acl's to bucket metadata // If no bucket flags, just add acl's to bucket metadata
return acl.addACL(bucket, addACLParams, log, err => return acl.addACL(bucket, addACLParams, log, err => next(err, bucket));
next(err, bucket));
}, },
], (err, bucket) => { ], (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,

View File

@ -4,8 +4,7 @@ const { errors } = require('arsenal');
const bucketShield = require('./apiUtils/bucket/bucketShield'); const bucketShield = require('./apiUtils/bucket/bucketShield');
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const { isBucketAuthorized } = const { isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
require('./apiUtils/authorization/permissionChecks');
const metadata = require('../metadata/wrapper'); const metadata = require('../metadata/wrapper');
const { parseCorsXml } = require('./apiUtils/bucket/bucketCors'); const { parseCorsXml } = require('./apiUtils/bucket/bucketCors');
const { pushMetric } = require('../utapi/utilities'); const { pushMetric } = require('../utapi/utilities');
@ -22,7 +21,7 @@ const requestType = 'bucketPutCors';
*/ */
function bucketPutCors(authInfo, request, log, callback) { function bucketPutCors(authInfo, request, log, callback) {
log.debug('processing request', { method: 'bucketPutCors' }); log.debug('processing request', { method: 'bucketPutCors' });
const bucketName = request.bucketName; const { bucketName } = request;
const canonicalID = authInfo.getCanonicalID(); const canonicalID = authInfo.getCanonicalID();
if (!request.post) { if (!request.post) {
@ -66,7 +65,8 @@ function bucketPutCors(authInfo, request, log, callback) {
}); });
}, },
function validateBucketAuthorization(bucket, rules, corsHeaders, next) { function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for account on bucket', { log.debug('access denied for account on bucket', {
requestType, requestType,
}); });
@ -77,8 +77,7 @@ function bucketPutCors(authInfo, request, log, callback) {
function updateBucketMetadata(bucket, rules, corsHeaders, next) { function updateBucketMetadata(bucket, rules, corsHeaders, next) {
log.trace('updating bucket cors rules in metadata'); log.trace('updating bucket cors rules in metadata');
bucket.setCors(rules); bucket.setCors(rules);
metadata.updateBucket(bucketName, bucket, log, err => metadata.updateBucket(bucketName, bucket, log, err => next(err, corsHeaders));
next(err, corsHeaders));
}, },
], (err, corsHeaders) => { ], (err, corsHeaders) => {
if (err) { if (err) {

View File

@ -18,17 +18,17 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
*/ */
function bucketPutEncryption(authInfo, request, log, callback) { function bucketPutEncryption(authInfo, request, log, callback) {
const bucketName = request.bucketName; const { bucketName } = request;
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutEncryption', requestType: request.apiMethods || 'bucketPutEncryption',
request, request,
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucket(metadataValParams, log, next), next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
(bucket, next) => { (bucket, next) => {
log.trace('parsing encryption config', { method: 'bucketPutEncryption' }); log.trace('parsing encryption config', { method: 'bucketPutEncryption' });

View File

@ -1,7 +1,6 @@
const { waterfall } = require('async'); const { waterfall } = require('async');
const uuid = require('uuid/v4'); const uuid = require('uuid/v4');
const LifecycleConfiguration = const { LifecycleConfiguration } = require('arsenal').models;
require('arsenal').models.LifecycleConfiguration;
const parseXML = require('../utilities/parseXML'); const parseXML = require('../utilities/parseXML');
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@ -21,11 +20,11 @@ const { pushMetric } = require('../utapi/utilities');
function bucketPutLifecycle(authInfo, request, log, callback) { function bucketPutLifecycle(authInfo, request, log, callback) {
log.debug('processing request', { method: 'bucketPutLifecycle' }); log.debug('processing request', { method: 'bucketPutLifecycle' });
const bucketName = request.bucketName; const { bucketName } = request;
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutLifecycle', requestType: request.apiMethods || 'bucketPutLifecycle',
request, request,
}; };
return waterfall([ return waterfall([
@ -42,7 +41,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
return next(null, configObj); return next(null, configObj);
}); });
}, },
(lcConfig, next) => metadataValidateBucket(metadataValParams, log, (lcConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => { (err, bucket) => {
if (err) { if (err) {
return next(err, bucket); return next(err, bucket);
@ -54,8 +53,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
bucket.setUid(uuid()); bucket.setUid(uuid());
} }
bucket.setLifecycleConfiguration(lcConfig); bucket.setLifecycleConfiguration(lcConfig);
metadata.updateBucket(bucket.getName(), bucket, log, err => metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
next(err, bucket));
}, },
], (err, bucket) => { ], (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,

View File

@ -19,11 +19,11 @@ const { pushMetric } = require('../utapi/utilities');
function bucketPutNotification(authInfo, request, log, callback) { function bucketPutNotification(authInfo, request, log, callback) {
log.debug('processing request', { method: 'bucketPutNotification' }); log.debug('processing request', { method: 'bucketPutNotification' });
const bucketName = request.bucketName; const { bucketName } = request;
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutNotification', requestType: request.apiMethods || 'bucketPutNotification',
request, request,
}; };
@ -34,7 +34,7 @@ function bucketPutNotification(authInfo, request, log, callback) {
const notifConfig = notificationConfig.error ? undefined : notificationConfig; const notifConfig = notificationConfig.error ? undefined : notificationConfig;
process.nextTick(() => next(notificationConfig.error, notifConfig)); process.nextTick(() => next(notificationConfig.error, notifConfig));
}, },
(notifConfig, next) => metadataValidateBucket(metadataValParams, log, (notifConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => next(err, bucket, notifConfig)), (err, bucket) => next(err, bucket, notifConfig)),
(bucket, notifConfig, next) => { (bucket, notifConfig, next) => {
bucket.setNotificationConfiguration(notifConfig); bucket.setNotificationConfiguration(notifConfig);
@ -45,8 +45,10 @@ function bucketPutNotification(authInfo, request, log, callback) {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {
log.trace('error processing request', { error: err, log.trace('error processing request', {
method: 'bucketPutNotification' }); error: err,
method: 'bucketPutNotification',
});
return callback(err, corsHeaders); return callback(err, corsHeaders);
} }
pushMetric('putBucketNotification', log, { pushMetric('putBucketNotification', log, {

View File

@ -1,8 +1,8 @@
const { waterfall } = require('async'); const { waterfall } = require('async');
const arsenal = require('arsenal'); const arsenal = require('arsenal');
const errors = arsenal.errors; const { errors } = arsenal;
const ObjectLockConfiguration = arsenal.models.ObjectLockConfiguration; const { ObjectLockConfiguration } = arsenal.models;
const parseXML = require('../utilities/parseXML'); const parseXML = require('../utilities/parseXML');
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@ -22,11 +22,11 @@ const { pushMetric } = require('../utapi/utilities');
function bucketPutObjectLock(authInfo, request, log, callback) { function bucketPutObjectLock(authInfo, request, log, callback) {
log.debug('processing request', { method: 'bucketPutObjectLock' }); log.debug('processing request', { method: 'bucketPutObjectLock' });
const bucketName = request.bucketName; const { bucketName } = request;
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutObjectLock', requestType: request.apiMethods || 'bucketPutObjectLock',
request, request,
}; };
return waterfall([ return waterfall([
@ -36,12 +36,12 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
// if there was an error getting object lock configuration, // if there was an error getting object lock configuration,
// returned configObj will contain 'error' key // returned configObj will contain 'error' key
process.nextTick(() => { process.nextTick(() => {
const configObj = lockConfigClass. const configObj = lockConfigClass
getValidatedObjectLockConfiguration(); .getValidatedObjectLockConfiguration();
return next(configObj.error || null, configObj); return next(configObj.error || null, configObj);
}); });
}, },
(objectLockConfig, next) => metadataValidateBucket(metadataValParams, (objectLockConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies,
log, (err, bucket) => { log, (err, bucket) => {
if (err) { if (err) {
return next(err, bucket); return next(err, bucket);
@ -53,23 +53,25 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
process.nextTick(() => { process.nextTick(() => {
if (!isObjectLockEnabled) { if (!isObjectLockEnabled) {
return next(errors.InvalidBucketState.customizeDescription( return next(errors.InvalidBucketState.customizeDescription(
'Object Lock configuration cannot be enabled on ' + 'Object Lock configuration cannot be enabled on '
'existing buckets'), bucket); + 'existing buckets',
), bucket);
} }
return next(null, bucket, objectLockConfig); return next(null, bucket, objectLockConfig);
}); });
}, },
(bucket, objectLockConfig, next) => { (bucket, objectLockConfig, next) => {
bucket.setObjectLockConfiguration(objectLockConfig); bucket.setObjectLockConfiguration(objectLockConfig);
metadata.updateBucket(bucket.getName(), bucket, log, err => metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
next(err, bucket));
}, },
], (err, bucket) => { ], (err, bucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);
if (err) { if (err) {
log.trace('error processing request', { error: err, log.trace('error processing request', {
method: 'bucketPutObjectLock' }); error: err,
method: 'bucketPutObjectLock',
});
return callback(err, corsHeaders); return callback(err, corsHeaders);
} }
pushMetric('putBucketObjectLock', log, { pushMetric('putBucketObjectLock', log, {

View File

@ -17,8 +17,7 @@ const { BucketPolicy } = models;
function _checkNotImplementedPolicy(policyString) { function _checkNotImplementedPolicy(policyString) {
// bucket names and key names cannot include "", so including those // bucket names and key names cannot include "", so including those
// isolates not implemented keys // isolates not implemented keys
return policyString.includes('"Condition"') return policyString.includes('"Service"')
|| policyString.includes('"Service"')
|| policyString.includes('"Federated"'); || policyString.includes('"Federated"');
} }
@ -37,7 +36,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutPolicy', requestType: request.apiMethods || 'bucketPutPolicy',
request, request,
}; };
@ -70,7 +69,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
return next(null, bucketPolicy); return next(null, bucketPolicy);
}); });
}, },
(bucketPolicy, next) => metadataValidateBucket(metadataValParams, log, (bucketPolicy, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => { (err, bucket) => {
if (err) { if (err) {
return next(err, bucket); return next(err, bucket);

View File

@ -27,7 +27,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutReplication', requestType: request.apiMethods || 'bucketPutReplication',
request, request,
}; };
return waterfall([ return waterfall([
@ -36,7 +36,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
// Check bucket user privileges and ensure versioning is 'Enabled'. // Check bucket user privileges and ensure versioning is 'Enabled'.
(config, next) => (config, next) =>
// TODO: Validate that destination bucket exists and has versioning. // TODO: Validate that destination bucket exists and has versioning.
metadataValidateBucket(metadataValParams, log, (err, bucket) => { metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
if (err) { if (err) {
return next(err); return next(err);
} }

View File

@ -87,13 +87,13 @@ function bucketPutVersioning(authInfo, request, log, callback) {
const metadataValParams = { const metadataValParams = {
authInfo, authInfo,
bucketName, bucketName,
requestType: 'bucketPutVersioning', requestType: request.apiMethods || 'bucketPutVersioning',
request, request,
}; };
return waterfall([ return waterfall([
next => _parseXML(request, log, next), next => _parseXML(request, log, next),
next => metadataValidateBucket(metadataValParams, log, next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => next(err, bucket)), // ignore extra null object, (err, bucket) => next(err, bucket)), // ignore extra null object,
(bucket, next) => parseString(request.post, (err, result) => { (bucket, next) => parseString(request.post, (err, result) => {
// just for linting; there should not be any parsing error here // just for linting; there should not be any parsing error here

View File

@ -46,7 +46,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
}); });
}, },
function validateBucketAuthorization(bucket, config, next) { function validateBucketAuthorization(bucket, config, next) {
if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { log.debug('access denied for user on bucket', {
requestType, requestType,
method: 'bucketPutWebsite', method: 'bucketPutWebsite',

View File

@ -120,7 +120,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
// at the destinationBucket level are same as objectPut // at the destinationBucket level are same as objectPut
requestType: 'objectPut', requestType: 'objectPut',
}; };
metadataValidateBucketAndObj(metadataValParams, log, next); metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log, next);
}, },
function validateMultipart(destBucket, objMD, next) { function validateMultipart(destBucket, objMD, next) {
if (objMD) { if (objMD) {
@ -190,9 +190,14 @@ function completeMultipartUpload(authInfo, request, log, callback) {
const mdInfo = { storedParts, mpuOverviewKey, splitter }; const mdInfo = { storedParts, mpuOverviewKey, splitter };
const mpuInfo = const mpuInfo =
{ objectKey, uploadId, jsonList, bucketName, destBucket }; { objectKey, uploadId, jsonList, bucketName, destBucket };
const originalIdentityImpDenies = request.actionImplicitDenies;
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
return data.completeMPU(request, mpuInfo, mdInfo, location, return data.completeMPU(request, mpuInfo, mdInfo, location,
null, null, null, locationConstraintCheck, log, null, null, null, locationConstraintCheck, log,
(err, completeObjData) => { (err, completeObjData) => {
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (err) { if (err) {
return next(err, destBucket); return next(err, destBucket);
} }

View File

@ -253,7 +253,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
} }
async.waterfall([ async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(error, destinationBucket) => { (error, destinationBucket) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, destinationBucket); request.method, destinationBucket);

View File

@ -104,7 +104,7 @@ function listMultipartUploads(authInfo, request, log, callback) {
function waterfall1(next) { function waterfall1(next) {
// Check final destination bucket for authorization rather // Check final destination bucket for authorization rather
// than multipart upload bucket // than multipart upload bucket
metadataValidateBucket(metadataValParams, log, metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
(err, bucket) => next(err, bucket)); (err, bucket) => next(err, bucket));
}, },
function getMPUBucket(bucket, next) { function getMPUBucket(bucket, next) {

View File

@ -112,7 +112,7 @@ function listParts(authInfo, request, log, callback) {
async.waterfall([ async.waterfall([
function checkDestBucketVal(next) { function checkDestBucketVal(next) {
metadataValidateBucketAndObj(metadataValParams, log, metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, destinationBucket) => { (err, destinationBucket) => {
if (err) { if (err) {
return next(err, destinationBucket, null); return next(err, destinationBucket, null);
@ -150,8 +150,13 @@ function listParts(authInfo, request, log, callback) {
mpuOverviewObj, mpuOverviewObj,
destBucket, destBucket,
}; };
const originalIdentityImpDenies = request.actionImplicitDenies;
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
return data.listParts(mpuInfo, request, locationConstraintCheck, return data.listParts(mpuInfo, request, locationConstraintCheck,
log, (err, backendPartList) => { log, (err, backendPartList) => {
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (err) { if (err) {
return next(err, destBucket); return next(err, destBucket);
} }

View File

@ -11,7 +11,7 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const metadata = require('../metadata/wrapper'); const metadata = require('../metadata/wrapper');
const services = require('../services'); const services = require('../services');
const vault = require('../auth/vault'); const vault = require('../auth/vault');
const { isBucketAuthorized } = const { isBucketAuthorized, evaluateBucketPolicyWithIAM } =
require('./apiUtils/authorization/permissionChecks'); require('./apiUtils/authorization/permissionChecks');
const { preprocessingVersioningDelete } const { preprocessingVersioningDelete }
= require('./apiUtils/object/versioning'); = require('./apiUtils/object/versioning');
@ -385,15 +385,37 @@ function multiObjectDelete(authInfo, request, log, callback) {
return next(null, quietSetting, objects); return next(null, quietSetting, objects);
}); });
}, },
function checkPolicies(quietSetting, objects, next) { function checkBucketMetadata(quietSetting, objects, next) {
const errorResults = [];
return metadata.getBucket(bucketName, log, (err, bucketMD) => {
if (err) {
log.trace('error retrieving bucket metadata', { error: err });
return next(err);
}
if (bucketShield(bucketMD, 'objectDelete')) {
return next(errors.NoSuchBucket);
}
if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo,
request.actionImplicitDenies, authInfo)) {
log.trace("access denied due to bucket acl's");
objects.forEach(entry => {
errorResults.push({
entry,
error: errors.AccessDenied,
});
});
return next(null, quietSetting, errorResults, [], bucketMD);
}
return next(null, quietSetting, errorResults, objects, bucketMD);
});
},
function checkPolicies(quietSetting, errorResults, objects, bucketMD, next) {
// track keys that are still on track to be deleted // track keys that are still on track to be deleted
const inPlay = []; const inPlay = [];
const errorResults = [];
// if request from account, no need to check policies // if request from account, no need to check policies
// all objects are inPlay so send array of object keys
// as inPlay argument
if (!authInfo.isRequesterAnIAMUser()) { if (!authInfo.isRequesterAnIAMUser()) {
return next(null, quietSetting, errorResults, objects); return next(null, quietSetting, errorResults, objects, bucketMD);
} }
// TODO: once arsenal's extractParams is separated from doAuth // TODO: once arsenal's extractParams is separated from doAuth
@ -429,7 +451,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
}; };
return vault.checkPolicies(requestContextParams, authInfo.getArn(), return vault.checkPolicies(requestContextParams, authInfo.getArn(),
log, (err, authorizationResults) => { log, (err, authorizationResults) => {
// there were no policies so received a blanket AccessDenied
if (err && err.is.AccessDenied) { if (err && err.is.AccessDenied) {
objects.forEach(entry => { objects.forEach(entry => {
errorResults.push({ errorResults.push({
@ -437,7 +458,7 @@ function multiObjectDelete(authInfo, request, log, callback) {
error: errors.AccessDenied }); error: errors.AccessDenied });
}); });
// send empty array for inPlay // send empty array for inPlay
return next(null, quietSetting, errorResults, []); return next(null, quietSetting, errorResults, [], bucketMD);
} }
if (err) { if (err) {
log.trace('error checking policies', { log.trace('error checking policies', {
@ -455,6 +476,16 @@ function multiObjectDelete(authInfo, request, log, callback) {
}); });
return next(errors.InternalError); return next(errors.InternalError);
} }
// Convert authorization results into an easier to handle format
const iamAuthzResults = authorizationResults.reduce((acc, curr, idx) => {
const apiMethod = requestContextParams[idx].apiMethod;
// eslint-disable-next-line no-param-reassign
acc[apiMethod] = curr.isImplicit;
return acc;
}, {});
for (let i = 0; i < authorizationResults.length; i++) { for (let i = 0; i < authorizationResults.length; i++) {
const result = authorizationResults[i]; const result = authorizationResults[i];
// result is { isAllowed: true, // result is { isAllowed: true,
@ -470,7 +501,27 @@ function multiObjectDelete(authInfo, request, log, callback) {
key: result.arn.slice(slashIndex + 1), key: result.arn.slice(slashIndex + 1),
versionId: result.versionId, versionId: result.versionId,
}; };
if (result.isAllowed) {
// Deny immediately if there is an explicit deny
if (!result.isImplicit && !result.isAllowed) {
errorResults.push({
entry,
error: errors.AccessDenied,
});
continue;
}
// Evaluate against the bucket policies
const areAllActionsAllowed = evaluateBucketPolicyWithIAM(
bucketMD,
Object.keys(iamAuthzResults),
canonicalID,
authInfo,
iamAuthzResults,
log,
request);
if (areAllActionsAllowed) {
inPlay.push(entry); inPlay.push(entry);
} else { } else {
errorResults.push({ errorResults.push({
@ -479,47 +530,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
}); });
} }
} }
return next(null, quietSetting, errorResults, inPlay);
});
},
function checkBucketMetadata(quietSetting, errorResults, inPlay, next) {
// if no objects in play, no need to check ACLs / get metadata,
// just move on if there is no Origin header
if (inPlay.length === 0 && !request.headers.origin) {
return next(null, quietSetting, errorResults, inPlay,
undefined);
}
return metadata.getBucket(bucketName, log, (err, bucketMD) => {
if (err) {
log.trace('error retrieving bucket metadata',
{ error: err });
return next(err);
}
// check whether bucket has transient or deleted flag
if (bucketShield(bucketMD, 'objectDelete')) {
return next(errors.NoSuchBucket);
}
// if no objects in play, no need to check ACLs
if (inPlay.length === 0) {
return next(null, quietSetting, errorResults, inPlay,
bucketMD);
}
if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request)) {
log.trace("access denied due to bucket acl's");
// if access denied at the bucket level, no access for
// any of the objects so all results will be error results
inPlay.forEach(entry => {
errorResults.push({
entry,
error: errors.AccessDenied,
});
});
// by sending an empty array as the inPlay array
// async.forEachLimit below will not actually
// make any calls to metadata or data but will continue on
// to the next step to build xml
return next(null, quietSetting, errorResults, [], bucketMD);
}
return next(null, quietSetting, errorResults, inPlay, bucketMD); return next(null, quietSetting, errorResults, inPlay, bucketMD);
}); });
}, },

View File

@ -245,7 +245,7 @@ function objectCopy(authInfo, request, sourceBucket,
} }
return async.waterfall([ return async.waterfall([
function checkDestAuth(next) { function checkDestAuth(next) {
return metadataValidateBucketAndObj(valPutParams, log, return metadataValidateBucketAndObj(valPutParams, request.actionImplicitDenies, log,
(err, destBucketMD, destObjMD) => { (err, destBucketMD, destObjMD) => {
if (err) { if (err) {
log.debug('error validating put part of request', log.debug('error validating put part of request',
@ -263,7 +263,7 @@ function objectCopy(authInfo, request, sourceBucket,
}); });
}, },
function checkSourceAuthorization(destBucketMD, destObjMD, next) { function checkSourceAuthorization(destBucketMD, destObjMD, next) {
return metadataValidateBucketAndObj(valGetParams, log, return metadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
(err, sourceBucketMD, sourceObjMD) => { (err, sourceBucketMD, sourceObjMD) => {
if (err) { if (err) {
log.debug('error validating get part of request', log.debug('error validating get part of request',
@ -408,10 +408,15 @@ function objectCopy(authInfo, request, sourceBucket,
return next(null, storeMetadataParams, dataLocator, destObjMD, return next(null, storeMetadataParams, dataLocator, destObjMD,
serverSideEncryption, destBucketMD); serverSideEncryption, destBucketMD);
} }
const originalIdentityImpDenies = request.actionImplicitDenies;
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
return data.copyObject(request, sourceLocationConstraintName, return data.copyObject(request, sourceLocationConstraintName,
storeMetadataParams, dataLocator, dataStoreContext, storeMetadataParams, dataLocator, dataStoreContext,
backendInfoDest, sourceBucketMD, destBucketMD, serverSideEncryption, log, backendInfoDest, sourceBucketMD, destBucketMD, serverSideEncryption, log,
(err, results) => { (err, results) => {
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (err) { if (err) {
return next(err, destBucketMD); return next(err, destBucketMD);
} }

View File

@ -56,7 +56,7 @@ function objectDelete(authInfo, request, log, cb) {
const canonicalID = authInfo.getCanonicalID(); const canonicalID = authInfo.getCanonicalID();
return async.waterfall([ return async.waterfall([
function validateBucketAndObj(next) { function validateBucketAndObj(next) {
return metadataValidateBucketAndObj(valParams, log, return metadataValidateBucketAndObj(valParams, request.actionImplicitDenies, log,
(err, bucketMD, objMD) => { (err, bucketMD, objMD) => {
if (err) { if (err) {
return next(err, bucketMD); return next(err, bucketMD);

View File

@ -46,7 +46,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -48,7 +48,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
request, request,
}; };
return metadataValidateBucketAndObj(mdValParams, log, return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
(err, bucket, objMD) => { (err, bucket, objMD) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);

View File

@ -71,7 +71,7 @@ function objectGetACL(authInfo, request, log, callback) {
return async.waterfall([ return async.waterfall([
function validateBucketAndObj(next) { function validateBucketAndObj(next) {
return metadataValidateBucketAndObj(metadataValParams, log, return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -43,7 +43,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -43,7 +43,7 @@ function objectGetRetention(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -43,7 +43,7 @@ function objectGetTagging(authInfo, request, log, callback) {
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -48,7 +48,7 @@ function objectHead(authInfo, request, log, callback) {
request, request,
}; };
return metadataValidateBucketAndObj(mdValParams, log, return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
(err, bucket, objMD) => { (err, bucket, objMD) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, bucket); request.method, bucket);

View File

@ -57,7 +57,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
} }
const invalidSSEError = errors.InvalidArgument.customizeDescription( const invalidSSEError = errors.InvalidArgument.customizeDescription(
'The encryption method specified is not supported'); 'The encryption method specified is not supported');
const requestType = 'objectPut'; const requestType = request.apiMethods || 'objectPut';
const valParams = { authInfo, bucketName, objectKey, requestType, request }; const valParams = { authInfo, bucketName, objectKey, requestType, request };
const canonicalID = authInfo.getCanonicalID(); const canonicalID = authInfo.getCanonicalID();
@ -68,8 +68,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
} }
log.trace('owner canonicalID to send to data', { canonicalID }); log.trace('owner canonicalID to send to data', { canonicalID });
return metadataValidateBucketAndObj(valParams, request.actionImplicitDenies, log,
return metadataValidateBucketAndObj(valParams, log,
(err, bucket, objMD) => { (err, bucket, objMD) => {
const responseHeaders = collectCorsHeaders(headers.origin, const responseHeaders = collectCorsHeaders(headers.origin,
method, bucket); method, bucket);

View File

@ -7,8 +7,7 @@ const { pushMetric } = require('../utapi/utilities');
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const constants = require('../../constants'); const constants = require('../../constants');
const vault = require('../auth/vault'); const vault = require('../auth/vault');
const { decodeVersionId, getVersionIdResHeader } const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
= require('./apiUtils/object/versioning');
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils'); const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
/* /*
@ -43,8 +42,8 @@ const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
*/ */
function objectPutACL(authInfo, request, log, cb) { function objectPutACL(authInfo, request, log, cb) {
log.debug('processing request', { method: 'objectPutACL' }); log.debug('processing request', { method: 'objectPutACL' });
const bucketName = request.bucketName; const { bucketName } = request;
const objectKey = request.objectKey; const { objectKey } = request;
const newCannedACL = request.headers['x-amz-acl']; const newCannedACL = request.headers['x-amz-acl'];
const possibleCannedACL = [ const possibleCannedACL = [
'private', 'private',
@ -82,8 +81,8 @@ function objectPutACL(authInfo, request, log, cb) {
authInfo, authInfo,
bucketName, bucketName,
objectKey, objectKey,
requestType: 'objectPutACL',
versionId: reqVersionId, versionId: reqVersionId,
requestType: request.apiMethods || 'objectPutACL',
}; };
const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP']; const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
@ -95,26 +94,26 @@ function objectPutACL(authInfo, request, log, cb) {
READ_ACP: [], READ_ACP: [],
}; };
const grantReadHeader = const grantReadHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ'); const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
const grantReadACPHeader =
aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
'READ_ACP'); 'READ_ACP');
const grantWriteACPHeader = aclUtils.parseGrant( const grantWriteACPHeader = aclUtils.parseGrant(
request.headers['x-amz-grant-write-acp'], 'WRITE_ACP'); request.headers['x-amz-grant-write-acp'], 'WRITE_ACP',
);
const grantFullControlHeader = aclUtils.parseGrant( const grantFullControlHeader = aclUtils.parseGrant(
request.headers['x-amz-grant-full-control'], 'FULL_CONTROL'); request.headers['x-amz-grant-full-control'], 'FULL_CONTROL',
);
return async.waterfall([ return async.waterfall([
function validateBucketAndObj(next) { function validateBucketAndObj(next) {
return metadataValidateBucketAndObj(metadataValParams, log, return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
return next(err); return next(err);
} }
if (!objectMD) { if (!objectMD) {
const err = reqVersionId ? errors.NoSuchVersion : const err = reqVersionId ? errors.NoSuchVersion
errors.NoSuchKey; : errors.NoSuchKey;
return next(err, bucket); return next(err, bucket);
} }
if (objectMD.isDeleteMarker) { if (objectMD.isDeleteMarker) {
@ -216,22 +215,24 @@ function objectPutACL(authInfo, request, log, cb) {
} else { } else {
// If no canned ACL and no parsed xml, loop // If no canned ACL and no parsed xml, loop
// through the access headers // through the access headers
const allGrantHeaders = const allGrantHeaders = [].concat(grantReadHeader,
[].concat(grantReadHeader,
grantReadACPHeader, grantWriteACPHeader, grantReadACPHeader, grantWriteACPHeader,
grantFullControlHeader); grantFullControlHeader);
usersIdentifiedByEmail = allGrantHeaders.filter(item => usersIdentifiedByEmail = allGrantHeaders.filter(item => item
item && item.userIDType.toLowerCase() === 'emailaddress'); && item.userIDType.toLowerCase() === 'emailaddress');
usersIdentifiedByGroup = allGrantHeaders usersIdentifiedByGroup = allGrantHeaders
.filter(itm => itm && itm.userIDType .filter(itm => itm && itm.userIDType
.toLowerCase() === 'uri'); .toLowerCase() === 'uri');
for (let i = 0; i < usersIdentifiedByGroup.length; i++) { for (let i = 0; i < usersIdentifiedByGroup.length; i += 1) {
if (possibleGroups.indexOf( if (possibleGroups.indexOf(
usersIdentifiedByGroup[i].identifier) < 0) { usersIdentifiedByGroup[i].identifier,
) < 0) {
log.trace('invalid user group', log.trace('invalid user group',
{ userGroup: usersIdentifiedByGroup[i] {
.identifier }); userGroup: usersIdentifiedByGroup[i]
.identifier,
});
return next(errors.InvalidArgument, bucket); return next(errors.InvalidArgument, bucket);
} }
} }
@ -259,18 +260,20 @@ function objectPutACL(authInfo, request, log, cb) {
const allUsers = [].concat( const allUsers = [].concat(
reconstructedUsersIdentifiedByEmail, reconstructedUsersIdentifiedByEmail,
usersIdentifiedByID, usersIdentifiedByID,
usersIdentifiedByGroup); usersIdentifiedByGroup,
);
const revisedAddACLParams = aclUtils const revisedAddACLParams = aclUtils
.sortHeaderGrants(allUsers, addACLParams); .sortHeaderGrants(allUsers, addACLParams);
return next(null, bucket, objectMD, return next(null, bucket, objectMD,
revisedAddACLParams); revisedAddACLParams);
}); },
);
} }
const allUsers = [].concat( const allUsers = [].concat(
usersIdentifiedByID, usersIdentifiedByID,
usersIdentifiedByGroup); usersIdentifiedByGroup,
const revisedAddACLParams = );
aclUtils.sortHeaderGrants(allUsers, addACLParams); const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
return next(null, bucket, objectMD, revisedAddACLParams); return next(null, bucket, objectMD, revisedAddACLParams);
}, },
function addAclsToObjMD(bucket, objectMD, ACLParams, next) { function addAclsToObjMD(bucket, objectMD, ACLParams, next) {
@ -292,8 +295,7 @@ function objectPutACL(authInfo, request, log, cb) {
} }
const verCfg = bucket.getVersioningConfiguration(); const verCfg = bucket.getVersioningConfiguration();
resHeaders['x-amz-version-id'] = resHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
getVersionIdResHeader(verCfg, objectMD);
log.trace('processed request successfully in object put acl api'); log.trace('processed request successfully in object put acl api');
pushMetric('putObjectAcl', log, { pushMetric('putObjectAcl', log, {

View File

@ -1,12 +1,12 @@
const async = require('async'); const async = require('async');
const { errors, versioning, s3middleware } = require('arsenal'); const { errors, versioning, s3middleware } = require('arsenal');
const validateHeaders = s3middleware.validateConditionalHeaders; const validateHeaders = s3middleware.validateConditionalHeaders;
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const constants = require('../../constants'); const constants = require('../../constants');
const { data } = require('../data/wrapper'); const { data } = require('../data/wrapper');
const locationConstraintCheck = const locationConstraintCheck = require('./apiUtils/object/locationConstraintCheck');
require('./apiUtils/object/locationConstraintCheck');
const metadata = require('../metadata/wrapper'); const metadata = require('../metadata/wrapper');
const { pushMetric } = require('../utapi/utilities'); const { pushMetric } = require('../utapi/utilities');
const logger = require('../utilities/logger'); const logger = require('../utilities/logger');
@ -58,8 +58,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
// Note that keys in the query object retain their case, so // Note that keys in the query object retain their case, so
// request.query.uploadId must be called with that exact // request.query.uploadId must be called with that exact
// capitalization // capitalization
const uploadId = request.query.uploadId; const { uploadId } = request.query;
const valPutParams = { const valPutParams = {
authInfo, authInfo,
bucketName: destBucketName, bucketName: destBucketName,
@ -89,26 +88,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
return async.waterfall([ return async.waterfall([
function checkDestAuth(next) { function checkDestAuth(next) {
return metadataValidateBucketAndObj(valPutParams, log, return metadataValidateBucketAndObj(valPutParams, request.actionImplicitDenies, log,
(err, destBucketMD) => { (err, destBucketMD) => {
if (err) { if (err) {
log.debug('error validating authorization for ' + log.debug('error validating authorization for '
'destination bucket', + 'destination bucket',
{ error: err }); { error: err });
return next(err, destBucketMD); return next(err, destBucketMD);
} }
const flag = destBucketMD.hasDeletedFlag() const flag = destBucketMD.hasDeletedFlag()
|| destBucketMD.hasTransientFlag(); || destBucketMD.hasTransientFlag();
if (flag) { if (flag) {
log.trace('deleted flag or transient flag ' + log.trace('deleted flag or transient flag '
'on destination bucket', { flag }); + 'on destination bucket', { flag });
return next(errors.NoSuchBucket); return next(errors.NoSuchBucket);
} }
return next(null, destBucketMD); return next(null, destBucketMD);
}); });
}, },
function checkSourceAuthorization(destBucketMD, next) { function checkSourceAuthorization(destBucketMD, next) {
return metadataValidateBucketAndObj(valGetParams, log, return metadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
(err, sourceBucketMD, sourceObjMD) => { (err, sourceBucketMD, sourceObjMD) => {
if (err) { if (err) {
log.debug('error validating get part of request', log.debug('error validating get part of request',
@ -117,28 +116,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
} }
if (!sourceObjMD) { if (!sourceObjMD) {
log.debug('no source object', { sourceObject }); log.debug('no source object', { sourceObject });
const err = reqVersionId ? errors.NoSuchVersion : const err = reqVersionId ? errors.NoSuchVersion
errors.NoSuchKey; : errors.NoSuchKey;
return next(err, destBucketMD); return next(err, destBucketMD);
} }
let sourceLocationConstraintName = let sourceLocationConstraintName = sourceObjMD.dataStoreName;
sourceObjMD.dataStoreName;
// for backwards compatibility before storing dataStoreName // for backwards compatibility before storing dataStoreName
// TODO: handle in objectMD class // TODO: handle in objectMD class
if (!sourceLocationConstraintName && if (!sourceLocationConstraintName
sourceObjMD.location[0] && && sourceObjMD.location[0]
sourceObjMD.location[0].dataStoreName) { && sourceObjMD.location[0].dataStoreName) {
sourceLocationConstraintName = sourceLocationConstraintName = sourceObjMD.location[0].dataStoreName;
sourceObjMD.location[0].dataStoreName;
} }
if (sourceObjMD.isDeleteMarker) { if (sourceObjMD.isDeleteMarker) {
log.debug('delete marker on source object', log.debug('delete marker on source object',
{ sourceObject }); { sourceObject });
if (reqVersionId) { if (reqVersionId) {
const err = errors.InvalidRequest const err = errors.InvalidRequest
.customizeDescription('The source of a copy ' + .customizeDescription('The source of a copy '
'request may not specifically refer to a delete' + + 'request may not specifically refer to a delete'
'marker by version id.'); + 'marker by version id.');
return next(err, destBucketMD); return next(err, destBucketMD);
} }
// if user specifies a key in a versioned source bucket // if user specifies a key in a versioned source bucket
@ -146,8 +143,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
// delete marker, return NoSuchKey // delete marker, return NoSuchKey
return next(errors.NoSuchKey, destBucketMD); return next(errors.NoSuchKey, destBucketMD);
} }
const headerValResult = const headerValResult = validateHeaders(request.headers,
validateHeaders(request.headers,
sourceObjMD['last-modified'], sourceObjMD['last-modified'],
sourceObjMD['content-md5']); sourceObjMD['content-md5']);
if (headerValResult.error) { if (headerValResult.error) {
@ -162,15 +158,15 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
// If specific version requested, include copy source // If specific version requested, include copy source
// version id in response. Include in request by default // version id in response. Include in request by default
// if versioning is enabled or suspended. // if versioning is enabled or suspended.
if (sourceBucketMD.getVersioningConfiguration() || if (sourceBucketMD.getVersioningConfiguration()
reqVersionId) { || reqVersionId) {
if (sourceObjMD.isNull || !sourceObjMD.versionId) { if (sourceObjMD.isNull || !sourceObjMD.versionId) {
sourceVerId = 'null'; sourceVerId = 'null';
} else { } else {
sourceVerId = sourceVerId = versionIdUtils.encode(
versionIdUtils.encode(
sourceObjMD.versionId, sourceObjMD.versionId,
config.versionIdEncodingType); config.versionIdEncodingType,
);
} }
} }
return next(null, copyLocator.dataLocator, destBucketMD, return next(null, copyLocator.dataLocator, destBucketMD,
@ -195,7 +191,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
}); });
return next(err); return next(err);
} }
let splitter = constants.splitter; let { splitter } = constants;
if (mpuBucket.getMdBucketModelVersion() < 2) { if (mpuBucket.getMdBucketModelVersion() < 2) {
splitter = constants.oldSplitter; splitter = constants.oldSplitter;
} }
@ -209,8 +205,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
function getMpuOverviewObject(dataLocator, destBucketMD, function getMpuOverviewObject(dataLocator, destBucketMD,
copyObjectSize, sourceVerId, splitter, copyObjectSize, sourceVerId, splitter,
sourceLocationConstraintName, next) { sourceLocationConstraintName, next) {
const mpuOverviewKey = const mpuOverviewKey = `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
`overview${splitter}${destObjectKey}${splitter}${uploadId}`;
return metadata.getObjectMD(mpuBucketName, mpuOverviewKey, return metadata.getObjectMD(mpuBucketName, mpuOverviewKey,
null, log, (err, res) => { null, log, (err, res) => {
if (err) { if (err) {
@ -218,22 +213,21 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
if (err.NoSuchKey) { if (err.NoSuchKey) {
return next(errors.NoSuchUpload); return next(errors.NoSuchUpload);
} }
log.error('error getting overview object from ' + log.error('error getting overview object from '
'mpu bucket', { + 'mpu bucket', {
error: err, error: err,
method: 'objectPutCopyPart::' + method: 'objectPutCopyPart::'
'metadata.getObjectMD', + 'metadata.getObjectMD',
}); });
return next(err); return next(err);
} }
const initiatorID = res.initiator.ID; const initiatorID = res.initiator.ID;
const requesterID = authInfo.isRequesterAnIAMUser() ? const requesterID = authInfo.isRequesterAnIAMUser()
authInfo.getArn() : authInfo.getCanonicalID(); ? authInfo.getArn() : authInfo.getCanonicalID();
if (initiatorID !== requesterID) { if (initiatorID !== requesterID) {
return next(errors.AccessDenied); return next(errors.AccessDenied);
} }
const destObjLocationConstraint = const destObjLocationConstraint = res.controllingLocationConstraint;
res.controllingLocationConstraint;
return next(null, dataLocator, destBucketMD, return next(null, dataLocator, destBucketMD,
destObjLocationConstraint, copyObjectSize, destObjLocationConstraint, copyObjectSize,
sourceVerId, sourceLocationConstraintName, splitter); sourceVerId, sourceLocationConstraintName, splitter);
@ -249,6 +243,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
splitter, splitter,
next, next,
) { ) {
const originalIdentityImpDenies = request.actionImplicitDenies;
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
data.uploadPartCopy( data.uploadPartCopy(
request, request,
log, log,
@ -259,6 +256,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
dataStoreContext, dataStoreContext,
locationConstraintCheck, locationConstraintCheck,
(error, eTag, lastModified, serverSideEncryption, locations) => { (error, eTag, lastModified, serverSideEncryption, locations) => {
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (error) { if (error) {
if (error.message === 'skip') { if (error.message === 'skip') {
return next(skipError, destBucketMD, eTag, return next(skipError, destBucketMD, eTag,
@ -270,13 +269,13 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
return next(null, destBucketMD, locations, eTag, return next(null, destBucketMD, locations, eTag,
copyObjectSize, sourceVerId, serverSideEncryption, copyObjectSize, sourceVerId, serverSideEncryption,
lastModified, splitter); lastModified, splitter);
}); },
);
}, },
function getExistingPartInfo(destBucketMD, locations, totalHash, function getExistingPartInfo(destBucketMD, locations, totalHash,
copyObjectSize, sourceVerId, serverSideEncryption, lastModified, copyObjectSize, sourceVerId, serverSideEncryption, lastModified,
splitter, next) { splitter, next) {
const partKey = const partKey = `${uploadId}${constants.splitter}${paddedPartNumber}`;
`${uploadId}${constants.splitter}${paddedPartNumber}`;
metadata.getObjectMD(mpuBucketName, partKey, {}, log, metadata.getObjectMD(mpuBucketName, partKey, {}, log,
(err, result) => { (err, result) => {
// If there is nothing being overwritten just move on // If there is nothing being overwritten just move on
@ -294,8 +293,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
// Pull locations to clean up any potential orphans // Pull locations to clean up any potential orphans
// in data if object put is an overwrite of // in data if object put is an overwrite of
// already existing object with same key and part number // already existing object with same key and part number
oldLocations = Array.isArray(oldLocations) ? oldLocations = Array.isArray(oldLocations)
oldLocations : [oldLocations]; ? oldLocations : [oldLocations];
} }
return next(null, destBucketMD, locations, totalHash, return next(null, destBucketMD, locations, totalHash,
prevObjectSize, copyObjectSize, sourceVerId, prevObjectSize, copyObjectSize, sourceVerId,
@ -370,7 +369,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
// data locations) has been stored // data locations) has been stored
if (oldLocationsToDelete) { if (oldLocationsToDelete) {
const delLog = logger.newRequestLoggerFromSerializedUids( const delLog = logger.newRequestLoggerFromSerializedUids(
log.getSerializedUids()); log.getSerializedUids(),
);
return data.batchDelete(oldLocationsToDelete, request.method, null, return data.batchDelete(oldLocationsToDelete, request.method, null,
delLog, err => { delLog, err => {
if (err) { if (err) {
@ -409,11 +409,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
const additionalHeaders = corsHeaders || {}; const additionalHeaders = corsHeaders || {};
if (serverSideEncryption) { if (serverSideEncryption) {
additionalHeaders['x-amz-server-side-encryption'] = additionalHeaders['x-amz-server-side-encryption'] = serverSideEncryption.algorithm;
serverSideEncryption.algorithm;
if (serverSideEncryption.algorithm === 'aws:kms') { if (serverSideEncryption.algorithm === 'aws:kms') {
additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id'] additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id'] = serverSideEncryption.masterKeyId;
= serverSideEncryption.masterKeyId;
} }
} }
additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId; additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId;

View File

@ -40,13 +40,13 @@ function objectPutLegalHold(authInfo, request, log, callback) {
authInfo, authInfo,
bucketName, bucketName,
objectKey, objectKey,
requestType: 'objectPutLegalHold',
versionId, versionId,
requestType: request.apiMethods || 'objectPutLegalHold',
request, request,
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',

View File

@ -87,6 +87,7 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
const uploadId = request.query.uploadId; const uploadId = request.query.uploadId;
const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`; const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
const objectKey = request.objectKey; const objectKey = request.objectKey;
const originalIdentityImpDenies = request.actionImplicitDenies;
return async.waterfall([ return async.waterfall([
// Get the destination bucket. // Get the destination bucket.
@ -109,7 +110,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
// For validating the request at the destinationBucket level the // For validating the request at the destinationBucket level the
// `requestType` is the general 'objectPut'. // `requestType` is the general 'objectPut'.
const requestType = 'objectPut'; const requestType = 'objectPut';
if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo, log, request)) { if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
request.actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { requestType }); log.debug('access denied for user on bucket', { requestType });
return next(errors.AccessDenied, destinationBucket); return next(errors.AccessDenied, destinationBucket);
} }
@ -196,6 +198,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
partNumber, partNumber,
bucketName, bucketName,
}; };
// eslint-disable-next-line no-param-reassign
delete request.actionImplicitDenies;
writeContinue(request, request._response); writeContinue(request, request._response);
return data.putPart(request, mpuInfo, streamingV4Params, return data.putPart(request, mpuInfo, streamingV4Params,
objectLocationConstraint, locationConstraintCheck, log, objectLocationConstraint, locationConstraintCheck, log,
@ -378,6 +382,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
], (err, destinationBucket, hexDigest, prevObjectSize) => { ], (err, destinationBucket, hexDigest, prevObjectSize) => {
const corsHeaders = collectCorsHeaders(request.headers.origin, const corsHeaders = collectCorsHeaders(request.headers.origin,
request.method, destinationBucket); request.method, destinationBucket);
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = originalIdentityImpDenies;
if (err) { if (err) {
if (err === skipError) { if (err === skipError) {
return cb(null, hexDigest, corsHeaders); return cb(null, hexDigest, corsHeaders);

View File

@ -41,13 +41,28 @@ function objectPutRetention(authInfo, request, log, callback) {
authInfo, authInfo,
bucketName, bucketName,
objectKey, objectKey,
requestType: 'objectPutRetention',
versionId: reqVersionId, versionId: reqVersionId,
requestType: request.apiMethods || 'objectPutRetention',
request, request,
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => {
log.trace('parsing retention information');
parseRetentionXml(request.post, log,
(err, retentionInfo) => {
if (err) {
log.trace('error parsing retention information',
{ error: err });
return next(err);
}
const remainingDays = Math.ceil(
(new Date(retentionInfo.date) - Date.now()) / (1000 * 3600 * 24));
metadataValParams.request.objectLockRetentionDays = remainingDays;
return next(null, retentionInfo);
});
},
(retentionInfo, next) => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',
@ -64,6 +79,8 @@ function objectPutRetention(authInfo, request, log, callback) {
if (objectMD.isDeleteMarker) { if (objectMD.isDeleteMarker) {
log.trace('version is a delete marker', log.trace('version is a delete marker',
{ method: 'objectPutRetention' }); { method: 'objectPutRetention' });
// FIXME we should return a `x-amz-delete-marker: true` header,
// see S3C-7592
return next(errors.MethodNotAllowed, bucket); return next(errors.MethodNotAllowed, bucket);
} }
if (!bucket.isObjectLockEnabled()) { if (!bucket.isObjectLockEnabled()) {
@ -73,13 +90,8 @@ function objectPutRetention(authInfo, request, log, callback) {
'Bucket is missing Object Lock Configuration' 'Bucket is missing Object Lock Configuration'
), bucket); ), bucket);
} }
return next(null, bucket, objectMD); return next(null, bucket, retentionInfo, objectMD);
}), }),
(bucket, objectMD, next) => {
log.trace('parsing retention information');
parseRetentionXml(request.post, log,
(err, retentionInfo) => next(err, bucket, retentionInfo, objectMD));
},
(bucket, retentionInfo, objectMD, next) => { (bucket, retentionInfo, objectMD, next) => {
const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers); const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) { if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) {

View File

@ -1,8 +1,7 @@
const async = require('async'); const async = require('async');
const { errors, s3middleware } = require('arsenal'); const { errors, s3middleware } = require('arsenal');
const { decodeVersionId, getVersionIdResHeader } = const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
require('./apiUtils/object/versioning');
const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils'); const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
const { pushMetric } = require('../utapi/utilities'); const { pushMetric } = require('../utapi/utilities');
@ -10,6 +9,7 @@ const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
const collectCorsHeaders = require('../utilities/collectCorsHeaders'); const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const metadata = require('../metadata/wrapper'); const metadata = require('../metadata/wrapper');
const { data } = require('../data/wrapper'); const { data } = require('../data/wrapper');
const { parseTagXml } = s3middleware.tagging; const { parseTagXml } = s3middleware.tagging;
const REPLICATION_ACTION = 'PUT_TAGGING'; const REPLICATION_ACTION = 'PUT_TAGGING';
@ -24,8 +24,8 @@ const REPLICATION_ACTION = 'PUT_TAGGING';
function objectPutTagging(authInfo, request, log, callback) { function objectPutTagging(authInfo, request, log, callback) {
log.debug('processing request', { method: 'objectPutTagging' }); log.debug('processing request', { method: 'objectPutTagging' });
const bucketName = request.bucketName; const { bucketName } = request;
const objectKey = request.objectKey; const { objectKey } = request;
const decodedVidResult = decodeVersionId(request.query); const decodedVidResult = decodeVersionId(request.query);
if (decodedVidResult instanceof Error) { if (decodedVidResult instanceof Error) {
@ -41,13 +41,13 @@ function objectPutTagging(authInfo, request, log, callback) {
authInfo, authInfo,
bucketName, bucketName,
objectKey, objectKey,
requestType: 'objectPutTagging',
versionId: reqVersionId, versionId: reqVersionId,
requestType: request.apiMethods || 'objectPutTagging',
request, request,
}; };
return async.waterfall([ return async.waterfall([
next => metadataValidateBucketAndObj(metadataValParams, log, next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
(err, bucket, objectMD) => { (err, bucket, objectMD) => {
if (err) { if (err) {
log.trace('request authorization failed', log.trace('request authorization failed',
@ -70,8 +70,7 @@ function objectPutTagging(authInfo, request, log, callback) {
}), }),
(bucket, objectMD, next) => { (bucket, objectMD, next) => {
log.trace('parsing tag(s)'); log.trace('parsing tag(s)');
parseTagXml(request.post, log, (err, tags) => parseTagXml(request.post, log, (err, tags) => next(err, bucket, tags, objectMD));
next(err, bucket, tags, objectMD));
}, },
(bucket, tags, objectMD, next) => { (bucket, tags, objectMD, next) => {
// eslint-disable-next-line no-param-reassign // eslint-disable-next-line no-param-reassign
@ -88,12 +87,10 @@ function objectPutTagging(authInfo, request, log, callback) {
// eslint-disable-next-line no-param-reassign // eslint-disable-next-line no-param-reassign
objectMD.originOp = 's3:ObjectTagging:Put'; objectMD.originOp = 's3:ObjectTagging:Put';
metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params, metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params,
log, err => log, err => next(err, bucket, objectMD));
next(err, bucket, objectMD));
}, },
(bucket, objectMD, next) =>
// if external backend handles tagging // if external backend handles tagging
data.objectTagging('Put', objectKey, bucket, objectMD, (bucket, objectMD, next) => data.objectTagging('Put', objectKey, bucket, objectMD,
log, err => next(err, bucket, objectMD)), log, err => next(err, bucket, objectMD)),
], (err, bucket, objectMD) => { ], (err, bucket, objectMD) => {
const additionalResHeaders = collectCorsHeaders(request.headers.origin, const additionalResHeaders = collectCorsHeaders(request.headers.origin,
@ -110,8 +107,7 @@ function objectPutTagging(authInfo, request, log, callback) {
location: objectMD ? objectMD.dataStoreName : undefined, location: objectMD ? objectMD.dataStoreName : undefined,
}); });
const verCfg = bucket.getVersioningConfiguration(); const verCfg = bucket.getVersioningConfiguration();
additionalResHeaders['x-amz-version-id'] = additionalResHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
getVersionIdResHeader(verCfg, objectMD);
} }
return callback(err, additionalResHeaders); return callback(err, additionalResHeaders);
}); });

View File

@ -21,12 +21,13 @@ const { pushMetric } = require('../utapi/utilities');
* @param {string} objectKey - object key from request (or as translated in * @param {string} objectKey - object key from request (or as translated in
* websiteGet) * websiteGet)
* @param {object} corsHeaders - CORS-related response headers * @param {object} corsHeaders - CORS-related response headers
* @param {object} request - normalized request object
* @param {object} log - Werelogs instance * @param {object} log - Werelogs instance
* @param {function} callback - callback to function in route * @param {function} callback - callback to function in route
* @return {undefined} * @return {undefined}
*/ */
function _errorActions(err, errorDocument, routingRules, function _errorActions(err, errorDocument, routingRules,
bucket, objectKey, corsHeaders, log, callback) { bucket, objectKey, corsHeaders, request, log, callback) {
const bucketName = bucket.getName(); const bucketName = bucket.getName();
const errRoutingRule = findRoutingRule(routingRules, const errRoutingRule = findRoutingRule(routingRules,
objectKey, err.code); objectKey, err.code);
@ -47,7 +48,7 @@ function _errorActions(err, errorDocument, routingRules,
// return the default error message if the object is private // return the default error message if the object is private
// rather than sending a stored error file // rather than sending a stored error file
if (!isObjAuthorized(bucket, errObjMD, 'objectGet', if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
constants.publicId, null, log)) { constants.publicId, null, request.actionImplicitDenies, log)) {
log.trace('errorObj not authorized', { error: err }); log.trace('errorObj not authorized', { error: err });
return callback(err, true, null, corsHeaders); return callback(err, true, null, corsHeaders);
} }
@ -144,7 +145,7 @@ function websiteGet(request, log, callback) {
{ error: err }); { error: err });
let returnErr = err; let returnErr = err;
const bucketAuthorized = isBucketAuthorized(bucket, const bucketAuthorized = isBucketAuthorized(bucket,
'bucketGet', constants.publicId, null, log, request); 'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
// if index object does not exist and bucket is private AWS // if index object does not exist and bucket is private AWS
// returns 403 - AccessDenied error. // returns 403 - AccessDenied error.
if (err.is.NoSuchKey && !bucketAuthorized) { if (err.is.NoSuchKey && !bucketAuthorized) {
@ -152,16 +153,16 @@ function websiteGet(request, log, callback) {
} }
return _errorActions(returnErr, return _errorActions(returnErr,
websiteConfig.getErrorDocument(), routingRules, websiteConfig.getErrorDocument(), routingRules,
bucket, reqObjectKey, corsHeaders, log, bucket, reqObjectKey, corsHeaders, request, log,
callback); callback);
} }
if (!isObjAuthorized(bucket, objMD, 'objectGet', if (!isObjAuthorized(bucket, objMD, 'objectGet',
constants.publicId, null, log, request)) { constants.publicId, null, request.actionImplicitDenies, log, request)) {
const err = errors.AccessDenied; const err = errors.AccessDenied;
log.trace('request not authorized', { error: err }); log.trace('request not authorized', { error: err });
return _errorActions(err, websiteConfig.getErrorDocument(), return _errorActions(err, websiteConfig.getErrorDocument(),
routingRules, bucket, routingRules, bucket,
reqObjectKey, corsHeaders, log, callback); reqObjectKey, corsHeaders, request, log, callback);
} }
const headerValResult = validateHeaders(request.headers, const headerValResult = validateHeaders(request.headers,
@ -171,7 +172,7 @@ function websiteGet(request, log, callback) {
log.trace('header validation error', { error: err }); log.trace('header validation error', { error: err });
return _errorActions(err, websiteConfig.getErrorDocument(), return _errorActions(err, websiteConfig.getErrorDocument(),
routingRules, bucket, reqObjectKey, routingRules, bucket, reqObjectKey,
corsHeaders, log, callback); corsHeaders, request, log, callback);
} }
// check if object to serve has website redirect header // check if object to serve has website redirect header
// Note: AWS prioritizes website configuration rules over // Note: AWS prioritizes website configuration rules over

View File

@ -104,7 +104,7 @@ function websiteHead(request, log, callback) {
{ error: err }); { error: err });
let returnErr = err; let returnErr = err;
const bucketAuthorized = isBucketAuthorized(bucket, const bucketAuthorized = isBucketAuthorized(bucket,
'bucketGet', constants.publicId, null, log, request); 'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
// if index object does not exist and bucket is private AWS // if index object does not exist and bucket is private AWS
// returns 403 - AccessDenied error. // returns 403 - AccessDenied error.
if (err.is.NoSuchKey && !bucketAuthorized) { if (err.is.NoSuchKey && !bucketAuthorized) {
@ -114,7 +114,7 @@ function websiteHead(request, log, callback) {
reqObjectKey, corsHeaders, log, callback); reqObjectKey, corsHeaders, log, callback);
} }
if (!isObjAuthorized(bucket, objMD, 'objectGet', if (!isObjAuthorized(bucket, objMD, 'objectGet',
constants.publicId, null, log, request)) { constants.publicId, null, request.actionImplicitDenies, log, request)) {
const err = errors.AccessDenied; const err = errors.AccessDenied;
log.trace('request not authorized', { error: err }); log.trace('request not authorized', { error: err });
return _errorActions(err, routingRules, reqObjectKey, return _errorActions(err, routingRules, reqObjectKey,

View File

@ -42,7 +42,6 @@ function getNullVersion(objMD, bucketName, objectKey, log, cb) {
* NOTE: If the value of `versionId` param is 'null', this function returns the * NOTE: If the value of `versionId` param is 'null', this function returns the
* master version objMD. The null version object md must be retrieved in a * master version objMD. The null version object md must be retrieved in a
* separate step using the master object md: see getNullVersion(). * separate step using the master object md: see getNullVersion().
* @param {string} requestType - type of request
* @param {string} bucketName - name of bucket * @param {string} bucketName - name of bucket
* @param {string} objectKey - name of object key * @param {string} objectKey - name of object key
* @param {string} [versionId] - version of object to retrieve * @param {string} [versionId] - version of object to retrieve
@ -50,7 +49,7 @@ function getNullVersion(objMD, bucketName, objectKey, log, cb) {
* @param {function} cb - callback * @param {function} cb - callback
* @return {undefined} - and call callback with err, bucket md and object md * @return {undefined} - and call callback with err, bucket md and object md
*/ */
function metadataGetBucketAndObject(requestType, bucketName, objectKey, function metadataGetBucketAndObject(bucketName, objectKey,
versionId, log, cb) { versionId, log, cb) {
const options = { const options = {
// if attempting to get 'null' version, must retrieve null version id // if attempting to get 'null' version, must retrieve null version id
@ -73,13 +72,6 @@ function metadataGetBucketAndObject(requestType, bucketName, objectKey,
}); });
return cb(errors.NoSuchBucket); return cb(errors.NoSuchBucket);
} }
if (bucketShield(bucket, requestType)) {
log.debug('bucket is shielded from request', {
requestType,
method: 'metadataGetBucketAndObject',
});
return cb(errors.NoSuchBucket);
}
log.trace('found bucket in metadata'); log.trace('found bucket in metadata');
return cb(null, bucket, obj); return cb(null, bucket, obj);
}); });
@ -118,6 +110,35 @@ function metadataGetObject(bucketName, objectKey, versionId, log, cb) {
}); });
} }
function validateBucket(bucket, params, actionImplicitDenies, log) {
const { authInfo, preciseRequestType, request } = params;
let requestType = params.requestType;
if (bucketShield(bucket, requestType)) {
log.debug('bucket is shielded from request', {
requestType,
method: 'validateBucket',
});
return errors.NoSuchBucket;
}
// if requester is not bucket owner, bucket policy actions should be denied with
// MethodNotAllowed error
const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
const canonicalID = authInfo.getCanonicalID();
if (!Array.isArray(requestType)) {
requestType = [requestType];
}
if (bucket.getOwner() !== canonicalID && requestType.some(type => onlyOwnerAllowed.includes(type))) {
return errors.MethodNotAllowed;
}
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
authInfo, actionImplicitDenies, log, request)) {
log.debug('access denied for user on bucket', { requestType });
return errors.AccessDenied;
}
return null;
}
/** metadataValidateBucketAndObj - retrieve bucket and object md from metadata /** metadataValidateBucketAndObj - retrieve bucket and object md from metadata
* and check if user is authorized to access them. * and check if user is authorized to access them.
* @param {object} params - function parameters * @param {object} params - function parameters
@ -127,41 +148,45 @@ function metadataGetObject(bucketName, objectKey, versionId, log, cb) {
* @param {string} [params.versionId] - version id if getting specific version * @param {string} [params.versionId] - version id if getting specific version
* @param {string} params.requestType - type of request * @param {string} params.requestType - type of request
* @param {object} params.request - http request object * @param {object} params.request - http request object
* @param {boolean} actionImplicitDenies - identity authorization results
* @param {RequestLogger} log - request logger * @param {RequestLogger} log - request logger
* @param {function} callback - callback * @param {function} callback - callback
* @return {undefined} - and call callback with params err, bucket md * @return {undefined} - and call callback with params err, bucket md
*/ */
function metadataValidateBucketAndObj(params, log, callback) { function metadataValidateBucketAndObj(params, actionImplicitDenies, log, callback) {
const { authInfo, bucketName, objectKey, versionId, requestType, preciseRequestType, request } = params; const { authInfo, bucketName, objectKey, versionId, request } = params;
const canonicalID = authInfo.getCanonicalID(); let requestType = params.requestType;
async.waterfall([ if (!Array.isArray(requestType)) {
function getBucketAndObjectMD(next) { requestType = [requestType];
return metadataGetBucketAndObject(requestType, bucketName,
objectKey, versionId, log, next);
},
function checkBucketAuth(bucket, objMD, next) {
// if requester is not bucket owner, bucket policy actions should be denied with
// MethodNotAllowed error
const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
if (bucket.getOwner() !== canonicalID && onlyOwnerAllowed.includes(requestType)) {
return next(errors.MethodNotAllowed, bucket);
} }
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID, async.waterfall([
authInfo, log, request)) { next => metadataGetBucketAndObject(bucketName,
log.debug('access denied for user on bucket', { requestType }); objectKey, versionId, log, (err, bucket, objMD) => {
return next(errors.AccessDenied, bucket); if (err) {
// if some implicit actionImplicitDenies, return AccessDenied
// before leaking any state information
if (actionImplicitDenies && Object.values(actionImplicitDenies).some(v => v === true)) {
return next(errors.AccessDenied);
}
return next(err);
} }
return next(null, bucket, objMD); return next(null, bucket, objMD);
}, }),
function handleNullVersionGet(bucket, objMD, next) { (bucket, objMD, next) => {
const validationError = validateBucket(bucket, params, actionImplicitDenies, log);
if (validationError) {
return next(validationError, bucket);
}
if (objMD && versionId === 'null') { if (objMD && versionId === 'null') {
return getNullVersion(objMD, bucketName, objectKey, log, return getNullVersion(objMD, bucketName, objectKey, log,
(err, nullVer) => next(err, bucket, nullVer)); (err, nullVer) => next(err, bucket, nullVer));
} }
return next(null, bucket, objMD); return next(null, bucket, objMD);
}, },
function checkObjectAuth(bucket, objMD, next) { (bucket, objMD, next) => {
if (!isObjAuthorized(bucket, objMD, requestType, canonicalID, authInfo, log, request)) { const canonicalID = authInfo.getCanonicalID();
if (!isObjAuthorized(bucket, objMD, requestType, canonicalID, authInfo, actionImplicitDenies,
log, request)) {
log.debug('access denied for user on object', { requestType }); log.debug('access denied for user on object', { requestType });
return next(errors.AccessDenied, bucket); return next(errors.AccessDenied, bucket);
} }
@ -209,34 +234,25 @@ function metadataGetBucket(requestType, bucketName, log, cb) {
* @param {string} params.bucketName - name of bucket * @param {string} params.bucketName - name of bucket
* @param {string} params.requestType - type of request * @param {string} params.requestType - type of request
* @param {string} params.request - http request object * @param {string} params.request - http request object
* @param {boolean} actionImplicitDenies - identity authorization results
* @param {RequestLogger} log - request logger * @param {RequestLogger} log - request logger
* @param {function} callback - callback * @param {function} callback - callback
* @return {undefined} - and call callback with params err, bucket md * @return {undefined} - and call callback with params err, bucket md
*/ */
function metadataValidateBucket(params, log, callback) { function metadataValidateBucket(params, actionImplicitDenies, log, callback) {
const { authInfo, bucketName, requestType, preciseRequestType, request } = params; const { bucketName, requestType } = params;
const canonicalID = authInfo.getCanonicalID();
return metadataGetBucket(requestType, bucketName, log, (err, bucket) => { return metadataGetBucket(requestType, bucketName, log, (err, bucket) => {
if (err) { if (err) {
return callback(err); return callback(err);
} }
// if requester is not bucket owner, bucket policy actions should be denied with const validationError = validateBucket(bucket, params, actionImplicitDenies, log);
// MethodNotAllowed error return callback(validationError, bucket);
const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
if (bucket.getOwner() !== canonicalID && onlyOwnerAllowed.includes(requestType)) {
return callback(errors.MethodNotAllowed, bucket);
}
// still return bucket for cors headers
if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID, authInfo, log, request)) {
log.debug('access denied for user on bucket', { requestType });
return callback(errors.AccessDenied, bucket);
}
return callback(null, bucket);
}); });
} }
module.exports = { module.exports = {
metadataGetObject, metadataGetObject,
validateBucket,
metadataValidateBucketAndObj, metadataValidateBucketAndObj,
metadataValidateBucket, metadataValidateBucket,
}; };

View File

@ -1149,6 +1149,8 @@ function routeBackbeat(clientIP, request, response, log) {
// Attach the apiMethod method to the request, so it can used by monitoring in the server // Attach the apiMethod method to the request, so it can used by monitoring in the server
// eslint-disable-next-line no-param-reassign // eslint-disable-next-line no-param-reassign
request.apiMethod = 'routeBackbeat'; request.apiMethod = 'routeBackbeat';
// eslint-disable-next-line no-param-reassign
request.actionImplicitDenies = false;
log.debug('routing request', { log.debug('routing request', {
method: 'routeBackbeat', method: 'routeBackbeat',
@ -1273,7 +1275,7 @@ function routeBackbeat(clientIP, request, response, log) {
requestType: 'ReplicateObject', requestType: 'ReplicateObject',
request, request,
}; };
return metadataValidateBucketAndObj(mdValParams, log, next); return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log, next);
}, },
(bucketInfo, objMd, next) => { (bucketInfo, objMd, next) => {
if (useMultipleBackend) { if (useMultipleBackend) {

View File

@ -20,7 +20,7 @@
"homepage": "https://github.com/scality/S3#readme", "homepage": "https://github.com/scality/S3#readme",
"dependencies": { "dependencies": {
"@hapi/joi": "^17.1.0", "@hapi/joi": "^17.1.0",
"arsenal": "git+https://github.com/scality/arsenal#7.10.47", "arsenal": "git+https://github.com/scality/arsenal#1d74f512c86ca34ee7e662acdc213f18c86326b0",
"async": "~2.5.0", "async": "~2.5.0",
"aws-sdk": "2.905.0", "aws-sdk": "2.905.0",
"azure-storage": "^2.1.0", "azure-storage": "^2.1.0",

View File

@ -175,7 +175,6 @@ describe('KMIP backed server-side encryption', () => {
done(); done();
}); });
}); });
it('should allow creating mpu with SSE header ' + it('should allow creating mpu with SSE header ' +
'in encrypted bucket', done => { 'in encrypted bucket', done => {
async.waterfall([ async.waterfall([

Binary file not shown.

View File

@ -54,6 +54,7 @@ const bucketPutRequest = {
url: '/', url: '/',
post: '', post: '',
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
const awsETag = 'be747eb4b75517bf6b3cf7c5fbb62f3a'; const awsETag = 'be747eb4b75517bf6b3cf7c5fbb62f3a';
@ -73,6 +74,7 @@ const completeBody = '<CompleteMultipartUpload>' +
const basicParams = { const basicParams = {
bucketName, bucketName,
namespace, namespace,
actionImplicitDenies: false,
}; };
function getObjectGetRequest(objectKey) { function getObjectGetRequest(objectKey) {
@ -270,6 +272,7 @@ function mpuSetup(location, key, cb) {
'x-amz-meta-scal-location-constraint': location }, 'x-amz-meta-scal-location-constraint': location },
url: `/${key}?uploads`, url: `/${key}?uploads`,
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
initiateMultipartUpload(authInfo, initiateRequest, log, initiateMultipartUpload(authInfo, initiateRequest, log,
(err, result) => { (err, result) => {
@ -317,7 +320,6 @@ function abortMultipleMpus(backendsInfo, callback) {
callback(); callback();
}); });
} }
describe('Multipart Upload API with AWS Backend', function mpuTestSuite() { describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
this.timeout(60000); this.timeout(60000);
@ -342,6 +344,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
'x-amz-meta-scal-location-constraint': `${awsLocation}` }, 'x-amz-meta-scal-location-constraint': `${awsLocation}` },
url: `/${objectKey}?uploads`, url: `/${objectKey}?uploads`,
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
initiateMultipartUpload(authInfo, initiateRequest, log, initiateMultipartUpload(authInfo, initiateRequest, log,
@ -365,6 +368,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
`${awsLocationMismatch}` }, `${awsLocationMismatch}` },
url: `/${objectKey}?uploads`, url: `/${objectKey}?uploads`,
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
initiateMultipartUpload(authInfo, initiateRequest, log, initiateMultipartUpload(authInfo, initiateRequest, log,
@ -389,6 +393,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
}, },
url: `/${objectKey}?uploads`, url: `/${objectKey}?uploads`,
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
initiateMultipartUpload(authInfo, initiateRequest, log, initiateMultipartUpload(authInfo, initiateRequest, log,
@ -612,6 +617,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
'x-amz-meta-scal-location-constraint': awsLocation }, 'x-amz-meta-scal-location-constraint': awsLocation },
url: `/${objectKey}?uploads`, url: `/${objectKey}?uploads`,
parsedHost: 'localhost', parsedHost: 'localhost',
actionImplicitDenies: false,
}; };
initiateMultipartUpload(authInfo, initiateRequest, log, initiateMultipartUpload(authInfo, initiateRequest, log,
err => { err => {
@ -712,6 +718,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads`, url: `/${bucketName}?uploads`,
query: {}, query: {},
actionImplicitDenies: false,
}; };
listMultipartUploads(authInfo, listMpuParams, log, listMultipartUploads(authInfo, listMpuParams, log,
(err, mpuListXml) => { (err, mpuListXml) => {

View File

@ -71,7 +71,6 @@ function copySetup(params, cb) {
callback), callback),
], err => cb(err)); ], err => cb(err));
} }
describe('ObjectCopy API with multiple backends', () => { describe('ObjectCopy API with multiple backends', () => {
before(() => { before(() => {
cleanup(); cleanup();

View File

@ -3,21 +3,19 @@ const async = require('async');
const { parseString } = require('xml2js'); const { parseString } = require('xml2js');
const AWS = require('aws-sdk'); const AWS = require('aws-sdk');
const { cleanup, DummyRequestLogger, makeAuthInfo } const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
= require('../unit/helpers'); const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
const { ds } = require('arsenal').storage.data.inMemory.datastore; const { ds } = require('arsenal').storage.data.inMemory.datastore;
const { bucketPut } = require('../../lib/api/bucketPut'); const { bucketPut } = require('../../lib/api/bucketPut');
const initiateMultipartUpload const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
= require('../../lib/api/initiateMultipartUpload');
const objectPut = require('../../lib/api/objectPut'); const objectPut = require('../../lib/api/objectPut');
const objectPutCopyPart = require('../../lib/api/objectPutCopyPart'); const objectPutCopyPart = require('../../lib/api/objectPutCopyPart');
const DummyRequest = require('../unit/DummyRequest'); const DummyRequest = require('../unit/DummyRequest');
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
const constants = require('../../constants'); const constants = require('../../constants');
const s3 = new AWS.S3(); const s3 = new AWS.S3();
const splitter = constants.splitter; const { splitter } = constants;
const log = new DummyRequestLogger(); const log = new DummyRequestLogger();
const canonicalID = 'accessKey1'; const canonicalID = 'accessKey1';
const authInfo = makeAuthInfo(canonicalID); const authInfo = makeAuthInfo(canonicalID);
@ -59,11 +57,11 @@ function copyPutPart(bucketLoc, mpuLoc, srcObjLoc, requestHost, cb,
errorPutCopyPart) { errorPutCopyPart) {
const keys = getSourceAndDestKeys(); const keys = getSourceAndDestKeys();
const { sourceObjName, destObjName } = keys; const { sourceObjName, destObjName } = keys;
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' + const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
'<CreateBucketConfiguration ' + + '<CreateBucketConfiguration '
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' + + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
`<LocationConstraint>${bucketLoc}</LocationConstraint>` + + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
'</CreateBucketConfiguration>' : ''; + '</CreateBucketConfiguration>' : '';
const bucketPutReq = new DummyRequest({ const bucketPutReq = new DummyRequest({
bucketName, bucketName,
namespace, namespace,
@ -80,10 +78,13 @@ errorPutCopyPart) {
objectKey: destObjName, objectKey: destObjName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: `/${destObjName}?uploads`, url: `/${destObjName}?uploads`,
actionImplicitDenies: false,
}; };
if (mpuLoc) { if (mpuLoc) {
initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`, initiateReq.headers = {
'x-amz-meta-scal-location-constraint': `${mpuLoc}` }; 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
};
} }
if (requestHost) { if (requestHost) {
initiateReq.parsedHost = requestHost; initiateReq.parsedHost = requestHost;
@ -94,10 +95,13 @@ errorPutCopyPart) {
objectKey: sourceObjName, objectKey: sourceObjName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
if (srcObjLoc) { if (srcObjLoc) {
sourceObjPutParams.headers = { 'host': `${bucketName}.s3.amazonaws.com`, sourceObjPutParams.headers = {
'x-amz-meta-scal-location-constraint': `${srcObjLoc}` }; 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-meta-scal-location-constraint': `${srcObjLoc}`,
};
} }
const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body); const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body);
if (requestHost) { if (requestHost) {
@ -112,8 +116,7 @@ errorPutCopyPart) {
}); });
}, },
next => { next => {
objectPut(authInfo, sourceObjPutReq, undefined, log, err => objectPut(authInfo, sourceObjPutReq, undefined, log, err => next(err));
next(err));
}, },
next => { next => {
initiateMultipartUpload(authInfo, initiateReq, log, next); initiateMultipartUpload(authInfo, initiateReq, log, next);
@ -130,8 +133,8 @@ errorPutCopyPart) {
// Need to build request in here since do not have // Need to build request in here since do not have
// uploadId until here // uploadId until here
assert.ifError(err, 'Error putting source object or initiate MPU'); assert.ifError(err, 'Error putting source object or initiate MPU');
const testUploadId = json.InitiateMultipartUploadResult. const testUploadId = json.InitiateMultipartUploadResult
UploadId[0]; .UploadId[0];
const copyPartParams = { const copyPartParams = {
bucketName, bucketName,
namespace, namespace,
@ -205,8 +208,8 @@ function testSuite() {
s3.listParts(awsReq, (err, partList) => { s3.listParts(awsReq, (err, partList) => {
assertPartList(partList, uploadId); assertPartList(partList, uploadId);
s3.abortMultipartUpload(awsReq, err => { s3.abortMultipartUpload(awsReq, err => {
assert.equal(err, null, `Error aborting MPU: ${err}. ` + assert.equal(err, null, `Error aborting MPU: ${err}. `
`You must abort MPU with upload ID ${uploadId} manually.`); + `You must abort MPU with upload ID ${uploadId} manually.`);
done(); done();
}); });
}); });
@ -247,16 +250,16 @@ function testSuite() {
s3.listParts(awsReq, (err, partList) => { s3.listParts(awsReq, (err, partList) => {
assertPartList(partList, uploadId); assertPartList(partList, uploadId);
s3.abortMultipartUpload(awsReq, err => { s3.abortMultipartUpload(awsReq, err => {
assert.equal(err, null, `Error aborting MPU: ${err}. ` + assert.equal(err, null, `Error aborting MPU: ${err}. `
`You must abort MPU with upload ID ${uploadId} manually.`); + `You must abort MPU with upload ID ${uploadId} manually.`);
done(); done();
}); });
}); });
}); });
}); });
it('should copy part an object on AWS location that has bucketMatch ' + it('should copy part an object on AWS location that has bucketMatch '
'equals false to a mpu with a different AWS location', done => { + 'equals false to a mpu with a different AWS location', done => {
copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost', copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost',
(keys, uploadId) => { (keys, uploadId) => {
assert.deepStrictEqual(ds, []); assert.deepStrictEqual(ds, []);
@ -264,16 +267,16 @@ function testSuite() {
s3.listParts(awsReq, (err, partList) => { s3.listParts(awsReq, (err, partList) => {
assertPartList(partList, uploadId); assertPartList(partList, uploadId);
s3.abortMultipartUpload(awsReq, err => { s3.abortMultipartUpload(awsReq, err => {
assert.equal(err, null, `Error aborting MPU: ${err}. ` + assert.equal(err, null, `Error aborting MPU: ${err}. `
`You must abort MPU with upload ID ${uploadId} manually.`); + `You must abort MPU with upload ID ${uploadId} manually.`);
done(); done();
}); });
}); });
}); });
}); });
it('should copy part an object on AWS to a mpu with a different ' + it('should copy part an object on AWS to a mpu with a different '
'AWS location that has bucketMatch equals false', done => { + 'AWS location that has bucketMatch equals false', done => {
copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost', copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost',
(keys, uploadId) => { (keys, uploadId) => {
assert.deepStrictEqual(ds, []); assert.deepStrictEqual(ds, []);
@ -282,16 +285,16 @@ function testSuite() {
s3.listParts(awsReq, (err, partList) => { s3.listParts(awsReq, (err, partList) => {
assertPartList(partList, uploadId); assertPartList(partList, uploadId);
s3.abortMultipartUpload(awsReq, err => { s3.abortMultipartUpload(awsReq, err => {
assert.equal(err, null, `Error aborting MPU: ${err}. ` + assert.equal(err, null, `Error aborting MPU: ${err}. `
`You must abort MPU with upload ID ${uploadId} manually.`); + `You must abort MPU with upload ID ${uploadId} manually.`);
done(); done();
}); });
}); });
}); });
}); });
it('should return error 403 AccessDenied copying part to a ' + it('should return error 403 AccessDenied copying part to a '
'different AWS location without object READ access', + 'different AWS location without object READ access',
done => { done => {
const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 }; const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 };
copyPutPart(null, awsLocation, awsLocation2, 'localhost', done, copyPutPart(null, awsLocation, awsLocation2, 'localhost', done,

View File

@ -3,20 +3,17 @@ const async = require('async');
const crypto = require('crypto'); const crypto = require('crypto');
const { parseString } = require('xml2js'); const { parseString } = require('xml2js');
const AWS = require('aws-sdk'); const AWS = require('aws-sdk');
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
const { config } = require('../../lib/Config'); const { config } = require('../../lib/Config');
const { cleanup, DummyRequestLogger, makeAuthInfo } const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
= require('../unit/helpers');
const { ds } = require('arsenal').storage.data.inMemory.datastore; const { ds } = require('arsenal').storage.data.inMemory.datastore;
const { bucketPut } = require('../../lib/api/bucketPut'); const { bucketPut } = require('../../lib/api/bucketPut');
const initiateMultipartUpload const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
= require('../../lib/api/initiateMultipartUpload');
const objectPutPart = require('../../lib/api/objectPutPart'); const objectPutPart = require('../../lib/api/objectPutPart');
const DummyRequest = require('../unit/DummyRequest'); const DummyRequest = require('../unit/DummyRequest');
const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
const mdWrapper = require('../../lib/metadata/wrapper'); const mdWrapper = require('../../lib/metadata/wrapper');
const constants = require('../../constants'); const constants = require('../../constants');
const { getRealAwsConfig } = const { getRealAwsConfig } = require('../functional/aws-node-sdk/test/support/awsConfig');
require('../functional/aws-node-sdk/test/support/awsConfig');
const memLocation = 'scality-internal-mem'; const memLocation = 'scality-internal-mem';
const fileLocation = 'scality-internal-file'; const fileLocation = 'scality-internal-file';
@ -25,7 +22,7 @@ const awsLocationMismatch = 'awsbackendmismatch';
const awsConfig = getRealAwsConfig(awsLocation); const awsConfig = getRealAwsConfig(awsLocation);
const s3 = new AWS.S3(awsConfig); const s3 = new AWS.S3(awsConfig);
const splitter = constants.splitter; const { splitter } = constants;
const log = new DummyRequestLogger(); const log = new DummyRequestLogger();
const canonicalID = 'accessKey1'; const canonicalID = 'accessKey1';
const authInfo = makeAuthInfo(canonicalID); const authInfo = makeAuthInfo(canonicalID);
@ -49,11 +46,11 @@ function _getOverviewKey(objectKey, uploadId) {
function putPart(bucketLoc, mpuLoc, requestHost, cb, function putPart(bucketLoc, mpuLoc, requestHost, cb,
errorDescription) { errorDescription) {
const objectName = `objectName-${Date.now()}`; const objectName = `objectName-${Date.now()}`;
const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' + const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
'<CreateBucketConfiguration ' + + '<CreateBucketConfiguration '
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' + + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
`<LocationConstraint>${bucketLoc}</LocationConstraint>` + + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
'</CreateBucketConfiguration>' : ''; + '</CreateBucketConfiguration>' : '';
const bucketPutReq = { const bucketPutReq = {
bucketName, bucketName,
namespace, namespace,
@ -70,10 +67,13 @@ errorDescription) {
objectKey: objectName, objectKey: objectName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: `/${objectName}?uploads`, url: `/${objectName}?uploads`,
actionImplicitDenies: false,
}; };
if (mpuLoc) { if (mpuLoc) {
initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`, initiateReq.headers = {
'x-amz-meta-scal-location-constraint': `${mpuLoc}` }; 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
};
} }
if (requestHost) { if (requestHost) {
initiateReq.parsedHost = requestHost; initiateReq.parsedHost = requestHost;
@ -123,9 +123,9 @@ errorDescription) {
const partReq = new DummyRequest(partReqParams, body1); const partReq = new DummyRequest(partReqParams, body1);
return objectPutPart(authInfo, partReq, undefined, log, err => { return objectPutPart(authInfo, partReq, undefined, log, err => {
assert.strictEqual(err, null); assert.strictEqual(err, null);
if (bucketLoc !== awsLocation && mpuLoc !== awsLocation && if (bucketLoc !== awsLocation && mpuLoc !== awsLocation
bucketLoc !== awsLocationMismatch && && bucketLoc !== awsLocationMismatch
mpuLoc !== awsLocationMismatch) { && mpuLoc !== awsLocationMismatch) {
const keysInMPUkeyMap = []; const keysInMPUkeyMap = [];
metadata.keyMaps.get(mpuBucket).forEach((val, key) => { metadata.keyMaps.get(mpuBucket).forEach((val, key) => {
keysInMPUkeyMap.push(key); keysInMPUkeyMap.push(key);
@ -148,8 +148,8 @@ errorDescription) {
} }
function listAndAbort(uploadId, calculatedHash2, objectName, done) { function listAndAbort(uploadId, calculatedHash2, objectName, done) {
const awsBucket = config.locationConstraints[awsLocation]. const awsBucket = config.locationConstraints[awsLocation]
details.bucketName; .details.bucketName;
const params = { const params = {
Bucket: awsBucket, Bucket: awsBucket,
Key: objectName, Key: objectName,
@ -162,13 +162,12 @@ function listAndAbort(uploadId, calculatedHash2, objectName, done) {
assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag); assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag);
} }
s3.abortMultipartUpload(params, err => { s3.abortMultipartUpload(params, err => {
assert.equal(err, null, `Error aborting MPU: ${err}. ` + assert.equal(err, null, `Error aborting MPU: ${err}. `
`You must abort MPU with upload ID ${uploadId} manually.`); + `You must abort MPU with upload ID ${uploadId} manually.`);
done(); done();
}); });
}); });
} }
describeSkipIfE2E('objectPutPart API with multiple backends', describeSkipIfE2E('objectPutPart API with multiple backends',
function testSuite() { function testSuite() {
this.timeout(5000); this.timeout(5000);
@ -211,8 +210,10 @@ function testSuite() {
bucketName, bucketName,
namespace, namespace,
objectKey: objectName, objectKey: objectName,
headers: { 'host': `${bucketName}.s3.amazonaws.com`, headers: {
'x-amz-meta-scal-location-constraint': awsLocation }, 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-meta-scal-location-constraint': awsLocation,
},
url: `/${objectName}?partNumber=1&uploadId=${uploadId}`, url: `/${objectName}?partNumber=1&uploadId=${uploadId}`,
query: { query: {
partNumber: '1', uploadId, partNumber: '1', uploadId,
@ -226,8 +227,8 @@ function testSuite() {
}); });
}); });
it('should upload part based on mpu location even if part ' + it('should upload part based on mpu location even if part '
'location constraint is specified ', done => { + 'location constraint is specified ', done => {
putPart(fileLocation, memLocation, 'localhost', () => { putPart(fileLocation, memLocation, 'localhost', () => {
assert.deepStrictEqual(ds[1].value, body1); assert.deepStrictEqual(ds[1].value, body1);
done(); done();
@ -256,8 +257,8 @@ function testSuite() {
}); });
}); });
it('should put a part to AWS based on bucket location with bucketMatch ' + it('should put a part to AWS based on bucket location with bucketMatch '
'set to true', done => { + 'set to true', done => {
putPart(null, awsLocation, 'localhost', putPart(null, awsLocation, 'localhost',
(objectName, uploadId) => { (objectName, uploadId) => {
assert.deepStrictEqual(ds, []); assert.deepStrictEqual(ds, []);
@ -265,8 +266,8 @@ function testSuite() {
}); });
}); });
it('should put a part to AWS based on bucket location with bucketMatch ' + it('should put a part to AWS based on bucket location with bucketMatch '
'set to false', done => { + 'set to false', done => {
putPart(null, awsLocationMismatch, 'localhost', putPart(null, awsLocationMismatch, 'localhost',
(objectName, uploadId) => { (objectName, uploadId) => {
assert.deepStrictEqual(ds, []); assert.deepStrictEqual(ds, []);

View File

@ -16,7 +16,7 @@ class DummyRequest extends http.IncomingMessage {
this.parsedContentLength = 0; this.parsedContentLength = 0;
} }
} }
this.actionImplicitDenies = false;
if (Array.isArray(msg)) { if (Array.isArray(msg)) {
msg.forEach(part => { msg.forEach(part => {
this.push(part); this.push(part);

View File

@ -24,6 +24,7 @@ const bucketPutReq = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const taggingUtil = new TaggingConfigTester(); const taggingUtil = new TaggingConfigTester();

View File

@ -106,7 +106,7 @@ describe('bucket authorization for bucketGet, bucketHead, ' +
} }
bucket.setCannedAcl(value.canned); bucket.setCannedAcl(value.canned);
const results = requestTypes.map(type => const results = requestTypes.map(type =>
isBucketAuthorized(bucket, type, value.id, value.auth, log)); isBucketAuthorized(bucket, type, value.id, value.auth, false, log));
assert.deepStrictEqual(results, value.response); assert.deepStrictEqual(results, value.response);
done(); done();
}); });
@ -128,13 +128,13 @@ describe('bucket authorization for bucketGetACL', () => {
it('should allow access to bucket owner', () => { it('should allow access to bucket owner', () => {
const result = isBucketAuthorized(bucket, 'bucketGetACL', const result = isBucketAuthorized(bucket, 'bucketGetACL',
ownerCanonicalId, authInfo); ownerCanonicalId, authInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
it('should allow access to user in bucket owner account', () => { it('should allow access to user in bucket owner account', () => {
const result = isBucketAuthorized(bucket, 'bucketGetACL', const result = isBucketAuthorized(bucket, 'bucketGetACL',
ownerCanonicalId, userAuthInfo); ownerCanonicalId, userAuthInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
@ -157,7 +157,7 @@ describe('bucket authorization for bucketGetACL', () => {
orders.forEach(value => { orders.forEach(value => {
it(`should allow access to ${value.it}`, done => { it(`should allow access to ${value.it}`, done => {
const noAuthResult = isBucketAuthorized(bucket, 'bucketGetACL', const noAuthResult = isBucketAuthorized(bucket, 'bucketGetACL',
value.id); value.id, null, false);
assert.strictEqual(noAuthResult, false); assert.strictEqual(noAuthResult, false);
if (value.aclParam) { if (value.aclParam) {
bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]); bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
@ -165,7 +165,7 @@ describe('bucket authorization for bucketGetACL', () => {
bucket.setCannedAcl(value.canned); bucket.setCannedAcl(value.canned);
} }
const authorizedResult = isBucketAuthorized(bucket, 'bucketGetACL', const authorizedResult = isBucketAuthorized(bucket, 'bucketGetACL',
value.id, value.auth); value.id, value.auth, false);
assert.strictEqual(authorizedResult, true); assert.strictEqual(authorizedResult, true);
done(); done();
}); });
@ -187,13 +187,13 @@ describe('bucket authorization for bucketPutACL', () => {
it('should allow access to bucket owner', () => { it('should allow access to bucket owner', () => {
const result = isBucketAuthorized(bucket, 'bucketPutACL', const result = isBucketAuthorized(bucket, 'bucketPutACL',
ownerCanonicalId, authInfo); ownerCanonicalId, authInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
it('should allow access to user in bucket owner account', () => { it('should allow access to user in bucket owner account', () => {
const result = isBucketAuthorized(bucket, 'bucketPutACL', const result = isBucketAuthorized(bucket, 'bucketPutACL',
ownerCanonicalId, userAuthInfo); ownerCanonicalId, userAuthInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
@ -202,11 +202,11 @@ describe('bucket authorization for bucketPutACL', () => {
it('should allow access to account if ' + it('should allow access to account if ' +
`account was granted ${value} right`, done => { `account was granted ${value} right`, done => {
const noAuthResult = isBucketAuthorized(bucket, 'bucketPutACL', const noAuthResult = isBucketAuthorized(bucket, 'bucketPutACL',
accountToVet, altAcctAuthInfo); accountToVet, altAcctAuthInfo, false);
assert.strictEqual(noAuthResult, false); assert.strictEqual(noAuthResult, false);
bucket.setSpecificAcl(accountToVet, value); bucket.setSpecificAcl(accountToVet, value);
const authorizedResult = isBucketAuthorized(bucket, 'bucketPutACL', const authorizedResult = isBucketAuthorized(bucket, 'bucketPutACL',
accountToVet, altAcctAuthInfo); accountToVet, altAcctAuthInfo, false);
assert.strictEqual(authorizedResult, true); assert.strictEqual(authorizedResult, true);
done(); done();
}); });
@ -228,13 +228,13 @@ describe('bucket authorization for bucketOwnerAction', () => {
it('should allow access to bucket owner', () => { it('should allow access to bucket owner', () => {
const result = isBucketAuthorized(bucket, 'bucketDeleteCors', const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
ownerCanonicalId, authInfo); ownerCanonicalId, authInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
it('should allow access to user in bucket owner account', () => { it('should allow access to user in bucket owner account', () => {
const result = isBucketAuthorized(bucket, 'bucketDeleteCors', const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
ownerCanonicalId, userAuthInfo); ownerCanonicalId, userAuthInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
@ -256,7 +256,7 @@ describe('bucket authorization for bucketOwnerAction', () => {
} }
bucket.setCannedAcl(value.canned); bucket.setCannedAcl(value.canned);
const result = isBucketAuthorized(bucket, 'bucketDeleteCors', const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
value.id, value.auth); value.id, value.auth, false);
assert.strictEqual(result, false); assert.strictEqual(result, false);
done(); done();
}); });
@ -278,13 +278,13 @@ describe('bucket authorization for bucketDelete', () => {
it('should allow access to bucket owner', () => { it('should allow access to bucket owner', () => {
const result = isBucketAuthorized(bucket, 'bucketDelete', const result = isBucketAuthorized(bucket, 'bucketDelete',
ownerCanonicalId, authInfo); ownerCanonicalId, authInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
it('should allow access to user in bucket owner account', () => { it('should allow access to user in bucket owner account', () => {
const result = isBucketAuthorized(bucket, 'bucketDelete', const result = isBucketAuthorized(bucket, 'bucketDelete',
ownerCanonicalId, userAuthInfo); ownerCanonicalId, userAuthInfo, false);
assert.strictEqual(result, true); assert.strictEqual(result, true);
}); });
@ -305,7 +305,7 @@ describe('bucket authorization for bucketDelete', () => {
bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]); bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
} }
bucket.setCannedAcl(value.canned); bucket.setCannedAcl(value.canned);
const result = isBucketAuthorized(bucket, 'bucketDelete', value.id, value.auth); const result = isBucketAuthorized(bucket, 'bucketDelete', value.id, value.auth, false);
assert.strictEqual(result, false); assert.strictEqual(result, false);
done(); done();
}); });
@ -329,13 +329,13 @@ describe('bucket authorization for objectDelete and objectPut', () => {
it('should allow access to bucket owner', () => { it('should allow access to bucket owner', () => {
const results = requestTypes.map(type => const results = requestTypes.map(type =>
isBucketAuthorized(bucket, type, ownerCanonicalId, authInfo)); isBucketAuthorized(bucket, type, ownerCanonicalId, authInfo, false));
assert.deepStrictEqual(results, [true, true]); assert.deepStrictEqual(results, [true, true]);
}); });
it('should allow access to user in bucket owner account', () => { it('should allow access to user in bucket owner account', () => {
const results = requestTypes.map(type => const results = requestTypes.map(type =>
isBucketAuthorized(bucket, type, ownerCanonicalId, userAuthInfo)); isBucketAuthorized(bucket, type, ownerCanonicalId, userAuthInfo, false));
assert.deepStrictEqual(results, [true, true]); assert.deepStrictEqual(results, [true, true]);
}); });
@ -360,13 +360,13 @@ describe('bucket authorization for objectDelete and objectPut', () => {
it(`should allow access to ${value.it}`, done => { it(`should allow access to ${value.it}`, done => {
bucket.setCannedAcl(value.canned); bucket.setCannedAcl(value.canned);
const noAuthResults = requestTypes.map(type => const noAuthResults = requestTypes.map(type =>
isBucketAuthorized(bucket, type, value.id, value.auth)); isBucketAuthorized(bucket, type, value.id, value.auth, false));
assert.deepStrictEqual(noAuthResults, value.response); assert.deepStrictEqual(noAuthResults, value.response);
if (value.aclParam) { if (value.aclParam) {
bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]); bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
} }
const authResults = requestTypes.map(type => const authResults = requestTypes.map(type =>
isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo)); isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo, false));
assert.deepStrictEqual(authResults, [true, true]); assert.deepStrictEqual(authResults, [true, true]);
done(); done();
}); });
@ -378,10 +378,10 @@ describe('bucket authorization for objectPutACL and objectGetACL', () => {
'are done at object level', done => { 'are done at object level', done => {
const requestTypes = ['objectPutACL', 'objectGetACL']; const requestTypes = ['objectPutACL', 'objectGetACL'];
const results = requestTypes.map(type => const results = requestTypes.map(type =>
isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo)); isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo, false));
assert.deepStrictEqual(results, [true, true]); assert.deepStrictEqual(results, [true, true]);
const publicUserResults = requestTypes.map(type => const publicUserResults = requestTypes.map(type =>
isBucketAuthorized(bucket, type, constants.publicId)); isBucketAuthorized(bucket, type, constants.publicId, null, false));
assert.deepStrictEqual(publicUserResults, [true, true]); assert.deepStrictEqual(publicUserResults, [true, true]);
done(); done();
}); });

View File

@ -77,7 +77,6 @@ function createMPU(testRequest, initiateRequest, deleteOverviewMPUObj, cb) {
}); });
}); });
} }
describe('bucketDelete API', () => { describe('bucketDelete API', () => {
beforeEach(() => { beforeEach(() => {
cleanup(); cleanup();
@ -88,6 +87,7 @@ describe('bucketDelete API', () => {
namespace, namespace,
headers: {}, headers: {},
url: `/${bucketName}`, url: `/${bucketName}`,
actionImplicitDenies: false,
}; };
const initiateRequest = { const initiateRequest = {
@ -96,6 +96,7 @@ describe('bucketDelete API', () => {
objectKey: objectName, objectKey: objectName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: `/${objectName}?uploads`, url: `/${objectName}?uploads`,
actionImplicitDenies: false,
}; };
it('should return an error if the bucket is not empty', done => { it('should return an error if the bucket is not empty', done => {

View File

@ -19,12 +19,12 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const testBucketPutCorsRequest = const testBucketPutCorsRequest =
corsUtil.createBucketCorsRequest('PUT', bucketName); corsUtil.createBucketCorsRequest('PUT', bucketName);
const testBucketDeleteCorsRequest = const testBucketDeleteCorsRequest =
corsUtil.createBucketCorsRequest('DELETE', bucketName); corsUtil.createBucketCorsRequest('DELETE', bucketName);
describe('deleteBucketCors API', () => { describe('deleteBucketCors API', () => {
beforeEach(done => { beforeEach(done => {
cleanup(); cleanup();

View File

@ -13,8 +13,8 @@ const bucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
describe('bucketDeleteEncryption API', () => { describe('bucketDeleteEncryption API', () => {
before(() => cleanup()); before(() => cleanup());

View File

@ -19,6 +19,7 @@ function _makeRequest(includeXml) {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
if (includeXml) { if (includeXml) {
request.post = '<LifecycleConfiguration ' + request.post = '<LifecycleConfiguration ' +
@ -30,7 +31,6 @@ function _makeRequest(includeXml) {
} }
return request; return request;
} }
describe('deleteBucketLifecycle API', () => { describe('deleteBucketLifecycle API', () => {
before(() => cleanup()); before(() => cleanup());
beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done)); beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done));

View File

@ -19,6 +19,7 @@ function _makeRequest(includePolicy) {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
if (includePolicy) { if (includePolicy) {
const examplePolicy = { const examplePolicy = {
@ -36,7 +37,6 @@ function _makeRequest(includePolicy) {
} }
return request; return request;
} }
describe('deleteBucketPolicy API', () => { describe('deleteBucketPolicy API', () => {
before(() => cleanup()); before(() => cleanup());
beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done)); beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done));

View File

@ -20,6 +20,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const testBucketDeleteWebsiteRequest = { const testBucketDeleteWebsiteRequest = {
bucketName, bucketName,
@ -28,10 +29,10 @@ const testBucketDeleteWebsiteRequest = {
}, },
url: '/?website', url: '/?website',
query: { website: '' }, query: { website: '' },
actionImplicitDenies: false,
}; };
const testBucketPutWebsiteRequest = Object.assign({ post: config.getXml() }, const testBucketPutWebsiteRequest = Object.assign({ post: config.getXml() },
testBucketDeleteWebsiteRequest); testBucketDeleteWebsiteRequest);
describe('deleteBucketWebsite API', () => { describe('deleteBucketWebsite API', () => {
beforeEach(done => { beforeEach(done => {
cleanup(); cleanup();

View File

@ -63,6 +63,7 @@ const baseGetRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { host: '/' }, headers: { host: '/' },
actionImplicitDenies: false,
}; };
const baseUrl = `/${bucketName}`; const baseUrl = `/${bucketName}`;
@ -173,7 +174,6 @@ const tests = [
}, },
}, },
]; ];
describe('bucketGet API', () => { describe('bucketGet API', () => {
beforeEach(() => { beforeEach(() => {
cleanup(); cleanup();

View File

@ -14,7 +14,6 @@ const authInfo = makeAuthInfo(accessKey);
const canonicalID = authInfo.getCanonicalID(); const canonicalID = authInfo.getCanonicalID();
const namespace = 'default'; const namespace = 'default';
const bucketName = 'bucketname'; const bucketName = 'bucketname';
describe('bucketGetACL API', () => { describe('bucketGetACL API', () => {
beforeEach(() => { beforeEach(() => {
cleanup(); cleanup();
@ -25,6 +24,7 @@ describe('bucketGetACL API', () => {
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const testGetACLRequest = { const testGetACLRequest = {
bucketName, bucketName,
@ -32,6 +32,7 @@ describe('bucketGetACL API', () => {
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
it('should get a canned private ACL', done => { it('should get a canned private ACL', done => {
@ -44,6 +45,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -76,6 +78,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -119,6 +122,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -156,6 +160,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -194,6 +199,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -248,6 +254,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
const canonicalIDforSample1 = const canonicalIDforSample1 =
'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'; '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
@ -338,6 +345,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -377,6 +385,7 @@ describe('bucketGetACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([

View File

@ -16,6 +16,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function _makeCorsRequest(xml) { function _makeCorsRequest(xml) {
@ -26,6 +27,7 @@ function _makeCorsRequest(xml) {
}, },
url: '/?cors', url: '/?cors',
query: { cors: '' }, query: { cors: '' },
actionImplicitDenies: false,
}; };
if (xml) { if (xml) {
@ -55,7 +57,6 @@ function _comparePutGetXml(sampleXml, done) {
}); });
}); });
} }
describe('getBucketCors API', () => { describe('getBucketCors API', () => {
beforeEach(done => { beforeEach(done => {
cleanup(); cleanup();

View File

@ -17,8 +17,8 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
describe('getBucketLifecycle API', () => { describe('getBucketLifecycle API', () => {
before(() => cleanup()); before(() => cleanup());
beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done)); beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done));

View File

@ -16,6 +16,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const testGetLocationRequest = { const testGetLocationRequest = {
@ -25,6 +26,7 @@ const testGetLocationRequest = {
}, },
url: '/?location', url: '/?location',
query: { location: '' }, query: { location: '' },
actionImplicitDenies: false,
}; };
const locationConstraints = config.locationConstraints; const locationConstraints = config.locationConstraints;
@ -37,7 +39,6 @@ function getBucketRequestObject(location) {
'</CreateBucketConfiguration>' : undefined; '</CreateBucketConfiguration>' : undefined;
return Object.assign({ post }, testBucketPutRequest); return Object.assign({ post }, testBucketPutRequest);
} }
describe('getBucketLocation API', () => { describe('getBucketLocation API', () => {
Object.keys(locationConstraints).forEach(location => { Object.keys(locationConstraints).forEach(location => {
if (location === 'us-east-1') { if (location === 'us-east-1') {

View File

@ -15,6 +15,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function getNotificationRequest(bucketName, xml) { function getNotificationRequest(bucketName, xml) {
@ -23,6 +24,7 @@ function getNotificationRequest(bucketName, xml) {
headers: { headers: {
host: `${bucketName}.s3.amazonaws.com`, host: `${bucketName}.s3.amazonaws.com`,
}, },
actionImplicitDenies: false,
}; };
if (xml) { if (xml) {
request.post = xml; request.post = xml;
@ -52,7 +54,6 @@ function getNotificationXml() {
'</NotificationConfiguration>'; '</NotificationConfiguration>';
} }
describe('getBucketNotification API', () => { describe('getBucketNotification API', () => {
before(cleanup); before(cleanup);
beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done)); beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done));

View File

@ -14,6 +14,7 @@ const bucketPutReq = {
host: `${bucketName}.s3.amazonaws.com`, host: `${bucketName}.s3.amazonaws.com`,
}, },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const testBucketPutReqWithObjLock = { const testBucketPutReqWithObjLock = {
@ -23,6 +24,7 @@ const testBucketPutReqWithObjLock = {
'x-amz-bucket-object-lock-enabled': 'True', 'x-amz-bucket-object-lock-enabled': 'True',
}, },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function getObjectLockConfigRequest(bucketName, xml) { function getObjectLockConfigRequest(bucketName, xml) {
@ -33,6 +35,7 @@ function getObjectLockConfigRequest(bucketName, xml) {
'x-amz-bucket-object-lock-enabled': 'true', 'x-amz-bucket-object-lock-enabled': 'true',
}, },
url: '/?object-lock', url: '/?object-lock',
actionImplicitDenies: false,
}; };
if (xml) { if (xml) {
request.post = xml; request.post = xml;
@ -65,7 +68,6 @@ function getObjectLockXml(mode, type, time) {
xmlStr += xml.objLockConfigClose; xmlStr += xml.objLockConfigClose;
return xmlStr; return xmlStr;
} }
describe('bucketGetObjectLock API', () => { describe('bucketGetObjectLock API', () => {
before(done => bucketPut(authInfo, bucketPutReq, log, done)); before(done => bucketPut(authInfo, bucketPutReq, log, done));
after(cleanup); after(cleanup);
@ -79,7 +81,6 @@ describe('bucketGetObjectLock API', () => {
}); });
}); });
}); });
describe('bucketGetObjectLock API', () => { describe('bucketGetObjectLock API', () => {
before(cleanup); before(cleanup);
beforeEach(done => bucketPut(authInfo, testBucketPutReqWithObjLock, log, done)); beforeEach(done => bucketPut(authInfo, testBucketPutReqWithObjLock, log, done));

View File

@ -16,6 +16,7 @@ const testBasicRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const expectedBucketPolicy = { const expectedBucketPolicy = {
@ -34,8 +35,8 @@ const testPutPolicyRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: JSON.stringify(expectedBucketPolicy), post: JSON.stringify(expectedBucketPolicy),
actionImplicitDenies: false,
}; };
describe('getBucketPolicy API', () => { describe('getBucketPolicy API', () => {
before(() => cleanup()); before(() => cleanup());
beforeEach(done => bucketPut(authInfo, testBasicRequest, log, done)); beforeEach(done => bucketPut(authInfo, testBasicRequest, log, done));

View File

@ -53,7 +53,6 @@ function getReplicationConfig() {
], ],
}; };
} }
describe("'getReplicationConfigurationXML' function", () => { describe("'getReplicationConfigurationXML' function", () => {
it('should return XML from the bucket replication configuration', done => it('should return XML from the bucket replication configuration', done =>
getAndCheckXML(getReplicationConfig(), done)); getAndCheckXML(getReplicationConfig(), done));

View File

@ -15,6 +15,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function _makeWebsiteRequest(xml) { function _makeWebsiteRequest(xml) {
@ -25,6 +26,7 @@ function _makeWebsiteRequest(xml) {
}, },
url: '/?website', url: '/?website',
query: { website: '' }, query: { website: '' },
actionImplicitDenies: false,
}; };
if (xml) { if (xml) {
@ -53,7 +55,6 @@ function _comparePutGetXml(sampleXml, done) {
}); });
}); });
} }
describe('getBucketWebsite API', () => { describe('getBucketWebsite API', () => {
beforeEach(done => { beforeEach(done => {
cleanup(); cleanup();

View File

@ -14,6 +14,7 @@ const testRequest = {
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
describe('bucketHead API', () => { describe('bucketHead API', () => {
beforeEach(() => { beforeEach(() => {

View File

@ -244,7 +244,7 @@ describe('bucket policy authorization', () => {
describe('isBucketAuthorized with no policy set', () => { describe('isBucketAuthorized with no policy set', () => {
it('should allow access to bucket owner', done => { it('should allow access to bucket owner', done => {
const allowed = isBucketAuthorized(bucket, 'bucketPut', const allowed = isBucketAuthorized(bucket, 'bucketPut',
bucketOwnerCanonicalId, null, log); bucketOwnerCanonicalId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -252,7 +252,7 @@ describe('bucket policy authorization', () => {
it('should deny access to non-bucket owner', it('should deny access to non-bucket owner',
done => { done => {
const allowed = isBucketAuthorized(bucket, 'bucketPut', const allowed = isBucketAuthorized(bucket, 'bucketPut',
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -268,7 +268,7 @@ describe('bucket policy authorization', () => {
it('should allow access to non-bucket owner if principal is set to "*"', it('should allow access to non-bucket owner if principal is set to "*"',
done => { done => {
const allowed = isBucketAuthorized(bucket, bucAction, const allowed = isBucketAuthorized(bucket, bucAction,
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -276,7 +276,7 @@ describe('bucket policy authorization', () => {
it('should allow access to public user if principal is set to "*"', it('should allow access to public user if principal is set to "*"',
done => { done => {
const allowed = isBucketAuthorized(bucket, bucAction, const allowed = isBucketAuthorized(bucket, bucAction,
constants.publicId, null, log); constants.publicId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -287,7 +287,7 @@ describe('bucket policy authorization', () => {
newPolicy.Statement[0][t.keyToChange] = t.bucketValue; newPolicy.Statement[0][t.keyToChange] = t.bucketValue;
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isBucketAuthorized(bucket, bucAction, const allowed = isBucketAuthorized(bucket, bucAction,
t.bucketId, t.bucketAuthInfo, log); t.bucketId, t.bucketAuthInfo, false, log);
assert.equal(allowed, t.expected); assert.equal(allowed, t.expected);
done(); done();
}); });
@ -304,7 +304,7 @@ describe('bucket policy authorization', () => {
}; };
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isBucketAuthorized(bucket, bucAction, const allowed = isBucketAuthorized(bucket, bucAction,
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -312,7 +312,7 @@ describe('bucket policy authorization', () => {
it('should deny access to non-bucket owner with an unsupported action type', it('should deny access to non-bucket owner with an unsupported action type',
done => { done => {
const allowed = isBucketAuthorized(bucket, 'unsupportedAction', const allowed = isBucketAuthorized(bucket, 'unsupportedAction',
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -325,7 +325,7 @@ describe('bucket policy authorization', () => {
it('should allow access to object owner', done => { it('should allow access to object owner', done => {
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
objectOwnerCanonicalId, null, log); objectOwnerCanonicalId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -333,7 +333,7 @@ describe('bucket policy authorization', () => {
it('should deny access to non-object owner', it('should deny access to non-object owner',
done => { done => {
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -352,7 +352,7 @@ describe('bucket policy authorization', () => {
it('should allow access to non-object owner if principal is set to "*"', it('should allow access to non-object owner if principal is set to "*"',
done => { done => {
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -360,7 +360,7 @@ describe('bucket policy authorization', () => {
it('should allow access to public user if principal is set to "*"', it('should allow access to public user if principal is set to "*"',
done => { done => {
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
constants.publicId, null, log); constants.publicId, null, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -371,7 +371,7 @@ describe('bucket policy authorization', () => {
newPolicy.Statement[0][t.keyToChange] = t.objectValue; newPolicy.Statement[0][t.keyToChange] = t.objectValue;
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
t.objectId, t.objectAuthInfo, log); t.objectId, t.objectAuthInfo, false, log);
assert.equal(allowed, t.expected); assert.equal(allowed, t.expected);
done(); done();
}); });
@ -383,7 +383,7 @@ describe('bucket policy authorization', () => {
newPolicy.Statement[0].Action = ['s3:GetObject']; newPolicy.Statement[0].Action = ['s3:GetObject'];
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isObjAuthorized(bucket, object, 'objectHead', const allowed = isObjAuthorized(bucket, object, 'objectHead',
altAcctCanonicalId, altAcctAuthInfo, log); altAcctCanonicalId, altAcctAuthInfo, false, log);
assert.equal(allowed, true); assert.equal(allowed, true);
done(); done();
}); });
@ -393,7 +393,7 @@ describe('bucket policy authorization', () => {
newPolicy.Statement[0].Action = ['s3:PutObject']; newPolicy.Statement[0].Action = ['s3:PutObject'];
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isObjAuthorized(bucket, object, 'objectHead', const allowed = isObjAuthorized(bucket, object, 'objectHead',
altAcctCanonicalId, altAcctAuthInfo, log); altAcctCanonicalId, altAcctAuthInfo, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -408,7 +408,7 @@ describe('bucket policy authorization', () => {
}; };
bucket.setBucketPolicy(newPolicy); bucket.setBucketPolicy(newPolicy);
const allowed = isObjAuthorized(bucket, object, objAction, const allowed = isObjAuthorized(bucket, object, objAction,
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });
@ -416,7 +416,7 @@ describe('bucket policy authorization', () => {
it('should deny access to non-object owner with an unsupported action type', it('should deny access to non-object owner with an unsupported action type',
done => { done => {
const allowed = isObjAuthorized(bucket, object, 'unsupportedAction', const allowed = isObjAuthorized(bucket, object, 'unsupportedAction',
altAcctCanonicalId, null, log); altAcctCanonicalId, null, false, log);
assert.equal(allowed, false); assert.equal(allowed, false);
done(); done();
}); });

View File

@ -18,11 +18,10 @@ const testBucketPutRequest = {
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const canonicalIDforSample1 = const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'; const canonicalIDforSample2 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
const canonicalIDforSample2 =
'79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
const invalidIds = { const invalidIds = {
'too short': 'id="invalid_id"', 'too short': 'id="invalid_id"',
@ -42,11 +41,10 @@ describe('putBucketACL API', () => {
afterEach(() => cleanup()); afterEach(() => cleanup());
it('should parse a grantheader', () => { it('should parse a grantheader', () => {
const grantRead = const grantRead = `uri=${constants.logId}, `
`uri=${constants.logId}, ` + + 'emailAddress="test@testing.com", '
'emailAddress="test@testing.com", ' + + 'emailAddress="test2@testly.com", '
'emailAddress="test2@testly.com", ' + + 'id="sdfsdfsfwwiieohefs"';
'id="sdfsdfsfwwiieohefs"';
const grantReadHeader = aclUtils.parseGrant(grantRead, 'read'); const grantReadHeader = aclUtils.parseGrant(grantRead, 'read');
const firstIdentifier = grantReadHeader[0].identifier; const firstIdentifier = grantReadHeader[0].identifier;
assert.strictEqual(firstIdentifier, constants.logId); assert.strictEqual(firstIdentifier, constants.logId);
@ -58,7 +56,7 @@ describe('putBucketACL API', () => {
assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs'); assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs');
const fourthType = grantReadHeader[3].userIDType; const fourthType = grantReadHeader[3].userIDType;
assert.strictEqual(fourthType, 'id'); assert.strictEqual(fourthType, 'id');
const grantType = grantReadHeader[3].grantType; const { grantType } = grantReadHeader[3];
assert.strictEqual(grantType, 'read'); assert.strictEqual(grantType, 'read');
}); });
@ -72,6 +70,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -90,6 +89,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
assert.strictEqual(err, undefined); assert.strictEqual(err, undefined);
@ -111,6 +111,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
const testACLRequest2 = { const testACLRequest2 = {
bucketName, bucketName,
@ -121,6 +122,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
assert.strictEqual(err, undefined); assert.strictEqual(err, undefined);
@ -138,8 +140,8 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should set a canned private ACL ' + it('should set a canned private ACL '
'followed by a log-delivery-write ACL', done => { + 'followed by a log-delivery-write ACL', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
@ -149,6 +151,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
const testACLRequest2 = { const testACLRequest2 = {
bucketName, bucketName,
@ -159,6 +162,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -184,19 +188,20 @@ describe('putBucketACL API', () => {
headers: { headers: {
'host': `${bucketName}.s3.amazonaws.com`, 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-grant-full-control': 'x-amz-grant-full-control':
'emailaddress="sampleaccount1@sampling.com"' + 'emailaddress="sampleaccount1@sampling.com"'
',emailaddress="sampleaccount2@sampling.com"', + ',emailaddress="sampleaccount2@sampling.com"',
'x-amz-grant-read': `uri=${constants.logId}`, 'x-amz-grant-read': `uri=${constants.logId}`,
'x-amz-grant-write': `uri=${constants.publicId}`, 'x-amz-grant-write': `uri=${constants.publicId}`,
'x-amz-grant-read-acp': 'x-amz-grant-read-acp':
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' + 'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
'f8f8d5218e7cd47ef2be', + 'f8f8d5218e7cd47ef2be',
'x-amz-grant-write-acp': 'x-amz-grant-write-acp':
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' + 'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
'f8f8d5218e7cd47ef2bf', + 'f8f8d5218e7cd47ef2bf',
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
assert.strictEqual(err, undefined); assert.strictEqual(err, undefined);
@ -223,21 +228,22 @@ describe('putBucketACL API', () => {
headers: { headers: {
'host': `${bucketName}.s3.amazonaws.com`, 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-grant-full-control': 'x-amz-grant-full-control':
'emailaddress="sampleaccount1@sampling.com"' + 'emailaddress="sampleaccount1@sampling.com"'
',emailaddress="sampleaccount2@sampling.com"', + ',emailaddress="sampleaccount2@sampling.com"',
'x-amz-grant-read': 'x-amz-grant-read':
'emailaddress="sampleaccount1@sampling.com"', 'emailaddress="sampleaccount1@sampling.com"',
'x-amz-grant-write': 'x-amz-grant-write':
'emailaddress="sampleaccount1@sampling.com"', 'emailaddress="sampleaccount1@sampling.com"',
'x-amz-grant-read-acp': 'x-amz-grant-read-acp':
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' + 'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
'f8f8d5218e7cd47ef2be', + 'f8f8d5218e7cd47ef2be',
'x-amz-grant-write-acp': 'x-amz-grant-write-acp':
'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' + 'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
'f8f8d5218e7cd47ef2bf', + 'f8f8d5218e7cd47ef2bf',
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
assert.strictEqual(err, undefined); assert.strictEqual(err, undefined);
@ -260,8 +266,8 @@ describe('putBucketACL API', () => {
}); });
Object.keys(invalidIds).forEach(idType => { Object.keys(invalidIds).forEach(idType => {
it('should return an error if grantee canonical ID provided in ACL ' + it('should return an error if grantee canonical ID provided in ACL '
`request invalid because ${idType}`, done => { + `request invalid because ${idType}`, done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
@ -271,6 +277,7 @@ describe('putBucketACL API', () => {
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
return bucketPutACL(authInfo, testACLRequest, log, err => { return bucketPutACL(authInfo, testACLRequest, log, err => {
assert.deepStrictEqual(err, errors.InvalidArgument); assert.deepStrictEqual(err, errors.InvalidArgument);
@ -279,19 +286,20 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should return an error if invalid email ' + it('should return an error if invalid email '
'provided in ACL header request', done => { + 'provided in ACL header request', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { headers: {
'host': `${bucketName}.s3.amazonaws.com`, 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-grant-full-control': 'x-amz-grant-full-control':
'emailaddress="sampleaccount1@sampling.com"' + 'emailaddress="sampleaccount1@sampling.com"'
',emailaddress="nonexistentEmail@sampling.com"', + ',emailaddress="nonexistentEmail@sampling.com"',
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -305,52 +313,53 @@ describe('putBucketACL API', () => {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="CanonicalUser">' + + '<Grantee xsi:type="CanonicalUser">'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Grantee>' + + '</Grantee>'
'<Permission>FULL_CONTROL</Permission>' + + '<Permission>FULL_CONTROL</Permission>'
'</Grant>' + + '</Grant>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="Group">' + + '<Grantee xsi:type="Group">'
`<URI>${constants.publicId}</URI>` + + `<URI>${constants.publicId}</URI>`
'</Grantee>' + + '</Grantee>'
'<Permission>READ</Permission>' + + '<Permission>READ</Permission>'
'</Grant>' + + '</Grant>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="Group">' + + '<Grantee xsi:type="Group">'
`<URI>${constants.logId}</URI>` + + `<URI>${constants.logId}</URI>`
'</Grantee>' + + '</Grantee>'
'<Permission>WRITE</Permission>' + + '<Permission>WRITE</Permission>'
'</Grant>' + + '</Grant>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="AmazonCustomerByEmail">' + + '<Grantee xsi:type="AmazonCustomerByEmail">'
'<EmailAddress>sampleaccount1@sampling.com' + + '<EmailAddress>sampleaccount1@sampling.com'
'</EmailAddress>' + + '</EmailAddress>'
'</Grantee>' + + '</Grantee>'
'<Permission>WRITE_ACP</Permission>' + + '<Permission>WRITE_ACP</Permission>'
'</Grant>' + + '</Grant>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="CanonicalUser">' + + '<Grantee xsi:type="CanonicalUser">'
'<ID>79a59df900b949e55d96a1e698fbacedfd' + + '<ID>79a59df900b949e55d96a1e698fbacedfd'
'6e09d98eacf8f8d5218e7cd47ef2bf</ID>' + + '6e09d98eacf8f8d5218e7cd47ef2bf</ID>'
'</Grantee>' + + '</Grantee>'
'<Permission>READ_ACP</Permission>' + + '<Permission>READ_ACP</Permission>'
'</Grant>' + + '</Grant>'
'</AccessControlList>' + + '</AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -375,17 +384,18 @@ describe('putBucketACL API', () => {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList></AccessControlList>' + + '<AccessControlList></AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -408,16 +418,17 @@ describe('putBucketACL API', () => {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -438,29 +449,10 @@ describe('putBucketACL API', () => {
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
'<DisplayName>OwnerDisplayName</DisplayName>' + '<DisplayName>OwnerDisplayName</DisplayName>' +
'</Owner>' + '</Owner>' +
'<AccessControlList>' +
'<Grant>' +
'<Grantee xsi:type="CanonicalUser">' +
'<ID>79a59df900b949e55d96a1e698fbaced' +
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
'<DisplayName>OwnerDisplayName</DisplayName>' +
'</Grantee>' +
'<Permission>FULL_CONTROL</Permission>' +
'</Grant>' +
'</AccessControlList>' +
'<AccessControlList>' +
'<Grant>' +
'<Grantee xsi:type="CanonicalUser">' +
'<ID>79a59df900b949e55d96a1e698fbaced' +
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
'<DisplayName>OwnerDisplayName</DisplayName>' +
'</Grantee>' +
'<Permission>READ</Permission>' +
'</Grant>' +
'</AccessControlList>' +
'</AccessControlPolicy>', '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -469,30 +461,75 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should return an error if invalid grantee user ID ' + it('should return an error if multiple AccessControlList section', done => {
'provided in ACL request body', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="CanonicalUser">' + + '<Grantee xsi:type="CanonicalUser">'
'<ID>invalid_id</ID>' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'</Grantee>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<Permission>READ_ACP</Permission>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Grant>' + + '</Grantee>'
'</AccessControlList>' + + '<Permission>FULL_CONTROL</Permission>'
'</AccessControlPolicy>', + '</Grant>'
+ '</AccessControlList>'
+ '<AccessControlList>'
+ '<Grant>'
+ '<Grantee xsi:type="CanonicalUser">'
+ '<ID>79a59df900b949e55d96a1e698fbaced'
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
+ '<DisplayName>OwnerDisplayName</DisplayName>'
+ '</Grantee>'
+ '<Permission>READ</Permission>'
+ '</Grant>'
+ '</AccessControlList>'
+ '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
iamAuthzResults: false,
};
bucketPutACL(authInfo, testACLRequest, log, err => {
assert.deepStrictEqual(err, errors.MalformedACLError);
done();
});
});
it('should return an error if invalid grantee user ID '
+ 'provided in ACL request body', done => {
const testACLRequest = {
bucketName,
namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns='
+ '"http://s3.amazonaws.com/doc/2006-03-01/">'
+ '<Owner>'
+ '<ID>79a59df900b949e55d96a1e698fbaced'
+ 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
+ '<DisplayName>OwnerDisplayName</DisplayName>'
+ '</Owner>'
+ '<AccessControlList>'
+ '<Grant>'
+ '<Grantee xsi:type="CanonicalUser">'
+ '<ID>invalid_id</ID>'
+ '</Grantee>'
+ '<Permission>READ_ACP</Permission>'
+ '</Grant>'
+ '</AccessControlList>'
+ '</AccessControlPolicy>',
url: '/?acl',
query: { acl: '' },
actionImplicitDenies: false,
}; };
return bucketPutACL(authInfo, testACLRequest, log, err => { return bucketPutACL(authInfo, testACLRequest, log, err => {
@ -501,30 +538,31 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should return an error if invalid email ' + it('should return an error if invalid email '
'address provided in ACLs set out in request body', done => { + 'address provided in ACLs set out in request body', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="AmazonCustomerByEmail">' + + '<Grantee xsi:type="AmazonCustomerByEmail">'
'<EmailAddress>xyz@amazon.com</EmailAddress>' + + '<EmailAddress>xyz@amazon.com</EmailAddress>'
'</Grantee>' + + '</Grantee>'
'<Permission>WRITE_ACP</Permission>' + + '<Permission>WRITE_ACP</Permission>'
'</Grant>' + + '</Grant>'
'</AccessControlList>' + + '</AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress); assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress);
@ -542,24 +580,25 @@ describe('putBucketACL API', () => {
* "Grant" which is part of the s3 xml scheme for ACLs * "Grant" which is part of the s3 xml scheme for ACLs
* so an error should be returned * so an error should be returned
*/ */
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<PowerGrant>' + + '<PowerGrant>'
'<Grantee xsi:type="AmazonCustomerByEmail">' + + '<Grantee xsi:type="AmazonCustomerByEmail">'
'<EmailAddress>xyz@amazon.com</EmailAddress>' + + '<EmailAddress>xyz@amazon.com</EmailAddress>'
'</Grantee>' + + '</Grantee>'
'<Permission>WRITE_ACP</Permission>' + + '<Permission>WRITE_ACP</Permission>'
'</PowerGrant>' + + '</PowerGrant>'
'</AccessControlList>' + + '</AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -579,32 +618,33 @@ describe('putBucketACL API', () => {
* "Grant" which is part of the s3 xml scheme for ACLs * "Grant" which is part of the s3 xml scheme for ACLs
* so an error should be returned * so an error should be returned
*/ */
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="CanonicalUser">' + + '<Grantee xsi:type="CanonicalUser">'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Grantee>' + + '</Grantee>'
'<Permission>FULL_CONTROL</Permission>' + + '<Permission>FULL_CONTROL</Permission>'
'</Grant>' + + '</Grant>'
'<PowerGrant>' + + '<PowerGrant>'
'<Grantee xsi:type="AmazonCustomerByEmail">' + + '<Grantee xsi:type="AmazonCustomerByEmail">'
'<EmailAddress>xyz@amazon.com</EmailAddress>' + + '<EmailAddress>xyz@amazon.com</EmailAddress>'
'</Grantee>' + + '</Grantee>'
'<Permission>WRITE_ACP</Permission>' + + '<Permission>WRITE_ACP</Permission>'
'</PowerGrant>' + + '</PowerGrant>'
'</AccessControlList>' + + '</AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -622,24 +662,25 @@ describe('putBucketACL API', () => {
// so an error should be returned // so an error should be returned
post: { post: {
'<AccessControlPolicy xmlns': '<AccessControlPolicy xmlns':
'"http://s3.amazonaws.com/doc/2006-03-01/">' + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'<Owner>' + + '<Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="AmazonCustomerByEmail">' + + '<Grantee xsi:type="AmazonCustomerByEmail">'
'<EmailAddress>xyz@amazon.com</EmailAddress>' + + '<EmailAddress>xyz@amazon.com</EmailAddress>'
'<Grantee>' + + '<Grantee>'
'<Permission>WRITE_ACP</Permission>' + + '<Permission>WRITE_ACP</Permission>'
'<Grant>' + + '<Grant>'
'<AccessControlList>' + + '<AccessControlList>'
'<AccessControlPolicy>', + '<AccessControlPolicy>',
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -648,32 +689,33 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should return an error if invalid group ' + it('should return an error if invalid group '
'uri provided in ACLs set out in request body', done => { + 'uri provided in ACLs set out in request body', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
// URI in grant below is not valid group URI for s3 // URI in grant below is not valid group URI for s3
post: '<AccessControlPolicy xmlns=' + post: '<AccessControlPolicy xmlns='
'"http://s3.amazonaws.com/doc/2006-03-01/">' + + '"http://s3.amazonaws.com/doc/2006-03-01/">'
'<Owner>' + + '<Owner>'
'<ID>79a59df900b949e55d96a1e698fbaced' + + '<ID>79a59df900b949e55d96a1e698fbaced'
'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' + + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
'<DisplayName>OwnerDisplayName</DisplayName>' + + '<DisplayName>OwnerDisplayName</DisplayName>'
'</Owner>' + + '</Owner>'
'<AccessControlList>' + + '<AccessControlList>'
'<Grant>' + + '<Grant>'
'<Grantee xsi:type="Group">' + + '<Grantee xsi:type="Group">'
'<URI>http://acs.amazonaws.com/groups/' + + '<URI>http://acs.amazonaws.com/groups/'
'global/NOTAVALIDGROUP</URI>' + + 'global/NOTAVALIDGROUP</URI>'
'</Grantee>' + + '</Grantee>'
'<Permission>READ</Permission>' + + '<Permission>READ</Permission>'
'</Grant>' + + '</Grant>'
'</AccessControlList>' + + '</AccessControlList>'
'</AccessControlPolicy>', + '</AccessControlPolicy>',
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {
@ -682,19 +724,20 @@ describe('putBucketACL API', () => {
}); });
}); });
it('should return an error if invalid group uri' + it('should return an error if invalid group uri'
'provided in ACL header request', done => { + 'provided in ACL header request', done => {
const testACLRequest = { const testACLRequest = {
bucketName, bucketName,
namespace, namespace,
headers: { headers: {
'host': `${bucketName}.s3.amazonaws.com`, 'host': `${bucketName}.s3.amazonaws.com`,
'x-amz-grant-full-control': 'x-amz-grant-full-control':
'uri="http://acs.amazonaws.com/groups/' + 'uri="http://acs.amazonaws.com/groups/'
'global/NOTAVALIDGROUP"', + 'global/NOTAVALIDGROUP"',
}, },
url: '/?acl', url: '/?acl',
query: { acl: '' }, query: { acl: '' },
actionImplicitDenies: false,
}; };
bucketPutACL(authInfo, testACLRequest, log, err => { bucketPutACL(authInfo, testACLRequest, log, err => {

View File

@ -3,13 +3,13 @@ const { errors } = require('arsenal');
const { bucketPut } = require('../../../lib/api/bucketPut'); const { bucketPut } = require('../../../lib/api/bucketPut');
const bucketPutCors = require('../../../lib/api/bucketPutCors'); const bucketPutCors = require('../../../lib/api/bucketPutCors');
const { _validator, parseCorsXml } const { _validator, parseCorsXml } = require('../../../lib/api/apiUtils/bucket/bucketCors');
= require('../../../lib/api/apiUtils/bucket/bucketCors'); const {
const { cleanup, cleanup,
DummyRequestLogger, DummyRequestLogger,
makeAuthInfo, makeAuthInfo,
CorsConfigTester } CorsConfigTester,
= require('../helpers'); } = require('../helpers');
const metadata = require('../../../lib/metadata/wrapper'); const metadata = require('../../../lib/metadata/wrapper');
const log = new DummyRequestLogger(); const log = new DummyRequestLogger();
@ -19,6 +19,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function _testPutBucketCors(authInfo, request, log, errCode, cb) { function _testPutBucketCors(authInfo, request, log, errCode, cb) {
@ -30,13 +31,13 @@ function _testPutBucketCors(authInfo, request, log, errCode, cb) {
} }
function _generateSampleXml(value) { function _generateSampleXml(value) {
const xml = '<CORSConfiguration>' + const xml = '<CORSConfiguration>'
'<CORSRule>' + + '<CORSRule>'
'<AllowedMethod>PUT</AllowedMethod>' + + '<AllowedMethod>PUT</AllowedMethod>'
'<AllowedOrigin>www.example.com</AllowedOrigin>' + + '<AllowedOrigin>www.example.com</AllowedOrigin>'
`${value}` + + `${value}`
'</CORSRule>' + + '</CORSRule>'
'</CORSConfiguration>'; + '</CORSConfiguration>';
return xml; return xml;
} }
@ -125,8 +126,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
it('should return MalformedXML if more than one ID per rule', done => { it('should return MalformedXML if more than one ID per rule', done => {
const testValue = 'testid'; const testValue = 'testid';
const xml = _generateSampleXml(`<ID>${testValue}</ID>` + const xml = _generateSampleXml(`<ID>${testValue}</ID>`
`<ID>${testValue}</ID>`); + `<ID>${testValue}</ID>`);
parseCorsXml(xml, log, err => { parseCorsXml(xml, log, err => {
assert(err, 'Expected error but found none'); assert(err, 'Expected error but found none');
assert.deepStrictEqual(err, errors.MalformedXML); assert.deepStrictEqual(err, errors.MalformedXML);
@ -157,8 +158,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
describe('validateMaxAgeSeconds ', () => { describe('validateMaxAgeSeconds ', () => {
it('should validate successfully for valid value', done => { it('should validate successfully for valid value', done => {
const testValue = 60; const testValue = 60;
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` + const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
'</MaxAgeSeconds>'); + '</MaxAgeSeconds>');
parseCorsXml(xml, log, (err, result) => { parseCorsXml(xml, log, (err, result) => {
assert.strictEqual(err, null, `Found unexpected err ${err}`); assert.strictEqual(err, null, `Found unexpected err ${err}`);
assert.strictEqual(typeof result[0].maxAgeSeconds, 'number'); assert.strictEqual(typeof result[0].maxAgeSeconds, 'number');
@ -167,12 +168,13 @@ describe('PUT bucket cors :: helper validation functions ', () => {
}); });
}); });
it('should return MalformedXML if more than one MaxAgeSeconds ' + it('should return MalformedXML if more than one MaxAgeSeconds '
'per rule', done => { + 'per rule', done => {
const testValue = '60'; const testValue = '60';
const xml = _generateSampleXml( const xml = _generateSampleXml(
`<MaxAgeSeconds>${testValue}</MaxAgeSeconds>` + `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`
`<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`); + `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`,
);
parseCorsXml(xml, log, err => { parseCorsXml(xml, log, err => {
assert(err, 'Expected error but found none'); assert(err, 'Expected error but found none');
assert.deepStrictEqual(err, errors.MalformedXML); assert.deepStrictEqual(err, errors.MalformedXML);
@ -182,8 +184,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
it('should validate & return undefined if empty value', done => { it('should validate & return undefined if empty value', done => {
const testValue = ''; const testValue = '';
const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` + const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
'</MaxAgeSeconds>'); + '</MaxAgeSeconds>');
parseCorsXml(xml, log, (err, result) => { parseCorsXml(xml, log, (err, result) => {
assert.strictEqual(err, null, `Found unexpected err ${err}`); assert.strictEqual(err, null, `Found unexpected err ${err}`);
assert.strictEqual(result[0].MaxAgeSeconds, undefined); assert.strictEqual(result[0].MaxAgeSeconds, undefined);

View File

@ -14,6 +14,7 @@ const bucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
describe('bucketPutEncryption API', () => { describe('bucketPutEncryption API', () => {
@ -32,7 +33,8 @@ describe('bucketPutEncryption API', () => {
it('should reject a config with no Rule', done => { it('should reject a config with no Rule', done => {
bucketPutEncryption(authInfo, templateRequest(bucketName, bucketPutEncryption(authInfo, templateRequest(bucketName,
{ post: `<?xml version="1.0" encoding="UTF-8"?> {
post: `<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
</ServerSideEncryptionConfiguration>`, </ServerSideEncryptionConfiguration>`,
}), log, err => { }), log, err => {
@ -43,7 +45,8 @@ describe('bucketPutEncryption API', () => {
it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => { it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => {
bucketPutEncryption(authInfo, templateRequest(bucketName, bucketPutEncryption(authInfo, templateRequest(bucketName,
{ post: `<?xml version="1.0" encoding="UTF-8"?> {
post: `<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Rule></Rule> <Rule></Rule>
</ServerSideEncryptionConfiguration>`, </ServerSideEncryptionConfiguration>`,
@ -155,8 +158,8 @@ describe('bucketPutEncryption API', () => {
}); });
}); });
it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, ' + it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, '
'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided', + 'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
done => { done => {
const post = templateSSEConfig({ algorithm: 'AES256' }); const post = templateSSEConfig({ algorithm: 'AES256' });
bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => { bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
@ -177,8 +180,7 @@ describe('bucketPutEncryption API', () => {
}); });
done(); done();
}); });
} });
);
}); });
}); });
}); });

View File

@ -17,6 +17,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const expectedLifecycleConfig = { const expectedLifecycleConfig = {

View File

@ -15,6 +15,7 @@ const bucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const expectedNotifConfig = { const expectedNotifConfig = {
@ -52,6 +53,7 @@ function getNotifRequest(empty) {
host: `${bucketName}.s3.amazonaws.com`, host: `${bucketName}.s3.amazonaws.com`,
}, },
post: notifXml, post: notifXml,
actionImplicitDenies: false,
}; };
return putNotifConfigRequest; return putNotifConfigRequest;
} }

View File

@ -15,6 +15,7 @@ const bucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const objectLockXml = '<ObjectLockConfiguration ' + const objectLockXml = '<ObjectLockConfiguration ' +
@ -30,6 +31,7 @@ const putObjLockRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
post: objectLockXml, post: objectLockXml,
actionImplicitDenies: false,
}; };
const expectedObjectLockConfig = { const expectedObjectLockConfig = {

View File

@ -15,6 +15,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
let expectedBucketPolicy = {}; let expectedBucketPolicy = {};
@ -25,6 +26,7 @@ function getPolicyRequest(policy) {
host: `${bucketName}.s3.amazonaws.com`, host: `${bucketName}.s3.amazonaws.com`,
}, },
post: JSON.stringify(policy), post: JSON.stringify(policy),
actionImplicitDenies: false,
}; };
} }
@ -76,7 +78,7 @@ describe('putBucketPolicy API', () => {
}); });
}); });
it('should return error if policy contains conditions', done => { it.skip('should return error if policy contains conditions', done => {
expectedBucketPolicy.Statement[0].Condition = expectedBucketPolicy.Statement[0].Condition =
{ StringEquals: { 's3:x-amz-acl': ['public-read'] } }; { StringEquals: { 's3:x-amz-acl': ['public-read'] } };
bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log, bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log,

View File

@ -19,6 +19,7 @@ const testBucketPutRequest = {
bucketName, bucketName,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
function _getPutWebsiteRequest(xml) { function _getPutWebsiteRequest(xml) {
@ -29,6 +30,7 @@ function _getPutWebsiteRequest(xml) {
}, },
url: '/?website', url: '/?website',
query: { website: '' }, query: { website: '' },
actionImplicitDenies: false,
}; };
request.post = xml; request.post = xml;
return request; return request;

View File

@ -28,6 +28,7 @@ const testPutBucketRequest = new DummyRequest({
namespace, namespace,
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
url: '/', url: '/',
actionImplicitDenies: false,
}); });
const testDeleteRequest = new DummyRequest({ const testDeleteRequest = new DummyRequest({
bucketName, bucketName,
@ -35,6 +36,7 @@ const testDeleteRequest = new DummyRequest({
objectKey: objectName, objectKey: objectName,
headers: {}, headers: {},
url: `/${bucketName}/${objectName}`, url: `/${bucketName}/${objectName}`,
actionImplicitDenies: false,
}); });
function _createBucketPutVersioningReq(status) { function _createBucketPutVersioningReq(status) {
@ -45,6 +47,7 @@ function _createBucketPutVersioningReq(status) {
}, },
url: '/?versioning', url: '/?versioning',
query: { versioning: '' }, query: { versioning: '' },
actionImplicitDenies: false,
}; };
const xml = '<VersioningConfiguration ' + const xml = '<VersioningConfiguration ' +
'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
@ -62,6 +65,7 @@ function _createMultiObjectDeleteRequest(numObjects) {
}, },
url: '/?delete', url: '/?delete',
query: { delete: '' }, query: { delete: '' },
actionImplicitDenies: false,
}; };
const xml = []; const xml = [];
xml.push('<?xml version="1.0" encoding="UTF-8"?>'); xml.push('<?xml version="1.0" encoding="UTF-8"?>');

View File

@ -58,11 +58,13 @@ const baseTestRequest = {
post: '', post: '',
headers: { host: `${bucketName}.s3.amazonaws.com` }, headers: { host: `${bucketName}.s3.amazonaws.com` },
query: {}, query: {},
actionImplicitDenies: false,
}; };
const serviceGetRequest = { const serviceGetRequest = {
parsedHost: 's3.amazonaws.com', parsedHost: 's3.amazonaws.com',
headers: { host: 's3.amazonaws.com' }, headers: { host: 's3.amazonaws.com' },
url: '/', url: '/',
actionImplicitDenies: false,
}; };
const userBucketOwner = 'admin'; const userBucketOwner = 'admin';
@ -103,7 +105,6 @@ function confirmDeleted(done) {
}); });
} }
describe('deleted flag bucket handling', () => { describe('deleted flag bucket handling', () => {
beforeEach(done => { beforeEach(done => {
cleanup(); cleanup();

View File

@ -32,6 +32,7 @@ describe('listMultipartUploads API', () => {
namespace, namespace,
headers: {}, headers: {},
url: `/${bucketName}`, url: `/${bucketName}`,
actionImplicitDenies: false,
}; };
const testInitiateMPURequest1 = { const testInitiateMPURequest1 = {
bucketName, bucketName,
@ -39,6 +40,7 @@ describe('listMultipartUploads API', () => {
objectKey: objectName1, objectKey: objectName1,
headers: {}, headers: {},
url: `/${bucketName}/${objectName1}?uploads`, url: `/${bucketName}/${objectName1}?uploads`,
actionImplicitDenies: false,
}; };
const testInitiateMPURequest2 = { const testInitiateMPURequest2 = {
bucketName, bucketName,
@ -46,6 +48,7 @@ describe('listMultipartUploads API', () => {
objectKey: objectName2, objectKey: objectName2,
headers: {}, headers: {},
url: `/${bucketName}/${objectName2}?uploads`, url: `/${bucketName}/${objectName2}?uploads`,
actionImplicitDenies: false,
}; };
const testInitiateMPURequest3 = { const testInitiateMPURequest3 = {
bucketName, bucketName,
@ -53,6 +56,7 @@ describe('listMultipartUploads API', () => {
objectKey: objectName3, objectKey: objectName3,
headers: {}, headers: {},
url: `/${bucketName}/${objectName3}?uploads`, url: `/${bucketName}/${objectName3}?uploads`,
actionImplicitDenies: false,
}; };
it('should return the name of the common prefix ' + it('should return the name of the common prefix ' +
@ -65,6 +69,7 @@ describe('listMultipartUploads API', () => {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads&delimiter=/&prefix=sub`, url: `/${bucketName}?uploads&delimiter=/&prefix=sub`,
query: { delimiter, prefix }, query: { delimiter, prefix },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -94,6 +99,7 @@ describe('listMultipartUploads API', () => {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads`, url: `/${bucketName}?uploads`,
query: {}, query: {},
actionImplicitDenies: false,
}; };
@ -127,6 +133,7 @@ describe('listMultipartUploads API', () => {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads`, url: `/${bucketName}?uploads`,
query: { 'max-uploads': '1' }, query: { 'max-uploads': '1' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -163,6 +170,7 @@ describe('listMultipartUploads API', () => {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads`, url: `/${bucketName}?uploads`,
query: { 'encoding-type': 'url' }, query: { 'encoding-type': 'url' },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([
@ -195,6 +203,7 @@ describe('listMultipartUploads API', () => {
headers: { host: '/' }, headers: { host: '/' },
url: `/${bucketName}?uploads`, url: `/${bucketName}?uploads`,
query: { 'key-marker': objectName1 }, query: { 'key-marker': objectName1 },
actionImplicitDenies: false,
}; };
async.waterfall([ async.waterfall([

Some files were not shown because too many files have changed in this diff Show More