
4 Commits

Author SHA1 Message Date
Maha Benzekri 7e87b8dedd
change cldsrv for more inputs 2024-07-11 15:26:58 +02:00
Maha Benzekri e72afd61cc
logs 2024-07-11 15:19:13 +02:00
Maha Benzekri 6e3fc1b7de
fixup 2024-07-11 15:19:12 +02:00
Maha Benzekri ff41f177e3
logs 2024-07-11 15:19:12 +02:00
3 changed files with 10 additions and 1 deletions


@ -60,7 +60,7 @@
},
"clusters": 1,
"log": {
"logLevel": "info",
"logLevel": "trace",
"dumpLevel": "error"
},
"healthChecks": {
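Review bot: The `"logLevel": "trace"` value in this config hunk looks like a debugging setting rather than something meant to be committed. Which of the two `logLevel` lines is the new one is inferred from the commit titles ("logs"), because the +/- markers are lost on this page. If trace is the new value, the service would presumably log far more per request, which raises both log volume and the amount of request and authorization data retained. Keeping `"logLevel": "info"` in the committed file and raising the level only in the local or test environment avoids that.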


@ -146,6 +146,7 @@ const api = {
const requestContexts = prepareRequestContexts(apiMethod, request,
sourceBucket, sourceObject, sourceVersionId);
log.info('requestContexts', { requestContexts });
// Extract all the _apiMethods and store them in an array
const apiMethods = requestContexts ? requestContexts.map(context => context._apiMethod) : [];
// Attach the names to the current request
@ -165,6 +166,7 @@ const api = {
// TODO add support for returnTagCount in the bucket policy
// checks
isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
log.info('isImplicitDeny', { authResults });
// second item checks s3:GetObject(Version)Tagging action
if (!authResults[1].isAllowed) {
log.trace('get tagging authorization denial ' +
@ -173,6 +175,7 @@ const api = {
}
} else {
for (let i = 0; i < authResults.length; i++) {
log.info('authResults', { authResults });
isImplicitDeny[authResults[i].action] = true;
if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
// Any explicit deny rejects the current API call
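Review bot: `log.info('authResults', { authResults });` sits inside the `for` loop in the third hunk, so the whole array is written once per element; it should be logged once before the loop and at a lower level, e.g. `log.trace('authResults', { authResults });`. The level concern also applies to `log.info('requestContexts', { requestContexts });` in the first hunk, which writes request contexts for every API call at info level; the fields a request context carries are not visible here, so it is worth confirming that nothing sensitive is serialized. In the second hunk the message `'isImplicitDeny'` labels a dump of `authResults`, not of `isImplicitDeny`. The enclosing function starts and ends outside these hunks.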


@ -571,7 +571,9 @@ function multiObjectDelete(authInfo, request, log, callback) {
};
return vault.checkPolicies(requestContextParams, authInfo.getArn(),
log, (err, authorizationResults) => {
log.info('received authorization results', { authorizationResults });
// there were no policies so received a blanket AccessDenied
log.info("checking error", { err });
if (err?.is.AccessDenied) {
objects.forEach(entry => {
errorResults.push({
@ -588,6 +590,8 @@ function multiObjectDelete(authInfo, request, log, callback) {
});
return next(err);
}
log.info('authorization results', { authorizationResults });
log.info("checking condition", { condition: objects.length !== authorizationResults.length })
if (objects.length !== authorizationResults.length) {
log.error('vault did not return correct number of ' +
'authorization results', {
@ -604,8 +608,10 @@ function multiObjectDelete(authInfo, request, log, callback) {
acc[apiMethod] = curr.isImplicit;
return acc;
}, {});
log.info("actionImplicitDenies", { actionImplicitDenies });
for (let i = 0; i < authorizationResults.length; i++) {
const result = authorizationResults[i];
log.info('checking authorization result', result);
// result is { isAllowed: true,
// arn: arn:aws:s3:::bucket/object,
// versionId: sampleversionId } unless not allowed
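Review bot: The six added `log.info` calls in `multiObjectDelete` read as temporary debugging output and should be removed or moved to `log.trace` before merge. `authorizationResults` is dumped in full twice (`'received authorization results'` and `'authorization results'`) and then once per element inside the loop, so one delete request yields a log line per object on top of two full dumps, each carrying the object ARN and version id described in the comment that follows. `log.info('checking authorization result', result);` passes the result itself as the fields object; the other calls wrap theirs, which here would be `{ result }`. `log.info("checking error", { err });` separates the `// there were no policies` comment from the `if` it describes, and the new lines mix double quotes and a missing semicolon into single-quoted code. The function body continues outside the hunks.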