Merge remote-tracking branch 'origin/w/7.70/bugfix/CLDSRV-616' into w/8.8/bugfix/CLDSRV-616

Merge remote-tracking branch 'origin/bugfix/CLDSRV-616' into w/7.70/bugfix/CLDSRV-616
CLDSRV-616: Bump version
2025-02-25 16:46:36 +02:00 · 2025-02-25 16:43:57 +02:00 · 2025-02-25 14:56:46 +02:00 · 2025-02-25 14:56:35 +02:00
2 changed files with 20 additions and 2 deletions
--- a/lib/api/apiUtils/authorization/permissionChecks.js
+++ b/lib/api/apiUtils/authorization/permissionChecks.js
@ -293,6 +293,10 @@ function _checkPrincipal(requester, principal) {
    if (principal === '*') {
        return true;
    }
+    // User in unauthenticated (anonymous request)
+    if (requester === undefined) {
+        return false;
+    }
    if (principal === requester) {
        return true;
    }
--- a/tests/unit/api/bucketPolicyAuth.js
+++ b/tests/unit/api/bucketPolicyAuth.js
@ -1,5 +1,6 @@
 const assert = require('assert');
 const { BucketInfo, BucketPolicy } = require('arsenal').models;
+const AuthInfo = require('arsenal').auth.AuthInfo;
 const constants = require('../../../constants');
 const { isBucketAuthorized, isObjAuthorized, validatePolicyResource }
    = require('../../../lib/api/apiUtils/authorization/permissionChecks');
@ -35,6 +36,9 @@ const basePolicyObj = {
 };
 const bucketName = 'matchme';
 const log = new DummyRequestLogger();
+const publicUserAuthInfo = new AuthInfo({
+    canonicalID: constants.publicId,
+});

 const authTests = [
    {
@ -292,11 +296,21 @@ describe('bucket policy authorization', () => {
        it('should allow access to public user if principal is set to "*"',
        done => {
            const allowed = isBucketAuthorized(bucket, bucAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
            assert.equal(allowed, true);
            done();
        });

+        it('should deny access to public user if principal is not set to "*"', function itFn(done) {
+            const newPolicy = this.test.basePolicy;
+            newPolicy.Statement[0].Principal = { AWS: authInfo.getArn() };
+            bucket.setBucketPolicy(newPolicy);
+            const allowed = isBucketAuthorized(bucket, bucAction,
+                constants.publicId, publicUserAuthInfo, log);
+            assert.equal(allowed, false);
+            done();
+        });
+
        authTests.forEach(t => {
            it(`${t.name}bucket owner`, function itFn(done) {
                const newPolicy = this.test.basePolicy;
@ -376,7 +390,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to public user if principal is set to "*"',
        done => {
            const allowed = isObjAuthorized(bucket, object, objAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
            assert.equal(allowed, true);
            done();
        });
Author	SHA1	Message	Date
Dimitrios Vasilas	e9441c6cbe	Merge remote-tracking branch 'origin/w/7.70/bugfix/CLDSRV-616' into w/8.8/bugfix/CLDSRV-616	2025-02-25 16:46:36 +02:00
Dimitrios Vasilas	c144a8cbe5	Merge remote-tracking branch 'origin/bugfix/CLDSRV-616' into w/7.70/bugfix/CLDSRV-616	2025-02-25 16:43:57 +02:00
Dimitrios Vasilas	965a80fe0d	CLDSRV-616: Bump version	2025-02-25 14:56:46 +02:00
Dimitrios Vasilas	d57e3a94b7	CLDSRV-616: Fix bucket policy check for anonymous req When checking bucket policies and the following conditions are true: - The request is anonymous (`--no-sign-request`) - There is a bucket policy with AWS principal Then `_getAccountId` is called in arn === undefined and causes an exception to be thrown. The reason is that vault return the following authInfo with anonymous requests: { arn: undefined, canonicalID: 'http://acs.amazonaws.com/groups/global/AllUsers', shortid: undefined, email: undefined, accountDisplayName: undefined, IAMdisplayName: undefined } The fix is to check is to check is arn === undefined and fail the check if the policy principal is not '*'	2025-02-25 14:56:35 +02:00