wip

scality · Jul 11, 2023 · c65067d · c65067d
1 parent 9a29d19
commit c65067d
Show file tree

Hide file tree

Showing 53 changed files with 234 additions and 90 deletions.
diff --git a/lib/api/api.js b/lib/api/api.js
@@ -165,6 +165,10 @@ const api = {
                     }
                 }
             }
+            // Specific APIs are not checking any ACLs or Bucket Policies.
+            if (apiMethod === 'bucketPut' || apiMethod === 'serviceGet' && isImplicitDeny) {
+                return errors.AccessDenied;
+            }
             return { returnTagCount, isImplicitDeny };
         }
 

diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -1,5 +1,6 @@
-const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
+const { evaluators, actionMaps, RequestContext, requestUtils } = require('arsenal').policies;
 const constants = require('../../../../constants');
+const { config } = require('../../../Config');
 
 const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
     assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants;
@@ -8,8 +9,8 @@ const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
 const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
     process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
 
-function checkBucketAcls(bucket, requestType, canonicalID, requesterIsNotUser) {
-    if (bucket.getOwner() === canonicalID && requesterIsNotUser) {
+function checkBucketAcls(bucket, requestType, canonicalID) {
+    if (bucket.getOwner() === canonicalID) {
         return true;
     }
 
@@ -198,6 +199,20 @@ function _checkBucketPolicyResources(request, resource, log) {
     return evaluators.isResourceApplicable(requestContext, resource, log);
 }
 
+function _checkBucketPolicyConditions(request, conditions, log) {
+    const ip = request ? requestUtils.getClientIp(request, config) : undefined;
+    if (!conditions) {
+        return true;
+    }
+    // build request context from the request!
+    const requestContext = new RequestContext(request.headers, request.query,
+        request.bucketName, request.objectKey, ip,
+        request.connection.encrypted, request.resourceType, 's3', null, null,
+        null, null, null, null, null, null, null, null, null,
+        request.objectLockRetentionDays);
+    return evaluators.meetConditions(requestContext, conditions, log);
+}
+
 function _getAccountId(arn) {
     // account or user arn is of format 'arn:aws:iam::<12-digit-acct-id>:etc...
     return arn.substr(13, 12);
@@ -255,12 +270,13 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
         const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
         const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
         const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
+        const conditionsMatch = _checkBucketPolicyConditions(request, s.Condition, log);
 
-        if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Deny') {
+        if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Deny') {
             // explicit deny trumps any allows, so return immediately
             return 'explicitDeny';
         }
-        if (principalMatch && actionMatch && resourceMatch && s.Effect === 'Allow') {
+        if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Allow') {
             permission = 'allow';
         }
         copiedStatement = copiedStatement.splice(1);
@@ -318,7 +334,7 @@ function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, i
         // check bucket has read access
         // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
         return isIdentityAndResourceAuthorized(isImplicitIdentityDeny,
-            isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request));
+            isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, isImplicitIdentityDeny, log, request));
     }
     let requesterIsNotUser = true;
     let arn = null;

diff --git a/lib/api/apiUtils/object/abortMultipartUpload.js b/lib/api/apiUtils/object/abortMultipartUpload.js
@@ -22,10 +22,11 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
     // but the requestType is the more general 'objectDelete'
     const metadataValParams = Object.assign({}, metadataValMPUparams);
     metadataValParams.requestType = 'objectPut';
+    const authzIdentityResult = request ? request.isImplicitIdentityDeny : true;
 
     async.waterfall([
         function checkDestBucketVal(next) {
-            metadataValidateBucketAndObj(metadataValParams, log,
+            metadataValidateBucketAndObj(metadataValParams, authzIdentityResult, log,
                 (err, destinationBucket) => {
                     if (err) {
                         return next(err, destinationBucket);

diff --git a/lib/api/bucketDelete.js b/lib/api/bucketDelete.js
@@ -34,7 +34,7 @@ function bucketDelete(authInfo, request, log, cb) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log,
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
         (err, bucketMD) => {
             const corsHeaders = collectCorsHeaders(request.headers.origin,
                 request.method, bucketMD);

diff --git a/lib/api/bucketDeleteEncryption.js b/lib/api/bucketDeleteEncryption.js
@@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             const sseConfig = bucket.getServerSideEncryption();

diff --git a/lib/api/bucketDeleteLifecycle.js b/lib/api/bucketDeleteLifecycle.js
@@ -21,7 +21,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
         requestType: 'bucketDeleteLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketDeletePolicy.js b/lib/api/bucketDeletePolicy.js
@@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
         requestType: 'bucketDeletePolicy',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketDeleteReplication.js b/lib/api/bucketDeleteReplication.js
@@ -21,7 +21,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
         requestType: 'bucketDeleteReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGet.js b/lib/api/bucketGet.js
@@ -351,7 +351,7 @@ function bucketGet(authInfo, request, log, callback) {
         listParams.marker = params.marker;
     }
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketGetACL.js b/lib/api/bucketGetACL.js
@@ -55,7 +55,7 @@ function bucketGetACL(authInfo, request, log, callback) {
         },
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketGetEncryption.js b/lib/api/bucketGetEncryption.js
@@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             // If sseInfo is present but the `mandatory` flag is not set

diff --git a/lib/api/bucketGetLifecycle.js b/lib/api/bucketGetLifecycle.js
@@ -24,7 +24,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
         requestType: 'bucketGetLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetNotification.js b/lib/api/bucketGetNotification.js
@@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetObjectLock.js b/lib/api/bucketGetObjectLock.js
@@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
         requestType: 'bucketGetObjectLock',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetPolicy.js b/lib/api/bucketGetPolicy.js
@@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetReplication.js b/lib/api/bucketGetReplication.js
@@ -24,7 +24,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
         requestType: 'bucketGetReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetVersioning.js b/lib/api/bucketGetVersioning.js
@@ -58,7 +58,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
         request,
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketHead.js b/lib/api/bucketHead.js
@@ -22,7 +22,7 @@ function bucketHead(authInfo, request, log, callback) {
         requestType: 'bucketHead',
         request,
     };
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketPutACL.js b/lib/api/bucketPutACL.js
@@ -105,7 +105,7 @@ function bucketPutACL(authInfo, request, log, callback) {
 
     return async.waterfall([
         function waterfall1(next) {
-            metadataValidateBucket(metadataValParams, log,
+            metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, bucket) => {
                 if (err) {
                     log.trace('request authorization failed', {

diff --git a/lib/api/bucketPutEncryption.js b/lib/api/bucketPutEncryption.js
@@ -28,7 +28,7 @@ function bucketPutEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             log.trace('parsing encryption config', { method: 'bucketPutEncryption' });

diff --git a/lib/api/bucketPutLifecycle.js b/lib/api/bucketPutLifecycle.js
@@ -43,7 +43,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
                 return next(null, configObj);
             });
         },
-        (lcConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (lcConfig, next) => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, bucket) => {
                 if (err) {
                     return next(err, bucket);

diff --git a/lib/api/bucketPutNotification.js b/lib/api/bucketPutNotification.js
@@ -34,7 +34,7 @@ function bucketPutNotification(authInfo, request, log, callback) {
             const notifConfig = notificationConfig.error ? undefined : notificationConfig;
             process.nextTick(() => next(notificationConfig.error, notifConfig));
         },
-        (notifConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (notifConfig, next) => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, bucket) => next(err, bucket, notifConfig)),
         (bucket, notifConfig, next) => {
             bucket.setNotificationConfiguration(notifConfig);

diff --git a/lib/api/bucketPutObjectLock.js b/lib/api/bucketPutObjectLock.js
@@ -41,7 +41,7 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
                 return next(configObj.error || null, configObj);
             });
         },
-        (objectLockConfig, next) => metadataValidateBucket(metadataValParams,
+        (objectLockConfig, next) => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny,
             log, (err, bucket) => {
                 if (err) {
                     return next(err, bucket);

diff --git a/lib/api/bucketPutPolicy.js b/lib/api/bucketPutPolicy.js
@@ -17,8 +17,7 @@ const { BucketPolicy } = models;
 function _checkNotImplementedPolicy(policyString) {
     // bucket names and key names cannot include "", so including those
     // isolates not implemented keys
-    return policyString.includes('"Condition"')
-    || policyString.includes('"Service"')
+    return policyString.includes('"Service"')
     || policyString.includes('"Federated"');
 }
 
@@ -70,7 +69,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
                 return next(null, bucketPolicy);
             });
         },
-        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, log,
+        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, bucket) => {
                 if (err) {
                     return next(err, bucket);

diff --git a/lib/api/bucketPutReplication.js b/lib/api/bucketPutReplication.js
@@ -37,7 +37,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
         // Check bucket user privileges and ensure versioning is 'Enabled'.
         (config, next) =>
             // TODO: Validate that destination bucket exists and has versioning.
-            metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+            metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log, (err, bucket) => {
                 if (err) {
                     return next(err);
                 }

diff --git a/lib/api/bucketPutTagging.js b/lib/api/bucketPutTagging.js
@@ -42,7 +42,7 @@ function bucketPutTagging(authInfo, request, log, callback) {
     };
     let bucket = null;
     return waterfall([
-        next => metadataValidateBucket(metadataValParams, log,
+        next => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, b) => {
                 bucket = b;
                 return next(err);

diff --git a/lib/api/bucketPutVersioning.js b/lib/api/bucketPutVersioning.js
@@ -94,7 +94,7 @@ function bucketPutVersioning(authInfo, request, log, callback) {
 
     return waterfall([
         next => _parseXML(request, log, next),
-        next => metadataValidateBucket(metadataValParams, log,
+        next => metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
             (err, bucket) => next(err, bucket)), // ignore extra null object,
         (bucket, next) => parseString(request.post, (err, result) => {
             // just for linting; there should not be any parsing error here

diff --git a/lib/api/completeMultipartUpload.js b/lib/api/completeMultipartUpload.js
@@ -120,7 +120,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
                 // at the destinationBucket level are same as objectPut
                 requestType: 'objectPut',
             };
-            metadataValidateBucketAndObj(metadataValParams, log, next);
+            metadataValidateBucketAndObj(metadataValParams, request.isImplicitIdentityDeny, log, next);
         },
         function validateMultipart(destBucket, objMD, next) {
             if (objMD) {

diff --git a/lib/api/initiateMultipartUpload.js b/lib/api/initiateMultipartUpload.js
@@ -262,7 +262,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
     }
 
     async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.isImplicitIdentityDeny, log,
             (error, destinationBucket) => {
                 const corsHeaders = collectCorsHeaders(request.headers.origin,
                     request.method, destinationBucket);

diff --git a/lib/api/listMultipartUploads.js b/lib/api/listMultipartUploads.js
@@ -105,7 +105,7 @@ function listMultipartUploads(authInfo, request, log, callback) {
         function waterfall1(next) {
             // Check final destination bucket for authorization rather
             // than multipart upload bucket
-            metadataValidateBucket(metadataValParams, log,
+            metadataValidateBucket(metadataValParams, request.isImplicitIdentityDeny, log,
                 (err, bucket) => next(err, bucket));
         },
         function getMPUBucket(bucket, next) {

diff --git a/lib/api/listParts.js b/lib/api/listParts.js
@@ -115,7 +115,7 @@ function listParts(authInfo, request, log, callback) {
 
     async.waterfall([
         function checkDestBucketVal(next) {
-            metadataValidateBucketAndObj(metadataValParams, log,
+            metadataValidateBucketAndObj(metadataValParams, request.isImplicitIdentityDeny, log,
                 (err, destinationBucket) => {
                     if (err) {
                         return next(err, destinationBucket, null);

diff --git a/lib/api/objectCopy.js b/lib/api/objectCopy.js
@@ -249,7 +249,7 @@ function objectCopy(authInfo, request, sourceBucket,
     }
     return async.waterfall([
         function checkDestAuth(next) {
-            return metadataValidateBucketAndObj(valPutParams, log,
+            return metadataValidateBucketAndObj(valPutParams, request.isImplicitIdentityDeny, log,
                 (err, destBucketMD, destObjMD) => {
                     if (err) {
                         log.debug('error validating put part of request',
@@ -267,7 +267,7 @@ function objectCopy(authInfo, request, sourceBucket,
                 });
         },
         function checkSourceAuthorization(destBucketMD, destObjMD, next) {
-            return metadataValidateBucketAndObj(valGetParams, log,
+            return metadataValidateBucketAndObj(valGetParams, request.isImplicitIdentityDeny, log,
                 (err, sourceBucketMD, sourceObjMD) => {
                     if (err) {
                         log.debug('error validating get part of request',

diff --git a/lib/api/objectDelete.js b/lib/api/objectDelete.js
@@ -59,7 +59,7 @@ function objectDelete(authInfo, request, log, cb) {
     const canonicalID = authInfo.getCanonicalID();
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(valParams, log,
+            return metadataValidateBucketAndObj(valParams, request.isImplicitIdentityDeny, log,
             (err, bucketMD, objMD) => {
                 if (err) {
                     return next(err, bucketMD);

diff --git a/lib/api/objectDeleteTagging.js b/lib/api/objectDeleteTagging.js
@@ -49,7 +49,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.isImplicitIdentityDeny, log,
           (err, bucket, objectMD) => {
               if (err) {
                   log.trace('request authorization failed',