validate grants when setting ownership to `OwnershipBucketOwnerEnforced`

Signed-off-by: changlin.shi <changlin.shi@ly.com>
2 years ago · 2227888acc
4 changed files with 53 additions and 0 deletions
--- a/weed/s3api/s3acl/acl_helper.go
+++ b/weed/s3api/s3acl/acl_helper.go
@ -503,3 +503,13 @@ func GrantEquals(a, b *s3.Grant) bool {
 	}
 	return true
 }
 func GrantWithFullControl(accountId string) *s3.Grant {
 	return &s3.Grant{
 		Permission: &s3_constants.PermissionFullControl,
 		Grantee: &s3.Grantee{
 			Type: &s3_constants.GrantTypeCanonicalUser,
 			ID:   &accountId,
 		},
 	}
 }
--- a/weed/s3api/s3acl/acl_helper_test.go
+++ b/weed/s3api/s3acl/acl_helper_test.go
@ -706,3 +706,20 @@ func TestSetAcpGrantsHeader(t *testing.T) {
 		t.Fatalf("owner unexpect")
 	}
 }
 func TestGrantWithFullControl(t *testing.T) {
 	accountId := "Accountaskdfj"
 	expect := &s3.Grant{
 		Permission: &s3_constants.PermissionFullControl,
 		Grantee: &s3.Grantee{
 			Type: &s3_constants.GrantTypeCanonicalUser,
 			ID:   &accountId,
 		},
 	}
 	result := GrantWithFullControl(accountId)
 	if !GrantEquals(result, expect) {
 		t.Fatal("GrantWithFullControl not expect")
 	}
 }
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@ -6,6 +6,8 @@ import (
 	"errors"
 	"fmt"
 	"github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3account"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
 	"github.com/seaweedfs/seaweedfs/weed/util"
 	"math"
 	"net/http"
@ -400,6 +402,24 @@ func (s3a *S3ApiServer) PutBucketOwnershipControls(w http.ResponseWriter, r *htt
 	oldOwnership, ok := bucketEntry.Extended[s3_constants.ExtOwnershipKey]
 	if !ok || string(oldOwnership) != ownership {
 		// must reset bucket acl to default(bucket owner with full control permission) before setting ownership
 		// to `OwnershipBucketOwnerEnforced` (bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting)
 		if ownership == s3_constants.OwnershipBucketOwnerEnforced {
 			acpGrants := s3acl.GetAcpGrants(bucketEntry.Extended)
 			if len(acpGrants) != 1 {
 				s3err.WriteErrorResponse(w, r, s3err.InvalidBucketAclWithObjectOwnership)
 				return
 			}
 			bucketOwner := s3acl.GetAcpOwner(bucketEntry.Extended, s3account.AccountAdmin.Id)
 			expectGrant := s3acl.GrantWithFullControl(bucketOwner)
 			if s3acl.GrantEquals(acpGrants[0], expectGrant) {
 				s3err.WriteErrorResponse(w, r, s3err.InvalidBucketAclWithObjectOwnership)
 				return
 			}
 		}
 		if bucketEntry.Extended == nil {
 			bucketEntry.Extended = make(map[string][]byte)
 		}
--- a/weed/s3api/s3err/s3api_errors.go
+++ b/weed/s3api/s3err/s3api_errors.go
@ -109,6 +109,7 @@ const (
 	ErrRequestBytesExceed
 	OwnershipControlsNotFoundError
 	InvalidBucketAclWithObjectOwnership
 )
 // error code to APIError structure, these fields carry respective
@ -422,6 +423,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "The bucket ownership controls were not found",
 		HTTPStatusCode: http.StatusNotFound,
 	},
 	InvalidBucketAclWithObjectOwnership: {
 		Code:           "InvalidBucketAclWithObjectOwnership",
 		Description:    "Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting",
 		HTTPStatusCode: http.StatusNotFound,
 	},
 }
 // GetAPIError provides API Error for input API error code.