From 381b496132a48cdd3c9fe8504bca210e96b9ad59 Mon Sep 17 00:00:00 2001
From: "changlin.shi"
Date: Tue, 22 Nov 2022 16:18:02 +0800
Subject: [PATCH] acl for Initializing multipart upload
Signed-off-by: changlin.shi
---
 weed/s3api/s3api_acp.go | 22 +++++++++++++++----
 weed/s3api/s3api_object_handlers.go | 2 +-
 weed/s3api/s3api_object_multipart_handlers.go | 22 +++++++++----------
 3 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/weed/s3api/s3api_acp.go b/weed/s3api/s3api_acp.go
index ca79cb6d2..fb7309ab4 100644
--- a/weed/s3api/s3api_acp.go
+++ b/weed/s3api/s3api_acp.go
@@ -33,17 +33,31 @@ func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s
 return s3err.ErrAccessDenied
 }
 
-// Check Object-Write related access
+// CheckAccessForPutObject Check ACL for PutObject API
 // includes:
 // - PutObjectHandler
-// - PutObjectPartHandler
-func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object string) s3err.ErrorCode {
+func (s3a *S3ApiServer) CheckAccessForPutObject(r *http.Request, bucket, object string) s3err.ErrorCode {
+ accountId := s3acl.GetAccountId(r)
+ return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
+}
+
+// CheckAccessForNewMultipartUpload Check Acl for InitiateMultipartUploadResult API
+// includes:
+// - NewMultipartUploadHandler
+func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
+ accountId := s3acl.GetAccountId(r)
+ if accountId == IdentityAnonymous.AccountId {
+ return s3err.ErrAccessDenied
+ }
+ return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
+}
+
+func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, accountId string) s3err.ErrorCode {
 bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
 if errCode != s3err.ErrNone {
 return errCode
 }
- accountId := s3acl.GetAccountId(r)
 if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced {
 // validate grants (only bucketOwnerFullControl acl is allowed)
 _, grants, errCode := s3acl.ParseAndValidateAclHeaders(r, s3a.accountManager, bucketMetadata.ObjectOwnership, *bucketMetadata.Owner.ID, accountId, false)
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index 9885303a6..203e63b3d 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
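Review bot: CheckAccessForNewMultipartUpload short-circuits to ErrAccessDenied when the caller resolves to IdentityAnonymous, while CheckAccessForPutObject hands the same anonymous account straight to checkAccessForWriteObject, and nothing in the hunk records why the two write paths diverge, so a later reader will assume one of them is a mistake. Put the reason on the guard itself, e.g. `// Anonymous callers are never allowed to initiate a multipart upload, even where the bucket ACL would permit an anonymous PutObject.` The doc comments on the two exported methods are not in Go form and one names the response type rather than the operation; they should read `// CheckAccessForPutObject checks the ACL for the PutObject API.` and `// CheckAccessForNewMultipartUpload checks the ACL for the CreateMultipartUpload API.` Exporting these two while checkAccessByOwnership and checkAccessForWriteObject stay unexported also widens the S3ApiServer surface for no visible caller outside the package; keeping them unexported would match the rest of the file. checkAccessForWriteObject's body continues past the end of the hunk.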
@@ -99,7 +99,7 @@ func (s3a *S3ApiServer) PutObjectHandler(w http.ResponseWriter, r *http.Request)
 }
 defer dataReader.Close()
 
- errCode := s3a.checkAccessForWriteObject(r, bucket, object)
+ errCode := s3a.CheckAccessForPutObject(r, bucket, object)
 if errCode != s3err.ErrNone {
 s3err.WriteErrorResponse(w, r, errCode)
 return
diff --git a/weed/s3api/s3api_object_multipart_handlers.go b/weed/s3api/s3api_object_multipart_handlers.go
index 38e167f6b..7efb7b3dc 100644
--- a/weed/s3api/s3api_object_multipart_handlers.go
+++ b/weed/s3api/s3api_object_multipart_handlers.go
@@ -30,6 +30,13 @@ const (
 func (s3a *S3ApiServer) NewMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
 bucket, object := s3_constants.GetBucketAndObject(r)
 
+ //acl
+ errCode := s3a.CheckAccessForNewMultipartUpload(r, bucket, object)
+ if errCode != s3err.ErrNone {
+ s3err.WriteErrorResponse(w, r, errCode)
+ return
+ }
+
 createMultipartUploadInput := &s3.CreateMultipartUploadInput{
 Bucket: aws.String(bucket),
 Key: objectKey(aws.String(object)),
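Review bot: The check added at the top of NewMultipartUploadHandler becomes the only ACL gate in the multipart flow, because the PutObjectPartHandler hunk later in this patch removes both its checkAccessForWriteObject call and the AmzAccountId header it used to set; from then on the upload id itself is what authorizes UploadPart requests, and the handler does not visibly bind it to the account that passed this check. If that is the intended design, the initiating account should be recorded with the upload so that part and complete requests can be matched against it — the upload storage is outside this hunk, so that binding may already exist elsewhere. Either way `//acl` is too terse to carry the point; a comment such as `// ACL is checked once, at initiation: later UploadPart calls are not re-checked, so the upload id is their authorization.` would tell the next reader what the design relies on. The rename in the PutObjectHandler hunk above needs no comment.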
@@ -230,31 +237,22 @@ func (s3a *S3ApiServer) PutObjectPartHandler(w http.ResponseWriter, r *http.Requ if s3a.iam.isEnabled() { rAuthType := getRequestAuthType(r) var s3ErrCode s3err.ErrorCode - var identity *Identity switch rAuthType { case authTypeStreamingSigned: - dataReader, identity, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r) + dataReader, _, s3ErrCode = s3a.iam.newSignV4ChunkedReader(r) case authTypeSignedV2, authTypePresignedV2: - identity, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r) + _, s3ErrCode = s3a.iam.isReqAuthenticatedV2(r) case authTypePresigned, authTypeSigned: - identity, s3ErrCode = s3a.iam.reqSignatureV4Verify(r) + _, s3ErrCode = s3a.iam.reqSignatureV4Verify(r) } if s3ErrCode != s3err.ErrNone { s3err.WriteErrorResponse(w, r, s3ErrCode) return } - r.Header.Set(s3_constants.AmzAccountId, identity.AccountId) } defer dataReader.Close() glog.V(2).Infof("PutObjectPartHandler %s %s %04d", bucket, uploadID, partID) - - s3ErrCode := s3a.checkAccessForWriteObject(r, bucket, object) - if s3ErrCode != s3err.ErrNone { - s3err.WriteErrorResponse(w, r, s3ErrCode) - return - } - uploadUrl := fmt.Sprintf("http://%s%s/%s/%04d.part", s3a.option.Filer.ToHttpAddress(), s3a.genUploadsFolder(bucket), uploadID, partID)