add acl validation for s3 GetObjectHandler

2 years ago · daf5b4d59b
5 changed files with 80 additions and 4 deletions
--- a/weed/s3api/s3_constants/header.go
+++ b/weed/s3api/s3_constants/header.go
@ -38,6 +38,7 @@ const (
 	AmzTagCount               = "x-amz-tagging-count"
 	X_SeaweedFS_Header_Directory_Key = "x-seaweedfs-is-directory-key"
 	XSeaweedFSHeaderAmzBucketOwnerId = "x-seaweedfs-amz-bucket-owner-id"
 	// S3 ACL headers
 	AmzCannedAcl      = "X-Amz-Acl"
--- a/weed/s3api/s3acl/acl_helper.go
+++ b/weed/s3api/s3acl/acl_helper.go
@ -5,6 +5,7 @@ import (
 	"encoding/xml"
 	"github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/seaweedfs/seaweedfs/weed/filer"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
@ -503,3 +504,38 @@ func GrantEquals(a, b *s3.Grant) bool {
 	}
 	return true
 }
 func CheckObjectAccessForReadObject(r *http.Request, w http.ResponseWriter, entry *filer.Entry, bucketOwnerId string) (statusCode int, ok bool) {
 	if entry.IsDirectory() {
 		w.Header().Set(s3_constants.X_SeaweedFS_Header_Directory_Key, "true")
 		return http.StatusMethodNotAllowed, false
 	}
 	accountId := GetAccountId(r)
 	if len(accountId) == 0 {
 		glog.Warning("#checkObjectAccessForReadObject header[accountId] not exists!")
 		return http.StatusForbidden, false
 	}
 	//owner access
 	objectOwner := GetAcpOwner(entry.Extended, bucketOwnerId)
 	if accountId == objectOwner {
 		return http.StatusOK, true
 	}
 	//find in Grants
 	acpGrants := GetAcpGrants(entry.Extended)
 	if acpGrants != nil {
 		reqGrants := DetermineReqGrants(accountId, s3_constants.PermissionRead)
 		for _, requiredGrant := range reqGrants {
 			for _, grant := range acpGrants {
 				if GrantEquals(requiredGrant, grant) {
 					return http.StatusOK, true
 				}
 			}
 		}
 	}
 	glog.V(3).Infof("acl denied! request account id: %s", accountId)
 	return http.StatusForbidden, false
 }
--- a/weed/s3api/s3api_acp.go
+++ b/weed/s3api/s3api_acp.go
@ -27,3 +27,23 @@ func (s3a *S3ApiServer) checkAccessByOwnership(r *http.Request, bucket string) s
 	}
 	return s3err.ErrAccessDenied
 }
 // Check Object-Read related access
 // includes:
 // - GetObjectHandler
 //
 // offload object access validation to Filer layer
 // - s3acl.CheckObjectAccessForReadObject
 func (s3a *S3ApiServer) checkBucketAccessForReadObject(r *http.Request, bucket string) s3err.ErrorCode {
 	bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
 	if errCode != s3err.ErrNone {
 		return errCode
 	}
 	if bucketMetadata.ObjectOwnership != s3_constants.OwnershipBucketOwnerEnforced {
 		//offload object acl validation to filer layer
 		r.Header.Set(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId, *bucketMetadata.Owner.ID)
 	}
 	return s3err.ErrNone
 }
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@ -164,6 +164,12 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request)
 	bucket, object := s3_constants.GetBucketAndObject(r)
 	glog.V(3).Infof("GetObjectHandler %s %s", bucket, object)
 	errCode := s3a.checkBucketAccessForReadObject(r, bucket)
 	if errCode != s3err.ErrNone {
 		s3err.WriteErrorResponse(w, r, errCode)
 		return
 	}
 	if strings.HasSuffix(r.URL.Path, "/") {
 		s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
 		return
@ -371,14 +377,17 @@ func (s3a *S3ApiServer) proxyToFiler(w http.ResponseWriter, r *http.Request, des
 	}
 	defer util.CloseResponse(resp)
 	if resp.StatusCode == http.StatusPreconditionFailed {
 	switch resp.StatusCode {
 	case http.StatusPreconditionFailed:
 		s3err.WriteErrorResponse(w, r, s3err.ErrPreconditionFailed)
 		return
 	}
 	if resp.StatusCode == http.StatusRequestedRangeNotSatisfiable {
 	case http.StatusRequestedRangeNotSatisfiable:
 		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRange)
 		return
 	case http.StatusForbidden:
 		s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
 		return
 	default:
 	}
 	if r.Method == "DELETE" {
--- a/weed/server/filer_server_handlers_read.go
+++ b/weed/server/filer_server_handlers_read.go
@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3acl"
 	"github.com/seaweedfs/seaweedfs/weed/util/mem"
 	"io"
 	"math"
@ -107,6 +108,15 @@ func (fs *FilerServer) GetOrHeadHandler(w http.ResponseWriter, r *http.Request)
 		return
 	}
 	//s3 acl offload to filer
 	offloadHeaderBucketOwner := r.Header.Get(s3_constants.XSeaweedFSHeaderAmzBucketOwnerId)
 	if len(offloadHeaderBucketOwner) > 0 {
 		if statusCode, ok := s3acl.CheckObjectAccessForReadObject(r, w, entry, offloadHeaderBucketOwner); !ok {
 			w.WriteHeader(statusCode)
 			return
 		}
 	}
 	query := r.URL.Query()
 	if entry.IsDirectory() {