From e06676f007934ef20ae1429a097137a9b0466425 Mon Sep 17 00:00:00 2001
From: "ruitao.liu"
Date: Thu, 12 Nov 2020 16:15:59 +0800
Subject: [PATCH 1/3] check permission for bucket delete/head.
---
 weed/s3api/filer_util.go | 6 +++++
 weed/s3api/s3api_bucket_handlers.go | 36 ++++++++++++++---------------
 2 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/weed/s3api/filer_util.go b/weed/s3api/filer_util.go
index ebdbe8245..72df337a5 100644
--- a/weed/s3api/filer_util.go
+++ b/weed/s3api/filer_util.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/chrislusf/seaweedfs/weed/glog"
 	"github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
+	"github.com/chrislusf/seaweedfs/weed/util"
 )
 
 func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error {
@@ -75,6 +76,11 @@ func (s3a *S3ApiServer) exists(parentDirectoryPath string, entryName string, isD
 
 }
 
+func (s3a *S3ApiServer) get(parentDirectoryPath, entryName string) (entry *filer_pb.Entry, err error) {
+	fullPath := util.NewFullPath(parentDirectoryPath, entryName)
+	return filer_pb.GetEntry(s3a, fullPath)
+}
+
 func objectKey(key *string) *string {
 	if strings.HasPrefix(*key, "/") {
 		t := (*key)[1:]
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index bd3d7fd58..744f22617 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -120,6 +120,15 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
 
 	bucket, _ := getBucketAndObject(r)
 
+	if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil {
+		if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+			if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+				writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+				return
+			}
+		}
+	}
+
 	err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
 
 		// delete collection
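Review bot: `get` lands without a doc comment, and its named results `entry` and `err` are never referenced in the body, so a plain `(*filer_pb.Entry, error)` result list would read cleaner. Callers later in this series compare the returned error with `filer_pb.ErrNotFound`, so the comment should pin that contract; something like `// get looks up parentDirectoryPath/entryName through the filer. A missing entry is reported as filer_pb.ErrNotFound; any other error means the lookup itself failed.` That wording assumes filer_pb.GetEntry does return that sentinel, which is not visible in this hunk and should be confirmed before the comment is committed.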
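Review bot: The owner check compares `entry.Extended[xhttp.AmzIdentityId]` with `r.Header.Get(xhttp.AmzIdentityId)` taken straight from the request, so it is only as strong as the guarantee that the authentication layer overwrites that header with the verified identity before this handler runs; if a client-supplied value can reach this point unchanged (for example when no authentication is configured), the comparison does not protect the bucket. That guarantee is not visible in the hunk, so it should be recorded next to the check: `// AmzIdentityId must be the identity established by the auth layer, never a client-supplied header value.` The same comparison is repeated in the HeadBucketHandler hunk of this patch and in patches 2 and 3, and the same comment applies there. It is also worth stating that a bucket with no recorded owner is left open to every identity, since that is the deliberate outcome of the `ok` branch. DeleteBucketHandler begins before and continues after this hunk.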
@@ -149,28 +158,17 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
 
 	bucket, _ := getBucketAndObject(r)
 
-	err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
-
-		request := &filer_pb.LookupDirectoryEntryRequest{
-			Directory: s3a.option.BucketsPath,
-			Name: bucket,
-		}
-
-		glog.V(1).Infof("lookup bucket: %v", request)
-		if _, err := filer_pb.LookupEntry(client, request); err != nil {
-			if err == filer_pb.ErrNotFound {
-				return filer_pb.ErrNotFound
-			}
-			return fmt.Errorf("lookup bucket %s/%s: %v", s3a.option.BucketsPath, bucket, err)
-		}
-
-		return nil
-	})
-
-	if err != nil {
+	entry, err := s3a.get(s3a.option.BucketsPath, bucket)
+	if entry == nil || err != nil {
 		writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
 		return
 	}
+	if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+		if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+			writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+			return
+		}
+	}
 
 	writeSuccessResponseEmpty(w)
 }
From ab966410d2a180344d0275354aeac5c599bb7c66 Mon Sep 17 00:00:00 2001
From: "ruitao.liu"
Date: Thu, 12 Nov 2020 16:44:16 +0800
Subject: [PATCH 2/3] return NoSuchBucket instead of InternalError delete non-existed bucket.
---
 weed/s3api/s3api_bucket_handlers.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 744f22617..1e6d710be 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
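Review bot: `if entry == nil || err != nil` folds every lookup failure into NoSuchBucket, so a filer outage during HEAD is reported to the client as a missing bucket rather than a server error; the DeleteBucketHandler hunk in patch 2 has the same shape with `err == filer_pb.ErrNotFound` and still answers NoSuchBucket for a nil entry on any other error. Reserve NoSuchBucket for the not-found sentinel: `if err != nil && err != filer_pb.ErrNotFound { writeErrorResponse(w, s3err.ErrInternalError, r.URL); return }` followed by `if entry == nil { writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL); return }` (the patch 2 subject line refers to an InternalError code, so one is presumably available in s3err). The removed closure also dropped the `glog.V(1)` lookup trace and the `fmt.Errorf` wrapping; if those were the only uses of `glog` or `fmt` in this file the imports need trimming, which this hunk does not show. HeadBucketHandler begins before this hunk.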
@@ -120,16 +120,19 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
 
 	bucket, _ := getBucketAndObject(r)
 
-	if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil {
-		if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
-			if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
-				writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
-				return
-			}
+	entry, err := s3a.get(s3a.option.BucketsPath, bucket)
+	if entry == nil || err == filer_pb.ErrNotFound {
+		writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
+		return
+	}
+	if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+		if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+			writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+			return
 		}
 	}
 
-	err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
+	err = s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
 
 		// delete collection
 		deleteCollectionRequest := &filer_pb.DeleteCollectionRequest{
From c4f0fd6e1b2b66a988831bbcec15033aedb79420 Mon Sep 17 00:00:00 2001
From: "ruitao.liu"
Date: Thu, 12 Nov 2020 17:59:31 +0800
Subject: [PATCH 3/3] skip if entry.Extended map is nil.
---
 weed/s3api/s3api_bucket_handlers.go | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 1e6d710be..6b2ed8ef2 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -125,10 +125,13 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque
 		writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
 		return
 	}
-	if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
-		if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
-			writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
-			return
+
+	if entry.Extended != nil {
+		if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+			if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+				writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+				return
+			}
 		}
 	}
 
@@ -166,10 +169,13 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request
 		writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
 		return
 	}
-	if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
-		if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
-			writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
-			return
+
+	if entry.Extended != nil {
+		if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+			if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+				writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+				return
+			}
 		}
 	}
 
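Review bot: The added `if entry.Extended != nil` guard is redundant: reading from a nil map in Go returns the zero value with `ok == false`, so the existing `if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok` already skips the owner check safely, and only a write to a nil map would panic. The guard adds a nesting level in both this hunk and the HeadBucketHandler hunk below it without changing behaviour; if it is kept for readability, a comment such as `// reading a nil map is safe; this guard only documents the unowned-bucket case` would stop the next reader from hunting for the panic it appears to prevent. Both enclosing functions begin before and continue after their hunks.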