From f1d63024007246125deb055071938e73af685803 Mon Sep 17 00:00:00 2001
From: "changlin.shi"
Date: Tue, 22 Nov 2022 16:47:28 +0800
Subject: [PATCH] acl for complete multipart uplod

Signed-off-by: changlin.shi
---
 weed/s3api/s3api_acp.go | 29 +++++++++++++++++++
 weed/s3api/s3api_object_multipart_handlers.go | 1 +
 2 files changed, 30 insertions(+)

diff --git a/weed/s3api/s3api_acp.go b/weed/s3api/s3api_acp.go
index fb7309ab4..e53fda373 100644
--- a/weed/s3api/s3api_acp.go
+++ b/weed/s3api/s3api_acp.go
@@ -52,6 +52,35 @@ func (s3a *S3ApiServer) CheckAccessForNewMultipartUpload(r *http.Request, bucket
 return s3a.checkAccessForWriteObject(r, bucket, object, accountId)
 }
 
+// CheckAccessForCompleteMultipartUpload Check Acl for CompleteMultipartUpload API
+// includes:
+// - CompleteMultipartUploadHandler
+func (s3a *S3ApiServer) CheckAccessForCompleteMultipartUpload(r *http.Request, bucket, object string) s3err.ErrorCode {
+ bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
+ if errCode != s3err.ErrNone {
+ return errCode
+ }
+
+ //bucket access allowed
+ accountId := s3acl.GetAccountId(r)
+ if accountId == *bucketMetadata.Owner.ID {
+ return s3err.ErrNone
+ } else {
+ if len(bucketMetadata.Acl) > 0 {
+ reqGrants := s3acl.DetermineReqGrants(accountId, s3_constants.PermissionWrite)
+ for _, bucketGrant := range bucketMetadata.Acl {
+ for _, requiredGrant := range reqGrants {
+ if s3acl.GrantEquals(bucketGrant, requiredGrant) {
+ return s3err.ErrNone
+ }
+ }
+ }
+ }
+ }
+ glog.V(3).Infof("acl denied! request account id: %s", accountId)
+ return s3err.ErrAccessDenied
+}
+
 func (s3a *S3ApiServer) checkAccessForWriteObject(r *http.Request, bucket, object, accountId string) s3err.ErrorCode {
 bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket)
 if errCode != s3err.ErrNone {
diff --git a/weed/s3api/s3api_object_multipart_handlers.go b/weed/s3api/s3api_object_multipart_handlers.go
index 7efb7b3dc..c4b65a7d5 100644
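Review bot: `CheckAccessForCompleteMultipartUpload` never reads its `object` parameter and consults only the bucket ACL, while `CheckAccessForNewMultipartUpload` just above delegates to `checkAccessForWriteObject(r, bucket, object, accountId)`, so a requester admitted at initiation can be denied at completion (or the reverse) depending on which grants live where. If bucket-only is intended, state it in the doc comment; otherwise replacing the grant loop with `return s3a.checkAccessForWriteObject(r, bucket, object, accountId)` after the owner short-circuit keeps the two multipart checks consistent. `*bucketMetadata.Owner.ID` dereferences `ID` with no nil guard, so a bucket whose metadata lacks an owner ID would panic inside the request path — I cannot tell from the hunk whether the registry guarantees it is set. The `else` after `return s3err.ErrNone` can be dropped so the grant loop sits at function level.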
--- a/weed/s3api/s3api_object_multipart_handlers.go
+++ b/weed/s3api/s3api_object_multipart_handlers.go
@@ -70,6 +70,7 @@ func (s3a *S3ApiServer) CompleteMultipartUploadHandler(w http.ResponseWriter, r
 // https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
 bucket, object := s3_constants.GetBucketAndObject(r)
+ s3a.CheckAccessForCompleteMultipartUpload(r, bucket, object)
 parts := &CompleteMultipartUpload{}
 if err := xmlDecoder(r.Body, parts, r.ContentLength); err != nil {
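Review bot: The result of `s3a.CheckAccessForCompleteMultipartUpload(r, bucket, object)` on the added line is discarded, so the ACL decision has no effect — a request the check denies still falls through to decode the parts and complete the upload, and `go vet` will not flag an ignored return value of this kind. The call has to gate the handler: `if errCode := s3a.CheckAccessForCompleteMultipartUpload(r, bucket, object); errCode != s3err.ErrNone { /* write errCode as the S3 error response, as the other handlers in this file do */ return }`, using whichever error-response helper this file already uses, which is not visible in the hunk. Until then the commit adds a log line at V(3) but no enforcement. `CompleteMultipartUploadHandler` continues past the end of the hunk.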