diff --git a/weed/s3api/s3api_acp.go b/weed/s3api/s3api_acp.go index 6d2a62965..f5d0bc967 100644 --- a/weed/s3api/s3api_acp.go +++ b/weed/s3api/s3api_acp.go @@ -63,3 +63,39 @@ func (s3a *S3ApiServer) checkAccessForPutBucketAcl(accountId, bucket string) (*B func updateBucketEntry(s3a *S3ApiServer, entry *filer_pb.Entry) error { return s3a.updateEntry(s3a.option.BucketsPath, entry) } + +// Check Bucket/BucketAcl Read related access +// includes: +// - HeadBucketHandler +// - GetBucketAclHandler +// - ListObjectsV1Handler +// - ListObjectsV2Handler +func (s3a *S3ApiServer) checkAccessForReadBucket(r *http.Request, bucket, aclAction string) (*BucketMetaData, s3err.ErrorCode) { + bucketMetadata, errCode := s3a.bucketRegistry.GetBucketMetadata(bucket) + if errCode != s3err.ErrNone { + return nil, errCode + } + + if bucketMetadata.ObjectOwnership == s3_constants.OwnershipBucketOwnerEnforced { + return bucketMetadata, s3err.ErrNone + } + + accountId := s3acl.GetAccountId(r) + if accountId == s3account.AccountAdmin.Id || accountId == *bucketMetadata.Owner.ID { + return bucketMetadata, s3err.ErrNone + } + + if len(bucketMetadata.Acl) > 0 { + reqGrants := s3acl.DetermineReqGrants(accountId, aclAction) + for _, bucketGrant := range bucketMetadata.Acl { + for _, reqGrant := range reqGrants { + if s3acl.GrantEquals(bucketGrant, reqGrant) { + return bucketMetadata, s3err.ErrNone + } + } + } + } + + glog.V(3).Infof("acl denied! request account id: %s", accountId) + return nil, s3err.ErrAccessDenied +} diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index db84be783..6089ed6db 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -202,6 +202,11 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request bucket, _ := s3_constants.GetBucketAndObject(r) glog.V(3).Infof("HeadBucketHandler %s", bucket) + _, errorCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead) + if errorCode != s3err.ErrNone { + s3err.WriteErrorResponse(w, r, errorCode) + return + } if entry, err := s3a.getEntry(s3a.option.BucketsPath, bucket); entry == nil || err == filer_pb.ErrNotFound { s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchBucket) return @@ -287,37 +292,19 @@ func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Reque bucket, _ := s3_constants.GetBucketAndObject(r) glog.V(3).Infof("GetBucketAclHandler %s", bucket) - if err := s3a.checkBucket(r, bucket); err != s3err.ErrNone { - s3err.WriteErrorResponse(w, r, err) + bucketMetadata, errorCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionReadAcp) + if s3err.ErrNone != errorCode { + s3err.WriteErrorResponse(w, r, errorCode) return } - response := AccessControlPolicy{} - for _, ident := range s3a.iam.identities { - if len(ident.Credentials) == 0 { - continue - } - for _, action := range ident.Actions { - if !action.overBucket(bucket) || action.getPermission() == "" { - continue - } - id := ident.Credentials[0].AccessKey - if response.Owner.DisplayName == "" && action.isOwner(bucket) && len(ident.Credentials) > 0 { - response.Owner.DisplayName = ident.Name - response.Owner.ID = id - } - response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{ - Grantee: Grantee{ - ID: id, - DisplayName: ident.Name, - Type: "CanonicalUser", - XMLXSI: "CanonicalUser", - XMLNS: "http://www.w3.org/2001/XMLSchema-instance"}, - Permission: action.getPermission(), - }) - } + acp := &s3.PutBucketAclInput{ + AccessControlPolicy: &s3.AccessControlPolicy{ + Grants: bucketMetadata.Acl, + Owner: bucketMetadata.Owner, + }, } - writeSuccessResponseXML(w, r, response) + s3err.WriteAwsXMLResponse(w, r, http.StatusOK, acp) } // GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration diff --git a/weed/s3api/s3api_objects_list_handlers.go b/weed/s3api/s3api_objects_list_handlers.go index 620969fd6..97ba83d19 100644 --- a/weed/s3api/s3api_objects_list_handlers.go +++ b/weed/s3api/s3api_objects_list_handlers.go @@ -41,6 +41,12 @@ func (s3a *S3ApiServer) ListObjectsV2Handler(w http.ResponseWriter, r *http.Requ bucket, _ := s3_constants.GetBucketAndObject(r) glog.V(3).Infof("ListObjectsV2Handler %s", bucket) + _, errCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead) + if errCode != s3err.ErrNone { + s3err.WriteErrorResponse(w, r, errCode) + return + } + originalPrefix, continuationToken, startAfter, delimiter, _, maxKeys := getListObjectsV2Args(r.URL.Query()) if maxKeys < 0 { @@ -97,6 +103,12 @@ func (s3a *S3ApiServer) ListObjectsV1Handler(w http.ResponseWriter, r *http.Requ bucket, _ := s3_constants.GetBucketAndObject(r) glog.V(3).Infof("ListObjectsV1Handler %s", bucket) + _, errCode := s3a.checkAccessForReadBucket(r, bucket, s3_constants.PermissionRead) + if errCode != s3err.ErrNone { + s3err.WriteErrorResponse(w, r, errCode) + return + } + originalPrefix, marker, delimiter, maxKeys := getListObjectsV1Args(r.URL.Query()) if maxKeys < 0 {