[#528] Check owner ID before deleting bucket

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>

api/handler/acl_test.go

@@ -191,6 +191,7 @@ func TestDeleteBucketWithPolicy(t *testing.T) {
 	require.Len(t, hc.h.ape.(*apeMock).policyMap, 1)
 	require.Len(t, hc.h.ape.(*apeMock).chainMap[engine.ContainerTarget(bi.CID.EncodeToString())], 4)
 
+	hc.owner = bi.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 
 	require.Empty(t, hc.h.ape.(*apeMock).policyMap)

api/handler/delete.go

@@ -244,6 +244,11 @@ func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if reqInfo.User != bktInfo.Owner.String() {
+		h.logAndSendError(w, "request owner id does not match bucket owner id", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
+		return
+	}
+
 	var sessionToken *session.Container
 
 	boxData, err := middleware.GetBoxData(r.Context())

api/handler/delete_test.go

@@ -37,6 +37,7 @@ func TestDeleteBucketOnAlreadyRemovedError(t *testing.T) {
 
 	deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}})
 
+	hc.owner = bktInfo.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 }
 
@@ -53,11 +54,12 @@ func TestDeleteBucket(t *testing.T) {
 	tc := prepareHandlerContext(t)
 
 	bktName, objName := "bucket-for-removal", "object-to-delete"
-	_, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName)
+	bktInfo, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName)
 
 	deleteMarkerVersion, isDeleteMarker := deleteObject(t, tc, bktName, objName, emptyVersion)
 	require.True(t, isDeleteMarker)
 
+	tc.owner = bktInfo.Owner
 	deleteBucket(t, tc, bktName, http.StatusConflict)
 	deleteObject(t, tc, bktName, objName, objInfo.VersionID())
 	deleteBucket(t, tc, bktName, http.StatusConflict)
@@ -82,6 +84,7 @@ func TestDeleteBucketOnNotFoundError(t *testing.T) {
 
 	deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}})
 
+	hc.owner = bktInfo.Owner
 	deleteBucket(t, hc, bktName, http.StatusNoContent)
 }
 
@@ -99,6 +102,7 @@ func TestForceDeleteBucket(t *testing.T) {
 	addr.SetContainer(bktInfo.CID)
 	addr.SetObject(nodeVersion.OID)
 
+	hc.owner = bktInfo.Owner
 	deleteBucketForce(t, hc, bktName, http.StatusConflict, "false")
 	deleteBucketForce(t, hc, bktName, http.StatusNoContent, "true")
 }
@@ -457,6 +461,17 @@ func TestDeleteObjectCheckMarkerReturn(t *testing.T) {
 	require.Equal(t, deleteMarkerVersion, deleteMarkerVersion2)
 }
 
+func TestDeleteBucketByNotOwner(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket-name"
+	bktInfo := createTestBucket(hc, bktName)
+	deleteBucket(t, hc, bktName, http.StatusForbidden)
+
+	hc.owner = bktInfo.Owner
+	deleteBucket(t, hc, bktName, http.StatusNoContent)
+}
+
 func createBucketAndObject(tc *handlerContext, bktName, objName string) (*data.BucketInfo, *data.ObjectInfo) {
 	bktInfo := createTestBucket(tc, bktName)
 

api/handler/handlers_test.go

@@ -462,6 +462,7 @@ func prepareTestRequestWithQuery(hc *handlerContext, bktName, objName string, qu
 	r.URL.RawQuery = query.Encode()
 
 	reqInfo := middleware.NewReqInfo(w, r, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
+	reqInfo.User = hc.owner.String()
 	r = r.WithContext(middleware.SetReqInfo(hc.Context(), reqInfo))
 
 	return w, r