From 66fe3fee7b83ebc53e5c1f3dd75343f248cf2590 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Thu, 21 Jul 2022 12:55:33 +0300 Subject: [PATCH] [#574] Produce deny records for private objects Signed-off-by: Alex Vanin --- api/handler/acl.go | 24 ++++++++++++++++++++++++ api/handler/acl_test.go | 18 ++++++++++++++---- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/api/handler/acl.go b/api/handler/acl.go index 1ea6d5e93..7befb2986 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -1190,6 +1190,13 @@ func aclToPolicy(acl *AccessControlPolicy, resInfo *resourceInfo) (*bucketPolicy getAllowStatement(resInfo, acl.Owner.ID, aclFullControl), } + // Expect to have at least 1 full control grant for owner which is set in + // parseACLHeaders(). If there is no other grants, then user sets private + // canned ACL, which is processed in this branch. + if len(acl.AccessControlList) < 2 { + results = append([]statement{getDenyStatement(resInfo, allUsersWildcard, aclFullControl)}, results...) + } + for _, grant := range acl.AccessControlList { if grant.Grantee.Type == acpAmazonCustomerByEmail || (grant.Grantee.Type == acpGroup && grant.Grantee.URI != allUsersGroup) { return nil, stderrors.New("unsupported grantee type") @@ -1227,6 +1234,23 @@ func getAllowStatement(resInfo *resourceInfo, id string, permission AWSACL) stat return state } +func getDenyStatement(resInfo *resourceInfo, id string, permission AWSACL) statement { + state := statement{ + Effect: "Deny", + Principal: principal{ + CanonicalUser: id, + }, + Action: getActions(permission, resInfo.IsBucket()), + Resource: []string{arnAwsPrefix + resInfo.Name()}, + } + + if id == allUsersWildcard { + state.Principal = principal{AWS: allUsersWildcard} + } + + return state +} + func getActions(permission AWSACL, isBucket bool) []string { var res []string switch permission { diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index f9580c6e3..84b2df35e 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -862,7 +862,7 @@ func TestObjectWithVersionAclToTable(t *testing.T) { Bucket: "bucketName", Object: "object", } - expectedTable := allowedTableForObject(t, key, resInfoObject) + expectedTable := allowedTableForPrivateObject(t, key, resInfoObject) actualTable := tableFromACL(t, acl, resInfoObject) checkTables(t, expectedTable, actualTable) @@ -871,12 +871,12 @@ func TestObjectWithVersionAclToTable(t *testing.T) { Object: "objectVersion", Version: "Gfrct4Afhio8pCGCCKVNTf1kyexQjMBeaUfvDtQCkAvg", } - expectedTable = allowedTableForObject(t, key, resInfoObjectVersion) + expectedTable = allowedTableForPrivateObject(t, key, resInfoObjectVersion) actualTable = tableFromACL(t, acl, resInfoObjectVersion) checkTables(t, expectedTable, actualTable) } -func allowedTableForObject(t *testing.T, key *keys.PrivateKey, resInfo *resourceInfo) *eacl.Table { +func allowedTableForPrivateObject(t *testing.T, key *keys.PrivateKey, resInfo *resourceInfo) *eacl.Table { var isVersion bool var objID oid.ID if resInfo.Version != "" { @@ -886,7 +886,7 @@ func allowedTableForObject(t *testing.T, key *keys.PrivateKey, resInfo *resource } expectedTable := eacl.NewTable() - serviceRec := &ServiceRecord{Resource: resInfo.Name(), GroupRecordsLength: len(readOps)} + serviceRec := &ServiceRecord{Resource: resInfo.Name(), GroupRecordsLength: len(readOps) * 2} expectedTable.AddRecord(serviceRec.ToEACLRecord()) for i := len(readOps) - 1; i >= 0; i-- { @@ -899,6 +899,16 @@ func allowedTableForObject(t *testing.T, key *keys.PrivateKey, resInfo *resource } expectedTable.AddRecord(record) } + for i := len(readOps) - 1; i >= 0; i-- { + op := readOps[i] + record := getOthersRecord(op, eacl.ActionDeny) + if isVersion { + record.AddObjectIDFilter(eacl.MatchStringEqual, objID) + } else { + record.AddObjectAttributeFilter(eacl.MatchStringEqual, object.AttributeFileName, resInfo.Object) + } + expectedTable.AddRecord(record) + } return expectedTable }