From 280d11c79472b8ba853690792bc6ba98b5a3359c Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Tue, 18 Jun 2024 11:20:08 +0300 Subject: [PATCH] [#407] Don't set full_control for bucket owner Signed-off-by: Denis Kirillov --- api/handler/acl.go | 17 +---------------- api/handler/acl_test.go | 32 +++++++++++++------------------- api/handler/put.go | 40 +++++++--------------------------------- 3 files changed, 21 insertions(+), 68 deletions(-) diff --git a/api/handler/acl.go b/api/handler/acl.go index bf7dd8e8..4219c27d 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -325,15 +325,6 @@ func (h *handler) encodePrivateCannedACL(ctx context.Context, bktInfo *data.Buck DisplayName: ownerDisplayName, }} - granteeOwner := NewGrantee(acpCanonicalUser) - granteeOwner.ID = ownerEncodedID - granteeOwner.DisplayName = ownerDisplayName - - res.AccessControlList = []*Grant{{ - Grantee: granteeOwner, - Permission: aclFullControl, - }} - return res } @@ -443,13 +434,7 @@ func (h *handler) putBucketACLAPEHandler(w http.ResponseWriter, r *http.Request, return } - key, err := h.bearerTokenIssuerKey(ctx) - if err != nil { - h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err) - return - } - - chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID) + chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID) if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil { h.logAndSendError(w, "failed to add morph rule chains", reqInfo, err) return diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index 838e682c..490d321a 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -1408,38 +1408,32 @@ func TestBucketACLAPE(t *testing.T) { } func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) { - checkACLOwner(t, aclRes, ownerKey, 1) + checkACLOwner(t, aclRes, ownerKey) } func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) { - checkACLOwner(t, aclRes, ownerKey, 2) + checkACLOwner(t, aclRes, ownerKey) + + require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI) + require.Equal(t, aclRead, aclRes.AccessControlList[0].Permission) +} + +func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) { + checkACLOwner(t, aclRes, ownerKey) + + require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI) + require.Equal(t, aclWrite, aclRes.AccessControlList[0].Permission) require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI) require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission) } -func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) { - checkACLOwner(t, aclRes, ownerKey, 3) - - require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI) - require.Equal(t, aclWrite, aclRes.AccessControlList[1].Permission) - - require.Equal(t, allUsersGroup, aclRes.AccessControlList[2].Grantee.URI) - require.Equal(t, aclRead, aclRes.AccessControlList[2].Permission) -} - -func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) { +func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) { ownerIDStr := hex.EncodeToString(ownerKey.Bytes()) ownerNameStr := ownerKey.Address() require.Equal(t, ownerIDStr, aclRes.Owner.ID) require.Equal(t, ownerNameStr, aclRes.Owner.DisplayName) - - require.Len(t, aclRes.AccessControlList, ln) - - require.Equal(t, ownerIDStr, aclRes.AccessControlList[0].Grantee.ID) - require.Equal(t, ownerNameStr, aclRes.AccessControlList[0].Grantee.DisplayName) - require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission) } func TestBucketPolicy(t *testing.T) { diff --git a/api/handler/put.go b/api/handler/put.go index 2e50f9a6..9e9a4a01 100644 --- a/api/handler/put.go +++ b/api/handler/put.go @@ -4,7 +4,6 @@ import ( "bytes" "crypto/md5" "encoding/base64" - "encoding/hex" "encoding/json" "encoding/xml" stderrors "errors" @@ -907,7 +906,7 @@ func (h *handler) createBucketHandlerPolicy(w http.ResponseWriter, r *http.Reque } h.reqLogger(ctx).Info(logs.BucketIsCreated, zap.Stringer("container_id", bktInfo.CID)) - chains := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID) + chains := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID) if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chains); err != nil { h.logAndSendError(w, "failed to add morph rule chain", reqInfo, err) return @@ -1072,42 +1071,17 @@ var ( } ) -func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, key *keys.PublicKey, cnrID cid.ID) []*chain.Chain { +func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, cnrID cid.ID) []*chain.Chain { cnrIDStr := cnrID.EncodeToString() chains := []*chain.Chain{ { - ID: getBucketCannedChainID(chain.S3, cnrID), - Rules: []chain.Rule{{ - Status: chain.Allow, - Actions: chain.Actions{Names: []string{"s3:*"}}, - Resources: chain.Resources{Names: []string{ - fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName), - fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName), - }}, - Condition: []chain.Condition{{ - Op: chain.CondStringEquals, - Kind: chain.KindRequest, - Key: s3.PropertyKeyOwner, - Value: key.Address(), - }}, - }}}, + ID: getBucketCannedChainID(chain.S3, cnrID), + Rules: []chain.Rule{}, + }, { - ID: getBucketCannedChainID(chain.Ingress, cnrID), - Rules: []chain.Rule{{ - Status: chain.Allow, - Actions: chain.Actions{Names: []string{"*"}}, - Resources: chain.Resources{Names: []string{ - fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr), - fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr), - }}, - Condition: []chain.Condition{{ - Op: chain.CondStringEquals, - Kind: chain.KindRequest, - Key: native.PropertyKeyActorPublicKey, - Value: hex.EncodeToString(key.Bytes()), - }}, - }}, + ID: getBucketCannedChainID(chain.Ingress, cnrID), + Rules: []chain.Rule{}, }, }