From 3260308cc076d97f99a0d335705c054725e8eea5 Mon Sep 17 00:00:00 2001 From: Marina Biryukova Date: Tue, 29 Oct 2024 14:18:01 +0300 Subject: [PATCH] [#528] Check owner ID before deleting bucket Signed-off-by: Marina Biryukova --- api/handler/acl_test.go | 1 + api/handler/delete.go | 5 +++++ api/handler/delete_test.go | 17 ++++++++++++++++- api/handler/handlers_test.go | 1 + 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index 8bb6a06b..14b3cf4e 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -191,6 +191,7 @@ func TestDeleteBucketWithPolicy(t *testing.T) { require.Len(t, hc.h.ape.(*apeMock).policyMap, 1) require.Len(t, hc.h.ape.(*apeMock).chainMap[engine.ContainerTarget(bi.CID.EncodeToString())], 4) + hc.owner = bi.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) require.Empty(t, hc.h.ape.(*apeMock).policyMap) diff --git a/api/handler/delete.go b/api/handler/delete.go index bb3111ec..39769ffc 100644 --- a/api/handler/delete.go +++ b/api/handler/delete.go @@ -245,6 +245,11 @@ func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) { return } + if err = checkOwner(bktInfo, reqInfo.User); err != nil { + h.logAndSendError(w, "request owner id does not match bucket owner id", reqInfo, err) + return + } + var sessionToken *session.Container boxData, err := middleware.GetBoxData(ctx) diff --git a/api/handler/delete_test.go b/api/handler/delete_test.go index 80d23c83..68fdbb52 100644 --- a/api/handler/delete_test.go +++ b/api/handler/delete_test.go @@ -37,6 +37,7 @@ func TestDeleteBucketOnAlreadyRemovedError(t *testing.T) { deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}}) + hc.owner = bktInfo.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) } @@ -53,11 +54,12 @@ func TestDeleteBucket(t *testing.T) { tc := prepareHandlerContext(t) bktName, objName := "bucket-for-removal", "object-to-delete" - _, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName) + bktInfo, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName) deleteMarkerVersion, isDeleteMarker := deleteObject(t, tc, bktName, objName, emptyVersion) require.True(t, isDeleteMarker) + tc.owner = bktInfo.Owner deleteBucket(t, tc, bktName, http.StatusConflict) deleteObject(t, tc, bktName, objName, objInfo.VersionID()) deleteBucket(t, tc, bktName, http.StatusConflict) @@ -82,6 +84,7 @@ func TestDeleteBucketOnNotFoundError(t *testing.T) { deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}}) + hc.owner = bktInfo.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) } @@ -99,6 +102,7 @@ func TestForceDeleteBucket(t *testing.T) { addr.SetContainer(bktInfo.CID) addr.SetObject(nodeVersion.OID) + hc.owner = bktInfo.Owner deleteBucketForce(t, hc, bktName, http.StatusConflict, "false") deleteBucketForce(t, hc, bktName, http.StatusNoContent, "true") } @@ -457,6 +461,17 @@ func TestDeleteObjectCheckMarkerReturn(t *testing.T) { require.Equal(t, deleteMarkerVersion, deleteMarkerVersion2) } +func TestDeleteBucketByNotOwner(t *testing.T) { + hc := prepareHandlerContext(t) + + bktName := "bucket-name" + bktInfo := createTestBucket(hc, bktName) + deleteBucket(t, hc, bktName, http.StatusForbidden) + + hc.owner = bktInfo.Owner + deleteBucket(t, hc, bktName, http.StatusNoContent) +} + func createBucketAndObject(tc *handlerContext, bktName, objName string) (*data.BucketInfo, *data.ObjectInfo) { bktInfo := createTestBucket(tc, bktName) diff --git a/api/handler/handlers_test.go b/api/handler/handlers_test.go index dc32ff91..628bba77 100644 --- a/api/handler/handlers_test.go +++ b/api/handler/handlers_test.go @@ -462,6 +462,7 @@ func prepareTestRequestWithQuery(hc *handlerContext, bktName, objName string, qu r.URL.RawQuery = query.Encode() reqInfo := middleware.NewReqInfo(w, r, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "") + reqInfo.User = hc.owner.String() r = r.WithContext(middleware.SetReqInfo(hc.Context(), reqInfo)) return w, r