[#407] Don't set full_control for bucket owner

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-06-18 11:20:08 +03:00 · 2024-06-18 11:20:08 +03:00 · 280d11c794
commit 280d11c794
parent ed34b2cae4
3 changed files with 21 additions and 68 deletions
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@ -325,15 +325,6 @@ func (h *handler) encodePrivateCannedACL(ctx context.Context, bktInfo *data.Buck
 		DisplayName: ownerDisplayName,
 	}}

-	granteeOwner := NewGrantee(acpCanonicalUser)
-	granteeOwner.ID = ownerEncodedID
-	granteeOwner.DisplayName = ownerDisplayName
-
-	res.AccessControlList = []*Grant{{
-		Grantee:    granteeOwner,
-		Permission: aclFullControl,
-	}}
-
 	return res
 }

@ -443,13 +434,7 @@ func (h *handler) putBucketACLAPEHandler(w http.ResponseWriter, r *http.Request,
 		return
 	}

-	key, err := h.bearerTokenIssuerKey(ctx)
-	if err != nil {
-		h.logAndSendError(w, "couldn't get bearer token issuer key", reqInfo, err)
-		return
-	}
-
-	chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID)
+	chainRules := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID)
 	if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chainRules); err != nil {
 		h.logAndSendError(w, "failed to add morph rule chains", reqInfo, err)
 		return
--- a/api/handler/acl_test.go
+++ b/api/handler/acl_test.go
@ -1408,38 +1408,32 @@ func TestBucketACLAPE(t *testing.T) {
 }

 func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkACLOwner(t, aclRes, ownerKey, 1)
+	checkACLOwner(t, aclRes, ownerKey)
 }

 func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkACLOwner(t, aclRes, ownerKey, 2)
+	checkACLOwner(t, aclRes, ownerKey)
+
+	require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI)
+	require.Equal(t, aclRead, aclRes.AccessControlList[0].Permission)
+}
+
+func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
+	checkACLOwner(t, aclRes, ownerKey)
+
+	require.Equal(t, allUsersGroup, aclRes.AccessControlList[0].Grantee.URI)
+	require.Equal(t, aclWrite, aclRes.AccessControlList[0].Permission)

 	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
 	require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission)
 }

-func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkACLOwner(t, aclRes, ownerKey, 3)
-
-	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
-	require.Equal(t, aclWrite, aclRes.AccessControlList[1].Permission)
-
-	require.Equal(t, allUsersGroup, aclRes.AccessControlList[2].Grantee.URI)
-	require.Equal(t, aclRead, aclRes.AccessControlList[2].Permission)
-}
-
-func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) {
+func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
 	ownerIDStr := hex.EncodeToString(ownerKey.Bytes())
 	ownerNameStr := ownerKey.Address()

 	require.Equal(t, ownerIDStr, aclRes.Owner.ID)
 	require.Equal(t, ownerNameStr, aclRes.Owner.DisplayName)
-
-	require.Len(t, aclRes.AccessControlList, ln)
-
-	require.Equal(t, ownerIDStr, aclRes.AccessControlList[0].Grantee.ID)
-	require.Equal(t, ownerNameStr, aclRes.AccessControlList[0].Grantee.DisplayName)
-	require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission)
 }

 func TestBucketPolicy(t *testing.T) {
--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -4,7 +4,6 @@ import (
 	"bytes"
 	"crypto/md5"
 	"encoding/base64"
-	"encoding/hex"
 	"encoding/json"
 	"encoding/xml"
 	stderrors "errors"
@ -907,7 +906,7 @@ func (h *handler) createBucketHandlerPolicy(w http.ResponseWriter, r *http.Reque
 	}
 	h.reqLogger(ctx).Info(logs.BucketIsCreated, zap.Stringer("container_id", bktInfo.CID))

-	chains := bucketCannedACLToAPERules(cannedACL, reqInfo, key, bktInfo.CID)
+	chains := bucketCannedACLToAPERules(cannedACL, reqInfo, bktInfo.CID)
 	if err = h.ape.SaveACLChains(bktInfo.CID.EncodeToString(), chains); err != nil {
 		h.logAndSendError(w, "failed to add morph rule chain", reqInfo, err)
 		return
@ -1072,42 +1071,17 @@ var (
 	}
 )

-func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, key *keys.PublicKey, cnrID cid.ID) []*chain.Chain {
+func bucketCannedACLToAPERules(cannedACL string, reqInfo *middleware.ReqInfo, cnrID cid.ID) []*chain.Chain {
 	cnrIDStr := cnrID.EncodeToString()

 	chains := []*chain.Chain{
 		{
-			ID: getBucketCannedChainID(chain.S3, cnrID),
-			Rules: []chain.Rule{{
-				Status:  chain.Allow,
-				Actions: chain.Actions{Names: []string{"s3:*"}},
-				Resources: chain.Resources{Names: []string{
-					fmt.Sprintf(s3.ResourceFormatS3Bucket, reqInfo.BucketName),
-					fmt.Sprintf(s3.ResourceFormatS3BucketObjects, reqInfo.BucketName),
-				}},
-				Condition: []chain.Condition{{
-					Op:    chain.CondStringEquals,
-					Kind:  chain.KindRequest,
-					Key:   s3.PropertyKeyOwner,
-					Value: key.Address(),
-				}},
-			}}},
+			ID:    getBucketCannedChainID(chain.S3, cnrID),
+			Rules: []chain.Rule{},
+		},
 		{
-			ID: getBucketCannedChainID(chain.Ingress, cnrID),
-			Rules: []chain.Rule{{
-				Status:  chain.Allow,
-				Actions: chain.Actions{Names: []string{"*"}},
-				Resources: chain.Resources{Names: []string{
-					fmt.Sprintf(native.ResourceFormatNamespaceContainer, reqInfo.Namespace, cnrIDStr),
-					fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, reqInfo.Namespace, cnrIDStr),
-				}},
-				Condition: []chain.Condition{{
-					Op:    chain.CondStringEquals,
-					Kind:  chain.KindRequest,
-					Key:   native.PropertyKeyActorPublicKey,
-					Value: hex.EncodeToString(key.Bytes()),
-				}},
-			}},
+			ID:    getBucketCannedChainID(chain.Ingress, cnrID),
+			Rules: []chain.Rule{},
 		},
 	}