[#306] In APE buckets forbid canned acl except private

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-03-19 16:56:32 +03:00 · 2024-03-19 16:56:32 +03:00 · 80c7b73eb9
commit 80c7b73eb9
parent 62cc5a04a7
9 changed files with 290 additions and 110 deletions
--- a/api/handler/acl_test.go
+++ b/api/handler/acl_test.go
@ -1329,55 +1329,96 @@ func TestPutBucketAPE(t *testing.T) {
 	require.Len(t, chains, 2)
 }

-func TestPutBucketObjectACLErrorAPE(t *testing.T) {
+func TestPutObjectACLErrorAPE(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	bktName, objName := "bucket-for-acl-ape", "object"

 	info := createBucket(hc, bktName)
-	putObject(hc, bktName, objName)
+
+	putObjectWithHeadersAssertS3Error(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, s3errors.ErrAccessControlListNotSupported)
+	putObjectWithHeaders(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate}) // only `private` canned acl is allowed, that is actually ignored
+	putObjectWithHeaders(hc, bktName, objName, nil)

 	aclBody := &AccessControlPolicy{}
-	putBucketACLAssertS3Error(hc, bktName, info.Box, nil, aclBody, s3errors.ErrAccessControlListNotSupported)
-
 	putObjectACLAssertS3Error(hc, bktName, objName, info.Box, nil, aclBody, s3errors.ErrAccessControlListNotSupported)
-	getObjectACLAssertS3Error(hc, bktName, objName, s3errors.ErrAccessControlListNotSupported)
+
+	aclRes := getObjectACL(hc, bktName, objName)
+	checkPrivateACL(t, aclRes, info.Key.PublicKey())
 }

-func TestGetBucketACLAPE(t *testing.T) {
+func TestCreateObjectACLErrorAPE(t *testing.T) {
+	hc := prepareHandlerContext(t)
+	bktName, objName, objNameCopy := "bucket-for-acl-ape", "object", "copy"
+
+	createBucket(hc, bktName)
+
+	putObject(hc, bktName, objName)
+	copyObject(hc, bktName, objName, objNameCopy, CopyMeta{Headers: map[string]string{api.AmzACL: basicACLPublic}}, http.StatusBadRequest)
+	copyObject(hc, bktName, objName, objNameCopy, CopyMeta{Headers: map[string]string{api.AmzACL: basicACLPrivate}}, http.StatusOK)
+
+	createMultipartUploadAssertS3Error(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, s3errors.ErrAccessControlListNotSupported)
+	createMultipartUpload(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate})
+}
+
+func TestPutObjectACLBackwardCompatibility(t *testing.T) {
+	hc := prepareHandlerContext(t)
+	hc.config.aclEnabled = true
+	bktName, objName := "bucket-for-acl-ape", "object"
+
+	info := createBucket(hc, bktName)
+
+	putObjectWithHeadersBase(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPrivate}, info.Box, nil)
+	putObjectWithHeadersBase(hc, bktName, objName, map[string]string{api.AmzACL: basicACLPublic}, info.Box, nil)
+
+	aclRes := getObjectACL(hc, bktName, objName)
+	require.Len(t, aclRes.AccessControlList, 2)
+	require.Equal(t, hex.EncodeToString(info.Key.PublicKey().Bytes()), aclRes.AccessControlList[0].Grantee.ID)
+	require.Equal(t, aclFullControl, aclRes.AccessControlList[0].Permission)
+	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
+	require.Equal(t, aclFullControl, aclRes.AccessControlList[1].Permission)
+
+	aclBody := &AccessControlPolicy{}
+	putObjectACLBase(hc, bktName, objName, info.Box, nil, aclBody)
+}
+
+func TestBucketACLAPE(t *testing.T) {
 	hc := prepareHandlerContext(t)
 	bktName := "bucket-for-acl-ape"

 	info := createBucket(hc, bktName)

+	aclBody := &AccessControlPolicy{}
+	putBucketACLAssertS3Error(hc, bktName, info.Box, nil, aclBody, s3errors.ErrAccessControlListNotSupported)
+
 	aclRes := getBucketACL(hc, bktName)
-	checkPrivateBucketACL(t, aclRes, info.Key.PublicKey())
+	checkPrivateACL(t, aclRes, info.Key.PublicKey())

 	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLPrivate})
 	aclRes = getBucketACL(hc, bktName)
-	checkPrivateBucketACL(t, aclRes, info.Key.PublicKey())
+	checkPrivateACL(t, aclRes, info.Key.PublicKey())

 	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLReadOnly})
 	aclRes = getBucketACL(hc, bktName)
-	checkPublicReadBucketACL(t, aclRes, info.Key.PublicKey())
+	checkPublicReadACL(t, aclRes, info.Key.PublicKey())

 	putBucketACL(hc, bktName, info.Box, map[string]string{api.AmzACL: basicACLPublic})
 	aclRes = getBucketACL(hc, bktName)
-	checkPublicReadWriteBucketACL(t, aclRes, info.Key.PublicKey())
+	checkPublicReadWriteACL(t, aclRes, info.Key.PublicKey())
 }

-func checkPrivateBucketACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkBucketACLOwner(t, aclRes, ownerKey, 1)
+func checkPrivateACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
+	checkACLOwner(t, aclRes, ownerKey, 1)
 }

-func checkPublicReadBucketACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkBucketACLOwner(t, aclRes, ownerKey, 2)
+func checkPublicReadACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
+	checkACLOwner(t, aclRes, ownerKey, 2)

 	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
 	require.Equal(t, aclRead, aclRes.AccessControlList[1].Permission)
 }

-func checkPublicReadWriteBucketACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
-	checkBucketACLOwner(t, aclRes, ownerKey, 3)
+func checkPublicReadWriteACL(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey) {
+	checkACLOwner(t, aclRes, ownerKey, 3)

 	require.Equal(t, allUsersGroup, aclRes.AccessControlList[1].Grantee.URI)
 	require.Equal(t, aclWrite, aclRes.AccessControlList[1].Permission)
@ -1386,7 +1427,7 @@ func checkPublicReadWriteBucketACL(t *testing.T, aclRes *AccessControlPolicy, ow
 	require.Equal(t, aclRead, aclRes.AccessControlList[2].Permission)
 }

-func checkBucketACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) {
+func checkACLOwner(t *testing.T, aclRes *AccessControlPolicy, ownerKey *keys.PublicKey, ln int) {
 	ownerIDStr := hex.EncodeToString(ownerKey.Bytes())
 	ownerNameStr := ownerKey.Address()

@ -1661,9 +1702,12 @@ func putObjectACLBase(hc *handlerContext, bktName, objName string, box *accessbo
 	return w
 }

-func getObjectACLAssertS3Error(hc *handlerContext, bktName, objName string, code s3errors.ErrorCode) {
+func getObjectACL(hc *handlerContext, bktName, objName string) *AccessControlPolicy {
 	w := getObjectACLBase(hc, bktName, objName)
-	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
+	assertStatus(hc.t, w, http.StatusOK)
+	res := &AccessControlPolicy{}
+	parseTestResponse(hc.t, w, res)
+	return res
 }

 func getObjectACLBase(hc *handlerContext, bktName, objName string) *httptest.ResponseRecorder {
@ -1671,3 +1715,29 @@ func getObjectACLBase(hc *handlerContext, bktName, objName string) *httptest.Res
 	hc.Handler().GetObjectACLHandler(w, r)
 	return w
 }
+
+func putObjectWithHeaders(hc *handlerContext, bktName, objName string, headers map[string]string) http.Header {
+	w := putObjectWithHeadersBase(hc, bktName, objName, headers, nil, nil)
+	assertStatus(hc.t, w, http.StatusOK)
+	return w.Header()
+}
+
+func putObjectWithHeadersAssertS3Error(hc *handlerContext, bktName, objName string, headers map[string]string, code s3errors.ErrorCode) {
+	w := putObjectWithHeadersBase(hc, bktName, objName, headers, nil, nil)
+	assertS3Error(hc.t, w, s3errors.GetAPIError(code))
+}
+
+func putObjectWithHeadersBase(hc *handlerContext, bktName, objName string, headers map[string]string, box *accessbox.Box, data []byte) *httptest.ResponseRecorder {
+	body := bytes.NewReader(data)
+	w, r := prepareTestPayloadRequest(hc, bktName, objName, body)
+
+	for k, v := range headers {
+		r.Header.Set(k, v)
+	}
+
+	ctx := middleware.SetBoxData(r.Context(), box)
+	r = r.WithContext(ctx)
+
+	hc.Handler().PutObjectHandler(w, r)
+	return w
+}