CLDSRV-430: add delete API implicit deny logic

Will Toozs · Will Toozs · commit 8cafabd98242 · 2023-09-13T16:50:53.000+02:00
diff --git a/lib/api/apiUtils/bucket/bucketDeletion.js b/lib/api/apiUtils/bucket/bucketDeletion.js
@@ -24,7 +24,7 @@ function _deleteMPUbucket(destinationBucketName, log, cb) {
     });
 }
 
-function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
+function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, request, log, cb) {
     async.mapLimit(mpus, 1, (mpu, next) => {
         const splitterChar = mpu.key.includes(oldSplitter) ?
             oldSplitter : splitter;
@@ -40,7 +40,7 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
                     byteLength: partSizeSum,
                 });
                 next(err);
-            });
+            }, request);
     }, cb);
 }
 /**
@@ -49,11 +49,13 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
  * @param {object} bucketMD - bucket attributes/metadata
  * @param {string} bucketName - bucket in which objectMetadata is stored
  * @param {string} canonicalID - account canonicalID of requester
+ * @param {object} request - request object given by router
+ *                           including normalized headers
  * @param {object} log - Werelogs logger
  * @param {function} cb - callback from async.waterfall in bucketDelete
  * @return {undefined}
  */
-function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
+function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, request, log, cb) {
     log.trace('deleting bucket from metadata');
     assert.strictEqual(typeof bucketName, 'string');
     assert.strictEqual(typeof canonicalID, 'string');
@@ -100,7 +102,7 @@ function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
                     }
                     if (objectsListRes.Contents.length) {
                         return _deleteOngoingMPUs(authInfo, bucketName,
-                            bucketMD, objectsListRes.Contents, log, err => {
+                            bucketMD, objectsListRes.Contents, request, log, err => {
                                 if (err) {
                                     return next(err);
                                 }
diff --git a/lib/api/bucketDelete.js b/lib/api/bucketDelete.js
@@ -31,7 +31,7 @@ function bucketDelete(authInfo, request, log, cb) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log,
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
         (err, bucketMD) => {
             const corsHeaders = collectCorsHeaders(request.headers.origin,
                 request.method, bucketMD);
@@ -43,7 +43,7 @@ function bucketDelete(authInfo, request, log, cb) {
             log.trace('passed checks',
                 { method: 'metadataValidateBucket' });
             return deleteBucket(authInfo, bucketMD, bucketName,
-                authInfo.getCanonicalID(), log, err => {
+                authInfo.getCanonicalID(), request, log, err => {
                     if (err) {
                         return cb(err, corsHeaders);
                     }
diff --git a/lib/api/bucketDeleteCors.js b/lib/api/bucketDeleteCors.js
@@ -33,7 +33,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {
         }
         log.trace('found bucket in metadata');
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
+            request.iamAuthzResults, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketDeleteCors',
diff --git a/lib/api/bucketDeleteEncryption.js b/lib/api/bucketDeleteEncryption.js
@@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             const sseConfig = bucket.getServerSideEncryption();
diff --git a/lib/api/bucketDeleteLifecycle.js b/lib/api/bucketDeleteLifecycle.js
@@ -20,7 +20,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
         requestType: 'bucketDeleteLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {
diff --git a/lib/api/bucketDeletePolicy.js b/lib/api/bucketDeletePolicy.js
@@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
         requestType: 'bucketDeletePolicy',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {
diff --git a/lib/api/bucketDeleteReplication.js b/lib/api/bucketDeleteReplication.js
@@ -20,7 +20,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
         requestType: 'bucketDeleteReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {
diff --git a/lib/api/bucketDeleteWebsite.js b/lib/api/bucketDeleteWebsite.js
@@ -25,7 +25,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
         }
         log.trace('found bucket in metadata');
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
+            request.iamAuthzResults, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketDeleteWebsite',
diff --git a/lib/api/objectDelete.js b/lib/api/objectDelete.js
@@ -56,8 +56,8 @@ function objectDelete(authInfo, request, log, cb) {
     const canonicalID = authInfo.getCanonicalID();
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(valParams, log,
-            (err, bucketMD, objMD) => {
+            return metadataValidateBucketAndObj(valParams, request.iamAuthzResults, log,
+                (err, bucketMD, objMD) => {
                 if (err) {
                     return next(err, bucketMD);
                 }
diff --git a/lib/api/objectDeleteTagging.js b/lib/api/objectDeleteTagging.js
@@ -46,7 +46,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
           (err, bucket, objectMD) => {
               if (err) {
                   log.trace('request authorization failed',
diff --git a/tests/unit/api/bucketDelete.js b/tests/unit/api/bucketDelete.js
@@ -88,6 +88,7 @@ describe.skip('bucketDelete API', () => {
         namespace,
         headers: {},
         url: `/${bucketName}`,
+        iamAuthzResults: false,
     };
 
     const initiateRequest = {
@@ -96,6 +97,7 @@ describe.skip('bucketDelete API', () => {
         objectKey: objectName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: `/${objectName}?uploads`,
+        iamAuthzResults: false,
     };
 
     it('should return an error if the bucket is not empty', done => {
diff --git a/tests/unit/api/bucketDeleteCors.js b/tests/unit/api/bucketDeleteCors.js
@@ -19,6 +19,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 const testBucketPutCorsRequest =
     corsUtil.createBucketCorsRequest('PUT', bucketName);
diff --git a/tests/unit/api/bucketDeleteEncryption.js b/tests/unit/api/bucketDeleteEncryption.js
@@ -13,6 +13,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 // TODO CLDSRV-430 remove skip
 describe.skip('bucketDeleteEncryption API', () => {
diff --git a/tests/unit/api/bucketDeleteLifecycle.js b/tests/unit/api/bucketDeleteLifecycle.js
@@ -19,6 +19,7 @@ function _makeRequest(includeXml) {
         bucketName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/',
+        iamAuthzResults: false,
     };
     if (includeXml) {
         request.post = '<LifecycleConfiguration ' +
diff --git a/tests/unit/api/bucketDeletePolicy.js b/tests/unit/api/bucketDeletePolicy.js
@@ -19,6 +19,7 @@ function _makeRequest(includePolicy) {
         bucketName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/',
+        iamAuthzResults: false,
     };
     if (includePolicy) {
         const examplePolicy = {
diff --git a/tests/unit/api/bucketDeleteWebsite.js b/tests/unit/api/bucketDeleteWebsite.js
@@ -20,6 +20,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 const testBucketDeleteWebsiteRequest = {
     bucketName,
@@ -28,6 +29,7 @@ const testBucketDeleteWebsiteRequest = {
     },
     url: '/?website',
     query: { website: '' },
+    iamAuthzResults: false,
 };
 const testBucketPutWebsiteRequest = Object.assign({ post: config.getXml() },
     testBucketDeleteWebsiteRequest);
diff --git a/tests/unit/api/objectDeleteTagging.js b/tests/unit/api/objectDeleteTagging.js
@@ -22,6 +22,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const testPutObjectRequest = new DummyRequest({

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {`
`33`	`33`	`}`
`34`	`34`	`log.trace('found bucket in metadata');`
`35`	`35`
`36`		`- if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {`
	`36`	`+ if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,`
	`37`	`+ request.iamAuthzResults, log, request)) {`
`37`	`38`	`log.debug('access denied for user on bucket', {`
`38`	`39`	`requestType,`
`39`	`40`	`method: 'bucketDeleteCors',`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {`
`25`	`25`	`}`
`26`	`26`	`log.trace('found bucket in metadata');`
`27`	`27`
`28`		`- if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {`
	`28`	`+ if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,`
	`29`	`+ request.iamAuthzResults, log, request)) {`
`29`	`30`	`log.debug('access denied for user on bucket', {`
`30`	`31`	`requestType,`
`31`	`32`	`method: 'bucketDeleteWebsite',`