scality
diff --git a/‎lib/api/apiUtils/authorization/permissionChecks.js
Lines changed: 173 additions & 31 deletions b/‎lib/api/apiUtils/authorization/permissionChecks.js
Lines changed: 173 additions & 31 deletions
@@ -117,7 +117,7 @@ function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
     // authorization check should just return true so can move on to check
     // rights at the object level.
     return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
-    || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
+        || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
 }
 
 function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
@@ -265,67 +265,203 @@ function _isAccountId(principal) {
     return (principal.length === 12 && /^\d+$/.test(principal));
 }
 
-function _checkPrincipal(requester, principal) {
-    if (principal === '*') {
+function _isRootUser(arn) {
+    if (!arn) {
+        return false;
+    }
+
+    // Vault returns the following arn when the account makes requests 'arn:aws:iam::295412255825:/master/',
+    // with an empty resource type ('user/' prefix missing).
+    const arns = arn.split(':');
+    const resource = arns.at(-1);
+
+    // If we start with '/' is because we have a empty resource type so we know it is a root account.
+    if (resource.startsWith('/')) {
         return true;
     }
-    // User in unauthenticated (anonymous request)
-    if (requester === undefined) {
-        return false;
+
+    return false;
+}
+
+const checkPrincipalResult = {
+    KO: 0,
+    OK: 1,
+    CROSS_ACCOUNT_OK: 2,
+};
+
+function _checkPrincipal(requester, principal, buckerOwnerCanonicalID, requesterCanonicalID) {
+    if (principal === '*') {
+        if (!_isRootUser(requester)) {
+            return buckerOwnerCanonicalID === requesterCanonicalID ?
+                checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
+        }
+
+        return checkPrincipalResult.OK;
+    }
+    if (requester === undefined) { // User in unauthenticated (anonymous request)
+        return checkPrincipalResult.KO;
     }
     if (principal === requester) {
-        return true;
+        if (!_isRootUser(requester)) {
+            return buckerOwnerCanonicalID === requesterCanonicalID ?
+                checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
+        }
+
+        return checkPrincipalResult.OK;
     }
     if (_isAccountId(principal)) {
-        return _getAccountId(requester) === principal;
+        if (_getAccountId(requester) !== principal) {
+            return checkPrincipalResult.KO;
+        }
+
+        if (!_isRootUser(requester)) {
+            return buckerOwnerCanonicalID === requesterCanonicalID ?
+                checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
+        }
+
+        return checkPrincipalResult.OK;
     }
     if (principal.endsWith('root')) {
-        return _getAccountId(requester) === _getAccountId(principal);
+        if (_getAccountId(requester) !== _getAccountId(principal)) {
+            return checkPrincipalResult.KO;
+        }
+
+        if (!_isRootUser(requester)) {
+            return buckerOwnerCanonicalID === requesterCanonicalID ?
+                checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
+        }
+
+        return checkPrincipalResult.OK;
     }
-    return false;
+    return checkPrincipalResult.KO;
 }
 
-function _checkPrincipals(canonicalID, arn, principal) {
+function _checkPrincipals(canonicalID, arn, principal, buckerOwnerCanonicalID) {
     if (principal === '*') {
-        return true;
+        if (arn === undefined) { // User in unauthenticated (anonymous request)
+            return checkPrincipalResult.OK;
+        }
+
+        if (!_isRootUser(arn)) {
+            return buckerOwnerCanonicalID === canonicalID ?
+                checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
+        }
+
+        return checkPrincipalResult.OK;
     }
     if (principal.CanonicalUser) {
         if (Array.isArray(principal.CanonicalUser)) {
-            return principal.CanonicalUser.some(p => _checkPrincipal(canonicalID, p));
+            let out = checkPrincipalResult.KO;
+            for (const p of principal.CanonicalUser) {
+                if (out === checkPrincipalResult.OK) {
+                    break;
+                }
+
+                const res = _checkPrincipal(canonicalID, p, buckerOwnerCanonicalID, canonicalID);
+                if (res !== checkPrincipalResult.KO) {
+                    out = res;
+                }
+            }
+            return out;
         }
-        return _checkPrincipal(canonicalID, principal.CanonicalUser);
+        return _checkPrincipal(canonicalID, principal.CanonicalUser, buckerOwnerCanonicalID, canonicalID);
     }
     if (principal.AWS) {
         if (Array.isArray(principal.AWS)) {
-            return principal.AWS.some(p => _checkPrincipal(arn, p));
+            let out = checkPrincipalResult.KO;
+            for (const p of principal.AWS) {
+                if (out === checkPrincipalResult.OK) {
+                    break;
+                }
+
+                const res = _checkPrincipal(arn, p, buckerOwnerCanonicalID, canonicalID);
+                if (res !== checkPrincipalResult.KO) {
+                    out = res;
+                }
+            }
+
+            return out;
         }
-        return _checkPrincipal(arn, principal.AWS);
+        return _checkPrincipal(arn, principal.AWS, buckerOwnerCanonicalID, canonicalID);
     }
-    return false;
+    return checkPrincipalResult.KO;
 }
 
+const checkBucketPolicyResult = {
+    DEFAULT_DENY: 0,
+    EXPLICIT_DENY: 1,
+    ALLOW: 2,
+    CROSS_ACCOUNT_ALLOW: 3,
+};
+
+// checkBucketPolicy FSM.
+// ┌───────────────────────────┐
+// │                           ▼
+// │                         ┌───────┐
+// │               ┌────────►│ ALLOW ├──────────────┐
+// │ ┌─────┐       │         └──┬────┘              │
+// │ │START│       │            │                   │
+// │ └──┬──┘       │            │                   │
+// │    │          │            │                   │
+// │    ▼          │            ▼                   ▼
+// │┌──────────────┤          ┌────┐             ┌─────┐
+// ││ DEFAULT_DENY ├─────────►│DENY├────────────►│ END │
+// │└──────┬───────┤          └────┘             └─────┘
+// │       │       │             ▲                  ▲ ▲
+// │       │       │             │                  │ │
+// │       │       │             │                  │ │
+// │       │       │         ┌───┴───────────┐      │ │
+// │       │       └────────►│ CROSS_ACCOUNT ├──────┘ │
+// │       │                 └┬──────────────┘        │
+// └───────┼──────────────────┘                       │
+//         └──────────────────────────────────────────┘
+//
 function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies) {
-    let permission = 'defaultDeny';
+    let permission = checkBucketPolicyResult.DEFAULT_DENY;
     // if requester is user within bucket owner account, actions should be
     // allowed unless explicitly denied (assumes allowed by IAM policy)
     if (bucketOwner === canonicalID && actionImplicitDenies[requestType] === false) {
-        permission = 'allow';
+        permission = checkBucketPolicyResult.ALLOW;
     }
     let copiedStatement = JSON.parse(JSON.stringify(policy.Statement));
     while (copiedStatement.length > 0) {
         const s = copiedStatement[0];
-        const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal);
+        const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal, bucketOwner);
         const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
         const resourceMatch = _checkBucketPolicyResources(request, s.Resource, log);
         const conditionsMatch = _checkBucketPolicyConditions(request, s.Condition, log);
 
-        if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Deny') {
-            // explicit deny trumps any allows, so return immediately
-            return 'explicitDeny';
-        }
-        if (principalMatch && actionMatch && resourceMatch && conditionsMatch && s.Effect === 'Allow') {
-            permission = 'allow';
+        const ok = principalMatch === checkPrincipalResult.OK && actionMatch && resourceMatch && conditionsMatch;
+        const okCross = principalMatch === checkPrincipalResult.CROSS_ACCOUNT_OK
+            && actionMatch && resourceMatch && conditionsMatch;
+        switch (permission) {
+        case checkBucketPolicyResult.DEFAULT_DENY:
+            if ((ok || okCross) && s.Effect === 'Deny') {
+                return checkBucketPolicyResult.EXPLICIT_DENY;
+            } else if (ok && s.Effect === 'Allow') {
+                permission = checkBucketPolicyResult.ALLOW;
+            } else if (okCross && s.Effect === 'Allow') {
+                permission = checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW;
+            }
+            break;
+        case checkBucketPolicyResult.EXPLICIT_DENY:
+            return checkBucketPolicyResult.EXPLICIT_DENY;
+        case checkBucketPolicyResult.ALLOW:
+            if ((ok || okCross) && s.Effect === 'Deny') {
+                return checkBucketPolicyResult.EXPLICIT_DENY;
+            }
+            break;
+        case checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW:
+            if ((ok || okCross) && s.Effect === 'Deny') {
+                return checkBucketPolicyResult.EXPLICIT_DENY;
+            } else if (ok && s.Effect === 'Allow') {
+                permission = checkBucketPolicyResult.ALLOW;
+            }
+            break;
+        default: // Needed for the linter, should be unreachable.
+            break;
         }
+
         copiedStatement = copiedStatement.splice(1);
     }
     return permission;
@@ -341,9 +477,13 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
         const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, canonicalID, arn,
             bucketOwner, log, request, actionImplicitDenies);
 
-        if (bucketPolicyPermission === 'explicitDeny') {
+        if (bucketPolicyPermission === checkBucketPolicyResult.EXPLICIT_DENY) {
             processedResult = false;
-        } else if (bucketPolicyPermission === 'allow') {
+        } else if (bucketPolicyPermission === checkBucketPolicyResult.ALLOW) {
+            processedResult = true;
+        } else if (bucketPolicyPermission === checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW
+            && actionImplicitDenies[requestType] === false) {
+            // If the bucket policy is cross account, only return true if Vault also returned an explicit allow.
             processedResult = true;
         } else {
             processedResult = actionImplicitDenies[requestType] === false && aclPermission;
@@ -405,7 +545,7 @@ function evaluateBucketPolicyWithIAM(bucket, requestTypesInput, canonicalID, aut
             arn = authInfo.getArn();
         }
         return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
-        request, true, results, actionImplicitDenies);
+            request, true, results, actionImplicitDenies);
     });
 }
 
@@ -456,8 +596,8 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
         // - account is the bucket owner
         // - requester is account, not user
         if (bucketOwnerActions.includes(parsedMethodName)
-        && (bucketOwner === canonicalID)
-        && requesterIsNotUser) {
+            && (bucketOwner === canonicalID)
+            && requesterIsNotUser) {
             results[_requestType] = actionImplicitDenies[_requestType] === false;
             return results[_requestType];
         }
@@ -613,4 +753,6 @@ module.exports = {
     validatePolicyConditions,
     isLifecycleSession,
     evaluateBucketPolicyWithIAM,
+    checkBucketPolicy,
+    checkBucketPolicyResult,
 };