CLDSRV-674: check x-amz-tagging-count permissions in bucket policies

Author: leif-scality

lib/api/api.js

@@ -152,8 +152,6 @@ const api = {
                     log.trace('get object authorization denial from Vault');
                     return errors.AccessDenied;
                 }
-                // TODO add support for returnTagCount in the bucket policy
-                // checks
                 isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
                 // second item checks s3:GetObject(Version)Tagging action
                 if (!authResults[1].isAllowed) {
@@ -281,6 +279,9 @@ const api = {
                     sourceObject, sourceVersionId, log, callback);
             }
             if (apiMethod === 'objectGet') {
+                // remove objectGetTagging/objectGetTaggingVersion from apiMethods, these where added by
+                // prepareRequestContexts to determine the value of returnTagCount.
+                request.apiMethods = request.apiMethods.filter(methodName => !methodName.includes('Tagging'));
                 return this[apiMethod](userInfo, request, returnTagCount, log, callback);
             }
             return this[apiMethod](userInfo, request, log, callback);

lib/api/objectGet.js

@@ -51,6 +51,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
         getDeleteMarker: true,
         requestType: request.apiMethods || 'objectGet',
         request,
+        returnTagCount,
     };
 
     return standardMetadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
@@ -97,7 +98,8 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
             return callback(headerValResult.error, null, corsHeaders);
         }
         const responseMetaHeaders = collectResponseHeaders(objMD,
-            corsHeaders, verCfg, returnTagCount);
+            corsHeaders, verCfg,
+            returnTagCount && objMD.returnTagCount); // IAM and Bucket policy should both authorize tagging.
 
         setExpirationHeaders(responseMetaHeaders, {
             lifecycleConfig: bucket.getLifecycleConfiguration(),

lib/metadata/metadataUtils.js

@@ -230,13 +230,29 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
             return next(null, bucket, objMD);
         },
         (bucket, objMD, next) => {
+            const objMetadata = objMD;
             const canonicalID = authInfo.getCanonicalID();
-            if (!isObjAuthorized(bucket, objMD, requestType, canonicalID, authInfo, log, request,
+            if (!isObjAuthorized(bucket, objMetadata, requestType, canonicalID, authInfo, log, request,
                 actionImplicitDenies)) {
                 log.debug('access denied for user on object', { requestType });
                 return next(errors.AccessDenied, bucket);
             }
-            return next(null, bucket, objMD);
+
+            let returnTagCount = false;
+            if (params.returnTagCount) {
+                // If returnTagCount is true we know that Vault athorized the request so it is not an implicitDeny.
+                const implicitDeny = false;
+                if (requestType.some(r => r === 'objectGet')) {
+                    returnTagCount = isObjAuthorized(bucket, objMetadata, ['objectGetTagging'], canonicalID, authInfo,
+                        log, request, implicitDeny);
+                } else if (requestType.some(r => r === 'objectGetVersion')) {
+                    returnTagCount = returnTagCount && isObjAuthorized(bucket, objMetadata, ['objectGetTaggingVersion'],
+                        canonicalID, authInfo, log, request, implicitDeny);
+                }
+
+                objMetadata.returnTagCount = returnTagCount;
+            }
+            return next(null, bucket, objMetadata);
         },
     ], (err, bucket, objMD) => {
         if (err) {