From e9d5c177071186e245dbfd52b869436e1bb15eb7 Mon Sep 17 00:00:00 2001
From: Will Toozs
Date: Wed, 13 Sep 2023 17:30:02 +0200
Subject: [PATCH 1/5] CLDSRV-429: update get apis with impDeny logic

---
 lib/api/bucketGet.js | 2 +-
 lib/api/bucketGetACL.js | 2 +-
 lib/api/bucketGetCors.js | 3 ++-
 lib/api/bucketGetEncryption.js | 2 +-
 lib/api/bucketGetLifecycle.js | 2 +-
 lib/api/bucketGetLocation.js | 3 ++-
 lib/api/bucketGetNotification.js | 2 +-
 lib/api/bucketGetObjectLock.js | 2 +-
 lib/api/bucketGetPolicy.js | 2 +-
 lib/api/bucketGetReplication.js | 2 +-
 lib/api/bucketGetVersioning.js | 2 +-
 lib/api/bucketGetWebsite.js | 3 ++-
 lib/api/objectGet.js | 2 +-
 lib/api/objectGetACL.js | 2 +-
 lib/api/objectGetLegalHold.js | 2 +-
 lib/api/objectGetRetention.js | 2 +-
 lib/api/objectGetTagging.js | 2 +-
 lib/api/websiteGet.js | 15 ++++++++-------
 tests/unit/api/bucketGet.js | 1 +
 tests/unit/api/bucketGetACL.js | 10 ++++++++++
 tests/unit/api/bucketGetCors.js | 2 ++
 tests/unit/api/bucketGetLifecycle.js | 1 +
 tests/unit/api/bucketGetLocation.js | 2 ++
 tests/unit/api/bucketGetNotification.js | 2 ++
 tests/unit/api/bucketGetObjectLock.js | 3 +++
 tests/unit/api/bucketGetPolicy.js | 2 ++
 tests/unit/api/bucketGetWebsite.js | 2 ++
 tests/unit/api/objectGet.js | 5 +++++
 tests/unit/api/objectGetACL.js | 2 ++
 tests/unit/api/objectGetLegalHold.js | 3 +++
 tests/unit/api/objectGetRetention.js | 3 +++
 tests/unit/api/objectGetTagging.js | 1 +
 tests/unit/api/serviceGet.js | 1 +
 33 files changed, 68 insertions(+), 24 deletions(-)

diff --git a/lib/api/bucketGet.js b/lib/api/bucketGet.js
index c864a80b50..5a3fdde5c1 100644
--- a/lib/api/bucketGet.js
+++ b/lib/api/bucketGet.js
@@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) { listParams.marker = params.marker; } - metadataValidateBucket(metadataValParams, log, (err, bucket) => { + metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); if (err) { diff --git a/lib/api/bucketGetACL.js b/lib/api/bucketGetACL.js index 1c5d592753..54549a8544 100644 --- a/lib/api/bucketGetACL.js +++ b/lib/api/bucketGetACL.js @@ -54,7 +54,7 @@ function bucketGetACL(authInfo, request, log, callback) { }, }; - metadataValidateBucket(metadataValParams, log, (err, bucket) => { + metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); if (err) { diff --git a/lib/api/bucketGetCors.js b/lib/api/bucketGetCors.js index 19534fe3ee..ca080504f4 100644 --- a/lib/api/bucketGetCors.js +++ b/lib/api/bucketGetCors.js @@ -34,7 +34,8 @@ function bucketGetCors(authInfo, request, log, callback) { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); - if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketGetCors', diff --git a/lib/api/bucketGetEncryption.js b/lib/api/bucketGetEncryption.js index 8720b69b4d..dceb1d3511 100644 --- a/lib/api/bucketGetEncryption.js +++ b/lib/api/bucketGetEncryption.js 
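Review bot: The new `request.iamAuthzResults` argument is inserted positionally before `log`, so any `metadataValidateBucket` caller this sweep did not reach will now bind `log` to the authorization slot and its callback to `log` instead of failing loudly, and the `isBucketAuthorized` calls in bucketGetCors, bucketGetLocation and bucketGetWebsite already pass `request` as their last argument, so the same value now travels twice. In the sibling hunks (bucketGetLifecycle, bucketGetNotification, objectGet) `metadataValParams` visibly already contains `request`, which suggests the callee could read `metadataValParams.request.iamAuthzResults` itself, or the value could be carried as a named key, `metadataValParams.iamAuthzResults = request.iamAuthzResults`, keeping a single source of truth and turning a missed call site into a no-op rather than a mis-bound argument. The callee is not part of this patch, so whether it fails closed when the field is `undefined` — as it will be for any request object that never had it set — cannot be confirmed from here and deserves an explicit test. The same remark applies to every `metadataValidateBucket`, `metadataValidateBucketAndObj`, `isBucketAuthorized` and `isObjAuthorized` call in this patch; `bucketGet`'s body continues outside the hunk.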
@@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucket(metadataValParams, log, next), + next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => { // If sseInfo is present but the `mandatory` flag is not set diff --git a/lib/api/bucketGetLifecycle.js b/lib/api/bucketGetLifecycle.js index 6411d5eb5b..7a1490d9ee 100644 --- a/lib/api/bucketGetLifecycle.js +++ b/lib/api/bucketGetLifecycle.js @@ -23,7 +23,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) { requestType: 'bucketGetLifecycle', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketGetLocation.js b/lib/api/bucketGetLocation.js index 4d95ee6b86..c302b2f389 100644 --- a/lib/api/bucketGetLocation.js +++ b/lib/api/bucketGetLocation.js @@ -36,7 +36,8 @@ function bucketGetLocation(authInfo, request, log, callback) { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); - if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.debug('access denied for account on bucket', { requestType, method: 'bucketGetLocation', diff --git a/lib/api/bucketGetNotification.js b/lib/api/bucketGetNotification.js index a3e41c03ae..aa3c2a9c3a 100644 --- a/lib/api/bucketGetNotification.js +++ b/lib/api/bucketGetNotification.js 
@@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) { request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketGetObjectLock.js b/lib/api/bucketGetObjectLock.js index cbb92d34b2..e46f804c22 100644 --- a/lib/api/bucketGetObjectLock.js +++ b/lib/api/bucketGetObjectLock.js @@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) { requestType: 'bucketGetObjectLock', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketGetPolicy.js b/lib/api/bucketGetPolicy.js index c87bb12cce..f3e0ccd3cb 100644 --- a/lib/api/bucketGetPolicy.js +++ b/lib/api/bucketGetPolicy.js @@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) { request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketGetReplication.js b/lib/api/bucketGetReplication.js index 03cbcac37f..fcee81631b 100644 --- a/lib/api/bucketGetReplication.js +++ b/lib/api/bucketGetReplication.js 
@@ -23,7 +23,7 @@ function bucketGetReplication(authInfo, request, log, callback) { requestType: 'bucketGetReplication', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketGetVersioning.js b/lib/api/bucketGetVersioning.js index f25edbac6f..0ecfcb4dee 100644 --- a/lib/api/bucketGetVersioning.js +++ b/lib/api/bucketGetVersioning.js @@ -57,7 +57,7 @@ function bucketGetVersioning(authInfo, request, log, callback) { request, }; - metadataValidateBucket(metadataValParams, log, (err, bucket) => { + metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); if (err) { diff --git a/lib/api/bucketGetWebsite.js b/lib/api/bucketGetWebsite.js index 315d825e39..40d9d493e9 100644 --- a/lib/api/bucketGetWebsite.js +++ b/lib/api/bucketGetWebsite.js @@ -34,7 +34,8 @@ function bucketGetWebsite(authInfo, request, log, callback) { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); - if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketGetWebsite', diff --git a/lib/api/objectGet.js b/lib/api/objectGet.js index d8b6b366a7..9cc8735f3e 100644 --- a/lib/api/objectGet.js +++ b/lib/api/objectGet.js 
@@ -48,7 +48,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) { request, }; - return metadataValidateBucketAndObj(mdValParams, log, + return metadataValidateBucketAndObj(mdValParams, request.iamAuthzResults, log, (err, bucket, objMD) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket); diff --git a/lib/api/objectGetACL.js b/lib/api/objectGetACL.js index ea2c88968f..e1d6253d2c 100644 --- a/lib/api/objectGetACL.js +++ b/lib/api/objectGetACL.js @@ -71,7 +71,7 @@ function objectGetACL(authInfo, request, log, callback) { return async.waterfall([ function validateBucketAndObj(next) { - return metadataValidateBucketAndObj(metadataValParams, log, + return metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', diff --git a/lib/api/objectGetLegalHold.js b/lib/api/objectGetLegalHold.js index 40cb4fcbc9..2e3bc2a767 100644 --- a/lib/api/objectGetLegalHold.js +++ b/lib/api/objectGetLegalHold.js @@ -43,7 +43,7 @@ function objectGetLegalHold(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucketAndObj(metadataValParams, log, + next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', diff --git a/lib/api/objectGetRetention.js b/lib/api/objectGetRetention.js index e5e49bb0ec..6afe34e3ea 100644 --- a/lib/api/objectGetRetention.js +++ b/lib/api/objectGetRetention.js @@ -43,7 +43,7 @@ function objectGetRetention(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucketAndObj(metadataValParams, log, + next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', 
diff --git a/lib/api/objectGetTagging.js b/lib/api/objectGetTagging.js index 48233c3acc..9048429de0 100644 --- a/lib/api/objectGetTagging.js +++ b/lib/api/objectGetTagging.js @@ -43,7 +43,7 @@ function objectGetTagging(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucketAndObj(metadataValParams, log, + next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', diff --git a/lib/api/websiteGet.js b/lib/api/websiteGet.js index bf328a8f6e..8d36710be0 100644 --- a/lib/api/websiteGet.js +++ b/lib/api/websiteGet.js @@ -21,12 +21,13 @@ const { pushMetric } = require('../utapi/utilities'); * @param {string} objectKey - object key from request (or as translated in * websiteGet) * @param {object} corsHeaders - CORS-related response headers + * @param {object} request - normalized request object * @param {object} log - Werelogs instance * @param {function} callback - callback to function in route * @return {undefined} */ function _errorActions(err, errorDocument, routingRules, - bucket, objectKey, corsHeaders, log, callback) { + bucket, objectKey, corsHeaders, request, log, callback) { const bucketName = bucket.getName(); const errRoutingRule = findRoutingRule(routingRules, objectKey, err.code); @@ -47,7 +48,7 @@ function _errorActions(err, errorDocument, routingRules, // return the default error message if the object is private // rather than sending a stored error file if (!isObjAuthorized(bucket, errObjMD, 'objectGet', - constants.publicId, null, log)) { + constants.publicId, null, request.iamAuthzResults, log)) { log.trace('errorObj not authorized', { error: err }); return callback(err, true, null, corsHeaders); } 
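Review bot: The `isObjAuthorized` call in `_errorActions` still omits the trailing `request` argument that the call in `websiteGet` (next hunk) passes, even though `request` is now threaded into `_errorActions` for exactly this purpose. If that final parameter takes part in the decision — the callee is not visible here — the error-document path is evaluated against a different context than the main path; making the two calls match, `constants.publicId, null, request.iamAuthzResults, log, request)`, removes the divergence. `_errorActions`' body continues outside the hunk.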
@@ -144,7 +145,7 @@ function websiteGet(request, log, callback) { { error: err }); let returnErr = err; const bucketAuthorized = isBucketAuthorized(bucket, - 'bucketGet', constants.publicId, null, log, request); + 'bucketGet', constants.publicId, null, request.iamAuthzResults, log, request); // if index object does not exist and bucket is private AWS // returns 403 - AccessDenied error. if (err.is.NoSuchKey && !bucketAuthorized) { @@ -152,16 +153,16 @@ function websiteGet(request, log, callback) { } return _errorActions(returnErr, websiteConfig.getErrorDocument(), routingRules, - bucket, reqObjectKey, corsHeaders, log, + bucket, reqObjectKey, corsHeaders, request, log, callback); } if (!isObjAuthorized(bucket, objMD, 'objectGet', - constants.publicId, null, log, request)) { + constants.publicId, null, request.iamAuthzResults, log, request)) { const err = errors.AccessDenied; log.trace('request not authorized', { error: err }); return _errorActions(err, websiteConfig.getErrorDocument(), routingRules, bucket, - reqObjectKey, corsHeaders, log, callback); + reqObjectKey, corsHeaders, request, log, callback); } const headerValResult = validateHeaders(request.headers, @@ -171,7 +172,7 @@ function websiteGet(request, log, callback) { log.trace('header validation error', { error: err }); return _errorActions(err, websiteConfig.getErrorDocument(), routingRules, bucket, reqObjectKey, - corsHeaders, log, callback); + corsHeaders, request, log, callback); } // check if object to serve has website redirect header // Note: AWS prioritizes website configuration rules over diff --git a/tests/unit/api/bucketGet.js b/tests/unit/api/bucketGet.js index c178de5435..a6ec0c2fff 100644 --- a/tests/unit/api/bucketGet.js +++ b/tests/unit/api/bucketGet.js @@ -63,6 +63,7 @@ const baseGetRequest = { bucketName, namespace, headers: { host: '/' }, + iamAuthzResults: false, }; const baseUrl = `/${bucketName}`; 
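Review bot: Every fixture in this and the following unit-test files (bucketGetACL through serviceGet) sets `iamAuthzResults: false`, so the suite only exercises the "no IAM result" branch and nothing asserts that a deny result is actually honoured, which is the behaviour the series title promises. Requests built through `new DummyRequest({...})` (objectGetLegalHold, objectGetRetention, objectGetTagging) appear to be left without the field and so pass `undefined` rather than `false`; if the callee distinguishes the two, the fixtures are not equivalent and the mix should be deliberate. Add at least one case per API with a deny result in the shape the authorization layer produces (not visible here) asserting an `AccessDenied` response, or document the choice on the fixture, e.g. `iamAuthzResults: false, // no IAM implicit-deny result in unit tests`.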
diff --git a/tests/unit/api/bucketGetACL.js b/tests/unit/api/bucketGetACL.js index b9bb3ef4b3..f5f9133962 100644 --- a/tests/unit/api/bucketGetACL.js +++ b/tests/unit/api/bucketGetACL.js @@ -25,6 +25,7 @@ describe.skip('bucketGetACL API', () => { namespace, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const testGetACLRequest = { bucketName, @@ -32,6 +33,7 @@ describe.skip('bucketGetACL API', () => { headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; it('should get a canned private ACL', done => { @@ -44,6 +46,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -76,6 +79,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -119,6 +123,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -156,6 +161,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -194,6 +200,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -248,6 +255,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be'; @@ -338,6 +346,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ @@ -377,6 +386,7 @@ describe.skip('bucketGetACL API', () => { }, url: '/?acl', query: { acl: '' }, + iamAuthzResults: false, }; async.waterfall([ diff --git a/tests/unit/api/bucketGetCors.js b/tests/unit/api/bucketGetCors.js index 4ae4976d6f..ae06cfb075 100644 
--- a/tests/unit/api/bucketGetCors.js +++ b/tests/unit/api/bucketGetCors.js @@ -16,6 +16,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; function _makeCorsRequest(xml) { @@ -26,6 +27,7 @@ function _makeCorsRequest(xml) { }, url: '/?cors', query: { cors: '' }, + iamAuthzResults: false, }; if (xml) { diff --git a/tests/unit/api/bucketGetLifecycle.js b/tests/unit/api/bucketGetLifecycle.js index 91af065321..99f471ad5e 100644 --- a/tests/unit/api/bucketGetLifecycle.js +++ b/tests/unit/api/bucketGetLifecycle.js @@ -17,6 +17,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; // TODO CLDSRV-429 remove skip describe.skip('getBucketLifecycle API', () => { diff --git a/tests/unit/api/bucketGetLocation.js b/tests/unit/api/bucketGetLocation.js index c0bb9eec45..204e5417f4 100644 --- a/tests/unit/api/bucketGetLocation.js +++ b/tests/unit/api/bucketGetLocation.js @@ -16,6 +16,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const testGetLocationRequest = { @@ -25,6 +26,7 @@ const testGetLocationRequest = { }, url: '/?location', query: { location: '' }, + iamAuthzResults: false, }; const locationConstraints = config.locationConstraints; diff --git a/tests/unit/api/bucketGetNotification.js b/tests/unit/api/bucketGetNotification.js index e74a4e0bba..a246f733c4 100644 --- a/tests/unit/api/bucketGetNotification.js +++ b/tests/unit/api/bucketGetNotification.js @@ -15,6 +15,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; function getNotificationRequest(bucketName, xml) { 
@@ -23,6 +24,7 @@ function getNotificationRequest(bucketName, xml) { headers: { host: `${bucketName}.s3.amazonaws.com`, }, + iamAuthzResults: false, }; if (xml) { request.post = xml; diff --git a/tests/unit/api/bucketGetObjectLock.js b/tests/unit/api/bucketGetObjectLock.js index edee9f7734..3c8031de00 100644 --- a/tests/unit/api/bucketGetObjectLock.js +++ b/tests/unit/api/bucketGetObjectLock.js @@ -14,6 +14,7 @@ const bucketPutReq = { host: `${bucketName}.s3.amazonaws.com`, }, url: '/', + iamAuthzResults: false, }; const testBucketPutReqWithObjLock = { @@ -23,6 +24,7 @@ const testBucketPutReqWithObjLock = { 'x-amz-bucket-object-lock-enabled': 'True', }, url: '/', + iamAuthzResults: false, }; function getObjectLockConfigRequest(bucketName, xml) { @@ -33,6 +35,7 @@ function getObjectLockConfigRequest(bucketName, xml) { 'x-amz-bucket-object-lock-enabled': 'true', }, url: '/?object-lock', + iamAuthzResults: false, }; if (xml) { request.post = xml; diff --git a/tests/unit/api/bucketGetPolicy.js b/tests/unit/api/bucketGetPolicy.js index d1c02f6eba..f4879d59fe 100644 --- a/tests/unit/api/bucketGetPolicy.js +++ b/tests/unit/api/bucketGetPolicy.js @@ -16,6 +16,7 @@ const testBasicRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const expectedBucketPolicy = { @@ -34,6 +35,7 @@ const testPutPolicyRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, post: JSON.stringify(expectedBucketPolicy), + iamAuthzResults: false, }; // TODO CLDSRV-429 remove skip describe.skip('getBucketPolicy API', () => { diff --git a/tests/unit/api/bucketGetWebsite.js b/tests/unit/api/bucketGetWebsite.js index cb2398f7b1..a3670383f0 100644 --- a/tests/unit/api/bucketGetWebsite.js +++ b/tests/unit/api/bucketGetWebsite.js @@ -15,6 +15,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; function _makeWebsiteRequest(xml) { 
@@ -25,6 +26,7 @@ function _makeWebsiteRequest(xml) { }, url: '/?website', query: { website: '' }, + iamAuthzResults: false, }; if (xml) { diff --git a/tests/unit/api/objectGet.js b/tests/unit/api/objectGet.js index fa015282af..b8ccbeaef3 100644 --- a/tests/unit/api/objectGet.js +++ b/tests/unit/api/objectGet.js @@ -47,6 +47,7 @@ describe.skip('objectGet API', () => { namespace, headers: {}, url: `/${bucketName}`, + iamAuthzResults: false, }; const userMetadataKey = 'x-amz-meta-test'; const userMetadataValue = 'some metadata'; @@ -56,6 +57,7 @@ describe.skip('objectGet API', () => { objectKey: objectName, headers: {}, url: `/${bucketName}/${objectName}`, + iamAuthzResults: false, }; it('should get the object metadata', done => { @@ -84,6 +86,7 @@ describe.skip('objectGet API', () => { 'x-amz-bucket-object-lock-enabled': 'true', }, url: `/${bucketName}`, + iamAuthzResults: false, }; const createPutDummyRetention = (date, mode) => new DummyRequest({ @@ -245,6 +248,7 @@ describe.skip('objectGet API', () => { objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: `/${objectName}?uploads`, + iamAuthzResults: false, }; async.waterfall([ next => bucketPut(authInfo, testPutBucketRequest, log, next), @@ -321,6 +325,7 @@ describe.skip('objectGet API', () => { headers: { host: `${bucketName}.s3.amazonaws.com` }, query: { uploadId: testUploadId }, post: completeBody, + iamAuthzResults: false, }; completeMultipartUpload(authInfo, completeRequest, log, err => { diff --git a/tests/unit/api/objectGetACL.js b/tests/unit/api/objectGetACL.js index 52275fef98..d59d683e02 100644 --- a/tests/unit/api/objectGetACL.js +++ b/tests/unit/api/objectGetACL.js @@ -36,6 +36,7 @@ describe.skip('objectGetACL API', () => { 'x-amz-acl': 'public-read-write', }, url: '/', + iamAuthzResults: false, }; const testGetACLRequest = { bucketName, 
@@ -44,6 +45,7 @@ describe.skip('objectGetACL API', () => { objectKey: objectName, url: `/${bucketName}/${objectName}?acl`, query: { acl: '' }, + iamAuthzResults: false, }; it('should get a canned private ACL', done => { diff --git a/tests/unit/api/objectGetLegalHold.js b/tests/unit/api/objectGetLegalHold.js index 7094e76850..8a62cfbf60 100644 --- a/tests/unit/api/objectGetLegalHold.js +++ b/tests/unit/api/objectGetLegalHold.js @@ -18,6 +18,7 @@ const bucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const putObjectRequest = new DummyRequest({ @@ -37,12 +38,14 @@ const putObjectLegalHoldRequest = status => ({ objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, post: objectLegalHoldXml(status), + iamAuthzResults: false, }); const getObjectLegalHoldRequest = { bucketName, objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, + iamAuthzResults: false, }; // TODO CLDSRV-429 remove skip describe.skip('getObjectLegalHold API', () => { diff --git a/tests/unit/api/objectGetRetention.js b/tests/unit/api/objectGetRetention.js index a3d0d279e6..2ed4d2d1e7 100644 --- a/tests/unit/api/objectGetRetention.js +++ b/tests/unit/api/objectGetRetention.js @@ -21,6 +21,7 @@ const bucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const putObjectRequest = new DummyRequest({ @@ -42,12 +43,14 @@ const putObjRetRequest = { objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, post: objectRetentionXml, + iamAuthzResults: false, }; const getObjRetRequest = { bucketName, objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, + iamAuthzResults: false, }; // TODO CLDSRV-429 remove skip describe.skip('getObjectRetention API', () => { diff --git a/tests/unit/api/objectGetTagging.js b/tests/unit/api/objectGetTagging.js index 92f7163efd..b8b2893767 100644 
--- a/tests/unit/api/objectGetTagging.js +++ b/tests/unit/api/objectGetTagging.js @@ -21,6 +21,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const testPutObjectRequest = new DummyRequest({ diff --git a/tests/unit/api/serviceGet.js b/tests/unit/api/serviceGet.js index 91849b3ae4..d1a4e14ab0 100644 --- a/tests/unit/api/serviceGet.js +++ b/tests/unit/api/serviceGet.js @@ -24,6 +24,7 @@ describe.skip('serviceGet API', () => { parsedHost: 's3.amazonaws.com', headers: { host: 's3.amazonaws.com' }, url: '/', + iamAuthzResults: false, }; it('should return the list of buckets owned by the user', done => { From b119898ed197c666eb4ab290091c453d0302ee5f Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Wed, 13 Sep 2023 17:36:21 +0200 Subject: [PATCH 2/5] CLDSRV-429: update get apis tests with impDenylogic --- tests/unit/api/bucketGet.js | 6 ++---- tests/unit/api/bucketGetACL.js | 3 +-- tests/unit/api/bucketGetCors.js | 3 +-- tests/unit/api/bucketGetLifecycle.js | 3 +-- tests/unit/api/bucketGetLocation.js | 3 +-- tests/unit/api/bucketGetNotification.js | 3 +-- tests/unit/api/bucketGetObjectLock.js | 6 ++---- tests/unit/api/bucketGetPolicy.js | 3 +-- tests/unit/api/bucketGetReplication.js | 3 +-- tests/unit/api/bucketGetWebsite.js | 3 +-- tests/unit/api/objectDelete.js | 6 ++---- tests/unit/api/objectGet.js | 3 +-- tests/unit/api/objectGetACL.js | 3 +-- tests/unit/api/objectGetLegalHold.js | 3 +-- tests/unit/api/objectGetRetention.js | 3 +-- tests/unit/api/objectGetTagging.js | 4 ++-- 16 files changed, 20 insertions(+), 38 deletions(-) diff --git a/tests/unit/api/bucketGet.js b/tests/unit/api/bucketGet.js index a6ec0c2fff..87b2d62c81 100644 --- a/tests/unit/api/bucketGet.js +++ b/tests/unit/api/bucketGet.js 
@@ -174,8 +174,7 @@ const tests = [ }, }, ]; -// TODO CLDSRV-429 remove skip -describe.skip('bucketGet API', () => { +describe('bucketGet API', () => { beforeEach(() => { cleanup(); }); @@ -291,8 +290,7 @@ const testsForV2 = [...tests, }, ]; -// TODO CLDSRV-429 remove skip -describe.skip('bucketGet API V2', () => { +describe('bucketGet API V2', () => { beforeEach(() => { cleanup(); }); diff --git a/tests/unit/api/bucketGetACL.js b/tests/unit/api/bucketGetACL.js index f5f9133962..f7238b7cac 100644 --- a/tests/unit/api/bucketGetACL.js +++ b/tests/unit/api/bucketGetACL.js @@ -14,8 +14,7 @@ const authInfo = makeAuthInfo(accessKey); const canonicalID = authInfo.getCanonicalID(); const namespace = 'default'; const bucketName = 'bucketname'; -// TODO CLDSRV-429 remove skip -describe.skip('bucketGetACL API', () => { +describe('bucketGetACL API', () => { beforeEach(() => { cleanup(); }); diff --git a/tests/unit/api/bucketGetCors.js b/tests/unit/api/bucketGetCors.js index ae06cfb075..474087dc27 100644 --- a/tests/unit/api/bucketGetCors.js +++ b/tests/unit/api/bucketGetCors.js @@ -57,8 +57,7 @@ function _comparePutGetXml(sampleXml, done) { }); }); } -// TODO CLDSRV-429 remove skip -describe.skip('getBucketCors API', () => { +describe('getBucketCors API', () => { beforeEach(done => { cleanup(); bucketPut(authInfo, testBucketPutRequest, log, done); diff --git a/tests/unit/api/bucketGetLifecycle.js b/tests/unit/api/bucketGetLifecycle.js index 99f471ad5e..e3f0a0247b 100644 --- a/tests/unit/api/bucketGetLifecycle.js +++ b/tests/unit/api/bucketGetLifecycle.js @@ -19,8 +19,7 @@ const testBucketPutRequest = { url: '/', iamAuthzResults: false, }; -// TODO CLDSRV-429 remove skip -describe.skip('getBucketLifecycle API', () => { +describe('getBucketLifecycle API', () => { before(() => cleanup()); beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done)); afterEach(() => cleanup()); 
diff --git a/tests/unit/api/bucketGetLocation.js b/tests/unit/api/bucketGetLocation.js index 204e5417f4..2f1eeb9089 100644 --- a/tests/unit/api/bucketGetLocation.js +++ b/tests/unit/api/bucketGetLocation.js @@ -39,8 +39,7 @@ function getBucketRequestObject(location) { '' : undefined; return Object.assign({ post }, testBucketPutRequest); } -// TODO CLDSRV-429 remove skip -describe.skip('getBucketLocation API', () => { +describe('getBucketLocation API', () => { Object.keys(locationConstraints).forEach(location => { if (location === 'us-east-1') { // if region us-east-1 should return empty string diff --git a/tests/unit/api/bucketGetNotification.js b/tests/unit/api/bucketGetNotification.js index a246f733c4..ce6b16b92e 100644 --- a/tests/unit/api/bucketGetNotification.js +++ b/tests/unit/api/bucketGetNotification.js @@ -54,8 +54,7 @@ function getNotificationXml() { ''; } -// TODO CLDSRV-429 remove skip -describe.skip('getBucketNotification API', () => { +describe('getBucketNotification API', () => { before(cleanup); beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done)); afterEach(cleanup); diff --git a/tests/unit/api/bucketGetObjectLock.js b/tests/unit/api/bucketGetObjectLock.js index 3c8031de00..2f846dcad2 100644 --- a/tests/unit/api/bucketGetObjectLock.js +++ b/tests/unit/api/bucketGetObjectLock.js @@ -68,8 +68,7 @@ function getObjectLockXml(mode, type, time) { xmlStr += xml.objLockConfigClose; return xmlStr; } -// TODO CLDSRV-429 remove skip -describe.skip('bucketGetObjectLock API', () => { +describe('bucketGetObjectLock API', () => { before(done => bucketPut(authInfo, bucketPutReq, log, done)); after(cleanup); @@ -82,8 +81,7 @@ describe.skip('bucketGetObjectLock API', () => { }); }); }); -// TODO CLDSRV-429 remove skip -describe.skip('bucketGetObjectLock API', () => { +describe('bucketGetObjectLock API', () => { before(cleanup); beforeEach(done => bucketPut(authInfo, testBucketPutReqWithObjLock, log, done)); afterEach(cleanup); 
diff --git a/tests/unit/api/bucketGetPolicy.js b/tests/unit/api/bucketGetPolicy.js index f4879d59fe..85096b4aea 100644 --- a/tests/unit/api/bucketGetPolicy.js +++ b/tests/unit/api/bucketGetPolicy.js @@ -37,8 +37,7 @@ const testPutPolicyRequest = { post: JSON.stringify(expectedBucketPolicy), iamAuthzResults: false, }; -// TODO CLDSRV-429 remove skip -describe.skip('getBucketPolicy API', () => { +describe('getBucketPolicy API', () => { before(() => cleanup()); beforeEach(done => bucketPut(authInfo, testBasicRequest, log, done)); afterEach(() => cleanup()); diff --git a/tests/unit/api/bucketGetReplication.js b/tests/unit/api/bucketGetReplication.js index c59564cfa4..1dc3e4df50 100644 --- a/tests/unit/api/bucketGetReplication.js +++ b/tests/unit/api/bucketGetReplication.js @@ -53,8 +53,7 @@ function getReplicationConfig() { ], }; } -// TODO CLDSRV-429 remove skip -describe.skip("'getReplicationConfigurationXML' function", () => { +describe("'getReplicationConfigurationXML' function", () => { it('should return XML from the bucket replication configuration', done => getAndCheckXML(getReplicationConfig(), done)); diff --git a/tests/unit/api/bucketGetWebsite.js b/tests/unit/api/bucketGetWebsite.js index a3670383f0..432f795b42 100644 --- a/tests/unit/api/bucketGetWebsite.js +++ b/tests/unit/api/bucketGetWebsite.js @@ -55,8 +55,7 @@ function _comparePutGetXml(sampleXml, done) { }); }); } -// TODO CLDSRV-429 remove skip -describe.skip('getBucketWebsite API', () => { +describe('getBucketWebsite API', () => { beforeEach(done => { cleanup(); bucketPut(authInfo, testBucketPutRequest, log, done); diff --git a/tests/unit/api/objectDelete.js b/tests/unit/api/objectDelete.js index fa5514ebf7..576793b3f4 100644 --- a/tests/unit/api/objectDelete.js +++ b/tests/unit/api/objectDelete.js 
@@ -84,8 +84,7 @@ describe('objectDelete API', () => { url: `/${bucketName}/${objectKey}`, }); - // TODO CLDSRV-429 remove skip - skipped due to get at the end - it.skip('should delete an object', done => { + it('should delete an object', done => { bucketPut(authInfo, testBucketPutRequest, log, () => { objectPut(authInfo, testPutObjectRequest, undefined, log, () => { @@ -102,8 +101,7 @@ describe('objectDelete API', () => { }); }); - // TODO CLDSRV-429 remove skip - skipped due to get at the end - it.skip('should delete a 0 bytes object', done => { + it('should delete a 0 bytes object', done => { const testPutObjectRequest = new DummyRequest({ bucketName, namespace, diff --git a/tests/unit/api/objectGet.js b/tests/unit/api/objectGet.js index b8ccbeaef3..68fe6bb1db 100644 --- a/tests/unit/api/objectGet.js +++ b/tests/unit/api/objectGet.js @@ -22,8 +22,7 @@ const namespace = 'default'; const bucketName = 'bucketname'; const objectName = 'objectName'; const postBody = Buffer.from('I am a body', 'utf8'); -// TODO CLDSRV-429 remove skip -describe.skip('objectGet API', () => { +describe('objectGet API', () => { let testPutObjectRequest; beforeEach(() => { diff --git a/tests/unit/api/objectGetACL.js b/tests/unit/api/objectGetACL.js index d59d683e02..7532735f1a 100644 --- a/tests/unit/api/objectGetACL.js +++ b/tests/unit/api/objectGetACL.js @@ -20,8 +20,7 @@ const otherAccountCanonicalID = otherAccountAuthInfo.getCanonicalID(); const namespace = 'default'; const bucketName = 'bucketname'; const postBody = Buffer.from('I am a body', 'utf8'); -// TODO CLDSRV-429 remove skip -describe.skip('objectGetACL API', () => { +describe('objectGetACL API', () => { beforeEach(() => { cleanup(); }); diff --git a/tests/unit/api/objectGetLegalHold.js b/tests/unit/api/objectGetLegalHold.js index 8a62cfbf60..9782bccbfb 100644 --- a/tests/unit/api/objectGetLegalHold.js +++ b/tests/unit/api/objectGetLegalHold.js 
@@ -47,8 +47,7 @@ const getObjectLegalHoldRequest = {
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 iamAuthzResults: false,
 };
-// TODO CLDSRV-429 remove skip
-describe.skip('getObjectLegalHold API', () => {
+describe('getObjectLegalHold API', () => {
 before(cleanup);
 describe('without Object Lock enabled on bucket', () => {
diff --git a/tests/unit/api/objectGetRetention.js b/tests/unit/api/objectGetRetention.js
index 2ed4d2d1e7..bc70036a2e 100644
--- a/tests/unit/api/objectGetRetention.js
+++ b/tests/unit/api/objectGetRetention.js
@@ -52,8 +52,7 @@ const getObjRetRequest = {
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 iamAuthzResults: false,
 };
-// TODO CLDSRV-429 remove skip
-describe.skip('getObjectRetention API', () => {
+describe('getObjectRetention API', () => {
 before(cleanup);
 describe('without Object Lock enabled on bucket', () => {
diff --git a/tests/unit/api/objectGetTagging.js b/tests/unit/api/objectGetTagging.js
index b8b2893767..348d137349 100644
--- a/tests/unit/api/objectGetTagging.js
+++ b/tests/unit/api/objectGetTagging.js
@@ -31,8 +31,8 @@ const testPutObjectRequest = new DummyRequest({
 headers: {},
 url: `/${bucketName}/${objectName}`,
 }, postBody);
-// TODO CLDSRV-429 remove skip
-describe.skip('getObjectTagging API', () => {
+
+describe('getObjectTagging API', () => {
 beforeEach(done => {
 cleanup();
 bucketPut(authInfo, testBucketPutRequest, log, err => {
From e035d5550b133050f2d1e4b5e79005339ce50cd5 Mon Sep 17 00:00:00 2001
From: Will Toozs
Date: Wed, 13 Sep 2023 17:42:46 +0200
Subject: [PATCH 3/5] fixup: skips
---
 tests/unit/api/objectGet.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/unit/api/objectGet.js b/tests/unit/api/objectGet.js
index 68fe6bb1db..959e50f040 100644
--- a/tests/unit/api/objectGet.js
+++ b/tests/unit/api/objectGet.js
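Review bot: The getObjectLegalHold suite re-enabled here builds its request with `iamAuthzResults: false` (visible in the hunk context), and the same is true of the getObjectRetention and getBucketPolicy fixtures in the neighbouring hunks, so the implicit-deny argument the series threads into `metadataValidateBucketAndObj` and friends is only ever exercised in its permissive value. None of the un-skipped tests passes a request whose authorization result marks the action as implicitly denied and asserts that the API returns AccessDenied, so a regression that ignores the new argument would pass this suite unchanged. Add at least one such case per re-enabled API, e.g. a fixture alongside `getObjectLegalHoldRequest` with the deny-shaped value (its exact shape is not visible in this diff) and an `it('should return AccessDenied when the action is implicitly denied', ...)`. The describe blocks continue outside the hunks.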
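Review bot: In the objectGetTagging hunk the removed TODO line is replaced by an empty `+` line, so the file now has a blank line between `}, postBody);` and `describe('getObjectTagging API', ...)`, whereas every other file un-skipped in this patch (bucketGetPolicy, bucketGetReplication, bucketGetWebsite, objectGet, objectGetACL, objectGetLegalHold, objectGetRetention) places `describe(` directly after the preceding statement. For consistency with the rest of the change, drop the added blank line so this hunk becomes a one-for-one replacement like the others (`-8 +7`). The describe block continues outside the hunk.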
@@ -238,7 +238,8 @@ describe('objectGet API', () => {
 });
 });
- it('should get the object data retrieval info for an object put by MPU',
+ // TODO CLDSRV-431 remove skip - skipped due to MPU call
+ it.skip('should get the object data retrieval info for an object put by MPU',
 done => {
 const partBody = Buffer.from('I am a part\n', 'utf8');
 const initiateRequest = {
From 5f3fa488d5745a2d63be5c2dd4bf095fecd4fbca Mon Sep 17 00:00:00 2001
From: Will Toozs
Date: Wed, 13 Sep 2023 17:52:57 +0200
Subject: [PATCH 4/5] fixup: skips
---
 tests/functional/aws-node-sdk/test/bucket/get.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/functional/aws-node-sdk/test/bucket/get.js b/tests/functional/aws-node-sdk/test/bucket/get.js
index 7eca17cee2..f4763dfc7c 100644
--- a/tests/functional/aws-node-sdk/test/bucket/get.js
+++ b/tests/functional/aws-node-sdk/test/bucket/get.js
@@ -286,8 +286,7 @@ const tests = [
 },
 ];
-// TODO CLDSRV-928 remove skip
-describe.skip('GET Bucket - AWS.S3.listObjects', () => {
+describe('GET Bucket - AWS.S3.listObjects', () => {
 describe('When user is unauthorized', () => {
 let bucketUtil;
 let bucketName;
From 482e6576b1713f73898500bb14164d2b4bcee4ea Mon Sep 17 00:00:00 2001
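Review bot: The new `it.skip` disables the only test in this file that fetches an object written through multipart upload, which is a distinct data-retrieval path of `objectGet`, and the added comment records only that it is "skipped due to MPU call" without saying what fails. Since this series changes the authorization argument `objectGet` passes to `metadataValidateBucketAndObj`, a skipped test on this path means a regression there would not be caught by the unit suite until CLDSRV-431 lands. State the failing call or assertion in the comment so the follow-up is verifiable, e.g. `// TODO CLDSRV-431 remove skip - <name of the MPU call that currently fails> does not yet work in this unit setup` (placeholder to be filled in by the author). The test body continues outside the hunk.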
From: Will Toozs
Date: Mon, 18 Sep 2023 15:00:07 +0200
Subject: [PATCH 5/5] variable name change
---
 lib/api/bucketGet.js | 2 +-
 lib/api/bucketGetACL.js | 2 +-
 lib/api/bucketGetCors.js | 2 +-
 lib/api/bucketGetEncryption.js | 2 +-
 lib/api/bucketGetLifecycle.js | 2 +-
 lib/api/bucketGetLocation.js | 2 +-
 lib/api/bucketGetNotification.js | 2 +-
 lib/api/bucketGetObjectLock.js | 2 +-
 lib/api/bucketGetPolicy.js | 2 +-
 lib/api/bucketGetReplication.js | 2 +-
 lib/api/bucketGetVersioning.js | 2 +-
 lib/api/bucketGetWebsite.js | 2 +-
 lib/api/objectGet.js | 2 +-
 lib/api/objectGetACL.js | 2 +-
 lib/api/objectGetLegalHold.js | 2 +-
 lib/api/objectGetRetention.js | 2 +-
 lib/api/objectGetTagging.js | 2 +-
 lib/api/websiteGet.js | 6 +++---
 tests/unit/api/bucketGet.js | 2 +-
 tests/unit/api/bucketGetACL.js | 20 ++++++++++----------
 tests/unit/api/bucketGetCors.js | 4 ++--
 tests/unit/api/bucketGetLifecycle.js | 2 +-
 tests/unit/api/bucketGetLocation.js | 4 ++--
 tests/unit/api/bucketGetNotification.js | 4 ++--
 tests/unit/api/bucketGetObjectLock.js | 6 +++---
 tests/unit/api/bucketGetPolicy.js | 4 ++--
 tests/unit/api/bucketGetWebsite.js | 4 ++--
 tests/unit/api/objectGet.js | 10 +++++-----
 tests/unit/api/objectGetACL.js | 4 ++--
 tests/unit/api/objectGetLegalHold.js | 6 +++---
 tests/unit/api/objectGetRetention.js | 6 +++---
 tests/unit/api/objectGetTagging.js | 2 +-
 tests/unit/api/serviceGet.js | 2 +-
 33 files changed, 60 insertions(+), 60 deletions(-)
diff --git a/lib/api/bucketGet.js b/lib/api/bucketGet.js
index 5a3fdde5c1..674303ae54 100644
--- a/lib/api/bucketGet.js
+++ b/lib/api/bucketGet.js
@@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) {
 listParams.marker = params.marker;
 }
- metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(request.headers.origin,
 request.method, bucket);
 if (err) {
diff --git a/lib/api/bucketGetACL.js b/lib/api/bucketGetACL.js
index 54549a8544..8faff12551 100644
--- a/lib/api/bucketGetACL.js
+++ b/lib/api/bucketGetACL.js
@@ -54,7 +54,7 @@ function bucketGetACL(authInfo, request, log, callback) {
 },
 };
- metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(request.headers.origin,
 request.method, bucket);
 if (err) {
diff --git a/lib/api/bucketGetCors.js b/lib/api/bucketGetCors.js
index ca080504f4..11b1ebf3d8 100644
--- a/lib/api/bucketGetCors.js
+++ b/lib/api/bucketGetCors.js
@@ -35,7 +35,7 @@ function bucketGetCors(authInfo, request, log, callback) {
 request.method, bucket);
 if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
- request.iamAuthzResults, log, request)) {
+ request.actionImplicitDenies, log, request)) {
 log.debug('access denied for user on bucket', {
 requestType,
 method: 'bucketGetCors',
diff --git a/lib/api/bucketGetEncryption.js b/lib/api/bucketGetEncryption.js
index dceb1d3511..2e6f371ba4 100644
--- a/lib/api/bucketGetEncryption.js
+++ b/lib/api/bucketGetEncryption.js
@@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
 };
 return async.waterfall([
- next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next),
+ next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
 (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
 (bucket, next) => {
 // If sseInfo is present but the `mandatory` flag is not set
diff --git a/lib/api/bucketGetLifecycle.js b/lib/api/bucketGetLifecycle.js
index 7a1490d9ee..a8f8cecb29 100644
--- a/lib/api/bucketGetLifecycle.js
+++ b/lib/api/bucketGetLifecycle.js
@@ -23,7 +23,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
 requestType: 'bucketGetLifecycle',
 request,
 };
- return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
 if (err) {
 log.debug('error processing request', {
diff --git a/lib/api/bucketGetLocation.js b/lib/api/bucketGetLocation.js
index c302b2f389..0b65879ece 100644
--- a/lib/api/bucketGetLocation.js
+++ b/lib/api/bucketGetLocation.js
@@ -37,7 +37,7 @@ function bucketGetLocation(authInfo, request, log, callback) {
 request.method, bucket);
 if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
- request.iamAuthzResults, log, request)) {
+ request.actionImplicitDenies, log, request)) {
 log.debug('access denied for account on bucket', {
 requestType,
 method: 'bucketGetLocation',
diff --git a/lib/api/bucketGetNotification.js b/lib/api/bucketGetNotification.js
index aa3c2a9c3a..cf701cc361 100644
--- a/lib/api/bucketGetNotification.js
+++ b/lib/api/bucketGetNotification.js
@@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
 request,
 };
- return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
 if (err) {
 log.debug('error processing request', {
diff --git a/lib/api/bucketGetObjectLock.js b/lib/api/bucketGetObjectLock.js
index e46f804c22..9303ccffc2 100644
--- a/lib/api/bucketGetObjectLock.js
+++ b/lib/api/bucketGetObjectLock.js
@@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
 requestType: 'bucketGetObjectLock',
 request,
 };
- return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
 if (err) {
 log.debug('error processing request', {
diff --git a/lib/api/bucketGetPolicy.js b/lib/api/bucketGetPolicy.js
index f3e0ccd3cb..7cdd0c9a99 100644
--- a/lib/api/bucketGetPolicy.js
+++ b/lib/api/bucketGetPolicy.js
@@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
 request,
 };
- return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
 if (err) {
 log.debug('error processing request', {
diff --git a/lib/api/bucketGetReplication.js b/lib/api/bucketGetReplication.js
index fcee81631b..48a9cadf40 100644
--- a/lib/api/bucketGetReplication.js
+++ b/lib/api/bucketGetReplication.js
@@ -23,7 +23,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
 requestType: 'bucketGetReplication',
 request,
 };
- return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
 if (err) {
 log.debug('error processing request', {
diff --git a/lib/api/bucketGetVersioning.js b/lib/api/bucketGetVersioning.js
index 0ecfcb4dee..9ec1c9a1b4 100644
--- a/lib/api/bucketGetVersioning.js
+++ b/lib/api/bucketGetVersioning.js
@@ -57,7 +57,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
 request,
 };
- metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
+ metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
 const corsHeaders = collectCorsHeaders(request.headers.origin,
 request.method, bucket);
 if (err) {
diff --git a/lib/api/bucketGetWebsite.js b/lib/api/bucketGetWebsite.js
index 40d9d493e9..e47e98fe48 100644
--- a/lib/api/bucketGetWebsite.js
+++ b/lib/api/bucketGetWebsite.js
@@ -35,7 +35,7 @@ function bucketGetWebsite(authInfo, request, log, callback) {
 const corsHeaders = collectCorsHeaders(request.headers.origin,
 request.method, bucket);
 if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
- request.iamAuthzResults, log, request)) {
+ request.actionImplicitDenies, log, request)) {
 log.debug('access denied for user on bucket', {
 requestType,
 method: 'bucketGetWebsite',
diff --git a/lib/api/objectGet.js b/lib/api/objectGet.js
index 9cc8735f3e..75c7bd13b6 100644
--- a/lib/api/objectGet.js
+++ b/lib/api/objectGet.js
@@ -48,7 +48,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
 request,
 };
- return metadataValidateBucketAndObj(mdValParams, request.iamAuthzResults, log,
+ return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
 (err, bucket, objMD) => {
 const corsHeaders = collectCorsHeaders(request.headers.origin,
 request.method, bucket);
diff --git a/lib/api/objectGetACL.js b/lib/api/objectGetACL.js
index e1d6253d2c..d96f0a62d3 100644
--- a/lib/api/objectGetACL.js
+++ b/lib/api/objectGetACL.js
@@ -71,7 +71,7 @@ function objectGetACL(authInfo, request, log, callback) {
 return async.waterfall([
 function validateBucketAndObj(next) {
- return metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
+ return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
 (err, bucket, objectMD) => {
 if (err) {
 log.trace('request authorization failed',
diff --git a/lib/api/objectGetLegalHold.js b/lib/api/objectGetLegalHold.js
index 2e3bc2a767..a450314a2b 100644
--- a/lib/api/objectGetLegalHold.js
+++ b/lib/api/objectGetLegalHold.js
@@ -43,7 +43,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
 };
 return async.waterfall([
- next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
+ next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
 (err, bucket, objectMD) => {
 if (err) {
 log.trace('request authorization failed',
diff --git a/lib/api/objectGetRetention.js b/lib/api/objectGetRetention.js
index 6afe34e3ea..825843ac4b 100644
--- a/lib/api/objectGetRetention.js
+++ b/lib/api/objectGetRetention.js
@@ -43,7 +43,7 @@ function objectGetRetention(authInfo, request, log, callback) {
 };
 return async.waterfall([
- next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
+ next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
 (err, bucket, objectMD) => {
 if (err) {
 log.trace('request authorization failed',
diff --git a/lib/api/objectGetTagging.js b/lib/api/objectGetTagging.js
index 9048429de0..98657156a0 100644
--- a/lib/api/objectGetTagging.js
+++ b/lib/api/objectGetTagging.js
@@ -43,7 +43,7 @@ function objectGetTagging(authInfo, request, log, callback) {
 };
 return async.waterfall([
- next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
+ next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
 (err, bucket, objectMD) => {
 if (err) {
 log.trace('request authorization failed',
diff --git a/lib/api/websiteGet.js b/lib/api/websiteGet.js
index 8d36710be0..0bbfbbedba 100644
--- a/lib/api/websiteGet.js
+++ b/lib/api/websiteGet.js
@@ -48,7 +48,7 @@ function _errorActions(err, errorDocument, routingRules,
 // return the default error message if the object is private
 // rather than sending a stored error file
 if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
- constants.publicId, null, request.iamAuthzResults, log)) {
+ constants.publicId, null, request.actionImplicitDenies, log)) {
 log.trace('errorObj not authorized', { error: err });
 return callback(err, true, null, corsHeaders);
 }
@@ -145,7 +145,7 @@ function websiteGet(request, log, callback) {
 { error: err });
 let returnErr = err;
 const bucketAuthorized = isBucketAuthorized(bucket,
- 'bucketGet', constants.publicId, null, request.iamAuthzResults, log, request);
+ 'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
 // if index object does not exist and bucket is private AWS
 // returns 403 - AccessDenied error.
 if (err.is.NoSuchKey && !bucketAuthorized) {
@@ -157,7 +157,7 @@ function websiteGet(request, log, callback) {
 callback);
 }
 if (!isObjAuthorized(bucket, objMD, 'objectGet',
- constants.publicId, null, request.iamAuthzResults, log, request)) {
+ constants.publicId, null, request.actionImplicitDenies, log, request)) {
 const err = errors.AccessDenied;
 log.trace('request not authorized', { error: err });
 return _errorActions(err, websiteConfig.getErrorDocument(),
diff --git a/tests/unit/api/bucketGet.js b/tests/unit/api/bucketGet.js
index 87b2d62c81..e43fcc7fd8 100644
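Review bot: In the `_errorActions` hunk of lib/api/websiteGet.js the stored-error-document check is `isObjAuthorized(bucket, errObjMD, 'objectGet', constants.publicId, null, request.actionImplicitDenies, log)` with no trailing `request`, while the two `websiteGet` call sites in the following hunks pass `log, request` to the same function (and `isBucketAuthorized` is also given `request`). This predates the rename, but the touched line is the natural place to fix it: if `isObjAuthorized` consults the request (it presumably does, since the other callers supply it), the public-principal check that decides whether the error document may be served runs with it undefined. Either change the line to `constants.publicId, null, request.actionImplicitDenies, log, request)) {` or add a comment stating why the error-document check deliberately omits it. `_errorActions` and `websiteGet` both start outside the hunks.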
--- a/tests/unit/api/bucketGet.js
+++ b/tests/unit/api/bucketGet.js
@@ -63,7 +63,7 @@ const baseGetRequest = {
 bucketName,
 namespace,
 headers: { host: '/' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const baseUrl = `/${bucketName}`;
diff --git a/tests/unit/api/bucketGetACL.js b/tests/unit/api/bucketGetACL.js
index f7238b7cac..703b686bfb 100644
--- a/tests/unit/api/bucketGetACL.js
+++ b/tests/unit/api/bucketGetACL.js
@@ -24,7 +24,7 @@ describe('bucketGetACL API', () => {
 namespace,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const testGetACLRequest = {
 bucketName,
@@ -32,7 +32,7 @@ describe('bucketGetACL API', () => {
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 it('should get a canned private ACL', done => {
@@ -45,7 +45,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -78,7 +78,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -122,7 +122,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -160,7 +160,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -199,7 +199,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -254,7 +254,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
@@ -345,7 +345,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
@@ -385,7 +385,7 @@ describe('bucketGetACL API', () => {
 },
 url: '/?acl',
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
diff --git a/tests/unit/api/bucketGetCors.js b/tests/unit/api/bucketGetCors.js
index 474087dc27..47f413086f 100644
--- a/tests/unit/api/bucketGetCors.js
+++ b/tests/unit/api/bucketGetCors.js
@@ -16,7 +16,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 function _makeCorsRequest(xml) {
@@ -27,7 +27,7 @@ function _makeCorsRequest(xml) {
 },
 url: '/?cors',
 query: { cors: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 if (xml) {
diff --git a/tests/unit/api/bucketGetLifecycle.js b/tests/unit/api/bucketGetLifecycle.js
index e3f0a0247b..6c1760ad34 100644
--- a/tests/unit/api/bucketGetLifecycle.js
+++ b/tests/unit/api/bucketGetLifecycle.js
@@ -17,7 +17,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 describe('getBucketLifecycle API', () => {
 before(() => cleanup());
diff --git a/tests/unit/api/bucketGetLocation.js b/tests/unit/api/bucketGetLocation.js
index 2f1eeb9089..cc0aaa4d79 100644
--- a/tests/unit/api/bucketGetLocation.js
+++ b/tests/unit/api/bucketGetLocation.js
@@ -16,7 +16,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const testGetLocationRequest = {
@@ -26,7 +26,7 @@ const testGetLocationRequest = {
 },
 url: '/?location',
 query: { location: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const locationConstraints = config.locationConstraints;
diff --git a/tests/unit/api/bucketGetNotification.js b/tests/unit/api/bucketGetNotification.js
index ce6b16b92e..b72d68b5e5 100644
--- a/tests/unit/api/bucketGetNotification.js
+++ b/tests/unit/api/bucketGetNotification.js
@@ -15,7 +15,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 function getNotificationRequest(bucketName, xml) {
@@ -24,7 +24,7 @@ function getNotificationRequest(bucketName, xml) {
 headers: {
 host: `${bucketName}.s3.amazonaws.com`,
 },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 if (xml) {
 request.post = xml;
diff --git a/tests/unit/api/bucketGetObjectLock.js b/tests/unit/api/bucketGetObjectLock.js
index 2f846dcad2..5d6820efb5 100644
--- a/tests/unit/api/bucketGetObjectLock.js
+++ b/tests/unit/api/bucketGetObjectLock.js
@@ -14,7 +14,7 @@ const bucketPutReq = {
 host: `${bucketName}.s3.amazonaws.com`,
 },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const testBucketPutReqWithObjLock = {
@@ -24,7 +24,7 @@ const testBucketPutReqWithObjLock = {
 'x-amz-bucket-object-lock-enabled': 'True',
 },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 function getObjectLockConfigRequest(bucketName, xml) {
@@ -35,7 +35,7 @@ function getObjectLockConfigRequest(bucketName, xml) {
 'x-amz-bucket-object-lock-enabled': 'true',
 },
 url: '/?object-lock',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 if (xml) {
 request.post = xml;
diff --git a/tests/unit/api/bucketGetPolicy.js b/tests/unit/api/bucketGetPolicy.js
index 85096b4aea..d5244a5a56 100644
--- a/tests/unit/api/bucketGetPolicy.js
+++ b/tests/unit/api/bucketGetPolicy.js
@@ -16,7 +16,7 @@ const testBasicRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const expectedBucketPolicy = {
@@ -35,7 +35,7 @@ const testPutPolicyRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 post: JSON.stringify(expectedBucketPolicy),
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 describe('getBucketPolicy API', () => {
 before(() => cleanup());
diff --git a/tests/unit/api/bucketGetWebsite.js b/tests/unit/api/bucketGetWebsite.js
index 432f795b42..007ba3f7d9 100644
--- a/tests/unit/api/bucketGetWebsite.js
+++ b/tests/unit/api/bucketGetWebsite.js
@@ -15,7 +15,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 function _makeWebsiteRequest(xml) {
@@ -26,7 +26,7 @@ function _makeWebsiteRequest(xml) {
 },
 url: '/?website',
 query: { website: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 if (xml) {
diff --git a/tests/unit/api/objectGet.js b/tests/unit/api/objectGet.js
index 959e50f040..b8c6e108a6 100644
--- a/tests/unit/api/objectGet.js
+++ b/tests/unit/api/objectGet.js
@@ -46,7 +46,7 @@ describe('objectGet API', () => {
 namespace,
 headers: {},
 url: `/${bucketName}`,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const userMetadataKey = 'x-amz-meta-test';
 const userMetadataValue = 'some metadata';
@@ -56,7 +56,7 @@ describe('objectGet API', () => {
 objectKey: objectName,
 headers: {},
 url: `/${bucketName}/${objectName}`,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 it('should get the object metadata', done => {
@@ -85,7 +85,7 @@ describe('objectGet API', () => {
 'x-amz-bucket-object-lock-enabled': 'true',
 },
 url: `/${bucketName}`,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const createPutDummyRetention = (date, mode) => new DummyRequest({
@@ -248,7 +248,7 @@ describe('objectGet API', () => {
 objectKey: objectName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: `/${objectName}?uploads`,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 async.waterfall([
 next => bucketPut(authInfo, testPutBucketRequest, log, next),
@@ -325,7 +325,7 @@ describe('objectGet API', () => {
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 query: { uploadId: testUploadId },
 post: completeBody,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 completeMultipartUpload(authInfo, completeRequest, log, err => {
diff --git a/tests/unit/api/objectGetACL.js b/tests/unit/api/objectGetACL.js
index 7532735f1a..ab78d136d1 100644
--- a/tests/unit/api/objectGetACL.js
+++ b/tests/unit/api/objectGetACL.js
@@ -35,7 +35,7 @@ describe('objectGetACL API', () => {
 'x-amz-acl': 'public-read-write',
 },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const testGetACLRequest = {
 bucketName,
@@ -44,7 +44,7 @@ describe('objectGetACL API', () => {
 objectKey: objectName,
 url: `/${bucketName}/${objectName}?acl`,
 query: { acl: '' },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 it('should get a canned private ACL', done => {
diff --git a/tests/unit/api/objectGetLegalHold.js b/tests/unit/api/objectGetLegalHold.js
index 9782bccbfb..a80fc8cee5 100644
--- a/tests/unit/api/objectGetLegalHold.js
+++ b/tests/unit/api/objectGetLegalHold.js
@@ -18,7 +18,7 @@ const bucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const putObjectRequest = new DummyRequest({
@@ -38,14 +38,14 @@ const putObjectLegalHoldRequest = status => ({
 objectKey: objectName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 post: objectLegalHoldXml(status),
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 });
 const getObjectLegalHoldRequest = {
 bucketName,
 objectKey: objectName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 describe('getObjectLegalHold API', () => {
 before(cleanup);
diff --git a/tests/unit/api/objectGetRetention.js b/tests/unit/api/objectGetRetention.js
index bc70036a2e..f3129291a2 100644
--- a/tests/unit/api/objectGetRetention.js
+++ b/tests/unit/api/objectGetRetention.js
@@ -21,7 +21,7 @@ const bucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const putObjectRequest = new DummyRequest({
@@ -43,14 +43,14 @@ const putObjRetRequest = {
 objectKey: objectName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 post: objectRetentionXml,
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const getObjRetRequest = {
 bucketName,
 objectKey: objectName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 describe('getObjectRetention API', () => {
 before(cleanup);
diff --git a/tests/unit/api/objectGetTagging.js b/tests/unit/api/objectGetTagging.js
index 348d137349..b099120fb2 100644
--- a/tests/unit/api/objectGetTagging.js
+++ b/tests/unit/api/objectGetTagging.js
@@ -21,7 +21,7 @@ const testBucketPutRequest = {
 bucketName,
 headers: { host: `${bucketName}.s3.amazonaws.com` },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 const testPutObjectRequest = new DummyRequest({
diff --git a/tests/unit/api/serviceGet.js b/tests/unit/api/serviceGet.js
index d1a4e14ab0..2eb3ab1eda 100644
--- a/tests/unit/api/serviceGet.js
+++ b/tests/unit/api/serviceGet.js
@@ -24,7 +24,7 @@ describe.skip('serviceGet API', () => {
 parsedHost: 's3.amazonaws.com',
 headers: { host: 's3.amazonaws.com' },
 url: '/',
- iamAuthzResults: false,
+ actionImplicitDenies: false,
 };
 it('should return the list of buckets owned by the user', done => {