scality · KazToozs · Sep 13, 2023 · Sep 13, 2023 · Sep 13, 2023 · Sep 13, 2023
diff --git a/lib/api/bucketGet.js b/lib/api/bucketGet.js
@@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) {
         listParams.marker = params.marker;
     }
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketGetACL.js b/lib/api/bucketGetACL.js
@@ -54,7 +54,7 @@ function bucketGetACL(authInfo, request, log, callback) {
         },
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketGetCors.js b/lib/api/bucketGetCors.js
@@ -34,7 +34,8 @@ function bucketGetCors(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
+            request.actionImplicitDenies, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetCors',

diff --git a/lib/api/bucketGetEncryption.js b/lib/api/bucketGetEncryption.js
@@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             // If sseInfo is present but the `mandatory` flag is not set

diff --git a/lib/api/bucketGetLifecycle.js b/lib/api/bucketGetLifecycle.js
@@ -23,7 +23,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
         requestType: 'bucketGetLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetLocation.js b/lib/api/bucketGetLocation.js
@@ -36,7 +36,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
+            request.actionImplicitDenies, log, request)) {
             log.debug('access denied for account on bucket', {
                 requestType,
                 method: 'bucketGetLocation',

diff --git a/lib/api/bucketGetNotification.js b/lib/api/bucketGetNotification.js
@@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetObjectLock.js b/lib/api/bucketGetObjectLock.js
@@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
         requestType: 'bucketGetObjectLock',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetPolicy.js b/lib/api/bucketGetPolicy.js
@@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetReplication.js b/lib/api/bucketGetReplication.js
@@ -23,7 +23,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
         requestType: 'bucketGetReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

diff --git a/lib/api/bucketGetVersioning.js b/lib/api/bucketGetVersioning.js
@@ -57,7 +57,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
         request,
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

diff --git a/lib/api/bucketGetWebsite.js b/lib/api/bucketGetWebsite.js
@@ -34,7 +34,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
 
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
+            request.actionImplicitDenies, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetWebsite',

diff --git a/lib/api/objectGet.js b/lib/api/objectGet.js
@@ -48,7 +48,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
         request,
     };
 
-    return metadataValidateBucketAndObj(mdValParams, log,
+    return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
     (err, bucket, objMD) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);

diff --git a/lib/api/objectGetACL.js b/lib/api/objectGetACL.js
@@ -71,7 +71,7 @@ function objectGetACL(authInfo, request, log, callback) {
 
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
                 (err, bucket, objectMD) => {
                     if (err) {
                         log.trace('request authorization failed',

diff --git a/lib/api/objectGetLegalHold.js b/lib/api/objectGetLegalHold.js
@@ -43,7 +43,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

diff --git a/lib/api/objectGetRetention.js b/lib/api/objectGetRetention.js
@@ -43,7 +43,7 @@ function objectGetRetention(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

diff --git a/lib/api/objectGetTagging.js b/lib/api/objectGetTagging.js
@@ -43,7 +43,7 @@ function objectGetTagging(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
           (err, bucket, objectMD) => {
               if (err) {
                   log.trace('request authorization failed',

diff --git a/lib/api/websiteGet.js b/lib/api/websiteGet.js
@@ -21,12 +21,13 @@ const { pushMetric } = require('../utapi/utilities');
  * @param {string} objectKey - object key from request (or as translated in
  * websiteGet)
  * @param {object} corsHeaders - CORS-related response headers
+ * @param {object} request - normalized request object
  * @param {object} log - Werelogs instance
  * @param {function} callback - callback to function in route
  * @return {undefined}
  */
 function _errorActions(err, errorDocument, routingRules,
-    bucket, objectKey, corsHeaders, log, callback) {
+    bucket, objectKey, corsHeaders, request, log, callback) {
     const bucketName = bucket.getName();
     const errRoutingRule = findRoutingRule(routingRules,
         objectKey, err.code);
@@ -47,7 +48,7 @@ function _errorActions(err, errorDocument, routingRules,
                 // return the default error message if the object is private
                 // rather than sending a stored error file
                 if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
-                    constants.publicId, null, log)) {
+                    constants.publicId, null, request.actionImplicitDenies, log)) {
                     log.trace('errorObj not authorized', { error: err });
                     return callback(err, true, null, corsHeaders);
                 }
@@ -144,24 +145,24 @@ function websiteGet(request, log, callback) {
                     { error: err });
                     let returnErr = err;
                     const bucketAuthorized = isBucketAuthorized(bucket,
-                      'bucketGet', constants.publicId, null, log, request);
+                      'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
                     // if index object does not exist and bucket is private AWS
                     // returns 403 - AccessDenied error.
                     if (err.is.NoSuchKey && !bucketAuthorized) {
                         returnErr = errors.AccessDenied;
                     }
                     return _errorActions(returnErr,
                       websiteConfig.getErrorDocument(), routingRules,
-                      bucket, reqObjectKey, corsHeaders, log,
+                      bucket, reqObjectKey, corsHeaders, request, log,
                       callback);
                 }
                 if (!isObjAuthorized(bucket, objMD, 'objectGet',
-                    constants.publicId, null, log, request)) {
+                    constants.publicId, null, request.actionImplicitDenies, log, request)) {
                     const err = errors.AccessDenied;
                     log.trace('request not authorized', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket,
-                        reqObjectKey, corsHeaders, log, callback);
+                        reqObjectKey, corsHeaders, request, log, callback);
                 }
 
                 const headerValResult = validateHeaders(request.headers,
@@ -171,7 +172,7 @@ function websiteGet(request, log, callback) {
                     log.trace('header validation error', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket, reqObjectKey,
-                        corsHeaders, log, callback);
+                        corsHeaders, request, log, callback);
                 }
                 // check if object to serve has website redirect header
                 // Note: AWS prioritizes website configuration rules over

diff --git a/tests/functional/aws-node-sdk/test/bucket/get.js b/tests/functional/aws-node-sdk/test/bucket/get.js
@@ -286,8 +286,7 @@ const tests = [
     },
 ];
 
-// TODO CLDSRV-928 remove skip
-describe.skip('GET Bucket - AWS.S3.listObjects', () => {
+describe('GET Bucket - AWS.S3.listObjects', () => {
     describe('When user is unauthorized', () => {
         let bucketUtil;
         let bucketName;

diff --git a/tests/unit/api/bucketGet.js b/tests/unit/api/bucketGet.js
@@ -63,6 +63,7 @@ const baseGetRequest = {
     bucketName,
     namespace,
     headers: { host: '/' },
+    actionImplicitDenies: false,
 };
 const baseUrl = `/${bucketName}`;
 
@@ -173,8 +174,7 @@ const tests = [
         },
     },
 ];
-// TODO CLDSRV-429 remove skip
-describe.skip('bucketGet API', () => {
+describe('bucketGet API', () => {
     beforeEach(() => {
         cleanup();
     });
@@ -290,8 +290,7 @@ const testsForV2 = [...tests,
     },
 ];
 
-// TODO CLDSRV-429 remove skip
-describe.skip('bucketGet API V2', () => {
+describe('bucketGet API V2', () => {
     beforeEach(() => {
         cleanup();
     });

diff --git a/tests/unit/api/bucketGetACL.js b/tests/unit/api/bucketGetACL.js
@@ -14,8 +14,7 @@ const authInfo = makeAuthInfo(accessKey);
 const canonicalID = authInfo.getCanonicalID();
 const namespace = 'default';
 const bucketName = 'bucketname';
-// TODO CLDSRV-429 remove skip
-describe.skip('bucketGetACL API', () => {
+describe('bucketGetACL API', () => {
     beforeEach(() => {
         cleanup();
     });
@@ -25,13 +24,15 @@ describe.skip('bucketGetACL API', () => {
         namespace,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/',
+        actionImplicitDenies: false,
     };
     const testGetACLRequest = {
         bucketName,
         namespace,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/?acl',
         query: { acl: '' },
+        actionImplicitDenies: false,
     };
 
     it('should get a canned private ACL', done => {
@@ -44,6 +45,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([
@@ -76,6 +78,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([
@@ -119,6 +122,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([
@@ -156,6 +160,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([
@@ -194,6 +199,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([
@@ -248,6 +254,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
         const canonicalIDforSample1 =
             '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
@@ -338,6 +345,7 @@ describe.skip('bucketGetACL API', () => {
                 },
                 url: '/?acl',
                 query: { acl: '' },
+                actionImplicitDenies: false,
             };
 
             async.waterfall([
@@ -377,6 +385,7 @@ describe.skip('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            actionImplicitDenies: false,
         };
 
         async.waterfall([

diff --git a/tests/unit/api/bucketGetCors.js b/tests/unit/api/bucketGetCors.js
@@ -16,6 +16,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    actionImplicitDenies: false,
 };
 
 function _makeCorsRequest(xml) {
@@ -26,6 +27,7 @@ function _makeCorsRequest(xml) {
         },
         url: '/?cors',
         query: { cors: '' },
+        actionImplicitDenies: false,
     };
 
     if (xml) {
@@ -55,8 +57,7 @@ function _comparePutGetXml(sampleXml, done) {
         });
     });
 }
-// TODO CLDSRV-429 remove skip
-describe.skip('getBucketCors API', () => {
+describe('getBucketCors API', () => {
     beforeEach(done => {
         cleanup();
         bucketPut(authInfo, testBucketPutRequest, log, done);

diff --git a/tests/unit/api/bucketGetLifecycle.js b/tests/unit/api/bucketGetLifecycle.js
@@ -17,9 +17,9 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    actionImplicitDenies: false,
 };
-// TODO CLDSRV-429 remove skip
-describe.skip('getBucketLifecycle API', () => {
+describe('getBucketLifecycle API', () => {
     before(() => cleanup());
     beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done));
     afterEach(() => cleanup());