Merge branch 'w/8.4/bugfix/CLDSRV-291-testObjectHeadWithBucketPolicy'…

… into tmp/octopus/w/8.5/bugfix/CLDSRV-291-testObjectHeadWithBucketPolicy
scality · Nov 3, 2022 · 1d19001 · 1d19001
2 parents aeb8de5 + 79e7dc3
commit 1d19001
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/package.json b/package.json
@@ -20,7 +20,7 @@
   "homepage": "https://github.com/scality/S3#readme",
   "dependencies": {
     "@hapi/joi": "^17.1.0",
-    "arsenal": "git+https://github.com/scality/Arsenal#8.1.69",
+    "arsenal": "git+https://github.com/scality/Arsenal#8.1.70",
     "async": "~2.5.0",
     "aws-sdk": "2.905.0",
     "azure-storage": "^2.1.0",

diff --git a/tests/unit/api/bucketPolicyAuth.js b/tests/unit/api/bucketPolicyAuth.js
@@ -377,6 +377,26 @@ describe('bucket policy authorization', () => {
             });
         });
 
+        it('should allow access to non-object owner for objectHead action with s3:GetObject permission',
+        function itFn(done) {
+            const newPolicy = this.test.basePolicy;
+            newPolicy.Statement[0].Action = ['s3:GetObject'];
+            bucket.setBucketPolicy(newPolicy);
+            const allowed = isObjAuthorized(bucket, object, 'objectHead',
+                                            altAcctCanonicalId, altAcctAuthInfo, log);
+            assert.equal(allowed, true);
+            done();
+        });
+        it('should deny access to non-object owner for objectHead action without s3:GetObject permission',
+        function itFn(done) {
+            const newPolicy = this.test.basePolicy;
+            newPolicy.Statement[0].Action = ['s3:PutObject'];
+            bucket.setBucketPolicy(newPolicy);
+            const allowed = isObjAuthorized(bucket, object, 'objectHead',
+                                            altAcctCanonicalId, altAcctAuthInfo, log);
+            assert.equal(allowed, false);
+            done();
+        });
         it('should deny access to non-object owner if two statements apply ' +
         'to principal but one denies access', function itFn(done) {
             const newPolicy = this.test.basePolicy;

diff --git a/yarn.lock b/yarn.lock
@@ -534,9 +534,9 @@ arraybuffer.slice@~0.0.7:
   optionalDependencies:
     ioctl "^2.0.2"
 
-"arsenal@git+https://github.com/scality/Arsenal#8.1.69":
-  version "8.1.69"
-  resolved "git+https://github.com/scality/Arsenal#8307a1513edcc38b529271d5ae0fc7b06996f5ae"
+"arsenal@git+https://github.com/scality/Arsenal#8.1.70":
+  version "8.1.70"
+  resolved "git+https://github.com/scality/Arsenal#c343820cae2c7a533fb73046b2ad4c13cb77fc8b"
   dependencies:
     "@types/async" "^3.2.12"
     "@types/utf8" "^3.0.1"