From b01f836b344e95797c3c60f0faba4448eb1e4b09 Mon Sep 17 00:00:00 2001
From: Alexander Chan
Date: Mon, 28 Nov 2022 17:00:36 -0800
Subject: [PATCH] Revert "bugfix: CLDSRV-282 fix regression from CLDSRV-280"
This reverts commit 0a432f2724ce6d4e4fb068d717a7e35d2ea65791.
---
 lib/api/bucketPut.js | 65 ++++++++++++++-----------------------
 tests/unit/api/bucketPut.js | 22 -------------
 tests/unit/policies.js | 39 ----------------------
 3 files changed, 25 insertions(+), 101 deletions(-)
 delete mode 100644 tests/unit/policies.js
diff --git a/lib/api/bucketPut.js b/lib/api/bucketPut.js
index cfc3022d39..78db2a80f4 100644
--- a/lib/api/bucketPut.js
+++ b/lib/api/bucketPut.js
@@ -124,12 +124,7 @@ function _handleAuthResults(locationConstraint, log, cb) {
 if (err) {
 return cb(err);
 }
- if (!authorizationResults.every(res => {
- if (Array.isArray(res)) {
- return res.every(subRes => subRes.isAllowed);
- }
- return res.isAllowed;
- })) {
+ if (!authorizationResults.every(res => res.isAllowed)) {
 log.trace(
 'authorization check failed for user',
 { locationConstraint },
@@ -145,36 +140,6 @@ function _isObjectLockEnabled(headers) {
 return header !== undefined && header.toLowerCase() === 'true';
 }
-function authBucketPut(authParams, bucketName, locationConstraint, request, authInfo) {
- const ip = requestUtils.getClientIp(request, config);
- const baseParams = {
- authParams,
- ip,
- bucketName,
- request,
- authInfo,
- locationConstraint,
- };
- const requestConstantParams = [Object.assign(
- baseParams,
- { apiMethod: 'bucketPut' },
- )];
-
- if (_isObjectLockEnabled(request.headers)) {
- requestConstantParams.push(Object.assign(
- {},
- baseParams,
- { apiMethod: 'bucketPutObjectLock' },
- ));
- requestConstantParams.push(Object.assign(
- {},
- baseParams,
- { apiMethod: 'bucketPutVersioning' },
- ));
- }
- return requestConstantParams;
-}
-
 /**
 * PUT Service - Create bucket for the user
 * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
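Review bot: In `_handleAuthResults` the restored check `authorizationResults.every(res => res.isAllowed)` treats any entry that is itself an array as not allowed, because an array has no `isAllowed` property. That fails closed, but if the policy backend can still return nested results for requests that carry several actions (the removed branch and the removed 'array of arrays' tests suggest it did), those bucket creations would all be rejected, and a `null` or `undefined` entry would throw rather than deny. I would at least document the expected shape above the check, e.g. `// authorizationResults must be a flat array of { isAllowed } objects; a nested array is treated as denied`. The callback body starts and ends outside the hunk.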
@@ -211,9 +176,30 @@ function bucketPut(authInfo, request, log, callback) {
 }
 const authParams = auth.server.extractParams(request, log, 's3', request.query);
- const requestConstantParams = authBucketPut(
- authParams, bucketName, locationConstraint, request, authInfo
- );
+ const ip = requestUtils.getClientIp(request, config);
+ const baseParams = {
+ authParams,
+ ip,
+ bucketName,
+ request,
+ authInfo,
+ locationConstraint,
+ };
+ const requestConstantParams = [Object.assign(
+ baseParams,
+ { apiMethod: 'bucketPut' },
+ )];
+
+ if (!_isObjectLockEnabled(request.headers)) {
+ requestConstantParams.push(Object.assign(
+ baseParams,
+ { apiMethod: 'bucketPutObjectLock' },
+ ));
+ requestConstantParams.push(Object.assign(
+ baseParams,
+ { apiMethod: 'bucketPutVersioning' },
+ ));
+ }
 return vault.checkPolicies(
 requestConstantParams.map(_buildConstantParams),
@@ -244,5 +230,4 @@ module.exports = {
 checkLocationConstraint,
 bucketPut,
 _handleAuthResults,
- authBucketPut,
 };
diff --git a/tests/unit/api/bucketPut.js b/tests/unit/api/bucketPut.js
index 0bee6955ca..6079c8bfff 100644
--- a/tests/unit/api/bucketPut.js
+++ b/tests/unit/api/bucketPut.js
@@ -410,28 +410,6 @@ describe('bucketPut API', () => {
 ],
 calledWith: [null, constraint],
 },
- {
- description: 'array of arrays allowed auth',
- error: undefined,
- results: [
- { isAllowed: true },
- { isAllowed: true },
- [{ isAllowed: true }, { isAllowed: true }],
- { isAllowed: true },
- ],
- calledWith: [null, constraint],
- },
- {
- description: 'array of arrays not allowed auth',
- error: undefined,
- results: [
- { isAllowed: true },
- { isAllowed: true },
- [{ isAllowed: true }, { isAllowed: false }],
- { isAllowed: true },
- ],
- calledWith: [errors.AccessDenied],
- },
 {
 description: 'single not allowed auth',
 error: undefined,
diff --git a/tests/unit/policies.js b/tests/unit/policies.js
deleted file mode 100644
index 19bbb737bd..0000000000
--- a/tests/unit/policies.js
+++ /dev/null
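Review bot: The object-lock guard restored in `bucketPut` (lib/api/bucketPut.js) is inverted, `if (!_isObjectLockEnabled(request.headers))`, so the extra `bucketPutObjectLock` and `bucketPutVersioning` policy checks are requested only when the object-lock header is absent and are skipped for the requests that actually enable object lock. In addition, every `Object.assign(baseParams, …)` call mutates and returns the same `baseParams` object, so all entries of `requestConstantParams` are one reference carrying the last `apiMethod` written; in the no-header case `bucketPut` itself is then never evaluated. If the revert has to land, I would keep these lines correct: `if (_isObjectLockEnabled(request.headers)) {` and `Object.assign({}, baseParams, { apiMethod: 'bucketPutObjectLock' })`, likewise for `bucketPutVersioning`. The unit tests that pinned the expected method list are deleted by this same commit (tests/unit/policies.js), so nothing visible here would catch either problem; the body of `bucketPut` continues outside the hunk.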
@@ -1,39 +0,0 @@
-const assert = require('assert');
-const DummyRequest = require('./DummyRequest');
-const { authBucketPut } = require('../../lib/api/bucketPut');
-
-function prepareDummyRequest(headers = {}) {
- const request = new DummyRequest({
- hostname: 'localhost',
- port: 80,
- headers,
- socket: {
- remoteAddress: '0.0.0.0',
- },
- });
- return request;
-}
-
-describe('Policies: permission checks for S3 APIs', () => {
- describe('PutBucket', () => {
- function putBucketApiMethods(headers) {
- const request = prepareDummyRequest(headers);
- const result = authBucketPut(null, 'name', null, request, null);
- return result.map(req => req.apiMethod);
- }
-
- it('should return s3:PutBucket without any provided header', () => {
- assert.deepStrictEqual(
- putBucketApiMethods(),
- ['bucketPut'],
- );
- });
-
- it('should return s3:PutBucket and s3:PutBucketObjectLockConfiguration with ACL headers', () => {
- assert.deepStrictEqual(
- putBucketApiMethods({ 'x-amz-bucket-object-lock-enabled': 'true' }),
- ['bucketPut', 'bucketPutObjectLock', 'bucketPutVersioning'],
- );
- });
- });
-});