From 9bf18d806a6235eadae681604497ace1a6463652 Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Wed, 13 Sep 2023 16:50:53 +0200 Subject: [PATCH 1/4] CLDSRV-430: add delete API implicit deny logic --- lib/api/apiUtils/bucket/bucketDeletion.js | 10 ++++++---- lib/api/bucketDelete.js | 4 ++-- lib/api/bucketDeleteCors.js | 3 ++- lib/api/bucketDeleteEncryption.js | 2 +- lib/api/bucketDeleteLifecycle.js | 2 +- lib/api/bucketDeletePolicy.js | 2 +- lib/api/bucketDeleteReplication.js | 2 +- lib/api/bucketDeleteWebsite.js | 3 ++- lib/api/objectDelete.js | 4 ++-- lib/api/objectDeleteTagging.js | 2 +- tests/unit/api/bucketDelete.js | 2 ++ tests/unit/api/bucketDeleteCors.js | 1 + tests/unit/api/bucketDeleteEncryption.js | 1 + tests/unit/api/bucketDeleteLifecycle.js | 1 + tests/unit/api/bucketDeletePolicy.js | 1 + tests/unit/api/bucketDeleteWebsite.js | 2 ++ tests/unit/api/objectDeleteTagging.js | 1 + 17 files changed, 28 insertions(+), 15 deletions(-) diff --git a/lib/api/apiUtils/bucket/bucketDeletion.js b/lib/api/apiUtils/bucket/bucketDeletion.js index 9c5fe60fe5..5b8225c136 100644 --- a/lib/api/apiUtils/bucket/bucketDeletion.js +++ b/lib/api/apiUtils/bucket/bucketDeletion.js @@ -24,7 +24,7 @@ function _deleteMPUbucket(destinationBucketName, log, cb) { }); } -function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) { +function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, request, log, cb) { async.mapLimit(mpus, 1, (mpu, next) => { const splitterChar = mpu.key.includes(oldSplitter) ? oldSplitter : splitter; @@ -40,7 +40,7 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) { byteLength: partSizeSum, }); next(err); - }); + }, request); }, cb); } /** 
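Review bot: In `_deleteOngoingMPUs`, `request` is handed over as a trailing argument after the completion callback (`}, request);`), and the head of that call lies outside the hunk, so it cannot be confirmed here that the callee declares a parameter in that position. JavaScript drops surplus arguments silently, so a mismatch would mean the authorization context never reaches the per-upload call and nothing would fail. Please confirm the callee's signature and give this helper its own doc comment, e.g. `@param {object} request - request object given by router, forwarded to the per-upload call`; the `/**` block that follows in the file belongs to `deleteBucket`, not to this function.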
@@ -49,11 +49,13 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) { * @param {object} bucketMD - bucket attributes/metadata * @param {string} bucketName - bucket in which objectMetadata is stored * @param {string} canonicalID - account canonicalID of requester + * @param {object} request - request object given by router + * including normalized headers * @param {object} log - Werelogs logger * @param {function} cb - callback from async.waterfall in bucketDelete * @return {undefined} */ -function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) { +function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, request, log, cb) { log.trace('deleting bucket from metadata'); assert.strictEqual(typeof bucketName, 'string'); assert.strictEqual(typeof canonicalID, 'string'); @@ -100,7 +102,7 @@ function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) { } if (objectsListRes.Contents.length) { return _deleteOngoingMPUs(authInfo, bucketName, - bucketMD, objectsListRes.Contents, log, err => { + bucketMD, objectsListRes.Contents, request, log, err => { if (err) { return next(err); } diff --git a/lib/api/bucketDelete.js b/lib/api/bucketDelete.js index 56553d827b..737bdf58af 100644 --- a/lib/api/bucketDelete.js +++ b/lib/api/bucketDelete.js @@ -31,7 +31,7 @@ function bucketDelete(authInfo, request, log, cb) { request, }; - return metadataValidateBucket(metadataValParams, log, + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucketMD) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucketMD); @@ -43,7 +43,7 @@ function bucketDelete(authInfo, request, log, cb) { log.trace('passed checks', { method: 'metadataValidateBucket' }); return deleteBucket(authInfo, bucketMD, bucketName, - authInfo.getCanonicalID(), log, err => { + authInfo.getCanonicalID(), request, log, err => { if (err) { return cb(err, corsHeaders); } 
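Review bot: `deleteBucket` gains `request` as a new positional parameter ahead of `log` and `cb`, but the type guards at the top of the body still cover only `bucketName` and `canonicalID`. A caller left on the old six-argument form would bind its logger to `request` and its callback to `log`; only `lib/api/bucketDelete.js` is updated in this patch, and other callers, if any, are not visible here. A matching guard such as `assert.strictEqual(typeof cb, 'function');` next to the existing asserts would make that mistake fail at the entry point with a clear message. The body of `deleteBucket` continues outside the hunk.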
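Review bot: In `bucketDelete`, `request.iamAuthzResults` is read straight off the request and passed to `metadataValidateBucket` with no check that the router populated it, so an unset property arrives as `undefined`. How the validator treats `undefined` is not visible in this patch; for an authorization input, a missing value should never be read as an allow from IAM. Either normalise the value at the call site or state the contract where it is consumed, e.g. `// request.iamAuthzResults is set by the router; a missing value must not be treated as an IAM allow`. The same pattern recurs in the `isBucketAuthorized` calls in bucketDeleteCors.js and bucketDeleteWebsite.js, the `metadataValidateBucket` calls in bucketDeleteEncryption.js, bucketDeleteLifecycle.js, bucketDeletePolicy.js and bucketDeleteReplication.js, and the `metadataValidateBucketAndObj` calls in objectDelete.js and objectDeleteTagging.js.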
diff --git a/lib/api/bucketDeleteCors.js b/lib/api/bucketDeleteCors.js index 9518229a24..7fcfe65ca4 100644 --- a/lib/api/bucketDeleteCors.js +++ b/lib/api/bucketDeleteCors.js @@ -33,7 +33,8 @@ function bucketDeleteCors(authInfo, request, log, callback) { } log.trace('found bucket in metadata'); - if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketDeleteCors', diff --git a/lib/api/bucketDeleteEncryption.js b/lib/api/bucketDeleteEncryption.js index 793516fc53..b3c1f22e0c 100644 --- a/lib/api/bucketDeleteEncryption.js +++ b/lib/api/bucketDeleteEncryption.js @@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucket(metadataValParams, log, next), + next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => { const sseConfig = bucket.getServerSideEncryption(); diff --git a/lib/api/bucketDeleteLifecycle.js b/lib/api/bucketDeleteLifecycle.js index 0d6bd4037c..c8da533a0f 100644 --- a/lib/api/bucketDeleteLifecycle.js +++ b/lib/api/bucketDeleteLifecycle.js @@ -20,7 +20,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) { requestType: 'bucketDeleteLifecycle', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketDeletePolicy.js b/lib/api/bucketDeletePolicy.js index d5a85d0bbd..11940916d1 100644 --- a/lib/api/bucketDeletePolicy.js 
+++ b/lib/api/bucketDeletePolicy.js @@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) { requestType: 'bucketDeletePolicy', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketDeleteReplication.js b/lib/api/bucketDeleteReplication.js index 4a93a9bcb9..6ac3a6b34d 100644 --- a/lib/api/bucketDeleteReplication.js +++ b/lib/api/bucketDeleteReplication.js @@ -20,7 +20,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) { requestType: 'bucketDeleteReplication', request, }; - return metadataValidateBucket(metadataValParams, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketDeleteWebsite.js b/lib/api/bucketDeleteWebsite.js index 587517a730..ccd25e1ddd 100644 --- a/lib/api/bucketDeleteWebsite.js +++ b/lib/api/bucketDeleteWebsite.js @@ -25,7 +25,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) { } log.trace('found bucket in metadata'); - if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketDeleteWebsite', diff --git a/lib/api/objectDelete.js b/lib/api/objectDelete.js index 34e09dfe0d..ceae7b31b5 100644 --- a/lib/api/objectDelete.js +++ b/lib/api/objectDelete.js 
@@ -56,8 +56,8 @@ function objectDelete(authInfo, request, log, cb) { const canonicalID = authInfo.getCanonicalID(); return async.waterfall([ function validateBucketAndObj(next) { - return metadataValidateBucketAndObj(valParams, log, - (err, bucketMD, objMD) => { + return metadataValidateBucketAndObj(valParams, request.iamAuthzResults, log, + (err, bucketMD, objMD) => { if (err) { return next(err, bucketMD); } diff --git a/lib/api/objectDeleteTagging.js b/lib/api/objectDeleteTagging.js index c5618a840b..f2033b9ead 100644 --- a/lib/api/objectDeleteTagging.js +++ b/lib/api/objectDeleteTagging.js @@ -46,7 +46,7 @@ function objectDeleteTagging(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucketAndObj(metadataValParams, log, + next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', diff --git a/tests/unit/api/bucketDelete.js b/tests/unit/api/bucketDelete.js index 5bda7d2e63..f336b692f9 100644 --- a/tests/unit/api/bucketDelete.js +++ b/tests/unit/api/bucketDelete.js @@ -88,6 +88,7 @@ describe.skip('bucketDelete API', () => { namespace, headers: {}, url: `/${bucketName}`, + iamAuthzResults: false, }; const initiateRequest = { @@ -96,6 +97,7 @@ describe.skip('bucketDelete API', () => { objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: `/${objectName}?uploads`, + iamAuthzResults: false, }; it('should return an error if the bucket is not empty', done => { diff --git a/tests/unit/api/bucketDeleteCors.js b/tests/unit/api/bucketDeleteCors.js index 8fea77d29e..1ce520e204 100644 --- a/tests/unit/api/bucketDeleteCors.js +++ b/tests/unit/api/bucketDeleteCors.js @@ -19,6 +19,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; const testBucketPutCorsRequest = corsUtil.createBucketCorsRequest('PUT', bucketName); 
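Review bot: Every fixture touched in this patch sets `iamAuthzResults: false`, starting with `testRequest` and `initiateRequest` in tests/unit/api/bucketDelete.js, so no unit test drives the handlers with a value that represents an implicit deny. The hunk header also shows the suite still under `describe.skip` at this commit, so the new argument is not exercised at all by this patch on its own. A case per handler that puts the deny value on the request and asserts the access-denied error would pin the behaviour this series is adding. The same applies to the fixtures in the bucketDeleteCors.js, bucketDeleteEncryption.js and bucketDeleteLifecycle.js test files.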
diff --git a/tests/unit/api/bucketDeleteEncryption.js b/tests/unit/api/bucketDeleteEncryption.js index da443334d5..61b27fb956 100644 --- a/tests/unit/api/bucketDeleteEncryption.js +++ b/tests/unit/api/bucketDeleteEncryption.js @@ -13,6 +13,7 @@ const bucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; // TODO CLDSRV-430 remove skip describe.skip('bucketDeleteEncryption API', () => { diff --git a/tests/unit/api/bucketDeleteLifecycle.js b/tests/unit/api/bucketDeleteLifecycle.js index 7a65cf2148..ed93eb1ffc 100644 --- a/tests/unit/api/bucketDeleteLifecycle.js +++ b/tests/unit/api/bucketDeleteLifecycle.js @@ -19,6 +19,7 @@ function _makeRequest(includeXml) { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', + iamAuthzResults: false, }; if (includeXml) { request.post = ' Date: Wed, 13 Sep 2023 16:55:28 +0200 Subject: [PATCH 2/4] CLDSRV-430: update delete API tests for impDeny logic --- tests/unit/api/bucketDelete.js | 3 +-- tests/unit/api/bucketDeleteCors.js | 3 +-- tests/unit/api/bucketDeleteEncryption.js | 3 +-- tests/unit/api/bucketDeleteLifecycle.js | 3 +-- tests/unit/api/bucketDeletePolicy.js | 3 +-- tests/unit/api/bucketDeleteWebsite.js | 3 +-- tests/unit/api/objectDelete.js | 3 +-- tests/unit/api/objectDeleteTagging.js | 3 +-- 8 files changed, 8 insertions(+), 16 deletions(-) diff --git a/tests/unit/api/bucketDelete.js b/tests/unit/api/bucketDelete.js index f336b692f9..f57ed416c5 100644 --- a/tests/unit/api/bucketDelete.js +++ b/tests/unit/api/bucketDelete.js @@ -77,8 +77,7 @@ function createMPU(testRequest, initiateRequest, deleteOverviewMPUObj, cb) { }); }); } -// TODO CLDSRV-430 remove skip -describe.skip('bucketDelete API', () => { +describe('bucketDelete API', () => { beforeEach(() => { cleanup(); }); diff --git a/tests/unit/api/bucketDeleteCors.js b/tests/unit/api/bucketDeleteCors.js index 1ce520e204..7ce803453a 100644 --- a/tests/unit/api/bucketDeleteCors.js 
+++ b/tests/unit/api/bucketDeleteCors.js @@ -25,8 +25,7 @@ const testBucketPutCorsRequest = corsUtil.createBucketCorsRequest('PUT', bucketName); const testBucketDeleteCorsRequest = corsUtil.createBucketCorsRequest('DELETE', bucketName); -// TODO CLDSRV-430 remove skip -describe.skip('deleteBucketCors API', () => { +describe('deleteBucketCors API', () => { beforeEach(done => { cleanup(); bucketPut(authInfo, testBucketPutRequest, log, () => { diff --git a/tests/unit/api/bucketDeleteEncryption.js b/tests/unit/api/bucketDeleteEncryption.js index 61b27fb956..96a7478234 100644 --- a/tests/unit/api/bucketDeleteEncryption.js +++ b/tests/unit/api/bucketDeleteEncryption.js @@ -15,8 +15,7 @@ const bucketPutRequest = { url: '/', iamAuthzResults: false, }; -// TODO CLDSRV-430 remove skip -describe.skip('bucketDeleteEncryption API', () => { +describe('bucketDeleteEncryption API', () => { before(() => cleanup()); beforeEach(done => bucketPut(authInfo, bucketPutRequest, log, done)); diff --git a/tests/unit/api/bucketDeleteLifecycle.js b/tests/unit/api/bucketDeleteLifecycle.js index ed93eb1ffc..d986241256 100644 --- a/tests/unit/api/bucketDeleteLifecycle.js +++ b/tests/unit/api/bucketDeleteLifecycle.js @@ -31,8 +31,7 @@ function _makeRequest(includeXml) { } return request; } -// TODO CLDSRV-430 remove skip -describe.skip('deleteBucketLifecycle API', () => { +describe('deleteBucketLifecycle API', () => { before(() => cleanup()); beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done)); afterEach(() => cleanup()); diff --git a/tests/unit/api/bucketDeletePolicy.js b/tests/unit/api/bucketDeletePolicy.js index bb0687cb34..777330d7c0 100644 --- a/tests/unit/api/bucketDeletePolicy.js +++ b/tests/unit/api/bucketDeletePolicy.js 
@@ -37,8 +37,7 @@ function _makeRequest(includePolicy) { } return request; } -// TODO CLDSRV-430 remove skip -describe.skip('deleteBucketPolicy API', () => { +describe('deleteBucketPolicy API', () => { before(() => cleanup()); beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done)); afterEach(() => cleanup()); diff --git a/tests/unit/api/bucketDeleteWebsite.js b/tests/unit/api/bucketDeleteWebsite.js index d9ebf7cd8d..c7b03ab764 100644 --- a/tests/unit/api/bucketDeleteWebsite.js +++ b/tests/unit/api/bucketDeleteWebsite.js @@ -33,8 +33,7 @@ const testBucketDeleteWebsiteRequest = { }; const testBucketPutWebsiteRequest = Object.assign({ post: config.getXml() }, testBucketDeleteWebsiteRequest); -// TODO CLDSRV-430 remove skip -describe.skip('deleteBucketWebsite API', () => { +describe('deleteBucketWebsite API', () => { beforeEach(done => { cleanup(); bucketPut(authInfo, testBucketPutRequest, log, () => { diff --git a/tests/unit/api/objectDelete.js b/tests/unit/api/objectDelete.js index da1b414bef..4010717502 100644 --- a/tests/unit/api/objectDelete.js +++ b/tests/unit/api/objectDelete.js @@ -39,8 +39,7 @@ function testAuth(bucketOwner, authUser, bucketPutReq, objPutReq, objDelReq, }); }); } -// TODO CLDSRV-430 remove skip -describe.skip('objectDelete API', () => { +describe('objectDelete API', () => { let testPutObjectRequest; before(() => { diff --git a/tests/unit/api/objectDeleteTagging.js b/tests/unit/api/objectDeleteTagging.js index 6a0097aea1..d88cf20df0 100644 --- a/tests/unit/api/objectDeleteTagging.js +++ b/tests/unit/api/objectDeleteTagging.js @@ -32,8 +32,7 @@ const testPutObjectRequest = new DummyRequest({ headers: {}, url: `/${bucketName}/${objectName}`, }, postBody); -// TODO CLDSRV-430 remove skip -describe.skip('deleteObjectTagging API', () => { +describe('deleteObjectTagging API', () => { beforeEach(done => { cleanup(); bucketPut(authInfo, testBucketPutRequest, log, err => { 
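Review bot: Re-enabling `describe('objectDelete API', ...)` runs a suite whose fixtures were apparently never given the `iamAuthzResults` field: tests/unit/api/objectDelete.js does not appear in the diffstat of the patch that adds that field to the other delete suites. Unless the request helper used by this file supplies a default (not visible here), `objectDelete` is therefore tested only with the property `undefined`, while the fixtures changed in that patch use `false`. Set the field explicitly in these fixtures, or add a comment saying the undefined case is covered on purpose, e.g. `// request carries no implicit-deny result on purpose`. The `describe` body continues outside the hunk.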
From 6f7b2d663854afc74ec1b995cd60da6c1ab4f799 Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Wed, 13 Sep 2023 17:27:15 +0200 Subject: [PATCH 3/4] fixup: skips --- lib/api/multiObjectDelete.js | 3 ++- tests/unit/api/bucketDelete.js | 9 ++++++--- tests/unit/api/objectDelete.js | 9 ++++++--- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/lib/api/multiObjectDelete.js b/lib/api/multiObjectDelete.js index 85a794754e..e79c24a3f2 100644 --- a/lib/api/multiObjectDelete.js +++ b/lib/api/multiObjectDelete.js @@ -504,7 +504,8 @@ function multiObjectDelete(authInfo, request, log, callback) { return next(null, quietSetting, errorResults, inPlay, bucketMD); } - if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request)) { + if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, + request.iamAuthzResults, log, request)) { log.trace("access denied due to bucket acl's"); // if access denied at the bucket level, no access for // any of the objects so all results will be error results diff --git a/tests/unit/api/bucketDelete.js b/tests/unit/api/bucketDelete.js index f57ed416c5..6d03bae64e 100644 --- a/tests/unit/api/bucketDelete.js +++ b/tests/unit/api/bucketDelete.js @@ -129,7 +129,8 @@ describe('bucketDelete API', () => { }); }); - it('should not return an error if the bucket has an initiated mpu', + // TODO CLDSRV-431 remove skip + it.skip('should not return an error if the bucket has an initiated mpu', done => { bucketPut(authInfo, testRequest, log, err => { assert.strictEqual(err, null); 
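Review bot: The deny branch under the updated `isBucketAuthorized(...)` call in `multiObjectDelete` still logs `access denied due to bucket acl's`, which no longer describes every way the check can fail now that `request.iamAuthzResults` feeds into it. Anyone triaging denied batch deletes from logs would be pointed at ACLs when the cause may be the IAM result; a wording such as `log.trace('access denied at bucket level', { requestType: 'objectDelete' });` avoids that. This production change to an authorization check also ships in a commit titled "fixup: skips", which makes it easy to miss in history. `multiObjectDelete` starts and ends outside the hunk.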
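Review bot: The `it.skip` added here in tests/unit/api/bucketDelete.js, together with the two in the following hunk of the same file, disables every case that deletes a bucket holding in-progress multipart uploads, which is the path through `_deleteOngoingMPUs` that this series changed to carry `request`. With those cases off, nothing in the unit suite checks that the forwarded request is accepted by the MPU cleanup call. The three `it.skip` additions in tests/unit/api/objectDelete.js likewise remove the basic delete-an-object coverage. The bucketDelete TODOs give only the ticket; adding the reason in the form already used in objectDelete.js, e.g. `// TODO CLDSRV-431 remove skip - skipped due to MPU call`, would make it clear what has to land before each skip can go.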
@@ -159,11 +160,13 @@ describe('bucketDelete API', () => { }); }); - it('should delete a bucket even if the bucket has ongoing mpu', + // TODO CLDSRV-431 remove skip + it.skip('should delete a bucket even if the bucket has ongoing mpu', done => createMPU(testRequest, initiateRequest, false, done)); + // TODO CLDSRV-431 remove skip // if only part object (and no overview objects) is in mpu shadow bucket - it('should delete a bucket even if the bucket has an orphan part', + it.skip('should delete a bucket even if the bucket has an orphan part', done => createMPU(testRequest, initiateRequest, true, done)); diff --git a/tests/unit/api/objectDelete.js b/tests/unit/api/objectDelete.js index 4010717502..fa5514ebf7 100644 --- a/tests/unit/api/objectDelete.js +++ b/tests/unit/api/objectDelete.js @@ -84,7 +84,8 @@ describe('objectDelete API', () => { url: `/${bucketName}/${objectKey}`, }); - it('should delete an object', done => { + // TODO CLDSRV-429 remove skip - skipped due to get at the end + it.skip('should delete an object', done => { bucketPut(authInfo, testBucketPutRequest, log, () => { objectPut(authInfo, testPutObjectRequest, undefined, log, () => { @@ -101,7 +102,8 @@ describe('objectDelete API', () => { }); }); - it('should delete a 0 bytes object', done => { + // TODO CLDSRV-429 remove skip - skipped due to get at the end + it.skip('should delete a 0 bytes object', done => { const testPutObjectRequest = new DummyRequest({ bucketName, namespace, @@ -127,7 +129,8 @@ describe('objectDelete API', () => { }); }); - it('should delete a multipart upload and send `uploadId` as `replayId` to deleteObject', done => { + // TODO CLDSRV-431 remove skip - skipped due to MPU call + it.skip('should delete a multipart upload and send `uploadId` as `replayId` to deleteObject', done => { bucketPut(authInfo, testBucketPutRequest, log, () => { mpuUtils.createMPU(namespace, bucketName, objectKey, log, (err, testUploadId) => { 
From a7ce187499da2bf5c2f7d0979068fb659a53a1ff Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Mon, 18 Sep 2023 14:44:48 +0200 Subject: [PATCH 4/4] update variable name --- lib/api/bucketDelete.js | 2 +- lib/api/bucketDeleteCors.js | 2 +- lib/api/bucketDeleteEncryption.js | 2 +- lib/api/bucketDeleteLifecycle.js | 2 +- lib/api/bucketDeletePolicy.js | 2 +- lib/api/bucketDeleteReplication.js | 2 +- lib/api/bucketDeleteWebsite.js | 2 +- lib/api/multiObjectDelete.js | 2 +- lib/api/objectDelete.js | 2 +- lib/api/objectDeleteTagging.js | 2 +- tests/unit/api/bucketDelete.js | 4 ++-- tests/unit/api/bucketDeleteCors.js | 2 +- tests/unit/api/bucketDeleteEncryption.js | 2 +- tests/unit/api/bucketDeleteLifecycle.js | 2 +- tests/unit/api/bucketDeletePolicy.js | 2 +- tests/unit/api/bucketDeleteWebsite.js | 4 ++-- tests/unit/api/objectDeleteTagging.js | 2 +- 17 files changed, 19 insertions(+), 19 deletions(-) diff --git a/lib/api/bucketDelete.js b/lib/api/bucketDelete.js index 737bdf58af..636dcff151 100644 --- a/lib/api/bucketDelete.js +++ b/lib/api/bucketDelete.js @@ -31,7 +31,7 @@ function bucketDelete(authInfo, request, log, cb) { request, }; - return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, + return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucketMD) => { const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucketMD); diff --git a/lib/api/bucketDeleteCors.js b/lib/api/bucketDeleteCors.js index 7fcfe65ca4..007c229a03 100644 --- a/lib/api/bucketDeleteCors.js +++ b/lib/api/bucketDeleteCors.js @@ -34,7 +34,7 @@ function bucketDeleteCors(authInfo, request, log, callback) { log.trace('found bucket in metadata'); if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, - request.iamAuthzResults, log, request)) { + request.actionImplicitDenies, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketDeleteCors', 
diff --git a/lib/api/bucketDeleteEncryption.js b/lib/api/bucketDeleteEncryption.js index b3c1f22e0c..5ec5442da1 100644 --- a/lib/api/bucketDeleteEncryption.js +++ b/lib/api/bucketDeleteEncryption.js @@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next), + next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next), (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), (bucket, next) => { const sseConfig = bucket.getServerSideEncryption(); diff --git a/lib/api/bucketDeleteLifecycle.js b/lib/api/bucketDeleteLifecycle.js index c8da533a0f..c1e7e9fc66 100644 --- a/lib/api/bucketDeleteLifecycle.js +++ b/lib/api/bucketDeleteLifecycle.js @@ -20,7 +20,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) { requestType: 'bucketDeleteLifecycle', request, }; - return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketDeletePolicy.js b/lib/api/bucketDeletePolicy.js index 11940916d1..0c509af630 100644 --- a/lib/api/bucketDeletePolicy.js +++ b/lib/api/bucketDeletePolicy.js @@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) { requestType: 'bucketDeletePolicy', request, }; - return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { 
diff --git a/lib/api/bucketDeleteReplication.js b/lib/api/bucketDeleteReplication.js index 6ac3a6b34d..5fb58783bd 100644 --- a/lib/api/bucketDeleteReplication.js +++ b/lib/api/bucketDeleteReplication.js @@ -20,7 +20,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) { requestType: 'bucketDeleteReplication', request, }; - return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => { + return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => { const corsHeaders = collectCorsHeaders(headers.origin, method, bucket); if (err) { log.debug('error processing request', { diff --git a/lib/api/bucketDeleteWebsite.js b/lib/api/bucketDeleteWebsite.js index ccd25e1ddd..74a0c415ca 100644 --- a/lib/api/bucketDeleteWebsite.js +++ b/lib/api/bucketDeleteWebsite.js @@ -26,7 +26,7 @@ function bucketDeleteWebsite(authInfo, request, log, callback) { log.trace('found bucket in metadata'); if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, - request.iamAuthzResults, log, request)) { + request.actionImplicitDenies, log, request)) { log.debug('access denied for user on bucket', { requestType, method: 'bucketDeleteWebsite', diff --git a/lib/api/multiObjectDelete.js b/lib/api/multiObjectDelete.js index e79c24a3f2..3715e3fb80 100644 --- a/lib/api/multiObjectDelete.js +++ b/lib/api/multiObjectDelete.js @@ -505,7 +505,7 @@ function multiObjectDelete(authInfo, request, log, callback) { bucketMD); } if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, - request.iamAuthzResults, log, request)) { + request.actionImplicitDenies, log, request)) { log.trace("access denied due to bucket acl's"); // if access denied at the bucket level, no access for // any of the objects so all results will be error results diff --git a/lib/api/objectDelete.js b/lib/api/objectDelete.js index ceae7b31b5..ee47a83cd5 100644 --- a/lib/api/objectDelete.js +++ b/lib/api/objectDelete.js 
@@ -56,7 +56,7 @@ function objectDelete(authInfo, request, log, cb) { const canonicalID = authInfo.getCanonicalID(); return async.waterfall([ function validateBucketAndObj(next) { - return metadataValidateBucketAndObj(valParams, request.iamAuthzResults, log, + return metadataValidateBucketAndObj(valParams, request.actionImplicitDenies, log, (err, bucketMD, objMD) => { if (err) { return next(err, bucketMD); diff --git a/lib/api/objectDeleteTagging.js b/lib/api/objectDeleteTagging.js index f2033b9ead..f9aa5ad809 100644 --- a/lib/api/objectDeleteTagging.js +++ b/lib/api/objectDeleteTagging.js @@ -46,7 +46,7 @@ function objectDeleteTagging(authInfo, request, log, callback) { }; return async.waterfall([ - next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log, + next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log, (err, bucket, objectMD) => { if (err) { log.trace('request authorization failed', diff --git a/tests/unit/api/bucketDelete.js b/tests/unit/api/bucketDelete.js index 6d03bae64e..c0f49df2bf 100644 --- a/tests/unit/api/bucketDelete.js +++ b/tests/unit/api/bucketDelete.js @@ -87,7 +87,7 @@ describe('bucketDelete API', () => { namespace, headers: {}, url: `/${bucketName}`, - iamAuthzResults: false, + actionImplicitDenies: false, }; const initiateRequest = { @@ -96,7 +96,7 @@ describe('bucketDelete API', () => { objectKey: objectName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: `/${objectName}?uploads`, - iamAuthzResults: false, + actionImplicitDenies: false, }; it('should return an error if the bucket is not empty', done => { diff --git a/tests/unit/api/bucketDeleteCors.js b/tests/unit/api/bucketDeleteCors.js index 7ce803453a..e1685bcd9c 100644 --- a/tests/unit/api/bucketDeleteCors.js +++ b/tests/unit/api/bucketDeleteCors.js 
@@ -19,7 +19,7 @@ const testBucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', - iamAuthzResults: false, + actionImplicitDenies: false, }; const testBucketPutCorsRequest = corsUtil.createBucketCorsRequest('PUT', bucketName); diff --git a/tests/unit/api/bucketDeleteEncryption.js b/tests/unit/api/bucketDeleteEncryption.js index 96a7478234..2084b32024 100644 --- a/tests/unit/api/bucketDeleteEncryption.js +++ b/tests/unit/api/bucketDeleteEncryption.js @@ -13,7 +13,7 @@ const bucketPutRequest = { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', - iamAuthzResults: false, + actionImplicitDenies: false, }; describe('bucketDeleteEncryption API', () => { before(() => cleanup()); diff --git a/tests/unit/api/bucketDeleteLifecycle.js b/tests/unit/api/bucketDeleteLifecycle.js index d986241256..d407d4cf9a 100644 --- a/tests/unit/api/bucketDeleteLifecycle.js +++ b/tests/unit/api/bucketDeleteLifecycle.js @@ -19,7 +19,7 @@ function _makeRequest(includeXml) { bucketName, headers: { host: `${bucketName}.s3.amazonaws.com` }, url: '/', - iamAuthzResults: false, + actionImplicitDenies: false, }; if (includeXml) { request.post = '