| 182 | } |
| 183 | |
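/**
 * Reduce the per-action authorization results returned by Vault into a
 * single decision for the API call.
 *
 * An explicit deny (`isAllowed` false and `isImplicit` false) on any action
 * rejects the call outright. Implicit denies are recorded per action in
 * `isImplicitDeny` so the caller can fall back to other authorization
 * sources; `bucketPut` and `serviceGet` have no such fallback and are denied
 * when every action came back as an implicit deny.
 *
 * For `objectGet`, `authResults[0]` is expected to hold the
 * s3:GetObject(Version) result and `authResults[1]` the
 * s3:GetObject(Version)Tagging result. A denied tagging action only
 * suppresses the tag count in the response; it does not deny the GET.
 *
 * @param {Array<{action: string, isAllowed: boolean, isImplicit: boolean}>}
 *   authResults - one result per action requested from Vault, in request order
 * @param {string} apiMethod - name of the API method being authorized
 * @param {object} log - request logger; only `trace` is used here
 * @returns {object} `errors.AccessDenied` when the call is rejected, otherwise
 *   `{ returnTagCount, isImplicitDeny }` where `isImplicitDeny` maps each
 *   action name to whether Vault's denial of it was implicit
 */
function checkAuthResults(authResults, apiMethod, log) {
    let returnTagCount = true;
    const isImplicitDeny = {};
    let isOnlyImplicitDeny = true;

    if (apiMethod === 'objectGet') {
        const [objectResult, taggingResult] = authResults;
        // A missing primary result must never read as "allowed": fail closed
        // with an explicit denial instead of a TypeError on the next line.
        if (!objectResult) {
            log.trace('missing get object authorization result from Vault');
            return errors.AccessDenied;
        }
        // first item checks s3:GetObject(Version) action
        if (!objectResult.isAllowed && !objectResult.isImplicit) {
            log.trace('get object authorization denial from Vault');
            return errors.AccessDenied;
        }
        isImplicitDeny[objectResult.action] = objectResult.isImplicit;
        // second item checks s3:GetObject(Version)Tagging action; a missing
        // result is treated like a denial so tags are not returned by default
        if (!taggingResult || !taggingResult.isAllowed) {
            log.trace('get tagging authorization denial from Vault');
            returnTagCount = false;
        }
    } else {
        for (const result of authResults) {
            isImplicitDeny[result.action] = true;
            if (!result.isAllowed && !result.isImplicit) {
                // Any explicit deny rejects the current API call
                log.trace('authorization denial from Vault');
                return errors.AccessDenied;
            }
            if (result.isAllowed) {
                // An allowed action is, by definition, not an implicit deny.
                isImplicitDeny[result.action] = false;
                isOnlyImplicitDeny = false;
            }
        }
    }
    // These two APIs cannot use ACLs or Bucket Policies, hence, any
    // implicit deny from vault must be treated as an explicit deny.
    if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
        return errors.AccessDenied;
    }
    return { returnTagCount, isImplicitDeny };
}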
| 224 | |
| 225 | /* eslint-disable no-param-reassign */ |
| 226 | function handleAuthorizationResults(request, authorizationResults, apiMethod, returnTagCount, log, callback) { |