hub / github.com/scality/cloudserver / checkAuthResults

Function checkAuthResults

lib/api/api.js:184–223  ·  view source on GitHub ↗
(authResults, apiMethod, log)

Source from the content-addressed store, hash-verified

182}
183
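/**
 * Reduce the per-action authorization results from Vault to one decision
 * for the current API call.
 *
 * For 'objectGet' the results are read by position: item 0 is the
 * s3:GetObject(Version) decision and item 1 the
 * s3:GetObject(Version)Tagging decision. A missing item is handled as a
 * denial (fail closed) rather than dereferenced.
 *
 * @param {object[]} authResults - one entry per evaluated action; each
 *   entry is read for `isAllowed`, `isImplicit` and `action`
 * @param {string} apiMethod - name of the API being authorized
 * @param {object} log - request logger; only `trace` is called here
 * @return {object} `errors.AccessDenied` when the call must be rejected,
 *   otherwise `{ returnTagCount, isImplicitDeny }` where `isImplicitDeny`
 *   maps each action name to whether its denial was implicit
 */
function checkAuthResults(authResults, apiMethod, log) {
    let returnTagCount = true;
    const isImplicitDeny = {};
    let isOnlyImplicitDeny = true;
    if (apiMethod === 'objectGet') {
        const getResult = authResults[0];
        const taggingResult = authResults[1];
        // No decision at all for the read itself: deny instead of throwing
        // a TypeError on the property access below.
        if (!getResult) {
            log.trace('get object authorization result missing from Vault');
            return errors.AccessDenied;
        }
        // first item checks s3:GetObject(Version) action
        if (!getResult.isAllowed && !getResult.isImplicit) {
            log.trace('get object authorization denial from Vault');
            return errors.AccessDenied;
        }
        isImplicitDeny[getResult.action] = getResult.isImplicit;
        // second item checks s3:GetObject(Version)Tagging action; an absent
        // second item is treated like a denial so the tag count is withheld.
        if (!taggingResult || !taggingResult.isAllowed) {
            log.trace('get tagging authorization denial ' +
                'from Vault');
            returnTagCount = false;
        }
    } else {
        // NOTE(review): an empty authResults leaves isImplicitDeny empty and,
        // for APIs other than bucketPut/serviceGet, falls through to the
        // success return. Confirm callers do not read a missing key as
        // "explicitly allowed".
        for (let i = 0; i < authResults.length; i++) {
            const result = authResults[i];
            // Start from "implicit deny"; only an allow clears it below.
            isImplicitDeny[result.action] = true;
            if (!result.isAllowed && !result.isImplicit) {
                // Any explicit deny rejects the current API call
                log.trace('authorization denial from Vault');
                return errors.AccessDenied;
            }
            if (result.isAllowed) {
                // If the action is allowed, the result is not implicit
                // Deny.
                isImplicitDeny[result.action] = false;
                isOnlyImplicitDeny = false;
            }
        }
    }
    // These two APIs cannot use ACLs or Bucket Policies, hence, any
    // implicit deny from vault must be treated as an explicit deny.
    if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
        return errors.AccessDenied;
    }
    return { returnTagCount, isImplicitDeny };
}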
224
225/* eslint-disable no-param-reassign */
226function handleAuthorizationResults(request, authorizationResults, apiMethod, returnTagCount, log, callback) {

Callers 1

Calls 1

traceMethod · 0.80

Tested by

no test coverage detected