MCPcopy Index your code
hub / github.com/scality/cloudserver / checkBucketPolicy

Function checkBucketPolicy

lib/api/apiUtils/authorization/permissionChecks.js:448–506  ·  view source on GitHub ↗
(policy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies)

Source from the content-addressed store, hash-verified

446// └──────────────────────────────────────────┘
447//
448function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies) {
449 let permission = checkBucketPolicyResult.DEFAULT_DENY;
450 // if requester is user within bucket owner account, actions should be
451 // allowed unless explicitly denied (assumes allowed by IAM policy)
452 if (bucketOwner === canonicalID && actionImplicitDenies[requestType] === false) {
453 permission = checkBucketPolicyResult.ALLOW;
454 }
455 let copiedStatement = JSON.parse(JSON.stringify(policy.Statement));
456
457 const ip = request ? requestUtils.getClientIp(request, config) : undefined;
458 const isSecure = request ? requestUtils.getHttpProtocolSecurity(request, config) : undefined;
459 const requestContext = request ? new RequestContext(request.headers, request.query,
460 request.bucketName, request.objectKey, ip,
461 isSecure, request.resourceType, 's3', null, null,
462 null, null, null, null, null, null, null, null, null,
463 request.objectLockRetentionDays) : undefined;
464
465 while (copiedStatement.length > 0) {
466 const s = copiedStatement[0];
467 const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal, bucketOwner);
468 const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log);
469 const resourceMatch = _checkBucketPolicyResources(requestContext, s.Resource, log);
470 const conditionsMatch = _checkBucketPolicyConditions(requestContext, s.Condition, log);
471
472 const ok = principalMatch === checkPrincipalResult.OK && actionMatch && resourceMatch && conditionsMatch;
473 const okCross = principalMatch === checkPrincipalResult.CROSS_ACCOUNT_OK
474 && actionMatch && resourceMatch && conditionsMatch;
475 switch (permission) {
476 case checkBucketPolicyResult.DEFAULT_DENY:
477 if ((ok || okCross) && s.Effect === 'Deny') {
478 return checkBucketPolicyResult.EXPLICIT_DENY;
479 } else if (ok && s.Effect === 'Allow') {
480 permission = checkBucketPolicyResult.ALLOW;
481 } else if (okCross && s.Effect === 'Allow') {
482 permission = checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW;
483 }
484 break;
485 case checkBucketPolicyResult.EXPLICIT_DENY:
486 return checkBucketPolicyResult.EXPLICIT_DENY;
487 case checkBucketPolicyResult.ALLOW:
488 if ((ok || okCross) && s.Effect === 'Deny') {
489 return checkBucketPolicyResult.EXPLICIT_DENY;
490 }
491 break;
492 case checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW:
493 if ((ok || okCross) && s.Effect === 'Deny') {
494 return checkBucketPolicyResult.EXPLICIT_DENY;
495 } else if (ok && s.Effect === 'Allow') {
496 permission = checkBucketPolicyResult.ALLOW;
497 }
498 break;
499 default: // Needed for the linter, should be unreachable.
500 break;
501 }
502
503 copiedStatement = copiedStatement.splice(1);
504 }
505 return permission;

Callers 2

processBucketPolicyFunction · 0.85

Calls 4

_checkPrincipalsFunction · 0.85

Tested by

no test coverage detected