(policy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies)
| 446 | // └──────────────────────────────────────────┘ |
| 447 | // |
| 448 | function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies) { |
| 449 | let permission = checkBucketPolicyResult.DEFAULT_DENY; |
| 450 | // if requester is user within bucket owner account, actions should be |
| 451 | // allowed unless explicitly denied (assumes allowed by IAM policy) |
| 452 | if (bucketOwner === canonicalID && actionImplicitDenies[requestType] === false) { |
| 453 | permission = checkBucketPolicyResult.ALLOW; |
| 454 | } |
| 455 | let copiedStatement = JSON.parse(JSON.stringify(policy.Statement)); |
| 456 | |
| 457 | const ip = request ? requestUtils.getClientIp(request, config) : undefined; |
| 458 | const isSecure = request ? requestUtils.getHttpProtocolSecurity(request, config) : undefined; |
| 459 | const requestContext = request ? new RequestContext(request.headers, request.query, |
| 460 | request.bucketName, request.objectKey, ip, |
| 461 | isSecure, request.resourceType, 's3', null, null, |
| 462 | null, null, null, null, null, null, null, null, null, |
| 463 | request.objectLockRetentionDays) : undefined; |
| 464 | |
| 465 | while (copiedStatement.length > 0) { |
| 466 | const s = copiedStatement[0]; |
| 467 | const principalMatch = _checkPrincipals(canonicalID, arn, s.Principal, bucketOwner); |
| 468 | const actionMatch = _checkBucketPolicyActions(requestType, s.Action, log); |
| 469 | const resourceMatch = _checkBucketPolicyResources(requestContext, s.Resource, log); |
| 470 | const conditionsMatch = _checkBucketPolicyConditions(requestContext, s.Condition, log); |
| 471 | |
| 472 | const ok = principalMatch === checkPrincipalResult.OK && actionMatch && resourceMatch && conditionsMatch; |
| 473 | const okCross = principalMatch === checkPrincipalResult.CROSS_ACCOUNT_OK |
| 474 | && actionMatch && resourceMatch && conditionsMatch; |
| 475 | switch (permission) { |
| 476 | case checkBucketPolicyResult.DEFAULT_DENY: |
| 477 | if ((ok || okCross) && s.Effect === 'Deny') { |
| 478 | return checkBucketPolicyResult.EXPLICIT_DENY; |
| 479 | } else if (ok && s.Effect === 'Allow') { |
| 480 | permission = checkBucketPolicyResult.ALLOW; |
| 481 | } else if (okCross && s.Effect === 'Allow') { |
| 482 | permission = checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW; |
| 483 | } |
| 484 | break; |
| 485 | case checkBucketPolicyResult.EXPLICIT_DENY: |
| 486 | return checkBucketPolicyResult.EXPLICIT_DENY; |
| 487 | case checkBucketPolicyResult.ALLOW: |
| 488 | if ((ok || okCross) && s.Effect === 'Deny') { |
| 489 | return checkBucketPolicyResult.EXPLICIT_DENY; |
| 490 | } |
| 491 | break; |
| 492 | case checkBucketPolicyResult.CROSS_ACCOUNT_ALLOW: |
| 493 | if ((ok || okCross) && s.Effect === 'Deny') { |
| 494 | return checkBucketPolicyResult.EXPLICIT_DENY; |
| 495 | } else if (ok && s.Effect === 'Allow') { |
| 496 | permission = checkBucketPolicyResult.ALLOW; |
| 497 | } |
| 498 | break; |
| 499 | default: // Needed for the linter, should be unreachable. |
| 500 | break; |
| 501 | } |
| 502 | |
| 503 | copiedStatement = copiedStatement.splice(1); |
| 504 | } |
| 505 | return permission; |
no test coverage detected