hub / github.com/scality/cloudserver / isObjAuthorized

Function isObjAuthorized

lib/api/apiUtils/authorization/permissionChecks.js:599–661  ·  view source on GitHub ↗
(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request,
    actionImplicitDeniesInput = {}, isWebsite = false)

Source from the content-addressed store, hash-verified

597}
598
599function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request,
600 actionImplicitDeniesInput = {}, isWebsite = false) {
601 const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput];
602 const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput;
603 const results = {};
604 const mainApiCall = requestTypes[0];
605 return requestTypes.every(_requestType => {
606 // By default, all missing actions are defined as allowed from IAM, to be
607 // backward compatible
608 actionImplicitDenies[_requestType] = actionImplicitDenies[_requestType] || false;
609 const parsedMethodName = _requestType.endsWith('Version')
610 ? _requestType.slice(0, -7) : _requestType;
611 const bucketOwner = bucket.getOwner();
612 if (!objectMD) {
613 // check bucket has read access
614 // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
615 let permission = 'bucketGet';
616 if (actionsToConsiderAsObjectPut.includes(_requestType)) {
617 permission = 'objectPut';
618 }
619 results[_requestType] = isBucketAuthorized(bucket, permission, canonicalID, authInfo, log, request,
620 actionImplicitDenies, isWebsite);
621 // User is already authorized on the bucket for FULL_CONTROL or WRITE or
622 // bucket has canned ACL public-read-write
623 if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete')
624 && results[_requestType] === false) {
625 results[_requestType] = actionImplicitDenies[_requestType] === false;
626 }
627 return results[_requestType];
628 }
629 let requesterIsNotUser = true;
630 let arn = null;
631 let isUserUnauthenticated = false;
632 if (authInfo) {
633 requesterIsNotUser = !isRequesterNonAccountUser(authInfo);
634 arn = authInfo.getArn();
635 isUserUnauthenticated = arn === undefined;
636 }
637 if (objectMD['owner-id'] === canonicalID && requesterIsNotUser || isServiceAccount(canonicalID)) {
638 results[_requestType] = actionImplicitDenies[_requestType] === false;
639 return results[_requestType];
640 }
641 // account is authorized if:
642 // - requesttype is included in bucketOwnerActions and
643 // - account is the bucket owner
644 // - requester is account, not user
645 if (bucketOwnerActions.includes(parsedMethodName)
646 && (bucketOwner === canonicalID)
647 && requesterIsNotUser) {
648 results[_requestType] = actionImplicitDenies[_requestType] === false;
649 return results[_requestType];
650 }
651 const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
652 canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
653 const { allowed, aclRequired } = processBucketPolicy(_requestType, bucket, canonicalID, arn, bucketOwner,
654 log, request, aclPermission, results, actionImplicitDenies);
655 if (aclRequired && request?.serverAccessLog) {
656 // eslint-disable-next-line no-param-reassign

Callers 6

_errorActionsFunction · 0.85
runWebsiteFunction · 0.85
objectACLauth.jsFile · 0.85

Calls 6

isBucketAuthorizedFunction · 0.85
isServiceAccountFunction · 0.85
checkObjectAclsFunction · 0.85
processBucketPolicyFunction · 0.85
getOwnerMethod · 0.80

Tested by

no test coverage detected