(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request,
actionImplicitDeniesInput = {}, isWebsite = false)
| 597 | } |
| 598 | |
| 599 | function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authInfo, log, request, |
| 600 | actionImplicitDeniesInput = {}, isWebsite = false) { |
| 601 | const requestTypes = Array.isArray(requestTypesInput) ? requestTypesInput : [requestTypesInput]; |
| 602 | const actionImplicitDenies = !actionImplicitDeniesInput ? {} : actionImplicitDeniesInput; |
| 603 | const results = {}; |
| 604 | const mainApiCall = requestTypes[0]; |
| 605 | return requestTypes.every(_requestType => { |
| 606 | // By default, all missing actions are defined as allowed from IAM, to be |
| 607 | // backward compatible |
| 608 | actionImplicitDenies[_requestType] = actionImplicitDenies[_requestType] || false; |
| 609 | const parsedMethodName = _requestType.endsWith('Version') |
| 610 | ? _requestType.slice(0, -7) : _requestType; |
| 611 | const bucketOwner = bucket.getOwner(); |
| 612 | if (!objectMD) { |
| 613 | // check bucket has read access |
| 614 | // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions |
| 615 | let permission = 'bucketGet'; |
| 616 | if (actionsToConsiderAsObjectPut.includes(_requestType)) { |
| 617 | permission = 'objectPut'; |
| 618 | } |
| 619 | results[_requestType] = isBucketAuthorized(bucket, permission, canonicalID, authInfo, log, request, |
| 620 | actionImplicitDenies, isWebsite); |
| 621 | // User is already authorized on the bucket for FULL_CONTROL or WRITE or |
| 622 | // bucket has canned ACL public-read-write |
| 623 | if ((parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') |
| 624 | && results[_requestType] === false) { |
| 625 | results[_requestType] = actionImplicitDenies[_requestType] === false; |
| 626 | } |
| 627 | return results[_requestType]; |
| 628 | } |
| 629 | let requesterIsNotUser = true; |
| 630 | let arn = null; |
| 631 | let isUserUnauthenticated = false; |
| 632 | if (authInfo) { |
| 633 | requesterIsNotUser = !isRequesterNonAccountUser(authInfo); |
| 634 | arn = authInfo.getArn(); |
| 635 | isUserUnauthenticated = arn === undefined; |
| 636 | } |
| 637 | if (objectMD['owner-id'] === canonicalID && requesterIsNotUser || isServiceAccount(canonicalID)) { |
| 638 | results[_requestType] = actionImplicitDenies[_requestType] === false; |
| 639 | return results[_requestType]; |
| 640 | } |
| 641 | // account is authorized if: |
| 642 | // - requesttype is included in bucketOwnerActions and |
| 643 | // - account is the bucket owner |
| 644 | // - requester is account, not user |
| 645 | if (bucketOwnerActions.includes(parsedMethodName) |
| 646 | && (bucketOwner === canonicalID) |
| 647 | && requesterIsNotUser) { |
| 648 | results[_requestType] = actionImplicitDenies[_requestType] === false; |
| 649 | return results[_requestType]; |
| 650 | } |
| 651 | const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName, |
| 652 | canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall); |
| 653 | const { allowed, aclRequired } = processBucketPolicy(_requestType, bucket, canonicalID, arn, bucketOwner, |
| 654 | log, request, aclPermission, results, actionImplicitDenies); |
| 655 | if (aclRequired && request?.serverAccessLog) { |
| 656 | // eslint-disable-next-line no-param-reassign |