* Validate that a bucket is accessible and authorized to the user, * return a specific error code otherwise * * @param {BucketInfo} bucket - bucket info * @param {object} params - function parameters * @param {AuthInfo} params.authInfo - AuthInfo class instance, requester's info * @param {stri
(bucket, params, log, actionImplicitDenies = {})
| 211 | * - AccessDenied: bucket is not authorized |
| 212 | */ |
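function validateBucket(bucket, params, log, actionImplicitDenies = {}) {
    // Checks run in this order: bucket shield, rate-limit service bypass,
    // owner-only actions, then bucket authorization. Returns null when the
    // request may proceed, otherwise errors.NoSuchBucket,
    // errors.MethodNotAllowed or errors.AccessDenied.
    const { authInfo, preciseRequestType, request } = params;
    let requestType = params.requestType;

    // bucketShield receives requestType exactly as the caller passed it
    // (string or array); normalization to an array happens further down.
    if (bucketShield(bucket, requestType)) {
        log.debug('bucket is shielded from request', {
            requestType,
            method: 'validateBucket',
        });
        return errors.NoSuchBucket;
    }

    const canonicalID = authInfo.getCanonicalID();
    if (!Array.isArray(requestType)) {
        requestType = [requestType];
    }

    // Skip checking bucket ownership if the requesting user is the rate limit service user
    // and the requestType is Get/Put/DeleteBucketRateLimit.
    // Array.prototype.every() is vacuously true for an empty array, so an
    // empty requestType list must not qualify for this bypass: require at
    // least one action and fall through to the normal checks otherwise.
    // NOTE(review): the bypass is decided on requestType, while the
    // authorization call below prefers preciseRequestType - confirm callers
    // keep the two consistent.
    const isRateLimitApiRequest = requestType.length > 0
        && requestType.every(type => rateLimitApiActions.includes(type));
    if (isRateLimitApiRequest
        && config.rateLimiting.enabled
        && isRateLimitServiceUser(authInfo)
    ) {
        return null;
    }

    // Owner-only actions are refused for any other canonical ID before the
    // policy/ACL evaluation is attempted.
    const requiresOwner = requestType.some(type => onlyOwnerAllowed.includes(type));
    if (bucket.getOwner() !== canonicalID && requiresOwner) {
        return errors.MethodNotAllowed;
    }

    if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
        authInfo, log, request, actionImplicitDenies)) {
        log.debug('access denied for user on bucket', { requestType });
        return errors.AccessDenied;
    }
    return null;
}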
| 248 | |
| 249 | /** |
| 250 | * Check rate limiting if not already checked |