s3tables: refactor permission checks to use resource owner in bucket handlers
This commit is contained in:
Chris Lu
@@ -14,12 +14,6 @@ import (
|
|||||||
// handleGetTableBucket gets details of a table bucket
|
// handleGetTableBucket gets details of a table bucket
|
||||||
func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error {
|
func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error {
|
||||||
// Check permission
|
// Check permission
|
||||||
principal := h.getPrincipalFromRequest(r)
|
|
||||||
accountID := h.getAccountID(r)
|
|
||||||
if !CanGetTableBucket(principal, accountID) {
|
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
|
|
||||||
return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details")
|
|
||||||
}
|
|
||||||
|
|
||||||
var req GetTableBucketRequest
|
var req GetTableBucketRequest
|
||||||
if err := h.readRequestBody(r, &req); err != nil {
|
if err := h.readRequestBody(r, &req); err != nil {
|
||||||
@@ -46,7 +40,10 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return json.Unmarshal(data, &metadata)
|
if err := json.Unmarshal(data, &metadata); err != nil {
|
||||||
|
return fmt.Errorf("failed to unmarshal metadata: %w", err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
})
|
})
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -58,6 +55,13 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check permission
|
||||||
|
principal := h.getPrincipalFromRequest(r)
|
||||||
|
if !CanGetTableBucket(principal, metadata.OwnerID) {
|
||||||
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
|
||||||
|
return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details")
|
||||||
|
}
|
||||||
|
|
||||||
resp := &GetTableBucketResponse{
|
resp := &GetTableBucketResponse{
|
||||||
ARN: h.generateTableBucketARN(r, bucketName),
|
ARN: h.generateTableBucketARN(r, bucketName),
|
||||||
Name: metadata.Name,
|
Name: metadata.Name,
|
||||||
@@ -197,13 +201,6 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
|
|||||||
|
|
||||||
// handleDeleteTableBucket deletes a table bucket
|
// handleDeleteTableBucket deletes a table bucket
|
||||||
func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error {
|
func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error {
|
||||||
// Check permission
|
|
||||||
principal := h.getPrincipalFromRequest(r)
|
|
||||||
accountID := h.getAccountID(r)
|
|
||||||
if !CanDeleteTableBucket(principal, accountID) {
|
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table buckets")
|
|
||||||
return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table buckets")
|
|
||||||
}
|
|
||||||
|
|
||||||
var req DeleteTableBucketRequest
|
var req DeleteTableBucketRequest
|
||||||
if err := h.readRequestBody(r, &req); err != nil {
|
if err := h.readRequestBody(r, &req); err != nil {
|
||||||
@@ -224,7 +221,36 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
|
|||||||
|
|
||||||
bucketPath := getTableBucketPath(bucketName)
|
bucketPath := getTableBucketPath(bucketName)
|
||||||
|
|
||||||
// Check if bucket exists and is empty
|
// Check if bucket exists and get metadata for permission check
|
||||||
|
var metadata tableBucketMetadata
|
||||||
|
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
||||||
|
data, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyMetadata)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := json.Unmarshal(data, &metadata); err != nil {
|
||||||
|
return fmt.Errorf("failed to unmarshal metadata: %w", err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
if errors.Is(err, filer_pb.ErrNotFound) {
|
||||||
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
|
||||||
|
} else {
|
||||||
|
h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to get table bucket metadata: %v", err))
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check permission
|
||||||
|
principal := h.getPrincipalFromRequest(r)
|
||||||
|
if !CanDeleteTableBucket(principal, metadata.OwnerID) {
|
||||||
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket")
|
||||||
|
return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table bucket")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if bucket is empty
|
||||||
hasChildren := false
|
hasChildren := false
|
||||||
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
||||||
resp, err := client.ListEntries(r.Context(), &filer_pb.ListEntriesRequest{
|
resp, err := client.ListEntries(r.Context(), &filer_pb.ListEntriesRequest{
|
||||||
|
|||||||
Reference in New Issue
Block a user