s3tables: enforce strict resource ownership and implement result filtering for buckets
This commit is contained in:
Chris Lu
@@ -55,11 +55,10 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check permission
|
// Check ownership
|
||||||
principal := h.getPrincipalFromRequest(r)
|
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
|
||||||
if !CanGetTableBucket(principal, metadata.OwnerAccountID) {
|
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
|
||||||
return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details")
|
return fmt.Errorf("access denied")
|
||||||
}
|
}
|
||||||
|
|
||||||
resp := &GetTableBucketResponse{
|
resp := &GetTableBucketResponse{
|
||||||
@@ -155,6 +154,10 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if metadata.OwnerAccountID != accountID {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
buckets = append(buckets, TableBucketSummary{
|
buckets = append(buckets, TableBucketSummary{
|
||||||
ARN: h.generateTableBucketARN(r, entry.Entry.Name),
|
ARN: h.generateTableBucketARN(r, entry.Entry.Name),
|
||||||
Name: entry.Entry.Name,
|
Name: entry.Entry.Name,
|
||||||
@@ -221,9 +224,11 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
|
|||||||
|
|
||||||
bucketPath := getTableBucketPath(bucketName)
|
bucketPath := getTableBucketPath(bucketName)
|
||||||
|
|
||||||
// Check if bucket exists and get metadata for permission check
|
// Check if bucket exists and perform ownership + emptiness check in one block
|
||||||
var metadata tableBucketMetadata
|
var metadata tableBucketMetadata
|
||||||
|
hasChildren := false
|
||||||
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
||||||
|
// 1. Get metadata for ownership check
|
||||||
data, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyMetadata)
|
data, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyMetadata)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@@ -231,28 +236,14 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
|
|||||||
if err := json.Unmarshal(data, &metadata); err != nil {
|
if err := json.Unmarshal(data, &metadata); err != nil {
|
||||||
return fmt.Errorf("failed to unmarshal metadata: %w", err)
|
return fmt.Errorf("failed to unmarshal metadata: %w", err)
|
||||||
}
|
}
|
||||||
return nil
|
|
||||||
})
|
|
||||||
|
|
||||||
if err != nil {
|
// 2. Check ownership
|
||||||
if errors.Is(err, filer_pb.ErrNotFound) {
|
principal := h.getPrincipalFromRequest(r)
|
||||||
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
|
if principal != metadata.OwnerAccountID {
|
||||||
} else {
|
return fmt.Errorf("access denied: principal %s does not own bucket %s", principal, bucketName)
|
||||||
h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to get table bucket metadata: %v", err))
|
|
||||||
}
|
}
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check permission
|
// 3. Check if bucket is empty
|
||||||
principal := h.getPrincipalFromRequest(r)
|
|
||||||
if !CanDeleteTableBucket(principal, metadata.OwnerAccountID) {
|
|
||||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket")
|
|
||||||
return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table bucket")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check if bucket is empty
|
|
||||||
hasChildren := false
|
|
||||||
err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
|
|
||||||
resp, err := client.ListEntries(r.Context(), &filer_pb.ListEntriesRequest{
|
resp, err := client.ListEntries(r.Context(), &filer_pb.ListEntriesRequest{
|
||||||
Directory: bucketPath,
|
Directory: bucketPath,
|
||||||
Limit: 10,
|
Limit: 10,
|
||||||
@@ -281,9 +272,11 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
if errors.Is(err, filer_pb.ErrNotFound) {
|
if errors.Is(err, filer_pb.ErrNotFound) {
|
||||||
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
|
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
|
||||||
return err
|
} else if strings.Contains(err.Error(), "access denied") {
|
||||||
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, err.Error())
|
||||||
|
} else {
|
||||||
|
h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to delete table bucket: %v", err))
|
||||||
}
|
}
|
||||||
h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to list bucket entries: %v", err))
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user