DFBUGS-1517:

This is the put-bucket-policy case for combination of

Effect : DENY,
Action: $OPERATION,
NotPrincipal: $ACCOUNT

The $ACCOUNT mentioned in the "NotPrincipal" should be
excluded from DENy operation and should be allowed on the
$OPERATION

Example: For operation get_object, if we have DENY effect
for * (all accounts) and we want to give access to any one
or few accounts, then that account can be part of "NotPrincipal"

Signed-off-by: Vinayakswami Hariharmath <[email protected]>

Author: vh05

src/endpoint/s3/s3_bucket_policy_utils.js

@@ -174,8 +174,8 @@ function _is_principal_fit(account, statement) {
     let principal_fit = false;
     statement_principal = statement_principal.AWS ? statement_principal.AWS : statement_principal;
     for (const principal of _.flatten([statement_principal])) {
-        dbg.log1('bucket_policy: ', statement.Principal ? 'Principal' : 'NotPrincipal', ' fit?', principal, account);
-        if ((principal.unwrap() === '*') || (principal.unwrap() === account)) {
+        dbg.log1('bucket_policy: ', statement.Principal ? 'Principal' : 'NotPrincipal', ' fit?', principal, account.account_identifier_name);
+        if ((principal.unwrap() === '*') || (principal.unwrap() === account.account_identifier_id) || (principal.unwrap() === account.account_identifier_name)) {
             principal_fit = true;
             break;
         }

src/endpoint/s3/s3_rest.js

@@ -287,14 +287,14 @@ async function authorize_request_policy(req) {
     // we start the permission check on account identifier intentionally
     if (account_identifier_id) {
         permission_by_id = await s3_bucket_policy_utils.has_bucket_policy_permission(
-            s3_policy, account_identifier_id, method, arn_path, req);
+            s3_policy, {account_identifier_name, account_identifier_id}, method, arn_path, req);
         dbg.log3('authorize_request_policy: permission_by_id', permission_by_id);
     }
     if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);
 
     if ((!account_identifier_id || permission_by_id !== "DENY") && account.owner === undefined) {
         permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(
-            s3_policy, account_identifier_name, method, arn_path, req);
+            s3_policy, {account_identifier_name, account_identifier_id}, method, arn_path, req);
         dbg.log3('authorize_request_policy: permission_by_name', permission_by_name);
     }
     if (permission_by_name === "DENY") throw new S3Error(S3Error.AccessDenied);