Merge pull request #8776 from aspandey/access_object_version

noobaa-core: Bucket Policy Condition to access Specific VersionID

Author: aspandey

src/endpoint/s3/s3_bucket_policy_utils.js

@@ -110,12 +110,15 @@ const predicate_map = {
 
 const condition_fit_functions = {
     's3:ExistingObjectTag': _is_object_tag_fit,
-    's3:x-amz-server-side-encryption': _is_server_side_encryption_fit
+    's3:x-amz-server-side-encryption': _is_server_side_encryption_fit,
+    's3:VersionId': _is_object_version_fit
 };
 
+//https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys
 const supported_actions = {
     's3:ExistingObjectTag': ['s3:DeleteObjectTagging', 's3:DeleteObjectVersionTagging', 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectTagging', 's3:GetObjectVersion', 's3:GetObjectVersionTagging', 's3:PutObjectAcl', 's3:PutObjectTagging', 's3:PutObjectVersionTagging'],
-    's3:x-amz-server-side-encryption': ['s3:PutObject']
+    's3:x-amz-server-side-encryption': ['s3:PutObject'],
+    's3:VersionId': ['s3:GetObjectVersion', 's3:DeleteObjectVersion', 's3:GetObjectVersionAttributes', 's3:GetObjectVersionTagging', 's3:PutObjectVersionTagging', 's3:DeleteObjectVersionTagging']
 };
 
 const SUPPORTED_BUCKET_POLICY_CONDITIONS = Object.keys(supported_actions);
@@ -136,6 +139,12 @@ async function _is_object_tag_fit(req, predicate, value) {
     dbg.log1('bucket_policy: object tag fit?', value, tag, res);
     return res;
 }
+async function _is_object_version_fit(req, predicate, value) {
+    const version_id = req.query.versionId;
+    const res = predicate(version_id, value);
+    dbg.log1('bucket_policy: version-id fit? version-id, policy version-id, match :', version_id, value, res);
+    return res;
+}
 
 async function has_bucket_policy_permission(policy, account, method, arn_path, req) {
     const [allow_statements, deny_statements] = _.partition(policy.Statement, statement => statement.Effect === 'Allow');
@@ -210,7 +219,7 @@ async function _is_statements_fit(statements, account, method, arn_path, req) {
         const resource_fit = _is_resource_fit(arn_path, statement);
         const condition_fit = await _is_condition_fit(statement, req, method);
 
-        dbg.log1('bucket_policy: is_statements_fit', action_fit, principal_fit, resource_fit, condition_fit);
+        dbg.log1('bucket_policy - is_statements_fit: action_fit, principal_fit, resource_fit, condition_fit', action_fit, principal_fit, resource_fit, condition_fit);
         if (action_fit && principal_fit && resource_fit && condition_fit) return true;
     }
     return false;

src/server/common_services/auth_server.js

@@ -595,16 +595,16 @@ function _prepare_auth_request(req) {
         dbg.log3('load auth system:', req.system && req.system._id);
     };
 
-    req.has_bucket_anonymous_permission = function(bucket, action, bucket_path) {
-        return has_bucket_anonymous_permission(bucket, action, bucket_path);
+    req.has_bucket_anonymous_permission = function(bucket, action, bucket_path, req_query) {
+        return has_bucket_anonymous_permission(bucket, action, bucket_path, req_query);
     };
 
-    req.has_s3_bucket_permission = async function(bucket, action, bucket_path) {
+    req.has_s3_bucket_permission = async function(bucket, action, bucket_path, req_query) {
         // Since this method can be called both authorized and unauthorized
         // We need to check the anonymous permission only when the bucket is configured to server anonymous requests
         // In case of anonymous function but with authentication flow we roll back to previous code and not return here
         if (req.auth_token && typeof req.auth_token === 'object') {
-            return req.has_bucket_action_permission(bucket, action, bucket_path);
+            return req.has_bucket_action_permission(bucket, action, bucket_path, req_query);
         }
         // If we came with a NooBaa management token then we've already checked the method permissions prior to this function
         // There is nothing specific to bucket permissions for the management credentials
@@ -614,20 +614,20 @@ function _prepare_auth_request(req) {
         }
 
         if (options.anonymous === true) {
-            return req.has_bucket_anonymous_permission(bucket, action, bucket_path);
+            return req.has_bucket_anonymous_permission(bucket, action, bucket_path, req_query);
         }
 
         return false;
     };
 
     req.check_bucket_action_permission = async function(bucket, action, bucket_path) {
-        if (!await has_bucket_action_permission(bucket, req.account, action, bucket_path)) {
+        if (!await has_bucket_action_permission(bucket, req.account, action, undefined, bucket_path)) {
             throw new RpcError('UNAUTHORIZED', 'No permission to access bucket');
         }
     };
 
-    req.has_bucket_action_permission = async function(bucket, action, bucket_path) {
-        return has_bucket_action_permission(bucket, req.account, action, bucket_path);
+    req.has_bucket_action_permission = async function(bucket, action, bucket_path, req_query) {
+        return has_bucket_action_permission(bucket, req.account, action, req_query, bucket_path);
     };
 }
 
@@ -669,9 +669,8 @@ function _get_auth_info(account, system, authorized_by, role, extra) {
  * @param {string} bucket_path s3 bucket path (must start from "/")
  * @returns  {Promise<boolean>} true if the account has permission to perform the action on the bucket
  */
-async function has_bucket_action_permission(bucket, account, action, bucket_path = "") {
+async function has_bucket_action_permission(bucket, account, action, req_query, bucket_path = "") {
     dbg.log1('has_bucket_action_permission:', bucket.name, account.email, bucket.owner_account.email);
-
     // If the system owner account wants to access the bucket, allow it
     if (bucket.system.owner.email.unwrap() === account.email.unwrap()) return true;
 
@@ -689,7 +688,7 @@ async function has_bucket_action_permission(bucket, account, action, bucket_path
         account.email.unwrap(),
         action,
         `arn:aws:s3:::${bucket.name.unwrap()}${bucket_path}`,
-        undefined
+        req_query
     );
 
     if (result === 'DENY') return false;
@@ -704,7 +703,8 @@ async function has_bucket_action_permission(bucket, account, action, bucket_path
  * @param {string} bucket_path bucket path
  * @returns {Promise<boolean>} true if the bucket is configured to serve anonymous requests
  */
-async function has_bucket_anonymous_permission(bucket, action, bucket_path = "") {
+async function has_bucket_anonymous_permission(bucket, action, bucket_path, req_query) {
+    bucket_path = bucket_path ?? "";
     const bucket_policy = bucket.s3_policy;
     if (!bucket_policy) return false;
     return await s3_bucket_policy_utils.has_bucket_policy_permission(
@@ -713,7 +713,7 @@ async function has_bucket_anonymous_permission(bucket, action, bucket_path = "")
         undefined,
         action || `s3:GetObject`,
         `arn:aws:s3:::${bucket.name.unwrap()}${bucket_path}`,
-        undefined
+        req_query
     ) === 'ALLOW';
 }
 

src/server/object_services/object_server.js

@@ -698,7 +698,7 @@ async function read_object_mapping(req) {
     const obj = await find_object_md(req);
 
     // Check if the requesting account is authorized to read the object
-    if (!await req.has_s3_bucket_permission(req.bucket, 's3:GetObject', '/' + obj.key)) {
+    if (!await req.has_s3_bucket_permission(req.bucket, 's3:GetObject', '/' + obj.key, undefined)) {
         throw new RpcError('UNAUTHORIZED', 'requesting account is not authorized to read the object');
     }
 
@@ -770,6 +770,26 @@ async function read_node_mapping(req) {
     };
 }
 
+/**
+ * Converts RPC parameters to a bucket policy request query.
+ * Extracts the version ID (if present) to construct a query object.
+ * @param {object} rpc_params - The RPC parameters object.
+ * @returns {object|null} A query object or null.
+ */
+
+function _convert_rpc_params_to_bucket_policy_req(rpc_params) {
+
+    let req_query = null;
+    if (rpc_params && rpc_params.version_id) {
+        req_query = {
+            query: {
+                versionId: rpc_params.version_id
+            }
+        };
+    }
+    return req_query;
+}
+
 /**
  *
  * READ_OBJECT_MD
@@ -783,11 +803,13 @@ async function read_object_md(req) {
         throw new RpcError('UNAUTHORIZED', 'read_object_md: role should be admin');
     }
 
+    const req_query = _convert_rpc_params_to_bucket_policy_req(req.rpc_params);
     const obj = await find_object_md(req);
 
     // Check if the requesting account is authorized to read the object
     const action = version_id ? 's3:GetObjectVersion' : 's3:GetObject';
-    if (!await req.has_s3_bucket_permission(req.bucket, action, '/' + obj.key)) {
+
+    if (!await req.has_s3_bucket_permission(req.bucket, action, '/' + obj.key, req_query)) {
         throw new RpcError('UNAUTHORIZED', 'requesting account is not authorized to read the object');
     }
 

src/test/unit_tests/test_s3_bucket_policy.js

@@ -1,5 +1,6 @@
 /* Copyright (C) 2016 NooBaa */
 /* eslint max-lines-per-function: ['error', 650] */
+/* eslint max-lines: ["error", 2500] */
 'use strict';
 
 // setup coretest first to prepare the env
@@ -35,6 +36,8 @@ const BKT = 'test2-bucket-policy-ops';
 const BKT_B = 'test2-bucket-policy-ops-1';
 const BKT_C = 'test2-bucket-policy-ops-2';
 const BKT_D = 'test2-bucket-policy-ops-3';
+const VER_BKT = 'test-object-ver-policy-ops';
+
 const KEY = 'file1.txt';
 const user_a = 'alice';
 const user_b = 'bob';
@@ -137,6 +140,8 @@ async function setup() {
     await s3_owner.createBucket({ Bucket: BKT });
     await s3_owner.createBucket({ Bucket: BKT_C });
     await s3_owner.createBucket({ Bucket: BKT_D });
+    await s3_owner.createBucket({ Bucket: VER_BKT });
+
     s3_anon = new S3({
         ...s3_creds,
         credentials: {
@@ -150,7 +155,7 @@ async function setup() {
     });
 }
 
-/*eslint max-lines-per-function: ["error", 2000]*/
+/*eslint max-lines-per-function: ["error", 3000]*/
 mocha.describe('s3_bucket_policy', function() {
     mocha.before(setup);
     mocha.it('should fail setting bucket policy when user doesn\'t exist', async function() {
@@ -1963,4 +1968,129 @@ mocha.describe('s3_bucket_policy', function() {
             assert.strictEqual(res.PolicyStatus.IsPublic, true);
         });
     });
+    mocha.describe('s3_bucket_policy: Granting access to a specific version of an object ', function() {
+        mocha.it('should be able to put access permission based on VersionId', async function() {
+            const self = this; // eslint-disable-line no-invalid-this
+            self.timeout(15000);
+            const object_key = 'allowed_file_1.txt';
+
+            await s3_owner.putBucketVersioning({
+                Bucket: VER_BKT,
+                VersioningConfiguration: {
+                    MFADelete: 'Disabled',
+                    Status: 'Enabled'
+                }
+            });
+
+            // Create an object and upload different copies of same object
+            const first_res = await s3_owner.putObject({
+                Body: 'Some data for the file... bla bla bla... version I',
+                Bucket: VER_BKT,
+                Key: object_key
+            });
+
+            await s3_owner.putObject({
+                Body: 'Some data for the file... bla bla bla bla... version II',
+                Bucket: VER_BKT,
+                Key: object_key
+            });
+
+            const third_res = await s3_owner.putObject({
+                Body: 'Some data for the file... bla bla bla bla... version III',
+                Bucket: VER_BKT,
+                Key: object_key
+            });
+
+            const version_policy = {
+                Version: '2012-10-17',
+                Statement: [
+                    {
+                        Sid: 'id-1',
+                        Effect: 'Allow',
+                        Principal: { AWS: user_b },
+                        Action: ['s3:*'],
+                        Resource: [`arn:aws:s3:::${VER_BKT}/${object_key}`]
+                    },
+                    {
+                        Sid: 'id-2',
+                        Effect: 'Allow',
+                        Principal: { AWS: user_a },
+                        Action: ['s3:*'],
+                        Resource: [`arn:aws:s3:::${VER_BKT}/${object_key}`]
+                    },
+                    {
+                        Sid: 'id-3',
+                        Effect: 'Deny',
+                        Principal: { AWS: user_a },
+                        Action: ['s3:GetObjectVersion'],
+                        Resource: [`arn:aws:s3:::${VER_BKT}/${object_key}`],
+                        Condition: {
+                            StringNotEquals: {
+                                's3:VersionId': first_res.VersionId // Use one of the VersionId to set policy
+                            }
+                        }
+                    },
+                    {
+                        Sid: 'id-4',
+                        Effect: 'Deny',
+                        Principal: { AWS: user_a },
+                        Action: ['s3:DeleteObjectVersion'],
+                        Resource: [`arn:aws:s3:::${VER_BKT}/${object_key}`],
+                        Condition: {
+                            StringNotEquals: {
+                                's3:VersionId': first_res.VersionId // Use one of the VersionId to set policy
+                            }
+                        }
+                    }
+                ]
+            };
+            // Put new policy to allow user_b full access while user_a has access on one VersionId
+            const res_put_bucket_policy = await s3_owner.putBucketPolicy({
+                Bucket: VER_BKT,
+                Policy: JSON.stringify(version_policy)
+            });
+            assert.equal(res_put_bucket_policy.$metadata.httpStatusCode, 200);
+
+            const res_get_bucket_policy = await s3_owner.getBucketPolicy({
+                Bucket: VER_BKT,
+            });
+            assert.equal(res_get_bucket_policy.$metadata.httpStatusCode, 200);
+
+            // Access should be Allowed
+            const res1 = await s3_a.getObject({
+                Bucket: VER_BKT,
+                Key: object_key,
+                VersionId: first_res.VersionId
+            });
+            assert.equal(res1.$metadata.httpStatusCode, 200);
+
+            // Access should be Denied
+            await assert_throws_async(s3_a.getObject({
+                Bucket: VER_BKT,
+                Key: object_key,
+                VersionId: third_res.VersionId
+            }));
+
+            // All Access should be allowed : For user_b
+            const res2 = await s3_b.getObject({
+                Bucket: VER_BKT,
+                Key: object_key,
+                VersionId: first_res.VersionId
+            });
+            assert.equal(res2.$metadata.httpStatusCode, 200);
+
+            const res4 = await s3_b.getObject({
+                Bucket: VER_BKT,
+                Key: object_key,
+            });
+            assert.equal(res4.$metadata.httpStatusCode, 200);
+
+            // DELETE should be Allowed : First Version
+            await s3_a.deleteObject({
+                Bucket: VER_BKT,
+                Key: object_key,
+                VersionId: first_res.VersionId
+            });
+        });
+    });
 });