

update s3write permissions function to cover all permissions
Akopti8 committed May 10, 2024
1 parent 27f83ea commit dced850
Showing 7 changed files with 29 additions and 44 deletions.
2 changes: 1 addition & 1 deletion auth/database.go
Expand Up @@ -12,7 +12,7 @@ import (

// Database interface abstracts database operations
type Database interface {
CheckUserPermission(userEmail, prefix, bucket string, operations []string) bool
CheckUserPermission(userEmail, bucket, prefix string, operations []string) bool
Close() error
GetUserAccessiblePrefixes(userEmail, bucket string, operations []string) ([]string, error)
}
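Review bot: Swapping `bucket` and `prefix` in `CheckUserPermission` (the new line 21 of the interface) is a change the compiler cannot catch, since both are `string`; any implementation or caller outside this diff that still passes `(email, prefix, bucket)` keeps compiling and silently checks the wrong resource. The method has no doc comment, so add one that pins the order and the contract the call sites in this commit rely on, e.g. `// CheckUserPermission reports whether userEmail may perform operations on prefix within bucket. Argument order is (email, bucket, prefix); a false result must be treated as deny.` Whether `operations` is evaluated as any-of or all-of is not visible here and belongs in that same comment, because the read handlers now pass both `"write"` and `"read"` and depend on the answer.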
2 changes: 1 addition & 1 deletion blobstore/blobhandler.go
Expand Up @@ -327,7 +327,7 @@ func (bh *BlobHandler) HandleCheckS3UserPermission(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
isAllowed := bh.DB.CheckUserPermission(userEmail, prefix, bucket, []string{"write"})
isAllowed := bh.DB.CheckUserPermission(userEmail, bucket, prefix, []string{operation})
log.Info("Checked user permissions successfully")
return c.JSON(http.StatusOK, isAllowed)
}
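Review bot: `operation` now flows straight into `bh.DB.CheckUserPermission` on the new line 33, but where it is parsed is outside this hunk and nothing visible restricts it to the values the permission model knows. Reject anything other than a known operation before the lookup so an unexpected string never reaches the database layer and cannot be misread as a grant by a lenient implementation, e.g. `if operation != "read" && operation != "write" { return c.JSON(http.StatusUnprocessableEntity, "operation must be read or write") }`. `read` and `write` are the only operation names used anywhere in this commit; if the model defines more, validate against that list instead. The body of `HandleCheckS3UserPermission` starts outside the hunk, so the parsing may already do this — worth confirming.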
4 changes: 2 additions & 2 deletions blobstore/blobstore.go
Expand Up @@ -81,7 +81,7 @@ func isIdenticalArray(array1, array2 []string) bool {
return true
}

func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix string) (int, error) {
func (bh *BlobHandler) CheckUserS3Permission(c echo.Context, bucket, prefix string, permissions []string) (int, error) {
if bh.Config.AuthLevel > 0 {
claims, ok := c.Get("claims").(*auth.Claims)
if !ok {
Expand All @@ -95,7 +95,7 @@ func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix

// We assume if someone is limited_writer, they should never be admin or super_writer
if isLimitedWriter {
if !bh.DB.CheckUserPermission(ue, bucket, prefix, []string{"write"}) {
if !bh.DB.CheckUserPermission(ue, bucket, prefix, permissions) {
return http.StatusForbidden, fmt.Errorf("forbidden")
}
}
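Review bot: `CheckUserS3Permission` gains a `permissions` parameter on line 44 but still carries no doc comment, and the part of its body that derives `isLimitedWriter` and the success return lies outside this hunk. Six call sites in this commit now depend on its contract, so document it where the function is defined: it performs no check at all when `bh.Config.AuthLevel == 0` (line 45 gates everything), it only consults the database for limited writers (line 51), and it hands `permissions` through verbatim on line 53, so any-of versus all-of semantics are decided by the `Database` implementation, not here. A comment along the lines of `// CheckUserS3Permission returns (0, nil) when the request's user may act on prefix in bucket with the given permissions, otherwise an HTTP status and error to return to the client; with AuthLevel 0 every request is allowed.` would do, with the (0, nil) part confirmed against the tail of the function that this hunk does not show.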
27 changes: 10 additions & 17 deletions blobstore/metadata.go
Expand Up @@ -5,7 +5,6 @@ import (
"fmt"
"net/http"

"github.com/Dewberry/s3api/auth"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/s3"
Expand Down Expand Up @@ -118,14 +117,11 @@ func (bh *BlobHandler) HandleGetMetaData(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
claims, ok := c.Get("claims").(*auth.Claims)
if !ok {
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
}
ue := claims.Email
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
if !canRead {
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
return c.JSON(httpCode, errMsg.Error())
}
result, err := s3Ctrl.GetMetaData(bucket, key)
if err != nil {
Expand Down Expand Up @@ -157,14 +153,11 @@ func (bh *BlobHandler) HandleGetObjExist(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
claims, ok := c.Get("claims").(*auth.Claims)
if !ok {
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
}
ue := claims.Email
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
if !canRead {
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
return c.JSON(httpCode, errMsg.Error())
}
// Proceed if the permission check passes
result, err := s3Ctrl.KeyExists(bucket, key)
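Review bot: Both handlers now pass `[]string{"write", "read"}` (lines 80 and 100) for operations that only read, so whether a user holding just `read` on the prefix can fetch metadata depends on whether `Database.CheckUserPermission` treats the list as any-of or all-of, which this diff does not show; if it is all-of, read-only grants are silently useless for these endpoints. Give the intent a name and a comment once at package level instead of repeating the literal across four files, e.g. `// readOps: holding either of these on a prefix grants read access to it.` followed by `var readOps = []string{"write", "read"}`, and pass `readOps` here. The order change from the removed `{"read", "write"}` is harmless only if the implementation is order-insensitive, which the named variable makes easy to check in one place.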
14 changes: 5 additions & 9 deletions blobstore/object_content.go
Expand Up @@ -7,7 +7,6 @@ import (
"net/http"
"strings"

"github.com/Dewberry/s3api/auth"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/labstack/echo/v4"
Expand Down Expand Up @@ -54,14 +53,11 @@ func (bh *BlobHandler) HandleObjectContents(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
claims, ok := c.Get("claims").(*auth.Claims)
if !ok {
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
}
ue := claims.Email
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
if !canRead {
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
return c.JSON(httpCode, errMsg.Error())
}
body, err := s3Ctrl.FetchObjectContent(bucket, key)
if err != nil {
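Review bot: The permission block added at lines 131–135 is byte-identical to the ones added to HandleGetMetaData, HandleGetObjExist and HandleGetPresignedDownloadURL in this same commit, and the client-facing 403 text changes from `user is not autherized` to `error while checking for user permission: forbidden`. A single small helper that maps the helper's result to the response keeps the wording, status and logging in one place, e.g. `if code, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"}); err != nil { return bh.respondPermissionError(c, code, err) }`. Whatever error `CheckUserS3Permission` returns on its non-403 paths is echoed verbatim to the client on line 135; the usual split is a fixed message for the client and the detail in the log. `HandleObjectContents` continues past the hunk.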
14 changes: 5 additions & 9 deletions blobstore/presigned_url.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ import (
"sync"
"time"

"github.com/Dewberry/s3api/auth"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/aws/aws-sdk-go/service/s3/s3manager"
Expand Down Expand Up @@ -130,14 +129,11 @@ func (bh *BlobHandler) HandleGetPresignedDownloadURL(c echo.Context) error {
log.Error("HandleGetPresignedURL: " + err.Error())
return c.JSON(http.StatusUnprocessableEntity, err.Error())
}
claims, ok := c.Get("claims").(*auth.Claims)
if !ok {
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
}
ue := claims.Email
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
if !canRead {
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
return c.JSON(httpCode, errMsg.Error())
}
keyExist, err := s3Ctrl.KeyExists(bucket, key)
if err != nil {
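Review bot: With the switch to `CheckUserS3Permission` on line 162, a deployment running with `AuthLevel == 0` now mints presigned download URLs with no user check at all (blobstore.go line 45 skips the whole body), whereas the removed lines 154–157 answered 500 whenever no claims were attached to the request. That is presumably the intended meaning of AuthLevel 0, but a presigned URL is a bearer credential that outlives the request, so the trade-off deserves an explicit comment at this call site, e.g. `// AuthLevel 0 disables per-user checks; the presigned URL is then only as protected as the network path to this API.` The new log line on line 165 also drops the `HandleGetPresignedURL:` prefix that the neighbouring error on line 151 still uses; keep the handler name in both so log searches stay consistent.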
10 changes: 5 additions & 5 deletions blobstore/upload.go
Expand Up @@ -129,7 +129,7 @@ func (bh *BlobHandler) HandleMultipartUpload(c echo.Context) error {
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}

httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
Expand Down Expand Up @@ -240,7 +240,7 @@ func (bh *BlobHandler) HandleGetPresignedUploadURL(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
Expand Down Expand Up @@ -309,7 +309,7 @@ func (bh *BlobHandler) HandleGetMultipartUploadID(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
Expand Down Expand Up @@ -358,7 +358,7 @@ func (bh *BlobHandler) HandleCompleteMultipartUpload(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err.Error())
log.Error(errMsg.Error())
Expand Down Expand Up @@ -426,7 +426,7 @@ func (bh *BlobHandler) HandleAbortMultipartUpload(c echo.Context) error {
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
}
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
if err != nil {
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
log.Error(errMsg.Error())
