update s3write permissions function to cover all permissions

Akopti8 · Akopti8 · commit dced850ad17a · 2024-05-10T10:53:20.000-04:00
diff --git a/auth/database.go b/auth/database.go
@@ -12,7 +12,7 @@ import (
 
 // Database interface abstracts database operations
 type Database interface {
-	CheckUserPermission(userEmail, prefix, bucket string, operations []string) bool
+	CheckUserPermission(userEmail, bucket, prefix string, operations []string) bool
 	Close() error
 	GetUserAccessiblePrefixes(userEmail, bucket string, operations []string) ([]string, error)
 }
diff --git a/blobstore/blobhandler.go b/blobstore/blobhandler.go
@@ -327,7 +327,7 @@ func (bh *BlobHandler) HandleCheckS3UserPermission(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	isAllowed := bh.DB.CheckUserPermission(userEmail, prefix, bucket, []string{"write"})
+	isAllowed := bh.DB.CheckUserPermission(userEmail, bucket, prefix, []string{operation})
 	log.Info("Checked user permissions successfully")
 	return c.JSON(http.StatusOK, isAllowed)
 }
diff --git a/blobstore/blobstore.go b/blobstore/blobstore.go
@@ -81,7 +81,7 @@ func isIdenticalArray(array1, array2 []string) bool {
 	return true
 }
 
-func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix string) (int, error) {
+func (bh *BlobHandler) CheckUserS3Permission(c echo.Context, bucket, prefix string, permissions []string) (int, error) {
 	if bh.Config.AuthLevel > 0 {
 		claims, ok := c.Get("claims").(*auth.Claims)
 		if !ok {
@@ -95,7 +95,7 @@ func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix
 
 		// We assume if someone is limited_writer, they should never be admin or super_writer
 		if isLimitedWriter {
-			if !bh.DB.CheckUserPermission(ue, bucket, prefix, []string{"write"}) {
+			if !bh.DB.CheckUserPermission(ue, bucket, prefix, permissions) {
 				return http.StatusForbidden, fmt.Errorf("forbidden")
 			}
 		}
diff --git a/blobstore/metadata.go b/blobstore/metadata.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/Dewberry/s3api/auth"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/s3"
@@ -118,14 +117,11 @@ func (bh *BlobHandler) HandleGetMetaData(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	claims, ok := c.Get("claims").(*auth.Claims)
-	if !ok {
-		return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
-	}
-	ue := claims.Email
-	canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
-	if !canRead {
-		return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
+	if err != nil {
+		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
+		log.Error(errMsg.Error())
+		return c.JSON(httpCode, errMsg.Error())
 	}
 	result, err := s3Ctrl.GetMetaData(bucket, key)
 	if err != nil {
@@ -157,14 +153,11 @@ func (bh *BlobHandler) HandleGetObjExist(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	claims, ok := c.Get("claims").(*auth.Claims)
-	if !ok {
-		return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
-	}
-	ue := claims.Email
-	canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
-	if !canRead {
-		return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
+	if err != nil {
+		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
+		log.Error(errMsg.Error())
+		return c.JSON(httpCode, errMsg.Error())
 	}
 	// Proceed if the permission check passes
 	result, err := s3Ctrl.KeyExists(bucket, key)
diff --git a/blobstore/object_content.go b/blobstore/object_content.go
@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/Dewberry/s3api/auth"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/labstack/echo/v4"
@@ -54,14 +53,11 @@ func (bh *BlobHandler) HandleObjectContents(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	claims, ok := c.Get("claims").(*auth.Claims)
-	if !ok {
-		return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
-	}
-	ue := claims.Email
-	canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
-	if !canRead {
-		return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
+	if err != nil {
+		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
+		log.Error(errMsg.Error())
+		return c.JSON(httpCode, errMsg.Error())
 	}
 	body, err := s3Ctrl.FetchObjectContent(bucket, key)
 	if err != nil {
diff --git a/blobstore/presigned_url.go b/blobstore/presigned_url.go
@@ -14,7 +14,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/Dewberry/s3api/auth"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
@@ -130,14 +129,11 @@ func (bh *BlobHandler) HandleGetPresignedDownloadURL(c echo.Context) error {
 		log.Error("HandleGetPresignedURL: " + err.Error())
 		return c.JSON(http.StatusUnprocessableEntity, err.Error())
 	}
-	claims, ok := c.Get("claims").(*auth.Claims)
-	if !ok {
-		return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
-	}
-	ue := claims.Email
-	canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
-	if !canRead {
-		return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
+	if err != nil {
+		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
+		log.Error(errMsg.Error())
+		return c.JSON(httpCode, errMsg.Error())
 	}
 	keyExist, err := s3Ctrl.KeyExists(bucket, key)
 	if err != nil {
diff --git a/blobstore/upload.go b/blobstore/upload.go
@@ -129,7 +129,7 @@ func (bh *BlobHandler) HandleMultipartUpload(c echo.Context) error {
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
 
-	httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
 	if err != nil {
 		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
 		log.Error(errMsg.Error())
@@ -240,7 +240,7 @@ func (bh *BlobHandler) HandleGetPresignedUploadURL(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
 	if err != nil {
 		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
 		log.Error(errMsg.Error())
@@ -309,7 +309,7 @@ func (bh *BlobHandler) HandleGetMultipartUploadID(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
 	if err != nil {
 		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
 		log.Error(errMsg.Error())
@@ -358,7 +358,7 @@ func (bh *BlobHandler) HandleCompleteMultipartUpload(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
 	if err != nil {
 		errMsg := fmt.Errorf("error while checking for user permission: %s", err.Error())
 		log.Error(errMsg.Error())
@@ -426,7 +426,7 @@ func (bh *BlobHandler) HandleAbortMultipartUpload(c echo.Context) error {
 		log.Error(errMsg.Error())
 		return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
 	}
-	httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
+	httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
 	if err != nil {
 		errMsg := fmt.Errorf("error while checking for user permission: %s", err)
 		log.Error(errMsg.Error())

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`// Database interface abstracts database operations`
`14`	`14`	`type Database interface {`
`15`		`- CheckUserPermission(userEmail, prefix, bucket string, operations []string) bool`
	`15`	`+ CheckUserPermission(userEmail, bucket, prefix string, operations []string) bool`
`16`	`16`	`Close() error`
`17`	`17`	`GetUserAccessiblePrefixes(userEmail, bucket string, operations []string) ([]string, error)`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ func (bh *BlobHandler) HandleCheckS3UserPermission(c echo.Context) error {`
`327`	`327`	`log.Error(errMsg.Error())`
`328`	`328`	`return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())`
`329`	`329`	`}`
`330`		`- isAllowed := bh.DB.CheckUserPermission(userEmail, prefix, bucket, []string{"write"})`
	`330`	`+ isAllowed := bh.DB.CheckUserPermission(userEmail, bucket, prefix, []string{operation})`
`331`	`331`	`log.Info("Checked user permissions successfully")`
`332`	`332`	`return c.JSON(http.StatusOK, isAllowed)`
`333`	`333`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ func isIdenticalArray(array1, array2 []string) bool {`
`81`	`81`	`return true`
`82`	`82`	`}`
`83`	`83`
`84`		`-func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix string) (int, error) {`
	`84`	`+func (bh *BlobHandler) CheckUserS3Permission(c echo.Context, bucket, prefix string, permissions []string) (int, error) {`
`85`	`85`	`if bh.Config.AuthLevel > 0 {`
`86`	`86`	`claims, ok := c.Get("claims").(*auth.Claims)`
`87`	`87`	`if !ok {`
`@@ -95,7 +95,7 @@ func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix`
`95`	`95`
`96`	`96`	`// We assume if someone is limited_writer, they should never be admin or super_writer`
`97`	`97`	`if isLimitedWriter {`
`98`		`- if !bh.DB.CheckUserPermission(ue, bucket, prefix, []string{"write"}) {`
	`98`	`+ if !bh.DB.CheckUserPermission(ue, bucket, prefix, permissions) {`
`99`	`99`	`return http.StatusForbidden, fmt.Errorf("forbidden")`
`100`	`100`	`}`
`101`	`101`	`}`