Skip to content

Commit dced850

Browse files
Akopti8Akopti8
committed
update s3write permissions function to cover all permissions
1 parent 27f83ea commit dced850

File tree

7 files changed

+29
-44
lines changed

7 files changed

+29
-44
lines changed

auth/database.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ import (
1212

1313
// Database interface abstracts database operations
1414
type Database interface {
15-
CheckUserPermission(userEmail, prefix, bucket string, operations []string) bool
15+
CheckUserPermission(userEmail, bucket, prefix string, operations []string) bool
1616
Close() error
1717
GetUserAccessiblePrefixes(userEmail, bucket string, operations []string) ([]string, error)
1818
}

blobstore/blobhandler.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -327,7 +327,7 @@ func (bh *BlobHandler) HandleCheckS3UserPermission(c echo.Context) error {
327327
log.Error(errMsg.Error())
328328
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
329329
}
330-
isAllowed := bh.DB.CheckUserPermission(userEmail, prefix, bucket, []string{"write"})
330+
isAllowed := bh.DB.CheckUserPermission(userEmail, bucket, prefix, []string{operation})
331331
log.Info("Checked user permissions successfully")
332332
return c.JSON(http.StatusOK, isAllowed)
333333
}

blobstore/blobstore.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ func isIdenticalArray(array1, array2 []string) bool {
8181
return true
8282
}
8383

84-
func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix string) (int, error) {
84+
func (bh *BlobHandler) CheckUserS3Permission(c echo.Context, bucket, prefix string, permissions []string) (int, error) {
8585
if bh.Config.AuthLevel > 0 {
8686
claims, ok := c.Get("claims").(*auth.Claims)
8787
if !ok {
@@ -95,7 +95,7 @@ func (bh *BlobHandler) CheckUserS3WritePermission(c echo.Context, bucket, prefix
9595

9696
// We assume if someone is limited_writer, they should never be admin or super_writer
9797
if isLimitedWriter {
98-
if !bh.DB.CheckUserPermission(ue, bucket, prefix, []string{"write"}) {
98+
if !bh.DB.CheckUserPermission(ue, bucket, prefix, permissions) {
9999
return http.StatusForbidden, fmt.Errorf("forbidden")
100100
}
101101
}

blobstore/metadata.go

Lines changed: 10 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@ import (
55
"fmt"
66
"net/http"
77

8-
"github.com/Dewberry/s3api/auth"
98
"github.com/aws/aws-sdk-go/aws"
109
"github.com/aws/aws-sdk-go/aws/awserr"
1110
"github.com/aws/aws-sdk-go/service/s3"
@@ -118,14 +117,11 @@ func (bh *BlobHandler) HandleGetMetaData(c echo.Context) error {
118117
log.Error(errMsg.Error())
119118
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
120119
}
121-
claims, ok := c.Get("claims").(*auth.Claims)
122-
if !ok {
123-
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
124-
}
125-
ue := claims.Email
126-
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
127-
if !canRead {
128-
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
120+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
121+
if err != nil {
122+
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
123+
log.Error(errMsg.Error())
124+
return c.JSON(httpCode, errMsg.Error())
129125
}
130126
result, err := s3Ctrl.GetMetaData(bucket, key)
131127
if err != nil {
@@ -157,14 +153,11 @@ func (bh *BlobHandler) HandleGetObjExist(c echo.Context) error {
157153
log.Error(errMsg.Error())
158154
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
159155
}
160-
claims, ok := c.Get("claims").(*auth.Claims)
161-
if !ok {
162-
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
163-
}
164-
ue := claims.Email
165-
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
166-
if !canRead {
167-
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
156+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
157+
if err != nil {
158+
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
159+
log.Error(errMsg.Error())
160+
return c.JSON(httpCode, errMsg.Error())
168161
}
169162
// Proceed if the permission check passes
170163
result, err := s3Ctrl.KeyExists(bucket, key)

blobstore/object_content.go

Lines changed: 5 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,6 @@ import (
77
"net/http"
88
"strings"
99

10-
"github.com/Dewberry/s3api/auth"
1110
"github.com/aws/aws-sdk-go/aws"
1211
"github.com/aws/aws-sdk-go/service/s3"
1312
"github.com/labstack/echo/v4"
@@ -54,14 +53,11 @@ func (bh *BlobHandler) HandleObjectContents(c echo.Context) error {
5453
log.Error(errMsg.Error())
5554
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
5655
}
57-
claims, ok := c.Get("claims").(*auth.Claims)
58-
if !ok {
59-
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
60-
}
61-
ue := claims.Email
62-
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
63-
if !canRead {
64-
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
56+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
57+
if err != nil {
58+
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
59+
log.Error(errMsg.Error())
60+
return c.JSON(httpCode, errMsg.Error())
6561
}
6662
body, err := s3Ctrl.FetchObjectContent(bucket, key)
6763
if err != nil {

blobstore/presigned_url.go

Lines changed: 5 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,6 @@ import (
1414
"sync"
1515
"time"
1616

17-
"github.com/Dewberry/s3api/auth"
1817
"github.com/aws/aws-sdk-go/aws"
1918
"github.com/aws/aws-sdk-go/service/s3"
2019
"github.com/aws/aws-sdk-go/service/s3/s3manager"
@@ -130,14 +129,11 @@ func (bh *BlobHandler) HandleGetPresignedDownloadURL(c echo.Context) error {
130129
log.Error("HandleGetPresignedURL: " + err.Error())
131130
return c.JSON(http.StatusUnprocessableEntity, err.Error())
132131
}
133-
claims, ok := c.Get("claims").(*auth.Claims)
134-
if !ok {
135-
return c.JSON(http.StatusInternalServerError, fmt.Errorf("could not get claims from request context"))
136-
}
137-
ue := claims.Email
138-
canRead := bh.DB.CheckUserPermission(ue, key, bucket, []string{"read", "write"})
139-
if !canRead {
140-
return c.JSON(http.StatusForbidden, fmt.Errorf("user is not autherized").Error())
132+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write", "read"})
133+
if err != nil {
134+
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
135+
log.Error(errMsg.Error())
136+
return c.JSON(httpCode, errMsg.Error())
141137
}
142138
keyExist, err := s3Ctrl.KeyExists(bucket, key)
143139
if err != nil {

blobstore/upload.go

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -129,7 +129,7 @@ func (bh *BlobHandler) HandleMultipartUpload(c echo.Context) error {
129129
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
130130
}
131131

132-
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
132+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
133133
if err != nil {
134134
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
135135
log.Error(errMsg.Error())
@@ -240,7 +240,7 @@ func (bh *BlobHandler) HandleGetPresignedUploadURL(c echo.Context) error {
240240
log.Error(errMsg.Error())
241241
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
242242
}
243-
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
243+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
244244
if err != nil {
245245
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
246246
log.Error(errMsg.Error())
@@ -309,7 +309,7 @@ func (bh *BlobHandler) HandleGetMultipartUploadID(c echo.Context) error {
309309
log.Error(errMsg.Error())
310310
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
311311
}
312-
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
312+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
313313
if err != nil {
314314
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
315315
log.Error(errMsg.Error())
@@ -358,7 +358,7 @@ func (bh *BlobHandler) HandleCompleteMultipartUpload(c echo.Context) error {
358358
log.Error(errMsg.Error())
359359
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
360360
}
361-
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
361+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
362362
if err != nil {
363363
errMsg := fmt.Errorf("error while checking for user permission: %s", err.Error())
364364
log.Error(errMsg.Error())
@@ -426,7 +426,7 @@ func (bh *BlobHandler) HandleAbortMultipartUpload(c echo.Context) error {
426426
log.Error(errMsg.Error())
427427
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())
428428
}
429-
httpCode, err := bh.CheckUserS3WritePermission(c, bucket, key)
429+
httpCode, err := bh.CheckUserS3Permission(c, bucket, key, []string{"write"})
430430
if err != nil {
431431
errMsg := fmt.Errorf("error while checking for user permission: %s", err)
432432
log.Error(errMsg.Error())

0 commit comments

Comments
 (0)