INTEGRATION [PR#5462 > development/8.6] CLDSRV-429: update get apis with impDeny logic

lib/api/bucketGet.js

@@ -2,7 +2,7 @@ const querystring = require('querystring');
 const { errors, versioning, s3middleware } = require('arsenal');
 const constants = require('../../constants');
 const services = require('../services');
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const escapeForXml = s3middleware.escapeForXml;
 const { pushMetric } = require('../utapi/utilities');
@@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) {
         listParams.marker = params.marker;
     }
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetACL.js

@@ -1,5 +1,5 @@
 const aclUtils = require('../utilities/aclUtils');
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const vault = require('../auth/vault');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { pushMetric } = require('../utapi/utilities');
@@ -55,7 +55,7 @@ function bucketGetACL(authInfo, request, log, callback) {
         },
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetCors.js

@@ -39,7 +39,8 @@ function bucketGetCors(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
+            request, request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetCors',

lib/api/bucketGetEncryption.js

@@ -4,7 +4,7 @@ const async = require('async');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { checkExpectedBucketOwner } = require('./apiUtils/authorization/bucketOwner');
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const escapeForXml = s3middleware.escapeForXml;
 
 /**
@@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             // If sseInfo is present but the `mandatory` flag is not set

lib/api/bucketGetLifecycle.js

@@ -2,7 +2,7 @@ const { errors } = require('arsenal');
 const LifecycleConfiguration =
     require('arsenal').models.LifecycleConfiguration;
 
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const monitoring = require('../utilities/monitoringHandler');
@@ -24,7 +24,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
         requestType: 'bucketGetLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetLocation.js

@@ -41,7 +41,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request,
+            request.actionImplicitDenies)) {
             log.debug('access denied for account on bucket', {
                 requestType,
                 method: 'bucketGetLocation',

lib/api/bucketGetNotification.js

@@ -1,4 +1,4 @@
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { NotificationConfiguration } = require('arsenal').models;
@@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetObjectLock.js

@@ -1,5 +1,5 @@
 const { errors } = require('arsenal');
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const ObjectLockConfiguration =
@@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
         requestType: 'bucketGetObjectLock',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetPolicy.js

@@ -1,6 +1,6 @@
 const { errors } = require('arsenal');
 
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 
 /**
@@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetReplication.js

@@ -1,6 +1,6 @@
 const { errors } = require('arsenal');
 
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const { getReplicationConfigurationXML } =
     require('./apiUtils/bucket/getReplicationConfiguration');
@@ -24,7 +24,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
         requestType: 'bucketGetReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetVersioning.js

@@ -1,4 +1,4 @@
-const { metadataValidateBucket } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { pushMetric } = require('../utapi/utilities');
 const monitoring = require('../utilities/monitoringHandler');
@@ -58,7 +58,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
         request,
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetWebsite.js

@@ -39,7 +39,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
 
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log,
+            request, request.actionImplicitDenies)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetWebsite',

lib/api/objectGet.js

@@ -15,7 +15,7 @@ const getReplicationBackendDataLocator =
     require('./apiUtils/object/getReplicationBackendDataLocator');
 const checkReadLocation = require('./apiUtils/object/checkReadLocation');
 
-const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { config } = require('../Config');
 const { locationConstraints } = config;
 const monitoring = require('../utilities/monitoringHandler');
@@ -69,7 +69,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
         request,
     };
 
-    return metadataValidateBucketAndObj(mdValParams, log,
+    return standardMetadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
     (err, bucket, objMD) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);

lib/api/objectGetACL.js

@@ -7,7 +7,7 @@ const { pushMetric } = require('../utapi/utilities');
 const { decodeVersionId, getVersionIdResHeader }
     = require('./apiUtils/object/versioning');
 const vault = require('../auth/vault');
-const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const monitoring = require('../utilities/monitoringHandler');
 
 //  Sample XML response:
@@ -74,7 +74,7 @@ function objectGetACL(authInfo, request, log, callback) {
 
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
                 (err, bucket, objectMD) => {
                     if (err) {
                         log.trace('request authorization failed',

lib/api/objectGetLegalHold.js

@@ -4,7 +4,7 @@ const { errors, s3middleware } = require('arsenal');
 const { decodeVersionId, getVersionIdResHeader }
     = require('./apiUtils/object/versioning');
 
-const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 
@@ -45,7 +45,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

lib/api/objectGetRetention.js

@@ -4,7 +4,7 @@ const { errors, s3middleware } = require('arsenal');
 const { decodeVersionId, getVersionIdResHeader }
     = require('./apiUtils/object/versioning');
 
-const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 
@@ -45,7 +45,7 @@ function objectGetRetention(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

lib/api/objectGetTagging.js

@@ -4,7 +4,7 @@ const { errors, s3middleware } = require('arsenal');
 const { decodeVersionId, getVersionIdResHeader }
     = require('./apiUtils/object/versioning');
 
-const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
+const { standardMetadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { convertToXml } = s3middleware.tagging;
@@ -46,7 +46,7 @@ function objectGetTagging(authInfo, request, log, callback) {
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => standardMetadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
           (err, bucket, objectMD) => {
               if (err) {
                   log.trace('request authorization failed',

lib/api/websiteGet.js

@@ -22,12 +22,13 @@ const monitoring = require('../utilities/monitoringHandler');
  * @param {string} objectKey - object key from request (or as translated in
  * websiteGet)
  * @param {object} corsHeaders - CORS-related response headers
+ * @param {object} request - normalized request object
  * @param {object} log - Werelogs instance
  * @param {function} callback - callback to function in route
  * @return {undefined}
  */
 function _errorActions(err, errorDocument, routingRules,
-    bucket, objectKey, corsHeaders, log, callback) {
+    bucket, objectKey, corsHeaders, request, log, callback) {
     const bucketName = bucket.getName();
     const errRoutingRule = findRoutingRule(routingRules,
         objectKey, err.code);
@@ -51,8 +52,8 @@ function _errorActions(err, errorDocument, routingRules,
                 }
                 // return the default error message if the object is private
                 // rather than sending a stored error file
-                if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
-                    constants.publicId, null, log)) {
+                if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
+                    constants.publicId, null, log, null, request.actionImplicitDenies)) {
                     log.trace('errorObj not authorized', { error: err });
                     monitoring.promMetrics(
                         'GET', bucketName, err.code, 'getObject');
@@ -162,25 +163,25 @@ function websiteGet(request, log, callback) {
                     monitoring.promMetrics(
                         'GET', bucketName, err.code, 'getObject');
                     let returnErr = err;
-                    const bucketAuthorized = isBucketAuthorized(bucket,
-                      'bucketGet', constants.publicId, null, log, request);
+                    const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
+                    constants.publicId, null, log, request, request.actionImplicitDenies);
                     // if index object does not exist and bucket is private AWS
                     // returns 403 - AccessDenied error.
                     if (err.is.NoSuchKey && !bucketAuthorized) {
                         returnErr = errors.AccessDenied;
                     }
                     return _errorActions(returnErr,
                       websiteConfig.getErrorDocument(), routingRules,
-                      bucket, reqObjectKey, corsHeaders, log,
+                      bucket, reqObjectKey, corsHeaders, request, log,
                       callback);
                 }
-                if (!isObjAuthorized(bucket, objMD, 'objectGet',
-                    constants.publicId, null, log, request)) {
+                if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
+                    constants.publicId, null, log, request, request.actionImplicitDenies)) {
                     const err = errors.AccessDenied;
                     log.trace('request not authorized', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket,
-                        reqObjectKey, corsHeaders, log, callback);
+                        reqObjectKey, corsHeaders, request, log, callback);
                 }
 
                 const headerValResult = validateHeaders(request.headers,
@@ -190,7 +191,7 @@ function websiteGet(request, log, callback) {
                     log.trace('header validation error', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket, reqObjectKey,
-                        corsHeaders, log, callback);
+                        corsHeaders, request, log, callback);
                 }
                 // check if object to serve has website redirect header
                 // Note: AWS prioritizes website configuration rules over

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zenko/cloudserver",
-  "version": "8.6.13",
+  "version": "8.6.14",
   "description": "Zenko CloudServer, an open-source Node.js implementation of a server handling the Amazon S3 protocol",
   "main": "index.js",
   "engines": {

tests/unit/api/bucketGet.js

@@ -61,6 +61,7 @@ const baseGetRequest = {
     bucketName,
     namespace,
     headers: { host: '/' },
+    actionImplicitDenies: false,
 };
 const baseUrl = `/${bucketName}`;