Improvement/cldsrv 431 misc api implicit deny

[benzekrimaha]

Bucket policies are not correctly interpreted, this is part of the following epic to fix that: scality/Arsenal#2181

This PR is aiming to update get apis since object and bucket authorisations are made at API level and need to support implicit denies, ticket linked to this issue here : https://scality.atlassian.net/browse/CLDSRV-431

PRs providing implicit Deny logic to CS for processing in this PR
scality/Arsenal#2181 and scality/Arsenal#2193
https://github.com/scality/Vault/pull/2135
#5322
#5420
#5432
#5456
#5462
#5470

Here CI links for zenko tests :
https://github.com/scality/Zenko/actions/runs/7209044767
https://github.com/scality/Zenko/actions/runs/7209077500
https://github.com/scality/Zenko/actions/runs/7209082617

[Seragonia]

This can be done in the _normalizeBackbeatRequest function:

cloudserver/lib/routes/routeBackbeat.js

Line 71 in 15a1aa7

function _normalizeBackbeatRequest(req) {

[Seragonia]

Maybe not useful anymore if we default to true (implicit deny) when the request is mising the property?

[benzekrimaha]

Indeed even if it's not changing the behaviour setting it to false makes more sens , good catch

[Seragonia]

Same comment as in other PR here to optimize the logic and avoid re-creating objects

[Seragonia]

This was from the PoC but I would suggest being very strict on the check:

Suggested change

	return cb(areAllActionsAllowed ? null : errors.AccessDenied);
	return cb(areAllActionsAllowed === true ? null : errors.AccessDenied);

[bert-e]

Hello benzekrimaha,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Status report is not available.

[benzekrimaha]

ping

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-431 contains:

• 7.70.35

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 7.10.38

• 7.70.35

• 8.6.16

• 8.7.36

• 8.8.10

Please check the Fix Version/s of CLDSRV-431, or the target
branch of this pull request.

[benzekrimaha]

ping

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[benzekrimaha]

/create_integration_branches

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny with contents from improvement/CLDSRV-431-misc-api-implicitDeny
and development/7.70.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout -B w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/7.70
 $ git merge origin/improvement/CLDSRV-431-misc-api-implicitDeny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny

The following options are set: create_integration_branches

[benzekrimaha]

ping

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny with contents from w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny
and development/8.6.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout -B w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.6
 $ git merge origin/w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny

The following options are set: create_integration_branches

[benzekrimaha]

ping

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny with contents from w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny
and development/8.7.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout -B w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.7
 $ git merge origin/w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny

The following options are set: create_integration_branches

[benzekrimaha]

ping

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny with contents from w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny
and development/8.8.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout -B w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny origin/development/8.8
 $ git merge origin/w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny

The following options are set: create_integration_branches

[benzekrimaha]

/create_pull_requests

[bert-e]

Integration data created

I have created the integration data for the additional destination branches.

• this pull request will merge improvement/CLDSRV-431-misc-api-implicitDeny into
  development/7.10
• w/7.70/improvement/CLDSRV-431-misc-api-implicitDeny will be merged into development/7.70 (pull request INTEGRATION [PR#5479 > development/7.70] Improvement/cldsrv 431 misc api implicit deny #5491)
• w/8.6/improvement/CLDSRV-431-misc-api-implicitDeny will be merged into development/8.6 (pull request INTEGRATION [PR#5479 > development/8.6] Improvement/cldsrv 431 misc api implicit deny #5492)
• w/8.7/improvement/CLDSRV-431-misc-api-implicitDeny will be merged into development/8.7 (pull request INTEGRATION [PR#5479 > development/8.7] Improvement/cldsrv 431 misc api implicit deny #5493)
• w/8.8/improvement/CLDSRV-431-misc-api-implicitDeny will be merged into development/8.8 (pull request INTEGRATION [PR#5479 > development/8.8] Improvement/cldsrv 431 misc api implicit deny #5494)

The following branches will NOT be impacted:

• development/7.4

Follow integration pull requests if you would like to be notified of
build statuses by email.

The following options are set: create_pull_requests, create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_pull_requests, create_integration_branches

[anurag4DSB]

I tested this PR with E2E tests
LGTM
I was closely following there branch and code changes before the PR was opened, hence review was quick.
Integration PR: https://github.com/scality/Integration/pull/1215

[benzekrimaha]

@bert-e approve

[bert-e]

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

• ✔️ development/7.10

• ✔️ development/7.70

• ✔️ development/8.6

• ✔️ development/8.7

• ✔️ development/8.8

The following branches will NOT be impacted:

• development/7.4

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

• Any commit you add on the source branch will trigger a new cycle after the
  current queue is merged.
• Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

I have successfully merged the changeset of this pull request
into targetted development branches:

• ✔️ development/7.10

• ✔️ development/7.70

• ✔️ development/8.6

• ✔️ development/8.7

• ✔️ development/8.8

The following branches have NOT changed:

• development/7.4

Please check the status of the associated issue CLDSRV-431.

Goodbye benzekrimaha.