[s3acl] Step 0: Put bucket ACL only responds success if the ACL is private. (#4856)

* Passing test:
test_bucket_acl_default
test_bucket_acl_canned_private_to_private

https://github.com/seaweedfs/seaweedfs/issues/4519

* Update weed/s3api/s3api_bucket_handlers.go

---------

Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>

docker/compose/s3tests.conf

@@ -18,10 +18,10 @@ bucket prefix = yournamehere-{random}-
 
 [s3 main]
 # main display_name set in vstart.sh
-display_name = M. Tester
+display_name = s3_tests
 
 # main user_idname set in vstart.sh
-user_id = testid
+user_id = s3_tests
 
 # main email set in vstart.sh
 email = tester@ceph.com

weed/s3api/s3api_bucket_handlers.go

@@ -259,34 +259,56 @@ func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	response := AccessControlPolicy{}
-	for _, ident := range s3a.iam.identities {
-		if len(ident.Credentials) == 0 {
-			continue
-		}
-		for _, action := range ident.Actions {
-			if !action.overBucket(bucket) || action.getPermission() == "" {
-				continue
-			}
-			id := ident.Credentials[0].AccessKey
-			if response.Owner.DisplayName == "" && action.isOwner(bucket) && len(ident.Credentials) > 0 {
-				response.Owner.DisplayName = ident.Name
-				response.Owner.ID = id
+	identityId := r.Header.Get(s3_constants.AmzIdentityId)
+	response := AccessControlPolicy{
+		Owner: CanonicalUser{
+			ID:          identityId,
+			DisplayName: identityId,
+		},
 	}
 	response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{
 		Grantee: Grantee{
-					ID:          id,
-					DisplayName: ident.Name,
+			ID:          identityId,
+			DisplayName: identityId,
 			Type:        "CanonicalUser",
 			XMLXSI:      "CanonicalUser",
 			XMLNS:       "http://www.w3.org/2001/XMLSchema-instance"},
-				Permission: action.getPermission(),
+		Permission: s3.PermissionFullControl,
 	})
-		}
-	}
 	writeSuccessResponseXML(w, r, response)
 }
 
+// PutBucketAclHandler Put bucket ACL only responds success if the ACL is private.
+// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html //
+func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
+	// collect parameters
+	bucket, _ := s3_constants.GetBucketAndObject(r)
+	glog.V(3).Infof("PutBucketAclHandler %s", bucket)
+
+	if err := s3a.checkBucket(r, bucket); err != s3err.ErrNone {
+		s3err.WriteErrorResponse(w, r, err)
+		return
+	}
+	cannedAcl := r.Header.Get(s3_constants.AmzCannedAcl)
+	switch {
+	case cannedAcl == "":
+		acl := &s3.AccessControlPolicy{}
+		if err := xmlDecoder(r.Body, acl, r.ContentLength); err != nil {
+			glog.Errorf("PutBucketAclHandler: %s", err)
+			s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
+			return
+		}
+		if len(acl.Grants) == 1 && acl.Grants[0].Permission != nil && *acl.Grants[0].Permission == s3_constants.PermissionFullControl {
+			writeSuccessResponseEmpty(w, r)
+			return
+		}
+	case cannedAcl == s3_constants.CannedAclPrivate:
+		writeSuccessResponseEmpty(w, r)
+		return
+	}
+	s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
+}
+
 // GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration
 // https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketLifecycleConfiguration.html
 func (s3a *S3ApiServer) GetBucketLifecycleConfigurationHandler(w http.ResponseWriter, r *http.Request) {

weed/s3api/s3api_bucket_skip_handlers.go

@@ -41,9 +41,3 @@ func (s3a *S3ApiServer) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Re
 func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
 	s3err.WriteErrorResponse(w, r, http.StatusNoContent)
 }
-
-// PutBucketAclHandler Put bucket ACL
-// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
-func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
-	s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
-}