check permission for bucket delete/head.

2024-01-19 02:48:24 +00:00 · 2020-11-12 16:15:59 +08:00 · 2020-11-12 16:15:59 +08:00 · e06676f007
parent d7cc0498e0
commit e06676f007
2 changed files with 23 additions and 19 deletions
--- a/weed/s3api/filer_util.go
+++ b/weed/s3api/filer_util.go
@ -7,6 +7,7 @@ import (

 	"github.com/chrislusf/seaweedfs/weed/glog"
 	"github.com/chrislusf/seaweedfs/weed/pb/filer_pb"
+	"github.com/chrislusf/seaweedfs/weed/util"
 )

 func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error {
@ -75,6 +76,11 @@ func (s3a *S3ApiServer) exists(parentDirectoryPath string, entryName string, isD

 }

+func (s3a *S3ApiServer) get(parentDirectoryPath, entryName string) (entry *filer_pb.Entry, err error) {
+	fullPath := util.NewFullPath(parentDirectoryPath, entryName)
+	return filer_pb.GetEntry(s3a, fullPath)
+}
+
 func objectKey(key *string) *string {
 	if strings.HasPrefix(*key, "/") {
 		t := (*key)[1:]
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@ -120,6 +120,15 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque

 	bucket, _ := getBucketAndObject(r)

+	if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil {
+		if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+			if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+				writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+				return
+			}
+		}
+	}
+
 	err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {

 		// delete collection
@ -149,28 +158,17 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request

 	bucket, _ := getBucketAndObject(r)

-	err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error {
-
-		request := &filer_pb.LookupDirectoryEntryRequest{
-			Directory: s3a.option.BucketsPath,
-			Name:      bucket,
-		}
-
-		glog.V(1).Infof("lookup bucket: %v", request)
-		if _, err := filer_pb.LookupEntry(client, request); err != nil {
-			if err == filer_pb.ErrNotFound {
-				return filer_pb.ErrNotFound
-			}
-			return fmt.Errorf("lookup bucket %s/%s: %v", s3a.option.BucketsPath, bucket, err)
-		}
-
-		return nil
-	})
-
-	if err != nil {
+	entry, err := s3a.get(s3a.option.BucketsPath, bucket)
+	if entry == nil || err != nil {
 		writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL)
 		return
 	}
+	if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok {
+		if string(id) != r.Header.Get(xhttp.AmzIdentityId) {
+			writeErrorResponse(w, s3err.ErrAccessDenied, r.URL)
+			return
+		}
+	}

 	writeSuccessResponseEmpty(w)
 }