From e06676f007934ef20ae1429a097137a9b0466425 Mon Sep 17 00:00:00 2001 From: "ruitao.liu" Date: Thu, 12 Nov 2020 16:15:59 +0800 Subject: [PATCH] check permission for bucket delete/head. --- weed/s3api/filer_util.go | 6 +++++ weed/s3api/s3api_bucket_handlers.go | 36 ++++++++++++++--------------- 2 files changed, 23 insertions(+), 19 deletions(-) diff --git a/weed/s3api/filer_util.go b/weed/s3api/filer_util.go index ebdbe8245..72df337a5 100644 --- a/weed/s3api/filer_util.go +++ b/weed/s3api/filer_util.go @@ -7,6 +7,7 @@ import ( "github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/pb/filer_pb" + "github.com/chrislusf/seaweedfs/weed/util" ) func (s3a *S3ApiServer) mkdir(parentDirectoryPath string, dirName string, fn func(entry *filer_pb.Entry)) error { @@ -75,6 +76,11 @@ func (s3a *S3ApiServer) exists(parentDirectoryPath string, entryName string, isD } +func (s3a *S3ApiServer) get(parentDirectoryPath, entryName string) (entry *filer_pb.Entry, err error) { + fullPath := util.NewFullPath(parentDirectoryPath, entryName) + return filer_pb.GetEntry(s3a, fullPath) +} + func objectKey(key *string) *string { if strings.HasPrefix(*key, "/") { t := (*key)[1:] diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index bd3d7fd58..744f22617 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -120,6 +120,15 @@ func (s3a *S3ApiServer) DeleteBucketHandler(w http.ResponseWriter, r *http.Reque bucket, _ := getBucketAndObject(r) + if entry, err := s3a.get(s3a.option.BucketsPath, bucket); entry != nil && err == nil { + if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { + if string(id) != r.Header.Get(xhttp.AmzIdentityId) { + writeErrorResponse(w, s3err.ErrAccessDenied, r.URL) + return + } + } + } + err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { // delete collection @@ -149,28 +158,17 @@ func (s3a *S3ApiServer) HeadBucketHandler(w http.ResponseWriter, r *http.Request bucket, _ := getBucketAndObject(r) - err := s3a.WithFilerClient(func(client filer_pb.SeaweedFilerClient) error { - - request := &filer_pb.LookupDirectoryEntryRequest{ - Directory: s3a.option.BucketsPath, - Name: bucket, - } - - glog.V(1).Infof("lookup bucket: %v", request) - if _, err := filer_pb.LookupEntry(client, request); err != nil { - if err == filer_pb.ErrNotFound { - return filer_pb.ErrNotFound - } - return fmt.Errorf("lookup bucket %s/%s: %v", s3a.option.BucketsPath, bucket, err) - } - - return nil - }) - - if err != nil { + entry, err := s3a.get(s3a.option.BucketsPath, bucket) + if entry == nil || err != nil { writeErrorResponse(w, s3err.ErrNoSuchBucket, r.URL) return } + if id, ok := entry.Extended[xhttp.AmzIdentityId]; ok { + if string(id) != r.Header.Get(xhttp.AmzIdentityId) { + writeErrorResponse(w, s3err.ErrAccessDenied, r.URL) + return + } + } writeSuccessResponseEmpty(w) }