From e76105e2abbbde00a9ae392bfdd5d20c7c706e89 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Mon, 3 Jan 2022 21:05:20 -0800
Subject: [PATCH] fix auth permission checking
---
 weed/s3api/auth_credentials.go | 2 +-
 weed/s3api/auth_credentials_test.go | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 3c27b7d35..5b5075d78 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -319,7 +319,7 @@ func (identity *Identity) canDo(action Action, bucket string, objectKey string)
 if bucket == "" {
 return false
 }
- target := string(action) + ":" + bucket + "/" + objectKey
+ target := string(action) + ":" + bucket + objectKey
 limitedByBucket := string(action) + ":" + bucket
 adminLimitedByBucket := s3_constants.ACTION_ADMIN + ":" + bucket
 for _, a := range identity.Actions {
diff --git a/weed/s3api/auth_credentials_test.go b/weed/s3api/auth_credentials_test.go
index b674557fa..94479b4f5 100644
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -78,8 +78,8 @@ func TestCanDo(t *testing.T) {
 },
 }
 // object specific
- assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
- assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "a/b/other/some"), "action without *")
+ assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
+ assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "/a/b/other/some"), "action without *")
 // bucket specific
 ident2 := &Identity{
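Review bot: In `canDo` (weed/s3api/auth_credentials.go), `target` is now built as `bucket + objectKey` with no separator, so the permission check is only correct if every caller passes the key with a leading `/`; nothing in the visible lines enforces or documents that. A key passed without the slash would run the bucket name and the key together, leaving the bucket/key boundary ambiguous when `target` is compared against the identity's actions. Consider normalising at the top of the function, e.g. `if objectKey != "" && objectKey[0] != '/' { objectKey = "/" + objectKey }`, and adding a doc comment such as `// objectKey is the object path within bucket, including its leading "/".` The updated cases in auth_credentials_test.go use only slash-prefixed keys, so a case for a bare key and one for an empty key would pin the contract. The rest of `canDo`, including the matching loop, lies outside the hunk, so how `target` is compared is not visible here.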
@@ -89,9 +89,9 @@ func TestCanDo(t *testing.T) {
 "Write:bucket1/*",
 },
 }
- assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
- assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
- assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "a/b/c/d.txt"))
+ assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
+ assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
+ assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "/a/b/c/d.txt"))
 // across buckets
 ident3 := &Identity{
@@ -101,9 +101,9 @@ func TestCanDo(t *testing.T) {
 "Write",
 },
 }
- assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
- assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
- assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "a/b/other/some"))
+ assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
+ assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "/a/b/c/d.txt"))
+ assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "/a/b/other/some"))
 // partial buckets
 ident4 := &Identity{
@@ -112,7 +112,7 @@ func TestCanDo(t *testing.T) {
 "Read:special_*",
 },
 }
- assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "a/b/c/d.txt"))
- assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
+ assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "/a/b/c/d.txt"))
+ assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "/a/b/c/d.txt"))
 }