-
Notifications
You must be signed in to change notification settings - Fork 255
Expand file tree
/
Copy pathacl.js
More file actions
200 lines (181 loc) · 8.17 KB
/
acl.js
File metadata and controls
200 lines (181 loc) · 8.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
const { errors } = require('arsenal');
const getReplicationInfo = require('../api/apiUtils/object/getReplicationInfo');
const aclUtils = require('../utilities/aclUtils');
const constants = require('../../constants');
const metadata = require('../metadata/wrapper');
const vault = require('../auth/vault');
const { config } = require('../Config');
const acl = {
addACL(bucket, addACLParams, log, cb) {
log.trace('updating bucket acl in metadata');
bucket.setFullAcl(addACLParams);
metadata.updateBucket(bucket.getName(), bucket, log, cb);
},
/**
* returns true if the specified ACL grant is unchanged
* @param {string} grant name of the grant
* @param {object} oldAcl old acl config
* @param {object} newAcl new acl config
* @returns {bool} is the grant the same
*/
_aclGrantDidNotChange(grant, oldAcl, newAcl) {
if (grant === 'Canned') {
return oldAcl.Canned === newAcl.Canned;
}
/**
* An ACL grant is in form of an array of strings
* An ACL grant is considered unchanged when both the old and new one
* contain the same number of elements, and all elements from one
* grant are incuded in the other grant
*/
return oldAcl[grant].length === newAcl[grant].length
&& oldAcl[grant].every(value => newAcl[grant].includes(value));
},
addObjectACL(bucket, objectKey, objectMD, addACLParams, params, log, cb) {
log.trace('updating object acl in metadata');
const isAclUnchanged = Object.keys(objectMD.acl).length === Object.keys(addACLParams).length
&& Object.keys(objectMD.acl).every(grant => this._aclGrantDidNotChange(grant, objectMD.acl, addACLParams));
if (!isAclUnchanged) {
/* eslint-disable no-param-reassign */
objectMD.acl = addACLParams;
objectMD.originOp = 's3:ObjectAcl:Put';
const replicationInfo = getReplicationInfo(config, objectKey, bucket, true);
// Split the storageClass and iterate over each one
if (replicationInfo) {
const storageClasses = replicationInfo.storageClass ? replicationInfo.storageClass.split(',') : [];
const crrStorageClasses = [];
const crrBackends = [];
// Iterate over each storage class and check isCRR
storageClasses.forEach((storageClass, index) => {
const trimmedStorageClass = storageClass.trim();
if (config.locationConstraints &&
config.locationConstraints[trimmedStorageClass] &&
config.locationConstraints[trimmedStorageClass].isCRR) {
// This storage class has CRR enabled, include it
crrStorageClasses.push(trimmedStorageClass);
// Include corresponding backend if it exists
if (replicationInfo.backends && replicationInfo.backends[index]) {
crrBackends.push(replicationInfo.backends[index]);
}
}
});
// Only set replication info for storage classes that have isCRR = true
if (crrStorageClasses.length > 0) {
const filteredReplicationInfo = {
...replicationInfo,
storageClass: crrStorageClasses.join(','),
backends: crrBackends
};
objectMD.replicationInfo = {
...objectMD.replicationInfo,
...filteredReplicationInfo,
};
}
}
return metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params, log, cb);
}
return cb();
},
parseAclFromHeaders(params, cb) {
const headers = params.headers;
const resourceType = params.resourceType;
const currentResourceACL = params.acl;
const log = params.log;
const resourceACL = {
Canned: '',
FULL_CONTROL: [],
WRITE: [],
WRITE_ACP: [],
READ: [],
READ_ACP: [],
};
let validCannedACL = [];
if (resourceType === 'bucket') {
validCannedACL =
['private', 'public-read', 'public-read-write',
'authenticated-read', 'log-delivery-write'];
} else if (resourceType === 'object') {
validCannedACL =
['private', 'public-read', 'public-read-write',
'authenticated-read', 'bucket-owner-read',
'bucket-owner-full-control'];
}
// parse canned acl
if (headers['x-amz-acl']) {
const newCannedACL = headers['x-amz-acl'];
if (validCannedACL.indexOf(newCannedACL) > -1) {
resourceACL.Canned = newCannedACL;
return cb(null, resourceACL);
}
return cb(errors.InvalidArgument);
}
// parse grant headers
const grantReadHeader =
aclUtils.parseGrant(headers['x-amz-grant-read'], 'READ');
let grantWriteHeader = [];
if (resourceType === 'bucket') {
grantWriteHeader = aclUtils
.parseGrant(headers['x-amz-grant-write'], 'WRITE');
}
const grantReadACPHeader = aclUtils
.parseGrant(headers['x-amz-grant-read-acp'], 'READ_ACP');
const grantWriteACPHeader = aclUtils
.parseGrant(headers['x-amz-grant-write-acp'], 'WRITE_ACP');
const grantFullControlHeader = aclUtils
.parseGrant(headers['x-amz-grant-full-control'], 'FULL_CONTROL');
const allGrantHeaders =
[].concat(grantReadHeader, grantWriteHeader,
grantReadACPHeader, grantWriteACPHeader,
grantFullControlHeader).filter(item => item !== undefined);
if (allGrantHeaders.length === 0) {
return cb(null, currentResourceACL);
}
const usersIdentifiedByEmail = allGrantHeaders
.filter(it => it && it.userIDType.toLowerCase() === 'emailaddress');
const usersIdentifiedByGroup = allGrantHeaders
.filter(item => item && item.userIDType.toLowerCase() === 'uri');
const justEmails = usersIdentifiedByEmail.map(item => item.identifier);
const validGroups = [
constants.allAuthedUsersId,
constants.publicId,
constants.logId,
];
for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
if (validGroups.indexOf(usersIdentifiedByGroup[i].identifier) < 0) {
return cb(errors.InvalidArgument);
}
}
const usersIdentifiedByID = allGrantHeaders
.filter(item => item && item.userIDType.toLowerCase() === 'id');
// TODO: Consider whether want to verify with Vault
// whether canonicalID is associated with existing
// account before adding to ACL
// If have to lookup canonicalID's do that asynchronously
// then add grants to bucket
if (justEmails.length > 0) {
vault.getCanonicalIds(justEmails, log, (err, results) => {
if (err) {
return cb(err);
}
const reconstructedUsersIdentifiedByEmail = aclUtils.
reconstructUsersIdentifiedByEmail(results,
usersIdentifiedByEmail);
const allUsers = [].concat(
reconstructedUsersIdentifiedByEmail,
usersIdentifiedByGroup,
usersIdentifiedByID);
const revisedACL =
aclUtils.sortHeaderGrants(allUsers, resourceACL);
return cb(null, revisedACL);
});
} else {
// If don't have to look up canonicalID's just sort grants
// and add to bucket
const revisedACL = aclUtils
.sortHeaderGrants(allGrantHeaders, resourceACL);
return cb(null, revisedACL);
}
return undefined;
},
};
module.exports = acl;