add missing ListBucketVersions from policy actions (#10414)

2020-09-03 18:25:06 -07:00 · 2020-09-03 18:25:06 -07:00 · 1c6781757c
parent b4e3956e69
commit 1c6781757c
4 changed files with 57 additions and 1 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@ -346,8 +346,26 @@ func checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, actio
 			// Request is allowed return the appropriate access key.
 			return cred.AccessKey, owner, ErrNone
 		}
+
+		if action == policy.ListBucketVersionsAction {
+			// In AWS S3 s3:ListBucket permission is same as s3:ListBucketVersions permission
+			// verify as a fallback.
+			if globalPolicySys.IsAllowed(policy.Args{
+				AccountName:     cred.AccessKey,
+				Action:          policy.ListBucketAction,
+				BucketName:      bucketName,
+				ConditionValues: getConditionValues(r, locationConstraint, "", nil),
+				IsOwner:         false,
+				ObjectName:      objectName,
+			}) {
+				// Request is allowed return the appropriate access key.
+				return cred.AccessKey, owner, ErrNone
+			}
+		}
+
 		return cred.AccessKey, owner, ErrAccessDenied
 	}
+
 	if globalIAMSys.IsAllowed(iampolicy.Args{
 		AccountName:     cred.AccessKey,
 		Action:          iampolicy.Action(action),
@ -360,6 +378,22 @@ func checkRequestAuthTypeToAccessKey(ctx context.Context, r *http.Request, actio
 		// Request is allowed return the appropriate access key.
 		return cred.AccessKey, owner, ErrNone
 	}
+	if action == policy.ListBucketVersionsAction {
+		// In AWS S3 s3:ListBucket permission is same as s3:ListBucketVersions permission
+		// verify as a fallback.
+		if globalIAMSys.IsAllowed(iampolicy.Args{
+			AccountName:     cred.AccessKey,
+			Action:          iampolicy.Action(policy.ListBucketAction),
+			BucketName:      bucketName,
+			ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
+			ObjectName:      objectName,
+			IsOwner:         owner,
+			Claims:          claims,
+		}) {
+			// Request is allowed return the appropriate access key.
+			return cred.AccessKey, owner, ErrNone
+		}
+	}

 	return cred.AccessKey, owner, ErrAccessDenied
 }
--- a/cmd/bucket-listobjects-handlers.go
+++ b/cmd/bucket-listobjects-handlers.go
@ -93,7 +93,7 @@ func (api objectAPIHandlers) ListObjectVersionsHandler(w http.ResponseWriter, r
 		return
 	}

-	if s3Error := checkRequestAuthType(ctx, r, policy.ListBucketAction, bucket, ""); s3Error != ErrNone {
+	if s3Error := checkRequestAuthType(ctx, r, policy.ListBucketVersionsAction, bucket, ""); s3Error != ErrNone {
 		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
 		return
 	}
--- a/pkg/bucket/policy/action.go
+++ b/pkg/bucket/policy/action.go
@ -71,6 +71,9 @@ const (
 	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
 	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

+	// ListBucketVersionsAction - ListBucket versions Rest API action.
+	ListBucketVersionsAction = "s3:ListBucketVersions"
+
 	// ListenNotificationAction - ListenNotification Rest API action.
 	// This is MinIO extension.
 	ListenNotificationAction = "s3:ListenNotification"
@ -215,6 +218,7 @@ var supportedActions = map[Action]struct{}{
 	HeadBucketAction:                       {},
 	ListAllMyBucketsAction:                 {},
 	ListBucketAction:                       {},
+	ListBucketVersionsAction:               {},
 	ListBucketMultipartUploadsAction:       {},
 	ListenNotificationAction:               {},
 	ListenBucketNotificationAction:         {},
@ -323,6 +327,13 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3MaxKeys,
 		}, condition.CommonKeys...)...),

+	ListBucketVersionsAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3Prefix,
+			condition.S3Delimiter,
+			condition.S3MaxKeys,
+		}, condition.CommonKeys...)...),
+
 	ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),

 	ListenNotificationAction: condition.NewKeySet(condition.CommonKeys...),
--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@ -67,6 +67,9 @@ const (
 	// ListBucketAction - ListBucket Rest API action.
 	ListBucketAction = "s3:ListBucket"

+	// ListBucketVersionsAction - ListBucketVersions Rest API action.
+	ListBucketVersionsAction = "s3:ListBucketVersions"
+
 	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
 	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

@ -194,6 +197,7 @@ var supportedActions = map[Action]struct{}{
 	HeadBucketAction:                       {},
 	ListAllMyBucketsAction:                 {},
 	ListBucketAction:                       {},
+	ListBucketVersionsAction:               {},
 	ListBucketMultipartUploadsAction:       {},
 	ListenNotificationAction:               {},
 	ListenBucketNotificationAction:         {},
@ -312,6 +316,13 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3MaxKeys,
 		}, condition.CommonKeys...)...),

+	ListBucketVersionsAction: condition.NewKeySet(
+		append([]condition.Key{
+			condition.S3Prefix,
+			condition.S3Delimiter,
+			condition.S3MaxKeys,
+		}, condition.CommonKeys...)...),
+
 	ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),

 	ListenNotificationAction: condition.NewKeySet(condition.CommonKeys...),