authorKonstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>2023-09-21 20:20:05 +0500
committerGitHub <noreply@github.com>2023-09-21 08:20:05 -0700
commita46f873edd8a5fb0c25aeb1c5c3c33e925ed63dd (patch)
treeb0fe92a5f834fecd84c5b03b3a40c8b5b2bf1e2d
parentd8b424d123300aad13b934b25f5670506396da7b (diff)
downloadseaweedfs-a46f873edd8a5fb0c25aeb1c5c3c33e925ed63dd.tar.xz
seaweedfs-a46f873edd8a5fb0c25aeb1c5c3c33e925ed63dd.zip
[s3acl] Step 0: Put bucket ACL only responds success if the ACL is private. (#4856)
* Passing test: test_bucket_acl_default test_bucket_acl_canned_private_to_private https://github.com/seaweedfs/seaweedfs/issues/4519 * Update weed/s3api/s3api_bucket_handlers.go --------- Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co> Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
-rw-r--r--docker/compose/s3tests.conf4
-rw-r--r--weed/s3api/s3api_bucket_handlers.go68
-rw-r--r--weed/s3api/s3api_bucket_skip_handlers.go6
3 files changed, 47 insertions, 31 deletions
diff --git a/docker/compose/s3tests.conf b/docker/compose/s3tests.conf
index 68d9ddeb7..2bffe20d4 100644
--- a/docker/compose/s3tests.conf
+++ b/docker/compose/s3tests.conf
@@ -18,10 +18,10 @@ bucket prefix = yournamehere-{random}-
[s3 main]
# main display_name set in vstart.sh
-display_name = M. Tester
+display_name = s3_tests
# main user_idname set in vstart.sh
-user_id = testid
+user_id = s3_tests
# main email set in vstart.sh
email = tester@ceph.com
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index d4d81905d..d2e987a25 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -259,32 +259,54 @@ func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Reque
return
}
- response := AccessControlPolicy{}
- for _, ident := range s3a.iam.identities {
- if len(ident.Credentials) == 0 {
- continue
+ identityId := r.Header.Get(s3_constants.AmzIdentityId)
+ response := AccessControlPolicy{
+ Owner: CanonicalUser{
+ ID: identityId,
+ DisplayName: identityId,
+ },
+ }
+ response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{
+ Grantee: Grantee{
+ ID: identityId,
+ DisplayName: identityId,
+ Type: "CanonicalUser",
+ XMLXSI: "CanonicalUser",
+ XMLNS: "http://www.w3.org/2001/XMLSchema-instance"},
+ Permission: s3.PermissionFullControl,
+ })
+ writeSuccessResponseXML(w, r, response)
+}
+
+// PutBucketAclHandler Put bucket ACL only responds success if the ACL is private.
+// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html //
+func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
+ // collect parameters
+ bucket, _ := s3_constants.GetBucketAndObject(r)
+ glog.V(3).Infof("PutBucketAclHandler %s", bucket)
+
+ if err := s3a.checkBucket(r, bucket); err != s3err.ErrNone {
+ s3err.WriteErrorResponse(w, r, err)
+ return
+ }
+ cannedAcl := r.Header.Get(s3_constants.AmzCannedAcl)
+ switch {
+ case cannedAcl == "":
+ acl := &s3.AccessControlPolicy{}
+ if err := xmlDecoder(r.Body, acl, r.ContentLength); err != nil {
+ glog.Errorf("PutBucketAclHandler: %s", err)
+ s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
+ return
}
- for _, action := range ident.Actions {
- if !action.overBucket(bucket) || action.getPermission() == "" {
- continue
- }
- id := ident.Credentials[0].AccessKey
- if response.Owner.DisplayName == "" && action.isOwner(bucket) && len(ident.Credentials) > 0 {
- response.Owner.DisplayName = ident.Name
- response.Owner.ID = id
- }
- response.AccessControlList.Grant = append(response.AccessControlList.Grant, Grant{
- Grantee: Grantee{
- ID: id,
- DisplayName: ident.Name,
- Type: "CanonicalUser",
- XMLXSI: "CanonicalUser",
- XMLNS: "http://www.w3.org/2001/XMLSchema-instance"},
- Permission: action.getPermission(),
- })
+ if len(acl.Grants) == 1 && acl.Grants[0].Permission != nil && *acl.Grants[0].Permission == s3_constants.PermissionFullControl {
+ writeSuccessResponseEmpty(w, r)
+ return
}
+ case cannedAcl == s3_constants.CannedAclPrivate:
+ writeSuccessResponseEmpty(w, r)
+ return
}
- writeSuccessResponseXML(w, r, response)
+ s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
}
// GetBucketLifecycleConfigurationHandler Get Bucket Lifecycle configuration
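Review bot: The XML branch of PutBucketAclHandler (`if len(acl.Grants) == 1 && acl.Grants[0].Permission != nil && ...`) returns 200 based only on the grant's permission, never on who the grantee is, so a body carrying a single FULL_CONTROL grant to a different canonical user or to a group URI is acknowledged as if it were private even though nothing is stored. That contradicts the handler's own doc comment and leaves the client believing a non-private ACL took effect; the success path should additionally require the grantee to be the caller's own identity, i.e. the `s3_constants.AmzIdentityId` header that GetBucketAclHandler now reports as Owner (assuming that header is populated by the auth layer rather than taken from the client — worth confirming). The FULL_CONTROL constant is also inconsistent within the hunk: GetBucketAclHandler's grant uses `s3.PermissionFullControl` while the new check uses `s3_constants.PermissionFullControl`; pick one. A sketch of the tightened check follows; GetBucketAclHandler's opening lines are outside this hunk.
```go
	case cannedAcl == "":
		acl := &s3.AccessControlPolicy{}
		// … unchanged: xmlDecoder call and ErrInvalidRequest response …
		identityId := r.Header.Get(s3_constants.AmzIdentityId)
		if len(acl.Grants) == 1 {
			g := acl.Grants[0]
			// "private" means exactly one FULL_CONTROL grant to the caller's own
			// canonical user; any other grantee (other user, group URI) is not
			// supported and must not be acknowledged with 200.
			if g.Permission != nil && *g.Permission == s3_constants.PermissionFullControl &&
				g.Grantee != nil && g.Grantee.URI == nil &&
				g.Grantee.ID != nil && *g.Grantee.ID == identityId {
				writeSuccessResponseEmpty(w, r)
				return
			}
		}
```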
diff --git a/weed/s3api/s3api_bucket_skip_handlers.go b/weed/s3api/s3api_bucket_skip_handlers.go
index 70fd38424..62d5b8ce7 100644
--- a/weed/s3api/s3api_bucket_skip_handlers.go
+++ b/weed/s3api/s3api_bucket_skip_handlers.go
@@ -41,9 +41,3 @@ func (s3a *S3ApiServer) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Re
func (s3a *S3ApiServer) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
s3err.WriteErrorResponse(w, r, http.StatusNoContent)
}
-
-// PutBucketAclHandler Put bucket ACL
-// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
-func (s3a *S3ApiServer) PutBucketAclHandler(w http.ResponseWriter, r *http.Request) {
- s3err.WriteErrorResponse(w, r, s3err.ErrNotImplemented)
-}