feat: acl'ed list bucket

Author: hUwUtao

src/auth.rs

@@ -1,12 +1,14 @@
 //! S3 Authentication
 
 use std::collections::HashMap;
+use std::fmt::Debug;
 use std::path::{Path, PathBuf};
+use std::sync::Arc;
 
 use crate::errors::S3AuthError;
 use crate::ops::{ReqContext, S3Operation};
 use crate::path::S3Path;
-use crate::token::database::IndexDB;
+use crate::token::database::{IndexDB, PassiveIndexDB};
 use crate::utils::metrics::Mesurable;
 use crate::S3Storage;
 use crate::{dto::S3AuthContext, ops::S3Handler};
@@ -80,30 +82,30 @@ mod authorization {
             })
         }
 
+        pub fn match_listops(&self, bucket: &str) -> bool {
+            self.operations.contains(&"BucketList".to_string())
+                && self.bucket_matcher.is_match(bucket)
+        }
+
         pub fn matches(&self, operation: &S3Operation, bucket: &str, path: Option<&str>) -> bool {
             if !self.operations.contains(&operation.to_string()) {
                 debug!("not match ops");
                 return false;
             }
 
-            if !self.bucket_matcher.is_match(bucket) {
+            if bucket != "*" && !self.bucket_matcher.is_match(bucket) {
                 debug!("not match bucket");
                 return false;
             }
+
             if let Some(ref path_matcher) = self.path_matcher {
                 if let Some(path) = path {
                     debug!("attempt to path matching");
                     let matches = path_matcher.matches(&PathBuf::from(path));
-                    matches ^ self.path_matcher_inverted
-                } else {
-                    // TODO
-                    // if there is no path but requested in a path required endpoint, it should not be possible
-                    // there is no such case yet this is exploitable
-                    true
+                    return matches ^ self.path_matcher_inverted;
                 }
-            } else {
-                true
-            }
+            };
+            true
         }
     }
 
@@ -164,14 +166,21 @@ use tracing::debug;
 /// S3 Authentication Provider
 
 #[async_trait]
-pub trait S3Auth: Mesurable {
+pub trait S3Auth: Mesurable + Debug {
     /// lookup `secret_access_key` by `access_key_id`
     async fn get_secret_access_key(
         &self,
         context: &mut S3AuthContext<'_>,
         access_key_id: &str,
     ) -> Result<String, S3AuthError>;
 
+    async fn get_listops_matchers(
+        &self,
+        _context: &S3AuthContext<'_>,
+    ) -> Result<Arc<Vec<Permission>>, S3AuthError> {
+        Err(S3AuthError::AuthServiceUnavailable)
+    }
+
     async fn authorize_query(
         &self,
         _ctx: &'_ ReqContext<'_>,
@@ -252,6 +261,21 @@ impl S3Auth for RwLock<ACLAuth> {
         Err(S3AuthError::NotSignedUp)
     }
 
+    async fn get_listops_matchers(
+        &self,
+        context: &S3AuthContext<'_>,
+    ) -> Result<Arc<Vec<Permission>>, S3AuthError> {
+        if let Some(access_id) = context.access_id {
+            self.read()
+                .await
+                .indexdb
+                .get_roles_as_permission(&access_id)
+                .ok_or(S3AuthError::MissingToken)
+        } else {
+            Err(S3AuthError::MissingToken)
+        }
+    }
+
     async fn authorize_public_query(&self, ctx: &'_ ReqContext<'_>) -> Result<(), S3AuthError> {
         let readed = self.read().await;
         if let S3Path::Object { bucket, key } = ctx.path {
@@ -318,7 +342,9 @@ impl S3Auth for RwLock<ACLAuth> {
                     }
                     let is_valid_origin = {
                         let read_guard = self.read().await;
-                        (token.origin == bucket) ^ read_guard.indexdb.validate_orign(bucket, &token)
+                        (bucket == "*")
+                            || (token.origin == bucket)
+                                ^ read_guard.indexdb.validate_orign(bucket, &token)
                     };
                     if is_valid_origin {
                         return Ok(());

src/ops.rs

@@ -25,7 +25,7 @@ use crate::errors::S3Result;
 use crate::path::S3Path;
 use crate::storage::S3Storage;
 use crate::streams::multipart::Multipart;
-use crate::{async_trait, Body, BoxStdError, Mime, Request, Response};
+use crate::{async_trait, Body, BoxStdError, Mime, Request, Response, S3Auth};
 
 use std::fmt::Debug;
 use std::mem;
@@ -124,6 +124,8 @@ pub struct ReqContext<'a> {
     pub multipart: Option<Multipart>,
     /// auth
     pub auth: &'a mut S3AuthContext<'a>,
+    /// auth engine
+    pub auth_engine: Option<&'a Box<dyn S3Auth + Send + Sync>>,
 }
 
 impl<'a> ReqContext<'a> {

src/ops/list_buckets.rs

@@ -1,9 +1,11 @@
 //! [`ListBuckets`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html)
 
+use std::ops::Deref;
+
 use super::{wrap_internal_error, ReqContext, S3Handler};
 
 use crate::dto::{ListBucketsError, ListBucketsOutput, ListBucketsRequest};
-use crate::errors::{S3Error, S3Result};
+use crate::errors::{S3Error, S3Result, S3StorageError};
 use crate::output::S3Output;
 use crate::storage::S3Storage;
 use crate::utils::{ResponseExt, XmlWriterExt};
@@ -27,8 +29,32 @@ impl S3Handler for Handler {
         storage: &(dyn S3Storage + Send + Sync),
     ) -> S3Result<Response> {
         let input = extract(ctx)?;
-        let output = storage.list_buckets(input).await;
-        output.try_into_response()
+        if let Some(auth_engine) = ctx.auth_engine {
+            if let Ok(matchers) = auth_engine
+                .as_ref()
+                .get_listops_matchers(ctx.auth.deref())
+                .await
+            {
+                let output = storage
+                    .list_buckets(input)
+                    .await
+                    .map(|f| ListBucketsOutput {
+                        buckets: f.buckets.map(|b| {
+                            b.iter()
+                                .filter(|bn| {
+                                    matchers.iter().any(|m| {
+                                        m.match_listops(bn.name.as_ref().unwrap_or(&String::new()))
+                                    })
+                                })
+                                .map(|f| f.clone())
+                                .collect::<Vec<_>>()
+                        }),
+                        ..f
+                    });
+                return output.try_into_response();
+            }
+        }
+        ListBucketsOutput::default().try_into_response()
     }
 }
 

src/service.rs

@@ -190,6 +190,8 @@ impl S3Service {
         let query_strings = extract_qs(&req)?;
         let mime = extract_mime(&headers)?;
 
+        let refed = self.auth.as_ref();
+
         let mut ctx: ReqContext<'_> = ReqContext {
             req: &req,
             headers,
@@ -199,6 +201,7 @@ impl S3Service {
             mime,
             multipart: None,
             auth: &mut context,
+            auth_engine: self.auth.as_ref(),
         };
 
         debug!("authenticated");

src/storages/fs.rs

@@ -21,16 +21,19 @@ use crate::errors::{S3StorageError, S3StorageResult};
 use crate::headers::{AmzCopySource, Range};
 use crate::path::S3Path;
 use crate::storage::S3Storage;
+use crate::token::database::PassiveIndexDB;
 use crate::utils::{crypto, time, Apply};
 
 use std::collections::{HashMap, HashSet};
 use std::convert::TryInto;
 use std::env;
+use std::fmt::Debug;
 use std::io::{self, SeekFrom};
 use std::path::{Path, PathBuf};
 
 use futures::io::{AsyncReadExt, AsyncSeekExt, AsyncWrite, AsyncWriteExt, BufWriter};
 use futures::stream::{Stream, StreamExt, TryStreamExt};
+use hex_simd::AsOut;
 use hyper::body::Bytes;
 use md5::{Digest, Md5};
 use path_absolutize::Absolutize;