From 1d2ff46a89c72d3e0f64ab621b154b2622bde988 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Sat, 6 Aug 2022 00:27:09 +0100
Subject: [PATCH] Ensure lock/versioning permissions when creating a bucket (#15432)

Currently, the code doesn't check if the user creating a bucket with locking feature has bucket locking and versioning permissions enabled, adding it in accordance with S3 spec.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html

Object Lock - If ObjectLockEnabledForBucket is set to true in your CreateBucket request, s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning permissions are required.
---
 cmd/bucket-handlers.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go
index 14ad4c3d4..29d35bd0c 100644
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -727,11 +727,30 @@ func (api objectAPIHandlers) PutBucketHandler(w http.ResponseWriter, r *http.Req
 		}
 	}
 
-	if s3Error := checkRequestAuthType(ctx, r, policy.CreateBucketAction, bucket, ""); s3Error != ErrNone {
+	cred, owner, s3Error := checkRequestAuthTypeCredential(ctx, r, policy.CreateBucketAction, bucket, "")
+	if s3Error != ErrNone {
 		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
 		return
 	}
 
+	if objectLockEnabled {
+		// Creating a bucket with locking requires the user having more permissions
+		for _, action := range []iampolicy.Action{iampolicy.PutBucketObjectLockConfigurationAction, iampolicy.PutBucketVersioningAction} {
+			if !globalIAMSys.IsAllowed(iampolicy.Args{
+				AccountName:     cred.AccessKey,
+				Groups:          cred.Groups,
+				Action:          action,
+				ConditionValues: getConditionValues(r, "", cred.AccessKey, cred.Claims),
+				BucketName:      bucket,
+				IsOwner:         owner,
+				Claims:          cred.Claims,
+			}) {
+				writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
+				return
+			}
+		}
+	}
+
 	// Parse incoming location constraint.
 	location, s3Error := parseLocationConstraint(r)
 	if s3Error != ErrNone {
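Review bot: The two added IsAllowed calls pass `""` as the second argument of getConditionValues, even though the location constraint is parsed only a few lines further down (`location, s3Error := parseLocationConstraint(r)`); if that argument is the location-constraint slot — inferred from the call shape, not from lines shown here — then any policy condition keyed on the bucket location is evaluated against an empty string for these two extra actions while the preceding CreateBucket check may see the real value. Consider placing the object-lock block after the parseLocationConstraint error check and computing the condition map once outside the loop, `condValues := getConditionValues(r, location, cred.AccessKey, cred.Claims)`, then `ConditionValues: condValues,` in the iampolicy.Args literal; that also avoids rebuilding the map on every iteration. The loop comment would carry more for the next reader as `// S3 requires s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning in addition to s3:CreateBucket when ObjectLockEnabledForBucket is set.` PutBucketHandler begins before this hunk and continues after it, so where objectLockEnabled is derived from the request and where the bucket is actually created are not visible here.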