Ensure lock/versioning permissions when creating a bucket (#15432)

Currently, the code doesn't check if the user creating a bucket with locking feature has bucket locking and versioning permissions enabled, adding it in accordance with S3 spec. https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html Object Lock - If ObjectLockEnabledForBucket is set to true in your CreateBucket request, s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning permissions are required.
2025-01-11 23:13:23 -05:00 · 2022-08-06 00:27:09 +01:00 · 2022-08-06 00:27:09 +01:00 · 1d2ff46a89
commit 1d2ff46a89
parent 8f7c739328
1 changed files with 20 additions and 1 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@ -727,11 +727,30 @@ func (api objectAPIHandlers) PutBucketHandler(w http.ResponseWriter, r *http.Req
 		}
 	}
-	if s3Error := checkRequestAuthType(ctx, r, policy.CreateBucketAction, bucket, ""); s3Error != ErrNone {
+	cred, owner, s3Error := checkRequestAuthTypeCredential(ctx, r, policy.CreateBucketAction, bucket, "")
 	if s3Error != ErrNone {
 		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL)
 		return
 	}
 	if objectLockEnabled {
 		// Creating a bucket with locking requires the user having more permissions
 		for _, action := range []iampolicy.Action{iampolicy.PutBucketObjectLockConfigurationAction, iampolicy.PutBucketVersioningAction} {
 			if !globalIAMSys.IsAllowed(iampolicy.Args{
 				AccountName:     cred.AccessKey,
 				Groups:          cred.Groups,
 				Action:          action,
 				ConditionValues: getConditionValues(r, "", cred.AccessKey, cred.Claims),
 				BucketName:      bucket,
 				IsOwner:         owner,
 				Claims:          cred.Claims,
 			}) {
 				writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
 				return
 			}
 		}
 	}
 	// Parse incoming location constraint.
 	location, s3Error := parseLocationConstraint(r)
 	if s3Error != ErrNone {