diff --git a/auth/bucket_policy_actions.go b/auth/bucket_policy_actions.go index ad49200c..be3f475a 100644 --- a/auth/bucket_policy_actions.go +++ b/auth/bucket_policy_actions.go @@ -60,9 +60,12 @@ const ( GetBucketOwnershipControlsAction Action = "s3:GetBucketOwnershipControls" PutBucketCorsAction Action = "s3:PutBucketCORS" GetBucketCorsAction Action = "s3:GetBucketCORS" - PutAnalyticsConfiguration Action = "s3:PutAnalyticsConfiguration" - GetAnalyticsConfiguration Action = "s3:GetAnalyticsConfiguration" - AllActions Action = "s3:*" + PutAnalyticsConfigurationAction Action = "s3:PutAnalyticsConfiguration" + GetAnalyticsConfigurationAction Action = "s3:GetAnalyticsConfiguration" + PutEncryptionConfigurationAction Action = "s3:PutEncryptionConfiguration" + GetEncryptionConfigurationAction Action = "s3:GetEncryptionConfiguration" + + AllActions Action = "s3:*" ) var supportedActionList = map[Action]struct{}{ diff --git a/metrics/actions.go b/metrics/actions.go index d5fc9749..6f0ecdf1 100644 --- a/metrics/actions.go +++ b/metrics/actions.go @@ -79,6 +79,9 @@ var ( ActionGetBucketAnalyticsConfiguration = "s3_GetBucketAnalyticsConfiguration" ActionListBucketAnalyticsConfigurations = "s3_ListBucketAnalyticsConfigurations" ActionDeleteBucketAnalyticsConfiguration = "s3_DeleteBucketAnalyticsConfiguration" + ActionPutBucketEncryption = "s3_PutBucketEncryption" + ActionGetBucketEncryption = "s3_GetBucketEncryption" + ActionDeleteBucketEncryption = "s3_DeleteBucketEcryption" // Admin actions ActionAdminCreateUser = "admin_CreateUser" diff --git a/s3api/router.go b/s3api/router.go index 59bf3967..89143a79 100644 --- a/s3api/router.go +++ b/s3api/router.go 
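Review bot: The new `PutEncryptionConfigurationAction` and `GetEncryptionConfigurationAction` constants are declared in auth/bucket_policy_actions.go, but the diff has no hunk that touches `supportedActionList`, whose opening line is the last context line here. If bucket-policy validation consults that map (its body is outside the hunk, so this is inferred), a policy naming `s3:PutEncryptionConfiguration` or `s3:GetEncryptionConfiguration` would be rejected as unsupported even though the router now authorizes against those actions. Either add both keys to the map, or say in a comment above the constants that they are not grantable while the routes return NotImplemented, for example `// Encryption actions are declared for routing only; not yet accepted in bucket policies.`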
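Review bot: The metric label for the delete action in metrics/actions.go is misspelled: `ActionDeleteBucketEncryption = "s3_DeleteBucketEcryption"` is missing the "n". The value is what the router passes to `ProcessHandlers` and `AuthorizePublicBucketAccess`, so any dashboard, alert or log query that filters on the expected name would miss delete-encryption requests. The line should read `ActionDeleteBucketEncryption = "s3_DeleteBucketEncryption"`.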
@@ -202,7 +202,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionPutBucketAnalyticsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfiguration, auth.PermissionWrite),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
+ middlewares.VerifyV4Signature(root, iam, region, debug),
+ middlewares.VerifyMD5Body(),
+ middlewares.ParseAcl(be),
+ ),
+ )
+ bucketRouter.Put("",
+ middlewares.MatchQueryArgs("encryption"),
+ controllers.ProcessHandlers(
+ ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)),
+ metrics.ActionPutBucketEncryption,
+ services,
+ middlewares.BucketObjectNameValidator(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite),
 middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 middlewares.VerifyV4Signature(root, iam, region, debug),
 middlewares.VerifyMD5Body(),
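Review bot: Nothing on the new `bucketRouter.Put("", middlewares.MatchQueryArgs("encryption"), …)` registration says it is a deliberate stub, and the same holds for the Delete and Get registrations in the `@@ -295` and `@@ -454` hunks. The handler is `ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented))`, yet the route carries the full authorization and signature chain. Presumably that makes an unauthenticated caller receive an auth error, not NotImplemented, although `ProcessHandlers` is not visible here. A one-line comment above each registration would keep a later cleanup from trimming those middlewares: `// PutBucketEncryption is not implemented; the stub keeps the authorization and signature middlewares so only authorized callers reach the NotImplemented reply.` Init begins and ends outside the hunk.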
@@ -295,7 +309,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketAnalyticsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfiguration, auth.PermissionWrite),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
+ middlewares.VerifyV4Signature(root, iam, region, debug),
+ middlewares.VerifyMD5Body(),
+ middlewares.ParseAcl(be),
+ ),
+ )
+ bucketRouter.Delete("",
+ middlewares.MatchQueryArgs("encryption"),
+ controllers.ProcessHandlers(
+ ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)),
+ metrics.ActionDeleteBucketEncryption,
+ services,
+ middlewares.BucketObjectNameValidator(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite),
 middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 middlewares.VerifyV4Signature(root, iam, region, debug),
 middlewares.VerifyMD5Body(),
@@ -440,7 +468,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketAnalyticsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfiguration, auth.PermissionRead),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead),
 middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 middlewares.VerifyV4Signature(root, iam, region, debug),
 middlewares.VerifyMD5Body(),
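Review bot: In the `@@ -295` hunk the Delete route is authorized with `auth.PutEncryptionConfigurationAction`, and nothing says this is intended. The mapping matches S3, where DeleteBucketEncryption is governed by the s3:PutEncryptionConfiguration permission. Next to `metrics.ActionDeleteBucketEncryption`, though, it reads like a copy-paste slip, and a well-meaning fix could point it at an action that does not exist. A comment above the `AuthorizePublicBucketAccess` line would settle it: `// DeleteBucketEncryption is governed by s3:PutEncryptionConfiguration, as in S3; there is no separate delete action.` The `@@ -440` hunk is a rename only.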
@@ -454,7 +482,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionListBucketAnalyticsConfigurations, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfiguration, auth.PermissionRead), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead), + middlewares.VerifyPresignedV4Signature(root, iam, region, debug), + middlewares.VerifyV4Signature(root, iam, region, debug), + middlewares.VerifyMD5Body(), + middlewares.ParseAcl(be), + ), + ) + bucketRouter.Get("", + middlewares.MatchQueryArgs("encryption"), + controllers.ProcessHandlers( + ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)), + metrics.ActionGetBucketEncryption, + services, + middlewares.BucketObjectNameValidator(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead), middlewares.VerifyPresignedV4Signature(root, iam, region, debug), middlewares.VerifyV4Signature(root, iam, region, debug), middlewares.VerifyMD5Body(), diff --git a/tests/integration/group-tests.go b/tests/integration/group-tests.go index 9eb11378..2787ef83 100644 --- a/tests/integration/group-tests.go +++ b/tests/integration/group-tests.go @@ -584,10 +584,15 @@ func TestGetObjectLegalHold(s *S3Conf) { } func TestNotImplementedActions(s *S3Conf) { + // bucket analytics actions PutBucketAnalyticsConfiguration_not_implemented(s) GetBucketAnalyticsConfiguration_not_implemented(s) ListBucketAnalyticsConfiguration_not_implemented(s) DeleteBucketAnalyticsConfiguration_not_implemented(s) + // bucket encryption actions + PutBucketEncryption_not_implemented(s) + GetBucketEncryption_not_implemented(s) + DeleteBucketEncryption_not_implemented(s) } func TestWORMProtection(s *S3Conf) { 
@@ -1299,6 +1304,9 @@ func GetIntTests() IntTests {
 "GetBucketAnalyticsConfiguration_not_implemented": GetBucketAnalyticsConfiguration_not_implemented,
 "ListBucketAnalyticsConfiguration_not_implemented": ListBucketAnalyticsConfiguration_not_implemented,
 "DeleteBucketAnalyticsConfiguration_not_implemented": DeleteBucketAnalyticsConfiguration_not_implemented,
+ "PutBucketEncryption_not_implemented": PutBucketEncryption_not_implemented,
+ "GetBucketEncryption_not_implemented": GetBucketEncryption_not_implemented,
+ "DeleteBucketEncryption_not_implemented": DeleteBucketEncryption_not_implemented,
 "WORMProtection_bucket_object_lock_configuration_compliance_mode": WORMProtection_bucket_object_lock_configuration_compliance_mode,
 "WORMProtection_bucket_object_lock_configuration_governance_mode": WORMProtection_bucket_object_lock_configuration_governance_mode,
 "WORMProtection_bucket_object_lock_governance_bypass_delete": WORMProtection_bucket_object_lock_governance_bypass_delete,
diff --git a/tests/integration/tests.go b/tests/integration/tests.go
index beccf4f7..b8aa6513 100644
--- a/tests/integration/tests.go
+++ b/tests/integration/tests.go
@@ -14667,6 +14667,57 @@ func DeleteBucketAnalyticsConfiguration_not_implemented(s *S3Conf) error { }) } +func PutBucketEncryption_not_implemented(s *S3Conf) error { + testName := "PutBucketEncryption_not_implemented" + return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { + ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) + _, err := s3client.PutBucketEncryption(ctx, + &s3.PutBucketEncryptionInput{ + Bucket: &bucket, + ServerSideEncryptionConfiguration: &types.ServerSideEncryptionConfiguration{ + Rules: []types.ServerSideEncryptionRule{ + { + ApplyServerSideEncryptionByDefault: &types.ServerSideEncryptionByDefault{ + SSEAlgorithm: types.ServerSideEncryptionAes256, + }, + }, + }, + }, + }) + cancel() + + return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented)) + }) +} + +func GetBucketEncryption_not_implemented(s *S3Conf) error { + testName := "GetBucketEncryption_not_implemented" + return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { + ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) + _, err := s3client.GetBucketEncryption(ctx, + &s3.GetBucketEncryptionInput{ + Bucket: &bucket, + }) + cancel() + + return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented)) + }) +} + +func DeleteBucketEncryption_not_implemented(s *S3Conf) error { + testName := "DeleteBucketEncryption_not_implemented" + return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { + ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) + _, err := s3client.DeleteBucketEncryption(ctx, + &s3.DeleteBucketEncryptionInput{ + Bucket: &bucket, + }) + cancel() + + return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented)) + }) +} + func WORMProtection_bucket_object_lock_configuration_compliance_mode(s *S3Conf) error { testName := "WORMProtection_bucket_object_lock_configuration_compliance_mode" return actionHandler(s, testName, 
func(s3client *s3.Client, bucket string) error {
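Review bot: The three new tests all call through `actionHandler` with a signed `s3client`, so they pin the NotImplemented reply only for an authenticated caller. The routes they exercise also register `AuthorizePublicBucketAccess` and the two signature middlewares, and nothing here checks that an unsigned or unauthorized request is rejected before the stub replies. A companion case asserting an access-denied error for such a request would protect that ordering; whether the suite already has a helper for anonymous requests is not visible from this hunk. The trailing context belongs to `WORMProtection_bucket_object_lock_configuration_compliance_mode`, whose body continues outside the hunk.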