From ee64d7f846a84403733a03c5ca7b2a065ca8305d Mon Sep 17 00:00:00 2001
From: Ben McClelland <ben.mcclelland@versity.com>
Date: Mon, 24 Feb 2025 10:36:54 -0800
Subject: [PATCH] fix: s3proxy get bucket acl when no acl exists in s3 service

For s3 proxy backend, the ACLs are stored in bucket tags to not
conflict with the underlying s3 object store ACLs. If the tag
for the gatway ACLs does not exist for the bucket, then we were
incorrectly returning the NoSuchTagSet from teh tag lookup.
Instead, in this case we need to just return the default gateway
bucket ACL, which is the root account ownership.

Side note that there is currently a bug in the go sdk where the
NoSuchTagSet is not defained as an error type, and a workaround
for string matching is required until this is addressed.
https://github.com/aws/aws-sdk-go-v2/issues/2878
---
 backend/s3proxy/s3.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/backend/s3proxy/s3.go b/backend/s3proxy/s3.go
index fe9875d..097c1de 100644
--- a/backend/s3proxy/s3.go
+++ b/backend/s3proxy/s3.go
@@ -25,6 +25,7 @@ import (
 	"io"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -518,6 +519,14 @@ func (s *S3Proxy) GetBucketAcl(ctx context.Context, input *s3.GetBucketAclInput)
 		Bucket: input.Bucket,
 	})
 	if err != nil {
+		var ae smithy.APIError
+		if errors.As(err, &ae) {
+			// sdk issue workaround for missing NoSuchTagSet error type
+			// https://github.com/aws/aws-sdk-go-v2/issues/2878
+			if strings.Contains(ae.ErrorCode(), "NoSuchTagSet") {
+				return []byte{}, nil
+			}
+		}
 		return nil, handleError(err)
 	}