mirror of
https://github.com/versity/versitygw.git
synced 2026-02-07 10:50:43 +00:00
96c4c3e2d6
This implementation introduces **public buckets**, which are accessible without signature-based authentication.
There are two ways to grant public access to a bucket:
* **Bucket ACLs**
* **Bucket Policies**
Only `Get` and `List` operations are permitted on public buckets. All **write operations** require authentication, regardless of whether public access is granted through an ACL or a policy.
The implementation includes an `AuthorizePublicBucketAccess` middleware, which checks if public access has been granted to the bucket. If so, authentication middlewares are skipped. For unauthenticated requests, appropriate errors are returned based on the specific S3 action.
---
**1. Bucket-Level Operations:**
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test"
}
]
}
```
**2. Object-Level Operations:**
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
```
**3. Both Bucket and Object-Level Operations:**
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test"
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
```
---
```sh
aws s3api create-bucket --bucket test --object-ownership BucketOwnerPreferred
aws s3api put-bucket-acl --bucket test --acl public-read
```
61 lines
1.9 KiB
Go
61 lines
1.9 KiB
Go
// Copyright 2023 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package middlewares
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/versity/versitygw/auth"
|
|
"github.com/versity/versitygw/metrics"
|
|
"github.com/versity/versitygw/s3api/controllers"
|
|
"github.com/versity/versitygw/s3api/utils"
|
|
"github.com/versity/versitygw/s3err"
|
|
"github.com/versity/versitygw/s3log"
|
|
)
|
|
|
|
func IsAdmin(logger s3log.AuditLogger) fiber.Handler {
|
|
return func(ctx *fiber.Ctx) error {
|
|
acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)
|
|
if acct.Role != auth.RoleAdmin {
|
|
path := ctx.Path()
|
|
return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrAdminAccessDenied),
|
|
&controllers.MetaOpts{
|
|
Logger: logger,
|
|
Action: detectAction(path),
|
|
})
|
|
}
|
|
|
|
return ctx.Next()
|
|
}
|
|
}
|
|
|
|
func detectAction(path string) (action string) {
|
|
if strings.Contains(path, "create-user") {
|
|
action = metrics.ActionAdminCreateUser
|
|
} else if strings.Contains(path, "update-user") {
|
|
action = metrics.ActionAdminUpdateUser
|
|
} else if strings.Contains(path, "delete-user") {
|
|
action = metrics.ActionAdminDeleteUser
|
|
} else if strings.Contains(path, "list-user") {
|
|
action = metrics.ActionAdminListUsers
|
|
} else if strings.Contains(path, "list-buckets") {
|
|
action = metrics.ActionAdminListBuckets
|
|
} else if strings.Contains(path, "change-bucket-owner") {
|
|
action = metrics.ActionAdminChangeBucketOwner
|
|
}
|
|
return action
|
|
}
|