Merge pull request 'Properly enforce allow_create_bucket' (#447) from fix-allow-create-bucket into main

Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/447
This commit is contained in:
Alex 2022-12-12 14:55:12 +00:00
commit f7c65e830e
3 changed files with 39 additions and 0 deletions

View file

@ -161,6 +161,15 @@ pub async fn handle_create_bucket(
return Err(CommonError::BucketAlreadyExists.into()); return Err(CommonError::BucketAlreadyExists.into());
} }
} else { } else {
// Check user is allowed to create bucket
if !key_params.allow_create_bucket.get() {
return Err(CommonError::Forbidden(format!(
"Access key {} is not allowed to create buckets",
api_key.key_id
))
.into());
}
// Create the bucket! // Create the bucket!
if !is_valid_bucket_name(&bucket_name) { if !is_valid_bucket_name(&bucket_name) {
return Err(Error::bad_request(format!( return Err(Error::bad_request(format!(

View file

@ -1,4 +1,5 @@
use crate::common; use crate::common;
use crate::common::ext::CommandExt;
use aws_sdk_s3::model::BucketLocationConstraint; use aws_sdk_s3::model::BucketLocationConstraint;
use aws_sdk_s3::output::DeleteBucketOutput; use aws_sdk_s3::output::DeleteBucketOutput;
@ -8,6 +9,27 @@ async fn test_bucket_all() {
let bucket_name = "hello"; let bucket_name = "hello";
{ {
// Check bucket cannot be created if not authorized
ctx.garage
.command()
.args(["key", "deny"])
.args(["--create-bucket", &ctx.garage.key.id])
.quiet()
.expect_success_output("Could not deny key to create buckets");
// Try create bucket, should fail
let r = ctx.client.create_bucket().bucket(bucket_name).send().await;
assert!(r.is_err());
}
{
// Now allow key to create bucket
ctx.garage
.command()
.args(["key", "allow"])
.args(["--create-bucket", &ctx.garage.key.id])
.quiet()
.expect_success_output("Could not deny key to create buckets");
// Create bucket // Create bucket
//@TODO check with an invalid bucket name + with an already existing bucket //@TODO check with an invalid bucket name + with an already existing bucket
let r = ctx let r = ctx

View file

@ -1,6 +1,7 @@
use std::collections::HashMap; use std::collections::HashMap;
use crate::common; use crate::common;
use crate::common::ext::CommandExt;
use common::custom_requester::BodySignature; use common::custom_requester::BodySignature;
use hyper::Method; use hyper::Method;
@ -105,6 +106,13 @@ async fn test_create_bucket_streaming() {
let ctx = common::context(); let ctx = common::context();
let bucket = "createbucket-streaming"; let bucket = "createbucket-streaming";
ctx.garage
.command()
.args(["key", "allow"])
.args(["--create-bucket", &ctx.garage.key.id])
.quiet()
.expect_success_output("Could not allow key to create buckets");
{ {
// create bucket // create bucket
let _ = ctx let _ = ctx