authorAlex <alex@adnab.me>2022-12-12 14:55:12 +0000
committerAlex <alex@adnab.me>2022-12-12 14:55:12 +0000
commitf7c65e830e66c9887d989a8281d8fae7f76f9c8c (patch)
tree1ee78730b1f7cb9d9c3fc4e93edfb7292e6a92f6
parent980572a8872c56ea9572ff03579ebb9a65013775 (diff)
parent0e61e3b6fbe00e518225d851b04b47f6f1ba07a6 (diff)
Merge pull request 'Properly enforce allow_create_bucket' (#447) from fix-allow-create-bucket into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/447
-rw-r--r--src/api/s3/bucket.rs9
-rw-r--r--src/garage/tests/bucket.rs22
-rw-r--r--src/garage/tests/s3/streaming_signature.rs8
3 files changed, 39 insertions, 0 deletions
diff --git a/src/api/s3/bucket.rs b/src/api/s3/bucket.rs
index 3ac6a6ec..8471385f 100644
--- a/src/api/s3/bucket.rs
+++ b/src/api/s3/bucket.rs
@@ -161,6 +161,15 @@ pub async fn handle_create_bucket(
return Err(CommonError::BucketAlreadyExists.into());
}
} else {
+ // Check user is allowed to create bucket
+ if !key_params.allow_create_bucket.get() {
+ return Err(CommonError::Forbidden(format!(
+ "Access key {} is not allowed to create buckets",
+ api_key.key_id
+ ))
+ .into());
+ }
+
// Create the bucket!
if !is_valid_bucket_name(&bucket_name) {
return Err(Error::bad_request(format!(
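Review bot: The new permission check sits only in the `else` branch, so it runs only when the bucket name is not already taken; a request for an existing name returns from the branch above (`BucketAlreadyExists` is visible there) without consulting `allow_create_bucket`. That may be intended, but a key without the create permission then gets different answers for taken and free names, and the code does not say so. I would extend the comment to `// Bucket does not exist yet: check the key may create one (existing buckets are handled above and never reach this check)`. Running the check before `is_valid_bucket_name` is the right order, since a denied key then learns nothing about name validation. `handle_create_bucket` starts and ends outside this hunk, so the existing-bucket path cannot be confirmed from here.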
diff --git a/src/garage/tests/bucket.rs b/src/garage/tests/bucket.rs
index b32af068..9c363013 100644
--- a/src/garage/tests/bucket.rs
+++ b/src/garage/tests/bucket.rs
@@ -1,4 +1,5 @@
use crate::common;
+use crate::common::ext::CommandExt;
use aws_sdk_s3::model::BucketLocationConstraint;
use aws_sdk_s3::output::DeleteBucketOutput;
@@ -8,6 +9,27 @@ async fn test_bucket_all() {
let bucket_name = "hello";
{
+ // Check bucket cannot be created if not authorized
+ ctx.garage
+ .command()
+ .args(["key", "deny"])
+ .args(["--create-bucket", &ctx.garage.key.id])
+ .quiet()
+ .expect_success_output("Could not deny key to create buckets");
+
+ // Try create bucket, should fail
+ let r = ctx.client.create_bucket().bucket(bucket_name).send().await;
+ assert!(r.is_err());
+ }
+ {
+ // Now allow key to create bucket
+ ctx.garage
+ .command()
+ .args(["key", "allow"])
+ .args(["--create-bucket", &ctx.garage.key.id])
+ .quiet()
+ .expect_success_output("Could not deny key to create buckets");
+
// Create bucket
//@TODO check with an invalid bucket name + with an already existing bucket
let r = ctx
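Review bot: `assert!(r.is_err())` passes on any failure, including a connection or signing error, so the test does not prove that the request was refused by the new `allow_create_bucket` check. It should assert that the error is the forbidden / 403 response. In the second block the failure message is a copy of the first and should read `.expect_success_output("Could not allow key to create buckets");`. The block that creates the bucket continues past the end of this hunk.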
diff --git a/src/garage/tests/s3/streaming_signature.rs b/src/garage/tests/s3/streaming_signature.rs
index c68f7dfc..48da7607 100644
--- a/src/garage/tests/s3/streaming_signature.rs
+++ b/src/garage/tests/s3/streaming_signature.rs
@@ -1,6 +1,7 @@
use std::collections::HashMap;
use crate::common;
+use crate::common::ext::CommandExt;
use common::custom_requester::BodySignature;
use hyper::Method;
@@ -105,6 +106,13 @@ async fn test_create_bucket_streaming() {
let ctx = common::context();
let bucket = "createbucket-streaming";
+ ctx.garage
+ .command()
+ .args(["key", "allow"])
+ .args(["--create-bucket", &ctx.garage.key.id])
+ .quiet()
+ .expect_success_output("Could not allow key to create buckets");
+
{
// create bucket
let _ = ctx
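Review bot: This setup call and the `key deny` in `tests/bucket.rs` both act on `ctx.garage.key.id`, so the two tests may depend on each other's state. If `common::context()` hands every test the same Garage instance and key (not visible here), they can interleave under the default parallel test runner and the create below may fail intermittently with a forbidden error. A dedicated key for the deny test would remove the coupling. Failing that, a comment here such as `// test_bucket_all temporarily denies create-bucket on this shared key; re-allow before creating` would make the assumption explicit. The test body continues outside the hunk.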