diff options
| author | Alex <alex@adnab.me> | 2022-12-12 14:55:12 +0000 |
|---|---|---|
| committer | Alex <alex@adnab.me> | 2022-12-12 14:55:12 +0000 |
| commit | f7c65e830e66c9887d989a8281d8fae7f76f9c8c (patch) | |
| tree | 1ee78730b1f7cb9d9c3fc4e93edfb7292e6a92f6 | |
| parent | 980572a8872c56ea9572ff03579ebb9a65013775 (diff) | |
| parent | 0e61e3b6fbe00e518225d851b04b47f6f1ba07a6 (diff) | |
| download | garage-f7c65e830e66c9887d989a8281d8fae7f76f9c8c.tar.gz garage-f7c65e830e66c9887d989a8281d8fae7f76f9c8c.zip | |
Merge pull request 'Properly enforce allow_create_bucket' (#447) from fix-allow-create-bucket into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/447
| -rw-r--r-- | src/api/s3/bucket.rs | 9 | ||||
| -rw-r--r-- | src/garage/tests/bucket.rs | 22 | ||||
| -rw-r--r-- | src/garage/tests/s3/streaming_signature.rs | 8 |
3 files changed, 39 insertions, 0 deletions
diff --git a/src/api/s3/bucket.rs b/src/api/s3/bucket.rs index 3ac6a6ec..8471385f 100644 --- a/src/api/s3/bucket.rs +++ b/src/api/s3/bucket.rs @@ -161,6 +161,15 @@ pub async fn handle_create_bucket( return Err(CommonError::BucketAlreadyExists.into()); } } else { + // Check user is allowed to create bucket + if !key_params.allow_create_bucket.get() { + return Err(CommonError::Forbidden(format!( + "Access key {} is not allowed to create buckets", + api_key.key_id + )) + .into()); + } + // Create the bucket! if !is_valid_bucket_name(&bucket_name) { return Err(Error::bad_request(format!( diff --git a/src/garage/tests/bucket.rs b/src/garage/tests/bucket.rs index b32af068..9c363013 100644 --- a/src/garage/tests/bucket.rs +++ b/src/garage/tests/bucket.rs @@ -1,4 +1,5 @@ use crate::common; +use crate::common::ext::CommandExt; use aws_sdk_s3::model::BucketLocationConstraint; use aws_sdk_s3::output::DeleteBucketOutput; @@ -8,6 +9,27 @@ async fn test_bucket_all() { let bucket_name = "hello"; { + // Check bucket cannot be created if not authorized + ctx.garage + .command() + .args(["key", "deny"]) + .args(["--create-bucket", &ctx.garage.key.id]) + .quiet() + .expect_success_output("Could not deny key to create buckets"); + + // Try create bucket, should fail + let r = ctx.client.create_bucket().bucket(bucket_name).send().await; + assert!(r.is_err()); + } + { + // Now allow key to create bucket + ctx.garage + .command() + .args(["key", "allow"]) + .args(["--create-bucket", &ctx.garage.key.id]) + .quiet() + .expect_success_output("Could not deny key to create buckets"); + // Create bucket //@TODO check with an invalid bucket name + with an already existing bucket let r = ctx diff --git a/src/garage/tests/s3/streaming_signature.rs b/src/garage/tests/s3/streaming_signature.rs index c68f7dfc..48da7607 100644 --- a/src/garage/tests/s3/streaming_signature.rs +++ b/src/garage/tests/s3/streaming_signature.rs @@ -1,6 +1,7 @@ use std::collections::HashMap; use crate::common; +use crate::common::ext::CommandExt; use common::custom_requester::BodySignature; use hyper::Method; @@ -105,6 +106,13 @@ async fn test_create_bucket_streaming() { let ctx = common::context(); let bucket = "createbucket-streaming"; + ctx.garage + .command() + .args(["key", "allow"]) + .args(["--create-bucket", &ctx.garage.key.id]) + .quiet() + .expect_success_output("Could not allow key to create buckets"); + { // create bucket let _ = ctx |