From d6df9b16ac537288eef5be2fc5ff22a43afd9400 Mon Sep 17 00:00:00 2001
From: Krishna Srinivas <634494+krishnasrinivas@users.noreply.github.com>
Date: Tue, 1 May 2018 23:43:27 -0700
Subject: [PATCH] Return NoSuchKey for anonReqs with s3:ListBucket policy (#5876)
---
 cmd/object-handlers.go | 50 ++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 7b7f4f85f..17ee7ab6a 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -79,35 +79,36 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
 return
 }
- if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
- writeErrorResponse(w, s3Error, r.URL)
- return
- }
-
 getObjectInfo := objectAPI.GetObjectInfo
 if api.CacheAPI() != nil {
 getObjectInfo = api.CacheAPI().GetObjectInfo
 }
- objInfo, err := getObjectInfo(ctx, bucket, object)
- if err != nil {
- apiErr := toAPIErrorCode(err)
- if apiErr == ErrNoSuchKey && getRequestAuthType(r) == authTypeAnonymous {
+ if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
+ if getRequestAuthType(r) == authTypeAnonymous {
 // As per "Permission" section in https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
 // If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
 // * If you have the s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error.
 // * if you don’t have the s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.`
- if !globalPolicySys.IsAllowed(policy.Args{
+ if globalPolicySys.IsAllowed(policy.Args{
 Action: policy.ListBucketAction,
 BucketName: bucket,
 ConditionValues: getConditionValues(r, ""),
 IsOwner: false,
 }) {
- apiErr = ErrAccessDenied
+ _, err := getObjectInfo(ctx, bucket, object)
+ if toAPIErrorCode(err) == ErrNoSuchKey {
+ s3Error = ErrNoSuchKey
+ }
 }
 }
+ writeErrorResponse(w, s3Error, r.URL)
+ return
+ }
- writeErrorResponse(w, apiErr, r.URL)
+ objInfo, err := getObjectInfo(ctx, bucket, object)
+ if err != nil {
+ writeErrorResponse(w, toAPIErrorCode(err), r.URL)
 return
 }
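Review bot: The anonymous s3:ListBucket branch added here is repeated verbatim in HeadObjectHandler in the next hunk (only the doc URL and the error writer differ), so the two handlers will drift the next time this rule is touched; move the policy check and existence probe into one helper and have both handlers call it. The helper is also the place to record why the order matters: the bucket policy is consulted before `getObjectInfo` is called, so anonymous callers without ListBucket never trigger a backend lookup and cannot learn whether a key exists, and any probe outcome other than a missing key keeps the caller's original denial rather than surfacing the backend error. As written, the `_, err := getObjectInfo(ctx, bucket, object)` result is dropped without a comment when it is neither nil nor NoSuchKey, which a reader will otherwise take for an oversight. Both handler bodies start and end outside their hunks.
```go
// anonMissingKeyWithListBucket reports whether an anonymous request that was
// denied s3:GetObject should instead see NoSuchKey: the bucket policy grants
// s3:ListBucket and the key is absent. The policy check runs first so callers
// without ListBucket never reach the backend probe; any probe outcome other
// than a missing key (object present, backend error) keeps the original denial.
func anonMissingKeyWithListBucket(r *http.Request, bucket string, probe func() error) bool {
	if !globalPolicySys.IsAllowed(policy.Args{
		Action:          policy.ListBucketAction,
		BucketName:      bucket,
		ConditionValues: getConditionValues(r, ""),
		IsOwner:         false,
	}) {
		return false
	}
	return toAPIErrorCode(probe()) == ErrNoSuchKey
}

// … in GetObjectHandler; HeadObjectHandler is identical apart from the error writer …
if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
	if getRequestAuthType(r) == authTypeAnonymous && anonMissingKeyWithListBucket(r, bucket, func() error {
		_, err := getObjectInfo(ctx, bucket, object)
		return err
	}) {
		s3Error = ErrNoSuchKey
	}
	writeErrorResponse(w, s3Error, r.URL)
	return
}
```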
@@ -227,35 +228,36 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
 return
 }
- if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
- writeErrorResponseHeadersOnly(w, s3Error)
- return
- }
-
 getObjectInfo := objectAPI.GetObjectInfo
 if api.CacheAPI() != nil {
 getObjectInfo = api.CacheAPI().GetObjectInfo
 }
- objInfo, err := getObjectInfo(ctx, bucket, object)
- if err != nil {
- apiErr := toAPIErrorCode(err)
- if apiErr == ErrNoSuchKey && getRequestAuthType(r) == authTypeAnonymous {
+ if s3Error := checkRequestAuthType(ctx, r, policy.GetObjectAction, bucket, object); s3Error != ErrNone {
+ if getRequestAuthType(r) == authTypeAnonymous {
 // As per "Permission" section in https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html
 // If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
 // * If you have the s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error.
 // * if you don’t have the s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.`
- if !globalPolicySys.IsAllowed(policy.Args{
+ if globalPolicySys.IsAllowed(policy.Args{
 Action: policy.ListBucketAction,
 BucketName: bucket,
 ConditionValues: getConditionValues(r, ""),
 IsOwner: false,
 }) {
- apiErr = ErrAccessDenied
+ _, err := getObjectInfo(ctx, bucket, object)
+ if toAPIErrorCode(err) == ErrNoSuchKey {
+ s3Error = ErrNoSuchKey
+ }
 }
 }
+ writeErrorResponseHeadersOnly(w, s3Error)
+ return
+ }
- writeErrorResponseHeadersOnly(w, apiErr)
+ objInfo, err := getObjectInfo(ctx, bucket, object)
+ if err != nil {
+ writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
 return
 }