_isRootUser comments, check arn length, replace at method

leif-scality · leif-scality · commit 739faa33a085 · 2025-07-09T11:03:05.000+02:00
diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -278,6 +278,11 @@ function _isAccountId(principal) {
     return (principal.length === 12 && /^\d+$/.test(principal));
 }
 
+/**
+ * Checks if the ARN represents a root user account
+ * @param {string} arn - The ARN to check
+ * @returns {boolean} True if root user, false otherwise
+ */
 function _isRootUser(arn) {
     if (!arn) {
         return false;
@@ -286,7 +291,11 @@ function _isRootUser(arn) {
     // Vault returns the following arn when the account makes requests 'arn:aws:iam::295412255825:/master/',
     // with an empty resource type ('user/' prefix missing).
     const arns = arn.split(':');
-    const resource = arns.at(-1);
+    if (arns.length < 6) {
+        return false
+    }
+
+    const resource = arns[arns.length - 1];
 
     // If we start with '/' is because we have a empty resource type so we know it is a root account.
     if (resource.startsWith('/')) {
@@ -303,6 +312,8 @@ function _isRootUser(arn) {
  * @return {checkPrincipalResult} OK if it is not cross-account, CROSS_ACCOUNT_OK otherwise.
  */
 function _checkCrossAccount(requesterARN, requesterCanonicalID, bucketOwnerCanonicalID) {
+    // Vault returns ARNs like 'arn:aws:iam::123456789012:/master/' for root accounts
+    // with an empty resource type (missing 'user/' prefix)
     if (!_isRootUser(requesterARN)) {
         return bucketOwnerCanonicalID === requesterCanonicalID ?
             checkPrincipalResult.OK : checkPrincipalResult.CROSS_ACCOUNT_OK;
