CLDSRV-774: Add aclRequired field to server access logs

aclRequired indicates whether the request required an ACL for
authorization.

It is "Yes" when no bucket policy exists or when the bucket policy
returns DEFAULT_DENY, falling back to ACL evaluation.
It is "-" for owner requests, service accounts, and requests decided
by IAM or bucket policy alone.

For copy operations, the source bucket auth runs on the same request
object and would overwrite the destination's aclRequired. The value
is saved before source auth, then moved to sourceServerAccessLog and
the destination's value is restored.

Author: dvasilas

lib/api/apiUtils/authorization/permissionChecks.js

@@ -509,8 +509,10 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
     request, aclPermission, results, actionImplicitDenies) {
     const bucketPolicy = bucket.getBucketPolicy();
     let processedResult = results[requestType];
+    let aclRequired = false;
     if (!bucketPolicy || request?.bypassUserBucketPolicies) {
         processedResult = actionImplicitDenies[requestType] === false && aclPermission;
+        aclRequired = true;
     } else {
         const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, canonicalID, arn,
             bucketOwner, log, request, actionImplicitDenies);
@@ -525,9 +527,10 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
             processedResult = true;
         } else {
             processedResult = actionImplicitDenies[requestType] === false && aclPermission;
+            aclRequired = true;
         }
     }
-    return processedResult;
+    return { allowed: processedResult, aclRequired };
 }
 
 function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, log, request,
@@ -564,8 +567,13 @@ function isBucketAuthorized(bucket, requestTypesInput, canonicalID, authInfo, lo
             _requestType = 'objectGet';
             actionImplicitDenies.objectGet = actionImplicitDenies.objectGet || false;
         }
-        return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
-            request, aclPermission, results, actionImplicitDenies);
+        const { allowed, aclRequired } = processBucketPolicy(_requestType, bucket, canonicalID, arn,
+            bucket.getOwner(), log, request, aclPermission, results, actionImplicitDenies);
+        if (aclRequired && request?.serverAccessLog) {
+            // eslint-disable-next-line no-param-reassign
+            request.serverAccessLog.aclRequired = 'Yes';
+        }
+        return allowed;
     });
 }
 
@@ -582,8 +590,9 @@ function evaluateBucketPolicyWithIAM(bucket, requestTypesInput, canonicalID, aut
         if (authInfo) {
             arn = authInfo.getArn();
         }
-        return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
+        const { allowed } = processBucketPolicy(_requestType, bucket, canonicalID, arn, bucket.getOwner(), log,
             request, true, results, actionImplicitDenies);
+        return allowed;
     });
 }
 
@@ -641,8 +650,13 @@ function isObjAuthorized(bucket, objectMD, requestTypesInput, canonicalID, authI
         }
         const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
             canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
-        return processBucketPolicy(_requestType, bucket, canonicalID, arn, bucketOwner,
+        const { allowed, aclRequired } = processBucketPolicy(_requestType, bucket, canonicalID, arn, bucketOwner,
             log, request, aclPermission, results, actionImplicitDenies);
+        if (aclRequired && request?.serverAccessLog) {
+            // eslint-disable-next-line no-param-reassign
+            request.serverAccessLog.aclRequired = 'Yes';
+        }
+        return allowed;
     });
 }
 

lib/metadata/metadataUtils.js

@@ -50,6 +50,11 @@ function storeServerAccessLogInfo(request, bucket, raftSessionId, options = {})
             target.enabled = true;
             target.loggingEnabled = bucket.getBucketLoggingStatus().getLoggingEnabled();
         }
+        // Source auth runs on the same request object and overwrites the
+        // destination's aclRequired. Move the source value to its log entry
+        // and restore the destination value that was saved before source auth.
+        target.aclRequired = request.serverAccessLog.aclRequired;
+        request.serverAccessLog.aclRequired = options.savedAclRequired;
     } else {
         // Default behavior: store in main serverAccessLog
         request.serverAccessLog.raftSessionID = raftSessionId;
@@ -326,6 +331,10 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
     if (!Array.isArray(requestType)) {
         requestType = [requestType];
     }
+    if (params.serverAccessLogOptions?.copySource) {
+        // eslint-disable-next-line no-param-reassign
+        params.serverAccessLogOptions.savedAclRequired = request?.serverAccessLog?.aclRequired;
+    }
     async.waterfall([
         next => {
             // versionId may be 'null', which asks metadata to fetch the null key specifically

lib/utilities/serverAccessLogger.js

@@ -495,7 +495,7 @@ function buildLogEntry(req, params, options) {
         tlsVersion: req.socket?.encrypted
             ? req.socket.getCipher()['version']
             : req.headers?.['x-ssl-protocol'] ?? undefined,
-        aclRequired: options.aclRequired ?? undefined,  // TODO: CLDSRV-774
+        aclRequired: options.aclRequired ?? undefined,
         // hostID: undefined,         // NOT IMPLEMENTED
         // accessPointARN: undefined, // NOT IMPLEMENTED
 
@@ -557,6 +557,7 @@ function logBatchDeleteObject(req, requestID, objectKey, objectSize, error) {
         errorCode,
         objectKey,
         requestID,
+        aclRequired: req.serverAccessLog?.aclRequired,
     });
 
     serverAccessLogger.write(`${JSON.stringify(logEntry)}\n`);
@@ -589,7 +590,7 @@ function logServerAccess(req, res) {
         totalTime: calculateTotalTime(params.startTime, params.onFinishEndTime),
         turnAroundTime: calculateTurnAroundTime(params.startTurnAroundTime, endTurnAroundTime),
         versionId: req.query?.versionId,
-        aclRequired: undefined, // TODO: CLDSRV-774
+        aclRequired: req.serverAccessLog.aclRequired,
         referer: req.headers?.referer,
         userAgent: req.headers?.['user-agent'],
         requestID,
@@ -659,6 +660,7 @@ function logCopySourceAccess(req, requestID, operation, sourceBucket, sourceObje
         httpCode,
         errorCode,
         requestID,
+        aclRequired: params.aclRequired,
     });
 
     serverAccessLogger.write(`${JSON.stringify(logEntry)}\n`);