CLDSRV-774: Add aclRequired field tests

dvasilas · dvasilas · commit cdfe3cc956cf · 2026-04-09T12:29:52.000+03:00
diff --git a/tests/functional/aws-node-sdk/test/serverAccessLogs/testServerAccessLogFile.js b/tests/functional/aws-node-sdk/test/serverAccessLogs/testServerAccessLogFile.js
@@ -143,7 +143,7 @@ describe('Server Access Logs - File Output', async () => {
             'authenticationType': 'AuthHeader', // STATIC
             // 'hostHeader': '', // UNKNOWN
             'tlsVersion': null, // TODO: Add https tests.
-            'aclRequired': null, // TODO: Add https tests.
+            'aclRequired': null, // DYNAMIC (absent for owner, "Yes" when ACL is consulted)
             'bucketOwner': '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be', // DYNAMIC
             bucketName, // DYNAMIC
             // 'req_id': '', // UNKNOWN
diff --git a/tests/unit/api/apiUtils/permissionChecks.js b/tests/unit/api/apiUtils/permissionChecks.js
@@ -1,11 +1,15 @@
 const assert = require('assert');
 
-const { isLifecycleSession, checkBucketPolicyResult, checkBucketPolicy } =
+const { isLifecycleSession, checkBucketPolicyResult, checkBucketPolicy,
+    isBucketAuthorized, isObjAuthorized, evaluateBucketPolicyWithIAM } =
     require('../../../../lib/api/apiUtils/authorization/permissionChecks.js');
 const { DummyRequestLogger } = require('../../helpers');
 
 const stubLog = new DummyRequestLogger();
 
+const ownerCanonicalId = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
+const otherCanonicalId = 'aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhh1';
+
 describe('authInfoHelper', () => {
     const tests = [
         {
@@ -708,3 +712,214 @@ describe('checkBucketPolicy Principal logic', () => {
         });
     });
 });
+
+describe('aclRequired field in isBucketAuthorized', () => {
+    function makeBucket(owner, acl, bucketPolicy) {
+        return {
+            getOwner: () => owner,
+            getAcl: () => ({
+                Canned: acl?.Canned || '',
+                FULL_CONTROL: acl?.FULL_CONTROL || [],
+                READ: acl?.READ || [],
+                READ_ACP: acl?.READ_ACP || [],
+                WRITE: acl?.WRITE || [],
+                WRITE_ACP: acl?.WRITE_ACP || [],
+            }),
+            getBucketPolicy: () => bucketPolicy || null,
+        };
+    }
+
+    function makeRequest() {
+        return { serverAccessLog: {}, socket: { remoteAddress: '127.0.0.1' }, headers: {} };
+    }
+
+    function makeAuthInfo(canonicalID, arn, isIAMUser = false) {
+        return {
+            getCanonicalID: () => canonicalID,
+            getArn: () => arn,
+            isRequesterAnIAMUser: () => isIAMUser,
+        };
+    }
+
+    it('should not set aclRequired when requester is bucket owner', () => {
+        const request = makeRequest();
+        const bucket = makeBucket(ownerCanonicalId);
+        const authInfo = makeAuthInfo(ownerCanonicalId, 'arn:aws:iam::123456789012:/owner/');
+        isBucketAuthorized(bucket, 'bucketGet', ownerCanonicalId, authInfo, stubLog,
+            request, { bucketGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+
+    it('should set aclRequired to Yes for non-owner with no bucket policy', () => {
+        const request = makeRequest();
+        const bucket = makeBucket(ownerCanonicalId, { READ: [otherCanonicalId] });
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:user/other');
+        isBucketAuthorized(bucket, 'bucketGet', otherCanonicalId, authInfo, stubLog,
+            request, { bucketGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, 'Yes');
+    });
+
+    it('should not set aclRequired when bucket policy explicitly allows', () => {
+        const request = makeRequest();
+        // Use an IAM user in the bucket owner's account so principal match is OK (not CROSS_ACCOUNT)
+        // and the owner early-return doesn't fire (requester is IAM user, not account root)
+        const iamUserCanonicalId = ownerCanonicalId;
+        const bucket = makeBucket(ownerCanonicalId, {}, {
+            Statement: [{
+                Effect: 'Allow',
+                Principal: { AWS: 'arn:aws:iam::123456789012:user/iamuser' },
+                Action: ['s3:ListBucket'],
+                Resource: ['arn:aws:s3:::test-bucket'],
+            }],
+        });
+        const authInfo = makeAuthInfo(iamUserCanonicalId, 'arn:aws:iam::123456789012:user/iamuser', true);
+        isBucketAuthorized(bucket, 'bucketGet', iamUserCanonicalId, authInfo, stubLog,
+            request, { bucketGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+
+    it('should not set aclRequired when bucket policy explicitly denies', () => {
+        const request = makeRequest();
+        const iamUserCanonicalId = ownerCanonicalId;
+        const bucket = makeBucket(ownerCanonicalId, { READ: [iamUserCanonicalId] }, {
+            Statement: [{
+                Effect: 'Deny',
+                Principal: { AWS: 'arn:aws:iam::123456789012:user/iamuser' },
+                Action: ['s3:ListBucket'],
+                Resource: ['arn:aws:s3:::test-bucket'],
+            }],
+        });
+        const authInfo = makeAuthInfo(iamUserCanonicalId, 'arn:aws:iam::123456789012:user/iamuser', true);
+        isBucketAuthorized(bucket, 'bucketGet', iamUserCanonicalId, authInfo, stubLog,
+            request, { bucketGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+
+    it('should set aclRequired to Yes when bucket policy returns DEFAULT_DENY', () => {
+        const request = makeRequest();
+        // Policy grants PutObject to a different principal — nothing matches
+        // the bucketGet request from otherCanonicalId, so checkBucketPolicy
+        // returns DEFAULT_DENY and falls back to ACL evaluation.
+        const bucket = makeBucket(ownerCanonicalId, { READ: [otherCanonicalId] }, {
+            Statement: [{
+                Effect: 'Allow',
+                Principal: { AWS: 'arn:aws:iam::111111111111:root' },
+                Action: ['s3:PutObject'],
+                Resource: ['arn:aws:s3:::test-bucket/*'],
+            }],
+        });
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:user/other');
+        isBucketAuthorized(bucket, 'bucketGet', otherCanonicalId, authInfo, stubLog,
+            request, { bucketGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, 'Yes');
+    });
+
+    it('should handle missing serverAccessLog gracefully', () => {
+        const request = {};
+        const bucket = makeBucket(ownerCanonicalId, { READ: [otherCanonicalId] });
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:user/other');
+        assert.doesNotThrow(() => {
+            isBucketAuthorized(bucket, 'bucketGet', otherCanonicalId, authInfo, stubLog,
+                request, { bucketGet: false });
+        });
+    });
+});
+
+describe('aclRequired field in isObjAuthorized', () => {
+    function makeBucket(owner, acl, bucketPolicy) {
+        return {
+            getOwner: () => owner,
+            getName: () => 'test-bucket',
+            getAcl: () => ({
+                Canned: acl?.Canned || '',
+                FULL_CONTROL: acl?.FULL_CONTROL || [],
+                READ: acl?.READ || [],
+                READ_ACP: acl?.READ_ACP || [],
+                WRITE: acl?.WRITE || [],
+                WRITE_ACP: acl?.WRITE_ACP || [],
+            }),
+            getBucketPolicy: () => bucketPolicy || null,
+        };
+    }
+
+    function makeRequest() {
+        return { serverAccessLog: {} };
+    }
+
+    function makeAuthInfo(canonicalID, arn) {
+        return {
+            getCanonicalID: () => canonicalID,
+            getArn: () => arn,
+            isRequesterAnIAMUser: () => false,
+        };
+    }
+
+    function makeObjectMD(ownerId) {
+        return {
+            'owner-id': ownerId,
+            acl: {
+                Canned: '',
+                FULL_CONTROL: [],
+                READ: [],
+                READ_ACP: [],
+                WRITE: [],
+                WRITE_ACP: [],
+            },
+        };
+    }
+
+    it('should not set aclRequired when requester is object owner', () => {
+        const request = makeRequest();
+        const bucket = makeBucket(ownerCanonicalId);
+        const objectMD = makeObjectMD(otherCanonicalId);
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:/account/');
+        isObjAuthorized(bucket, objectMD, 'objectGet', otherCanonicalId, authInfo, stubLog,
+            request, { objectGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+
+    it('should set aclRequired to Yes for non-owner with no bucket policy', () => {
+        const request = makeRequest();
+        const bucket = makeBucket(ownerCanonicalId);
+        const objectMD = makeObjectMD(ownerCanonicalId);
+        objectMD.acl.READ = [otherCanonicalId];
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:user/other');
+        isObjAuthorized(bucket, objectMD, 'objectGet', otherCanonicalId, authInfo, stubLog,
+            request, { objectGet: false });
+        assert.strictEqual(request.serverAccessLog.aclRequired, 'Yes');
+    });
+});
+
+describe('aclRequired field in evaluateBucketPolicyWithIAM', () => {
+    function makeBucket(owner, bucketPolicy) {
+        return {
+            getOwner: () => owner,
+            getAcl: () => ({
+                Canned: '',
+                FULL_CONTROL: [],
+                READ: [],
+                READ_ACP: [],
+                WRITE: [],
+                WRITE_ACP: [],
+            }),
+            getBucketPolicy: () => bucketPolicy || null,
+        };
+    }
+
+    function makeAuthInfo(canonicalID, arn) {
+        return {
+            getCanonicalID: () => canonicalID,
+            getArn: () => arn,
+            isRequesterAnIAMUser: () => false,
+        };
+    }
+
+    it('should not set aclRequired (ACLs are not actually consulted)', () => {
+        const request = { serverAccessLog: {} };
+        const bucket = makeBucket(ownerCanonicalId);
+        const authInfo = makeAuthInfo(otherCanonicalId, 'arn:aws:iam::999999999999:user/other');
+        evaluateBucketPolicyWithIAM(bucket, 'objectDelete', otherCanonicalId, authInfo,
+            { objectDelete: false }, stubLog, request);
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+});
diff --git a/tests/unit/metadata/metadataUtils.spec.js b/tests/unit/metadata/metadataUtils.spec.js
@@ -18,6 +18,7 @@ const {
     validateBucket,
     metadataGetObjects,
     metadataGetObject,
+    storeServerAccessLogInfo,
 } = require('../../../lib/metadata/metadataUtils');
 const metadata = require('../../../lib/metadata/wrapper');
 
@@ -150,3 +151,35 @@ describe('metadataGetObject', () => {
         });
     });
 });
+
+describe('storeServerAccessLogInfo - copySource aclRequired', () => {
+    it('should move source aclRequired to sourceServerAccessLog and restore destination value', () => {
+        // Destination auth set aclRequired='Yes', then source auth ran on the
+        // same request object and did not set aclRequired (owner on source).
+        const request = {
+            serverAccessLog: {},
+        };
+        const options = {
+            copySource: true,
+            savedAclRequired: 'Yes',
+        };
+        storeServerAccessLogInfo(request, null, null, options);
+        assert.strictEqual(request.sourceServerAccessLog.aclRequired, undefined);
+        assert.strictEqual(request.serverAccessLog.aclRequired, 'Yes');
+    });
+
+    it('should swap aclRequired when source auth also required ACL check', () => {
+        // Destination auth did not set aclRequired (owner on dest), then
+        // source auth set aclRequired='Yes' on the same request object.
+        const request = {
+            serverAccessLog: { aclRequired: 'Yes' },
+        };
+        const options = {
+            copySource: true,
+            savedAclRequired: undefined,
+        };
+        storeServerAccessLogInfo(request, null, null, options);
+        assert.strictEqual(request.sourceServerAccessLog.aclRequired, 'Yes');
+        assert.strictEqual(request.serverAccessLog.aclRequired, undefined);
+    });
+});
diff --git a/tests/unit/utils/serverAccessLogger.js b/tests/unit/utils/serverAccessLogger.js
@@ -1231,6 +1231,46 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual('loggingEnabled' in loggedData, true);
         });
 
+        it('should log aclRequired as Yes when set on request', () => {
+            setServerAccessLogger(mockLogger);
+            const req = {
+                serverAccessLog: {
+                    aclRequired: 'Yes',
+                },
+                headers: {},
+                socket: {},
+            };
+            const res = {
+                serverAccessLog: {},
+                getHeader: () => null,
+            };
+
+            logServerAccess(req, res);
+
+            assert.strictEqual(mockLogger.write.callCount, 1);
+            const loggedData = JSON.parse(mockLogger.write.firstCall.args[0].trim());
+            assert.strictEqual(loggedData.aclRequired, 'Yes');
+        });
+
+        it('should omit aclRequired when not set on request', () => {
+            setServerAccessLogger(mockLogger);
+            const req = {
+                serverAccessLog: {},
+                headers: {},
+                socket: {},
+            };
+            const res = {
+                serverAccessLog: {},
+                getHeader: () => null,
+            };
+
+            logServerAccess(req, res);
+
+            assert.strictEqual(mockLogger.write.callCount, 1);
+            const loggedData = JSON.parse(mockLogger.write.firstCall.args[0].trim());
+            assert.strictEqual('aclRequired' in loggedData, false);
+        });
+
         it('should include error code when present', () => {
             setServerAccessLogger(mockLogger);
             const req = {
