Merge branch 'w/8.8/bugfix/CLDSRV-616' into tmp/octopus/w/9.0/bugfix/CLDSRV-616

bert-e · bert-e · commit e1ccae89bbae · 2025-02-25T14:47:57.000Z
diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -282,6 +282,10 @@ function _checkPrincipal(requester, principal) {
     if (principal === '*') {
         return true;
     }
+    // User in unauthenticated (anonymous request)
+    if (requester === undefined) {
+        return false;
+    }
     if (principal === requester) {
         return true;
     }
diff --git a/tests/unit/api/bucketPolicyAuth.js b/tests/unit/api/bucketPolicyAuth.js
@@ -1,5 +1,6 @@
 const assert = require('assert');
 const { BucketInfo, BucketPolicy } = require('arsenal').models;
+const AuthInfo = require('arsenal').auth.AuthInfo;
 const constants = require('../../../constants');
 const { isBucketAuthorized, isObjAuthorized, validatePolicyResource }
     = require('../../../lib/api/apiUtils/authorization/permissionChecks');
@@ -35,6 +36,9 @@ const basePolicyObj = {
 };
 const bucketName = 'matchme';
 const log = new DummyRequestLogger();
+const publicUserAuthInfo = new AuthInfo({
+    canonicalID: constants.publicId,
+});
 
 const authTests = [
     {
@@ -292,11 +296,21 @@ describe('bucket policy authorization', () => {
         it('should allow access to public user if principal is set to "*"',
         done => {
             const allowed = isBucketAuthorized(bucket, bucAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
             assert.equal(allowed, true);
             done();
         });
 
+        it('should deny access to public user if principal is not set to "*"', function itFn(done) {
+            const newPolicy = this.test.basePolicy;
+            newPolicy.Statement[0].Principal = { AWS: authInfo.getArn() };
+            bucket.setBucketPolicy(newPolicy);
+            const allowed = isBucketAuthorized(bucket, bucAction,
+                constants.publicId, publicUserAuthInfo, log);
+            assert.equal(allowed, false);
+            done();
+        });
+
         authTests.forEach(t => {
             it(`${t.name}bucket owner`, function itFn(done) {
                 const newPolicy = this.test.basePolicy;
@@ -376,7 +390,7 @@ describe('bucket policy authorization', () => {
         it('should allow access to public user if principal is set to "*"',
         done => {
             const allowed = isObjAuthorized(bucket, object, objAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
             assert.equal(allowed, true);
             done();
         });

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,10 @@ function _checkPrincipal(requester, principal) {`
`282`	`282`	`if (principal === '*') {`
`283`	`283`	`return true;`
`284`	`284`	`}`
	`285`	`+ // User in unauthenticated (anonymous request)`
	`286`	`+ if (requester === undefined) {`
	`287`	`+ return false;`
	`288`	`+ }`
`285`	`289`	`if (principal === requester) {`
`286`	`290`	`return true;`
`287`	`291`	`}`