CLDSRV-674: handle cross-account bucket policies

[leif-scality]

Handle cross account cases when using bucket policies

https://scality.atlassian.net/browse/S3C-9896

[bert-e]

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[ghost]

to avoid nested if/for and duplication we should be able to use a helper function

something like:

function _findBestPrincipalMatch(principalArray, checkFunc) {
    let bestMatch = checkPrincipalResult.KO;
    if (!principalArray) {
        return bestMatch;
    }

    const principals = Array.isArray(principalArray) ? principalArray : [principalArray];

    for (const p of principals) {
        const result = checkFunc(p);
        if (result === checkPrincipalResult.OK) {
            return checkPrincipalResult.OK; // Highest permission, can exit early
        }
        if (result > bestMatch) {
            bestMatch = result;
        }
    }
    return bestMatch;
}

function _checkPrincipals(canonicalID, arn, principal, bucketOwnerCanonicalID) {
    if (principal === '*') {
        // Handle anonymous or authenticated wildcard
        if (arn === undefined) {
            return checkPrincipalResult.OK;
        }
        return _getPermissionLevel(arn, bucketOwnerCanonicalID, canonicalID); // Assuming _getPermissionLevel is refactored
    }

    if (principal.CanonicalUser) {
        return _findBestPrincipalMatch(principal.CanonicalUser, p =>
            _checkPrincipal(canonicalID, p, bucketOwnerCanonicalID, canonicalID));
    }

    if (principal.AWS) {
        return _findBestPrincipalMatch(principal.AWS, p =>
            _checkPrincipal(arn, p, bucketOwnerCanonicalID, canonicalID));
    }

    return checkPrincipalResult.KO;
}

[leif-scality]

@williamlardier I kept the diagram because the one in citadel is higher level than this one, I also think the diagram makes the function easier to understand.

[ghost]

Shouldn't it be /root to avoid valid user names ending in root?

Suggested change

	if (principal.endsWith('root') && _getAccountId(principal) === _getAccountId(requesterARN)) {
	if (principal.endsWith('/root') && _getAccountId(principal) === _getAccountId(requesterARN)) {

maybe a more formal check here would be better

[leif-scality]

I think we should do :root, /root is not a valid ARN, /account_name is only returned by vault when using the root access key's as explained in _IsRoot.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts

[leif-scality]

ping

[BourgoisMickael]

@bert-e create_pull_requests

[bert-e]

Integration data created

I have created the integration data for the additional destination branches.

• this pull request will merge bugfix/CLDSRV-674 into
  development/7.70
• w/8.8/bugfix/CLDSRV-674 will be merged into development/8.8 (pull request W/8.8/bugfix/cldsrv 674 #5884)
• w/9.0/bugfix/CLDSRV-674 will be merged into development/9.0 (pull request W/9.0/bugfix/cldsrv 674 #5885)
• w/9.1/bugfix/CLDSRV-674 will be merged into development/9.1 (pull request INTEGRATION [PR#5855 > development/9.1] CLDSRV-674: handle cross-account bucket policies #5886)

The following branches will NOT be impacted:

• development/7.10
• development/7.4

Follow integration pull requests if you would like to be notified of
build statuses by email.

The following options are set: create_pull_requests, create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_pull_requests, create_integration_branches

[leif-scality]

/approve

[bert-e]

Build failed

The build for commit did not succeed in branch w/8.8/bugfix/CLDSRV-674

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

Build failed

The build for commit did not succeed in branch w/9.0/bugfix/CLDSRV-674

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

Build failed

The build for commit did not succeed in branch w/9.1/bugfix/CLDSRV-674

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

Build failed

The build for commit did not succeed in branch w/9.0/bugfix/CLDSRV-674

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

Build failed

The build for commit did not succeed in branch w/9.1/bugfix/CLDSRV-674

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

I have successfully merged the changeset of this pull request
into targetted development branches:

• ✔️ development/7.70

• ✔️ development/8.8

• ✔️ development/9.0

• ✔️ development/9.1

The following branches have NOT changed:

• development/7.10
• development/7.4

Please check the status of the associated issue CLDSRV-674.

Goodbye leif-scality.

The following options are set: approve, create_pull_requests, create_integration_branches