scality · bert-e · Aug 22, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/lib/api/api.js b/lib/api/api.js
@@ -81,7 +81,68 @@ const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
 
 auth.setHandler(vault);
 
+function checkAuthResults(authResults, apiMethod, log) {
+    let returnTagCount = true;
+    const isImplicitDeny = {};
+    let isOnlyImplicitDeny = true;
+    if (apiMethod === 'objectGet') {
+        // first item checks s3:GetObject(Version) action
+        if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
+            log.trace('get object authorization denial from Vault');
+            return errors.AccessDenied;
+        }
+        isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
+        // second item checks s3:GetObject(Version)Tagging action
+        if (!authResults[1].isAllowed) {
+            log.trace('get tagging authorization denial ' +
+            'from Vault');
+            returnTagCount = false;
+        }
+    } else {
+        for (let i = 0; i < authResults.length; i++) {
+            isImplicitDeny[authResults[i].action] = true;
+            if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
+                // Any explicit deny rejects the current API call
+                log.trace('authorization denial from Vault');
+                return errors.AccessDenied;
+            }
+            if (authResults[i].isAllowed) {
+                // If the action is allowed, the result is not implicit
+                // Deny.
+                isImplicitDeny[authResults[i].action] = false;
+                isOnlyImplicitDeny = false;
+            }
+        }
+    }
+    // These two APIs cannot use ACLs or Bucket Policies, hence, any
+    // implicit deny from vault must be treated as an explicit deny.
+    if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
+        return errors.AccessDenied;
+    }
+    return { returnTagCount, isImplicitDeny };
+}
+
 /* eslint-disable no-param-reassign */
+function handleAuthorizationResults(request, authorizationResults, apiMethod, returnTagCount, log, callback) {
+    if (authorizationResults) {
+        const checkedResults = checkAuthResults(authorizationResults, apiMethod, log);
+        if (checkedResults instanceof Error) {
+            return callback(checkedResults);
+        }
+        returnTagCount = checkedResults.returnTagCount;
+        request.actionImplicitDenies = checkedResults.isImplicitDeny;
+    } else {
+        // create an object of keys apiMethods with all values to false:
+        // for backward compatibility, all apiMethods are allowed by default
+        // thus it is explicitly allowed, so implicit deny is false
+        request.actionImplicitDenies = request.apiMethods.reduce((acc, curr) => {
+            acc[curr] = false;
+            return acc;
+        }, {});
+    }
+    return callback(null, { returnTagCount });
+}
+
 const api = {
     callApiMethod(apiMethod, request, response, log, callback) {
         // Attach the apiMethod method to the request, so it can used by monitoring in the server
@@ -152,47 +213,6 @@ const api = {
         // Attach the names to the current request
         request.apiMethods = apiMethods;
 
-        function checkAuthResults(authResults) {
-            let returnTagCount = true;
-            const isImplicitDeny = {};
-            let isOnlyImplicitDeny = true;
-            if (apiMethod === 'objectGet') {
-                // first item checks s3:GetObject(Version) action
-                if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
-                    log.trace('get object authorization denial from Vault');
-                    return errors.AccessDenied;
-                }
-                isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
-                // second item checks s3:GetObject(Version)Tagging action
-                if (!authResults[1].isAllowed) {
-                    log.trace('get tagging authorization denial ' +
-                    'from Vault');
-                    returnTagCount = false;
-                }
-            } else {
-                for (let i = 0; i < authResults.length; i++) {
-                    isImplicitDeny[authResults[i].action] = true;
-                    if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
-                        // Any explicit deny rejects the current API call
-                        log.trace('authorization denial from Vault');
-                        return errors.AccessDenied;
-                    }
-                    if (authResults[i].isAllowed) {
-                        // If the action is allowed, the result is not implicit
-                        // Deny.
-                        isImplicitDeny[authResults[i].action] = false;
-                        isOnlyImplicitDeny = false;
-                    }
-                }
-            }
-            // These two APIs cannot use ACLs or Bucket Policies, hence, any
-            // implicit deny from vault must be treated as an explicit deny.
-            if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
-                return errors.AccessDenied;
-            }
-            return { returnTagCount, isImplicitDeny };
-        }
-
         return async.waterfall([
             next => auth.server.doAuth(
                 request, log, (err, userInfo, authorizationResults, streamingV4Params, infos) => {
@@ -267,27 +287,19 @@ const api = {
                     return next(null, userInfo, authResultsWithTags, streamingV4Params, infos);
                 },
             ),
-        ], (err, userInfo, authorizationResults, streamingV4Params, infos) => {
+            (userInfo, authorizationResults, streamingV4Params, infos, next) => handleAuthorizationResults(
+                request, authorizationResults, apiMethod, returnTagCount, log, (err, res) => {
+                    request.accountQuotas = infos?.accountQuota;
+                    if (err) {
+                        return next(err);
+                    }
+                    returnTagCount = res.returnTagCount;
+                    return next(null, userInfo, authorizationResults, streamingV4Params);
+                }),
+        ], (err, userInfo, authorizationResults, streamingV4Params) => {
             if (err) {
                 return callback(err);
             }
-            request.accountQuotas = infos?.accountQuota;
-            if (authorizationResults) {
-                const checkedResults = checkAuthResults(authorizationResults);
-                if (checkedResults instanceof Error) {
-                    return callback(checkedResults);
-                }
-                returnTagCount = checkedResults.returnTagCount;
-                request.actionImplicitDenies = checkedResults.isImplicitDeny;
-            } else {
-                // create an object of keys apiMethods with all values to false:
-                // for backward compatibility, all apiMethods are allowed by default
-                // thus it is explicitly allowed, so implicit deny is false
-                request.actionImplicitDenies = apiMethods.reduce((acc, curr) => {
-                    acc[curr] = false;
-                    return acc;
-                }, {});
-            }
             const methodCallback = (err, ...results) => async.forEachLimit(request.finalizerHooks, 5,
                     (hook, done) => hook(err, done),
                     () => callback(err, ...results));
@@ -375,6 +387,8 @@ const api = {
     serviceGet,
     websiteGet: website,
     websiteHead: website,
+    checkAuthResults,
+    handleAuthorizationResults,
 };
 
 module.exports = api;