Merge pull request #1067 from versity/ben/default_bucket_acl

benmcclelland · web-flow · commit f42c20297b4a · 2025-02-13T14:55:17.000-08:00
fix: return default bucket acl if none exists
diff --git a/auth/acl.go b/auth/acl.go
@@ -193,14 +193,25 @@ func ParseACL(data []byte) (ACL, error) {
 	return acl, nil
 }
 
-func ParseACLOutput(data []byte) (GetBucketAclOutput, error) {
+func ParseACLOutput(data []byte, owner string) (GetBucketAclOutput, error) {
+	grants := []Grant{}
+
+	if len(data) == 0 {
+		return GetBucketAclOutput{
+			Owner: &types.Owner{
+				ID: &owner,
+			},
+			AccessControlList: AccessControlList{
+				Grants: grants,
+			},
+		}, nil
+	}
+
 	var acl ACL
 	if err := json.Unmarshal(data, &acl); err != nil {
 		return GetBucketAclOutput{}, fmt.Errorf("parse acl: %w", err)
 	}
 
-	grants := []Grant{}
-
 	for _, elem := range acl.Grantees {
 		acs := elem.Access
 		grants = append(grants, Grant{
diff --git a/s3api/controllers/base.go b/s3api/controllers/base.go
@@ -921,7 +921,7 @@ func (c S3ApiController) ListActions(ctx *fiber.Ctx) error {
 				})
 		}
 
-		res, err := auth.ParseACLOutput(data)
+		res, err := auth.ParseACLOutput(data, parsedAcl.Owner)
 		return SendXMLResponse(ctx, res, err,
 			&MetaOpts{
 				Logger:      c.logger,
diff --git a/s3api/middlewares/acl-parser.go b/s3api/middlewares/acl-parser.go
@@ -74,6 +74,11 @@ func AclParser(be backend.Backend, logger s3log.AuditLogger, readonly bool) fibe
 			return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
 		}
 
+		// if owner is not set, set default owner to root account
+		if parsedAcl.Owner == "" {
+			parsedAcl.Owner = ctx.Locals("rootAccess").(string)
+		}
+
 		ctx.Locals("parsedAcl", parsedAcl)
 		return ctx.Next()
 	}
diff --git a/s3api/middlewares/authentication.go b/s3api/middlewares/authentication.go
@@ -76,6 +76,7 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 		}
 
 		ctx.Locals("isRoot", authData.Access == root.Access)
+		ctx.Locals("rootAccess", root.Access)
 
 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
diff --git a/s3api/middlewares/presign-auth.go b/s3api/middlewares/presign-auth.go
@@ -43,6 +43,8 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger
 		}
 
 		ctx.Locals("isRoot", authData.Access == root.Access)
+		ctx.Locals("rootAccess", root.Access)
+
 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
 			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)

Original file line number	Diff line number	Diff line change
`@@ -921,7 +921,7 @@ func (c S3ApiController) ListActions(ctx *fiber.Ctx) error {`
`921`	`921`	`})`
`922`	`922`	`}`
`923`	`923`
`924`		`- res, err := auth.ParseACLOutput(data)`
	`924`	`+ res, err := auth.ParseACLOutput(data, parsedAcl.Owner)`
`925`	`925`	`return SendXMLResponse(ctx, res, err,`
`926`	`926`	`&MetaOpts{`
`927`	`927`	`Logger: c.logger,`
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,11 @@ func AclParser(be backend.Backend, logger s3log.AuditLogger, readonly bool) fibe`
`74`	`74`	`return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ // if owner is not set, set default owner to root account`
	`78`	`+ if parsedAcl.Owner == "" {`
	`79`	`+ parsedAcl.Owner = ctx.Locals("rootAccess").(string)`
	`80`	`+ }`
	`81`	`+`
`77`	`82`	`ctx.Locals("parsedAcl", parsedAcl)`
`78`	`83`	`return ctx.Next()`
`79`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`ctx.Locals("isRoot", authData.Access == root.Access)`
	`79`	`+ ctx.Locals("rootAccess", root.Access)`
`79`	`80`
`80`	`81`	`account, err := acct.getAccount(authData.Access)`
`81`	`82`	`if err == auth.ErrNoSuchUser {`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`ctx.Locals("isRoot", authData.Access == root.Access)`
	`46`	`+ ctx.Locals("rootAccess", root.Access)`
	`47`	`+`
`46`	`48`	`account, err := acct.getAccount(authData.Access)`
`47`	`49`	`if err == auth.ErrNoSuchUser {`
`48`	`50`	`return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)`