Merge remote-tracking branch 'origin/w/7.70/bugfix/CLDSRV-616' into w…

…/8.8/bugfix/CLDSRV-616
scality · Feb 25, 2025 · e9441c6 · e9441c6
2 parents 07dbf67 + c144a8c
commit e9441c6
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -293,6 +293,10 @@ function _checkPrincipal(requester, principal) {
     if (principal === '*') {
         return true;
     }
+    // User in unauthenticated (anonymous request)
+    if (requester === undefined) {
+        return false;
+    }
     if (principal === requester) {
         return true;
     }

diff --git a/tests/unit/api/bucketPolicyAuth.js b/tests/unit/api/bucketPolicyAuth.js
@@ -1,5 +1,6 @@
 const assert = require('assert');
 const { BucketInfo, BucketPolicy } = require('arsenal').models;
+const AuthInfo = require('arsenal').auth.AuthInfo;
 const constants = require('../../../constants');
 const { isBucketAuthorized, isObjAuthorized, validatePolicyResource }
     = require('../../../lib/api/apiUtils/authorization/permissionChecks');
@@ -35,6 +36,9 @@ const basePolicyObj = {
 };
 const bucketName = 'matchme';
 const log = new DummyRequestLogger();
+const publicUserAuthInfo = new AuthInfo({
+    canonicalID: constants.publicId,
+});
 
 const authTests = [
     {
@@ -292,11 +296,21 @@ describe('bucket policy authorization', () => {
         it('should allow access to public user if principal is set to "*"',
         done => {
             const allowed = isBucketAuthorized(bucket, bucAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
             assert.equal(allowed, true);
             done();
         });
 
+        it('should deny access to public user if principal is not set to "*"', function itFn(done) {
+            const newPolicy = this.test.basePolicy;
+            newPolicy.Statement[0].Principal = { AWS: authInfo.getArn() };
+            bucket.setBucketPolicy(newPolicy);
+            const allowed = isBucketAuthorized(bucket, bucAction,
+                constants.publicId, publicUserAuthInfo, log);
+            assert.equal(allowed, false);
+            done();
+        });
+
         authTests.forEach(t => {
             it(`${t.name}bucket owner`, function itFn(done) {
                 const newPolicy = this.test.basePolicy;
@@ -376,7 +390,7 @@ describe('bucket policy authorization', () => {
         it('should allow access to public user if principal is set to "*"',
         done => {
             const allowed = isObjAuthorized(bucket, object, objAction,
-                constants.publicId, null, log);
+                constants.publicId, publicUserAuthInfo, log);
             assert.equal(allowed, true);
             done();
         });