Properly enforce allow_create_bucket #447
3 changed files with 39 additions and 0 deletions
|
@ -161,6 +161,15 @@ pub async fn handle_create_bucket(
|
||||||
return Err(CommonError::BucketAlreadyExists.into());
|
return Err(CommonError::BucketAlreadyExists.into());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
// Check user is allowed to create bucket
|
||||||
|
if !key_params.allow_create_bucket.get() {
|
||||||
|
return Err(CommonError::Forbidden(format!(
|
||||||
|
"Access key {} is not allowed to create buckets",
|
||||||
|
api_key.key_id
|
||||||
|
))
|
||||||
|
.into());
|
||||||
|
}
|
||||||
|
|
||||||
// Create the bucket!
|
// Create the bucket!
|
||||||
if !is_valid_bucket_name(&bucket_name) {
|
if !is_valid_bucket_name(&bucket_name) {
|
||||||
return Err(Error::bad_request(format!(
|
return Err(Error::bad_request(format!(
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
use crate::common;
|
use crate::common;
|
||||||
|
use crate::common::ext::CommandExt;
|
||||||
use aws_sdk_s3::model::BucketLocationConstraint;
|
use aws_sdk_s3::model::BucketLocationConstraint;
|
||||||
use aws_sdk_s3::output::DeleteBucketOutput;
|
use aws_sdk_s3::output::DeleteBucketOutput;
|
||||||
|
|
||||||
|
@ -8,6 +9,27 @@ async fn test_bucket_all() {
|
||||||
let bucket_name = "hello";
|
let bucket_name = "hello";
|
||||||
|
|
||||||
{
|
{
|
||||||
|
// Check bucket cannot be created if not authorized
|
||||||
|
ctx.garage
|
||||||
|
.command()
|
||||||
|
.args(["key", "deny"])
|
||||||
|
.args(["--create-bucket", &ctx.garage.key.id])
|
||||||
|
.quiet()
|
||||||
|
.expect_success_output("Could not deny key to create buckets");
|
||||||
|
|
||||||
|
// Try create bucket, should fail
|
||||||
|
let r = ctx.client.create_bucket().bucket(bucket_name).send().await;
|
||||||
|
assert!(r.is_err());
|
||||||
|
}
|
||||||
|
{
|
||||||
|
// Now allow key to create bucket
|
||||||
|
ctx.garage
|
||||||
|
.command()
|
||||||
|
.args(["key", "allow"])
|
||||||
|
.args(["--create-bucket", &ctx.garage.key.id])
|
||||||
|
.quiet()
|
||||||
|
.expect_success_output("Could not deny key to create buckets");
|
||||||
|
|
||||||
// Create bucket
|
// Create bucket
|
||||||
//@TODO check with an invalid bucket name + with an already existing bucket
|
//@TODO check with an invalid bucket name + with an already existing bucket
|
||||||
let r = ctx
|
let r = ctx
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
use crate::common;
|
use crate::common;
|
||||||
|
use crate::common::ext::CommandExt;
|
||||||
use common::custom_requester::BodySignature;
|
use common::custom_requester::BodySignature;
|
||||||
use hyper::Method;
|
use hyper::Method;
|
||||||
|
|
||||||
|
@ -105,6 +106,13 @@ async fn test_create_bucket_streaming() {
|
||||||
let ctx = common::context();
|
let ctx = common::context();
|
||||||
let bucket = "createbucket-streaming";
|
let bucket = "createbucket-streaming";
|
||||||
|
|
||||||
|
ctx.garage
|
||||||
|
.command()
|
||||||
|
.args(["key", "allow"])
|
||||||
|
.args(["--create-bucket", &ctx.garage.key.id])
|
||||||
|
.quiet()
|
||||||
|
.expect_success_output("Could not allow key to create buckets");
|
||||||
|
|
||||||
{
|
{
|
||||||
// create bucket
|
// create bucket
|
||||||
let _ = ctx
|
let _ = ctx
|
||||||
|
|
Loading…
Reference in a new issue