test case fix

naveenpaul1 · naveenpaul1 · commit 033bcf150b74 · 2025-11-12T11:39:25.000+05:30
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
@@ -307,7 +307,7 @@ async function authorize_request_policy(req) {
     }
     if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);
 
-    if (!account_identifier_id || permission_by_id !== "DENY") {
+    if ((!account_identifier_id || permission_by_id !== "DENY") && !req.object_sdk.nsfs_config_root) {
         permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(
             s3_policy, arn, method, arn_path, req, public_access_block?.restrict_public_buckets
         );
diff --git a/src/server/system_services/bucket_server.js b/src/server/system_services/bucket_server.js
@@ -40,6 +40,7 @@ const bucket_semaphore = new KeysSemaphore(1);
 const Quota = require('../system_services/objects/quota');
 const { STORAGE_CLASS_GLACIER_IR } = require('../../endpoint/s3/s3_utils');
 const noobaa_s3_client = require('../../sdk/noobaa_s3_client/noobaa_s3_client');
+const string_utils = require('../../util/string_utils');
 
 const VALID_BUCKET_NAME_REGEXP =
     /^(([a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])$/;
@@ -516,26 +517,25 @@ async function get_bucket_policy(req) {
 /* 
     validate ARN principle 
     1. validate basic ARN, like arn prefix `arn:aws:iam::`
-    2. If principal ARN end with `root sufix its a account and get account with id eg : aws:arn:${account_id}:root
+    2. If principal ARN end with `root sufix its a account and get account with id eg : arn:aws:iam::${account_id}:root
     3. if principle ARN contains `user` its a IAM user and get account with username and id 
-        eg : aws:arn:${account_id}:user/${iam_path}/${use_name}
+        eg : arn:aws:iam::${account_id}:user/${iam_path}/${use_name}
         account email = ${iam_user_name}:${account_id}
 */
 async function principal_validation_handler(principal) {
     const principal_as_string = principal instanceof SensitiveString ? principal.unwrap() : principal;
-    const arn_prefix = 'arn:aws:iam::';
     const root_sufix = 'root';
     const user_sufix = 'user';
     const arn_parts = principal_as_string.split(':');
-    if (!principal_as_string.startsWith(arn_prefix) || arn_parts.length < 6) {
+    if (!string_utils.AWS_ARN_REGEXP.test(principal_as_string)) {
         return;
     }
     const account_id = arn_parts[4];
     if (principal_as_string.endsWith(root_sufix)) {
         return system_store.data.accounts.find(account => account._id.toString() === account_id);
-    } else if (principal_as_string.includes(user_sufix)) {
+    } else if (arn_parts[5] && arn_parts[5].startsWith(user_sufix)) {
         const arn_path_parts = principal_as_string.split('/');
-        const iam_user_name = arn_path_parts[arn_path_parts.length - 1];
+        const iam_user_name = arn_path_parts[arn_path_parts.length - 1].trim();
         return system_store.get_account_by_email(new SensitiveString(`${iam_user_name}:${account_id}`));
     }
 }
diff --git a/src/test/integration_tests/nsfs/test_nsfs_integration.js b/src/test/integration_tests/nsfs/test_nsfs_integration.js
@@ -205,7 +205,8 @@ mocha.describe('bucket operations - namespace_fs', function() {
     mocha.it('list buckets without uid, gid', async function() {
         this.timeout(600000); // eslint-disable-line no-invalid-this
         // Give s3_owner access to the required buckets
-        const generated = generate_s3_policy(EMAIL, first_bucket, ['s3:*']);
+        const account_info_admin = await rpc_client.account.read_account({ email: EMAIL });
+        const generated = generate_s3_policy(`arn:aws:iam::${account_info_admin._id.toString()}:root`, first_bucket, ['s3:*']);
         await rpc_client.bucket.put_bucket_policy({ name: first_bucket, policy: generated.policy });
 
         const res = await s3_owner.listBuckets({});
diff --git a/src/util/string_utils.js b/src/util/string_utils.js
@@ -18,6 +18,7 @@ const AWS_IAM_ACCESS_KEY_INPUT_REGEXP = /^[\w]+$/;
 const AWS_IAM_TAG_KEY_AND_VALUE_REGEXP = /^[\p{L}\p{Z}\p{N}_.:/=+\-@]+$/u;
 const AWS_POLICY_NAME_REGEXP = /^[\w+=,.@-]+$/;
 const AWS_POLICY_DOCUMENT_REGEXP = /^[\u0009\u000A\u000D\u0020-\u00FF]+$/;
+const AWS_ARN_REGEXP = /^arn:aws:iam::\w{10,}:(?:user|root)(?:\/[\w\d\-\_\.\/]+$)?/;
 
 function crypto_random_string(len, charset = ALPHA_NUMERIC_CHARSET) {
     // In order to not favor any specific chars over others we limit the maximum random value
@@ -171,3 +172,4 @@ exports.AWS_IAM_ACCESS_KEY_INPUT_REGEXP = AWS_IAM_ACCESS_KEY_INPUT_REGEXP;
 exports.AWS_IAM_TAG_KEY_AND_VALUE_REGEXP = AWS_IAM_TAG_KEY_AND_VALUE_REGEXP;
 exports.AWS_POLICY_NAME_REGEXP = AWS_POLICY_NAME_REGEXP;
 exports.AWS_POLICY_DOCUMENT_REGEXP = AWS_POLICY_DOCUMENT_REGEXP;
+exports.AWS_ARN_REGEXP = AWS_ARN_REGEXP;

Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,7 @@ async function authorize_request_policy(req) {`
`307`	`307`	`}`
`308`	`308`	`if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);`
`309`	`309`
`310`		`- if (!account_identifier_id \|\| permission_by_id !== "DENY") {`
	`310`	`+ if ((!account_identifier_id \|\| permission_by_id !== "DENY") && !req.object_sdk.nsfs_config_root) {`
`311`	`311`	`permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(`
`312`	`312`	`s3_policy, arn, method, arn_path, req, public_access_block?.restrict_public_buckets`
`313`	`313`	`);`