add S3 rest changes

Author: naveenpaul1

src/api/account_api.js

@@ -620,6 +620,7 @@ module.exports = {
             type: 'object',
             required: ['name', 'email', 'has_s3_access'],
             properties: {
+                _id: { type: 'string'},
                 name: { $ref: 'common_api#/definitions/account_name' },
                 email: { $ref: 'common_api#/definitions/email' },
                 is_support: {
@@ -661,6 +662,12 @@ module.exports = {
                 bucket_claim_owner: {
                     $ref: 'common_api#/definitions/bucket_name',
                 },
+                owner: {
+                    type: 'string',
+                },
+                iam_path: {
+                    type: 'string',
+                },
                 external_connections: {
                     type: 'object',
                     properties: {

src/endpoint/iam/iam_utils.js

@@ -46,6 +46,15 @@ function create_arn_for_user(account_id, username, iam_path) {
     return `${basic_structure}/${username}`;
 }
 
+/**
+ * create_arn_for_account creates the AWS ARN for account
+ * see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
+ * @param {string} account_id (the root user account id)
+ */
+function create_arn_for_account(account_id) {
+    return `arn:aws:iam::${account_id}:root`;
+}
+
 /**
  * get_action_message_title returns the full action name
  * @param {string} action (The action name as it is in AccountSpace)
@@ -815,6 +824,7 @@ function validate_list_user_tags_params(params) {
 // EXPORTS
 exports.format_iam_xml_date = format_iam_xml_date;
 exports.create_arn_for_user = create_arn_for_user;
+exports.create_arn_for_account = create_arn_for_account;
 exports.create_arn_for_root = create_arn_for_root;
 exports.get_action_message_title = get_action_message_title;
 exports.check_iam_path_was_set = check_iam_path_was_set;

src/endpoint/s3/s3_rest.js

@@ -12,6 +12,7 @@ const s3_logging = require('./s3_bucket_logging');
 const time_utils = require('../../util/time_utils');
 const http_utils = require('../../util/http_utils');
 const signature_utils = require('../../util/signature_utils');
+const iam_utils = require('../../endpoint/iam/iam_utils');
 const config = require('../../../config');
 const s3_utils = require('./s3_utils');
 
@@ -254,6 +255,8 @@ async function authorize_request_policy(req) {
     const account = req.object_sdk.requesting_account;
     const account_identifier_name = req.object_sdk.nsfs_config_root ? account.name.unwrap() : account.email.unwrap();
     const account_identifier_id = req.object_sdk.nsfs_config_root ? account._id : undefined;
+    const arn = account.owner ? iam_utils.create_arn_for_user(account.owner, account.name.unwrap().split(':')[0], account.iam_path) :
+                                    iam_utils.create_arn_for_account(account._id);
 
     // deny delete_bucket permissions from bucket_claim_owner accounts (accounts that were created by OBC from openshift\k8s)
     // the OBC bucket can still be delete by normal accounts according to the access policy which is checked below
@@ -304,9 +307,9 @@ async function authorize_request_policy(req) {
     }
     if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);
 
-    if ((!account_identifier_id || permission_by_id !== "DENY") && account.owner === undefined) {
+    if (!account_identifier_id || permission_by_id !== "DENY") {
         permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(
-            s3_policy, account_identifier_name, method, arn_path, req, public_access_block?.restrict_public_buckets
+            s3_policy, arn, method, arn_path, req, public_access_block?.restrict_public_buckets
         );
         dbg.log3('authorize_request_policy: permission_by_name', permission_by_name);
     }

src/server/common_services/auth_server.js

@@ -15,6 +15,7 @@ const addr_utils = require('../../util/addr_utils');
 const kube_utils = require('../../util/kube_utils');
 const jwt_utils = require('../../util/jwt_utils');
 const config = require('../../../config');
+const iam_utils = require('../../endpoint/iam/iam_utils');
 const s3_bucket_policy_utils = require('../../endpoint/s3/s3_bucket_policy_utils');
 
 
@@ -548,10 +549,11 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
     if (!action) {
         throw new Error('has_bucket_action_permission: action is required');
     }
-
+    const arn = account.owner ? iam_utils.create_arn_for_user(account.owner._id.toString(), account.name.unwrap().split(':')[0], account.iam_path) :
+                                    iam_utils.create_arn_for_account(account._id);
     const result = await s3_bucket_policy_utils.has_bucket_policy_permission(
         bucket_policy,
-        account.email.unwrap(),
+        arn,
         action,
         `arn:aws:s3:::${bucket.name.unwrap()}${bucket_path}`,
         req_query

src/server/system_services/account_server.js

@@ -988,7 +988,7 @@ function get_account_info(account, include_connection_cache) {
         'has_login',
         'allowed_ips',
     );
-
+    info._id = account._id.toString();
     if (account.is_support) {
         info.is_support = true;
         info.has_login = true;
@@ -998,7 +998,8 @@ function get_account_info(account, include_connection_cache) {
             secret_key: 'Not Accesible'
         }];
     }
-
+    info.owner = account.owner?._id.toString();
+    info.iam_path = account.iam_path;
     if (account.next_password_change) {
         info.next_password_change = account.next_password_change.getTime();
     }