
Commit 6000672

committed
IAM | Bucket policy Principal validation
1 parent b83a047 commit 6000672

1 file changed

+28
-1
lines changed


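--- a/src/server/system_services/bucket_server.js
+++ b/src/server/system_services/bucket_server.js
@@ -11,6 +11,7 @@ const GoogleStorage = require('../../util/google_storage_wrap');
 
 const P = require('../../util/promise');
 const dbg = require('../../util/debug_module')(__filename);
+const SensitiveString = require('../../util/sensitive_string');
 const config = require('../../../config');
 const MDStore = require('../object_services/md_store').MDStore;
 const BucketStatsStore = require('../analytic_services/bucket_stats_store').BucketStatsStore;
@@ -512,12 +513,38 @@ async function get_bucket_policy(req) {
     };
 }
 
+/*
+validate ARN principle
+1. validate basic ARN, like arn prefix `arn:aws:iam::`
+2. If principal ARN end with `root sufix its a account and get account with id eg : aws:arn:${account_id}:root
+3. if principle ARN contains `user` its a IAM user and get account with username and id
+eg : aws:arn:${account_id}:user/${iam_path}/${use_name}
+account email = ${iam_user_name}:${account_id}
+*/
+async function principal_validation_handler(principal) {
+    const principal_as_string = principal instanceof SensitiveString ? principal.unwrap() : principal;
+    const arn_prefix = 'arn:aws:iam::';
+    const root_sufix = 'root';
+    const user_sufix = 'user';
+    const arn_parts = principal_as_string.split(':');
+    if (!principal_as_string.startsWith(arn_prefix) || arn_parts.length < 6) {
+        return;
+    }
+    const account_id = arn_parts[4];
+    if (principal_as_string.endsWith(root_sufix)) {
+        return system_store.data.accounts.find(account => account._id.toString() === account_id);
+    } else if (principal_as_string.includes(user_sufix)) {
+        const arn_path_parts = principal_as_string.split('/');
+        const iam_user_name = arn_path_parts[arn_path_parts.length - 1];
+        return system_store.get_account_by_email(new SensitiveString(`${iam_user_name}:${account_id}`));
+    }
+}
 
 async function put_bucket_policy(req) {
     dbg.log0('put_bucket_policy:', req.rpc_params);
     const bucket = find_bucket(req, req.rpc_params.name);
     await bucket_policy_utils.validate_s3_policy(req.rpc_params.policy, bucket.name,
-        principal => system_store.get_account_by_email(principal));
+        principal => principal_validation_handler(principal));
 
     if (
         bucket.public_access_block?.block_public_policy &&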