Fix - list_buckets allowing unauthorized bucket access

Signed-off-by: Aayush Chouhan <achouhan@redhat.com>

Author: aayushchouhan09

src/server/common_services/auth_server.js

@@ -536,7 +536,12 @@ function _get_auth_info(account, system, authorized_by, role, extra) {
  * @returns  {Promise<boolean>} true if the account has permission to perform the action on the bucket
  */
 async function has_bucket_action_permission(bucket, account, action, req_query, bucket_path = "") {
+    if (!account || !account.email) {
+        dbg.warn('has_bucket_action_permission: account or account.email is missing');
+        return false;
+    }
     dbg.log1('has_bucket_action_permission:', bucket.name, account.email, bucket.owner_account.email);
+
     // If the system owner account wants to access the bucket, allow it
     if (bucket.system.owner.email.unwrap() === account.email.unwrap()) return true;
 
@@ -558,7 +563,9 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
     );
 
     if (result === 'DENY') return false;
-    return is_owner || result === 'ALLOW';
+    if (result === 'ALLOW') return true;
+
+    return is_owner;
 }
 
 /**

src/server/system_services/bucket_server.js

@@ -1062,8 +1062,13 @@ async function list_buckets(req) {
     let continuation_token = req.rpc_params?.continuation_token;
     const max_buckets = req.rpc_params?.max_buckets;
 
-    const accessible_bucket_list = system_store.data.buckets.filter(
-        async bucket => await req.has_s3_bucket_permission(bucket, "s3:ListBucket", req) && !bucket.deleting
+    const accessible_bucket_list = [];
+    await Promise.all(
+        system_store.data.buckets.map(async bucket => {
+            if (bucket.deleting) return;
+            const has_permission = await req.has_s3_bucket_permission(bucket, "s3:ListBucket");
+            if (has_permission) accessible_bucket_list.push(bucket);
+        })
     );
 
     accessible_bucket_list.sort((a, b) => a.name.unwrap().localeCompare(b.name.unwrap()));