Restructure the code and removed iam policy checks

Signed-off-by: Aayush Chouhan <achouhan@redhat.com>

Author: aayushchouhan09

src/server/common_services/auth_server.js

@@ -497,8 +497,8 @@ function _prepare_auth_request(req) {
         return has_bucket_action_permission(bucket, req.account, action, req_query, bucket_path);
     };
 
-    req.has_list_bucket_permission = function(bucket) {
-        return has_list_bucket_permission(bucket, req.account, req.system);
+    req.has_bucket_ownership_permission = function(bucket) {
+        return has_bucket_ownership_permission(bucket, req.account);
     };
 }
 
@@ -526,12 +526,12 @@ function _get_auth_info(account, system, authorized_by, role, extra) {
 
 /**
  * is_system_owner checks if the account is the system owner
- * @param {Record<string, any>} system
+ * @param {Record<string, any>} bucket
  * @param {Record<string, any>} account
  * @returns {boolean}
  */
-function is_system_owner(system, account) {
-    return system?.owner?.email?.unwrap() === account?.email?.unwrap();
+function is_system_owner(bucket, account) {
+    return bucket.system.owner.email.unwrap() === account.email.unwrap();
 }
 
 /**
@@ -541,79 +541,47 @@ function is_system_owner(system, account) {
  * @returns {boolean}
  */
 function is_bucket_owner(bucket, account) {
-    return bucket?.owner_account?.email?.unwrap() === account?.email?.unwrap();
+    return bucket.owner_account.email.unwrap() === account.email.unwrap();
 }
 
 /**
- * has_iam_list_buckets_permission checks if the account has IAM policy granting s3:ListAllMyBuckets
- * for buckets owned by their root account
+ * is_bucket_claim_owner checks if the account is the OBC (ObjectBucketClaim) owner of the bucket
  * @param {Record<string, any>} bucket
  * @param {Record<string, any>} account
- * @returns {Promise<boolean>}
+ * @returns {boolean}
  */
-async function has_iam_list_buckets_permission(bucket, account) {
-    if (!account?.owner) return false;
-
-    const iam_policies = account.iam_user_policies || [];
-    if (iam_policies.length === 0) return false;
-
-    // check each IAM policy for s3:ListAllMyBuckets permission
-    for (const iam_policy of iam_policies) {
-        const result = await s3_bucket_policy_utils.has_bucket_policy_permission(
-            iam_policy.policy_document,
-            undefined,
-            's3:ListAllMyBuckets',
-            'arn:aws:s3:::*',
-            undefined,
-            { should_pass_principal: false }
-        );
-
-        if (result === 'DENY') return false;
-
-        if (result === 'ALLOW') {
-            const bucket_owner_id = bucket.owner_account?._id;
-            const account_owner_id = account.owner?._id;
-            const ownership_match = account_owner_id !== undefined && bucket_owner_id !== undefined &&
-                                   String(bucket_owner_id) === String(account_owner_id);
-
-            // special case: check if root is OBC account and this is the claimed bucket
-            const root_claimed_bucket = account.owner?.bucket_claim_owner?.name?.unwrap();
-            const obc_claim_match = root_claimed_bucket && root_claimed_bucket === bucket.name?.unwrap();
-
-            if (ownership_match || obc_claim_match) return true;
-        }
-    }
-
-    return false;
+function is_bucket_claim_owner(bucket, account) {
+    return account.bucket_claim_owner && account.bucket_claim_owner.name.unwrap() === bucket.name.unwrap();
 }
 
 /**
- * has_list_bucket_permission returns true if the account can list the bucket in ListBuckets operation
+ * has_bucket_ownership_permission returns true if the account can list the bucket in ListBuckets operation
  *
  * aws-compliant behavior:
  * - System owner can list all the buckets
  * - Root accounts can list buckets they own
- * - IAM users CANNOT inherit ListBuckets visibility from root
- * - IAM users need explicit IAM policy with s3:ListAllMyBuckets to list buckets
+ * - OBC owner can list their buckets
+ * - IAM users can list their owner buckets
  *
  * @param {Record<string, any>} bucket
  * @param {Record<string, any>} account
- * @param {Record<string, any>} system
  * @returns {Promise<boolean>}
  */
-async function has_list_bucket_permission(bucket, account, system) {
+async function has_bucket_ownership_permission(bucket, account) {
     // system owner can list all the buckets
-    if (is_system_owner(bucket.system, account)) return true;
+    if (is_system_owner(bucket, account)) return true;
 
     // check direct ownership
     if (is_bucket_owner(bucket, account)) return true;
 
     // special case: check bucket claim ownership (OBC)
-    if (account.bucket_claim_owner?.name?.unwrap() === bucket.name.unwrap()) return true;
+    if (is_bucket_claim_owner(bucket, account)) return true;
 
-    // check IAM policy for s3:ListAllMyBuckets
-    // Note: IAM users need this policy to list buckets owned by their root account
-    if (await has_iam_list_buckets_permission(bucket, account)) return true;
+    // special case: iam user can list the buckets of their owner
+    if (account.owner) {
+        const account_owner = system_store.data.get_by_id(account.owner._id);
+        if (is_bucket_owner(bucket, account_owner)) return true;
+    }
 
     return false;
 }
@@ -640,14 +608,8 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
     // system owner can access all buckets
     if (is_system_owner(bucket.system, account)) return true;
 
-    // check ownership: direct owner, IAM user inheritance, or OBC
-    const is_owner = is_bucket_owner(bucket, account);
-    const bucket_owner_id = bucket.owner_account?._id;
-    const account_owner_id = account.owner?._id;
-    const has_iam_access = account_owner_id !== undefined && bucket_owner_id !== undefined &&
-                           String(bucket_owner_id) === String(account_owner_id);
-    const has_obc_access = account.bucket_claim_owner?.name?.unwrap() === bucket.name.unwrap();
-    const owner = is_owner || has_iam_access || has_obc_access;
+    // check ownership: direct owner or OBC
+    const has_owner_access = is_bucket_owner(bucket, account) || is_bucket_claim_owner(bucket, account);
 
     const bucket_policy = bucket.s3_policy;
 
@@ -656,7 +618,7 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
         // we allow IAM account to access a bucket that that is owned by their root account
         const is_iam_and_same_root_account_owner = account.owner !== undefined &&
             account.owner._id.toString() === bucket.owner_account._id.toString();
-        return is_owner || is_iam_and_same_root_account_owner;
+        return has_owner_access || is_iam_and_same_root_account_owner;
     }
     if (!action) {
         throw new Error('has_bucket_action_permission: action is required');
@@ -673,7 +635,7 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
 
     if (result === 'DENY') return false;
 
-    return owner || result === 'ALLOW';
+    return has_owner_access || result === 'ALLOW';
 }
 
 /**

src/server/system_services/bucket_server.js

@@ -1096,10 +1096,10 @@ async function list_buckets(req) {
     let continuation_token = req.rpc_params?.continuation_token;
     const max_buckets = req.rpc_params?.max_buckets;
 
-    // filter buckets based on ownership (async to support IAM policy checks)
+    // filter buckets based on ownership
     const bucket_permissions = await P.map(system_store.data.buckets, async bucket => {
         if (bucket.deleting) return null;
-        const has_permission = await req.has_list_bucket_permission(bucket);
+        const has_permission = await req.has_bucket_ownership_permission(bucket);
         return has_permission ? bucket : null;
     });
     const accessible_bucket_list = bucket_permissions.filter(bucket => bucket !== null);