Improvement/cldsrv-426-ACL-Implicit-Deny

[benzekrimaha]

PR opened after closing : #5323

Bucket policies are not correctly interpreted, this is part of the following epic to fix that: scality/Arsenal#2181

This PR is aiming to update ACL checks for APIs with multiple permission , ticket linked to this issue here : https://scality.atlassian.net/browse/CLDSRV-426

PRs providing implicit Deny logic to CS for processing in this PR
scality/Arsenal#2181
https://github.com/scality/Vault/pull/2135
#5322

Tests have also been added.

I'm not bumping a new CLDSRV version since a new version has been created in this merged PR : #5322 , Please let me know if it needs to be done anyways.

[bert-e]

Hello benzekrimaha,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-426 contains:

• 7.10.31

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 7.10.33

• 7.70.30

• 8.6.12

• 8.7.31

• 8.8.5

Please check the Fix Version/s of CLDSRV-426, or the target
branch of this pull request.

[benzekrimaha]

ping

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[benzekrimaha]

/create_integration_branches

[bert-e]

Conflict

A conflict has been raised during the creation of
integration branch w/8.6/improvement/CLDSRV-426-acl-impl-deny with contents from w/7.70/improvement/CLDSRV-426-acl-impl-deny
and development/8.6.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout -B w/8.6/improvement/CLDSRV-426-acl-impl-deny origin/development/8.6
 $ git merge origin/w/7.70/improvement/CLDSRV-426-acl-impl-deny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/8.6/improvement/CLDSRV-426-acl-impl-deny

The following options are set: create_integration_branches

[benzekrimaha]

ping

[bert-e]

Integration data created

I have created the integration data for the additional destination branches.

• this pull request will merge improvement/CLDSRV-426-acl-impl-deny into
  development/7.10
• w/7.70/improvement/CLDSRV-426-acl-impl-deny will be merged into development/7.70
• w/8.6/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.6
• w/8.7/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.7
• w/8.8/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.8

The following branches will NOT be impacted:

• development/7.4

You can set option create_pull_requests if you need me to create
integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_integration_branches

[williamlardier]

For this PR I believe we should keep this logic for the bucketDelete API, as it seems we remove it with the changes. It may be a miss from the PoC

[williamlardier]

We can also have a test for this one

[benzekrimaha]

this can actually be removed since we have this condition

cloudserver/lib/api/apiUtils/authorization/permissionChecks.js

Line 15 in 32227f6

if (bucket.getOwner() === canonicalID) {

[benzekrimaha]

for the test it's already here :

cloudserver/tests/unit/auth/permissionChecks.js

Line 22 in 32227f6

description: 'should return true if bucket owner matches canonicalID',

[williamlardier]

Right, it was a dead code, looks good

[nicolas2bert]

I am not sure where the mainApiCall comes from and where it is set. JSDOC might be helpful.

[benzekrimaha]

JSDOC has been added , let me know if it's still not clear enough

[nicolas2bert]

I do not see it defined here:

cloudserver/lib/api/apiUtils/authorization/permissionChecks.js

Line 315 in e0eab95

const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);

Is it on purpose?

[benzekrimaha]

As it's not effecting the current behavior , it's defined on this PR ( which is aiming to update the functions calling the acl checks) : https://github.com/scality/cloudserver/pull/5432/files#diff-773344fcfc0f64145ff95eb6eccd556588c19449dc2c263a2532d4030bf00dffR360

[bert-e]

Conflict

A conflict has been raised during the update of
integration branch w/8.6/improvement/CLDSRV-426-acl-impl-deny with contents from w/7.70/improvement/CLDSRV-426-acl-impl-deny
and development/8.6.

Please resolve the conflict on the integration branch (w/8.6/improvement/CLDSRV-426-acl-impl-deny).

Here are the steps to resolve this conflict:

 $ git fetch
 $ git checkout w/8.6/improvement/CLDSRV-426-acl-impl-deny
 $ git pull  # or "git reset --hard origin/w/8.6/improvement/CLDSRV-426-acl-impl-deny"
 $ git merge origin/development/8.6
 $ # <intense conflict resolution>
 $ git commit
 $ git merge origin/w/7.70/improvement/CLDSRV-426-acl-impl-deny
 $ # <intense conflict resolution>
 $ git commit
 $ git push -u origin w/8.6/improvement/CLDSRV-426-acl-impl-deny

The following options are set: create_pull_requests, create_integration_branches

[bert-e]

History mismatch

Merge commit #fbb0de94b2d0901a610b6e26fd0351e01ac286b0 on the integration branch
w/7.70/improvement/CLDSRV-426-acl-impl-deny is merging a branch which is neither the current
branch improvement/CLDSRV-426-acl-impl-deny nor the development branch
development/7.70.

It is likely due to a rebase of the branch improvement/CLDSRV-426-acl-impl-deny and the
merge is not possible until all related w/* branches are deleted or updated.

Please use the reset command to have me reinitialize these branches.

The following options are set: create_pull_requests, create_integration_branches

[benzekrimaha]

ping

[bert-e]

Integration data created

I have created the integration data for the additional destination branches.

• this pull request will merge improvement/CLDSRV-426-acl-impl-deny into
  development/7.10
• w/7.70/improvement/CLDSRV-426-acl-impl-deny will be merged into development/7.70 (pull request INTEGRATION [PR#5420 > development/7.70] Improvement/cldsrv-426-ACL-Implicit-Deny #5433)
• w/8.6/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.6 (pull request INTEGRATION [PR#5420 > development/8.6] Improvement/cldsrv-426-ACL-Implicit-Deny #5434)
• w/8.7/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.7 (pull request INTEGRATION [PR#5420 > development/8.7] Improvement/cldsrv-426-ACL-Implicit-Deny #5435)
• w/8.8/improvement/CLDSRV-426-acl-impl-deny will be merged into development/8.8 (pull request INTEGRATION [PR#5420 > development/8.8] Improvement/cldsrv-426-ACL-Implicit-Deny #5436)

The following branches will NOT be impacted:

• development/7.4

Follow integration pull requests if you would like to be notified of
build statuses by email.

The following options are set: create_pull_requests, create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_pull_requests, create_integration_branches

[benzekrimaha]

/approve

[bert-e]

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

• ✔️ development/7.10

• ✔️ development/7.70

• ✔️ development/8.6

• ✔️ development/8.7

• ✔️ development/8.8

The following branches will NOT be impacted:

• development/7.4

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

• Any commit you add on the source branch will trigger a new cycle after the
  current queue is merged.
• Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve, create_pull_requests, create_integration_branches

[bert-e]

I have successfully merged the changeset of this pull request
into targetted development branches:

• ✔️ development/7.10

• ✔️ development/7.70

• ✔️ development/8.6

• ✔️ development/8.7

• ✔️ development/8.8

The following branches have NOT changed:

• development/7.4

Please check the status of the associated issue CLDSRV-426.

Goodbye benzekrimaha.