use super::*;
// Bucket-level configuration, policy and ACL operations for `BucketWarden`.
//
// Every operation follows the same shape: authorize the principal for the
// specific S3 action first, only then look the bucket up, mutate or read it,
// and finally record the allowed call through `audit_allowed`. Keeping the
// authorization check ahead of the bucket lookup means an unauthorized
// caller gets the authorization error rather than a NoSuchBucket-style
// answer that would reveal whether the bucket exists (assuming `authorize`
// itself does not consult bucket state, which is not visible in this file).
// Note that only the success path is audited here; a request that fails
// after authorization (missing bucket, bad input) leaves no `audit_allowed`
// record from these methods, and whether `authorize` logs denials is not
// visible here either.
impl BucketWarden {
    /// Returns the transfer-acceleration status of `bucket` as the S3 token
    /// `Enabled` or `Suspended`.
    ///
    /// The status string is also attached to the audit record.
    ///
    /// # Errors
    /// Propagates the `authorize` error and any error from `require_bucket`.
    pub fn get_bucket_accelerate_configuration(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<BucketAccelerateConfiguration, RuntimeError> {
        self.authorize(
            principal,
            S3Action::GetBucketAccelerateConfiguration,
            bucket,
        )?;
        let enabled = self.require_bucket(bucket)?.accelerate_enabled;
        // Same two tokens the PUT side accepts, so a GET round-trips a PUT.
        let status = String::from(if enabled { "Enabled" } else { "Suspended" });
        self.audit_allowed(
            principal,
            S3Action::GetBucketAccelerateConfiguration,
            bucket,
            Some(status.clone()),
        );
        Ok(BucketAccelerateConfiguration {
            bucket: bucket.to_string(),
            status,
        })
    }

    /// Maps an accelerate status token to the stored boolean flag.
    ///
    /// Matching is exact and case-sensitive; anything other than `Enabled`
    /// or `Suspended` is rejected with `InvalidAccelerateConfiguration`
    /// carrying the offending token verbatim.
    fn accelerate_flag_from_status(status: &str) -> Result<bool, RuntimeError> {
        match status {
            "Enabled" => Ok(true),
            "Suspended" => Ok(false),
            unknown => Err(RuntimeError::InvalidAccelerateConfiguration(
                unknown.to_string(),
            )),
        }
    }

    /// Sets the transfer-acceleration status of `bucket` from the S3 token
    /// in `status` (`Enabled` or `Suspended`).
    ///
    /// The token is validated before any state is touched, so a rejected
    /// request never partially updates the bucket. The accepted token is
    /// attached to the audit record and echoed back in the result.
    ///
    /// # Errors
    /// `InvalidAccelerateConfiguration` for an unrecognised token, plus the
    /// `authorize` and `require_bucket_mut` errors.
    pub fn put_bucket_accelerate_configuration(
        &mut self,
        principal: &str,
        bucket: &str,
        status: String,
    ) -> Result<BucketAccelerateConfiguration, RuntimeError> {
        self.authorize(
            principal,
            S3Action::PutBucketAccelerateConfiguration,
            bucket,
        )?;
        let accelerate_enabled = Self::accelerate_flag_from_status(&status)?;
        let target = self.require_bucket_mut(bucket)?;
        target.accelerate_enabled = accelerate_enabled;
        self.audit_allowed(
            principal,
            S3Action::PutBucketAccelerateConfiguration,
            bucket,
            Some(status.clone()),
        );
        Ok(BucketAccelerateConfiguration {
            bucket: bucket.to_string(),
            status,
        })
    }

    /// Returns the policy document of `bucket` exactly as it was stored by
    /// `put_bucket_policy` (the original JSON text, not a re-serialisation).
    ///
    /// # Errors
    /// `NoSuchBucketPolicy` when the bucket has no policy attached, plus the
    /// `authorize` and `require_bucket` errors.
    pub fn get_bucket_policy(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<BucketPolicyResult, RuntimeError> {
        self.authorize(principal, S3Action::GetBucketPolicy, bucket)?;
        let policy_json = match &self.require_bucket(bucket)?.policy {
            Some(state) => state.json.clone(),
            None => return Err(RuntimeError::NoSuchBucketPolicy(bucket.to_string())),
        };
        self.audit_allowed(principal, S3Action::GetBucketPolicy, bucket, None);
        Ok(BucketPolicyResult {
            bucket: bucket.to_string(),
            policy_json,
        })
    }

    /// Replaces the policy of `request.bucket` with the document in
    /// `request.policy_json`.
    ///
    /// The JSON is parsed with `parse_bucket_policy_json` before anything is
    /// stored, so a document that fails to parse leaves the existing policy
    /// (if any) untouched. Both the raw text and the parsed form are kept.
    ///
    /// NOTE(review): the audit record carries no detail (`None`), so the
    /// policy content itself is not captured in the audit trail; callers who
    /// need to reconstruct what was set must rely on the returned
    /// `policy_json` or a later `get_bucket_policy`.
    ///
    /// # Errors
    /// The parse error from `parse_bucket_policy_json`, plus the `authorize`
    /// and `require_bucket_mut` errors.
    pub fn put_bucket_policy(
        &mut self,
        principal: &str,
        request: BucketPolicyRequest,
    ) -> Result<BucketPolicyResult, RuntimeError> {
        let bucket = request.bucket;
        let policy_json = request.policy_json;
        self.authorize(principal, S3Action::PutBucketPolicy, &bucket)?;
        let policy = parse_bucket_policy_json(&policy_json)?;
        let stored = BucketPolicyState {
            json: policy_json.clone(),
            policy,
        };
        self.require_bucket_mut(&bucket)?.policy = Some(stored);
        self.audit_allowed(principal, S3Action::PutBucketPolicy, &bucket, None);
        Ok(BucketPolicyResult {
            bucket,
            policy_json,
        })
    }

    /// Reports whether the policy attached to `bucket` is considered public.
    ///
    /// "Public" here means exactly one thing: the policy analyser emitted a
    /// finding with code `allow-wildcard-principal`. Whether that finding
    /// accounts for narrowing conditions on a wildcard principal, or for
    /// other ways a bucket can become public, depends on `analyze()` and is
    /// not visible in this file — treat the flag as a policy heuristic, not
    /// a full public-access evaluation. The boolean is attached to the audit
    /// record as its string form.
    ///
    /// # Errors
    /// `NoSuchBucketPolicy` when the bucket has no policy, plus the
    /// `authorize` and `require_bucket` errors.
    pub fn get_bucket_policy_status(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<BucketPolicyStatus, RuntimeError> {
        self.authorize(principal, S3Action::GetBucketPolicyStatus, bucket)?;
        let bucket_state = self.require_bucket(bucket)?;
        let policy_state = match bucket_state.policy.as_ref() {
            Some(state) => state,
            None => return Err(RuntimeError::NoSuchBucketPolicy(bucket.to_string())),
        };
        let is_public = policy_state
            .policy
            .analyze()
            .iter()
            .any(|finding| finding.code == "allow-wildcard-principal");
        self.audit_allowed(
            principal,
            S3Action::GetBucketPolicyStatus,
            bucket,
            Some(is_public.to_string()),
        );
        Ok(BucketPolicyStatus {
            bucket: bucket.to_string(),
            is_public,
        })
    }

    /// Removes the policy attached to `bucket`.
    ///
    /// Deleting from a bucket that has no policy is an error rather than a
    /// silent no-op, so a caller cannot mistake "nothing to remove" for a
    /// successful removal.
    ///
    /// # Errors
    /// `NoSuchBucketPolicy` when no policy is attached, plus the `authorize`
    /// and `require_bucket_mut` errors.
    pub fn delete_bucket_policy(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<(), RuntimeError> {
        self.authorize(principal, S3Action::DeleteBucketPolicy, bucket)?;
        // `take` both checks for and clears the policy in one step.
        if self.require_bucket_mut(bucket)?.policy.take().is_none() {
            return Err(RuntimeError::NoSuchBucketPolicy(bucket.to_string()));
        }
        self.audit_allowed(principal, S3Action::DeleteBucketPolicy, bucket, None);
        Ok(())
    }

    /// Returns the ACL of `bucket`.
    ///
    /// The result is always the owner-only ACL built by `owner_acl_result`
    /// from the bucket's owner; no per-grantee ACL state is read here.
    ///
    /// # Errors
    /// Propagates the `authorize` and `require_bucket` errors.
    pub fn get_bucket_acl(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<AclResult, RuntimeError> {
        self.authorize(principal, S3Action::GetBucketAcl, bucket)?;
        let state = self.require_bucket(bucket)?;
        let owner = bucket_owner(state);
        self.audit_allowed(principal, S3Action::GetBucketAcl, bucket, None);
        Ok(owner_acl_result(bucket, None, None, owner))
    }

    /// Handles a PutBucketAcl request for `bucket`.
    ///
    /// No grant input is accepted and no ACL state is written: after the
    /// authorization check the method simply returns the owner-only ACL,
    /// recording `BucketOwnerEnforced` as the audit detail. That detail
    /// suggests ACLs are disabled in favour of bucket-owner ownership (as
    /// with S3 Object Ownership), but the enforcement itself lives in the
    /// callers and types outside this file — confirm before relying on it.
    ///
    /// # Errors
    /// Propagates the `authorize` and `require_bucket` errors.
    pub fn put_bucket_acl(
        &mut self,
        principal: &str,
        bucket: &str,
    ) -> Result<AclResult, RuntimeError> {
        self.authorize(principal, S3Action::PutBucketAcl, bucket)?;
        let state = self.require_bucket(bucket)?;
        let owner = bucket_owner(state);
        self.audit_allowed(
            principal,
            S3Action::PutBucketAcl,
            bucket,
            Some("BucketOwnerEnforced".to_string()),
        );
        Ok(owner_acl_result(bucket, None, None, owner))
    }

    /// Returns the ACL of object `key` in `bucket`, optionally for a specific
    /// `version_id`.
    ///
    /// Authorization is checked against the object resource built by
    /// `object_resource`, not the bucket. The owner and the version that was
    /// actually resolved come from `object_acl_owner_and_version`; the
    /// resolved version id is attached to the audit record and returned.
    ///
    /// # Errors
    /// Propagates the `authorize` and `object_acl_owner_and_version` errors.
    pub fn get_object_acl(
        &mut self,
        principal: &str,
        bucket: &str,
        key: &str,
        version_id: Option<&str>,
    ) -> Result<AclResult, RuntimeError> {
        let resource = object_resource(bucket, key);
        self.authorize(principal, S3Action::GetObjectAcl, &resource)?;
        let (owner, resolved_version) =
            self.object_acl_owner_and_version(bucket, key, version_id)?;
        self.audit_allowed(
            principal,
            S3Action::GetObjectAcl,
            &resource,
            Some(resolved_version.clone()),
        );
        let object_key = key.to_string();
        Ok(owner_acl_result(
            bucket,
            Some(object_key),
            Some(resolved_version),
            owner,
        ))
    }

    /// Handles a PutObjectAcl request for object `key` in `bucket`.
    ///
    /// As with `put_bucket_acl`, no grant input is accepted and nothing is
    /// written: the method authorizes against the object resource, resolves
    /// the owner and version, audits with detail `BucketOwnerEnforced`, and
    /// returns the owner-only ACL. The resolved version id is returned but
    /// (unlike `get_object_acl`) is not part of the audit detail.
    ///
    /// # Errors
    /// Propagates the `authorize` and `object_acl_owner_and_version` errors.
    pub fn put_object_acl(
        &mut self,
        principal: &str,
        bucket: &str,
        key: &str,
        version_id: Option<&str>,
    ) -> Result<AclResult, RuntimeError> {
        let resource = object_resource(bucket, key);
        self.authorize(principal, S3Action::PutObjectAcl, &resource)?;
        let (owner, resolved_version) =
            self.object_acl_owner_and_version(bucket, key, version_id)?;
        self.audit_allowed(
            principal,
            S3Action::PutObjectAcl,
            &resource,
            Some("BucketOwnerEnforced".to_string()),
        );
        let object_key = key.to_string();
        Ok(owner_acl_result(
            bucket,
            Some(object_key),
            Some(resolved_version),
            owner,
        ))
    }
}