use super::*;
impl BucketWarden {
pub fn get_bucket_ownership_controls(
&mut self,
principal: &str,
bucket: &str,
) -> Result<BucketOwnershipControls, RuntimeError> {
self.authorize(principal, S3Action::GetBucketOwnershipControls, bucket)?;
let object_ownership = self
.require_bucket(bucket)?
.ownership
.object_ownership
.clone();
self.audit_allowed(
principal,
S3Action::GetBucketOwnershipControls,
bucket,
Some(object_ownership.clone()),
);
Ok(BucketOwnershipControls {
bucket: bucket.to_string(),
object_ownership,
})
}
pub fn put_bucket_ownership_controls(
&mut self,
principal: &str,
bucket: &str,
object_ownership: String,
) -> Result<BucketOwnershipControls, RuntimeError> {
self.authorize(principal, S3Action::PutBucketOwnershipControls, bucket)?;
validate_object_ownership(&object_ownership)?;
self.require_bucket_mut(bucket)?.ownership = BucketOwnershipState {
object_ownership: object_ownership.clone(),
};
self.audit_allowed(
principal,
S3Action::PutBucketOwnershipControls,
bucket,
Some(object_ownership.clone()),
);
Ok(BucketOwnershipControls {
bucket: bucket.to_string(),
object_ownership,
})
}
pub fn delete_bucket_ownership_controls(
&mut self,
principal: &str,
bucket: &str,
) -> Result<(), RuntimeError> {
self.authorize(principal, S3Action::DeleteBucketOwnershipControls, bucket)?;
self.require_bucket_mut(bucket)?.ownership = BucketOwnershipState::default();
self.audit_allowed(
principal,
S3Action::DeleteBucketOwnershipControls,
bucket,
Some("BucketOwnerEnforced".to_string()),
);
Ok(())
}
pub fn get_bucket_tagging(
&mut self,
principal: &str,
bucket: &str,
) -> Result<BucketTaggingResult, RuntimeError> {
self.authorize(principal, S3Action::GetBucketTagging, bucket)?;
let tags = self.require_bucket(bucket)?.tags.clone();
if tags.is_empty() {
return Err(RuntimeError::NoSuchTagSet(bucket.to_string()));
}
self.audit_allowed(
principal,
S3Action::GetBucketTagging,
bucket,
Some(tags.len().to_string()),
);
Ok(BucketTaggingResult {
bucket: bucket.to_string(),
tags,
})
}
pub fn put_bucket_tagging(
&mut self,
principal: &str,
request: BucketTaggingRequest,
) -> Result<BucketTaggingResult, RuntimeError> {
self.authorize(principal, S3Action::PutBucketTagging, &request.bucket)?;
validate_tags(&request.tags)?;
self.require_bucket_mut(&request.bucket)?.tags = request.tags.clone();
self.audit_allowed(
principal,
S3Action::PutBucketTagging,
&request.bucket,
Some(request.tags.len().to_string()),
);
Ok(BucketTaggingResult {
bucket: request.bucket,
tags: request.tags,
})
}
pub fn delete_bucket_tagging(
&mut self,
principal: &str,
bucket: &str,
) -> Result<(), RuntimeError> {
self.authorize(principal, S3Action::DeleteBucketTagging, bucket)?;
self.require_bucket_mut(bucket)?.tags.clear();
self.audit_allowed(principal, S3Action::DeleteBucketTagging, bucket, None);
Ok(())
}
pub fn get_bucket_request_payment(
&mut self,
principal: &str,
bucket: &str,
) -> Result<BucketRequestPaymentConfiguration, RuntimeError> {
self.authorize(principal, S3Action::GetBucketRequestPayment, bucket)?;
let payer = self.require_bucket(bucket)?.request_payment_payer.clone();
self.audit_allowed(
principal,
S3Action::GetBucketRequestPayment,
bucket,
Some(payer.clone()),
);
Ok(BucketRequestPaymentConfiguration {
bucket: bucket.to_string(),
payer,
})
}
pub fn put_bucket_request_payment(
&mut self,
principal: &str,
bucket: &str,
payer: String,
) -> Result<BucketRequestPaymentConfiguration, RuntimeError> {
self.authorize(principal, S3Action::PutBucketRequestPayment, bucket)?;
if payer != "BucketOwner" && payer != "Requester" {
return Err(RuntimeError::InvalidRequestPaymentConfiguration(
payer.to_string(),
));
}
self.require_bucket_mut(bucket)?.request_payment_payer = payer.clone();
self.audit_allowed(
principal,
S3Action::PutBucketRequestPayment,
bucket,
Some(payer.clone()),
);
Ok(BucketRequestPaymentConfiguration {
bucket: bucket.to_string(),
payer,
})
}
pub fn get_public_access_block(
&mut self,
principal: &str,
bucket: &str,
) -> Result<PublicAccessBlockConfiguration, RuntimeError> {
self.authorize(principal, S3Action::GetPublicAccessBlock, bucket)?;
let state = self
.require_bucket(bucket)?
.public_access_block
.clone()
.ok_or_else(|| {
RuntimeError::NoSuchPublicAccessBlockConfiguration(bucket.to_string())
})?;
self.audit_allowed(
principal,
S3Action::GetPublicAccessBlock,
bucket,
Some(format!(
"{}/{}/{}/{}",
state.block_public_acls,
state.ignore_public_acls,
state.block_public_policy,
state.restrict_public_buckets
)),
);
Ok(PublicAccessBlockConfiguration {
bucket: bucket.to_string(),
block_public_acls: state.block_public_acls,
ignore_public_acls: state.ignore_public_acls,
block_public_policy: state.block_public_policy,
restrict_public_buckets: state.restrict_public_buckets,
})
}
pub fn put_public_access_block(
&mut self,
principal: &str,
request: PublicAccessBlockConfiguration,
) -> Result<PublicAccessBlockConfiguration, RuntimeError> {
self.authorize(principal, S3Action::PutPublicAccessBlock, &request.bucket)?;
self.require_bucket_mut(&request.bucket)?
.public_access_block = Some(BucketPublicAccessBlockState {
block_public_acls: request.block_public_acls,
ignore_public_acls: request.ignore_public_acls,
block_public_policy: request.block_public_policy,
restrict_public_buckets: request.restrict_public_buckets,
});
self.audit_allowed(
principal,
S3Action::PutPublicAccessBlock,
&request.bucket,
Some(format!(
"{}/{}/{}/{}",
request.block_public_acls,
request.ignore_public_acls,
request.block_public_policy,
request.restrict_public_buckets
)),
);
Ok(request)
}
pub fn delete_public_access_block(
&mut self,
principal: &str,
bucket: &str,
) -> Result<(), RuntimeError> {
self.authorize(principal, S3Action::DeletePublicAccessBlock, bucket)?;
self.require_bucket_mut(bucket)?.public_access_block = None;
self.audit_allowed(principal, S3Action::DeletePublicAccessBlock, bucket, None);
Ok(())
}
pub fn get_bucket_object_lock_configuration(
&mut self,
principal: &str,
bucket: &str,
) -> Result<BucketObjectLockConfiguration, RuntimeError> {
self.authorize(
principal,
S3Action::GetBucketObjectLockConfiguration,
bucket,
)?;
let state = self.require_bucket(bucket)?.object_lock.clone();
self.audit_allowed(
principal,
S3Action::GetBucketObjectLockConfiguration,
bucket,
Some(state.enabled.to_string()),
);
Ok(BucketObjectLockConfiguration {
bucket: bucket.to_string(),
enabled: state.enabled,
default_retention: state.default_retention,
})
}
pub fn put_bucket_object_lock_configuration(
&mut self,
principal: &str,
bucket: &str,
default_retention: Option<ObjectLockDefaultRetention>,
) -> Result<BucketObjectLockConfiguration, RuntimeError> {
self.authorize(
principal,
S3Action::PutBucketObjectLockConfiguration,
bucket,
)?;
validate_default_retention(&default_retention)?;
self.require_bucket_mut(bucket)?.object_lock = BucketObjectLockState {
enabled: true,
default_retention: default_retention.clone(),
};
self.audit_allowed(
principal,
S3Action::PutBucketObjectLockConfiguration,
bucket,
Some(default_retention.is_some().to_string()),
);
Ok(BucketObjectLockConfiguration {
bucket: bucket.to_string(),
enabled: true,
default_retention,
})
}
pub fn get_bucket_encryption(
&mut self,
principal: &str,
bucket: &str,
) -> Result<BucketEncryptionConfiguration, RuntimeError> {
self.authorize(principal, S3Action::GetBucketEncryption, bucket)?;
let default_encryption = self
.require_bucket(bucket)?
.encryption
.clone()
.ok_or_else(|| RuntimeError::NoSuchBucketEncryption(bucket.to_string()))?;
self.audit_allowed(principal, S3Action::GetBucketEncryption, bucket, None);
Ok(BucketEncryptionConfiguration {
bucket: bucket.to_string(),
default_encryption,
})
}
pub fn put_bucket_encryption(
&mut self,
principal: &str,
bucket: &str,
default_encryption: ServerSideEncryption,
) -> Result<BucketEncryptionConfiguration, RuntimeError> {
self.authorize(principal, S3Action::PutBucketEncryption, bucket)?;
let default_encryption = self.normalize_encryption(default_encryption)?;
self.require_bucket_mut(bucket)?.encryption = Some(default_encryption.clone());
self.audit_allowed(
principal,
S3Action::PutBucketEncryption,
bucket,
Some(default_encryption.algorithm.clone()),
);
Ok(BucketEncryptionConfiguration {
bucket: bucket.to_string(),
default_encryption,
})
}
pub fn delete_bucket_encryption(
&mut self,
principal: &str,
bucket: &str,
) -> Result<(), RuntimeError> {
self.authorize(principal, S3Action::DeleteBucketEncryption, bucket)?;
self.require_bucket_mut(bucket)?.encryption = None;
self.audit_allowed(principal, S3Action::DeleteBucketEncryption, bucket, None);
Ok(())
}
}