def get_acl(self, headers, body, bucket_owner, object_owner=None): """ Get ACL instance from S3 (e.g. x-amz-grant) headers or S3 acl xml body. """ acl = ACL.from_headers(headers, bucket_owner, object_owner, as_private=False) if acl is None: # Get acl from request body if possible. if not body: raise MissingSecurityHeader(missing_header_name='x-amz-acl') try: elem = fromstring(body, ACL.root_tag) acl = ACL.from_elem(elem, True, self.req.allow_no_owner) except (XMLSyntaxError, DocumentInvalid): raise MalformedACLError() except Exception as e: exc_type, exc_value, exc_traceback = sys.exc_info() self.logger.error(e) raise exc_type, exc_value, exc_traceback else: if body: # Specifying grant with both header and xml is not allowed. raise UnexpectedContent() return acl
def PUT(self, req): """ Handles PUT Bucket acl and PUT Object acl. """ if req.is_object_request: # Handle Object ACL raise S3NotImplemented() else: # Handle Bucket ACL xml = req.xml(MAX_ACL_BODY_SIZE) if all(['HTTP_X_AMZ_ACL' in req.environ, xml]): # S3 doesn't allow to give ACL with both ACL header and body. raise UnexpectedContent() elif not any(['HTTP_X_AMZ_ACL' in req.environ, xml]): # Both canned ACL header and xml body are missing raise MissingSecurityHeader(missing_header_name='x-amz-acl') else: # correct ACL exists in the request if xml: # We very likely have an XML-based ACL request. # let's try to translate to the request header try: translated_acl = swift_acl_translate(xml, xml=True) except ACLError: raise MalformedACLError() for header, acl in translated_acl: req.headers[header] = acl resp = req.get_response(self.app, 'POST') resp.status = HTTP_OK resp.headers.update({'Location': req.container_name}) return resp
def from_elem(elem): type = elem.get('{%s}type' % XMLNS_XSI) if type == 'CanonicalUser': value = elem.find('./ID').text return User(value) elif type == 'Group': value = elem.find('./URI').text subclass = get_group_subclass_from_uri(value) return subclass() elif type == 'AmazonCustomerByEmail': raise S3NotImplemented() else: raise MalformedACLError()
def swift_acl_translate(acl, group='', user='', xml=False): """ Takes an S3 style ACL and returns a list of header/value pairs that implement that ACL in Swift, or "NotImplemented" if there isn't a way to do that yet. """ swift_acl = {} swift_acl['public-read'] = [['X-Container-Read', '.r:*,.rlistings']] # Swift does not support public write: # https://answers.launchpad.net/swift/+question/169541 swift_acl['public-read-write'] = [['X-Container-Write', '.r:*'], ['X-Container-Read', '.r:*,.rlistings']] # TODO: if there's a way to get group and user, this should work for # private: # swift_acl['private'] = \ # [['HTTP_X_CONTAINER_WRITE', group + ':' + user], \ # ['HTTP_X_CONTAINER_READ', group + ':' + user]] swift_acl['private'] = [['X-Container-Write', '.'], ['X-Container-Read', '.']] if xml: # We are working with XML and need to parse it try: elem = fromstring(acl, 'AccessControlPolicy') except (XMLSyntaxError, DocumentInvalid): raise MalformedACLError() acl = 'unknown' for grant in elem.findall('./AccessControlList/Grant'): permission = grant.find('./Permission').text grantee = grant.find('./Grantee').get('{%s}type' % XMLNS_XSI) if permission == "FULL_CONTROL" and grantee == 'CanonicalUser' and\ acl != 'public-read' and acl != 'public-read-write': acl = 'private' elif permission == "READ" and grantee == 'Group' and\ acl != 'public-read-write': acl = 'public-read' elif permission == "WRITE" and grantee == 'Group': acl = 'public-read-write' else: acl = 'unsupported' if acl == 'authenticated-read': raise S3NotImplemented() elif acl not in swift_acl: raise ACLError() return swift_acl[acl]