def wrapper(*args, **kwargs):
req = args[1]
# If there is no callback, IAM is disabled,
# thus we let everything pass through.
rules_cb = req.environ.get(IAM_RULES_CALLBACK)
if rules_cb is None:
return func(*args, **kwargs)
# Maybe ACLs authorized the request.
acl_allow = req.environ.get(ACL_EXPLICIT_ALLOW)
# IAM rules will be checked. We don't know yet if they allow
# the request, thus we consider they don't.
req.environ[IAM_EXPLICIT_ALLOW] = False
# FIXME(IAM): refine the callback parameters
matcher = rules_cb(req)
if matcher:
# FIXME(IAM): a * must be used as object name,
# not as wildcard in Resource below
if req.object_name:
rsc = IamResource(req.container_name + '/' +
req.object_name)
elif req.container_name:
rsc = IamResource(req.container_name)
else:
rsc = None
effect, _sid = matcher(rsc, action, req)
# TODO(IAM): log sid, the ID of the matched rule statement
# An IAM rule explicitly denies the request.
if effect == EXPLICIT_DENY:
raise AccessDenied()
# No IAM rule matched, and ACLs do not allow the request.
if effect is None and acl_allow is False:
raise AccessDenied()
req.environ[IAM_EXPLICIT_ALLOW] = effect == EXPLICIT_ALLOW
# If there is no rule for this user, and ACLs did not grant
# access rights, don't let anything pass through.
elif acl_allow is False:
raise AccessDenied()
# else:
# # acl_allow is None -> ACLs were not checked yet.
return func(*args, **kwargs)
def check_owner(self, user_id):
"""
Check that the user is an owner.
"""
if not self.s3_acl:
# Ignore S3api ACL.
return
if not self.owner.id:
if self.allow_no_owner:
# No owner means public.
return
raise AccessDenied()
if user_id != self.owner.id:
raise AccessDenied()
def PUT(self, app):
req_acl = ACL.from_headers(self.req.headers,
Owner(self.user_id, self.user_id))
if not self.req.environ.get('swift_owner'):
raise AccessDenied()
# To avoid overwriting the existing bucket's ACL, we send PUT
# request first before setting the ACL to make sure that the target
# container does not exist.
self.req.get_acl_response(app, 'PUT', self.container)
# update metadata
self.req.bucket_acl = req_acl
# FIXME If this request is failed, there is a possibility that the
# bucket which has no ACL is left.
return self.req.get_acl_response(app, 'POST')
def check_permission(self, user_id, permission):
"""
Check that the user has a permission.
"""
if not self.s3_acl:
# Ignore S3api ACL.
return
try:
# owners have full control permission
self.check_owner(user_id)
return
except AccessDenied:
pass
if permission in PERMISSIONS:
for g in self.grants:
if g.allow(user_id, 'FULL_CONTROL') or \
g.allow(user_id, permission):
return
raise AccessDenied()