IAM | Bucket policy Principal validation

Signed-off-by: Naveen Paul <napaul@redhat.com>

Author: naveenpaul1

src/api/account_api.js

@@ -620,6 +620,7 @@ module.exports = {
             type: 'object',
             required: ['name', 'email', 'has_s3_access'],
             properties: {
+                _id: { type: 'string'},
                 name: { $ref: 'common_api#/definitions/account_name' },
                 email: { $ref: 'common_api#/definitions/email' },
                 is_support: {
@@ -661,6 +662,12 @@ module.exports = {
                 bucket_claim_owner: {
                     $ref: 'common_api#/definitions/bucket_name',
                 },
+                owner: {
+                    type: 'string',
+                },
+                iam_path: {
+                    type: 'string',
+                },
                 external_connections: {
                     type: 'object',
                     properties: {

src/endpoint/iam/iam_utils.js

@@ -46,6 +46,15 @@ function create_arn_for_user(account_id, username, iam_path) {
     return `${basic_structure}/${username}`;
 }
 
+/**
+ * create_arn_for_account creates the AWS ARN for account
+ * see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
+ * @param {string} account_id (the root user account id)
+ */
+function create_arn_for_account(account_id) {
+    return `arn:aws:iam::${account_id}:root`;
+}
+
 /**
  * get_action_message_title returns the full action name
  * @param {string} action (The action name as it is in AccountSpace)
@@ -815,6 +824,7 @@ function validate_list_user_tags_params(params) {
 // EXPORTS
 exports.format_iam_xml_date = format_iam_xml_date;
 exports.create_arn_for_user = create_arn_for_user;
+exports.create_arn_for_account = create_arn_for_account;
 exports.create_arn_for_root = create_arn_for_root;
 exports.get_action_message_title = get_action_message_title;
 exports.check_iam_path_was_set = check_iam_path_was_set;

src/endpoint/s3/s3_rest.js

@@ -12,6 +12,7 @@ const s3_logging = require('./s3_bucket_logging');
 const time_utils = require('../../util/time_utils');
 const http_utils = require('../../util/http_utils');
 const signature_utils = require('../../util/signature_utils');
+const iam_utils = require('../../endpoint/iam/iam_utils');
 const config = require('../../../config');
 const s3_utils = require('./s3_utils');
 
@@ -254,6 +255,8 @@ async function authorize_request_policy(req) {
     const account = req.object_sdk.requesting_account;
     const account_identifier_name = req.object_sdk.nsfs_config_root ? account.name.unwrap() : account.email.unwrap();
     const account_identifier_id = req.object_sdk.nsfs_config_root ? account._id : undefined;
+    const arn = account.owner ? iam_utils.create_arn_for_user(account.owner, account.name.unwrap().split(':')[0], account.iam_path) :
+                                    iam_utils.create_arn_for_account(account._id);
 
     // deny delete_bucket permissions from bucket_claim_owner accounts (accounts that were created by OBC from openshift\k8s)
     // the OBC bucket can still be delete by normal accounts according to the access policy which is checked below
@@ -292,6 +295,7 @@ async function authorize_request_policy(req) {
     // in case we have bucket policy
     let permission_by_id;
     let permission_by_name;
+    let permission_by_arn;
 
     // In NC, we allow principal to be:
     // 1. account name (for backwards compatibility)
@@ -303,15 +307,20 @@ async function authorize_request_policy(req) {
         dbg.log3('authorize_request_policy: permission_by_id', permission_by_id);
     }
     if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);
-
     if ((!account_identifier_id || permission_by_id !== "DENY") && account.owner === undefined) {
         permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(
             s3_policy, account_identifier_name, method, arn_path, req, public_access_block?.restrict_public_buckets
         );
         dbg.log3('authorize_request_policy: permission_by_name', permission_by_name);
     }
     if (permission_by_name === "DENY") throw new S3Error(S3Error.AccessDenied);
-    if ((permission_by_id === "ALLOW" || permission_by_name === "ALLOW") || is_owner) return;
+    if (!account_identifier_id) {
+        permission_by_arn = await s3_bucket_policy_utils.has_bucket_policy_permission(
+            s3_policy, arn, method, arn_path, req, public_access_block?.restrict_public_buckets
+        );
+        dbg.log3('authorize_request_policy: permission_by_arn', permission_by_arn);
+    }
+    if ((permission_by_id === "ALLOW" || permission_by_name === "ALLOW" || permission_by_arn === "ALLOW") || is_owner) return;
 
     throw new S3Error(S3Error.AccessDenied);
 }

src/server/common_services/auth_server.js

@@ -15,6 +15,7 @@ const addr_utils = require('../../util/addr_utils');
 const kube_utils = require('../../util/kube_utils');
 const jwt_utils = require('../../util/jwt_utils');
 const config = require('../../../config');
+const iam_utils = require('../../endpoint/iam/iam_utils');
 const s3_bucket_policy_utils = require('../../endpoint/s3/s3_bucket_policy_utils');
 
 
@@ -548,10 +549,11 @@ async function has_bucket_action_permission(bucket, account, action, req_query,
     if (!action) {
         throw new Error('has_bucket_action_permission: action is required');
     }
-
+    const arn = account.owner ? iam_utils.create_arn_for_user(account.owner._id.toString(), account.name.unwrap().split(':')[0], account.iam_path) :
+                                    iam_utils.create_arn_for_account(account._id);
     const result = await s3_bucket_policy_utils.has_bucket_policy_permission(
         bucket_policy,
-        account.email.unwrap(),
+        arn,
         action,
         `arn:aws:s3:::${bucket.name.unwrap()}${bucket_path}`,
         req_query

src/server/system_services/account_server.js

@@ -988,7 +988,7 @@ function get_account_info(account, include_connection_cache) {
         'has_login',
         'allowed_ips',
     );
-
+    info._id = account._id.toString();
     if (account.is_support) {
         info.is_support = true;
         info.has_login = true;
@@ -998,7 +998,8 @@ function get_account_info(account, include_connection_cache) {
             secret_key: 'Not Accesible'
         }];
     }
-
+    info.owner = account.owner?._id.toString();
+    info.iam_path = account.iam_path;
     if (account.next_password_change) {
         info.next_password_change = account.next_password_change.getTime();
     }

src/server/system_services/bucket_server.js

@@ -11,6 +11,7 @@ const GoogleStorage = require('../../util/google_storage_wrap');
 
 const P = require('../../util/promise');
 const dbg = require('../../util/debug_module')(__filename);
+const SensitiveString = require('../../util/sensitive_string');
 const config = require('../../../config');
 const MDStore = require('../object_services/md_store').MDStore;
 const BucketStatsStore = require('../analytic_services/bucket_stats_store').BucketStatsStore;
@@ -39,6 +40,7 @@ const bucket_semaphore = new KeysSemaphore(1);
 const Quota = require('../system_services/objects/quota');
 const { STORAGE_CLASS_GLACIER_IR } = require('../../endpoint/s3/s3_utils');
 const noobaa_s3_client = require('../../sdk/noobaa_s3_client/noobaa_s3_client');
+const string_utils = require('../../util/string_utils');
 
 const VALID_BUCKET_NAME_REGEXP =
     /^(([a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*([a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])$/;
@@ -512,12 +514,37 @@ async function get_bucket_policy(req) {
     };
 }
 
+/* 
+    validate ARN principle 
+    1. validate basic ARN, like arn prefix `arn:aws:iam::`
+    2. If principal ARN end with `root sufix its a account and get account with id eg : arn:aws:iam::${account_id}:root
+    3. if principle ARN contains `user` its a IAM user and get account with username and id 
+        eg : arn:aws:iam::${account_id}:user/${iam_path}/${use_name}
+        account email = ${iam_user_name}:${account_id}
+*/
+async function principal_validation_handler(principal) {
+    const principal_as_string = principal instanceof SensitiveString ? principal.unwrap() : principal;
+    const root_sufix = 'root';
+    const user_sufix = 'user';
+    const arn_parts = principal_as_string.split(':');
+    if (!string_utils.AWS_ARN_REGEXP.test(principal_as_string)) {
+        return;
+    }
+    const account_id = arn_parts[4];
+    if (principal_as_string.endsWith(root_sufix)) {
+        return system_store.data.accounts.find(account => account._id.toString() === account_id);
+    } else if (arn_parts[5] && arn_parts[5].startsWith(user_sufix)) {
+        const arn_path_parts = principal_as_string.split('/');
+        const iam_user_name = arn_path_parts[arn_path_parts.length - 1].trim();
+        return system_store.get_account_by_email(new SensitiveString(`${iam_user_name}:${account_id}`));
+    }
+}
 
 async function put_bucket_policy(req) {
     dbg.log0('put_bucket_policy:', req.rpc_params);
     const bucket = find_bucket(req, req.rpc_params.name);
     await bucket_policy_utils.validate_s3_policy(req.rpc_params.policy, bucket.name,
-        principal => system_store.get_account_by_email(principal));
+        principal => principal_validation_handler(principal));
 
     if (
         bucket.public_access_block?.block_public_policy &&