From 4ed6b584e22eb332bfdc61112a625d49c772bafb Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 22 Feb 2020 21:34:18 -0800
Subject: [PATCH] s3: access control limited by bucket

---
 weed/command/s3.go | 13 +++++++++++++
 weed/s3api/auth_credentials.go | 34 +++++++++++++++++++++++++---------
 2 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/weed/command/s3.go b/weed/command/s3.go
index 4dc4b82f6..5fb59fcca 100644
--- a/weed/command/s3.go
+++ b/weed/command/s3.go
@@ -87,6 +87,19 @@ var cmdS3 = &Command{
 "Read",
 "Write"
 ]
+ },
+ {
+ "name": "user_limited_to_bucket1",
+ "credentials": [
+ {
+ "accessKey": "some_access_key4",
+ "secretKey": "some_secret_key4"
+ }
+ ],
+ "actions": [
+ "Read:bucket1",
+ "Write:bucket1"
+ ]
 }
 ]
 }
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 6d3363232..c1e8dff1e 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -7,6 +7,7 @@ import (
 "net/http"
 
 "github.com/golang/protobuf/jsonpb"
+ "github.com/gorilla/mux"
 
 "github.com/chrislusf/seaweedfs/weed/glog"
 "github.com/chrislusf/seaweedfs/weed/pb/iam_pb"
@@ -101,14 +102,14 @@ func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identi
 return nil, nil, false
 }
 
-func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, actions ...Action) http.HandlerFunc {
+func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, action Action) http.HandlerFunc {
 
 if len(iam.identities) == 0 {
 return f
 }
 
 return func(w http.ResponseWriter, r *http.Request) {
- errCode := iam.authRequest(r, actions)
+ errCode := iam.authRequest(r, action)
 if errCode == ErrNone {
 f(w, r)
 return
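Review bot: The sample config introduces the `Read:bucket1` / `Write:bucket1` form without saying what the suffix means, and the help text that precedes this JSON lies outside the hunk. A bucket-scoped grant is only safe to hand out if operators know that a bare action covers every bucket while `Action:bucket` restricts it to one, and that a request whose route carries no bucket cannot match the scoped form and is therefore denied to such a user. Suggest one sentence in the help prose next to the example, e.g. `Actions may be limited to a single bucket with the form "Action:bucket" (e.g. "Read:bucket1"); a bare action applies to every bucket.` The JSON itself cannot carry a comment, so the surrounding help text is the right place.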
@@ -118,7 +119,7 @@ func (iam *IdentityAccessManagement) Auth(f http.HandlerFunc, actions ...Action)
 }
 
 // check whether the request has valid access keys
-func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Action) ErrorCode {
+func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) ErrorCode {
 var identity *Identity
 var s3Err ErrorCode
 switch getRequestAuthType(r) {
@@ -152,7 +153,10 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Acti
 
 glog.V(3).Infof("user name: %v actions: %v", identity.Name, identity.Actions)
 
- if !identity.canDo(actions) {
+ vars := mux.Vars(r)
+ bucket := vars["bucket"]
+
+ if !identity.canDo(action, bucket) {
 return ErrAccessDenied
 }
 
@@ -160,12 +164,24 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, actions []Acti
 
 }
 
-func (identity *Identity) canDo(actions []Action) bool {
+func (identity *Identity) canDo(action Action, bucket string) bool {
 for _, a := range identity.Actions {
- for _, b := range actions {
- if a == b {
- return true
- }
+ if a == "Admin" {
+ return true
+ }
+ }
+ for _, a := range identity.Actions {
+ if a == action {
+ return true
+ }
+ }
+ if bucket == "" {
+ return false
+ }
+ limitedByBucket := string(action) + ":" + bucket
+ for _, a := range identity.Actions {
+ if string(a) == limitedByBucket {
+ return true
 }
 }
 return false
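Review bot: `Auth` is exported but still has no doc comment, and this hunk changes its signature from variadic `actions ...Action` to a single `action Action`; any caller that passed zero or several actions no longer compiles, and the diffstat lists no caller file, so presumably every call site already passes exactly one. Suggest `// Auth wraps f so that the request is authenticated and authorized for action before f runs; when no identities are configured every request is passed through unchecked.` above the signature; the second clause documents the early `return f` visible in the hunk, which is worth stating explicitly since it is the switch between an authenticated and an open endpoint. The closing of Auth lies past the end of this hunk.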
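Review bot: `bucket := vars["bucket"]` makes the authorization decision depend on the route having named a `{bucket}` path variable; for a handler registered under a pattern without it, `bucket` is empty and an identity whose grants are all bucket-scoped is denied by `canDo`. That is a sound fail-closed default but is not obvious at the call site, so add `// bucket is empty for routes without a {bucket} variable; such requests match only unscoped grants` above the `mux.Vars` call. No nil guard is needed: indexing a nil map yields the zero value, so a nil result from `mux.Vars` is harmless. The enclosing authRequest starts before this hunk and continues past it.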
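Review bot: `canDo` now walks `identity.Actions` three times with the `"Admin"` literal and the `":"` separator inlined, and carries no comment describing the grant forms it recognises. A single pass with the scoped key computed once reads more directly and makes the three forms explicit; if the package already defines a named constant for the admin action, prefer it over the literal. Because the match is an exact string comparison, a grant on `bucket1` does not cover any other spelling of that name, which the doc comment should state so nobody expects case-folding or prefix matching. The rewrite below preserves the decision for every input: any matching entry returns true, and an empty bucket can only match the first two forms.
```go
// canDo reports whether identity may perform action on bucket.
// Three grant forms are recognised in identity.Actions: "Admin" permits
// everything, a bare action (e.g. "Read") permits it on every bucket, and
// "<action>:<bucket>" permits it on exactly that bucket (exact string
// match, no normalisation). When the request carries no bucket (empty
// string) only the first two forms can match.
func (identity *Identity) canDo(action Action, bucket string) bool {
	var scoped string
	if bucket != "" {
		scoped = string(action) + ":" + bucket
	}
	for _, a := range identity.Actions {
		switch {
		case a == "Admin", a == action:
			return true
		case scoped != "" && string(a) == scoped:
			return true
		}
	}
	return false
}
```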