From 67b402469437f357fbd864c7b7674cc801252e5e Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Fri, 13 Aug 2021 11:01:52 +0200
Subject: [PATCH] Reconcile if managedFile is public or not

---
 upup/pkg/fi/fitasks/managedfile.go | 16 +++++++++++++++-
 util/pkg/vfs/s3fs.go | 21 +++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/upup/pkg/fi/fitasks/managedfile.go b/upup/pkg/fi/fitasks/managedfile.go
index d964a00e40794..b6138d2936165 100644
--- a/upup/pkg/fi/fitasks/managedfile.go
+++ b/upup/pkg/fi/fitasks/managedfile.go
@@ -52,7 +52,9 @@ func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
 return nil, nil
 }

- existingData, err := managedFiles.Join(location).ReadFile()
+ filePath := managedFiles.Join(location)
+
+ existingData, err := filePath.ReadFile()
 if err != nil {
 if os.IsNotExist(err) {
 return nil, nil
@@ -67,6 +69,18 @@ func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
 Contents: fi.NewBytesResource(existingData),
 }

+ if s3file, ok := filePath.(*vfs.S3Path); ok {
+ public, err := s3file.IsPublic()
+ if err != nil {
+ return nil, err
+ }
+ actual.Public = &public
+
+ if e.Public == nil {
+ e.Public = fi.Bool(false)
+ }
+ }
+
 // Avoid spurious changes
 actual.Lifecycle = e.Lifecycle

diff --git a/util/pkg/vfs/s3fs.go b/util/pkg/vfs/s3fs.go
index 2318ca552ac91..c8aeb2f13a315 100644
--- a/util/pkg/vfs/s3fs.go
+++ b/util/pkg/vfs/s3fs.go
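Review bot: The `if e.Public == nil { e.Public = fi.Bool(false) }` block in the second managedfile.go hunk mutates the desired-state task from inside Find, which is unusual for a Find and deserves a why-comment; I would add `// Default the expected value to private so an unset Public does not report a diff against an object with no AllUsers grant.` above it. Note also that `actual.Public` is only populated for `*vfs.S3Path`; for other backends it stays nil, so a task that sets Public on a non-S3 path may presumably see a permanent difference — worth confirming against how the task comparison treats a nil actual value. Find's body starts before the first hunk and continues past the end of the second.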
@@ -481,6 +481,27 @@ func (p *S3Path) GetHTTPsUrl() (string, error) {
 return strings.TrimSuffix(url, "/"), nil
 }

+func (p *S3Path) IsPublic() (bool, error) {
+ client, err := p.client()
+ if err != nil {
+ return false, err
+ }
+ acl, err := client.GetObjectAcl(&s3.GetObjectAclInput{
+ Bucket: &p.bucket,
+ Key: &p.key,
+ })
+ if err != nil {
+ return false, fmt.Errorf("failed to get grant for key %q in bucket %q: %w", p.key, p.bucket, err)
+ }
+
+ for _, grant := range acl.Grants {
+ if aws.StringValue(grant.Grantee.URI) == "http://acs.amazonaws.com/groups/global/AllUsers" {
+ return aws.StringValue(grant.Permission) == "READ", nil
+ }
+ }
+ return false, nil
+}
+
 type terraformS3File struct {
 Bucket string `json:"bucket" cty:"bucket"`
 Key string `json:"key" cty:"key"`
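Review bot: The grant loop returns on the first AllUsers grantee it meets, so an ACL carrying several AllUsers grants (each Grant holds a single Permission, so e.g. READ and WRITE arrive as separate entries) is reported as not public whenever a non-READ entry happens to come first, and an AllUsers `FULL_CONTROL` grant, which includes read, is likewise reported as not public. Both cases under-report exposure, which matters because Find uses this result to decide whether the object's access needs reconciling. `grant.Grantee` is also dereferenced without a nil check even though the SDK types it as a pointer. The method is exported and lacks a doc comment; I would add `// IsPublic reports whether the object's ACL grants READ (or FULL_CONTROL) to the AllUsers group. It inspects only the object ACL; a bucket policy can expose the object independently.` The loop below scans every grant instead of stopping at the first match.
```go
	// … unchanged: client lookup and GetObjectAcl call …
	for _, grant := range acl.Grants {
		if grant.Grantee == nil || aws.StringValue(grant.Grantee.URI) != "http://acs.amazonaws.com/groups/global/AllUsers" {
			continue
		}
		// Any read-capable permission granted to AllUsers makes the object world-readable.
		switch aws.StringValue(grant.Permission) {
		case "READ", "FULL_CONTROL":
			return true, nil
		}
	}
	return false, nil
```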