11 changes: 5 additions & 6 deletions pkg/gateway/operations/deleteobject.go
Expand Up @@ -4,6 +4,7 @@ import (
"errors"
"net/http"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/block"
"github.com/treeverse/lakefs/pkg/catalog"
gatewayerrors "github.com/treeverse/lakefs/pkg/gateway/errors"
Expand All @@ -14,12 +15,10 @@ import (

type DeleteObject struct{}

func (controller *DeleteObject) RequiredPermissions(_ *http.Request, repoID, _, path string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.DeleteObjectAction,
Resource: permissions.ObjectArn(repoID, path),
},
func (controller *DeleteObject) RequiredPermissions(_ *http.Request, repoID, _, path string) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.DeleteObjectAction,
Resource: permissions.ObjectArn(repoID, path),
}, nil
}
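Review bot: `RequiredPermissions` is an exported method with no doc comment, and the switch from a `[]permissions.Permission` slice to an `auth.PermissionNode` makes the contract less self-evident than before; a one-liner such as `// RequiredPermissions returns the permission the caller must hold to delete path in repoID.` would help readers who meet the interface here first. The same applies to the identical method in getobject.go, headbucket.go, headobject.go, listbuckets.go, postobject.go and putbucket.go in this commit, each with its own action. The receiver `controller` is unused in all of them and could be dropped from the signature.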

10 changes: 4 additions & 6 deletions pkg/gateway/operations/deleteobjects.go
Expand Up @@ -16,7 +16,7 @@ import (

type DeleteObjects struct{}

func (controller *DeleteObjects) RequiredPermissions(_ *http.Request, _ string) ([]permissions.Permission, error) {
func (controller *DeleteObjects) RequiredPermissions(_ *http.Request, _ string) (auth.PermissionNode, error) {
return nil, nil
}

Expand Down Expand Up @@ -44,11 +44,9 @@ func (controller *DeleteObjects) Handle(w http.ResponseWriter, req *http.Request
// authorize this object deletion
authResp, err := o.Auth.Authorize(req.Context(), &auth.AuthorizationRequest{
Username: o.Principal,
RequiredPermissions: []permissions.Permission{
{
Action: permissions.DeleteObjectAction,
Resource: permissions.ObjectArn(o.Repository.Name, resolvedPath.Path),
},
RequiredPermissions: &auth.OnePermission{
Action: permissions.DeleteObjectAction,
Resource: permissions.ObjectArn(o.Repository.Name, resolvedPath.Path),
},
})
if err != nil || !authResp.Allowed {
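Review bot: `RequiredPermissions` in this file now returns a nil `auth.PermissionNode` (`return nil, nil`), and nothing in the hunk records how the authorizer treats a nil node or why the operation-level check is deliberately absent. The reason is visible in the Handle hunk, where each resolved key is authorized individually, so that should be stated at the return, e.g. `// No operation-level permission: every key in the request is authorized individually in Handle.`. Whether a nil node is actually treated as "no requirement" rather than "deny" cannot be confirmed from this page and is worth checking against the authorizer. Handle's body starts and ends outside the hunk.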
11 changes: 5 additions & 6 deletions pkg/gateway/operations/getobject.go
Expand Up @@ -7,6 +7,7 @@ import (
"net/http"
"time"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/block"
"github.com/treeverse/lakefs/pkg/catalog"
gatewayerrors "github.com/treeverse/lakefs/pkg/gateway/errors"
Expand All @@ -18,12 +19,10 @@ import (

type GetObject struct{}

func (controller *GetObject) RequiredPermissions(_ *http.Request, repoID, _, path string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.ReadObjectAction,
Resource: permissions.ObjectArn(repoID, path),
},
func (controller *GetObject) RequiredPermissions(_ *http.Request, repoID, _, path string) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.ReadObjectAction,
Resource: permissions.ObjectArn(repoID, path),
}, nil
}

11 changes: 5 additions & 6 deletions pkg/gateway/operations/headbucket.go
Expand Up @@ -3,17 +3,16 @@ package operations
import (
"net/http"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/permissions"
)

type HeadBucket struct{}

func (controller *HeadBucket) RequiredPermissions(_ *http.Request, repoID string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.ReadRepositoryAction,
Resource: permissions.RepoArn(repoID),
},
func (controller *HeadBucket) RequiredPermissions(_ *http.Request, repoID string) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.ReadRepositoryAction,
Resource: permissions.RepoArn(repoID),
}, nil
}

11 changes: 5 additions & 6 deletions pkg/gateway/operations/headobject.go
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"net/http"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/catalog"
gatewayerrors "github.com/treeverse/lakefs/pkg/gateway/errors"
"github.com/treeverse/lakefs/pkg/httputil"
Expand All @@ -13,12 +14,10 @@ import (

type HeadObject struct{}

func (controller *HeadObject) RequiredPermissions(_ *http.Request, repoID, _, path string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.ReadObjectAction,
Resource: permissions.ObjectArn(repoID, path),
},
func (controller *HeadObject) RequiredPermissions(_ *http.Request, repoID, _, path string) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.ReadObjectAction,
Resource: permissions.ObjectArn(repoID, path),
}, nil
}

11 changes: 5 additions & 6 deletions pkg/gateway/operations/listbuckets.go
Expand Up @@ -3,6 +3,7 @@ package operations
import (
"net/http"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/permissions"

"github.com/treeverse/lakefs/pkg/gateway/errors"
Expand All @@ -11,12 +12,10 @@ import (

type ListBuckets struct{}

func (controller *ListBuckets) RequiredPermissions(_ *http.Request) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.ListRepositoriesAction,
Resource: "*",
},
func (controller *ListBuckets) RequiredPermissions(_ *http.Request) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.ListRepositoriesAction,
Resource: "*",
}, nil
}

19 changes: 8 additions & 11 deletions pkg/gateway/operations/listobjects.go
Expand Up @@ -6,6 +6,7 @@ import (
"strconv"
"strings"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/catalog"
gatewayerrors "github.com/treeverse/lakefs/pkg/gateway/errors"
"github.com/treeverse/lakefs/pkg/gateway/path"
Expand All @@ -21,26 +22,22 @@ const (

type ListObjects struct{}

func (controller *ListObjects) RequiredPermissions(req *http.Request, repoID string) ([]permissions.Permission, error) {
func (controller *ListObjects) RequiredPermissions(req *http.Request, repoID string) (auth.PermissionNode, error) {
// check if we're listing files in a branch, or listing branches
params := req.URL.Query()
delimiter := params.Get("delimiter")
prefix := params.Get("prefix")
if delimiter == "/" && !strings.Contains(prefix, "/") {
return []permissions.Permission{
{
Action: permissions.ListBranchesAction,
Resource: permissions.RepoArn(repoID),
},
return &auth.OnePermission{
Action: permissions.ListBranchesAction,
Resource: permissions.RepoArn(repoID),
}, nil
}

// otherwise, we're listing objects within a branch
return []permissions.Permission{
{
Action: permissions.ListObjectsAction,
Resource: permissions.RepoArn(repoID),
},
return &auth.OnePermission{
Action: permissions.ListObjectsAction,
Resource: permissions.RepoArn(repoID),
}, nil
}
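Review bot: The two return statements in the new `RequiredPermissions` body build the same `auth.OnePermission` on the same `permissions.RepoArn(repoID)` resource and differ only in the action, so the branch can select the action and construct the node once; that keeps the resource in a single place, which matters for an authorization decision. The behaviour is unchanged, and the existing comments about listing branches versus objects still apply.

```go
// check if we're listing files in a branch, or listing branches
params := req.URL.Query()
action := permissions.ListObjectsAction
if params.Get("delimiter") == "/" && !strings.Contains(params.Get("prefix"), "/") {
	action = permissions.ListBranchesAction
}
// otherwise, we're listing objects within a branch
return &auth.OnePermission{Action: action, Resource: permissions.RepoArn(repoID)}, nil
```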

11 changes: 5 additions & 6 deletions pkg/gateway/operations/postobject.go
Expand Up @@ -11,6 +11,7 @@ import (
"time"

"github.com/google/uuid"
"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/block"
gatewayErrors "github.com/treeverse/lakefs/pkg/gateway/errors"
"github.com/treeverse/lakefs/pkg/gateway/multiparts"
Expand All @@ -29,12 +30,10 @@ const (

type PostObject struct{}

func (controller *PostObject) RequiredPermissions(_ *http.Request, repoID, _, path string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
Action: permissions.WriteObjectAction,
Resource: permissions.ObjectArn(repoID, path),
},
func (controller *PostObject) RequiredPermissions(_ *http.Request, repoID, _, path string) (auth.PermissionNode, error) {
return &auth.OnePermission{
Action: permissions.WriteObjectAction,
Resource: permissions.ObjectArn(repoID, path),
}, nil
}

17 changes: 8 additions & 9 deletions pkg/gateway/operations/putbucket.go
Expand Up @@ -3,6 +3,7 @@ package operations
import (
"net/http"

"github.com/treeverse/lakefs/pkg/auth"
gatewayerrors "github.com/treeverse/lakefs/pkg/gateway/errors"
"github.com/treeverse/lakefs/pkg/permissions"
)
Expand All @@ -12,15 +13,13 @@ import (
// create a new repo), but *does* detect whether the repo already exists.
type PutBucket struct{}

func (controller *PutBucket) RequiredPermissions(_ *http.Request, repoID string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
// Mimic S3, which requires s3:CreateBucket to call
// create-bucket, even if we only want to receive
// 409.
Action: permissions.CreateRepositoryAction,
Resource: permissions.RepoArn(repoID),
},
func (controller *PutBucket) RequiredPermissions(_ *http.Request, repoID string) (auth.PermissionNode, error) {
return &auth.OnePermission{
// Mimic S3, which requires s3:CreateBucket to call
// create-bucket, even if we only want to receive
// 409.
Action: permissions.CreateRepositoryAction,
Resource: permissions.RepoArn(repoID),
}, nil
}

32 changes: 28 additions & 4 deletions pkg/gateway/operations/putobject.go
Expand Up @@ -9,6 +9,7 @@ import (
"strings"
"time"

"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/block"
"github.com/treeverse/lakefs/pkg/catalog"
gatewayErrors "github.com/treeverse/lakefs/pkg/gateway/errors"
Expand All @@ -31,11 +32,34 @@ const (

type PutObject struct{}

func (controller *PutObject) RequiredPermissions(_ *http.Request, repoID, _, path string) ([]permissions.Permission, error) {
return []permissions.Permission{
{
func (controller *PutObject) RequiredPermissions(req *http.Request, repoID, _, destPath string) (auth.PermissionNode, error) {
// TODO(Eden): use the get copy source code and ResolveAbsolutePath function only once (extractEntryFromCopyReq)
copySource := req.Header.Get(CopySourceHeader)
copySourceDecoded, err := url.QueryUnescape(copySource)
if err != nil {
copySourceDecoded = copySource
}

if len(copySourceDecoded) == 0 {
return &auth.OnePermission{
Action: permissions.WriteObjectAction,
Resource: permissions.ObjectArn(repoID, path),
Resource: permissions.ObjectArn(repoID, destPath),
}, nil
}
// check this is a copy operation
p, err := path.ResolveAbsolutePath(copySourceDecoded)
if err != nil {
logging.Default().WithError(err).Error("could not parse copy source path")
return nil, gatewayErrors.ErrInvalidCopySource
}
return &auth.AndPermission{
&auth.OnePermission{
Action: permissions.WriteObjectAction,
Resource: permissions.ObjectArn(repoID, destPath),
},
&auth.OnePermission{
Action: permissions.ReadObjectAction,
Resource: permissions.ObjectArn(p.Repo, p.Path),
},
}, nil
}
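Review bot: The copy-source header is parsed here to decide which source object the caller must be allowed to read, while the TODO on the first line of the new body says Handle parses the same header again; if the two parses ever disagree, the object that was authorized is not the object that is read, so the decoding and `path.ResolveAbsolutePath` call should live in one helper that both paths call, with Handle reusing the resolved `p`. Relatedly, when `url.QueryUnescape` fails the raw header is used unchanged (`copySourceDecoded = copySource`); a header that is not valid percent-encoding is malformed, and rejecting it with `if err != nil { return nil, gatewayErrors.ErrInvalidCopySource }` is safer than guessing, provided Handle is changed to match. It is also worth confirming that `QueryUnescape` rather than `url.PathUnescape` is intended, since the former additionally turns `+` into a space and would alter source keys containing a literal `+`. The cross-repository case is handled correctly: the read permission is checked on `p.Repo`/`p.Path` from the header, not on `repoID`.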