fix: check PutObjectTagging/LegalHold/Retention permissions on PutObject and CreateMultipartUpload

auth/access-control.go

@@ -61,7 +61,7 @@ func VerifyObjectCopyAccess(ctx context.Context, be backend.Backend, copySource
 		Acc:           opts.Acc,
 		Bucket:        srcBucket,
 		Object:        srcObject,
-		Action:        GetObjectAction,
+		Actions:       []Action{GetObjectAction},
 	}); err != nil {
 		return err
 	}
@@ -76,7 +76,7 @@ type AccessOptions struct {
 	Acc             Account
 	Bucket          string
 	Object          string
-	Action          Action
+	Actions         []Action
 	Readonly        bool
 	IsPublicRequest bool
 	DisableACL      bool
@@ -105,7 +105,7 @@ func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) e
 			return policyErr
 		}
 	} else {
-		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action)
+		return VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Actions...)
 	}
 
 	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission, opts.DisableACL); err != nil {

auth/bucket_policy.go

@@ -234,7 +234,7 @@ func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) err
 	return nil
 }
 
-func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error {
+func VerifyBucketPolicy(policy []byte, access, bucket, object string, actions ...Action) error {
 	var bucketPolicy BucketPolicy
 	if err := json.Unmarshal(policy, &bucketPolicy); err != nil {
 		return fmt.Errorf("failed to parse the bucket policy: %w", err)
@@ -245,8 +245,10 @@ func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Act
 		resource += "/" + object
 	}
 
-	if !bucketPolicy.isAllowed(access, action, resource) {
-		return s3err.GetAPIError(s3err.ErrAccessDenied)
+	for _, action := range actions {
+		if !bucketPolicy.isAllowed(access, action, resource) {
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
 	}
 
 	return nil

s3api/controllers/bucket-delete.go

@@ -37,7 +37,7 @@ func (c S3ApiController) DeleteBucketTagging(ctx *fiber.Ctx) (*Response, error)
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.PutBucketTaggingAction,
+			Actions:         []auth.Action{auth.PutBucketTaggingAction},
 			IsPublicRequest: IsBucketPublic,
 			DisableACL:      c.disableACL,
 		})
@@ -72,7 +72,7 @@ func (c S3ApiController) DeleteBucketOwnershipControls(ctx *fiber.Ctx) (*Respons
 			IsRoot:        isRoot,
 			Acc:           acct,
 			Bucket:        bucket,
-			Action:        auth.PutBucketOwnershipControlsAction,
+			Actions:       []auth.Action{auth.PutBucketOwnershipControlsAction},
 			DisableACL:    c.disableACL,
 		})
 	if err != nil {
@@ -106,7 +106,7 @@ func (c S3ApiController) DeleteBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:        isRoot,
 			Acc:           acct,
 			Bucket:        bucket,
-			Action:        auth.DeleteBucketPolicyAction,
+			Actions:       []auth.Action{auth.DeleteBucketPolicyAction},
 			DisableACL:    c.disableACL,
 		})
 	if err != nil {
@@ -141,7 +141,7 @@ func (c S3ApiController) DeleteBucketCors(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.PutBucketCorsAction,
+			Actions:         []auth.Action{auth.PutBucketCorsAction},
 			IsPublicRequest: IsBucketPublic,
 			DisableACL:      c.disableACL,
 		})
@@ -177,7 +177,7 @@ func (c S3ApiController) DeleteBucket(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.DeleteBucketAction,
+			Actions:         []auth.Action{auth.DeleteBucketAction},
 			IsPublicRequest: IsBucketPublic,
 			DisableACL:      c.disableACL,
 		})

s3api/controllers/bucket-get.go

@@ -39,7 +39,7 @@ func (c S3ApiController) GetBucketTagging(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketTaggingAction,
+		Actions:         []auth.Action{auth.GetBucketTaggingAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -92,7 +92,7 @@ func (c S3ApiController) GetBucketOwnershipControls(ctx *fiber.Ctx) (*Response,
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketOwnershipControlsAction,
+		Actions:         []auth.Action{auth.GetBucketOwnershipControlsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -133,7 +133,7 @@ func (c S3ApiController) GetBucketVersioning(ctx *fiber.Ctx) (*Response, error)
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketVersioningAction,
+		Actions:         []auth.Action{auth.GetBucketVersioningAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -176,7 +176,7 @@ func (c S3ApiController) GetBucketCors(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketCorsAction,
+		Actions:         []auth.Action{auth.GetBucketCorsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -220,7 +220,7 @@ func (c S3ApiController) GetBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketPolicyAction,
+		Actions:         []auth.Action{auth.GetBucketPolicyAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -255,7 +255,7 @@ func (c S3ApiController) GetBucketPolicyStatus(ctx *fiber.Ctx) (*Response, error
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketPolicyStatusAction,
+		Actions:         []auth.Action{auth.GetBucketPolicyStatusAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -317,7 +317,7 @@ func (c S3ApiController) ListObjectVersions(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.ListBucketVersionsAction,
+		Actions:         []auth.Action{auth.ListBucketVersionsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -371,7 +371,7 @@ func (c S3ApiController) GetObjectLockConfiguration(ctx *fiber.Ctx) (*Response,
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketObjectLockConfigurationAction,
+		Actions:         []auth.Action{auth.GetBucketObjectLockConfigurationAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -417,7 +417,7 @@ func (c S3ApiController) GetBucketAcl(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketAclAction,
+		Actions:         []auth.Action{auth.GetBucketAclAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -469,7 +469,7 @@ func (c S3ApiController) ListMultipartUploads(ctx *fiber.Ctx) (*Response, error)
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.ListBucketMultipartUploadsAction,
+		Actions:         []auth.Action{auth.ListBucketMultipartUploadsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -531,7 +531,7 @@ func (c S3ApiController) ListObjectsV2(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.ListBucketAction,
+		Actions:         []auth.Action{auth.ListBucketAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -604,7 +604,7 @@ func (c S3ApiController) ListObjects(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.ListBucketAction,
+		Actions:         []auth.Action{auth.ListBucketAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -667,7 +667,7 @@ func (c S3ApiController) GetBucketLocation(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.GetBucketLocationAction,
+		Actions:         []auth.Action{auth.GetBucketLocationAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})

s3api/controllers/bucket-head.go

@@ -40,7 +40,7 @@ func (c S3ApiController) HeadBucket(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.ListBucketAction,
+			Actions:         []auth.Action{auth.ListBucketAction},
 			IsPublicRequest: isPublicBucket,
 			DisableACL:      c.disableACL,
 		})

s3api/controllers/bucket-post.go

@@ -48,7 +48,7 @@ func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.DeleteObjectAction,
+			Actions:         []auth.Action{auth.DeleteObjectAction},
 			IsPublicRequest: IsBucketPublic,
 			DisableACL:      c.disableACL,
 		})
@@ -130,7 +130,7 @@ func (c S3ApiController) POSTObject(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:          isRoot,
 			Acc:             acct,
 			Bucket:          bucket,
-			Action:          auth.PutObjectAction,
+			Actions:         []auth.Action{auth.PutObjectAction},
 			IsPublicRequest: IsBucketPublic,
 			DisableACL:      c.disableACL,
 		})

s3api/controllers/bucket-put.go

@@ -45,7 +45,7 @@ func (c S3ApiController) PutBucketTagging(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.PutBucketTaggingAction,
+		Actions:         []auth.Action{auth.PutBucketTaggingAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -88,7 +88,7 @@ func (c S3ApiController) PutBucketOwnershipControls(ctx *fiber.Ctx) (*Response,
 		IsRoot:        isRoot,
 		Acc:           acct,
 		Bucket:        bucket,
-		Action:        auth.PutBucketOwnershipControlsAction,
+		Actions:       []auth.Action{auth.PutBucketOwnershipControlsAction},
 		DisableACL:    c.disableACL,
 	}); err != nil {
 		return &Response{
@@ -143,7 +143,7 @@ func (c S3ApiController) PutBucketVersioning(ctx *fiber.Ctx) (*Response, error)
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.PutBucketVersioningAction,
+		Actions:         []auth.Action{auth.PutBucketVersioningAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -198,7 +198,7 @@ func (c S3ApiController) PutObjectLockConfiguration(ctx *fiber.Ctx) (*Response,
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.PutBucketObjectLockConfigurationAction,
+		Actions:         []auth.Action{auth.PutBucketObjectLockConfigurationAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	}); err != nil {
@@ -240,7 +240,7 @@ func (c S3ApiController) PutBucketCors(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:          isRoot,
 		Acc:             acct,
 		Bucket:          bucket,
-		Action:          auth.PutBucketCorsAction,
+		Actions:         []auth.Action{auth.PutBucketCorsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -296,7 +296,7 @@ func (c S3ApiController) PutBucketPolicy(ctx *fiber.Ctx) (*Response, error) {
 		IsRoot:        isRoot,
 		Acc:           acct,
 		Bucket:        bucket,
-		Action:        auth.PutBucketPolicyAction,
+		Actions:       []auth.Action{auth.PutBucketPolicyAction},
 		DisableACL:    c.disableACL,
 	})
 	if err != nil {
@@ -349,7 +349,7 @@ func (c S3ApiController) PutBucketAcl(ctx *fiber.Ctx) (*Response, error) {
 			IsRoot:        isRoot,
 			Acc:           acct,
 			Bucket:        bucket,
-			Action:        auth.PutBucketAclAction,
+			Actions:       []auth.Action{auth.PutBucketAclAction},
 			DisableACL:    c.disableACL,
 		})
 	if err != nil {

s3api/controllers/object-delete.go

@@ -50,7 +50,7 @@ func (c S3ApiController) DeleteObjectTagging(ctx *fiber.Ctx) (*Response, error)
 			Acc:             acct,
 			Bucket:          bucket,
 			Object:          key,
-			Action:          action,
+			Actions:         []auth.Action{action},
 			IsPublicRequest: isBucketPublic,
 			DisableACL:      c.disableACL,
 		})
@@ -103,7 +103,7 @@ func (c S3ApiController) AbortMultipartUpload(ctx *fiber.Ctx) (*Response, error)
 			Acc:             acct,
 			Bucket:          bucket,
 			Object:          key,
-			Action:          auth.AbortMultipartUploadAction,
+			Actions:         []auth.Action{auth.AbortMultipartUploadAction},
 			IsPublicRequest: isBucketPublic,
 			DisableACL:      c.disableACL,
 		})
@@ -158,7 +158,7 @@ func (c S3ApiController) DeleteObject(ctx *fiber.Ctx) (*Response, error) {
 			Acc:             acct,
 			Bucket:          bucket,
 			Object:          key,
-			Action:          action,
+			Actions:         []auth.Action{action},
 			IsPublicRequest: isBucketPublic,
 			DisableACL:      c.disableACL,
 		})

s3api/controllers/object-get.go

@@ -53,7 +53,7 @@ func (c S3ApiController) GetObjectTagging(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          action,
+		Actions:         []auth.Action{action},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -120,7 +120,7 @@ func (c S3ApiController) GetObjectRetention(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          auth.GetObjectRetentionAction,
+		Actions:         []auth.Action{auth.GetObjectRetentionAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -177,7 +177,7 @@ func (c S3ApiController) GetObjectLegalHold(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          auth.GetObjectLegalHoldAction,
+		Actions:         []auth.Action{auth.GetObjectLegalHoldAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -224,7 +224,7 @@ func (c S3ApiController) GetObjectAcl(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          auth.GetObjectAclAction,
+		Actions:         []auth.Action{auth.GetObjectAclAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -267,7 +267,7 @@ func (c S3ApiController) ListParts(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          auth.ListMultipartUploadPartsAction,
+		Actions:         []auth.Action{auth.ListMultipartUploadPartsAction},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -339,7 +339,7 @@ func (c S3ApiController) GetObjectAttributes(ctx *fiber.Ctx) (*Response, error)
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          action,
+		Actions:         []auth.Action{action},
 		IsPublicRequest: isPublicBucket,
 		DisableACL:      c.disableACL,
 	})
@@ -473,7 +473,7 @@ func (c S3ApiController) GetObject(ctx *fiber.Ctx) (*Response, error) {
 		Acc:             acct,
 		Bucket:          bucket,
 		Object:          key,
-		Action:          action,
+		Actions:         []auth.Action{action},
 		IsPublicRequest: isPublicBucketRequest,
 		DisableACL:      c.disableACL,
 	})

s3api/controllers/object-head.go

@@ -84,7 +84,7 @@ func (c S3ApiController) HeadObject(ctx *fiber.Ctx) (*Response, error) {
 			Acc:             acct,
 			Bucket:          bucket,
 			Object:          key,
-			Action:          action,
+			Actions:         []auth.Action{action},
 			IsPublicRequest: isPublicBucket,
 			DisableACL:      c.disableACL,
 		})