Merge pull request from GHSA-28q9-9c3g-v3f9

* S3 gateway delete-objects should block unauthorized access

* Test delete objects without credentials should fail

* Add missing func

Author: nopcoder

esti/delete_objects_test.go

@@ -1,12 +1,16 @@
 package esti
 
 import (
+	"net/http"
 	"strconv"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/treeverse/lakefs/pkg/api"
+	"github.com/treeverse/lakefs/pkg/testutil"
 )
 
 func TestDeleteObjects(t *testing.T) {
@@ -50,3 +54,53 @@ func TestDeleteObjects(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Len(t, listOut.Contents, 0)
 }
+
+func TestDeleteObjects_Viewer(t *testing.T) {
+	ctx, _, repo := setupTest(t)
+	defer tearDownTest(repo)
+
+	// setup data
+	const filename = "delete-me"
+	_, _ = uploadFileRandomData(ctx, t, repo, mainBranch, filename, false)
+
+	// setup user with only view rights - create user, add to group, generate credentials
+	uid := "del-viewer"
+	resCreateUser, err := client.CreateUserWithResponse(ctx, api.CreateUserJSONRequestBody{
+		Id: uid,
+	})
+	require.NoError(t, err, "Admin failed while creating user")
+	require.Equal(t, http.StatusCreated, resCreateUser.StatusCode(), "Admin unexpectedly failed to create user")
+
+	resAssociateUser, err := client.AddGroupMembershipWithResponse(ctx, "Viewers", "del-viewer")
+	require.NoError(t, err, "Failed to add user to Viewers group")
+	require.Equal(t, http.StatusCreated, resAssociateUser.StatusCode(), "AddGroupMembershipWithResponse unexpectedly status code")
+
+	resCreateCreds, err := client.CreateCredentialsWithResponse(ctx, "del-viewer")
+	require.NoError(t, err, "Failed to create credentials")
+	require.Equal(t, http.StatusCreated, resCreateCreds.StatusCode(), "CreateCredentials unexpectedly status code")
+
+	// client with viewer user credentials
+	creds := resCreateCreds.JSON201
+	svcViewer := testutil.SetupTestS3Client(creds.AccessKeyId, creds.SecretAccessKey)
+
+	// delete objects using viewer
+	deleteOut, err := svcViewer.DeleteObjects(&s3.DeleteObjectsInput{
+		Bucket: aws.String(repo),
+		Delete: &s3.Delete{
+			Objects: []*s3.ObjectIdentifier{{Key: api.StringPtr(mainBranch + "/" + filename)}},
+		},
+	})
+	// make sure we got an error we fail to delete the file
+	assert.NoError(t, err)
+	assert.Len(t, deleteOut.Errors, 1, "error we fail to delete")
+	assert.Len(t, deleteOut.Deleted, 0, "no file should be deleted")
+
+	// verify that viewer can't delete the file
+	listOut, err := svc.ListObjects(&s3.ListObjectsInput{
+		Bucket: aws.String(repo),
+		Prefix: aws.String(mainBranch + "/"),
+	})
+	assert.NoError(t, err)
+	assert.Len(t, listOut.Contents, 1, "list should find 'delete-me' file")
+	assert.Equal(t, aws.StringValue(listOut.Contents[0].Key), mainBranch+"/"+filename)
+}

pkg/testutil/setup.go

@@ -104,6 +104,13 @@ func SetupTestingEnv(params *SetupTestingEnvParams) (logging.Logger, api.ClientW
 		logger.WithError(err).Fatal("could not initialize API client with security provider")
 	}
 
+	key := viper.GetString("access_key_id")
+	secret := viper.GetString("secret_access_key")
+	svc := SetupTestS3Client(key, secret)
+	return logger, client, svc
+}
+
+func SetupTestS3Client(key, secret string) *s3.S3 {
 	s3Endpoint := viper.GetString("s3_endpoint")
 	awsSession := session.Must(session.NewSession())
 	svc := s3.New(awsSession,
@@ -114,11 +121,10 @@ func SetupTestingEnv(params *SetupTestingEnvParams) (logging.Logger, api.ClientW
 			WithCredentials(credentials.NewCredentials(
 				&credentials.StaticProvider{
 					Value: credentials.Value{
-						AccessKeyID:     viper.GetString("access_key_id"),
-						SecretAccessKey: viper.GetString("secret_access_key"),
+						AccessKeyID:     key,
+						SecretAccessKey: secret,
 					}})))
-
-	return logger, client, svc
+	return svc
 }
 
 // ParseEndpointURL parses the given endpoint string