cleanup permission naming

sa7mon · Sep 8, 2024 · 05dbe68 · 05dbe68
1 parent 8752506
commit 05dbe68
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 27 deletions.
diff --git a/bucket/bucket.go b/bucket/bucket.go
@@ -24,18 +24,8 @@ var PermissionAllowed = uint8(1)
 var PermissionDenied = uint8(0)
 var PermissionUnknown = uint8(2)
 
-// var bucketReIP = regexp.MustCompile(`^[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}$`)
 var bucketRe = regexp.MustCompile(`[^.\-a-z0-9]`)
 
-const authUsersGroup = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
-const allUsersGroup = "http://acs.amazonaws.com/groups/global/AllUsers"
-
-// Pattern from https://blogs.easydynamics.com/2016/10/24/aws-s3-bucket-name-validation-regex/
-// Missing:
-// No xn-- prefix
-// No -s3alias suffix
-// https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
-
 type Bucket struct {
 	//gorm.Model
 	ID                uint           `gorm:"primarykey" json:",omitempty"`
@@ -195,11 +185,12 @@ func (bucket *Bucket) ParseAclOutputv2(aclOutput *s3.GetBucketAclOutput) error {
 	if aclOutput.Owner.DisplayName != nil {
 		bucket.OwnerDisplayName = *aclOutput.Owner.DisplayName
 	}
-
+	// Since we can read the permissions, there should be no unknowns. Set all to denied, then read each grant and
+	// set the corresponding permission to allowed.
 	bucket.DenyAll()
 
 	for _, b := range aclOutput.Grants {
-		if b.Grantee != nil && b.Grantee.Type == "Group" && *b.Grantee.URI == allUsersGroup {
+		if b.Grantee != nil && b.Grantee.Type == "Group" && *b.Grantee.URI == groups.AllUsersGroup {
 			switch b.Permission {
 			case types.PermissionRead:
 				bucket.PermAllUsersRead = PermissionAllowed
@@ -215,7 +206,7 @@ func (bucket *Bucket) ParseAclOutputv2(aclOutput *s3.GetBucketAclOutput) error {
 				break
 			}
 		}
-		if b.Grantee != nil && b.Grantee.Type == "Group" && *b.Grantee.URI == authUsersGroup {
+		if b.Grantee != nil && b.Grantee.Type == "Group" && *b.Grantee.URI == groups.AuthUsersGroup {
 			switch b.Permission {
 			case types.PermissionRead:
 				bucket.PermAuthUsersRead = PermissionAllowed

diff --git a/groups/groups.go b/groups/groups.go
@@ -5,13 +5,16 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 )
 
+const AuthUsersGroup = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+const AllUsersGroup = "http://acs.amazonaws.com/groups/global/AllUsers"
+
 var AllUsersv2 = &types.Grantee{
 	Type: types.TypeGroup,
-	URI:  aws.String("http://acs.amazonaws.com/groups/global/AllUsers")}
+	URI:  aws.String(AllUsersGroup)}
 
 var AuthenticatedUsersv2 = &types.Grantee{
 	Type: types.TypeGroup,
-	URI:  aws.String("http://acs.amazonaws.com/groups/global/AuthenticatedUsers")}
+	URI:  aws.String(AuthUsersGroup)}
 
-const ALL_USERS_URI = "uri=http://acs.amazonaws.com/groups/global/AllUsers"
-const AUTH_USERS_URI = "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+const AllUsersUri = "uri=" + AllUsersGroup
+const AuthUsersUri = "uri=" + AuthUsersGroup
diff --git a/permission/permission.go b/permission/permission.go
@@ -46,35 +46,35 @@ func CheckPermWriteAcl(svc *s3.Client, b *Bucket) (bool, error) {
 
 	grants := map[string][]string{}
 	if b.PermAuthUsersFullControl == PermissionAllowed {
-		grants["FULL_CONTROL"] = append(grants["FULL_CONTROL"], AUTH_USERS_URI)
+		grants["FULL_CONTROL"] = append(grants["FULL_CONTROL"], AuthUsersUri)
 	}
 	if b.PermAuthUsersWriteACL == PermissionAllowed {
-		grants["WRITE_ACP"] = append(grants["WRITE_ACP"], AUTH_USERS_URI)
+		grants["WRITE_ACP"] = append(grants["WRITE_ACP"], AuthUsersUri)
 	}
 	if b.PermAuthUsersWrite == PermissionAllowed {
-		grants["WRITE"] = append(grants["WRITE"], AUTH_USERS_URI)
+		grants["WRITE"] = append(grants["WRITE"], AuthUsersUri)
 	}
 	if b.PermAuthUsersReadACL == PermissionAllowed {
-		grants["READ_ACP"] = append(grants["READ_ACP"], AUTH_USERS_URI)
+		grants["READ_ACP"] = append(grants["READ_ACP"], AuthUsersUri)
 	}
 	if b.PermAuthUsersRead == PermissionAllowed {
-		grants["READ"] = append(grants["READ"], AUTH_USERS_URI)
+		grants["READ"] = append(grants["READ"], AuthUsersUri)
 	}
 
 	if b.PermAllUsersFullControl == PermissionAllowed {
-		grants["FULL_CONTROL"] = append(grants["FULL_CONTROL"], ALL_USERS_URI)
+		grants["FULL_CONTROL"] = append(grants["FULL_CONTROL"], AllUsersUri)
 	}
 	if b.PermAllUsersWriteACL == PermissionAllowed {
-		grants["WRITE_ACP"] = append(grants["WRITE_ACP"], ALL_USERS_URI)
+		grants["WRITE_ACP"] = append(grants["WRITE_ACP"], AllUsersUri)
 	}
 	if b.PermAllUsersWrite == PermissionAllowed {
-		grants["WRITE"] = append(grants["WRITE"], ALL_USERS_URI)
+		grants["WRITE"] = append(grants["WRITE"], AllUsersUri)
 	}
 	if b.PermAllUsersReadACL == PermissionAllowed {
-		grants["READ_ACP"] = append(grants["READ_ACP"], ALL_USERS_URI)
+		grants["READ_ACP"] = append(grants["READ_ACP"], AllUsersUri)
 	}
 	if b.PermAllUsersRead == PermissionAllowed {
-		grants["READ"] = append(grants["READ"], ALL_USERS_URI)
+		grants["READ"] = append(grants["READ"], AllUsersUri)
 	}
 
 	_, err := svc.PutBucketAcl(context.TODO(), &s3.PutBucketAclInput{