fix: check bucket owner permission

aws · Apr 9, 2024 · 51d06a1 · 51d06a1
1 parent 5580dd1
commit 51d06a1
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/api/src/gmsa_service.cpp b/api/src/gmsa_service.cpp
@@ -2582,9 +2582,20 @@ std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aw
                 return dummy_credspec;
             }
 
+            // regex for callerId
+            std::regex callerIdRegex("^\\d{12}$");
+            std::string callerId = GetCallerIdentity();
+            if(callerId.empty() &&  !std::regex_match( callerId, callerIdRegex))
+            {
+                std::cout << getCurrentTime() << '\t' << "ERROR: Unable to get caller information"
+                          << std::endl;
+                return std::string("");
+            }
+
             Aws::S3::S3Client s3Client (credentials,Aws::MakeShared<Aws::S3::S3EndpointProvider>
                 (Aws::S3::S3Client::ALLOCATION_TAG), clientConfig);
             Aws::S3::Model::GetObjectRequest request;
+            request.SetExpectedBucketOwner(callerId);
             request.SetBucket(s3Bucket);
             request.SetKey(objectName);
             Aws::S3::Model::GetObjectOutcome outcome =
@@ -2667,4 +2678,5 @@ std::tuple<std::string, std::string,
     }
     return {"","",""};
 }
+
 #endif
diff --git a/auth/kerberos/src/krb.cpp b/auth/kerberos/src/krb.cpp
@@ -1228,4 +1228,26 @@ void clearString(std::string& str) {
     }
     // Clear the string content
     str.clear();
+}
+
+
+// get caller identity - accountId
+std::string GetCallerIdentity()
+{
+    std::string command =
+        install_path_for_aws_cli + " sts get-caller-identity --query Account";
+    // /usr/bin/aws aws sts get-caller-identity --query Account
+    std::pair<int, std::string> result = exec_shell_cmd( command );
+
+    std::string callerId = result.second;
+    ltrim( callerId );
+    rtrim( callerId );
+
+    // remove quotes if they are present
+    if ( callerId.front() == '"' ) {
+        callerId.erase( 0, 1 ); // erase the first character
+        callerId.erase( callerId.size() - 1 ); // erase the last character
+    }
+
+    return callerId;
 }
diff --git a/common/daemon.h b/common/daemon.h
@@ -223,6 +223,8 @@ std::string generate_lease_id();
 
 void clearString(std::string& str);
 
+std::string GetCallerIdentity();
+
 #if AMAZON_LINUX_DISTRO
 std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aws::Auth::AWSCredentials credentials,  bool test);
 bool check_file_size_s3(std::string s3_arn, std::string region,