From 51d06a18f5ec510282b1a15764109d7116df68e5 Mon Sep 17 00:00:00 2001
From: EC2 Default User <ec2-user@EC2AMAZ-Ll40tS.contoso.com>
Date: Tue, 9 Apr 2024 22:56:08 +0000
Subject: [PATCH] fix: check bucket owner permission

---
 api/src/gmsa_service.cpp  | 12 ++++++++++++
 auth/kerberos/src/krb.cpp | 22 ++++++++++++++++++++++
 common/daemon.h           |  2 ++
 3 files changed, 36 insertions(+)

diff --git a/api/src/gmsa_service.cpp b/api/src/gmsa_service.cpp
index 5cb2ee6d..33d0c0b3 100644
--- a/api/src/gmsa_service.cpp
+++ b/api/src/gmsa_service.cpp
@@ -2582,9 +2582,20 @@ std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aw
                 return dummy_credspec;
             }
 
+            // regex for callerId
+            std::regex callerIdRegex("^\\d{12}$");
+            std::string callerId = GetCallerIdentity();
+            if(callerId.empty() &&  !std::regex_match( callerId, callerIdRegex))
+            {
+                std::cout << getCurrentTime() << '\t' << "ERROR: Unable to get caller information"
+                          << std::endl;
+                return std::string("");
+            }
+
             Aws::S3::S3Client s3Client (credentials,Aws::MakeShared<Aws::S3::S3EndpointProvider>
                 (Aws::S3::S3Client::ALLOCATION_TAG), clientConfig);
             Aws::S3::Model::GetObjectRequest request;
+            request.SetExpectedBucketOwner(callerId);
             request.SetBucket(s3Bucket);
             request.SetKey(objectName);
             Aws::S3::Model::GetObjectOutcome outcome =
@@ -2667,4 +2678,5 @@ std::tuple<std::string, std::string,
     }
     return {"","",""};
 }
+
 #endif
diff --git a/auth/kerberos/src/krb.cpp b/auth/kerberos/src/krb.cpp
index 944343c1..657d68c9 100644
--- a/auth/kerberos/src/krb.cpp
+++ b/auth/kerberos/src/krb.cpp
@@ -1228,4 +1228,26 @@ void clearString(std::string& str) {
     }
     // Clear the string content
     str.clear();
+}
+
+
+// get caller identity - accountId
+std::string GetCallerIdentity()
+{
+    std::string command =
+        install_path_for_aws_cli + " sts get-caller-identity --query Account";
+    // /usr/bin/aws aws sts get-caller-identity --query Account
+    std::pair<int, std::string> result = exec_shell_cmd( command );
+
+    std::string callerId = result.second;
+    ltrim( callerId );
+    rtrim( callerId );
+
+    // remove quotes if they are present
+    if ( callerId.front() == '"' ) {
+        callerId.erase( 0, 1 ); // erase the first character
+        callerId.erase( callerId.size() - 1 ); // erase the last character
+    }
+
+    return callerId;
 }
\ No newline at end of file
diff --git a/common/daemon.h b/common/daemon.h
index 4de02d16..940b8fb8 100644
--- a/common/daemon.h
+++ b/common/daemon.h
@@ -223,6 +223,8 @@ std::string generate_lease_id();
 
 void clearString(std::string& str);
 
+std::string GetCallerIdentity();
+
 #if AMAZON_LINUX_DISTRO
 std::string retrieve_credspec_from_s3(std::string s3_arn, std::string region, Aws::Auth::AWSCredentials credentials,  bool test);
 bool check_file_size_s3(std::string s3_arn, std::string region,