enforce s3 acls

2017-09-16 06:08:27 -07:00 · 2017-09-16 06:08:27 -07:00 · 2055bb62f5
commit 2055bb62f5
parent 35feb9feb7
3 changed files with 72 additions and 3 deletions
--- a/moto/s3/responses.py
+++ b/moto/s3/responses.py
@ -373,9 +373,8 @@ class ResponseObject(_TemplateEnvironmentMixin):
            self.backend.set_bucket_policy(bucket_name, body)
            return 'True'
        elif 'acl' in querystring:
-            acl = self._acl_from_headers(request.headers)
            # TODO: Support the XML-based ACL format
-            self.backend.set_bucket_acl(bucket_name, acl)
+            self.backend.set_bucket_acl(bucket_name, self._acl_from_headers(request.headers))
            return ""
        elif "tagging" in querystring:
            tagging = self._bucket_tagging_from_xml(body)
@ -407,6 +406,11 @@ class ResponseObject(_TemplateEnvironmentMixin):
                    new_bucket = self.backend.get_bucket(bucket_name)
                else:
                    raise
+
+            if 'x-amz-acl' in request.headers:
+                # TODO: Support the XML-based ACL format
+                self.backend.set_bucket_acl(bucket_name, self._acl_from_headers(request.headers))
+
            template = self.response_template(S3_BUCKET_CREATE_RESPONSE)
            return 200, {}, template.render(bucket=new_bucket)

@ -536,6 +540,17 @@ class ResponseObject(_TemplateEnvironmentMixin):
        key_name = self.parse_key_name(request, parsed_url.path)
        bucket_name = self.parse_bucket_name_from_url(request, full_url)

+        # Because we patch the requests library the boto/boto3 API
+        # requests go through this method but so do
+        # `requests.get("https://bucket-name.s3.amazonaws.com/file-name")`
+        # Here we deny public access to private files by checking the
+        # ACL and checking for the mere presence of an Authorization
+        # header.
+        if 'Authorization' not in request.headers:
+            key = self.backend.get_key(bucket_name, key_name)
+            if key and not key.acl.public_read:
+                return 403, {}, ""
+
        if hasattr(request, 'body'):
            # Boto
            body = request.body
@ -725,7 +740,7 @@ class ResponseObject(_TemplateEnvironmentMixin):
        if grants:
            return FakeAcl(grants)
        else:
-            return None
+            return get_canned_acl('private')

    def _tagging_from_headers(self, headers):
        if headers.get('x-amz-tagging'):