Access Denied error when putting a file to a bucket with the same name

[trociny]

If a file name and name of the bucket where it is going to be put are the same, the operation fails with the error "Access Denied".

Example:

PUT http://test.s3.amazonaws.com/test HTTP/1.1
Host: test.s3.amazonaws.com
...
HTTP/1.1 403 Forbidden
connection: keep-alive
date: Tue, 12 Aug 2014 19:50:50 GMT
content-length: 163
server: LeoFS

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>test/test</Resource><RequestId></RequestId></Error>

This is because in leo_gateway_s3_api:auth(), when preparing SignParams, uri obtained from cowboy_req:path(Req) (RawUri) is used (i.e. /test for the example above), but in leo_s3_auth module this uri is processed by remove_dup_bucket to remove /${Bucket}/ pattern. As a result uri becomes just / and the request fails.

Below is my approach to solve this problem: use Path instead of RawUri, which comes from gen_key()->leo_http:key(), i.e. always contains bucket name (test/test for the case above):

diff --git a/src/leo_gateway_s3_api.erl b/src/leo_gateway_s3_api.erl
index fbb1160..0573037 100644
--- a/src/leo_gateway_s3_api.erl
+++ b/src/leo_gateway_s3_api.erl
@@ -770,7 +770,7 @@ auth(Req, HTTPMethod, Path, TokenLen, Bucket, ACLs, ReqParams) when TokenLen > 1
             auth(next, Req, HTTPMethod, Path, TokenLen, Bucket, ACLs, ReqParams)
     end.

-auth(next, Req, HTTPMethod, _Path, TokenLen, Bucket, _ACLs, #req_params{is_acl = IsACL}) ->
+auth(next, Req, HTTPMethod, Path, TokenLen, Bucket, _ACLs, #req_params{is_acl = IsACL}) ->
     %% bucket operations must be needed to auth
     %% AND alter object operations as well
     case cowboy_req:header(?HTTP_HEAD_AUTHORIZATION, Req) of
@@ -778,7 +778,6 @@ auth(next, Req, HTTPMethod, _Path, TokenLen, Bucket, _ACLs, #req_params{is_acl =
             {error, undefined};
         {AuthorizationBin, _} ->
             IsCreateBucketOp = (TokenLen == 1 andalso HTTPMethod == ?HTTP_PUT andalso not IsACL),
-            {RawUri,  _} = cowboy_req:path(Req),
             {QStr1,   _} = cowboy_req:qs(Req),
             {Headers, _} = cowboy_req:headers(Req),

@@ -806,7 +805,7 @@ auth(next, Req, HTTPMethod, _Path, TokenLen, Bucket, _ACLs, #req_params{is_acl =
                                       content_type = ?http_header(Req, ?HTTP_HEAD_CONTENT_TYPE),
                                       date         = ?http_header(Req, ?HTTP_HEAD_DATE),
                                       bucket       = Bucket,
-                                      uri          = RawUri,
+                                      uri          = <<"/", Path/binary>>,
                                       query_str    = QStr3,
                                       amz_headers  = leo_http:get_amz_headers4cow(Headers)},
             leo_s3_auth:authenticate(AuthorizationBin, SignParams, IsCreateBucketOp)

[osier]

Nice，I encounted the same problem. It should report "bucket exists" error instead of "access denied".

[trociny]

Osier, why "bucket exists" error when putting a file to a bucket with the same name? The operation should succeed.

[osier]

Oh, I misunderstood you, I meant I got same error message when creating a bucket which is already existing.

[yosukehara]

Thank you for your report. I'll check this issue.

[yosukehara]

@trociny Thank you for your contribution. I've checked and fixed this issue, which will be included in LeoFS v1.1.1.