Apply code review suggestion

Author: jatindersingh93

app/src/docs/v1.api-spec.yaml

@@ -1818,7 +1818,7 @@ components:
               example: ac246e31-c807-496c-bc93-cd8bc2f1b2b4
     Query-BucketName:
       in: query
-      name: name
+      name: displayName
       description: A display name given to the bucket on creation
       schema:
         type: string
@@ -2735,7 +2735,7 @@ components:
             status:
               example: 403
             detail:
-              example: The provided S3 credentials do not authorize this operation
+              example: User lacks permission to complete this action
     Response-Gone:
       title: Response Gone
       type: object

app/src/middleware/authentication.js

@@ -58,30 +58,40 @@ const currentUser = async (req, res, next) => {
     // Basic Authorization
     if (authorization.toLowerCase().startsWith('basic ')) {
       currentUser.authType = AuthType.BASIC;
-      if (getConfigBoolean('basicAuth.s3AccessMode') && req.get('x-amz-endpoint') && req.get('x-amz-bucket')) {
-        try {
-          // This will validate with s3 bucket end point
-          const base64Credentials = authorization.split(' ')[1];
-          const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');
-          const [accessKeyId, secretAccessKey] = credentials.split(':');
-
-          const bucketSettings = {
-            accessKeyId: accessKeyId,
-            bucket: req.get('x-amz-bucket'),
-            endpoint: req.get('x-amz-endpoint'),
-            key: req.get('x-amz-key') ? req.get('x-amz-key') : '/',
-            region: credentials.region || DEFAULTREGION,
-            secretAccessKey: secretAccessKey,
-          };
-          const bucketHeader = await storageService.headBucket(bucketSettings);
-
-          if (bucketHeader?.$metadata?.httpStatusCode === 200) {
-            currentUser.authType = AuthType.BASIC;
-            delete bucketSettings.secretAccessKey;
-            currentUser.bucketSettings = bucketSettings;
+      if (getConfigBoolean('basicAuth.s3AccessMode')) {
+        const amzEndpoint = req.get('x-amz-endpoint');
+        const amzBucket = req.get('x-amz-bucket');
+
+        // Ensure both 'x-amz-endpoint' and 'x-amz-bucket' are either both provided or both missing
+        if ((amzEndpoint && !amzBucket) || (!amzEndpoint && amzBucket)) {
+          return next(new Problem(400,
+            { detail: 'Both x-amz-endpoint and x-amz-bucket must be provided together', instance: req.originalUrl }));
+        }
+
+        if (amzEndpoint && amzBucket) {
+          try {
+            // This will validate with s3 bucket endpoint
+            const base64Credentials = authorization.split(' ')[1];
+            const credentials = Buffer.from(base64Credentials, 'base64').toString('utf-8');
+            const [accessKeyId, secretAccessKey] = credentials.split(':');
+
+            const bucketSettings = {
+              accessKeyId: accessKeyId,
+              bucket: amzBucket,
+              endpoint: amzEndpoint,
+              region: credentials.region || DEFAULTREGION,
+              secretAccessKey: secretAccessKey,
+            };
+            const bucketHeader = await storageService.headBucket(bucketSettings);
+
+            if (bucketHeader?.$metadata?.httpStatusCode === 200) {
+              await storageService.headBucket(bucketSettings);
+              delete bucketSettings.secretAccessKey;
+              currentUser.bucketSettings = bucketSettings;
+            }
+          } catch (err) {
+            return next(new Problem(403, { detail: 'Invalid authorization credentials', instance: req.originalUrl }));
           }
-        } catch (err) {
-          return next(new Problem(403, { detail: 'Invalid authorization credentials', instance: req.originalUrl }));
         }
       }
     }

app/src/middleware/authorization.js

@@ -6,7 +6,7 @@ const {
   getAppAuthMode,
   getCurrentIdentity,
   getConfigBoolean,
-  mixedQueryToArray } = require('../components/utils');
+  mixedQueryToArray, stripDelimit } = require('../components/utils');
 const { NIL: SYSTEM_USER } = require('uuid');
 const {
   bucketPermissionService,
@@ -68,7 +68,8 @@ const checkS3BasicAccess = async (req, _res, next) => {
 
   if (getConfigBoolean('basicAuth.s3AccessMode') && authType === AuthType.BASIC && bucketSettings) {
     // determine which buckets relate to the request
-    let bucketIds = mixedQueryToArray(req.query.bucketId) || mixedQueryToArray(req.params.bucketId) || req.body.bucketId;
+    let bucketIds = mixedQueryToArray(req.query.bucketId)
+      || mixedQueryToArray(req.params.bucketId) || req.body.bucketId;
     const objIds = mixedQueryToArray(req.query.objectId) || mixedQueryToArray(req.params.objectId) || req.body.objectId;
     const versionIds = mixedQueryToArray(req.query.versionId);
     const s3VersionIds = mixedQueryToArray(req.query.s3VersionId);
@@ -87,14 +88,16 @@ const checkS3BasicAccess = async (req, _res, next) => {
       const bucketData = {
         bucketId: bucketIds,
         bucket: bucketSettings.bucket,
-        endpoint: bucketSettings.endpoint,
+        endpoint: stripDelimit(bucketSettings.endpoint),
         accessKeyId: bucketSettings.accessKeyId,
       };
       const buckets = await bucketService.checkBucketBasicAccess(bucketData);
 
       if (buckets.length != 0) {
         //bucketId params will be overwritten with passed or valid access bucketId.
         req.query.bucketId = buckets.length > 1 ? buckets : buckets[0];
+      } else {
+        return next(new Problem(403, { detail: 'Invalid authorization credentials', instance: req.originalUrl }));
       }
     } catch (err) {
       return next(new Problem(403, { detail: err.message, instance: req.originalUrl }));

app/src/routes/v1/user.js

@@ -2,14 +2,14 @@ const router = require('express').Router();
 
 const { userValidator } = require('../../validators');
 const { userController } = require('../../controllers');
-const { checkAppMode } = require('../../middleware/authorization');
+const { checkAppMode, checkS3BasicAccess } = require('../../middleware/authorization');
 const { requireSomeAuth } = require('../../middleware/featureToggle');
 
 router.use(checkAppMode);
 router.use(requireSomeAuth);
 
 /** Search for users */
-router.get('/', userValidator.searchUsers, (req, res, next) => {
+router.get('/', checkS3BasicAccess, userValidator.searchUsers, (req, res, next) => {
   userController.searchUsers(req, res, next);
 });
 

app/tests/unit/middleware/authentication.spec.js

@@ -139,7 +139,7 @@ describe('currentUser', () => {
 
       expect(req.currentUser).toBeTruthy();
       expect(req.currentUser).toHaveProperty('authType', AuthType.BASIC);
-      expect(req.get).toHaveBeenCalledTimes(2);
+      expect(req.get).toHaveBeenCalledTimes(3);
       expect(req.get).toHaveBeenCalledWith('Authorization');
       expect(checkBasicAuthSpy).toHaveBeenCalledTimes(1);
     });

app/tests/unit/services/object.spec.js

@@ -122,7 +122,7 @@ describe('searchObjects', () => {
       objectPermission: [{
         permCode: 'READ',
         userId: 'ae8a58f6-62bc-4dd1-acef-79f123609d48'
-      },{
+      }, {
         permCode: 'UPDATE',
         userId: 'afcbad71-d2d5-4551-bd8b-18634fd8370e'
       }], ...params
@@ -150,9 +150,8 @@ describe('searchObjects', () => {
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(4, 'filterPath', params.path);
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(5, 'filterPublic', params.public);
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(6, 'filterActive', params.active);
-    expect(ObjectModel.modify).toHaveBeenNthCalledWith(
-      7, 'filterVersionAttributes', params.mimeType, params.deleteMarker, params.latest
-    );
+    expect(ObjectModel.modify).toHaveBeenNthCalledWith(7, 'filterVersionAttributes',
+      params.mimeType, params.deleteMarker, params.latest, params.versionId, params.s3VersionId);
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(8, 'filterMetadataTag', {
       metadata: params.metadata,
       tag: params.tag
@@ -197,8 +196,8 @@ describe('searchObjects', () => {
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(4, 'filterPath', params.path);
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(5, 'filterPublic', params.public);
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(6, 'filterActive', params.active);
-    expect(ObjectModel.modify).toHaveBeenNthCalledWith(
-      7, 'filterVersionAttributes', params.mimeType, params.deleteMarker, params.latest
+    expect(ObjectModel.modify).toHaveBeenNthCalledWith(7, 'filterVersionAttributes',
+      params.mimeType, params.deleteMarker, params.latest, params.versionId, params.s3VersionId
     );
     expect(ObjectModel.modify).toHaveBeenNthCalledWith(8, 'filterMetadataTag', {
       metadata: params.metadata,