Implement per-user bucket isolation

Buckets are now transparently namespaced by user ID, allowing multiple users to create buckets with the same name without conflicts. All bucket and object operations in the CLI, core, and API handlers are updated to enforce user-scoped access, creation, deletion, and listing. Documentation and tests are updated to reflect and verify multi-tenant isolation, ensuring users cannot access or see other users' buckets or objects.

Author: ehsan6sha

Cargo.lock

@@ -44,6 +44,8 @@ base64 = { workspace = true }
 md-5 = { workspace = true }
 blake3 = { workspace = true }
 hex = { workspace = true }
+jsonwebtoken = { workspace = true }
+serde = { workspace = true }
 
 [[example]]
 name = "basic_usage"

Cargo.toml

@@ -325,6 +325,7 @@ assert_eq!(shared_secret, recovered);
 - **Storage nodes are untrusted**: All sensitive data is encrypted client-side
 - **Gateway is trusted for routing**: But never sees encryption keys
 - **Keys never leave the client**: HPKE ensures end-to-end encryption
+- **Per-user bucket isolation**: Each user's buckets are automatically namespaced - multiple users can have buckets with the same name without conflicts
 
 ### Key Management
 

README.md

@@ -22,7 +22,8 @@ pub async fn delete_objects(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    let mut bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
+    // User-scoped bucket access
+    let mut bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
 
     // Parse the delete request XML
     let body_str = String::from_utf8_lossy(&body);

crates/fula-cli/src/handlers/batch.rs

@@ -26,7 +26,12 @@ pub async fn create_bucket(
     let owner = Owner::new(&session.hashed_user_id)
         .with_display_name(session.display_name.clone().unwrap_or_default());
 
-    state.bucket_manager.create_bucket(bucket.clone(), owner).await?;
+    // User-scoped bucket creation (each user has isolated namespace)
+    state.bucket_manager.create_bucket_for_user(
+        &session.hashed_user_id,
+        bucket.clone(),
+        owner,
+    ).await?;
 
     Ok((
         StatusCode::OK,
@@ -45,26 +50,20 @@ pub async fn delete_bucket(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    // Check ownership (Security audit fix A3: compare hashed IDs)
-    let metadata = state.bucket_manager.get_bucket_metadata(&bucket)
-        .ok_or_else(|| ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"))?;
-    
-    if !session.can_access_bucket(&metadata.owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Not bucket owner"));
-    }
-
-    state.bucket_manager.delete_bucket(&bucket).await?;
+    // User-scoped bucket deletion (user can only delete their own buckets)
+    state.bucket_manager.delete_bucket_for_user(&session.hashed_user_id, &bucket).await?;
 
     Ok(StatusCode::NO_CONTENT.into_response())
 }
 
 /// HEAD /{bucket} - Check if bucket exists
 pub async fn head_bucket(
     State(state): State<Arc<AppState>>,
-    Extension(_session): Extension<UserSession>,
+    Extension(session): Extension<UserSession>,
     Path(bucket): Path<String>,
 ) -> Result<Response, ApiError> {
-    if !state.bucket_manager.bucket_exists(&bucket) {
+    // User-scoped bucket check (user can only see their own buckets)
+    if !state.bucket_manager.bucket_exists_for_user(&session.hashed_user_id, &bucket) {
         return Err(ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"));
     }
 
@@ -99,13 +98,9 @@ pub async fn list_objects(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Read access required"));
     }
 
-    let bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
-    
-    // Verify bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&bucket.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to this bucket"));
-    }
-    
+    // User-scoped bucket access (user can only access their own buckets)
+    let bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
+
     let result = bucket.list_objects(
         params.prefix.as_deref(),
         params.delimiter.as_deref(),
@@ -140,9 +135,11 @@ pub async fn list_objects(
 /// GET /{bucket}?location - Get bucket location
 pub async fn get_bucket_location(
     State(state): State<Arc<AppState>>,
+    Extension(session): Extension<UserSession>,
     Path(bucket): Path<String>,
 ) -> Result<Response, ApiError> {
-    if !state.bucket_manager.bucket_exists(&bucket) {
+    // User-scoped bucket check
+    if !state.bucket_manager.bucket_exists_for_user(&session.hashed_user_id, &bucket) {
         return Err(ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"));
     }
 

crates/fula-cli/src/handlers/bucket.rs

@@ -37,8 +37,8 @@ pub async fn create_multipart_upload(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    // Verify bucket exists
-    if !state.bucket_manager.bucket_exists(&bucket) {
+    // Verify bucket exists for this user
+    if !state.bucket_manager.bucket_exists_for_user(&session.hashed_user_id, &bucket) {
         return Err(ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"));
     }
 
@@ -196,8 +196,8 @@ pub async fn complete_multipart_upload(
         metadata = metadata.with_user_metadata(k, v);
     }
 
-    // Store in bucket
-    let mut bucket_handle = state.bucket_manager.open_bucket(&bucket).await?;
+    // Store in bucket (user-scoped)
+    let mut bucket_handle = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket).await?;
     bucket_handle.put_object(key.clone(), metadata).await?;
     let bucket_root_cid = bucket_handle.flush().await?;
 

crates/fula-cli/src/handlers/multipart.rs

@@ -72,19 +72,14 @@ pub async fn put_object(
         }
     }
 
-    // Store in bucket
-    tracing::debug!(bucket = %bucket_name, "Opening bucket");
-    let mut bucket = state.bucket_manager.open_bucket(&bucket_name).await
+    // Store in bucket (user-scoped)
+    tracing::debug!(bucket = %bucket_name, "Opening user-scoped bucket");
+    let mut bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await
         .map_err(|e| {
             tracing::error!(error = %e, bucket = %bucket_name, "Failed to open bucket");
             e
         })?;
-    
-    // Verify bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&bucket.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to this bucket"));
-    }
-    
+
     tracing::debug!(key = %key, "Storing object metadata");
     bucket.put_object(key.clone(), metadata).await
         .map_err(|e| {
@@ -142,13 +137,9 @@ pub async fn get_object(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Read access required"));
     }
 
-    let bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
-    
-    // Verify bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&bucket.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to this bucket"));
-    }
-    
+    // User-scoped bucket access
+    let bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
+
     let metadata = bucket.get_object(&key).await?
         .ok_or_else(|| ApiError::s3_with_resource(
             S3ErrorCode::NoSuchKey,
@@ -301,13 +292,9 @@ pub async fn head_object(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Read access required"));
     }
 
-    let bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
-    
-    // Verify bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&bucket.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to this bucket"));
-    }
-    
+    // User-scoped bucket access
+    let bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
+
     let metadata = bucket.get_object(&key).await?
         .ok_or_else(|| ApiError::s3_with_resource(
             S3ErrorCode::NoSuchKey,
@@ -343,13 +330,9 @@ pub async fn delete_object(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    let mut bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
-    
-    // Verify bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&bucket.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to this bucket"));
-    }
-    
+    // User-scoped bucket access
+    let mut bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
+
     bucket.delete_object(&key).await?;
     bucket.flush().await?;
 
@@ -390,33 +373,23 @@ pub async fn copy_object(
         .split_once('/')
         .ok_or_else(|| ApiError::s3(S3ErrorCode::InvalidArgument, "Invalid copy source format"))?;
 
-    // Get source object
-    let source_bucket_handle = state.bucket_manager.open_bucket(source_bucket).await?;
-    
-    // Verify source bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&source_bucket_handle.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to the source bucket"));
-    }
-    
+    // Get source object (user-scoped)
+    let source_bucket_handle = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, source_bucket).await?;
+
     let source_metadata = source_bucket_handle.get_object(source_key).await?
         .ok_or_else(|| ApiError::s3_with_resource(
             S3ErrorCode::NoSuchKey,
             "Source object not found",
             copy_source,
         ))?;
 
-    // Copy to destination
-    // Security audit fix A3: Use hashed user ID
+    // Copy to destination (user-scoped)
     let mut dest_metadata = source_metadata.clone();
     dest_metadata.last_modified = chrono::Utc::now();
     dest_metadata.owner_id = Some(session.hashed_user_id.clone());
 
-    let mut dest_bucket_handle = state.bucket_manager.open_bucket(&dest_bucket).await?;
-    
-    // Verify destination bucket ownership (security audit fix #1)
-    if !session.can_access_bucket(&dest_bucket_handle.metadata().owner_id) {
-        return Err(ApiError::s3(S3ErrorCode::AccessDenied, "You do not have access to the destination bucket"));
-    }
+    let mut dest_bucket_handle = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &dest_bucket).await?;
+
     dest_bucket_handle.put_object(dest_key, dest_metadata.clone()).await?;
     dest_bucket_handle.flush().await?;
 

crates/fula-cli/src/handlers/object.rs

@@ -15,17 +15,15 @@ pub async fn list_buckets(
     State(state): State<Arc<AppState>>,
     Extension(session): Extension<UserSession>,
 ) -> Result<Response, ApiError> {
-    let buckets = state.bucket_manager.list_buckets();
-    
-    // Filter to buckets owned by this user (or show all for admin)
-    // Security audit fix A3: Compare using hashed user IDs
+    // User-scoped bucket listing (returns only this user's buckets)
+    let buckets = state.bucket_manager.list_buckets_for_user(&session.hashed_user_id);
+
     let user_buckets: Vec<_> = buckets
         .into_iter()
-        .filter(|b| session.can_access_bucket(&b.owner_id))
         .map(|b| (b.name, b.created_at))
         .collect();
 
-    // Return hashed user ID in XML for privacy (Security audit fix A3)
+    // Return hashed user ID in XML for privacy
     let xml_response = xml::list_all_my_buckets_result(
         &session.hashed_user_id,
         session.display_name.as_deref().unwrap_or("User"),

crates/fula-cli/src/handlers/service.rs

@@ -20,7 +20,8 @@ pub async fn get_object_tagging(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Read access required"));
     }
 
-    let bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
+    // User-scoped bucket access
+    let bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
 
     let metadata = bucket.get_object(&key).await?
         .ok_or_else(|| ApiError::s3_with_resource(
@@ -68,7 +69,8 @@ pub async fn put_object_tagging(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    let mut bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
+    // User-scoped bucket access
+    let mut bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
 
     let mut metadata = bucket.get_object(&key).await?
         .ok_or_else(|| ApiError::s3_with_resource(
@@ -100,7 +102,8 @@ pub async fn delete_object_tagging(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    let mut bucket = state.bucket_manager.open_bucket(&bucket_name).await?;
+    // User-scoped bucket access
+    let mut bucket = state.bucket_manager.open_bucket_for_user(&session.hashed_user_id, &bucket_name).await?;
 
     let mut metadata = bucket.get_object(&key).await?
         .ok_or_else(|| ApiError::s3_with_resource(

crates/fula-cli/src/handlers/tagging.rs

@@ -82,7 +82,7 @@ async fn bucket_or_list_handler(
     if query.uploads.is_some() {
         handlers::list_multipart_uploads(state, session, path).await
     } else if query.location.is_some() {
-        handlers::get_bucket_location(state, path).await
+        handlers::get_bucket_location(state, session, path).await
     } else {
         let list_params = handlers::ListObjectsParams {
             list_type: query.list_type,