in case of IAM policy not matching throw detailed error

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>

Author: shirady

src/endpoint/iam/iam_utils.js

@@ -66,6 +66,32 @@ function get_iam_username(requested_account_name) {
     return requested_account_name.split(iam_constants.IAM_SPLIT_CHARACTERS)[0];
 }
 
+/**
+ * _create_detailed_message_for_access_in_s3 returns a detailed message with details needed for user who
+ * tried to perform S3 operation
+ *  - resource_arn is only relevant for operations related to a bucket
+ * @param {object} requesting_account
+ * @param {string|string[]} method
+ * @param {string} resource_arn
+ */
+function _create_detailed_message_for_access_in_s3(requesting_account, method, resource_arn) {
+    const arn_for_requesting_account = create_arn_for_user(requesting_account.owner,
+        get_iam_username(requesting_account.name.unwrap()), requesting_account.iam_path);
+    const full_action_name = Array.isArray(method) && method.length > 1 ? method[1] : method; // special case for get_object_attributes
+
+    const message_start = `User: ${arn_for_requesting_account} is not authorized to perform: ${full_action_name} `;
+    const message_resource = `on resource: ${resource_arn} `;
+    const message_end = `because no identity-based policy allows the ${full_action_name} action`;
+
+    let message_with_details;
+    if (full_action_name === 's3:ListAllMyBuckets') {
+        message_with_details = message_start + message_end;
+    } else {
+        message_with_details = message_start + message_resource + message_end;
+    }
+    return message_with_details;
+}
+
 /**
  * parse_max_items converts the input to the needed type
  * assuming that we've got only sting type
@@ -837,4 +863,5 @@ exports.parse_tag_keys_from_request_body = parse_tag_keys_from_request_body;
 exports.validate_tag_user_params = validate_tag_user_params;
 exports.validate_untag_user_params = validate_untag_user_params;
 exports.validate_list_user_tags_params = validate_list_user_tags_params;
+exports._create_detailed_message_for_access_in_s3 = _create_detailed_message_for_access_in_s3;
 

src/endpoint/s3/s3_rest.js

@@ -14,6 +14,7 @@ const http_utils = require('../../util/http_utils');
 const signature_utils = require('../../util/signature_utils');
 const config = require('../../../config');
 const s3_utils = require('./s3_utils');
+const { _create_detailed_message_for_access_in_s3 } = require('../iam/iam_utils'); // authorize_request for IAM policy
 
 const S3_MAX_BODY_LEN = 4 * 1024 * 1024;
 
@@ -330,7 +331,7 @@ async function authorize_request_policy(req) {
     throw new S3Error(S3Error.AccessDenied);
 }
 
-// TODO - move the function and throw message error with details
+// TODO - move the function
 async function authorize_request_iam_policy(req) {
     const auth_token = req.object_sdk.get_auth_token();
     const is_anonymous = !(auth_token && auth_token.access_key);
@@ -340,11 +341,12 @@ async function authorize_request_iam_policy(req) {
     const is_iam_user = account.owner !== undefined;
     if (!is_iam_user) return; // IAM policy is only on IAM users (account root user is authorized here)
 
-    const resource_arn = _get_arn_from_req_path(req);
+    const resource_arn = _get_arn_from_req_path(req) || '*'; // special case for list all buckets in an account
     const method = _get_method_from_req(req);
     const iam_policies = account.iam_user_policies || [];
     if (iam_policies.length === 0 && req.object_sdk.nsfs_config_root) return; // We do not have IAM policies in NC yet
 
+    const requesting_account = req.object_sdk.requesting_account;
     // parallel policy check
     const promises = [];
     for (const iam_policy of iam_policies) {
@@ -358,14 +360,20 @@ async function authorize_request_iam_policy(req) {
     const permission_result = await Promise.all(promises);
     let has_allow_permission = false;
     for (const permission of permission_result) {
-        if (permission === "DENY") throw new S3Error(S3Error.AccessDenied);
+        if (permission === "DENY") _throw_iam_access_denied_error_for_s3_operation(requesting_account, method, resource_arn);
         if (permission === "ALLOW") {
             has_allow_permission = true;
         }
     }
     if (has_allow_permission) return;
     dbg.log1('authorize_request_iam_policy: user have inline policies but none of them matched the method');
-    throw new S3Error(S3Error.AccessDenied);
+    _throw_iam_access_denied_error_for_s3_operation(requesting_account, method, resource_arn);
+}
+
+function _throw_iam_access_denied_error_for_s3_operation(requesting_account, method, resource_arn) {
+    const message_with_details = _create_detailed_message_for_access_in_s3(requesting_account, method, resource_arn);
+    const { code, http_code } = S3Error.AccessDenied;
+    throw new S3Error({ code, message: message_with_details, http_code});
 }
 
 async function authorize_anonymous_access(s3_policy, method, arn_path, req, public_access_block) {
@@ -398,6 +406,7 @@ function _get_method_from_req(req) {
 }
 
 function _get_arn_from_req_path(req) {
+    if (!req.params.bucket) return;
     const bucket = req.params.bucket;
     const key = req.params.key;
     let arn_path = `arn:aws:s3:::${bucket}`;