Added support for iam user in list_buckets() for containerized

[aayushchouhan09]

Describe the Problem

IAM user not able to list buckets of their owner even with the IAM policy applied.

Explain the Changes

1. Added support for iam user to list buckets of their owner when correct iam policy applied to it.

Issues: Fixed #xxx / Gap #xxx

1. Issue: https://issues.redhat.com/browse/DFBUGS-4449
2. Related PR: Fix - list_buckets allowing unauthorized bucket access #9272

Testing Instructions:

1. Create new account
2. Create new bucket using the aws credentials of that account
3. Create new user and its access key
4. Try listing the buckets (with user credentials)--> should list the owner bucket we created in above step

• Doc added/updated
• Tests added

Summary by CodeRabbit

• Refactor
  • Consolidated duplicate owner/identity verification into a single helper to centralize IAM vs. root-owner checks.
  • Updated permission checks to use the new helper when bucket policy is absent.
  • Minor comment/context updates.
  • No external behavior changes; improves maintainability and consistency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Extracted a new helper is_iam_and_same_root_account_owner(account, bucket) into auth_server.js and replaced inline IAM-vs-root-owner comparisons with calls to that helper from has_bucket_ownership_permission() and has_bucket_action_permission().

Changes

Cohort / File(s)	Change Summary
IAM ownership verification refactor src/server/common_services/auth_server.js	Added is_iam_and_same_root_account_owner(account, bucket) with null checks; updated has_bucket_ownership_permission() to call the helper; updated has_bucket_action_permission() to use the helper when bucket policy is absent; minor comment/context adjustments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Inspect the new helper for correct null-checks and owner-ARN/account comparisons.
• Verify both call sites pass the correct arguments and that logic parity is preserved when bucket policy exists.
• Check unit tests (if any) or add tests covering IAM account vs bucket root owner cases.

Possibly related PRs

• IAM | Principal validation and S3 permission updated with ID #9309 — touches the same auth_server permission checks and IAM vs bucket-owner handling.
• Fix - list_buckets allowing unauthorized bucket access #9272 — centralizes IAM/root-owner checks in auth_server.js with similar helper usage.
• IAM | put_bucket_policy Principal validation updated with ARN #9277 — updates bucket authorization logic in the same auth_server.js functions.

Suggested reviewers

• liranmauda
• naveenpaul1
• shirady

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title refers to a real aspect of the change (IAM user support in list_buckets), but is overly broad and somewhat incomplete. The actual changes are refactoring helper functions for IAM account owner comparison, not directly about list_buckets() functionality itself.	Consider a more specific title that accurately reflects the core changes, such as: 'Extract IAM owner comparison into helper function for reuse' or clarify the direct connection to list_buckets() implementation changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85c41c8 and 5bd94e1.

📒 Files selected for processing (1)

• src/server/common_services/auth_server.js (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/server/common_services/auth_server.js

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-jest-unit-tests
• GitHub Check: run-package-lock-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/server/common_services/auth_server.js (1)

560-569: Helper logic looks correct; consider making it slightly more defensive and consistent with other helpers

The implementation correctly captures “IAM user whose root owner matches the bucket owner” and aligns with how account.owner and bucket.owner_account are shaped in this module (both coming from system_store with an ._id field). Based on learnings, this should be safe here.

Two minor nits you may want to address:

• All other is_*_owner helpers are (bucket, account), while this one is (account, bucket). The current call sites are correct, but aligning the parameter order could avoid future confusion.
• If there’s any chance this helper gets reused from endpoint code paths where account.owner is already a string (e.g., req.object_sdk.requesting_account in s3_rest.js), making it tolerant of both shapes would harden it, e.g.:

-function is_iam_and_same_root_account_owner(account, bucket) {
-    if (!account?.owner || !bucket?.owner_account) return false;
-    return account.owner._id.toString() === bucket.owner_account._id.toString();
-}
+function is_iam_and_same_root_account_owner(account, bucket) {
+    if (!account || !bucket?.owner_account) return false;
+    const account_owner_id =
+        typeof account.owner === 'string'
+            ? account.owner
+            : account.owner?._id?.toString();
+    const bucket_owner_id = bucket.owner_account?._id?.toString();
+    if (!account_owner_id || !bucket_owner_id) return false;
+    return account_owner_id === bucket_owner_id;
+}

Not strictly required for this PR but would make the helper safer if reused.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 33924d7 and 85c41c8.

📒 Files selected for processing (1)

• src/server/common_services/auth_server.js (3 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

📚 Learning: 2025-11-12T04:55:42.193Z

Learnt from: naveenpaul1
Repo: noobaa/noobaa-core PR: 9277
File: src/endpoint/s3/s3_rest.js:258-261
Timestamp: 2025-11-12T04:55:42.193Z
Learning: In the context of S3 REST requests (src/endpoint/s3/s3_rest.js), the account.owner field from req.object_sdk.requesting_account is already a string (account ID) because it comes from RPC serialization where owner._id.toString() is applied in account_server.js. No additional .toString() or ._id extraction is needed when passing account.owner to IAM utility functions.

Applied to files:

• src/server/common_services/auth_server.js

📚 Learning: 2025-11-19T15:03:42.260Z

Learnt from: shirady
Repo: noobaa/noobaa-core PR: 9291
File: src/server/common_services/auth_server.js:548-554
Timestamp: 2025-11-19T15:03:42.260Z
Learning: In src/server/common_services/auth_server.js, account objects are loaded directly from system_store (e.g., system_store.data.get_by_id()), so account.owner is an object ID reference with an ._id property, not a string. This differs from s3_rest.js where account.owner is a string due to RPC serialization.

Applied to files:

• src/server/common_services/auth_server.js

🧬 Code graph analysis (1)

src/server/common_services/auth_server.js (2)

src/endpoint/s3/s3_rest.js (4)

• account (252-252)
• account (355-355)
• bucket (431-431)
• bucket (453-453)

src/endpoint/s3/s3_bucket_policy_utils.js (1)

• account (293-293)

🔇 Additional comments (2)

src/server/common_services/auth_server.js (2)

586-603: Ownership check extension for IAM users in ListBuckets looks good

Adding the IAM/root-owner check into has_bucket_ownership_permission aligns with the documented behavior (“IAM users can list their owner buckets”) and reuses the centralized helper. The ordering of checks still prioritizes system owner, operator, direct bucket owner, and OBC owner, so existing semantics remain intact while covering the missing IAM case.

---

621-636: Refactoring IAM/root-owner logic into the helper maintains behavior when no bucket policy

In the !bucket_policy branch, replacing the inline IAM/root-owner computation with is_iam_and_same_root_account_owner(account, bucket) keeps the previous behavior while removing duplication with has_bucket_ownership_permission. Combined with has_owner_access, this correctly allows:

• direct bucket or OBC owners, and
• IAM users whose root account owns the bucket.

No additional edge cases are introduced by this change.