From 474b809b49bb5a6af7f6003a898c6b05e9e452d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20DONNART?= Date: Mon, 26 Jan 2026 09:47:10 +0100 Subject: [PATCH 1/5] Support the new API GetObjectAttributes Issue: ARSN-549 --- lib/policyEvaluator/utils/actionMaps.ts | 2 ++ lib/s3routes/routes/routeGET.ts | 2 ++ tests/unit/s3routes/routeGET.spec.js | 12 ++++++++++++ 3 files changed, 16 insertions(+) diff --git a/lib/policyEvaluator/utils/actionMaps.ts b/lib/policyEvaluator/utils/actionMaps.ts index 8d6b6be5d..6418eccc9 100644 --- a/lib/policyEvaluator/utils/actionMaps.ts +++ b/lib/policyEvaluator/utils/actionMaps.ts @@ -44,6 +44,7 @@ const sharedActionMap = { objectGetLegalHold: 's3:GetObjectLegalHold', objectGetRetention: 's3:GetObjectRetention', objectGetTagging: 's3:GetObjectTagging', + objectGetAttributes: 's3:GetObjectAttributes', objectHead: 's3:GetObject', objectPut: 's3:PutObject', objectPutACL: 's3:PutObjectAcl', @@ -166,6 +167,7 @@ const actionMonitoringMapS3 = { objectGetLegalHold: 'GetObjectLegalHold', objectGetRetention: 'GetObjectRetention', objectGetTagging: 'GetObjectTagging', + objectGetAttributes: 'GetObjectAttributes', objectHead: 'HeadObject', objectPut: 'PutObject', objectPutACL: 'PutObjectAcl', diff --git a/lib/s3routes/routes/routeGET.ts b/lib/s3routes/routes/routeGET.ts index ab70f2aa1..2015923af 100644 --- a/lib/s3routes/routes/routeGET.ts +++ b/lib/s3routes/routes/routeGET.ts @@ -84,6 +84,8 @@ export default function routerGET( call('listParts'); } else if (query.retention !== undefined) { call('objectGetRetention'); + } else if (query.attributes !== undefined) { + call('objectGetAttributes'); } else { // GET object api.callApiMethod('objectGet', request, response, log, diff --git a/tests/unit/s3routes/routeGET.spec.js b/tests/unit/s3routes/routeGET.spec.js index eb106662a..02a22ccf8 100644 --- a/tests/unit/s3routes/routeGET.spec.js +++ b/tests/unit/s3routes/routeGET.spec.js @@ -78,6 +78,18 @@ describe('routerGET', () => { ); }); + it('should call objectGetAttributes when query.attributes is present', () => { + request.bucketName = 'bucketName'; + request.objectKey = 'objectKey'; + request.query = { 'attributes': true }; + + routerGET(request, response, api, log, statsClient, dataRetrievalParams); + + expect(api.callApiMethod).toHaveBeenCalledWith( + 'objectGetAttributes', request, response, log, expect.any(Function), + ); + }); + it('should call objectGetACL when query.acl is present for an object', () => { request.bucketName = 'bucketName'; request.objectKey = 'objectKey'; From ad5c505cde09ff51f3aa2255a8f8c967aa767b89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20DONNART?= Date: Wed, 4 Feb 2026 16:44:58 +0100 Subject: [PATCH 2/5] Add a new permission to retrieve user metadata with getObjectAttributes action Issue: ARSN-549 --- lib/policyEvaluator/utils/actionMaps.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/policyEvaluator/utils/actionMaps.ts b/lib/policyEvaluator/utils/actionMaps.ts index 6418eccc9..7d130c8b1 100644 --- a/lib/policyEvaluator/utils/actionMaps.ts +++ b/lib/policyEvaluator/utils/actionMaps.ts @@ -59,6 +59,10 @@ const actionMapBucketGet = { listObjectsV2OptionalAttributes: 'scality:ListBucketOptionalObjectAttributes', }; +const actionMapObjectGetAttributes = { + objectGetAttributesWithUserMetadata: 'scality:GetObjectAttributes', +}; + const actionMapBucketQuotas = { bucketGetQuota: 'scality:GetBucketQuota', bucketUpdateQuota: 'scality:UpdateBucketQuota', @@ -103,6 +107,7 @@ const actionMapRQ = { ...actionMapBucketQuotas, ...actionMapBucketRateLimit, ...actionMapBucketGet, + ...actionMapObjectGetAttributes, }; // action map used for bucket policies From 41086220981e0d722e54b66f3f5f9e5dfcde8150 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20DONNART?= Date: Wed, 4 Feb 2026 16:45:19 +0100 Subject: [PATCH 3/5] fixup! Support the new API GetObjectAttributes --- lib/policyEvaluator/utils/actionMaps.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/policyEvaluator/utils/actionMaps.ts b/lib/policyEvaluator/utils/actionMaps.ts index 7d130c8b1..dc6fadb5b 100644 --- a/lib/policyEvaluator/utils/actionMaps.ts +++ b/lib/policyEvaluator/utils/actionMaps.ts @@ -45,6 +45,7 @@ const sharedActionMap = { objectGetRetention: 's3:GetObjectRetention', objectGetTagging: 's3:GetObjectTagging', objectGetAttributes: 's3:GetObjectAttributes', + objectGetVersionAttributes: 's3:GetObjectVersionAttributes', objectHead: 's3:GetObject', objectPut: 's3:PutObject', objectPutACL: 's3:PutObjectAcl', From 2f870db1da16af95f247d720d97c2007f64afb91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20DONNART?= Date: Wed, 11 Feb 2026 15:36:44 +0100 Subject: [PATCH 4/5] fixup! Add a new permission to retrieve user metadata with getObjectAttributes action --- lib/policyEvaluator/utils/actionMaps.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/policyEvaluator/utils/actionMaps.ts b/lib/policyEvaluator/utils/actionMaps.ts index dc6fadb5b..891b693bc 100644 --- a/lib/policyEvaluator/utils/actionMaps.ts +++ b/lib/policyEvaluator/utils/actionMaps.ts @@ -61,7 +61,7 @@ const actionMapBucketGet = { }; const actionMapObjectGetAttributes = { - objectGetAttributesWithUserMetadata: 'scality:GetObjectAttributes', + objectGetAttributesCustom: 'scality:GetObjectAttributesCustom', }; const actionMapBucketQuotas = { From f6f41714ec37b792083f8ac2416456102f882ca8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20DONNART?= Date: Thu, 12 Feb 2026 15:53:09 +0100 Subject: [PATCH 5/5] Fix dependencies vulnerabilities Issue: ARSN-549 --- package.json | 2 +- yarn.lock | 65 ++++++++++++++++++++++++++++++---------------------- 2 files changed, 39 insertions(+), 28 deletions(-) diff --git a/package.json b/package.json index 4018c31e6..74adfd849 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "@aws-sdk/credential-providers": "^3.975.0", "@aws-sdk/lib-storage": "^3.975.0", "@azure/identity": "^4.13.0", - "@azure/storage-blob": "^12.28.0", + "@azure/storage-blob": "^12.31.0", "@js-sdsl/ordered-set": "^4.4.2", "@scality/hdclient": "^1.3.1", "@smithy/node-http-handler": "^4.3.0", diff --git a/yarn.lock b/yarn.lock index def9d245b..350634fa8 100644 --- a/yarn.lock +++ b/yarn.lock @@ -908,7 +908,7 @@ "@azure/core-util" "^1.13.0" tslib "^2.6.2" -"@azure/core-client@^1.10.0", "@azure/core-client@^1.9.2", "@azure/core-client@^1.9.3": +"@azure/core-client@^1.9.2", "@azure/core-client@^1.9.3": version "1.10.1" resolved "https://registry.yarnpkg.com/@azure/core-client/-/core-client-1.10.1.tgz#83d78f97d647ab22e6811a7a68bb4223e7a1d019" integrity sha512-Nh5PhEOeY6PrnxNPsEHRr9eimxLwgLlpmguQaHKBinFYA/RU9+kOYVOQqOrTsCL+KSxrLLl1gD8Dk5BFW/7l/w== @@ -922,13 +922,11 @@ tslib "^2.6.2" "@azure/core-http-compat@^2.2.0": - version "2.3.1" - resolved "https://registry.yarnpkg.com/@azure/core-http-compat/-/core-http-compat-2.3.1.tgz#2182e39a31c062800d4e3ad69bcf0109d87713dc" - integrity sha512-az9BkXND3/d5VgdRRQVkiJb2gOmDU8Qcq4GvjtBmDICNiQ9udFmDk4ZpSB5Qq1OmtDJGlQAfBaS4palFsazQ5g== + version "2.3.2" + resolved "https://registry.yarnpkg.com/@azure/core-http-compat/-/core-http-compat-2.3.2.tgz#bb50e23e8f36ec31b582b2d161925c0d29e75b03" + integrity sha512-Tf6ltdKzOJEgxZeWLCjMxrxbodB/ZeCbzzA1A2qHbhzAjzjHoBVSUeSl/baT/oHAxhc4qdqVaDKnc2+iE932gw== dependencies: "@azure/abort-controller" "^2.1.2" - "@azure/core-client" "^1.10.0" - "@azure/core-rest-pipeline" "^1.22.0" "@azure/core-lro@^2.2.0": version "2.7.2" @@ -947,7 +945,7 @@ dependencies: tslib "^2.6.2" -"@azure/core-rest-pipeline@^1.17.0", "@azure/core-rest-pipeline@^1.19.1", "@azure/core-rest-pipeline@^1.22.0": +"@azure/core-rest-pipeline@^1.17.0": version "1.22.1" resolved "https://registry.yarnpkg.com/@azure/core-rest-pipeline/-/core-rest-pipeline-1.22.1.tgz#f47bc02ff9a79f62e6a32aa375420b1b86dcbccd" integrity sha512-UVZlVLfLyz6g3Hy7GNDpooMQonUygH7ghdiSASOOHy97fKj/mPLqgDX7aidOijn+sCMU+WU8NjlPlNTgnvbcGA== @@ -960,6 +958,19 @@ "@typespec/ts-http-runtime" "^0.3.0" tslib "^2.6.2" +"@azure/core-rest-pipeline@^1.19.1", "@azure/core-rest-pipeline@^1.22.0": + version "1.22.2" + resolved "https://registry.yarnpkg.com/@azure/core-rest-pipeline/-/core-rest-pipeline-1.22.2.tgz#7e14f21d25ab627cd07676adb5d9aacd8e2e95cc" + integrity sha512-MzHym+wOi8CLUlKCQu12de0nwcq9k9Kuv43j4Wa++CsCpJwps2eeBQwD2Bu8snkxTtDKDx4GwjuR9E8yC8LNrg== + dependencies: + "@azure/abort-controller" "^2.1.2" + "@azure/core-auth" "^1.10.0" + "@azure/core-tracing" "^1.3.0" + "@azure/core-util" "^1.13.0" + "@azure/logger" "^1.3.0" + "@typespec/ts-http-runtime" "^0.3.0" + tslib "^2.6.2" + "@azure/core-tracing@^1.0.0", "@azure/core-tracing@^1.2.0", "@azure/core-tracing@^1.3.0": version "1.3.1" resolved "https://registry.yarnpkg.com/@azure/core-tracing/-/core-tracing-1.3.1.tgz#e971045c901ea9c110616b0e1db272507781d5f6" @@ -1030,10 +1041,10 @@ jsonwebtoken "^9.0.0" uuid "^8.3.0" -"@azure/storage-blob@^12.28.0": - version "12.28.0" - resolved "https://registry.yarnpkg.com/@azure/storage-blob/-/storage-blob-12.28.0.tgz#a64ce49f0fe9fe08f1f7c1b36164033678d38cf6" - integrity sha512-VhQHITXXO03SURhDiGuHhvc/k/sD2WvJUS7hqhiVNbErVCuQoLtWql7r97fleBlIRKHJaa9R7DpBjfE0pfLYcA== +"@azure/storage-blob@^12.31.0": + version "12.31.0" + resolved "https://registry.yarnpkg.com/@azure/storage-blob/-/storage-blob-12.31.0.tgz#97b09be2bf6ab59739b862edd8124798362ce720" + integrity sha512-DBgNv10aCSxopt92DkTDD0o9xScXeBqPKGmR50FPZQaEcH4JLQ+GEOGEDv19V5BMkB7kxr+m4h6il/cCDPvmHg== dependencies: "@azure/abort-controller" "^2.1.2" "@azure/core-auth" "^1.9.0" @@ -1046,14 +1057,14 @@ "@azure/core-util" "^1.11.0" "@azure/core-xml" "^1.4.5" "@azure/logger" "^1.1.4" - "@azure/storage-common" "^12.0.0-beta.2" + "@azure/storage-common" "^12.3.0" events "^3.0.0" tslib "^2.8.1" -"@azure/storage-common@^12.0.0-beta.2": - version "12.0.0" - resolved "https://registry.yarnpkg.com/@azure/storage-common/-/storage-common-12.0.0.tgz#a652d7daeb252b7827362b4e818f52fee15a1264" - integrity sha512-QyEWXgi4kdRo0wc1rHum9/KnaWZKCdQGZK1BjU4fFL6Jtedp7KLbQihgTTVxldFy1z1ZPtuDPx8mQ5l3huPPbA== +"@azure/storage-common@^12.3.0": + version "12.3.0" + resolved "https://registry.yarnpkg.com/@azure/storage-common/-/storage-common-12.3.0.tgz#5bf257383836e67a426c91d7e9678479afe802a9" + integrity sha512-/OFHhy86aG5Pe8dP5tsp+BuJ25JOAl9yaMU3WZbkeoiFMHFtJ7tu5ili7qEdBXNW9G5lDB19trwyI6V49F/8iQ== dependencies: "@azure/abort-controller" "^2.1.2" "@azure/core-auth" "^1.9.0" @@ -3354,9 +3365,9 @@ eslint-visitor-keys "^4.2.1" "@typespec/ts-http-runtime@^0.3.0": - version "0.3.1" - resolved "https://registry.yarnpkg.com/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.1.tgz#2fa94050f25b4d85d0bc8b9d97874b8d347a9173" - integrity sha512-SnbaqayTVFEA6/tYumdF0UmybY0KHyKwGPBXnyckFlrrKdhWFrL3a2HIPXHjht5ZOElKGcXfD2D63P36btb+ww== + version "0.3.3" + resolved "https://registry.yarnpkg.com/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.3.tgz#62767b88df3ba7fc53bfd66a94c88dfe1dec55bc" + integrity sha512-91fp6CAAJSRtH5ja95T1FHSKa8aPW9/Zw6cta81jlZTUw/+Vq8jM/AfF/14h2b71wwR84JUTW/3Y8QPhDAawFA== dependencies: http-proxy-agent "^7.0.0" https-proxy-agent "^7.0.0" @@ -4796,11 +4807,11 @@ fast-xml-parser@5.2.5: strnum "^2.1.0" fast-xml-parser@^5.0.7: - version "5.3.0" - resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.3.0.tgz#ae388d5a0f6ed31c8ce9e413c1ac89c8e57e7b07" - integrity sha512-gkWGshjYcQCF+6qtlrqBqELqNqnt4CxruY6UVAWWnqb3DQ6qaNFEIKqzYep1XzHLM/QtrHVCxyPOtTk4LTQ7Aw== + version "5.3.5" + resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.3.5.tgz#3e914cb852e636923cb555deaa356f7366e18b49" + integrity sha512-JeaA2Vm9ffQKp9VjvfzObuMCjUYAp5WDYhRYL5LrBPY/jUDlUtOvDfot0vKSkB9tuX885BDHjtw4fZadD95wnA== dependencies: - strnum "^2.1.0" + strnum "^2.1.2" fastq@^1.6.0: version "1.19.1" @@ -7921,10 +7932,10 @@ strip-json-comments@^3.1.1: resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006" integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig== -strnum@^2.1.0: - version "2.1.1" - resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.1.1.tgz#cf2a6e0cf903728b8b2c4b971b7e36b4e82d46ab" - integrity sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw== +strnum@^2.1.0, strnum@^2.1.2: + version "2.1.2" + resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.1.2.tgz#a5e00ba66ab25f9cafa3726b567ce7a49170937a" + integrity sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ== supports-color@^5.5.0: version "5.5.0"