fix: evaluate BypassGov policy action in deletion correctly (#16635)

vadmeste · web-flow · commit a7188bc9d0f0 · 2023-02-17T07:53:34.000+05:30
diff --git a/cmd/bucket-object-lock.go b/cmd/bucket-object-lock.go
@@ -156,11 +156,8 @@ func enforceRetentionBypassForDelete(ctx context.Context, r *http.Request, bucke
 				return ErrNone
 			}
 			// https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-retention-modes
-			// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention
-			// or s3:GetBucketObjectLockConfiguration permissions, the operation will succeed.
-			govBypassPerms1 := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName)
-			govBypassPerms2 := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucket, object.ObjectName)
-			if govBypassPerms1 != ErrNone && govBypassPerms2 != ErrNone {
+			// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention, the operation will succeed.
+			if checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName) != ErrNone {
 				return ErrAccessDenied
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -156,11 +156,8 @@ func enforceRetentionBypassForDelete(ctx context.Context, r *http.Request, bucke`
`156`	`156`	`return ErrNone`
`157`	`157`	`}`
`158`	`158`	`// https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-retention-modes`
`159`		`- // If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention`
`160`		`- // or s3:GetBucketObjectLockConfiguration permissions, the operation will succeed.`
`161`		`- govBypassPerms1 := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName)`
`162`		`- govBypassPerms2 := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucket, object.ObjectName)`
`163`		`- if govBypassPerms1 != ErrNone && govBypassPerms2 != ErrNone {`
	`159`	`+ // If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention, the operation will succeed.`
	`160`	`+ if checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName) != ErrNone {`
`164`	`161`	`return ErrAccessDenied`
`165`	`162`	`}`
`166`	`163`	`}`