fix: consistent RLS access for S3 access token

supabase · Apr 16, 2024 · d519404 · d519404
1 parent 1d45ba0
commit d519404
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 16 deletions.
diff --git a/src/storage/object.ts b/src/storage/object.ts
@@ -361,7 +361,7 @@ export class ObjectStorage {
     await this.db.testPermission((db) => {
       return Promise.all([
         db.findObject(this.bucketId, sourceObjectName, 'id'),
-        db.updateObject(this.bucketId, sourceObjectName, {
+        db.createObject({
           name: destinationObjectName,
           version: newVersion,
           bucket_id: destinationBucket,

diff --git a/src/storage/protocols/s3/s3-handler.ts b/src/storage/protocols/s3/s3-handler.ts
@@ -629,7 +629,7 @@ export class S3ProtocolHandler {
         }
       )
 
-      await this.storage.db.insertUploadPart({
+      await this.storage.db.asSuperUser().insertUploadPart({
         upload_id: UploadId,
         version: multipart.version,
         part_number: PartNumber || 0,
@@ -715,7 +715,25 @@ export class S3ProtocolHandler {
       throw ERRORS.InvalidUploadId()
     }
 
-    const multipart = await this.storage.db.findMultipartUpload(UploadId, 'id,version')
+    if (!Bucket) {
+      throw ERRORS.MissingParameter('Bucket')
+    }
+
+    if (!Key) {
+      throw ERRORS.MissingParameter('Key')
+    }
+
+    const multipart = await this.storage.db
+      .asSuperUser()
+      .findMultipartUpload(UploadId, 'id,version')
+
+    const uploader = new Uploader(this.storage.backend, this.storage.db)
+    await uploader.canUpload({
+      bucketId: Bucket,
+      objectName: Key,
+      owner: this.owner,
+      isUpsert: true,
+    })
 
     await this.storage.backend.abortMultipartUpload(
       storageS3Bucket,
@@ -989,7 +1007,7 @@ export class S3ProtocolHandler {
 
     const maxParts = Math.min(command.MaxParts || 1000, 1000)
 
-    let result = await this.storage.db.asSuperUser().listParts(command.UploadId, {
+    let result = await this.storage.db.listParts(command.UploadId, {
       afterPart: command.PartNumberMarker,
       maxParts: maxParts + 1,
     })
@@ -1103,8 +1121,8 @@ export class S3ProtocolHandler {
     const uploader = new Uploader(this.storage.backend, this.storage.db)
 
     await uploader.canUpload({
-      bucketId: Bucket as string,
-      objectName: Key as string,
+      bucketId: Bucket,
+      objectName: Key,
       owner: this.owner,
       isUpsert: true,
     })
@@ -1133,7 +1151,7 @@ export class S3ProtocolHandler {
       rangeBytes
     )
 
-    await this.storage.db.insertUploadPart({
+    await this.storage.db.asSuperUser().insertUploadPart({
       upload_id: UploadId,
       version: multipart.version,
       part_number: PartNumber,

diff --git a/src/test/rls_tests.yaml b/src/test/rls_tests.yaml
@@ -398,7 +398,7 @@ tests:
   - description: 'Will only able to move objects when authenticated'
     policies:
       - read_only_all_objects
-      - update_only_all_objects
+      - insert_only_all_objects
     asserts:
       - operation: bucket.get
         status: 400
@@ -408,9 +408,12 @@ tests:
         status: 400
         error: 'new row violates row-level security policy'
 
-      - operation: upload
+      - operation: bucket.delete
         status: 400
-        error: 'new row violates row-level security policy'
+        error: 'Bucket not found'
+
+      - operation: upload
+        status: 200
 
       - operation: upload.upsert
         status: 400
@@ -419,8 +422,6 @@ tests:
       - operation: upload
         bucketName: 'bucket_to_move_{{runId}}'
         objectName: 'object_to_move_{{runId}}.txt'
-        policies:
-          - insert_only_all_objects
         status: 200
 
       - operation: object.move
@@ -431,10 +432,6 @@ tests:
       - operation: object.delete
         status: 400
 
-      - operation: bucket.delete
-        status: 400
-        error: 'Bucket not found'
-
   - description: 'Will only able to copy owned objects when authenticated'
     policies:
       - read_only_all_objects