IAM | Bucket policy principal is account ARN - when user sends the request

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>

Author: shirady

src/endpoint/s3/s3_rest.js

@@ -296,6 +296,7 @@ async function authorize_request_policy(req) {
     let permission_by_id;
     let permission_by_name;
     let permission_by_arn;
+    let permission_by_arn_owner;
 
     // In NC, we allow principal to be:
     // 1. account name (for backwards compatibility)
@@ -327,7 +328,18 @@ async function authorize_request_policy(req) {
     }
     if (permission_by_arn === "DENY") throw new S3Error(S3Error.AccessDenied);
 
-    if ((permission_by_id === "ALLOW" || permission_by_name === "ALLOW" || permission_by_arn === "ALLOW") || is_owner) return;
+    // ARN check for users under the account
+    // ARN check is not implemented in NC yet
+     if (!is_nc_deployment && account.owner !== undefined) {
+        const owner_account_identifier_arn = s3_bucket_policy_utils.get_bucket_policy_principal_arn(account.owner);
+        permission_by_arn_owner = await s3_bucket_policy_utils.has_bucket_policy_permission(
+            s3_policy, owner_account_identifier_arn, method, arn_path, req, public_access_block?.restrict_public_buckets
+        );
+        dbg.log3('authorize_request_policy: permission_by_arn_owner', permission_by_arn_owner);
+        if (permission_by_arn_owner === "DENY") throw new S3Error(S3Error.AccessDenied);
+     }
+    if ((permission_by_id === "ALLOW" || permission_by_name === "ALLOW" ||
+        permission_by_arn === "ALLOW" || permission_by_arn_owner === "ALLOW") || is_owner) return;
 
     throw new S3Error(S3Error.AccessDenied);
 }