fix(s3): creating public bucket with object ACL enabled

ctrlc03 · ctrlc03 · commit 12ad715e09cd · 2023-05-18T14:08:01.000+01:00
configuring S3 to allow download of verification transcript
diff --git a/packages/backend/src/functions/circuit.ts b/packages/backend/src/functions/circuit.ts
@@ -494,7 +494,8 @@ export const verifycontribution = functionsV2.https.onCall(
                 await uploadFileToBucket(
                     bucketName,
                     verificationTranscriptStoragePathAndFilename,
-                    verificationTranscriptTemporaryLocalPath
+                    verificationTranscriptTemporaryLocalPath,
+                    true
                 )
 
                 // Compute verification transcript hash.
diff --git a/packages/backend/src/functions/storage.ts b/packages/backend/src/functions/storage.ts
@@ -6,7 +6,9 @@ import {
     UploadPartCommand,
     CompleteMultipartUploadCommand,
     HeadObjectCommand,
-    CreateBucketCommand
+    CreateBucketCommand,
+    PutPublicAccessBlockCommand,
+    PutBucketCorsCommand
 } from "@aws-sdk/client-s3"
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner"
 import dotenv from "dotenv"
@@ -146,7 +148,8 @@ export const createBucket = functions
             Bucket: data.bucketName,
             CreateBucketConfiguration: {
                 LocationConstraint: String(process.env.AWS_REGION)
-            }
+            },
+            ObjectOwnership: "BucketOwnerPreferred"
         })
 
         try {
@@ -156,6 +159,37 @@ export const createBucket = functions
             // Check response.
             if (response.$metadata.httpStatusCode === 200 && !!response.Location)
                 printLog(`The AWS S3 bucket ${data.bucketName} has been created successfully`, LogLevel.LOG)
+
+            const publicBlockCommand = new PutPublicAccessBlockCommand({
+                Bucket: data.bucketName,
+                PublicAccessBlockConfiguration: {
+                    BlockPublicAcls: false,
+                    BlockPublicPolicy: false,
+                }
+            })
+
+            // Allow objects to be public
+            const publicBlockResponse = await S3.send(publicBlockCommand)
+            // Check response.
+            if (publicBlockResponse.$metadata.httpStatusCode === 200)
+                printLog(`The AWS S3 bucket ${data.bucketName} has been set with the PublicAccessBlock disabled.`, LogLevel.LOG)
+        
+            // Set CORS
+            const corsCommand = new PutBucketCorsCommand({
+                Bucket: data.bucketName,
+                CORSConfiguration: {
+                    CORSRules: [
+                        {
+                            AllowedMethods: ["GET"],
+                            AllowedOrigins: ["*"],
+                        }
+                    ]
+                }
+            })
+            const corsResponse = await S3.send(corsCommand)
+            // Check response.
+            if (corsResponse.$metadata.httpStatusCode === 200)
+                printLog(`The AWS S3 bucket ${data.bucketName} has been set with the CORS configuration.`, LogLevel.LOG)
         } catch (error: any) {
             /** * {@link https://docs.aws.amazon.com/simspaceweaver/latest/userguide/troubleshooting_bucket-name-too-long.html | InvalidBucketName} */
             if (error.$metadata.httpStatusCode === 400 && error.Code === `InvalidBucketName`)
@@ -308,7 +342,7 @@ export const startMultiPartUpload = functions
         const S3 = await getS3Client()
 
         // Prepare S3 command.
-        const command = new CreateMultipartUploadCommand({ Bucket: bucketName, Key: objectKey })
+        const command = new CreateMultipartUploadCommand({ Bucket: bucketName, Key: objectKey, ACL: "private" })
 
         try {
             // Execute S3 command.
diff --git a/packages/backend/src/lib/utils.ts b/packages/backend/src/lib/utils.ts
@@ -220,15 +220,15 @@ export const downloadArtifactFromS3Bucket = async (bucketName: string, objectKey
  * @param objectKey <string> - the unique key to identify the object inside the given AWS S3 bucket.
  * @param localFilePath <string> - the local path where the file to be uploaded is stored.
  */
-export const uploadFileToBucket = async (bucketName: string, objectKey: string, localFilePath: string) => {
+export const uploadFileToBucket = async (bucketName: string, objectKey: string, localFilePath: string, isPublic: boolean = false) => {
     // Prepare AWS S3 client instance.
     const client = await getS3Client()
 
     // Extract content type.
     const contentType = mime.lookup(localFilePath) || ""
 
     // Prepare command.
-    const command = new PutObjectCommand({ Bucket: bucketName, Key: objectKey, ContentType: contentType })
+    const command = new PutObjectCommand({ Bucket: bucketName, Key: objectKey, ContentType: contentType, ACL: isPublic ? "public-read" : "private" })
 
     // Generate a pre-signed url for uploading the file.
     const url = await getSignedUrl(client, command, { expiresIn: Number(process.env.AWS_PRESIGNED_URL_EXPIRATION) })

Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,8 @@ export const verifycontribution = functionsV2.https.onCall(`
`494`	`494`	`await uploadFileToBucket(`
`495`	`495`	`bucketName,`
`496`	`496`	`verificationTranscriptStoragePathAndFilename,`
`497`		`- verificationTranscriptTemporaryLocalPath`
	`497`	`+ verificationTranscriptTemporaryLocalPath,`
	`498`	`+ true`
`498`	`499`	`)`
`499`	`500`
`500`	`501`	`// Compute verification transcript hash.`