From 0e6c132ee66abce41b628e4b72005e08fa39a6ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Mon, 15 Aug 2022 15:16:09 +0200
Subject: [PATCH] awscloud: add option to mark S3 object as public
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

By setting the object's ACL to "public-read", anyone can download the object even without authenticating with AWS. The osbuild-upload-generic-s3 command got a new -public argument that uses this new feature.

Signed-off-by: Ondล™ej Budai
---
 cmd/osbuild-upload-generic-s3/main.go | 10 ++++++++++
 internal/cloud/awscloud/awscloud.go | 15 +++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/cmd/osbuild-upload-generic-s3/main.go b/cmd/osbuild-upload-generic-s3/main.go
index 624ff67b8..cc8855f13 100644
--- a/cmd/osbuild-upload-generic-s3/main.go
+++ b/cmd/osbuild-upload-generic-s3/main.go
@@ -21,6 +21,7 @@ func main() {
 var bucketName string
 var keyName string
 var filename string
+ var public bool
 flag.StringVar(&accessKeyID, "access-key-id", "", "access key ID")
 flag.StringVar(&secretAccessKey, "secret-access-key", "", "secret access key")
 flag.StringVar(&sessionToken, "session-token", "", "session token")
@@ -31,6 +32,7 @@ func main() {
 flag.StringVar(&bucketName, "bucket", "", "target S3 bucket name")
 flag.StringVar(&keyName, "key", "", "target S3 key name")
 flag.StringVar(&filename, "image", "", "image file to upload")
+ flag.BoolVar(&public, "public", false, "if set, the S3 object is marked as public (default: false)")
 flag.Parse()

 a, err := awscloud.NewForEndpoint(endpoint, region, accessKeyID, secretAccessKey, sessionToken, caBundle, skipSSLVerification)
@@ -45,5 +47,13 @@ func main() {
 os.Exit(1)
 }

+ if public {
+ err := a.MarkS3ObjectAsPublic(bucketName, keyName)
+ if err != nil {
+ fmt.Println(err.Error())
+ os.Exit(1)
+ }
+ }
+
 fmt.Printf("file uploaded to %s\n", aws.StringValue(&uploadOutput.Location))
 }
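Review bot: When `MarkS3ObjectAsPublic` fails inside the new `if public` block, the process exits 1 after the upload has already succeeded, so the object stays in the bucket with its previous ACL and its location is never printed. The bare `fmt.Println(err.Error())` also gives no hint which of the two steps failed; something like `fmt.Fprintf(os.Stderr, "upload succeeded, but setting the public-read ACL on %s/%s failed: %v\n", bucketName, keyName, err)` would let a caller tell the outcomes apart. Buckets that have ACLs disabled or Block Public Access enabled reject this request, so this branch is a realistic outcome rather than a corner case. The `-public` help text in the second hunk could also say plainly that the object becomes downloadable without AWS credentials. main() begins outside this hunk.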
diff --git a/internal/cloud/awscloud/awscloud.go b/internal/cloud/awscloud/awscloud.go
index d0353be15..a58a85da2 100644
--- a/internal/cloud/awscloud/awscloud.go
+++ b/internal/cloud/awscloud/awscloud.go
@@ -581,3 +581,18 @@ func (a *AWS) S3ObjectPresignedURL(bucket, objectKey string) (string, error) {
 logrus.Info("[AWS] ๐ŸŽ‰ S3 Presigned URL ready")
 return url, nil
 }
+
+func (a *AWS) MarkS3ObjectAsPublic(bucket, objectKey string) error {
+ logrus.Infof("[AWS] ๐Ÿ‘ Making S3 object public %s/%s", bucket, objectKey)
+ _, err := a.s3.PutObjectAcl(&s3.PutObjectAclInput{
+ Bucket: aws.String(bucket),
+ Key: aws.String(objectKey),
+ ACL: aws.String(s3.BucketCannedACLPublicRead),
+ })
+ if err != nil {
+ return err
+ }
+ logrus.Info("[AWS] โœ”๏ธ Making S3 object public successful")
+
+ return nil
+}
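Review bot: `MarkS3ObjectAsPublic` passes `s3.BucketCannedACLPublicRead` to `PutObjectAclInput.ACL`, which is an object ACL field. Both constants are the string "public-read", so the call works, but `ACL: aws.String(s3.ObjectCannedACLPublicRead),` is the matching enum and keeps the intent readable. The exported method also has no doc comment; since it removes access control from the object, I would add `// MarkS3ObjectAsPublic sets the public-read canned ACL on the object, so anyone can download it without AWS credentials.` The error is returned without bucket or key, so a caller that does not read the Infof line above cannot tell which object was rejected.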