b2: for a bucket limited application key check the bucket name

Before this fix rclone would just use the authorised bucket regardless of what bucket you put on the command line. This uses the new `bucketName` response in the API and checks that the user is using the correct bucket name to avoid accidents. Fixes #2839
2018-12-14 10:10:13 +00:00 · 2018-12-14 10:10:13 +00:00 · 3de7ad5223
commit 3de7ad5223
parent 9cb3a68c38
2 changed files with 8 additions and 0 deletions
--- a/backend/b2/api/types.go
+++ b/backend/b2/api/types.go
@ -136,6 +136,7 @@ type AuthorizeAccountResponse struct {
 	AccountID               string   `json:"accountId"`               // The identifier for the account.
 	Allowed                 struct { // An object (see below) containing the capabilities of this auth token, and any restrictions on using it.
 		BucketID     string      `json:"bucketId"`     // When present, access is restricted to one bucket.
+		BucketName   string      `json:"bucketName"`   // When present, name of bucket - may be empty
 		Capabilities []string    `json:"capabilities"` // A list of strings, each one naming a capability the key has.
 		NamePrefix   interface{} `json:"namePrefix"`   // When present, access is restricted to files whose names start with the prefix
 	} `json:"allowed"`
--- a/backend/b2/b2.go
+++ b/backend/b2/b2.go
@ -368,6 +368,13 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) {
 	}
 	// If this is a key limited to a single bucket, it must exist already
 	if f.bucket != "" && f.info.Allowed.BucketID != "" {
+		allowedBucket := f.info.Allowed.BucketName
+		if allowedBucket == "" {
+			return nil, errors.New("bucket that application key is restricted to no longer exists")
+		}
+		if allowedBucket != f.bucket {
+			return nil, errors.Errorf("you must use bucket %q with this application key", allowedBucket)
+		}
 		f.markBucketOK()
 		f.setBucketID(f.info.Allowed.BucketID)
 	}