Guess S3 canned ACL from an ACL object
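// This is experimental.
// guessCannedACL tries to guess the canned ACL from an ACL object.
//
// A canned ACL is returned only when the grant list matches it exactly:
// the owner's FULL_CONTROL grant plus the group grants that canned ACL
// adds, and nothing else. Any extra, missing, duplicated or unreadable
// grant yields an error instead of a best guess, so a caller is never
// told an ACL is more restrictive than it actually is.
//
// Canned ACL table: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
//
// Returns one of the s3.ObjectCannedACL* constants, or an error when the
// ACL has no owner or does not correspond to a known canned ACL.
func guessCannedACL(acl *s3.GetBucketAclOutput) (string, error) {
	if acl == nil || acl.Owner == nil || acl.Owner.ID == nil {
		return "", fmt.Errorf("no owner")
	}
	ownerID := *acl.Owner.ID

	var (
		ownerHasFullControl    bool
		allUsersRead           bool
		allUsersWrite          bool
		authenticatedUsersRead bool
	)
	for _, grant := range acl.Grants {
		// Grantee and Permission are pointers in the SDK model. A grant
		// missing either cannot be classified, so it is skipped rather than
		// dereferenced; it still counts toward len(acl.Grants), which makes
		// the exact-match checks below fail for that ACL.
		if grant == nil || grant.Grantee == nil || grant.Permission == nil {
			continue
		}
		grantee := grant.Grantee
		permission := *grant.Permission

		// Owner has FULL_CONTROL
		if grantee.ID != nil && *grantee.ID == ownerID && permission == s3.PermissionFullControl {
			ownerHasFullControl = true
		}

		// Predefined groups are identified by URI, not by ID.
		if grantee.URI == nil {
			continue
		}
		switch *grantee.URI {
		case allUsersKey:
			switch permission {
			case s3.PermissionRead:
				allUsersRead = true
			case s3.PermissionWrite:
				allUsersWrite = true
			}
		case authenticatedUsersKey:
			if permission == s3.PermissionRead {
				authenticatedUsersRead = true
			}
		}
	}

	if !ownerHasFullControl {
		return "", fmt.Errorf("cannot find canned ACL")
	}

	// Every canned ACL is the owner's FULL_CONTROL grant plus a fixed number
	// of group grants, so the grant count pins down which one it can be:
	//   private             -> 1 grant
	//   authenticated-read  -> 2 grants (owner + AuthenticatedUsers READ)
	//   public-read         -> 2 grants (owner + AllUsers READ)
	//   public-read-write   -> 3 grants (owner + AllUsers READ + AllUsers WRITE)
	// Note that authenticated-read requires two grants; with a single grant
	// the AuthenticatedUsers READ flag can never be set.
	switch n := len(acl.Grants); {
	case n == 1:
		return s3.ObjectCannedACLPrivate, nil
	case n == 2 && authenticatedUsersRead:
		return s3.ObjectCannedACLAuthenticatedRead, nil
	case n == 2 && allUsersRead:
		return s3.ObjectCannedACLPublicRead, nil
	case n == 3 && allUsersRead && allUsersWrite:
		return s3.ObjectCannedACLPublicReadWrite, nil
	}
	return "", fmt.Errorf("cannot find canned ACL")
}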