[Hackathon] Add extension method: verifyBucketOwnership (#3076)

* [Hackathon] Add extension method: verifyBucketOwnership

Author: Bennett Lynch

services/s3/src/it/java/software/amazon/awssdk/services/s3/extensions/DefaultS3ExtensionIntegrationTest.java

@@ -16,13 +16,16 @@
 package software.amazon.awssdk.services.s3.extensions;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static software.amazon.awssdk.testutils.service.S3BucketUtils.temporaryBucketName;
 
 import java.io.File;
 import java.io.IOException;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.services.s3.S3IntegrationTestBase;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.testutils.RandomTempFile;
@@ -86,4 +89,17 @@ public void objectDoesNotExistSync() {
     public void objectDoesNotExistAsync() {
         assertThat(s3Async.doesObjectExist(BUCKET, "noexist").join()).isFalse();
     }
+
+    @Test
+    public void verifyBucketOwnership_userOwnsBucket() {
+        assertThatCode(() -> s3.verifyBucketOwnership(BUCKET)).doesNotThrowAnyException();
+    }
+
+    @Test
+    public void verifyBucketOwnership_userDoesNotOwnBucket() {
+        assertThatThrownBy(() -> s3.verifyBucketOwnership(temporaryBucketName("noexist")))
+            .isInstanceOf(SdkClientException.class)
+            .hasMessage("Bucket ownership verification failed.");
+    }
+
 }

services/s3/src/main/java/software/amazon/awssdk/services/s3/extensions/S3ClientSdkExtension.java

@@ -124,4 +124,22 @@ default URL getUrl(Consumer<GetUrlRequest.Builder> getUrlRequest) {
     default S3Presigner presigner() {
         return S3Presigner.create();
     }
+
+    /**
+     * Validate that the currently configured AWS Account is the owner of a given S3 bucket. Because Amazon S3 identifies buckets
+     * based on their names, an application that uses an incorrect bucket name in a request could inadvertently perform operations
+     * against a different bucket than expected.
+     * <p>
+     * Because buckets can be deleted and re-created at any time, this method should only be used when you know that the bucket in
+     * question will not be deleted after its ownership is verified. For more robust protection, you should include the {@code
+     * expectedBucketOwner} parameter with all eligible requests. For more information, see:
+     * <p>
+     * https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
+     *
+     * @param bucket the bucket to verify ownership
+     */
+    @SdkExtensionMethod
+    default void verifyBucketOwnership(String bucket) {
+        new DefaultS3ClientSdkExtension((S3Client) this).verifyBucketOwnership(bucket);
+    }
 }

services/s3/src/main/java/software/amazon/awssdk/services/s3/internal/extensions/DefaultS3ClientSdkExtension.java

@@ -16,8 +16,10 @@
 package software.amazon.awssdk.services.s3.internal.extensions;
 
 import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.extensions.S3ClientSdkExtension;
+import software.amazon.awssdk.services.s3.model.Bucket;
 import software.amazon.awssdk.services.s3.model.NoSuchBucketException;
 import software.amazon.awssdk.services.s3.model.NoSuchKeyException;
 import software.amazon.awssdk.utils.Validate;
@@ -53,4 +55,17 @@ public boolean doesObjectExist(String bucket, String key) {
             return false;
         }
     }
+
+    @Override
+    public void verifyBucketOwnership(String bucket) {
+        Validate.notEmpty(bucket, "bucket");
+        boolean isBucketOwner = s3.listBuckets()
+                                  .buckets()
+                                  .stream()
+                                  .map(Bucket::name)
+                                  .anyMatch(b -> b.equals(bucket));
+        if (!isBucketOwner) {
+            throw SdkClientException.create("Bucket ownership verification failed.");
+        }
+    }
 }