S3 - HeadObject should authenticate requests (#4240)

moto/s3/responses.py

@@ -122,6 +122,7 @@ ACTION_MAP = {
         },
     },
     "KEY": {
+        "HEAD": {"DEFAULT": "HeadObject",},
         "GET": {
             "uploadId": "ListMultipartUploadParts",
             "acl": "GetObjectAcl",
@@ -1517,6 +1518,9 @@ class ResponseObject(_TemplateEnvironmentMixin, ActionAuthenticatorMixin):
         return 200, response_headers, ""
 
     def _key_response_head(self, bucket_name, query, key_name, headers):
+        self._set_action("KEY", "HEAD", query)
+        self._authenticate_and_authorize_s3_action()
+
         response_headers = {}
         version_id = query.get("versionId", [None])[0]
         part_number = query.get("partNumber", [None])[0]

tests/test_s3/test_s3_auth.py

@@ -0,0 +1,26 @@
+import boto3
+import pytest
+
+from botocore.exceptions import ClientError
+from moto import mock_s3, settings
+from moto.core import set_initial_no_auth_action_count
+from unittest import SkipTest
+
+
+@mock_s3
+@set_initial_no_auth_action_count(0)
+def test_load_unexisting_object_without_auth_should_return_403():
+    if settings.TEST_SERVER_MODE:
+        raise SkipTest("Auth decorator does not work in server mode")
+
+    """Head an S3 object we should have no access to."""
+    resource = boto3.resource("s3", region_name="us-east-1")
+
+    obj = resource.Object("myfakebucket", "myfakekey")
+    with pytest.raises(ClientError) as ex:
+        obj.load()
+    err = ex.value.response["Error"]
+    err["Code"].should.equal("InvalidAccessKeyId")
+    err["Message"].should.equal(
+        "The AWS Access Key Id you provided does not exist in our records."
+    )