sinatra-s3 0.98

data/lib/sinatra-s3/base.rb

@@ -0,0 +1,526 @@
+module S3
+
+  def self.config
+    @config ||= YAML.load_file("s3.yml")[S3::Application.environment] rescue { :db => { :adapter => 'sqlite3', :database => "db/s3.db" } }
+  end
+
+  class Application < Sinatra::Base
+
+    enable :static
+    disable :raise_errors, :show_exceptions
+    set :environment, :production
+    set :public, PUBLIC_PATH
+
+    helpers do
+      include S3::Helpers
+      include S3::TrackerHelper
+    end
+
+    configure do
+      ActiveRecord::Base.establish_connection(S3.config[:db]) 
+    end
+
+    before do
+      run_callback_for :when => 'before'
+
+      @meta, @amz = {}, {}
+      @env.each do |k,v|
+	k = k.downcase.gsub('_', '-')
+	@amz[$1] = v.strip if k =~ /^http-x-amz-([-\w]+)$/
+	@meta[$1] = v if k =~ /^http-x-amz-meta-([-\w]+)$/
+      end
+
+      auth, key_s, secret_s = *env['HTTP_AUTHORIZATION'].to_s.match(/^AWS (\w+):(.+)$/)
+      date_s = env['HTTP_X_AMZ_DATE'] || env['HTTP_DATE']
+      if request.params.has_key?('Signature') and Time.at(request['Expires'].to_i) >= Time.now
+	key_s, secret_s, date_s = request['AWSAccessKeyId'], request['Signature'], request['Expires']
+      end
+      uri = env['PATH_INFO']
+      uri += "?" + env['QUERY_STRING'] if RESOURCE_TYPES.include?(env['QUERY_STRING'])
+      canonical = [env['REQUEST_METHOD'], env['HTTP_CONTENT_MD5'], env['CONTENT_TYPE'],
+	date_s, uri]
+      @amz.sort.each do |k, v|
+	canonical[-1,0] = "x-amz-#{k}:#{v}"
+      end
+
+      @user = User.find_by_key key_s
+      if (@user and secret_s != hmac_sha1(@user.secret, canonical.map{|v|v.to_s.strip} * "\n")) || (@user and @user.deleted == 1)
+	raise BadAuthentication
+      end
+
+      @request_id = Time.now.to_i
+      headers 'x-amz-request-id' => @request_id.to_s
+    end
+
+    def call(env)
+      begin
+        return if env['PATH_INFO'] =~ /^\/control/
+        super(env)
+      ensure
+	ActiveRecord::Base.connection_pool.release_connection
+      end
+    end
+
+    get '/' do
+      only_authorized
+      buckets = Bucket.user_buckets(@user.id)
+
+      xml do |x|
+	x.ListAllMyBucketsResult :xmlns => "http://s3.amazonaws.com/doc/2006-03-01/" do
+	  x.Owner do
+	    x.ID @user.key
+	    x.DisplayName @user.login
+	  end
+	  x.Buckets do
+	    buckets.each do |b|
+	      x.Bucket do
+		x.Name b.name
+		x.CreationDate b.created_at.getgm.iso8601
+	      end
+	    end
+	  end
+	end
+      end
+    end
+
+
+    # get bucket
+    get %r{^/([^\/]+)/?$} do
+      bucket = Bucket.find_root(params[:captures].first)
+      acl_response_for(bucket) and return if params.has_key?('acl')
+      versioning_response_for(bucket) and return if params.has_key?('versioning')
+      only_can_read bucket
+
+      params['prefix'] ||= ''
+      params['marker'] ||= ''
+
+      query = bucket.items(params['marker'],params['prefix'])
+      slot_count = query.count
+      contents = query.find(:all, :include => :owner, 
+	:limit => params['max-keys'].blank? ? 1000 : params['max-keys'])
+
+      if params['delimiter']
+	# Build a hash of { :prefix => content_key }. The prefix will not include the supplied params['prefix'].
+	prefixes = contents.inject({}) do |hash, c|
+	  prefix = get_prefix(c).to_sym
+	  hash[prefix] = [] unless hash[prefix]
+	  hash[prefix] << c.name
+	  hash
+	end
+
+	# The common prefixes are those with more than one element
+	common_prefixes = prefixes.inject([]) do |array, prefix|
+	  array << prefix[0].to_s if prefix[1].size > 1
+	  array
+	end
+
+	# The contents are everything that doesn't have a common prefix
+	contents = contents.reject do |c|
+	  common_prefixes.include? get_prefix(c)
+	end
+      end
+
+      xml do |x|
+	x.ListBucketResult :xmlns => "http://s3.amazonaws.com/doc/2006-03-01/" do
+	  x.Name bucket.name
+	  x.Prefix params['prefix']
+	  x.Marker params['marker']
+	  x.Delimiter params['delimiter'] if params['delimiter']
+	  x.MaxKeys params['max-keys'].blank? ? 1000 : params['max-keys']
+	  x.IsTruncated slot_count > contents.length
+	  contents.each do |c|
+	    x.Contents do
+	      x.Key c.name
+	      x.LastModified c.updated_at.getgm.iso8601
+	      x.ETag c.etag
+	      x.Size c.obj.size
+	      x.StorageClass "STANDARD"
+	      x.Owner do
+		x.ID c.owner.key
+		x.DisplayName c.owner.login
+	      end
+	    end
+	  end
+	  unless common_prefixes.nil?
+	    common_prefixes.each do |p|
+	      x.CommonPrefixes do
+		x.Prefix p
+	      end
+	    end
+	  end
+	end
+      end
+    end
+
+    # create bucket
+    put %r{^/([^\/]+)/?$} do
+      begin
+	only_authorized
+	bucket = Bucket.find_root(params[:captures].first)
+	only_owner_of bucket
+	if params.has_key?('acl')
+	  bucket.grant(requested_acl(bucket))
+	elsif params.has_key?('versioning')
+	  manage_versioning(bucket)
+	else
+	  raise BucketAlreadyExists
+	end
+	headers 'Location' => env['PATH_INFO'], 'Content-Length' => 0.to_s
+	body ""
+      rescue NoSuchBucket
+	Bucket.create(:name => params[:captures].first, :owner_id => @user.id).grant(requested_acl)
+	headers 'Location' => env['PATH_INFO'], 'Content-Length' => 0.to_s
+	body ""
+      end
+    end
+
+    # delete bucket
+    delete %r{^/([^\/]+)/?$} do
+      bucket = Bucket.find_root(params[:captures].first)
+      only_owner_of bucket
+
+      raise BucketNotEmpty if Slot.count(:conditions => ['deleted = 0 AND parent_id = ?', bucket.id]) > 0
+
+      bucket.remove_from_filesystem
+      bucket.destroy
+      status 204
+      body ""
+    end
+
+    # get slot (head)
+    head %r{^/(.+?)/(.+)$} do
+      slot_head
+      body ""
+    end
+
+    def slot_head
+      bucket = Bucket.find_root(params[:captures].first)
+
+      h = {}
+      if params.has_key?('version-id')
+	@revision = bucket.git_repository.gcommit(params['version-id'])
+	h.merge!({ 'x-amz-version-id' => @revision.sha })
+	@slot = Slot.find_by_version(@revision.sha)
+	@revision_file = @revision.gtree.blobs[File.basename(@slot.fullpath)].contents { |f| f.read }
+      else
+	@slot = bucket.find_slot(params[:captures].last)
+	git_object = @slot.git_object
+	h.merge!({ 'x-amz-version-id' => git_object.objectish }) if git_object
+      end
+
+      if params.has_key? 'acl'
+	only_can_read_acp @slot
+      else
+	only_can_read @slot
+      end
+
+      etag = @slot.etag
+      since = Time.httpdate(env['HTTP_IF_MODIFIED_SINCE']) rescue nil
+      raise NotModified if since and @slot.updated_at <= since
+      since = Time.httpdate(env['HTTP_IF_UNMODIFIED_SINCE']) rescue nil
+      raise PreconditionFailed if since and @slot.updated_at > since
+      raise PreconditionFailed if env['HTTP_IF_MATCH'] and etag != env['HTTP_IF_MATCH']
+      raise NotModified if env['HTTP_IF_NONE_MATCH'] and etag == env['HTTP_IF_NONE_MATCH']
+
+      @slot.meta.each { |k, v|
+	h.merge!({ "x-amz-meta-#{k}" => v })
+      }
+
+      if @slot.obj.is_a? FileInfo
+	h.merge!({ 'Content-Disposition' => (@slot.obj.disposition.nil? ? "inline" : @slot.obj.disposition), 'Content-Length' => (@revision_file.nil? ? 
+	  @slot.obj.size : @revision_file.length).to_s, 'Content-Type' => @slot.obj.mime_type })
+      end
+      h['Content-Type'] ||= 'binary/octet-stream'
+      h.merge!('ETag' => etag, 'Last-Modified' => @slot.updated_at.httpdate) if @revision_file.nil?
+      headers h
+    end
+
+    # get slot
+    get %r{^/(.+?)/(.+)$} do
+      slot_head
+      acl_response_for(@slot) and return if params.has_key?('acl')
+
+      if params.has_key?('torrent')
+	torrent @slot
+      elsif @slot.obj.kind_of?(FileInfo) && env['HTTP_RANGE'] =~ /^bytes=(\d+)?-(\d+)?$/ # yay, parse basic ranges
+	range_start = $1
+	range_end = $2
+	raise NotImplemented unless range_start || range_end # Need at least one or the other.
+	file_path = File.join(STORAGE_PATH, @slot.obj.path)
+	file_size = File.size(file_path)
+	f = File.open(file_path)
+	if range_start # "Bytes N through ?" mode
+	  range_end = (file_size - 1) if range_end.nil?
+	  content_length = (range_end.to_i - range_start.to_i + 1)
+	  headers['Content-Range'] = "bytes #{range_start.to_i}-#{range_end.to_i}/#{file_size}"
+	else # "Last N bytes of file" mode.
+	  range_start = file_size - range_end.to_i
+	  content_length = range_end.to_i
+	  headers['Content-Range'] = "bytes #{range_start.to_i}-#{file_size - 1}/#{file_size}"
+	end
+	f.seek(range_start.to_i)
+	status 206
+	headers['Content-Length'] = ([content_length,0].max).to_s
+	body f
+      elsif env['HTTP_RANGE']  # ugh, parse ranges
+	raise NotImplemented
+      else
+	case @slot.obj
+	when FileInfo
+	  body params.has_key?('version-id') ? @revision_file : open(File.join(STORAGE_PATH, @slot.obj.path))
+          run_callback_for :mime_type => @slot.obj.mime_type
+	else
+	  body @slot.obj
+	end
+      end
+    end
+
+    # create slot
+    post %r{^/(.+?)/(.+)$} do
+      params.each do |k,v|
+	case
+	when k =~ /^x-amz-meta-(.*)$/
+	  @meta[$1] = v
+	when k =~ /content-type/i
+	  env['CONTENT_TYPE'] = v
+	when k =~ /content-disposition/i
+	  env['CONTENT_DISPOSITION'] = v
+	end
+      end
+      env['rack.input'] = params[:file].instance_of?(File) ? params[:file] : StringIO.new(params[:file])
+      env['CONTENT_LENGTH'] = env['rack.input'].length
+      create_slot
+    end
+
+    # create slot
+    put %r{^/(.+?)/(.+)$} do
+      create_slot
+    end
+
+    def create_slot
+      bucket = Bucket.find_root(params[:captures].first)
+      begin
+        slot = bucket.find_slot(params[:captures].last)
+        only_can_write slot unless slot.nil?
+      rescue NoSuchKey
+        only_can_write bucket
+      end
+
+      raise MissingContentLength unless env['CONTENT_LENGTH']
+
+      if params.has_key?('acl')
+	slot = bucket.find_slot(oid)
+	slot.grant(requested_acl(slot))
+	headers 'ETag' => slot.etag, 'Content-Length' => 0.to_s
+	body ""
+      elsif env['HTTP_X_AMZ_COPY_SOURCE'].to_s =~ /\/(.+?)\/(.+)/
+	source_bucket_name = $1
+	source_oid = $2
+
+	source_slot = Bucket.find_root(source_bucket_name).find_slot(source_oid)
+	@meta = source_slot.meta unless !env['HTTP_X_AMZ_METADATA_DIRECTIVE'].nil? && env['HTTP_X_AMZ_METADATA_DIRECTIVE'].upcase == "REPLACE"
+	only_can_read source_slot
+
+	unless env['HTTP_X_AMZ_COPY_SOURCE_IF_MATCH'].blank?
+	  raise PreconditionFailed if source_slot.obj.etag != env['HTTP_X_AMZ_COPY_SOURCE_IF_MATCH']
+	end
+	unless env['HTTP_X_AMZ_COPY_SOURCE_IF_NONE_MATCH'].blank?
+	  raise PreconditionFailed if source_slot.obj.etag == env['HTTP_X_AMZ_COPY_SOURCE_IF_NONE_MATCH']
+	end
+	unless env['HTTP_X_AMZ_COPY_SOURCE_IF_UNMODIFIED_SINCE'].blank?
+	  raise PreconditionFailed if Time.httpdate(env['HTTP_X_AMZ_COPY_SOURCE_IF_UNMODIFIED_SINCE']) > source_slot.updated_at
+	end
+	unless env['HTTP_X_AMZ_COPY_SOURCE_IF_MODIFIED_SINCE'].blank?
+	  raise PreconditionFailed if Time.httpdate(env['HTTP_X_AMZ_COPY_SOURCE_IF_MODIFIED_SINCE']) < source_slot.updated_at
+	end
+
+	temp_path = File.join(STORAGE_PATH, source_slot.obj.path)
+	fileinfo = source_slot.obj
+	fileinfo.path = File.join(params[:captures].first, rand(10000).to_s(36) + '_' + File.basename(temp_path))
+	fileinfo.path.succ! while File.exists?(File.join(STORAGE_PATH, fileinfo.path))
+	file_path = File.join(STORAGE_PATH,fileinfo.path)
+      else
+	temp_path = env['rack.input'][:path] rescue nil
+	readlen = 0
+	md5 = MD5.new
+
+	Tempfile.open(File.basename(params[:captures].last)) do |tmpf|
+	  temp_path ||= tmpf.path
+	  tmpf.binmode
+	  while part = env['rack.input'].read(BUFSIZE)
+	    readlen += part.size
+	    md5 << part
+	    tmpf << part unless env['rack.input'].is_a?(Tempfile)
+	  end
+	end
+
+	fileinfo = FileInfo.new
+	fileinfo.mime_type = env['CONTENT_TYPE'] || "binary/octet-stream"
+	fileinfo.disposition = env['CONTENT_DISPOSITION']
+	fileinfo.size = readlen
+	fileinfo.md5 = Base64.encode64(md5.digest).strip
+	fileinfo.etag = '"' + md5.hexdigest + '"'
+
+	raise IncompleteBody if env['CONTENT_LENGTH'].to_i != readlen
+	if env['HTTP_CONTENT_MD5']
+	  b64cs = /[0-9a-zA-Z+\/]/
+	    re = /
+	    ^
+	  (?:#{b64cs}{4})*       # any four legal chars
+	    (?:#{b64cs}{2}        # right-padded by up to two =s
+	     (?:#{b64cs}|=){2})?
+	     $
+	  /ox
+
+	  raise InvalidDigest unless env['HTTP_CONTENT_MD5'] =~ re
+	  raise BadDigest unless fileinfo.md5 == env['HTTP_CONTENT_MD5']
+	end
+      end
+
+      mdata = {}
+
+      slot = nil
+      meta = @meta.nil? || @meta.empty? ? {} : {}.merge(@meta)
+      owner_id = @user ? @user.id : bucket.owner_id
+
+      begin
+	slot = bucket.find_slot(params[:captures].last)
+	if slot.versioning_enabled?
+	  nslot = slot.clone()
+	  slot.update_attributes(:deleted => true)
+	  slot = nslot
+	end
+	if source_slot.nil?
+	  fileinfo.path = slot.obj.path
+	  file_path = File.join(STORAGE_PATH,fileinfo.path)
+	  FileUtils.mv(temp_path, file_path,{ :force => true })
+	else
+	  FileUtils.cp(temp_path, file_path)
+	end
+	slot.update_attributes(:owner_id => owner_id, :meta => meta, :obj => fileinfo, :size => fileinfo.size)
+      rescue NoSuchKey
+	if source_slot.nil?
+	  fileinfo.path = File.join(params[:captures].first, rand(10000).to_s(36) + '_' + File.basename(temp_path))
+	  fileinfo.path.succ! while File.exists?(File.join(STORAGE_PATH, fileinfo.path))
+	  file_path = File.join(STORAGE_PATH,fileinfo.path)
+	  FileUtils.mkdir_p(File.dirname(file_path))
+	  FileUtils.mv(temp_path, file_path)
+	else
+	  FileUtils.cp(temp_path, file_path)
+	end
+	slot = Slot.create(:name => params[:captures].last, :owner_id => owner_id, :meta => meta, :obj => fileinfo, :size => fileinfo.size)
+	bucket.add_child(slot)
+      end
+      slot.grant(requested_acl(slot))
+
+      h = { 'Content-Length' => 0.to_s, 'ETag' => slot.etag }
+      if slot.versioning_enabled?
+	begin
+	  slot.git_repository.add(File.basename(fileinfo.path))
+	  tmp = slot.git_repository.commit("Added #{slot.name} to the Git repository.")
+	  slot.git_update
+	  slot.update_attributes(:version => slot.git_object.objectish)
+	  h.merge!({ 'x-amz-version-id' => slot.git_object.objectish })
+	rescue Git::GitExecuteError => error_message
+	  puts "[#{Time.now}] GIT: #{error_message}"
+	end
+      end
+
+      if env['HTTP_X_AMZ_COPY_SOURCE'].blank?
+	redirect_url = (params[:success_action_redirect] || params[:redirect])
+	redirect redirect_url unless redirect_url.blank?
+	status params[:success_action_status].to_i if params[:success_action_status]
+	headers h
+        body ""
+      else
+	h['Content-Length'] = nil
+	headers h
+	xml do |x|
+	  x.CopyObjectResult do
+	    x.LastModified slot.updated_at.httpdate
+	    x.Etag slot.etag
+	  end
+	end
+      end
+    end
+
+    # delete slot
+    delete %r{^/(.+?)/(.+)$} do
+      bucket = Bucket.find_root(params[:captures].first)
+      only_can_write bucket
+
+      begin
+	@slot = bucket.find_slot(params[:captures].last)
+	if @slot.versioning_enabled?
+	  begin
+	    @slot.git_repository.remove(File.basename(@slot.obj.path))
+	    @slot.git_repository.commit("Removed #{@slot.name} from the Git repository.")
+	    @slot.git_update
+	  rescue Git::GitExecuteError => error_message
+	    puts "[#{Time.now}] GIT: #{error_message}"
+	  end
+	end
+
+	@slot.remove_from_filesystem
+	@slot.destroy
+	status 204
+	body ""
+      rescue NoSuchKey
+	status 204
+	body ""
+      end
+    end
+
+    error do
+      error = Builder::XmlMarkup.new
+      error.instruct! :xml, :version=>"1.0", :encoding=>"UTF-8"
+
+      error.Error do
+	error.Code request.env['sinatra.error'].code
+	error.Message request.env['sinatra.error'].message
+	error.Resource env['PATH_INFO']
+	error.RequestId @request_id
+      end
+
+      status request.env['sinatra.error'].status.nil? ? 500 : request.env['sinatra.error'].status
+      content_type 'application/xml'
+      body error.target!
+      run_callback_for :error => request.env['sinatra.error'].code
+    end
+
+    def self.callback(args = {}, &block)
+      @@callbacks ||= {}
+      if args[:mime_type]
+        @@callbacks[:mime_type] ||= {}
+        @@callbacks[:mime_type][args[:mime_type]] = block
+      elsif args[:error]
+        @@callbacks[:error] ||= {}
+        @@callbacks[:error][args[:error]] = block
+      elsif args[:when]
+	@@callbacks[:when] ||= {}
+	@@callbacks[:when][args[:when]] = block
+      end
+    end
+
+    protected
+    def run_callback_for(args = {})
+      @@callbacks ||= {}
+      block = nil
+
+      if args[:mime_type]
+        return if @@callbacks[:mime_type].nil?
+        block = @@callbacks[:mime_type][args[:mime_type]]
+      elsif args[:error]
+        return if @@callbacks[:error].nil?
+        block = @@callbacks[:error][args[:error]]
+      elsif args[:when]
+	return if @@callbacks[:when].nil?
+	block = @@callbacks[:when][args[:when]]
+      end
+
+      self.instance_eval(&block) unless block.nil?
+    end
+
+  end
+
+end

data/lib/sinatra-s3/errors.rb

@@ -0,0 +1,51 @@
+module S3
+
+  # All errors are derived from ServiceError.  It's never actually raised itself, though.
+  class ServiceError < Exception; end
+     
+  # A factory for building exception classes.
+  YAML::load(<<-END).
+      AccessDenied: [403, Access Denied]
+      AllAccessDisabled: [401, All access to this object has been disabled.]
+      AmbiguousGrantByEmailAddress: [400, The e-mail address you provided is associated with more than one account.]
+      BadAuthentication: [401, The authorization information you provided is invalid. Please try again.]
+      BadDigest: [400, The Content-MD5 you specified did not match what we received.]
+      BucketAlreadyExists: [409, The named bucket you tried to create already exists.]
+      BucketNotEmpty: [409, The bucket you tried to delete is not empty.]
+      CredentialsNotSupported: [400, This request does not support credentials.]
+      EntityTooLarge: [400, Your proposed upload exceeds the maximum allowed object size.]
+      IncompleteBody: [400, You did not provide the number of bytes specified by the Content-Length HTTP header.]
+      InternalError: [500, We encountered an internal error. Please try again.]
+      InvalidArgument: [400, Invalid Argument]
+      InvalidBucketName: [400, The specified bucket is not valid.]
+      InvalidDigest: [400, The Content-MD5 you specified was an invalid.]
+      InvalidRange: [416, The requested range is not satisfiable.]
+      InvalidSecurity: [403, The provided security credentials are not valid.]
+      InvalidSOAPRequest: [400, The SOAP request body is invalid.]
+      InvalidStorageClass: [400, The storage class you specified is not valid.]
+      InvalidURI: [400, Couldn't parse the specified URI.]
+      MalformedACLError: [400, The XML you provided was not well-formed or did not validate against our published schema.]
+      MethodNotAllowed: [405, The specified method is not allowed against this resource.]
+      MissingContentLength: [411, You must provide the Content-Length HTTP header.]
+      MissingSecurityElement: [400, The SOAP 1.1 request is missing a security element.]
+      MissingSecurityHeader: [400, Your request was missing a required header.]
+      NoSuchBucket: [404, The specified bucket does not exist.]
+      NoSuchKey: [404, The specified key does not exist.]
+      NotImplemented: [501, A header you provided implies functionality that is not implemented.]
+      NotModified: [304, The request resource has not been modified.]
+      PreconditionFailed: [412, At least one of the pre-conditions you specified did not hold.]
+      RequestTimeout: [400, Your socket connection to the server was not read from or written to within the timeout period.]
+      RequestTorrentOfBucketError: [400, Requesting the torrent file of a bucket is not permitted.]
+      TooManyBuckets: [400, You have attempted to create more buckets than allowed.]
+      UnexpectedContent: [400, This request does not support content.]
+      UnresolvableGrantByEmailAddress: [400, The e-mail address you provided does not match any account on record.]
+  END
+  each do |code, (status, msg)|
+    const_set(code, Class.new(ServiceError) {
+      {:code=>code, :status=>status, :message=>msg}.each do |k,v|
+        define_method(k) { v }
+      end
+    })
+  end
+
+end

data/lib/sinatra-s3/ext.rb

@@ -0,0 +1,20 @@
+class Dir
+  def empty?
+    Dir.glob("#{ path }/*", File::FNM_DOTMATCH) do |e|
+      return false unless %w( . .. ).include?(File::basename(e))
+    end
+    return true
+  end
+  def self.empty? path
+    new(path).empty?
+  end
+end
+
+class String
+  def to_hex_s
+    unpack("H*").first
+  end
+  def from_hex_s
+    [self].pack("H*")
+  end
+end

data/lib/sinatra-s3/helpers/acp.rb

@@ -0,0 +1,100 @@
+module S3
+  module Helpers
+    module ACP
+
+      # Kick out any users which do not have acp read access to a certain resource.
+      def only_can_read_acp bit; raise S3::AccessDenied unless bit.acp_readable_by? @user end
+      # Kick out any users which do not have acp write access to a certain resource.
+      def only_can_write_acp bit; raise S3::AccessDenied unless bit.acp_writable_by? @user end
+
+      def acl_response_for(bit)
+        only_can_read_acp(bit)
+
+        xml do |x|
+          x.AccessControlPolicy :xmlns => "http://s3.amazonaws.com/doc/2006-03-01/" do
+            x.Owner do
+              x.ID bit.owner.key
+              x.DisplayName bit.owner.login
+            end
+            x.AccessControlList do
+              bit.acl_list.each_pair do |key,acl|
+                x.Grant do
+                  x.Grantee "xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance", "xsi:type" => acl[:type] do
+                    if acl[:type] == "CanonicalUser"
+                      x.ID acl[:id]
+                      x.DisplayName acl[:name]
+                    else
+                      x.URI acl[:uri]
+                    end
+                  end
+                  x.Permission acl[:access]
+                end
+              end
+            end
+          end
+        end
+      end
+
+      def update_user_access(slot,user,access)
+        if slot.acl_list[user.key]
+          unless access == slot.acl_list[user.key][:access]
+            BitsUser.update_all("access = #{access}", ["bit_id = ? AND user_id = ?", slot.id, user.id ])
+          end
+        else
+          BitsUser.create(:bit_id => slot.id, :user_id => user.id, :access => access)
+        end
+      end
+
+      # Parse any ACL requests which have come in.
+      def requested_acl(slot=nil)
+        if slot && params.has_key?('acl')
+          only_can_write_acp slot
+          env['rack.input'].rewind
+          data = env['rack.input'].read
+          xml_request = REXML::Document.new(data).root
+          xml_request.each_element('//Grant') do |element|
+            new_perm = element.elements['Permission'].text
+            new_access = "#{Bit.acl_text.invert[new_perm]}00".to_i(8)
+            grantee = element.elements['Grantee']
+
+            case grantee.attributes["type"]
+            when "CanonicalUser"
+              user_check = User.find_by_key(grantee.elements["ID"].text)
+              unless user_check.nil? || slot.owner.id == user_check.id
+                update_user_access(slot,user_check,new_access)
+              end
+            when "Group"
+              if grantee.elements['URI'].text =~ /AuthenticatedUsers/
+                slot.access &= ~(slot.access.to_s(8)[1,1].to_i*10)
+                slot.access |= (Bit.acl_text.invert[new_perm]*10).to_s.to_i(8)
+              end
+              if grantee.elements['URI'].text =~ /AllUsers/
+                slot.access &= ~slot.access.to_s(8)[2,1].to_i
+                slot.access |= Bit.acl_text.invert[new_perm].to_s.to_i(8)
+              end
+              slot.save()
+            when "AmazonCustomerByEmail"
+              user_check = User.find_by_email(grantee.elements["EmailAddress"].text)
+              unless user_check.nil? || slot.owner.id == user_check.id
+                update_user_access(slot,user_check,new_access)
+              end
+            when ""
+            else
+              raise NotImplemented
+            end
+          end
+          {}
+        else
+	  if @amz['acl'].nil?
+	    access = slot.access unless slot.nil?
+	    access ||= slot.parent.access unless slot.nil? || slot.parent.nil?
+	  else
+	    access = CANNED_ACLS[@amz['acl']]
+	  end
+	  { :access => access.nil? ? CANNED_ACLS['private'] : access }
+        end
+      end
+
+    end
+  end
+end