From dafad69e23fd4b90c2921f2fd76f7b7504168098 Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Thu, 4 Apr 2024 21:39:31 -0700
Subject: [PATCH] s3-credentials debug-bucket name, closes #86
---
 docs/other-commands.md | 42 +++++++++++++++++++++++++++++++++++++++++
 s3_credentials/cli.py | 43 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
diff --git a/docs/other-commands.md b/docs/other-commands.md
index e7a5c54..77f9e62 100644
--- a/docs/other-commands.md
+++ b/docs/other-commands.md
@@ -503,3 +503,45 @@ The following example allows GET and PUT methods from code running on `https://w
 --allowed-origin https://www.example.com/ \
 --expose-header ETag \
 --max-age-seconds 60
+
+## debug-bucket
+
+The `debug-bucket` command is useful for diagnosing issues with a bucket:
+
+ s3-credentials debug-bucket my-bucket
+
+Example output:
+```
+Bucket ACL:
+{
+ "Owner": {
+ "DisplayName": "username",
+ "ID": "cc8ca3a037c6a7c1fa7580076bf7cd1949b3f2f58f01c9df9e53c51f6a249910"
+ },
+ "Grants": [
+ {
+ "Grantee": {
+ "DisplayName": "username",
+ "ID": "cc8ca3a037c6a7c1fa7580076bf7cd1949b3f2f58f01c9df9e53c51f6a249910",
+ "Type": "CanonicalUser"
+ },
+ "Permission": "FULL_CONTROL"
+ }
+ ]
+}
+Bucket policy status:
+{
+ "PolicyStatus": {
+ "IsPublic": true
+ }
+}
+Bucket public access block:
+{
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicAcls": false,
+ "IgnorePublicAcls": false,
+ "BlockPublicPolicy": false,
+ "RestrictPublicBuckets": false
+ }
+}
+```
\ No newline at end of file
diff --git a/s3_credentials/cli.py b/s3_credentials/cli.py
index ebe5b65..76f9510 100644
--- a/s3_credentials/cli.py
+++ b/s3_credentials/cli.py
@@ -1329,6 +1329,49 @@ def get_cors_policy(bucket, **boto_options):
 click.echo(json.dumps(response["CORSRules"], indent=4, default=str))
+def without_response_metadata(data):
+ return dict(
+ (key, value) for key, value in data.items() if key != "ResponseMetadata"
+ )
+
+
+@cli.command()
+@click.argument("bucket")
+@common_boto3_options
+def debug_bucket(bucket, **boto_options):
+ """
+ Run a bunch of diagnostics to help debug a bucket
+
+ s3-credentials debug-bucket my-bucket
+ """
+ s3 = make_client("s3", **boto_options)
+
+ try:
+ bucket_acl = s3.get_bucket_acl(Bucket=bucket)
+ click.echo("Bucket ACL:")
+ click.echo(json.dumps(without_response_metadata(bucket_acl), indent=4))
+ except Exception as ex:
+ print(f"Error checking bucket ACL: {ex}")
+
+ try:
+ bucket_policy_status = s3.get_bucket_policy_status(Bucket=bucket)
+ click.echo("Bucket policy status:")
+ click.echo(
+ json.dumps(without_response_metadata(bucket_policy_status), indent=4)
+ )
+ except Exception as ex:
+ print(f"Error checking bucket policy status: {ex}")
+
+ try:
+ bucket_public_access_block = s3.get_public_access_block(Bucket=bucket)
+ click.echo("Bucket public access block:")
+ click.echo(
+ json.dumps(without_response_metadata(bucket_public_access_block), indent=4)
+ )
+ except Exception as ex:
+ print(f"Error checking bucket public access block: {ex}")
+
+
 @cli.command()
 @click.argument("bucket")
 @click.argument(
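Review bot: The three `except Exception as ex:` handlers in `debug_bucket` report every failure the same way, so an S3 answer that the bucket has no public access block (or no bucket policy) looks like a failed check rather than a finding about the bucket's exposure. They also call `print` instead of `click.echo(..., err=True)`, which puts the error text on stdout between the JSON documents, and the command appears to exit 0 even when all three calls fail. Catching `botocore.exceptions.ClientError` and branching on `ex.response["Error"]["Code"]` would separate "not configured" from access-denied or credential errors, and moving the output into `else:` keeps a `json.dumps` failure from being reported as an S3 error; this assumes `botocore` is already imported in cli.py, which the hunk does not show. The sketch below covers the public access block check; the policy-status block would get the same treatment with its own error code. Separately, `without_response_metadata` has no docstring; one line saying it returns a copy of the boto3 response without the `ResponseMetadata` key would do.

```python
    # … unchanged: ACL and policy-status checks …

    try:
        bucket_public_access_block = s3.get_public_access_block(Bucket=bucket)
    except botocore.exceptions.ClientError as ex:
        code = ex.response["Error"]["Code"]
        if code == "NoSuchPublicAccessBlockConfiguration":
            # Not a failed check: the bucket has no bucket-level block configured
            click.echo("Bucket public access block: none configured")
        else:
            click.echo(f"Error checking bucket public access block: {ex}", err=True)
    else:
        click.echo("Bucket public access block:")
        click.echo(
            json.dumps(without_response_metadata(bucket_public_access_block), indent=4)
        )
```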