gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: Use policy_engine wildcard matcher for complete IAM compatibility

Browse Source 
Replace the custom suffix-only wildcard implementation in matchesActionPattern
and matchesPrincipal with the policy_engine.MatchesWildcard function from
PR #8052. This enables full wildcard support including:

- Middle wildcards: s3tables:Get*Table matches GetTable
- Question mark wildcards: Get? matches any single character
- Combined patterns: s3tables:*Table* matches any action containing 'Table'

Benefits:
- Code reuse: eliminates duplicate wildcard logic
- Complete IAM compatibility: supports all AWS wildcard patterns
- Performance: uses efficient O(n) backtracking algorithm
- Consistency: same wildcard behavior across S3 API and S3 Tables

Add comprehensive unit tests covering exact matches, suffix wildcards,
middle wildcards, question marks, and combined patterns for both action
and principal matching.
This commit is contained in:
Chris Lu
2026-01-28 16:37:31 -08:00
parent dbf6465b0e
commit 3e8d2a0a71
2 changed files with 106 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
weed/s3api/s3tables/permissions.go
View File

@@ -2,7 +2,8 @@ package s3tables
import (
"encoding/json"
"strings"
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
)
// Permission represents a specific action permission
@@ -80,7 +81,11 @@ func matchesPrincipal(principalSpec interface{}, principal string) bool {
switch p := principalSpec.(type) {
case string:
// Direct string match or wildcard
return p == "*" || p == principal
if p == "*" || p == principal {
return true
}
// Support wildcard matching for principals (e.g., "arn:aws:iam::*:user/admin")
return policy_engine.MatchesWildcard(p, principal)
case []interface{}:
// Array of principals
for _, item := range p {
@@ -88,6 +93,10 @@ func matchesPrincipal(principalSpec interface{}, principal string) bool {
if str == "*" || str == principal {
return true
}
// Support wildcard matching
if policy_engine.MatchesWildcard(str, principal) {
return true
}
}
}
case map[string]interface{}:
@@ -126,6 +135,8 @@ func matchesAction(actionSpec interface{}, action string) bool {
}
// matchesActionPattern checks if an action matches a pattern (supports wildcards)
// This uses the policy_engine.MatchesWildcard function for full wildcard support,
// including middle wildcards (e.g., "s3tables:Get*Table") for complete IAM compatibility.
func matchesActionPattern(pattern, action string) bool {
if pattern == "*" {
return true
@@ -136,13 +147,9 @@ func matchesActionPattern(pattern, action string) bool {
return true
}
// Wildcard match (e.g., "s3tables:*" matches "s3tables:GetTable")
if strings.HasSuffix(pattern, "*") {
prefix := strings.TrimSuffix(pattern, "*")
return strings.HasPrefix(action, prefix)
}
return false
// Wildcard match using policy engine's wildcard matcher
// Supports both * (any sequence) and ? (single character) anywhere in the pattern
return policy_engine.MatchesWildcard(pattern, action)
}
// Helper functions for specific permissions