s3tables: Consolidate getPrincipalFromRequest and getAccountID into single method
Both methods had identical implementations - they return the account ID from request header or fall back to handler's default. Remove the duplicate getPrincipalFromRequest and use getAccountID throughout, with updated comment explaining its dual role as both caller identity and principal for permission checks.
@@ -157,19 +157,9 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request,
|
|||||||
|
|
||||||
// Principal/authorization helpers
|
// Principal/authorization helpers
|
||||||
|
|
||||||
func (h *S3TablesHandler) getPrincipalFromRequest(r *http.Request) string {
|
// getAccountID returns the authenticated account ID from the request or the handler's default.
|
||||||
// Prefer the authenticated account ID from the request header. This is the same
|
// This is also used as the principal for permission checks, ensuring alignment between
|
||||||
// identifier used as the "owner" in permission checks, so keeping them aligned
|
// the caller identity and ownership verification when IAM is enabled.
|
||||||
// avoids mismatches (e.g. username vs. account ID) when IAM is enabled.
|
|
||||||
if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {
|
|
||||||
return accountID
|
|
||||||
}
|
|
||||||
|
|
||||||
// Default to handler's configured account ID
|
|
||||||
return h.accountID
|
|
||||||
}
|
|
||||||
|
|
||||||
// getAccountID returns the authenticated account ID from the request or the handler's default
|
|
||||||
func (h *S3TablesHandler) getAccountID(r *http.Request) string {
|
func (h *S3TablesHandler) getAccountID(r *http.Request) string {
|
||||||
if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {
|
if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {
|
||||||
return accountID
|
return accountID
|
||||||
|
|||||||
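Review bot: getAccountID is now documented as the principal for permission checks, but it takes that identity directly from the `s3_constants.AmzAccountId` request header, and nothing in this hunk shows that only the authentication layer can set the header. If a client-supplied value can reach the handler unchanged, the caller effectively names its own principal, so the doc comment should state the invariant, for example `// The header is trusted: the auth layer must overwrite or strip any client-supplied value before HandleRequest runs.` The removed duplicate fell back to `h.accountID` when the header was empty, and the description says getAccountID does the same, so a request with no header would presumably be authorized as the handler's default account. It is worth confirming that this is intended for unauthenticated requests when IAM is enabled. The body of getAccountID continues past the end of the hunk, so the fallback is inferred from the removed lines rather than seen on the new side.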