gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add session policy support to IAM (#8338)

Browse Source 
* Add session policy support to IAM

- Implement policy evaluation for session tokens in policy_engine.go
- Add session_policy field to session claims for tracking applied policies
- Update STS service to include session policies in token generation
- Add IAM integration tests for session policy validation
- Update IAM manager to support policy attachment to sessions
- Extend S3 API STS endpoint to handle session policy restrictions

* fix: optimize session policy evaluation and add documentation

* sts: add NormalizeSessionPolicy helper for inline session policies

* sts: support inline session policies for AssumeRoleWithWebIdentity and credential-based flows

* s3api: parse and normalize Policy parameter for STS HTTP handlers

* tests: add session policy unit tests and integration tests for inline policy downscoping

* tests: add s3tables STS inline policy integration

* iam: handle user principals and validate tokens

* sts: enforce inline session policy size limit

* tests: harden s3tables STS integration config

* iam: clarify principal policy resolution errors

* tests: improve STS integration endpoint selection
This commit is contained in:
Chris Lu
2026-02-13 13:58:22 -08:00
committed by GitHub
parent beeb375a88
commit 49a64f50f1
12 changed files with 682 additions and 275 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
weed/iam/sts/session_policy.go Normal file
View File

@@ -0,0 +1,35 @@
package sts
import (
"encoding/json"
"fmt"
"strings"
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
)
// NormalizeSessionPolicy validates and normalizes inline session policy JSON.
// It returns an empty string if the input is empty or whitespace.
func NormalizeSessionPolicy(policyJSON string) (string, error) {
trimmed := strings.TrimSpace(policyJSON)
if trimmed == "" {
return "", nil
}
const maxSessionPolicySize = 2048
if len(trimmed) > maxSessionPolicySize {
return "", fmt.Errorf("session policy exceeds maximum size of %d characters", maxSessionPolicySize)
}
var policyDoc policy.PolicyDocument
if err := json.Unmarshal([]byte(trimmed), &policyDoc); err != nil {
return "", fmt.Errorf("invalid session policy JSON: %w", err)
}
if err := policy.ValidatePolicyDocument(&policyDoc); err != nil {
return "", fmt.Errorf("invalid session policy document: %w", err)
}
normalized, err := json.Marshal(&policyDoc)
if err != nil {
return "", fmt.Errorf("failed to normalize session policy: %w", err)
}
return string(normalized), nil
}