S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
2025-11-12 22:14:50 -08:00
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
--- a/weed/iam/sts/cross_instance_token_test.go
+++ b/weed/iam/sts/cross_instance_token_test.go
@@ -153,7 +153,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
 		mockToken := createMockJWT(t, "http://test-mock:9999", "test-user")

 		assumeRequest := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/CrossInstanceTestRole",
+			RoleArn:          "arn:aws:iam::role/CrossInstanceTestRole",
 			WebIdentityToken: mockToken, // JWT token for mock provider
 			RoleSessionName:  "cross-instance-test-session",
 			DurationSeconds:  int64ToPtr(3600),
@@ -198,7 +198,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {
 		mockToken := createMockJWT(t, "http://test-mock:9999", "test-user")

 		assumeRequest := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/RevocationTestRole",
+			RoleArn:          "arn:aws:iam::role/RevocationTestRole",
 			WebIdentityToken: mockToken,
 			RoleSessionName:  "revocation-test-session",
 		}
@@ -240,7 +240,7 @@ func TestCrossInstanceTokenUsage(t *testing.T) {

 		// Try to assume role with same token on different instances
 		assumeRequest := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/ProviderTestRole",
+			RoleArn:          "arn:aws:iam::role/ProviderTestRole",
 			WebIdentityToken: testToken,
 			RoleSessionName:  "provider-consistency-test",
 		}
@@ -452,7 +452,7 @@ func TestSTSRealWorldDistributedScenarios(t *testing.T) {
 		mockToken := createMockJWT(t, "http://test-mock:9999", "production-user")

 		assumeRequest := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/ProductionS3User",
+			RoleArn:          "arn:aws:iam::role/ProductionS3User",
 			WebIdentityToken: mockToken, // JWT token from mock provider
 			RoleSessionName:  "user-production-session",
 			DurationSeconds:  int64ToPtr(7200), // 2 hours
@@ -470,7 +470,7 @@ func TestSTSRealWorldDistributedScenarios(t *testing.T) {
 		sessionInfo2, err := gateway2.ValidateSessionToken(ctx, sessionToken)
 		require.NoError(t, err, "Gateway 2 should validate session from Gateway 1")
 		assert.Equal(t, "user-production-session", sessionInfo2.SessionName)
-		assert.Equal(t, "arn:seaweed:iam::role/ProductionS3User", sessionInfo2.RoleArn)
+		assert.Equal(t, "arn:aws:iam::role/ProductionS3User", sessionInfo2.RoleArn)

 		// Simulate S3 request validation on Gateway 3
 		sessionInfo3, err := gateway3.ValidateSessionToken(ctx, sessionToken)
--- a/weed/iam/sts/session_policy_test.go
+++ b/weed/iam/sts/session_policy_test.go
@@ -47,7 +47,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
 		testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: testToken,
 			RoleSessionName:  "test-session",
 			DurationSeconds:  nil,            // Use default
@@ -69,7 +69,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
 		testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: testToken,
 			RoleSessionName:  "test-session",
 			DurationSeconds:  nil, // Use default
@@ -93,7 +93,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
 		testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: testToken,
 			RoleSessionName:  "test-session",
 			Policy:           nil, // ← Explicitly nil
@@ -113,7 +113,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy(t *testing.T) {
 		emptyPolicy := "" // Empty string, but still a non-nil pointer

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
 			RoleSessionName:  "test-session",
 			Policy:           &emptyPolicy, // ← Non-nil pointer to empty string
@@ -160,7 +160,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_ErrorMessage(t *testing.T) {
 	testToken := createSessionPolicyTestJWT(t, "test-issuer", "test-user")

 	request := &AssumeRoleWithWebIdentityRequest{
-		RoleArn:          "arn:seaweed:iam::role/TestRole",
+		RoleArn:          "arn:aws:iam::role/TestRole",
 		WebIdentityToken: testToken,
 		RoleSessionName:  "test-session-with-complex-policy",
 		Policy:           &complexPolicy,
@@ -196,7 +196,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_EdgeCases(t *testing.T) {
 		malformedPolicy := `{"Version": "2012-10-17", "Statement": [` // Incomplete JSON

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
 			RoleSessionName:  "test-session",
 			Policy:           &malformedPolicy,
@@ -215,7 +215,7 @@ func TestAssumeRoleWithWebIdentity_SessionPolicy_EdgeCases(t *testing.T) {
 		whitespacePolicy := "   \t\n   " // Only whitespace

 		request := &AssumeRoleWithWebIdentityRequest{
-			RoleArn:          "arn:seaweed:iam::role/TestRole",
+			RoleArn:          "arn:aws:iam::role/TestRole",
 			WebIdentityToken: createSessionPolicyTestJWT(t, "test-issuer", "test-user"),
 			RoleSessionName:  "test-session",
 			Policy:           &whitespacePolicy,
@@ -260,7 +260,7 @@ func TestAssumeRoleWithCredentials_NoSessionPolicySupport(t *testing.T) {
 	// This is the expected behavior since session policies are typically only
 	// supported with web identity (OIDC/SAML) flows in AWS STS
 	request := &AssumeRoleWithCredentialsRequest{
-		RoleArn:         "arn:seaweed:iam::role/TestRole",
+		RoleArn:         "arn:aws:iam::role/TestRole",
 		Username:        "testuser",
 		Password:        "testpass",
 		RoleSessionName: "test-session",
@@ -269,7 +269,7 @@ func TestAssumeRoleWithCredentials_NoSessionPolicySupport(t *testing.T) {

 	// The struct should compile and work without a Policy field
 	assert.NotNil(t, request)
-	assert.Equal(t, "arn:seaweed:iam::role/TestRole", request.RoleArn)
+	assert.Equal(t, "arn:aws:iam::role/TestRole", request.RoleArn)
 	assert.Equal(t, "testuser", request.Username)

 	// This documents that credential-based assume role does NOT support session policies
--- a/weed/iam/sts/sts_service.go
+++ b/weed/iam/sts/sts_service.go
@@ -683,7 +683,7 @@ func (s *STSService) validateRoleAssumptionForWebIdentity(ctx context.Context, r
 	}

 	// Basic role ARN format validation
-	expectedPrefix := "arn:seaweed:iam::role/"
+	expectedPrefix := "arn:aws:iam::role/"
 	if len(roleArn) < len(expectedPrefix) || roleArn[:len(expectedPrefix)] != expectedPrefix {
 		return fmt.Errorf("invalid role ARN format: got %s, expected format: %s*", roleArn, expectedPrefix)
 	}
@@ -720,7 +720,7 @@ func (s *STSService) validateRoleAssumptionForCredentials(ctx context.Context, r
 	}

 	// Basic role ARN format validation
-	expectedPrefix := "arn:seaweed:iam::role/"
+	expectedPrefix := "arn:aws:iam::role/"
 	if len(roleArn) < len(expectedPrefix) || roleArn[:len(expectedPrefix)] != expectedPrefix {
 		return fmt.Errorf("invalid role ARN format: got %s, expected format: %s*", roleArn, expectedPrefix)
 	}
--- a/weed/iam/sts/sts_service_test.go
+++ b/weed/iam/sts/sts_service_test.go
@@ -95,7 +95,7 @@ func TestAssumeRoleWithWebIdentity(t *testing.T) {
 	}{
 		{
 			name:             "successful role assumption",
-			roleArn:          "arn:seaweed:iam::role/TestRole",
+			roleArn:          "arn:aws:iam::role/TestRole",
 			webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user-id"),
 			sessionName:      "test-session",
 			durationSeconds:  nil, // Use default
@@ -104,21 +104,21 @@ func TestAssumeRoleWithWebIdentity(t *testing.T) {
 		},
 		{
 			name:             "invalid web identity token",
-			roleArn:          "arn:seaweed:iam::role/TestRole",
+			roleArn:          "arn:aws:iam::role/TestRole",
 			webIdentityToken: "invalid-token",
 			sessionName:      "test-session",
 			wantErr:          true,
 		},
 		{
 			name:             "non-existent role",
-			roleArn:          "arn:seaweed:iam::role/NonExistentRole",
+			roleArn:          "arn:aws:iam::role/NonExistentRole",
 			webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
 			sessionName:      "test-session",
 			wantErr:          true,
 		},
 		{
 			name:             "custom session duration",
-			roleArn:          "arn:seaweed:iam::role/TestRole",
+			roleArn:          "arn:aws:iam::role/TestRole",
 			webIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
 			sessionName:      "test-session",
 			durationSeconds:  int64Ptr(7200), // 2 hours
@@ -182,7 +182,7 @@ func TestAssumeRoleWithLDAP(t *testing.T) {
 	}{
 		{
 			name:        "successful LDAP role assumption",
-			roleArn:     "arn:seaweed:iam::role/LDAPRole",
+			roleArn:     "arn:aws:iam::role/LDAPRole",
 			username:    "testuser",
 			password:    "testpass",
 			sessionName: "ldap-session",
@@ -190,7 +190,7 @@ func TestAssumeRoleWithLDAP(t *testing.T) {
 		},
 		{
 			name:        "invalid LDAP credentials",
-			roleArn:     "arn:seaweed:iam::role/LDAPRole",
+			roleArn:     "arn:aws:iam::role/LDAPRole",
 			username:    "testuser",
 			password:    "wrongpass",
 			sessionName: "ldap-session",
@@ -231,7 +231,7 @@ func TestSessionTokenValidation(t *testing.T) {

 	// First, create a session
 	request := &AssumeRoleWithWebIdentityRequest{
-		RoleArn:          "arn:seaweed:iam::role/TestRole",
+		RoleArn:          "arn:aws:iam::role/TestRole",
 		WebIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
 		RoleSessionName:  "test-session",
 	}
@@ -275,7 +275,7 @@ func TestSessionTokenValidation(t *testing.T) {
 				assert.NoError(t, err)
 				assert.NotNil(t, session)
 				assert.Equal(t, "test-session", session.SessionName)
-				assert.Equal(t, "arn:seaweed:iam::role/TestRole", session.RoleArn)
+				assert.Equal(t, "arn:aws:iam::role/TestRole", session.RoleArn)
 			}
 		})
 	}
@@ -289,7 +289,7 @@ func TestSessionTokenPersistence(t *testing.T) {

 	// Create a session first
 	request := &AssumeRoleWithWebIdentityRequest{
-		RoleArn:          "arn:seaweed:iam::role/TestRole",
+		RoleArn:          "arn:aws:iam::role/TestRole",
 		WebIdentityToken: createSTSTestJWT(t, "test-issuer", "test-user"),
 		RoleSessionName:  "test-session",
 	}
--- a/weed/iam/sts/token_utils.go
+++ b/weed/iam/sts/token_utils.go
@@ -207,11 +207,11 @@ func GenerateSessionId() (string, error) {
 // generateAssumedRoleArn generates the ARN for an assumed role user
 func GenerateAssumedRoleArn(roleArn, sessionName string) string {
 	// Convert role ARN to assumed role user ARN
-	// arn:seaweed:iam::role/RoleName -> arn:seaweed:sts::assumed-role/RoleName/SessionName
+	// arn:aws:iam::role/RoleName -> arn:aws:sts::assumed-role/RoleName/SessionName
 	roleName := utils.ExtractRoleNameFromArn(roleArn)
 	if roleName == "" {
 		// This should not happen if validation is done properly upstream
-		return fmt.Sprintf("arn:seaweed:sts::assumed-role/INVALID-ARN/%s", sessionName)
+		return fmt.Sprintf("arn:aws:sts::assumed-role/INVALID-ARN/%s", sessionName)
 	}
-	return fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleName, sessionName)
+	return fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, sessionName)
 }