gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

S3: Enforce bucket policy (#7471)

Browse Source 
* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out
This commit is contained in:
Chris Lu
2025-11-12 22:14:50 -08:00
committed by GitHub
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
weed/s3api/policy_engine/engine.go
View File

@@ -109,7 +109,7 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
// AWS Policy evaluation logic:
// 1. Check for explicit Deny - if found, return Deny
// 2. Check for explicit Allow - if found, return Allow
// 3. If no explicit Allow is found, return Deny (default deny)
// 3. If no matching statements, return Indeterminate (fall through to IAM)
hasExplicitAllow := false
@@ -128,7 +128,9 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
return PolicyResultAllow
}
return PolicyResultDeny // Default deny
// No matching statements - return Indeterminate to fall through to IAM
// This allows IAM policies to grant access even when bucket policy doesn't mention the action
return PolicyResultIndeterminate
}
// evaluateStatement evaluates a single policy statement

8
weed/s3api/policy_engine/engine_test.go
View File

@@ -76,8 +76,8 @@ func TestPolicyEngine(t *testing.T) {
}
result = engine.EvaluatePolicy("test-bucket", args)
if result != PolicyResultDeny {
t.Errorf("Expected Deny for non-matching action, got %v", result)
if result != PolicyResultIndeterminate {
t.Errorf("Expected Indeterminate for non-matching action (should fall through to IAM), got %v", result)
}
// Test GetBucketPolicy
@@ -471,8 +471,8 @@ func TestPolicyEvaluationWithConditions(t *testing.T) {
// Test non-matching IP
args.Conditions["aws:SourceIp"] = []string{"10.0.0.1"}
result = engine.EvaluatePolicy("test-bucket", args)
if result != PolicyResultDeny {
t.Errorf("Expected Deny for non-matching IP, got %v", result)
if result != PolicyResultIndeterminate {
t.Errorf("Expected Indeterminate for non-matching IP (should fall through to IAM), got %v", result)
}
}