S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
2025-11-12 22:14:50 -08:00
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
--- a/weed/s3api/s3api_bucket_policy_arn_test.go
+++ b/weed/s3api/s3api_bucket_policy_arn_test.go
@@ -0,0 +1,126 @@
+package s3api
+
+import (
+	"testing"
+	
+	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
+)
+
+// TestBuildResourceARN verifies that resource ARNs use the AWS-compatible format
+func TestBuildResourceARN(t *testing.T) {
+	tests := []struct {
+		name     string
+		bucket   string
+		object   string
+		expected string
+	}{
+		{
+			name:     "bucket only",
+			bucket:   "my-bucket",
+			object:   "",
+			expected: "arn:aws:s3:::my-bucket",
+		},
+		{
+			name:     "bucket with slash",
+			bucket:   "my-bucket",
+			object:   "/",
+			expected: "arn:aws:s3:::my-bucket",
+		},
+		{
+			name:     "bucket and object",
+			bucket:   "my-bucket",
+			object:   "path/to/object.txt",
+			expected: "arn:aws:s3:::my-bucket/path/to/object.txt",
+		},
+		{
+			name:     "bucket and object with leading slash",
+			bucket:   "my-bucket",
+			object:   "/path/to/object.txt",
+			expected: "arn:aws:s3:::my-bucket/path/to/object.txt",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := buildResourceARN(tt.bucket, tt.object)
+			if result != tt.expected {
+				t.Errorf("buildResourceARN(%q, %q) = %q, want %q", tt.bucket, tt.object, result, tt.expected)
+			}
+		})
+	}
+}
+
+// TestBuildPrincipalARN verifies that principal ARNs use the AWS-compatible format
+func TestBuildPrincipalARN(t *testing.T) {
+	tests := []struct {
+		name     string
+		identity *Identity
+		expected string
+	}{
+		{
+			name:     "nil identity (anonymous)",
+			identity: nil,
+			expected: "*",
+		},
+		{
+			name: "anonymous user by name",
+			identity: &Identity{
+				Name: s3_constants.AccountAnonymousId,
+				Account: &Account{
+					Id: "123456789012",
+				},
+			},
+			expected: "*",
+		},
+		{
+			name: "anonymous user by account ID",
+			identity: &Identity{
+				Name: "test-user",
+				Account: &Account{
+					Id: s3_constants.AccountAnonymousId,
+				},
+			},
+			expected: "*",
+		},
+		{
+			name: "identity with account and name",
+			identity: &Identity{
+				Name: "test-user",
+				Account: &Account{
+					Id: "123456789012",
+				},
+			},
+			expected: "arn:aws:iam::123456789012:user/test-user",
+		},
+		{
+			name: "identity without account ID",
+			identity: &Identity{
+				Name: "test-user",
+				Account: &Account{
+					Id: "",
+				},
+			},
+			expected: "arn:aws:iam::000000000000:user/test-user",
+		},
+		{
+			name: "identity without name",
+			identity: &Identity{
+				Name: "",
+				Account: &Account{
+					Id: "123456789012",
+				},
+			},
+			expected: "arn:aws:iam::123456789012:user/unknown",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := buildPrincipalARN(tt.identity)
+			if result != tt.expected {
+				t.Errorf("buildPrincipalARN() = %q, want %q", result, tt.expected)
+			}
+		})
+	}
+}
+