gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

S3: Enforce bucket policy (#7471)

Browse Source 
* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out
This commit is contained in:
Chris Lu
2025-11-12 22:14:50 -08:00
committed by GitHub
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
weed/s3api/s3api_server.go
View File

@@ -59,6 +59,7 @@ type S3ApiServer struct {
bucketRegistry *BucketRegistry
credentialManager *credential.CredentialManager
bucketConfigCache *BucketConfigCache
policyEngine *BucketPolicyEngine // Engine for evaluating bucket policies
}
func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
@@ -97,8 +98,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
cb: NewCircuitBreaker(option),
credentialManager: iam.credentialManager,
bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
policyEngine: NewBucketPolicyEngine(), // Initialize bucket policy engine
}
// Link IAM back to server for bucket policy evaluation
iam.s3ApiServer = s3ApiServer
// Initialize advanced IAM system if config is provided
if option.IamConfig != "" {
glog.V(0).Infof("Loading advanced IAM configuration from: %s", option.IamConfig)
@@ -157,6 +162,20 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
return s3ApiServer, nil
}
// syncBucketPolicyToEngine syncs a bucket policy to the policy engine
// This helper method centralizes the logic for loading bucket policies into the engine
// to avoid duplication and ensure consistent error handling
func (s3a *S3ApiServer) syncBucketPolicyToEngine(bucket string, policyDoc *policy.PolicyDocument) {
if policyDoc != nil {
if err := s3a.policyEngine.LoadBucketPolicyFromCache(bucket, policyDoc); err != nil {
glog.Errorf("Failed to sync bucket policy for %s to policy engine: %v", bucket, err)
}
} else {
// No policy - ensure it's removed from engine if it was there
s3a.policyEngine.DeleteBucketPolicy(bucket)
}
}
// classifyDomainNames classifies domains into path-style and virtual-host style domains.
// A domain is considered path-style if:
// 1. It contains a dot (has subdomains)