s3: support s3:x-amz-server-side-encryption policy condition (#8806)
* s3: support s3:x-amz-server-side-encryption policy condition (#7680) - Normalize x-amz-server-side-encryption header values to canonical form (aes256 → AES256, aws:kms mixed-case → aws:kms) so StringEquals conditions work regardless of client capitalisation - Exempt UploadPart and UploadPartCopy from SSE Null conditions: these actions inherit SSE from the initial CreateMultipartUpload request and do not re-send the header, so Deny/Null("true") should not block them - Add sse_condition_test.go covering StringEquals, Null, case-insensitive normalisation, and multipart continuation action exemption * s3: address review comments on SSE condition support - Replace "inherited" sentinel in injectSSEForMultipart with "AES256" so that StringEquals/Null conditions evaluate against a meaningful value; add TODO noting that KMS multipart uploads need the actual algorithm looked up from the upload state - Rewrite TestSSECaseInsensitiveNormalization to drive normalisation through EvaluatePolicyForRequest with a real *http.Request so regressions in the production code path are caught; split into AES256 and aws:kms variants to cover both normalisation branches * s3: plumb real inherited SSE from multipart upload state into policy eval Instead of injecting a static "AES256" sentinel for UploadPart/UploadPartCopy, look up the actual SSE algorithm from the stored CreateMultipartUpload entry and pass it through the evaluation chain. Changes: - PolicyEvaluationArgs gains InheritedSSEAlgorithm string; set by the BucketPolicyEngine wrapper for multipart continuation actions - injectSSEForMultipart(conditions, inheritedSSE) now accepts the real algorithm; empty string means no SSE → Null("true") fires correctly - IsMultipartContinuationAction exported so the s3api wrapper can use it - BucketPolicyEngine gets a MultipartSSELookup callback (set by S3ApiServer) that fetches the upload entry and reads SeaweedFSSSEKMSKeyID / SeaweedFSSSES3Encryption to determine the algorithm - S3ApiServer.getMultipartSSEAlgorithm implements the lookup via getEntry - Tests updated: three multipart cases (AES256, aws:kms, no-SSE-must-deny) plus UploadPartCopy coverage
This commit is contained in:
Chris Lu
@@ -210,7 +210,15 @@ func (engine *PolicyEngine) evaluateStatement(stmt *CompiledStatement, args *Pol
|
||||
|
||||
// Check conditions
|
||||
if len(stmt.Statement.Condition) > 0 {
|
||||
match := EvaluateConditions(stmt.Statement.Condition, args.Conditions, args.ObjectEntry, args.Claims)
|
||||
condCtx := args.Conditions
|
||||
// Multipart continuation actions (UploadPart, UploadPartCopy) inherit SSE
|
||||
// from CreateMultipartUpload and do not carry their own SSE header.
|
||||
// Inject the real inherited algorithm so Null/StringEquals conditions
|
||||
// evaluate against the value that was set at upload initiation.
|
||||
if IsMultipartContinuationAction(args.Action) {
|
||||
condCtx = injectSSEForMultipart(args.Conditions, args.InheritedSSEAlgorithm)
|
||||
}
|
||||
match := EvaluateConditions(stmt.Statement.Condition, condCtx, args.ObjectEntry, args.Claims)
|
||||
if !match {
|
||||
return false
|
||||
}
|
||||
@@ -435,9 +443,62 @@ func ExtractConditionValuesFromRequest(r *http.Request) map[string][]string {
|
||||
}
|
||||
}
|
||||
|
||||
// Normalize s3:x-amz-server-side-encryption value to canonical form.
|
||||
// AWS accepts "AES256" case-insensitively; normalise so that policy
|
||||
// StringEquals conditions work regardless of client capitalisation.
|
||||
const sseKey = "s3:x-amz-server-side-encryption"
|
||||
if sseVals, ok := values[sseKey]; ok {
|
||||
normalized := make([]string, len(sseVals))
|
||||
for i, v := range sseVals {
|
||||
switch strings.ToUpper(v) {
|
||||
case "AES256":
|
||||
normalized[i] = "AES256"
|
||||
case "AWS:KMS":
|
||||
normalized[i] = "aws:kms"
|
||||
default:
|
||||
normalized[i] = v
|
||||
}
|
||||
}
|
||||
values[sseKey] = normalized
|
||||
}
|
||||
|
||||
return values
|
||||
}
|
||||
|
||||
// IsMultipartContinuationAction returns true for actions that do not carry
|
||||
// their own SSE header because SSE is inherited from CreateMultipartUpload.
|
||||
func IsMultipartContinuationAction(action string) bool {
|
||||
return action == "s3:UploadPart" || action == "s3:UploadPartCopy"
|
||||
}
|
||||
|
||||
// injectSSEForMultipart returns a condition context augmented with the
|
||||
// inherited SSE algorithm for multipart continuation actions.
|
||||
//
|
||||
// UploadPart and UploadPartCopy do not re-send the SSE header because
|
||||
// encryption is set once at CreateMultipartUpload. The caller supplies
|
||||
// inheritedSSE (the canonical algorithm, e.g. "AES256" or "aws:kms") so
|
||||
// that Null/StringEquals conditions on s3:x-amz-server-side-encryption
|
||||
// evaluate against the real value.
|
||||
//
|
||||
// If inheritedSSE is empty (no SSE was requested at initiation), the
|
||||
// conditions map is returned unchanged so Null("true") will correctly
|
||||
// match and deny the request.
|
||||
func injectSSEForMultipart(conditions map[string][]string, inheritedSSE string) map[string][]string {
|
||||
const sseKey = "s3:x-amz-server-side-encryption"
|
||||
if inheritedSSE == "" {
|
||||
return conditions // no SSE at upload initiation; let Null("true") fire
|
||||
}
|
||||
if _, exists := conditions[sseKey]; exists {
|
||||
return conditions // SSE header was actually sent on this request
|
||||
}
|
||||
modified := make(map[string][]string, len(conditions)+1)
|
||||
for k, v := range conditions {
|
||||
modified[k] = v
|
||||
}
|
||||
modified[sseKey] = []string{inheritedSSE}
|
||||
return modified
|
||||
}
|
||||
|
||||
// extractSourceIP returns the best-effort client IP address for condition evaluation.
|
||||
// Preference order: X-Forwarded-For (first valid IP), X-Real-Ip, then RemoteAddr.
|
||||
// IMPORTANT: X-Forwarded-For and X-Real-Ip are trusted without validation.
|
||||
|
||||
Reference in New Issue
Block a user