s3api/policy_engine: use forwarded client IP for aws:SourceIp (#8304)

* s3api: honor forwarded source IP for policy conditions Prefer X-Forwarded-For/X-Real-Ip before RemoteAddr when populating aws:SourceIp in policy condition evaluation. Also avoid noisy parsing behavior for unix socket markers and add coverage for precedence/fallback paths.\n\nFixes #8301. * s3api: simplify remote addr parsing * s3api: guard aws:SourceIp against DNS hosts * s3api: simplify remote addr fallback * s3api: simplify remote addr parsing * Update weed/s3api/policy_engine/engine.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Fix TestExtractConditionValuesFromRequestSourceIPPrecedence using trusted private IP * Refactor extractSourceIP to use R-to-L XFF parsing and net.IP.IsPrivate --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-11 12:47:03 -08:00
parent 7151181d54
commit 8b5d31e5eb
2 changed files with 179 additions and 9 deletions
--- a/weed/s3api/policy_engine/engine.go
+++ b/weed/s3api/policy_engine/engine.go
@@ -381,15 +381,7 @@ func ExtractConditionValuesFromRequest(r *http.Request) map[string][]string {
 	values := make(map[string][]string)

 	// AWS condition keys
-	// Extract IP address without port for proper IP matching
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		// Log a warning if splitting fails
-		glog.Warningf("Failed to parse IP address from RemoteAddr %q: %v", r.RemoteAddr, err)
-		// If splitting fails, use the original RemoteAddr (might be just IP without port)
-		host = r.RemoteAddr
-	}
-	values["aws:SourceIp"] = []string{host}
+	values["aws:SourceIp"] = []string{extractSourceIP(r)}
 	values["aws:SecureTransport"] = []string{fmt.Sprintf("%t", r.TLS != nil)}
 	// Use AWS standard condition key for current time
 	values["aws:CurrentTime"] = []string{time.Now().Format(time.RFC3339)}
@@ -445,6 +437,101 @@ func ExtractConditionValuesFromRequest(r *http.Request) map[string][]string {
 	return values
 }

+// extractSourceIP returns the best-effort client IP address for condition evaluation.
+// Preference order: X-Forwarded-For (first valid IP), X-Real-Ip, then RemoteAddr.
+// IMPORTANT: X-Forwarded-For and X-Real-Ip are trusted without validation.
+// When the service is exposed directly, clients can spoof aws:SourceIp unless a
+// reverse proxy overwrites these headers.
+
+// isPrivateIP returns true if the given IP is considered a "trusted proxy"
+// address, such as loopback, link-local, or RFC1918 private ranges.
+// isPrivateIP returns true if the given IP is considered a "trusted proxy"
+// address, such as loopback, link-local, or private ranges.
+func isPrivateIP(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate()
+}
+
+func extractSourceIP(r *http.Request) string {
+	if r == nil {
+		return ""
+	}
+
+	remoteAddr := strings.TrimSpace(r.RemoteAddr)
+	if remoteAddr == "" {
+		return ""
+	}
+
+	// Fall back to unix socket markers or other non-IP placeholders.
+	if remoteAddr == "@" {
+		return remoteAddr
+	}
+
+	host := remoteAddr
+	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
+		host = h
+	}
+
+	remoteIP := net.ParseIP(host)
+	if remoteIP == nil {
+		// Do not return DNS names or unparseable values.
+		return ""
+	}
+
+	// Only trust forwarding headers when the connection appears to come from
+	// a trusted proxy (e.g., private/loopback address).
+	if isPrivateIP(remoteIP) {
+		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+			// Iterate right-to-left to find the first non-trusted (public) IP
+			entries := strings.Split(xff, ",")
+			for i := len(entries) - 1; i >= 0; i-- {
+				candidate := strings.TrimSpace(entries[i])
+				if candidate == "" {
+					continue
+				}
+
+				ip := net.ParseIP(candidate)
+				if ip == nil {
+					continue
+				}
+
+				// If the IP is trusted/private, we treat it as another proxy in the chain and continue
+				if isPrivateIP(ip) {
+					continue
+				}
+
+				// Found a public/non-trusted IP, return it as the client IP
+				return ip.String()
+			}
+
+			// If we exhausted the list (all were private/trusted) or found no valid IPs,
+			// fallback related logic could go here.
+			// For now, if all are private, we continue to check X-Real-Ip or return RemoteIP?
+			// The prompt implies we should prefer the extracted IP.
+			// If all in XFF are private, likely the original client IS private (internal network).
+			// The best guess for "original client" in a fully trusted chain is the left-most valid IP.
+			for _, candidate := range entries {
+				candidate = strings.TrimSpace(candidate)
+				if ip := net.ParseIP(candidate); ip != nil {
+					return ip.String()
+				}
+			}
+		}
+
+		if xRealIP := strings.TrimSpace(r.Header.Get("X-Real-Ip")); xRealIP != "" {
+			if ip := net.ParseIP(xRealIP); ip != nil {
+				return ip.String()
+			}
+		}
+	}
+
+	// Default to the actual peer IP when no trusted proxy is detected or the
+	// forwarding headers are absent/invalid.
+	return remoteIP.String()
+}
+
 // BuildResourceArn builds an ARN for the given bucket and object
 func BuildResourceArn(bucketName, objectName string) string {
 	if objectName == "" {
--- a/weed/s3api/policy_engine/engine_test.go
+++ b/weed/s3api/policy_engine/engine_test.go
@@ -458,6 +458,89 @@ func TestExtractConditionValuesFromRequest(t *testing.T) {
 	}
 }

+func TestExtractConditionValuesFromRequestSourceIPPrecedence(t *testing.T) {
+	tests := []struct {
+		name       string
+		header     map[string][]string
+		remoteAddr string
+		expectedIP string
+	}{
+		{
+			name: "uses right-most public X-Forwarded-For entry",
+			header: map[string][]string{
+				"X-Forwarded-For": {"bad-ip, 203.0.113.10, 198.51.100.5"},
+			},
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "198.51.100.5",
+		},
+		{
+			name: "falls back to X-Real-Ip when X-Forwarded-For has no valid ip",
+			header: map[string][]string{
+				"X-Forwarded-For": {"bad-ip"},
+				"X-Real-Ip":       {"198.51.100.7"},
+			},
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "198.51.100.7",
+		},
+		{
+			name:       "uses RemoteAddr ip when no forwarding headers",
+			header:     map[string][]string{},
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "192.168.1.100",
+		},
+		{
+			name:       "keeps unix socket marker when RemoteAddr is not an ip",
+			header:     map[string][]string{},
+			remoteAddr: "@",
+			expectedIP: "@",
+		},
+		{
+			name: "uses IPv6 X-Forwarded-For entry",
+			header: map[string][]string{
+				"X-Forwarded-For": {"2001:db8::8, 198.51.100.7"},
+			},
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "198.51.100.7",
+		},
+		{
+			name: "ignores spoofed IP when real client is public",
+			header: map[string][]string{
+				"X-Forwarded-For": {"8.8.8.8, 203.0.113.10, 10.0.0.1"},
+			},
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "203.0.113.10",
+		},
+		{
+			name:       "handles bracketed IPv6 remote address",
+			header:     map[string][]string{},
+			remoteAddr: "[2001:db8::1]:12345",
+			expectedIP: "2001:db8::1",
+		},
+		{
+			name:       "avoids returning DNS host names",
+			header:     map[string][]string{},
+			remoteAddr: "example.com:9000",
+			expectedIP: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := &http.Request{
+				Method:     "GET",
+				URL:        &url.URL{Path: "/"},
+				Header:     tt.header,
+				RemoteAddr: tt.remoteAddr,
+			}
+
+			values := ExtractConditionValuesFromRequest(req)
+			if len(values["aws:SourceIp"]) != 1 || values["aws:SourceIp"][0] != tt.expectedIP {
+				t.Errorf("Expected SourceIp %q, got %v", tt.expectedIP, values["aws:SourceIp"])
+			}
+		})
+	}
+}
+
 func TestPolicyEvaluationWithConditions(t *testing.T) {
 	engine := NewPolicyEngine()