s3: enable auth when IAM integration is configured (#7726)

When only IAM integration is configured (via -s3.iam.config) without
traditional S3 identities, the isAuthEnabled flag was not being set,
causing the Auth middleware to bypass all authentication checks.

This fix ensures that when SetIAMIntegration is called with a non-nil
integration, isAuthEnabled is set to true, properly enforcing
authentication for all requests.

Added negative authentication tests:
- TestS3AuthenticationDenied: tests rejection of unauthenticated,
  invalid, and expired JWT requests
- TestS3IAMOnlyModeRejectsAnonymous: tests that IAM-only mode
  properly rejects anonymous requests

Fixes #7724
Chris Lu
2025-12-12 13:37:31 -08:00
committed by GitHub
parent e8b7347031
commit b0e0c5aaab
2 changed files with 158 additions and 0 deletions


@@ -771,6 +771,11 @@ func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegra
iam.m.Lock()
defer iam.m.Unlock()
iam.iamIntegration = integration
// When IAM integration is configured, authentication must be enabled
// to ensure requests go through proper auth checks
if integration != nil {
iam.isAuthEnabled = true
}
}
// authenticateJWTWithIAM authenticates JWT tokens using the IAM integration
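Review bot: the new `if integration != nil` branch in SetIAMIntegration only ever raises isAuthEnabled, so the flag is correct only as long as nothing assigns it afterwards; this hunk does not show whether another writer of isAuthEnabled can set it back to false while iam.iamIntegration is still non-nil. Consider deriving the value in one place (a helper that returns true when iam.iamIntegration != nil or S3 identities are configured) or re-asserting it wherever the flag is recomputed. Please also extend the comment to say that passing nil deliberately leaves isAuthEnabled unchanged, so that clearing the integration fails closed instead of silently disabling authentication.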