s3api: fix static IAM policy enforcement after reload (#8532)

* s3api: honor attached IAM policies over legacy actions * s3api: hydrate IAM policy docs during config reload * s3api: use policy-aware auth when listing buckets * credential: propagate context through filer_etc policy reads * credential: make legacy policy deletes durable * s3api: exercise managed policy runtime loader * s3api: allow static IAM users without session tokens * iam: deny unmatched attached policies under default allow * iam: load embedded policy files from filer store * s3api: require session tokens for IAM presigning * s3api: sync runtime policies into zero-config IAM * credential: respect context in policy file loads * credential: serialize legacy policy deletes * iam: align filer policy store naming * s3api: use authenticated principals for presigning * iam: deep copy policy conditions * s3api: require request creation in policy tests * filer: keep ReadInsideFiler as the context-aware API * iam: harden filer policy store writes * credential: strengthen legacy policy serialization test * credential: forward runtime policy loaders through wrapper * s3api: harden runtime policy merging * iam: require typed already-exists errors
2026-03-06 12:35:08 -08:00
parent 338be16254
commit f9311a3422
30 changed files with 1903 additions and 168 deletions
--- a/weed/credential/filer_etc/filer_etc_policy_test.go
+++ b/weed/credential/filer_etc/filer_etc_policy_test.go
@@ -0,0 +1,369 @@
+package filer_etc
+
+import (
+	"context"
+	"net"
+	"sort"
+	"strconv"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/seaweedfs/seaweedfs/weed/filer"
+	"github.com/seaweedfs/seaweedfs/weed/pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
+	"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
+	"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/proto"
+)
+
+type policyTestFilerServer struct {
+	filer_pb.UnimplementedSeaweedFilerServer
+	mu                   sync.RWMutex
+	entries              map[string]*filer_pb.Entry
+	contentlessListEntry map[string]struct{}
+	beforeLookup         func(context.Context, string, string) error
+	afterListEntry       func(string, string)
+	beforeDelete         func(string, string) error
+	beforeUpdate         func(string, string) error
+}
+
+func newPolicyTestFilerServer() *policyTestFilerServer {
+	return &policyTestFilerServer{
+		entries:              make(map[string]*filer_pb.Entry),
+		contentlessListEntry: make(map[string]struct{}),
+	}
+}
+
+func (s *policyTestFilerServer) LookupDirectoryEntry(ctx context.Context, req *filer_pb.LookupDirectoryEntryRequest) (*filer_pb.LookupDirectoryEntryResponse, error) {
+	s.mu.RLock()
+	beforeLookup := s.beforeLookup
+	s.mu.RUnlock()
+	if beforeLookup != nil {
+		if err := beforeLookup(ctx, req.Directory, req.Name); err != nil {
+			return nil, err
+		}
+	}
+
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	entry, found := s.entries[filerEntryKey(req.Directory, req.Name)]
+	if !found {
+		return nil, status.Error(codes.NotFound, filer_pb.ErrNotFound.Error())
+	}
+
+	return &filer_pb.LookupDirectoryEntryResponse{Entry: cloneEntry(entry)}, nil
+}
+
+func (s *policyTestFilerServer) ListEntries(req *filer_pb.ListEntriesRequest, stream grpc.ServerStreamingServer[filer_pb.ListEntriesResponse]) error {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	names := make([]string, 0)
+	for key := range s.entries {
+		dir, name := splitFilerEntryKey(key)
+		if dir != req.Directory {
+			continue
+		}
+		names = append(names, name)
+	}
+	sort.Strings(names)
+
+	for _, name := range names {
+		entry := cloneEntry(s.entries[filerEntryKey(req.Directory, name)])
+		if _, found := s.contentlessListEntry[filerEntryKey(req.Directory, name)]; found {
+			entry.Content = nil
+		}
+		if err := stream.Send(&filer_pb.ListEntriesResponse{Entry: entry}); err != nil {
+			return err
+		}
+		if s.afterListEntry != nil {
+			s.afterListEntry(req.Directory, name)
+		}
+	}
+
+	return nil
+}
+
+func (s *policyTestFilerServer) CreateEntry(_ context.Context, req *filer_pb.CreateEntryRequest) (*filer_pb.CreateEntryResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.entries[filerEntryKey(req.Directory, req.Entry.Name)] = cloneEntry(req.Entry)
+	return &filer_pb.CreateEntryResponse{}, nil
+}
+
+func (s *policyTestFilerServer) UpdateEntry(_ context.Context, req *filer_pb.UpdateEntryRequest) (*filer_pb.UpdateEntryResponse, error) {
+	s.mu.RLock()
+	beforeUpdate := s.beforeUpdate
+	s.mu.RUnlock()
+	if beforeUpdate != nil {
+		if err := beforeUpdate(req.Directory, req.Entry.Name); err != nil {
+			return nil, err
+		}
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.entries[filerEntryKey(req.Directory, req.Entry.Name)] = cloneEntry(req.Entry)
+	return &filer_pb.UpdateEntryResponse{}, nil
+}
+
+func (s *policyTestFilerServer) DeleteEntry(_ context.Context, req *filer_pb.DeleteEntryRequest) (*filer_pb.DeleteEntryResponse, error) {
+	s.mu.RLock()
+	beforeDelete := s.beforeDelete
+	s.mu.RUnlock()
+	if beforeDelete != nil {
+		if err := beforeDelete(req.Directory, req.Name); err != nil {
+			return nil, err
+		}
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	key := filerEntryKey(req.Directory, req.Name)
+	if _, found := s.entries[key]; !found {
+		return nil, status.Error(codes.NotFound, filer_pb.ErrNotFound.Error())
+	}
+
+	delete(s.entries, key)
+	return &filer_pb.DeleteEntryResponse{}, nil
+}
+
+func newPolicyTestStore(t *testing.T) *FilerEtcStore {
+	store, _ := newPolicyTestStoreWithServer(t)
+	return store
+}
+
+func newPolicyTestStoreWithServer(t *testing.T) (*FilerEtcStore, *policyTestFilerServer) {
+	t.Helper()
+
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	server := newPolicyTestFilerServer()
+	grpcServer := pb.NewGrpcServer()
+	filer_pb.RegisterSeaweedFilerServer(grpcServer, server)
+	go func() {
+		_ = grpcServer.Serve(lis)
+	}()
+
+	t.Cleanup(func() {
+		grpcServer.Stop()
+		_ = lis.Close()
+	})
+
+	store := &FilerEtcStore{}
+	host, portString, err := net.SplitHostPort(lis.Addr().String())
+	require.NoError(t, err)
+	grpcPort, err := strconv.Atoi(portString)
+	require.NoError(t, err)
+	store.SetFilerAddressFunc(func() pb.ServerAddress {
+		return pb.NewServerAddress(host, 1, grpcPort)
+	}, grpc.WithTransportCredentials(insecure.NewCredentials()))
+
+	return store, server
+}
+
+func TestFilerEtcStoreListPolicyNamesIncludesLegacyPolicies(t *testing.T) {
+	ctx := context.Background()
+	store := newPolicyTestStore(t)
+
+	legacyPolicies := newPoliciesCollection()
+	legacyPolicies.Policies["legacy-only"] = testPolicyDocument("s3:GetObject", "arn:aws:s3:::legacy-only/*")
+	legacyPolicies.Policies["shared"] = testPolicyDocument("s3:GetObject", "arn:aws:s3:::shared/*")
+	require.NoError(t, store.saveLegacyPoliciesCollection(ctx, legacyPolicies))
+
+	require.NoError(t, store.savePolicy(ctx, "multi-file-only", testPolicyDocument("s3:PutObject", "arn:aws:s3:::multi-file-only/*")))
+	require.NoError(t, store.savePolicy(ctx, "shared", testPolicyDocument("s3:DeleteObject", "arn:aws:s3:::shared/*")))
+
+	names, err := store.ListPolicyNames(ctx)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, []string{"legacy-only", "multi-file-only", "shared"}, names)
+}
+
+func TestFilerEtcStoreDeletePolicyRemovesLegacyManagedCopy(t *testing.T) {
+	ctx := context.Background()
+	store := newPolicyTestStore(t)
+
+	inlinePolicy := testPolicyDocument("s3:PutObject", "arn:aws:s3:::inline-user/*")
+	legacyPolicies := newPoliciesCollection()
+	legacyPolicies.Policies["legacy-only"] = testPolicyDocument("s3:GetObject", "arn:aws:s3:::legacy-only/*")
+	legacyPolicies.InlinePolicies["inline-user"] = map[string]policy_engine.PolicyDocument{
+		"PutOnly": inlinePolicy,
+	}
+	require.NoError(t, store.saveLegacyPoliciesCollection(ctx, legacyPolicies))
+
+	managedPolicies, err := store.LoadManagedPolicies(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, []string{"legacy-only"}, managedPolicyNames(managedPolicies))
+
+	require.NoError(t, store.DeletePolicy(ctx, "legacy-only"))
+
+	managedPolicies, err = store.LoadManagedPolicies(ctx)
+	require.NoError(t, err)
+	assert.Empty(t, managedPolicies)
+
+	inlinePolicies, err := store.LoadInlinePolicies(ctx)
+	require.NoError(t, err)
+	assertInlinePolicyPreserved(t, inlinePolicies, "inline-user", "PutOnly")
+
+	loadedLegacyPolicies, foundLegacy, err := store.loadLegacyPoliciesCollection(ctx)
+	require.NoError(t, err)
+	require.True(t, foundLegacy)
+	assert.Empty(t, loadedLegacyPolicies.Policies)
+	assertInlinePolicyPreserved(t, loadedLegacyPolicies.InlinePolicies, "inline-user", "PutOnly")
+}
+
+func TestFilerEtcStoreDeletePolicySerializesLegacyUpdates(t *testing.T) {
+	ctx := context.Background()
+	store, server := newPolicyTestStoreWithServer(t)
+
+	legacyPolicies := newPoliciesCollection()
+	legacyPolicies.Policies["first"] = testPolicyDocument("s3:GetObject", "arn:aws:s3:::first/*")
+	legacyPolicies.Policies["second"] = testPolicyDocument("s3:GetObject", "arn:aws:s3:::second/*")
+	require.NoError(t, store.saveLegacyPoliciesCollection(ctx, legacyPolicies))
+	require.NoError(t, store.savePolicy(ctx, "first", testPolicyDocument("s3:GetObject", "arn:aws:s3:::first/*")))
+	require.NoError(t, store.savePolicy(ctx, "second", testPolicyDocument("s3:GetObject", "arn:aws:s3:::second/*")))
+
+	firstSaveStarted := make(chan struct{})
+	releaseFirstSave := make(chan struct{})
+	secondReachedDelete := make(chan struct{}, 1)
+	var blockOnce sync.Once
+
+	server.mu.Lock()
+	server.beforeUpdate = func(dir string, name string) error {
+		if dir == filer.IamConfigDirectory && name == filer.IamPoliciesFile {
+			blockOnce.Do(func() {
+				close(firstSaveStarted)
+				<-releaseFirstSave
+			})
+		}
+		return nil
+	}
+	server.beforeDelete = func(dir string, name string) error {
+		if dir == filer.IamConfigDirectory+"/"+IamPoliciesDirectory && name == "second.json" {
+			select {
+			case secondReachedDelete <- struct{}{}:
+			default:
+			}
+		}
+		return nil
+	}
+	server.mu.Unlock()
+
+	firstDeleteErr := make(chan error, 1)
+	go func() {
+		firstDeleteErr <- store.DeletePolicy(ctx, "first")
+	}()
+
+	<-firstSaveStarted
+
+	secondDeleteErr := make(chan error, 1)
+	go func() {
+		secondDeleteErr <- store.DeletePolicy(ctx, "second")
+	}()
+
+	select {
+	case <-secondReachedDelete:
+		t.Fatal("second delete reached filer mutation while first delete was still blocked")
+	case <-time.After(300 * time.Millisecond):
+	}
+
+	close(releaseFirstSave)
+
+	require.NoError(t, <-firstDeleteErr)
+	require.NoError(t, <-secondDeleteErr)
+
+	loadedLegacyPolicies, foundLegacy, err := store.loadLegacyPoliciesCollection(ctx)
+	require.NoError(t, err)
+	require.True(t, foundLegacy)
+	assert.Empty(t, loadedLegacyPolicies.Policies)
+}
+
+func TestFilerEtcStoreLoadManagedPoliciesRespectsReadContext(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	store, server := newPolicyTestStoreWithServer(t)
+
+	require.NoError(t, store.savePolicy(context.Background(), "cancel-me", testPolicyDocument("s3:GetObject", "arn:aws:s3:::cancel-me/*")))
+
+	server.mu.Lock()
+	server.contentlessListEntry[filerEntryKey(filer.IamConfigDirectory+"/"+IamPoliciesDirectory, "cancel-me.json")] = struct{}{}
+	server.beforeLookup = func(ctx context.Context, dir string, name string) error {
+		if dir == filer.IamConfigDirectory+"/"+IamPoliciesDirectory && name == "cancel-me.json" {
+			cancel()
+			return status.Error(codes.Canceled, context.Canceled.Error())
+		}
+		return nil
+	}
+	server.mu.Unlock()
+
+	managedPolicies, err := store.LoadManagedPolicies(ctx)
+	require.NoError(t, err)
+	assert.Empty(t, managedPolicies)
+}
+
+func testPolicyDocument(action string, resource string) policy_engine.PolicyDocument {
+	return policy_engine.PolicyDocument{
+		Version: policy_engine.PolicyVersion2012_10_17,
+		Statement: []policy_engine.PolicyStatement{
+			{
+				Effect:   policy_engine.PolicyEffectAllow,
+				Action:   policy_engine.NewStringOrStringSlice(action),
+				Resource: policy_engine.NewStringOrStringSlice(resource),
+			},
+		},
+	}
+}
+
+func managedPolicyNames(policies []*iam_pb.Policy) []string {
+	names := make([]string, 0, len(policies))
+	for _, policy := range policies {
+		names = append(names, policy.Name)
+	}
+	sort.Strings(names)
+	return names
+}
+
+func assertInlinePolicyPreserved(t *testing.T, inlinePolicies map[string]map[string]policy_engine.PolicyDocument, userName string, policyName string) {
+	t.Helper()
+
+	userPolicies, found := inlinePolicies[userName]
+	require.True(t, found)
+
+	policy, found := userPolicies[policyName]
+	require.True(t, found)
+	assert.Equal(t, policy_engine.PolicyVersion2012_10_17, policy.Version)
+	require.Len(t, policy.Statement, 1)
+	assert.Equal(t, policy_engine.PolicyEffectAllow, policy.Statement[0].Effect)
+}
+
+func cloneEntry(entry *filer_pb.Entry) *filer_pb.Entry {
+	if entry == nil {
+		return nil
+	}
+	return proto.Clone(entry).(*filer_pb.Entry)
+}
+
+func filerEntryKey(dir string, name string) string {
+	return dir + "\x00" + name
+}
+
+func splitFilerEntryKey(key string) (dir string, name string) {
+	for idx := 0; idx < len(key); idx++ {
+		if key[idx] == '\x00' {
+			return key[:idx], key[idx+1:]
+		}
+	}
+	return key, ""
+}