gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3api: fix static IAM policy enforcement after reload (#8532)

Browse Source 
* s3api: honor attached IAM policies over legacy actions

* s3api: hydrate IAM policy docs during config reload

* s3api: use policy-aware auth when listing buckets

* credential: propagate context through filer_etc policy reads

* credential: make legacy policy deletes durable

* s3api: exercise managed policy runtime loader

* s3api: allow static IAM users without session tokens

* iam: deny unmatched attached policies under default allow

* iam: load embedded policy files from filer store

* s3api: require session tokens for IAM presigning

* s3api: sync runtime policies into zero-config IAM

* credential: respect context in policy file loads

* credential: serialize legacy policy deletes

* iam: align filer policy store naming

* s3api: use authenticated principals for presigning

* iam: deep copy policy conditions

* s3api: require request creation in policy tests

* filer: keep ReadInsideFiler as the context-aware API

* iam: harden filer policy store writes

* credential: strengthen legacy policy serialization test

* credential: forward runtime policy loaders through wrapper

* s3api: harden runtime policy merging

* iam: require typed already-exists errors
This commit is contained in:
Chris Lu
2026-03-06 12:35:08 -08:00
committed by GitHub
parent 338be16254
commit f9311a3422
30 changed files with 1903 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
weed/iam/integration/iam_manager.go
View File

@@ -6,6 +6,7 @@ import (
"encoding/json"
"fmt"
"strings"
"sync"
"github.com/golang-jwt/jwt/v5"
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
@@ -28,6 +29,8 @@ type IAMManager struct {
userStore UserStore
filerAddressProvider func() string // Function to get current filer address
initialized bool
runtimePolicyMu sync.Mutex
runtimePolicyNames map[string]struct{}
}
// IAMConfig holds configuration for all IAM components
@@ -105,6 +108,57 @@ func (m *IAMManager) SetUserStore(store UserStore) {
m.userStore = store
}
// SyncRuntimePolicies keeps zero-config runtime policies available to the
// in-memory policy engine used by the advanced IAM authorizer.
func (m *IAMManager) SyncRuntimePolicies(ctx context.Context, policies []*iam_pb.Policy) error {
if !m.initialized || m.policyEngine == nil {
return nil
}
if m.policyEngine.StoreType() != sts.StoreTypeMemory {
return nil
}
desiredPolicies := make(map[string]*policy.PolicyDocument, len(policies))
for _, runtimePolicy := range policies {
if runtimePolicy == nil || runtimePolicy.Name == "" {
continue
}
var document policy.PolicyDocument
if err := json.Unmarshal([]byte(runtimePolicy.Content), &document); err != nil {
return fmt.Errorf("failed to parse runtime policy %q: %w", runtimePolicy.Name, err)
}
desiredPolicies[runtimePolicy.Name] = &document
}
m.runtimePolicyMu.Lock()
defer m.runtimePolicyMu.Unlock()
filerAddress := m.getFilerAddress()
for policyName := range m.runtimePolicyNames {
if _, keep := desiredPolicies[policyName]; keep {
continue
}
if err := m.policyEngine.DeletePolicy(ctx, filerAddress, policyName); err != nil {
return fmt.Errorf("failed to delete runtime policy %q: %w", policyName, err)
}
}
for policyName, document := range desiredPolicies {
if err := m.policyEngine.AddPolicy(filerAddress, policyName, document); err != nil {
return fmt.Errorf("failed to sync runtime policy %q: %w", policyName, err)
}
}
m.runtimePolicyNames = make(map[string]struct{}, len(desiredPolicies))
for policyName := range desiredPolicies {
m.runtimePolicyNames[policyName] = struct{}{}
}
return nil
}
// Initialize initializes the IAM manager with all components
func (m *IAMManager) Initialize(config *IAMConfig, filerAddressProvider func() string) error {
if config == nil {
@@ -422,6 +476,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
var baseResult *policy.EvaluationResult
var err error
subjectPolicyCount := 0
if isAdmin {
// Admin always has base access allowed
@@ -454,6 +509,7 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
policies = roleDef.AttachedPolicies
}
}
subjectPolicyCount = len(policies)
if bucketPolicyName != "" {
// Enforce an upper bound on the number of policies to avoid excessive allocations
@@ -477,6 +533,14 @@ func (m *IAMManager) IsActionAllowed(ctx context.Context, request *ActionRequest
return false, nil
}
// Zero-config IAM uses DefaultEffect=Allow to preserve open-by-default behavior
// for requests without any subject policies. Once a user or role has attached
// policies, "no matching statement" must fall back to deny so the attachment
// actually scopes access.
if subjectPolicyCount > 0 && len(baseResult.MatchingStatements) == 0 {
return false, nil
}
// If there's a session policy, it must also allow the action
if sessionInfo != nil && sessionInfo.SessionPolicy != "" {
var sessionPolicy policy.PolicyDocument

21
weed/iam/policy/policy_engine.go
View File

@@ -353,6 +353,27 @@ func (e *PolicyEngine) AddPolicy(filerAddress string, name string, policy *Polic
return e.store.StorePolicy(context.Background(), filerAddress, name, policy)
}
// DeletePolicy removes a policy from the configured store.
func (e *PolicyEngine) DeletePolicy(ctx context.Context, filerAddress string, name string) error {
if !e.initialized {
return fmt.Errorf("policy engine not initialized")
}
if name == "" {
return fmt.Errorf("policy name cannot be empty")
}
return e.store.DeletePolicy(ctx, filerAddress, name)
}
// StoreType returns the configured backend type for the policy store.
func (e *PolicyEngine) StoreType() string {
if e.config == nil {
return ""
}
return e.config.StoreType
}
// Evaluate evaluates policies against a request context (filerAddress ignored for memory stores)
func (e *PolicyEngine) Evaluate(ctx context.Context, filerAddress string, evalCtx *EvaluationContext, policyNames []string) (*EvaluationResult, error) {
if !e.initialized {

266
weed/iam/policy/policy_store.go
View File

@@ -3,15 +3,19 @@ package policy
import (
"context"
"encoding/json"
"errors"
"fmt"
"strings"
"sync"
"time"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
// MemoryPolicyStore implements PolicyStore using in-memory storage
@@ -134,11 +138,15 @@ func copyPolicyDocument(original *PolicyDocument) *PolicyDocument {
copy(copied.Statement[i].NotResource, stmt.NotResource)
}
// Copy condition map (shallow copy for now)
// Copy condition map
if stmt.Condition != nil {
copied.Statement[i].Condition = make(map[string]map[string]interface{})
for k, v := range stmt.Condition {
copied.Statement[i].Condition[k] = v
for conditionType, conditionValues := range stmt.Condition {
copiedConditionValues := make(map[string]interface{}, len(conditionValues))
for conditionKey, conditionValue := range conditionValues {
copiedConditionValues[conditionKey] = copyPolicyConditionValue(conditionValue)
}
copied.Statement[i].Condition[conditionType] = copiedConditionValues
}
}
}
@@ -146,6 +154,29 @@ func copyPolicyDocument(original *PolicyDocument) *PolicyDocument {
return copied
}
func copyPolicyConditionValue(value interface{}) interface{} {
switch v := value.(type) {
case []string:
copied := make([]string, len(v))
copy(copied, v)
return copied
case []interface{}:
copied := make([]interface{}, len(v))
for i := range v {
copied[i] = copyPolicyConditionValue(v[i])
}
return copied
case map[string]interface{}:
copied := make(map[string]interface{}, len(v))
for key, nestedValue := range v {
copied[key] = copyPolicyConditionValue(nestedValue)
}
return copied
default:
return v
}
}
// FilerPolicyStore implements PolicyStore using SeaweedFS filer
type FilerPolicyStore struct {
grpcDialOption grpc.DialOption
@@ -198,27 +229,13 @@ func (s *FilerPolicyStore) StorePolicy(ctx context.Context, filerAddress string,
// Store in filer
return s.withFilerClient(filerAddress, func(client filer_pb.SeaweedFilerClient) error {
request := &filer_pb.CreateEntryRequest{
Directory: s.basePath,
Entry: &filer_pb.Entry{
Name: s.getPolicyFileName(name),
IsDirectory: false,
Attributes: &filer_pb.FuseAttributes{
Mtime: time.Now().Unix(),
Crtime: time.Now().Unix(),
FileMode: uint32(0600), // Read/write for owner only
Uid: uint32(0),
Gid: uint32(0),
},
Content: policyData,
},
}
glog.V(3).Infof("Storing policy %s at %s", name, policyPath)
_, err := client.CreateEntry(ctx, request)
if err != nil {
if err := s.savePolicyFile(ctx, client, s.getPolicyFileName(name), policyData); err != nil {
return fmt.Errorf("failed to store policy %s: %v", name, err)
}
if err := s.deleteLegacyPolicyFileIfPresent(ctx, client, name); err != nil {
return err
}
return nil
})
@@ -239,23 +256,30 @@ func (s *FilerPolicyStore) GetPolicy(ctx context.Context, filerAddress string, n
var policyData []byte
err := s.withFilerClient(filerAddress, func(client filer_pb.SeaweedFilerClient) error {
request := &filer_pb.LookupDirectoryEntryRequest{
Directory: s.basePath,
Name: s.getPolicyFileName(name),
for _, fileName := range s.getPolicyLookupFileNames(name) {
request := &filer_pb.LookupDirectoryEntryRequest{
Directory: s.basePath,
Name: fileName,
}
glog.V(3).Infof("Looking up policy %s as %s", name, fileName)
response, err := client.LookupDirectoryEntry(ctx, request)
if err != nil {
if isNotFoundPolicyStoreError(err) {
continue
}
return fmt.Errorf("policy lookup failed: %v", err)
}
if response.Entry == nil {
continue
}
policyData = response.Entry.Content
return nil
}
glog.V(3).Infof("Looking up policy %s", name)
response, err := client.LookupDirectoryEntry(ctx, request)
if err != nil {
return fmt.Errorf("policy not found: %v", err)
}
if response.Entry == nil {
return fmt.Errorf("policy not found")
}
policyData = response.Entry.Content
return nil
return fmt.Errorf("policy not found")
})
if err != nil {
@@ -285,31 +309,27 @@ func (s *FilerPolicyStore) DeletePolicy(ctx context.Context, filerAddress string
}
return s.withFilerClient(filerAddress, func(client filer_pb.SeaweedFilerClient) error {
request := &filer_pb.DeleteEntryRequest{
Directory: s.basePath,
Name: s.getPolicyFileName(name),
IsDeleteData: true,
IsRecursive: false,
IgnoreRecursiveError: false,
}
glog.V(3).Infof("Deleting policy %s", name)
resp, err := client.DeleteEntry(ctx, request)
if err != nil {
// Ignore "not found" errors - policy may already be deleted
if strings.Contains(err.Error(), "not found") {
return nil
for _, fileName := range s.getPolicyLookupFileNames(name) {
request := &filer_pb.DeleteEntryRequest{
Directory: s.basePath,
Name: fileName,
IsDeleteData: true,
IsRecursive: false,
IgnoreRecursiveError: false,
}
return fmt.Errorf("failed to delete policy %s: %v", name, err)
}
// Check response error
if resp.Error != "" {
// Ignore "not found" errors - policy may already be deleted
if strings.Contains(resp.Error, "not found") {
return nil
glog.V(3).Infof("Deleting policy %s as %s", name, fileName)
resp, err := client.DeleteEntry(ctx, request)
if err != nil {
if isNotFoundPolicyStoreError(err) {
continue
}
return fmt.Errorf("failed to delete policy %s: %v", name, err)
}
if resp.Error != "" {
return fmt.Errorf("failed to delete policy %s: %s", name, resp.Error)
}
return fmt.Errorf("failed to delete policy %s: %s", name, resp.Error)
}
return nil
@@ -332,7 +352,7 @@ func (s *FilerPolicyStore) ListPolicies(ctx context.Context, filerAddress string
// List all entries in the policy directory
request := &filer_pb.ListEntriesRequest{
Directory: s.basePath,
Prefix: "policy_",
Prefix: "",
StartFromFileName: "",
InclusiveStartFrom: false,
Limit: 1000, // Process in batches of 1000
@@ -353,11 +373,7 @@ func (s *FilerPolicyStore) ListPolicies(ctx context.Context, filerAddress string
continue
}
// Extract policy name from filename
filename := resp.Entry.Name
if strings.HasPrefix(filename, "policy_") && strings.HasSuffix(filename, ".json") {
// Remove "policy_" prefix and ".json" suffix
policyName := strings.TrimSuffix(strings.TrimPrefix(filename, "policy_"), ".json")
if policyName, ok := s.policyNameFromFileName(resp.Entry.Name); ok {
policyNames = append(policyNames, policyName)
}
}
@@ -369,7 +385,17 @@ func (s *FilerPolicyStore) ListPolicies(ctx context.Context, filerAddress string
return nil, err
}
return policyNames, nil
uniquePolicyNames := make([]string, 0, len(policyNames))
seen := make(map[string]struct{}, len(policyNames))
for _, policyName := range policyNames {
if _, found := seen[policyName]; found {
continue
}
seen[policyName] = struct{}{}
uniquePolicyNames = append(uniquePolicyNames, policyName)
}
return uniquePolicyNames, nil
}
// Helper methods
@@ -391,5 +417,115 @@ func (s *FilerPolicyStore) getPolicyPath(policyName string) string {
// getPolicyFileName returns the filename for a policy
func (s *FilerPolicyStore) getPolicyFileName(policyName string) string {
return s.getCanonicalPolicyFileName(policyName)
}
func (s *FilerPolicyStore) getLegacyPolicyFileName(policyName string) string {
return "policy_" + policyName + ".json"
}
func (s *FilerPolicyStore) getCanonicalPolicyFileName(policyName string) string {
return policyName + ".json"
}
func (s *FilerPolicyStore) getPolicyLookupFileNames(policyName string) []string {
return []string{
s.getCanonicalPolicyFileName(policyName),
s.getLegacyPolicyFileName(policyName),
}
}
func (s *FilerPolicyStore) policyNameFromFileName(fileName string) (string, bool) {
if !strings.HasSuffix(fileName, ".json") {
return "", false
}
policyName := strings.TrimSuffix(fileName, ".json")
if strings.HasPrefix(fileName, "policy_") {
policyName = strings.TrimPrefix(policyName, "policy_")
}
if s.isSupportedPolicyName(policyName) {
return policyName, true
}
return "", false
}
func (s *FilerPolicyStore) isSupportedPolicyName(policyName string) bool {
if policyName == "" {
return false
}
// Bucket policies are stored alongside IAM policies but use the internal
// "bucket-policy:<bucket>" naming scheme, which is intentionally outside the
// public IAM policy-name validator.
if strings.HasPrefix(policyName, "bucket-policy:") {
return len(policyName) > len("bucket-policy:")
}
return credential.ValidatePolicyName(policyName) == nil
}
func (s *FilerPolicyStore) deleteLegacyPolicyFileIfPresent(ctx context.Context, client filer_pb.SeaweedFilerClient, policyName string) error {
legacyFileName := s.getLegacyPolicyFileName(policyName)
response, err := client.DeleteEntry(ctx, &filer_pb.DeleteEntryRequest{
Directory: s.basePath,
Name: legacyFileName,
IsDeleteData: true,
IsRecursive: false,
IgnoreRecursiveError: false,
})
if err != nil {
if isNotFoundPolicyStoreError(err) {
return nil
}
return fmt.Errorf("failed to delete legacy policy %s: %v", policyName, err)
}
if response.Error != "" {
return fmt.Errorf("failed to delete legacy policy %s: %s", policyName, response.Error)
}
return nil
}
func (s *FilerPolicyStore) savePolicyFile(ctx context.Context, client filer_pb.SeaweedFilerClient, fileName string, content []byte) error {
now := time.Now().Unix()
entry := &filer_pb.Entry{
Name: fileName,
IsDirectory: false,
Attributes: &filer_pb.FuseAttributes{
Mtime: now,
Crtime: now,
FileMode: uint32(0600),
Uid: uint32(0),
Gid: uint32(0),
FileSize: uint64(len(content)),
},
Content: content,
}
createRequest := &filer_pb.CreateEntryRequest{
Directory: s.basePath,
Entry: entry,
}
if err := filer_pb.CreateEntry(ctx, client, createRequest); err == nil {
return nil
} else if !isAlreadyExistsPolicyStoreError(err) {
return err
}
return filer_pb.UpdateEntry(ctx, client, &filer_pb.UpdateEntryRequest{
Directory: s.basePath,
Entry: entry,
})
}
func isNotFoundPolicyStoreError(err error) bool {
if err == nil {
return false
}
return errors.Is(err, filer_pb.ErrNotFound) || status.Code(err) == codes.NotFound
}
func isAlreadyExistsPolicyStoreError(err error) bool {
if err == nil {
return false
}
return status.Code(err) == codes.AlreadyExists
}

314
weed/iam/policy/policy_store_test.go Normal file
View File

@@ -0,0 +1,314 @@
package policy
import (
"context"
"encoding/json"
"fmt"
"net"
"sort"
"strconv"
"sync"
"testing"
"github.com/seaweedfs/seaweedfs/weed/pb"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/proto"
)
type policyStoreTestFilerServer struct {
filer_pb.UnimplementedSeaweedFilerServer
mu sync.RWMutex
entries map[string]*filer_pb.Entry
}
func newPolicyStoreTestFilerServer() *policyStoreTestFilerServer {
return &policyStoreTestFilerServer{
entries: make(map[string]*filer_pb.Entry),
}
}
func (s *policyStoreTestFilerServer) LookupDirectoryEntry(_ context.Context, req *filer_pb.LookupDirectoryEntryRequest) (*filer_pb.LookupDirectoryEntryResponse, error) {
s.mu.RLock()
defer s.mu.RUnlock()
entry, found := s.entries[policyStoreTestEntryKey(req.Directory, req.Name)]
if !found {
return nil, status.Error(codes.NotFound, filer_pb.ErrNotFound.Error())
}
return &filer_pb.LookupDirectoryEntryResponse{Entry: clonePolicyStoreEntry(entry)}, nil
}
func (s *policyStoreTestFilerServer) CreateEntry(_ context.Context, req *filer_pb.CreateEntryRequest) (*filer_pb.CreateEntryResponse, error) {
s.mu.Lock()
defer s.mu.Unlock()
key := policyStoreTestEntryKey(req.Directory, req.Entry.Name)
if _, found := s.entries[key]; found {
return nil, status.Error(codes.AlreadyExists, "entry already exists")
}
s.entries[key] = clonePolicyStoreEntry(req.Entry)
return &filer_pb.CreateEntryResponse{}, nil
}
func (s *policyStoreTestFilerServer) UpdateEntry(_ context.Context, req *filer_pb.UpdateEntryRequest) (*filer_pb.UpdateEntryResponse, error) {
s.mu.Lock()
defer s.mu.Unlock()
key := policyStoreTestEntryKey(req.Directory, req.Entry.Name)
if _, found := s.entries[key]; !found {
return nil, status.Error(codes.NotFound, filer_pb.ErrNotFound.Error())
}
s.entries[key] = clonePolicyStoreEntry(req.Entry)
return &filer_pb.UpdateEntryResponse{}, nil
}
func (s *policyStoreTestFilerServer) ListEntries(req *filer_pb.ListEntriesRequest, stream grpc.ServerStreamingServer[filer_pb.ListEntriesResponse]) error {
s.mu.RLock()
defer s.mu.RUnlock()
names := make([]string, 0)
for key := range s.entries {
dir, name := splitPolicyStoreEntryKey(key)
if dir != req.Directory {
continue
}
if req.Prefix != "" && len(name) >= len(req.Prefix) && name[:len(req.Prefix)] != req.Prefix {
continue
}
if req.Prefix != "" && len(name) < len(req.Prefix) {
continue
}
names = append(names, name)
}
sort.Strings(names)
for _, name := range names {
if err := stream.Send(&filer_pb.ListEntriesResponse{
Entry: clonePolicyStoreEntry(s.entries[policyStoreTestEntryKey(req.Directory, name)]),
}); err != nil {
return err
}
}
return nil
}
func (s *policyStoreTestFilerServer) DeleteEntry(_ context.Context, req *filer_pb.DeleteEntryRequest) (*filer_pb.DeleteEntryResponse, error) {
s.mu.Lock()
defer s.mu.Unlock()
key := policyStoreTestEntryKey(req.Directory, req.Name)
if _, found := s.entries[key]; !found {
return nil, status.Error(codes.NotFound, filer_pb.ErrNotFound.Error())
}
delete(s.entries, key)
return &filer_pb.DeleteEntryResponse{}, nil
}
func (s *policyStoreTestFilerServer) putPolicyFile(t *testing.T, dir string, name string, document *PolicyDocument) {
t.Helper()
content, err := json.Marshal(document)
require.NoError(t, err)
s.mu.Lock()
defer s.mu.Unlock()
s.entries[policyStoreTestEntryKey(dir, name)] = &filer_pb.Entry{
Name: name,
Content: content,
}
}
func (s *policyStoreTestFilerServer) hasEntry(dir string, name string) bool {
s.mu.RLock()
defer s.mu.RUnlock()
_, found := s.entries[policyStoreTestEntryKey(dir, name)]
return found
}
func newTestFilerPolicyStore(t *testing.T) (*FilerPolicyStore, *policyStoreTestFilerServer) {
t.Helper()
lis, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
server := newPolicyStoreTestFilerServer()
grpcServer := pb.NewGrpcServer()
filer_pb.RegisterSeaweedFilerServer(grpcServer, server)
go func() {
_ = grpcServer.Serve(lis)
}()
t.Cleanup(func() {
grpcServer.Stop()
_ = lis.Close()
})
host, portString, err := net.SplitHostPort(lis.Addr().String())
require.NoError(t, err)
grpcPort, err := strconv.Atoi(portString)
require.NoError(t, err)
store, err := NewFilerPolicyStore(nil, func() string {
return string(pb.NewServerAddress(host, 1, grpcPort))
})
require.NoError(t, err)
store.grpcDialOption = grpc.WithTransportCredentials(insecure.NewCredentials())
return store, server
}
func TestFilerPolicyStoreGetPolicyPrefersCanonicalFiles(t *testing.T) {
ctx := context.Background()
store, server := newTestFilerPolicyStore(t)
server.putPolicyFile(t, store.basePath, "cli-bucket-access-policy.json", testPolicyDocument("s3:ListBucket", "arn:aws:s3:::cli-allowed-bucket"))
server.putPolicyFile(t, store.basePath, "policy_cli-bucket-access-policy.json", testPolicyDocument("s3:PutObject", "arn:aws:s3:::cli-forbidden-bucket/*"))
document, err := store.GetPolicy(ctx, "", "cli-bucket-access-policy")
require.NoError(t, err)
require.Len(t, document.Statement, 1)
assert.Equal(t, "s3:ListBucket", document.Statement[0].Action[0])
assert.Equal(t, "arn:aws:s3:::cli-allowed-bucket", document.Statement[0].Resource[0])
}
func TestFilerPolicyStoreListPoliciesIncludesCanonicalAndLegacyFiles(t *testing.T) {
ctx := context.Background()
store, server := newTestFilerPolicyStore(t)
server.putPolicyFile(t, store.basePath, "canonical-only.json", testPolicyDocument("s3:GetObject", "arn:aws:s3:::canonical-only/*"))
server.putPolicyFile(t, store.basePath, "policy_legacy-only.json", testPolicyDocument("s3:PutObject", "arn:aws:s3:::legacy-only/*"))
server.putPolicyFile(t, store.basePath, "shared.json", testPolicyDocument("s3:DeleteObject", "arn:aws:s3:::shared/*"))
server.putPolicyFile(t, store.basePath, "policy_shared.json", testPolicyDocument("s3:ListBucket", "arn:aws:s3:::shared"))
server.putPolicyFile(t, store.basePath, "policy_invalid:name.json", testPolicyDocument("s3:GetObject", "arn:aws:s3:::ignored/*"))
server.putPolicyFile(t, store.basePath, "bucket-policy:bucket-a.json", testPolicyDocument("s3:ListBucket", "arn:aws:s3:::bucket-a"))
names, err := store.ListPolicies(ctx, "")
require.NoError(t, err)
assert.ElementsMatch(t, []string{"canonical-only", "legacy-only", "shared", "bucket-policy:bucket-a"}, names)
}
func TestFilerPolicyStoreDeletePolicyRemovesCanonicalAndLegacyFiles(t *testing.T) {
ctx := context.Background()
store, server := newTestFilerPolicyStore(t)
server.putPolicyFile(t, store.basePath, "dual-format.json", testPolicyDocument("s3:GetObject", "arn:aws:s3:::dual-format/*"))
server.putPolicyFile(t, store.basePath, "policy_dual-format.json", testPolicyDocument("s3:PutObject", "arn:aws:s3:::dual-format/*"))
require.NoError(t, store.DeletePolicy(ctx, "", "dual-format"))
assert.False(t, server.hasEntry(store.basePath, "dual-format.json"))
assert.False(t, server.hasEntry(store.basePath, "policy_dual-format.json"))
}
func TestFilerPolicyStoreStorePolicyWritesCanonicalFileAndRemovesLegacyTwin(t *testing.T) {
ctx := context.Background()
store, server := newTestFilerPolicyStore(t)
server.putPolicyFile(t, store.basePath, "policy_dual-format.json", testPolicyDocument("s3:PutObject", "arn:aws:s3:::dual-format/*"))
require.NoError(t, store.StorePolicy(ctx, "", "dual-format", testPolicyDocument("s3:GetObject", "arn:aws:s3:::dual-format/*")))
assert.True(t, server.hasEntry(store.basePath, "dual-format.json"))
assert.False(t, server.hasEntry(store.basePath, "policy_dual-format.json"))
document, err := store.GetPolicy(ctx, "", "dual-format")
require.NoError(t, err)
require.Len(t, document.Statement, 1)
assert.Equal(t, "s3:GetObject", document.Statement[0].Action[0])
}
func TestFilerPolicyStoreStorePolicyUpdatesExistingCanonicalFile(t *testing.T) {
ctx := context.Background()
store, server := newTestFilerPolicyStore(t)
server.putPolicyFile(t, store.basePath, "existing.json", testPolicyDocument("s3:PutObject", "arn:aws:s3:::existing/*"))
require.NoError(t, store.StorePolicy(ctx, "", "existing", testPolicyDocument("s3:GetObject", "arn:aws:s3:::existing/*")))
document, err := store.GetPolicy(ctx, "", "existing")
require.NoError(t, err)
require.Len(t, document.Statement, 1)
assert.Equal(t, "s3:GetObject", document.Statement[0].Action[0])
assert.Equal(t, "arn:aws:s3:::existing/*", document.Statement[0].Resource[0])
}
func TestCopyPolicyDocumentClonesConditionState(t *testing.T) {
original := &PolicyDocument{
Version: "2012-10-17",
Statement: []Statement{
{
Effect: "Allow",
Action: []string{"s3:GetObject"},
Resource: []string{
"arn:aws:s3:::test-bucket/*",
},
Condition: map[string]map[string]interface{}{
"StringEquals": {
"s3:prefix": []string{"public/", "private/"},
},
"Null": {
"aws:PrincipalArn": "false",
},
},
},
},
}
copied := copyPolicyDocument(original)
require.NotNil(t, copied)
original.Statement[0].Condition["StringEquals"]["s3:prefix"] = []string{"mutated/"}
original.Statement[0].Condition["Null"]["aws:PrincipalArn"] = "true"
assert.Equal(t, []string{"public/", "private/"}, copied.Statement[0].Condition["StringEquals"]["s3:prefix"])
assert.Equal(t, "false", copied.Statement[0].Condition["Null"]["aws:PrincipalArn"])
}
func TestIsAlreadyExistsPolicyStoreErrorUsesStatusCode(t *testing.T) {
assert.True(t, isAlreadyExistsPolicyStoreError(status.Error(codes.AlreadyExists, "entry already exists")))
assert.False(t, isAlreadyExistsPolicyStoreError(fmt.Errorf("entry already exists")))
}
func testPolicyDocument(action string, resource string) *PolicyDocument {
return &PolicyDocument{
Version: "2012-10-17",
Statement: []Statement{
{
Effect: "Allow",
Action: []string{action},
Resource: []string{resource},
},
},
}
}
func clonePolicyStoreEntry(entry *filer_pb.Entry) *filer_pb.Entry {
if entry == nil {
return nil
}
return proto.Clone(entry).(*filer_pb.Entry)
}
func policyStoreTestEntryKey(dir string, name string) string {
return dir + "\x00" + name
}
func splitPolicyStoreEntryKey(key string) (string, string) {
for i := 0; i < len(key); i++ {
if key[i] == '\x00' {
return key[:i], key[i+1:]
}
}
return key, ""
}