s3api: fix static IAM policy enforcement after reload (#8532)

* s3api: honor attached IAM policies over legacy actions

* s3api: hydrate IAM policy docs during config reload

* s3api: use policy-aware auth when listing buckets

* credential: propagate context through filer_etc policy reads

* credential: make legacy policy deletes durable

* s3api: exercise managed policy runtime loader

* s3api: allow static IAM users without session tokens

* iam: deny unmatched attached policies under default allow

* iam: load embedded policy files from filer store

* s3api: require session tokens for IAM presigning

* s3api: sync runtime policies into zero-config IAM

* credential: respect context in policy file loads

* credential: serialize legacy policy deletes

* iam: align filer policy store naming

* s3api: use authenticated principals for presigning

* iam: deep copy policy conditions

* s3api: require request creation in policy tests

* filer: keep ReadInsideFiler as the context-aware API

* iam: harden filer policy store writes

* credential: strengthen legacy policy serialization test

* credential: forward runtime policy loaders through wrapper

* s3api: harden runtime policy merging

* iam: require typed already-exists errors
Chris Lu
2026-03-06 12:35:08 -08:00
committed by GitHub
parent 338be16254
commit f9311a3422
30 changed files with 1903 additions and 168 deletions


@@ -220,6 +220,35 @@ func TestPresignedURLGeneration(t *testing.T) {
}
}
func TestPresignedURLGenerationUsesAuthenticatedPrincipal(t *testing.T) {
iamManager := setupTestIAMManagerForPresigned(t)
s3iam := NewS3IAMIntegration(iamManager, "localhost:8888")
s3iam.enabled = true
presignedManager := NewS3PresignedURLManager(s3iam)
ctx := context.Background()
setupTestRolesForPresigned(ctx, iamManager)
validJWTToken := createTestJWTPresigned(t, "https://test-issuer.com", "test-user-123", "test-signing-key")
response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
RoleArn: "arn:aws:iam::role/S3ReadOnlyRole",
WebIdentityToken: validJWTToken,
RoleSessionName: "presigned-read-only-session",
})
require.NoError(t, err)
_, err = presignedManager.GeneratePresignedURLWithIAM(ctx, &PresignedURLRequest{
Method: "PUT",
Bucket: "test-bucket",
ObjectKey: "new-file.txt",
Expiration: time.Hour,
SessionToken: response.Credentials.SessionToken,
}, "http://localhost:8333")
require.Error(t, err)
assert.Contains(t, err.Error(), "IAM authorization failed")
}
// TestPresignedURLExpiration tests URL expiration validation
func TestPresignedURLExpiration(t *testing.T) {
tests := []struct {
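Review bot: The new test covers only the denied path, so a regression in which GeneratePresignedURLWithIAM rejects every session-token request would still pass as long as the message contains `IAM authorization failed`; a companion GET request with the same SessionToken that is expected to succeed would pin that the decision comes from the assumed role's policy rather than from a blanket failure. Whether the read-only role grants GET on test-bucket is decided in setupTestRolesForPresigned, which is outside this hunk, so the expected outcome of that call should be confirmed against it. The `assert.Contains(t, err.Error(), "IAM authorization failed")` check is also coupled to message text; if the package exposes a sentinel or typed error for authorization denials, `errors.Is`/`errors.As` would survive a wording change. TestPresignedURLExpiration, whose first lines appear as trailing context, continues outside the hunk.
```go
// … unchanged: AssumeRoleWithWebIdentity and the denied PUT …

// Positive path: the same principal should be allowed a read, confirming the
// denial above is policy-driven rather than a blanket failure.
_, err = presignedManager.GeneratePresignedURLWithIAM(ctx, &PresignedURLRequest{
	Method:       "GET",
	Bucket:       "test-bucket",
	ObjectKey:    "new-file.txt",
	Expiration:   time.Hour,
	SessionToken: response.Credentials.SessionToken,
}, "http://localhost:8333")
require.NoError(t, err)
```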