s3api: fix static IAM policy enforcement after reload (#8532)

* s3api: honor attached IAM policies over legacy actions * s3api: hydrate IAM policy docs during config reload * s3api: use policy-aware auth when listing buckets * credential: propagate context through filer_etc policy reads * credential: make legacy policy deletes durable * s3api: exercise managed policy runtime loader * s3api: allow static IAM users without session tokens * iam: deny unmatched attached policies under default allow * iam: load embedded policy files from filer store * s3api: require session tokens for IAM presigning * s3api: sync runtime policies into zero-config IAM * credential: respect context in policy file loads * credential: serialize legacy policy deletes * iam: align filer policy store naming * s3api: use authenticated principals for presigning * iam: deep copy policy conditions * s3api: require request creation in policy tests * filer: keep ReadInsideFiler as the context-aware API * iam: harden filer policy store writes * credential: strengthen legacy policy serialization test * credential: forward runtime policy loaders through wrapper * s3api: harden runtime policy merging * iam: require typed already-exists errors
2026-03-06 12:35:08 -08:00
parent 338be16254
commit f9311a3422
30 changed files with 1903 additions and 168 deletions
--- a/weed/s3api/s3api_bucket_handlers_test.go
+++ b/weed/s3api/s3api_bucket_handlers_test.go
@@ -1043,3 +1043,43 @@ func TestListBucketsIssue7796(t *testing.T) {
 			"geoserver should NOT see buckets they neither own nor have permission for")
 	})
 }
+
+func TestListBucketsIssue8516PolicyBasedVisibility(t *testing.T) {
+	iam := &IdentityAccessManagement{}
+	require.NoError(t, iam.PutPolicy("listOnly", `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::policy-bucket"}]}`))
+
+	identity := &Identity{
+		Name:        "policy-user",
+		Account:     &AccountAdmin,
+		PolicyNames: []string{"listOnly"},
+	}
+
+	req := httptest.NewRequest("GET", "http://s3.amazonaws.com/", nil)
+	buckets := []*filer_pb.Entry{
+		{
+			Name:        "policy-bucket",
+			IsDirectory: true,
+			Extended:    map[string][]byte{s3_constants.AmzIdentityId: []byte("admin")},
+			Attributes:  &filer_pb.FuseAttributes{Crtime: time.Now().Unix()},
+		},
+		{
+			Name:        "other-bucket",
+			IsDirectory: true,
+			Extended:    map[string][]byte{s3_constants.AmzIdentityId: []byte("admin")},
+			Attributes:  &filer_pb.FuseAttributes{Crtime: time.Now().Unix()},
+		},
+	}
+
+	var visibleBuckets []string
+	for _, entry := range buckets {
+		isOwner := isBucketOwnedByIdentity(entry, identity)
+		if !isOwner {
+			if errCode := iam.VerifyActionPermission(req, identity, s3_constants.ACTION_LIST, entry.Name, ""); errCode != s3err.ErrNone {
+				continue
+			}
+		}
+		visibleBuckets = append(visibleBuckets, entry.Name)
+	}
+
+	assert.Equal(t, []string{"policy-bucket"}, visibleBuckets)
+}