gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0503311ded74eaac05d217aeb18da49c5ad505bc
seaweedFS/weed/s3api/s3_action_resolver.go
Chris Lu 059bee683f feat(s3): add STS GetFederationToken support (#8891) 
* feat(s3): add STS GetFederationToken support

Implement the AWS STS GetFederationToken API, which allows long-term IAM
users to obtain temporary credentials scoped down by an optional inline
session policy. This is useful for server-side applications that mint
per-user temporary credentials.

Key behaviors:
- Requires SigV4 authentication from a long-term IAM user
- Rejects calls from temporary credentials (session tokens)
- Name parameter (2-64 chars) identifies the federated user
- DurationSeconds supports 900-129600 (15 min to 36 hours, default 12h)
- Optional inline session policy for permission scoping
- Caller's attached policies are embedded in the JWT token
- Returns federated user ARN: arn:aws:sts::<account>:federated-user/<Name>

No performance impact on the S3 hot path — credential vending is a
separate control-plane operation, and all policy data is embedded in
the stateless JWT token.

* fix(s3): address GetFederationToken PR review feedback

- Fix Name validation: max 32 chars (not 64) per AWS spec, add regex
  validation for [\w+=,.@-]+ character whitelist
- Refactor parseDurationSeconds into parseDurationSecondsWithBounds to
  eliminate duplicated duration parsing logic
- Add sts:GetFederationToken permission check via VerifyActionPermission
  mirroring the AssumeRole authorization pattern
- Change GetPoliciesForUser to return ([]string, error) so callers fail
  closed on policy-resolution failures instead of silently returning nil
- Move temporary-credentials rejection before SigV4 verification for
  early rejection and proper test coverage
- Update tests: verify specific error message for temp cred rejection,
  add regex validation test cases (spaces, slashes rejected)

* refactor(s3): use sts.Action* constants instead of hard-coded strings

Replace hard-coded "sts:AssumeRole" and "sts:GetFederationToken" strings
in VerifyActionPermission calls with sts.ActionAssumeRole and
sts.ActionGetFederationToken package constants.

* fix(s3): pass through sts: prefix in action resolver and merge policies

Two fixes:

1. mapBaseActionToS3Format now passes through "sts:" prefix alongside
   "s3:" and "iam:", preventing sts:GetFederationToken from being
   rewritten to s3:sts:GetFederationToken in VerifyActionPermission.
   This also fixes the existing sts:AssumeRole permission checks.

2. GetFederationToken policy embedding now merges identity.PolicyNames
   (from SigV4 identity) with policies from the IAM manager (which may
   include group-attached policies), deduplicated via a map. Previously
   the IAM manager lookup was skipped when identity.PolicyNames was
   non-empty, causing group policies to be omitted from the token.

* test(s3): add integration tests for sts: action passthrough and policy merge

Action resolver tests:
- TestMapBaseActionToS3Format_ServicePrefixPassthrough: verifies s3:, iam:,
  and sts: prefixed actions pass through unchanged while coarse actions
  (Read, Write) are mapped to S3 format
- TestResolveS3Action_STSActionsPassthrough: verifies sts:AssumeRole,
  sts:GetFederationToken, sts:GetCallerIdentity pass through ResolveS3Action
  unchanged with both nil and real HTTP requests

Policy merge tests:
- TestGetFederationToken_GetPoliciesForUser: tests IAMManager.GetPoliciesForUser
  with no user store (error), missing user, user with policies, user without
- TestGetFederationToken_PolicyMergeAndDedup: tests that identity.PolicyNames
  and IAM-manager-resolved policies are merged and deduplicated (SharedPolicy
  appears in both sources, result has 3 unique policies)
- TestGetFederationToken_PolicyMergeNoManager: tests that when IAM manager is
  unavailable, identity.PolicyNames alone are embedded

* test(s3): add end-to-end integration tests for GetFederationToken

Add integration tests that call GetFederationToken using real AWS SigV4
signed HTTP requests against a running SeaweedFS instance, following the
existing pattern in test/s3/iam/s3_sts_assume_role_test.go.

Tests:
- TestSTSGetFederationTokenValidation: missing name, name too short/long,
  invalid characters, duration too short/long, malformed policy, anonymous
  rejection (7 subtests)
- TestSTSGetFederationTokenRejectTemporaryCredentials: obtains temp creds
  via AssumeRole then verifies GetFederationToken rejects them
- TestSTSGetFederationTokenSuccess: basic success, custom 1h duration,
  36h max duration with expiration time verification
- TestSTSGetFederationTokenWithSessionPolicy: creates a bucket, obtains
  federated creds with GetObject-only session policy, verifies GetObject
  succeeds and PutObject is denied using the AWS SDK S3 client
2026-04-02 17:37:05 -07:00

342 lines
12 KiB
Go
Raw Blame History

package s3api
import (
"net/http"
"net/url"
"strings"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
)
// ResolveS3Action determines the specific S3 action from HTTP request context.
// This is the unified implementation used by both the bucket policy engine
// and the IAM integration for consistent action resolution.
//
// It examines the HTTP method, path, query parameters, and headers to determine
// the most specific S3 action string (e.g., "s3:DeleteObject", "s3:PutObjectTagging").
//
// Parameters:
// - r: HTTP request containing method, URL, query params, and headers
// - baseAction: Coarse-grained action constant (e.g., ACTION_WRITE, ACTION_READ)
// - bucket: Bucket name from the request path
// - object: Object key from the request path (may be empty for bucket operations)
//
// Returns:
// - Specific S3 action string (e.g., "s3:DeleteObject")
// - Falls back to base action mapping if no specific resolution is possible
// - Always returns a valid S3 action string (never empty)
func ResolveS3Action(r *http.Request, baseAction string, bucket string, object string) string {
if r == nil || r.URL == nil {
// No HTTP context available: fall back to coarse-grained mapping
// This ensures consistent behavior and avoids returning empty strings
return mapBaseActionToS3Format(baseAction)
}
method := r.Method
query := r.URL.Query()
// Determine if this is an object or bucket operation
// Note: "/" is treated as bucket-level, not object-level
hasObject := object != "" && object != "/"
// Priority 1: Check for specific query parameters that indicate specific actions
// These override everything else because they explicitly indicate the operation type
if action := resolveFromQueryParameters(query, method, hasObject); action != "" {
return action
}
// Priority 2: Handle basic operations based on method and resource type
// Only use the result if a specific action was resolved; otherwise fall through to Priority 3
if hasObject {
if action := resolveObjectLevelAction(method, baseAction); action != "" {
return action
}
} else if bucket != "" {
if action := resolveBucketLevelAction(method, baseAction); action != "" {
return action
}
}
// Priority 3: Fallback to legacy action mapping
return mapBaseActionToS3Format(baseAction)
}
// bucketQueryActions maps bucket-level query parameters to their corresponding S3 actions by HTTP method
var bucketQueryActions = map[string]map[string]string{
"policy": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_POLICY,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_POLICY,
http.MethodDelete: s3_constants.S3_ACTION_DELETE_BUCKET_POLICY,
},
"cors": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_CORS,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_CORS,
http.MethodDelete: s3_constants.S3_ACTION_DELETE_BUCKET_CORS,
},
"lifecycle": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_LIFECYCLE,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_LIFECYCLE,
http.MethodDelete: s3_constants.S3_ACTION_PUT_BUCKET_LIFECYCLE, // DELETE uses same permission as PUT
},
"versioning": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_VERSIONING,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_VERSIONING,
},
"notification": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_NOTIFICATION,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_NOTIFICATION,
},
"object-lock": {
http.MethodGet: s3_constants.S3_ACTION_GET_BUCKET_OBJECT_LOCK,
http.MethodPut: s3_constants.S3_ACTION_PUT_BUCKET_OBJECT_LOCK,
},
}
// resolveFromQueryParameters checks query parameters to determine specific S3 actions
func resolveFromQueryParameters(query url.Values, method string, hasObject bool) string {
// Multipart upload operations with uploadId parameter (object-level only)
// All multipart operations require an object in the path
if hasObject && query.Has("uploadId") {
switch method {
case http.MethodPut:
if query.Has("partNumber") {
return s3_constants.S3_ACTION_UPLOAD_PART
}
case http.MethodPost:
return s3_constants.S3_ACTION_COMPLETE_MULTIPART
case http.MethodDelete:
return s3_constants.S3_ACTION_ABORT_MULTIPART
case http.MethodGet:
return s3_constants.S3_ACTION_LIST_PARTS
}
}
// Multipart upload operations
// CreateMultipartUpload: POST /bucket/object?uploads (object-level)
// ListMultipartUploads: GET /bucket?uploads (bucket-level)
if query.Has("uploads") {
if method == http.MethodPost && hasObject {
return s3_constants.S3_ACTION_CREATE_MULTIPART
} else if method == http.MethodGet && !hasObject {
return s3_constants.S3_ACTION_LIST_MULTIPART_UPLOADS
}
}
// ACL operations
if query.Has("acl") {
switch method {
case http.MethodGet, http.MethodHead:
if hasObject {
return s3_constants.S3_ACTION_GET_OBJECT_ACL
}
return s3_constants.S3_ACTION_GET_BUCKET_ACL
case http.MethodPut:
if hasObject {
return s3_constants.S3_ACTION_PUT_OBJECT_ACL
}
return s3_constants.S3_ACTION_PUT_BUCKET_ACL
}
}
// Tagging operations
if query.Has("tagging") {
switch method {
case http.MethodGet:
if hasObject {
return s3_constants.S3_ACTION_GET_OBJECT_TAGGING
}
return s3_constants.S3_ACTION_GET_BUCKET_TAGGING
case http.MethodPut:
if hasObject {
return s3_constants.S3_ACTION_PUT_OBJECT_TAGGING
}
return s3_constants.S3_ACTION_PUT_BUCKET_TAGGING
case http.MethodDelete:
if hasObject {
return s3_constants.S3_ACTION_DELETE_OBJECT_TAGGING
}
return s3_constants.S3_ACTION_DELETE_BUCKET_TAGGING
}
}
// GetObjectAttributes (object-level only)
// Must be checked before versionId, because GET /bucket/key?attributes&versionId=xyz
// is a GetObjectAttributes request, not a GetObjectVersion request
if hasObject && query.Has("attributes") && method == http.MethodGet {
return s3_constants.S3_ACTION_GET_OBJECT_ATTRIBUTES
}
// Versioning operations - distinguish between versionId (specific version) and versions (list versions)
// versionId: Used to access/delete a specific version of an object (e.g., GET /bucket/key?versionId=xyz)
if query.Has("versionId") {
if hasObject {
switch method {
case http.MethodGet, http.MethodHead:
return s3_constants.S3_ACTION_GET_OBJECT_VERSION
case http.MethodDelete:
return s3_constants.S3_ACTION_DELETE_OBJECT_VERSION
}
}
}
// versions: Used to list all versions of objects in a bucket (e.g., GET /bucket?versions)
if query.Has("versions") {
if method == http.MethodGet && !hasObject {
return s3_constants.S3_ACTION_LIST_BUCKET_VERSIONS
}
}
// Check bucket-level query parameters using data-driven approach
// These are strictly bucket-level operations, so only apply when !hasObject
if !hasObject {
for param, actions := range bucketQueryActions {
if query.Has(param) {
if action, ok := actions[method]; ok {
return action
}
}
}
}
// Location (GET only, bucket-level)
if query.Has("location") && method == http.MethodGet && !hasObject {
return s3_constants.S3_ACTION_GET_BUCKET_LOCATION
}
// Object retention and legal hold operations (object-level only)
if hasObject {
if query.Has("retention") {
switch method {
case http.MethodGet:
return s3_constants.S3_ACTION_GET_OBJECT_RETENTION
case http.MethodPut:
return s3_constants.S3_ACTION_PUT_OBJECT_RETENTION
}
}
if query.Has("legal-hold") {
switch method {
case http.MethodGet:
return s3_constants.S3_ACTION_GET_OBJECT_LEGAL_HOLD
case http.MethodPut:
return s3_constants.S3_ACTION_PUT_OBJECT_LEGAL_HOLD
}
}
}
// Batch delete - POST request with delete query parameter (bucket-level operation)
// Example: POST /bucket?delete (not POST /bucket/object?delete)
if query.Has("delete") && method == http.MethodPost && !hasObject {
return s3_constants.S3_ACTION_DELETE_OBJECT
}
return ""
}
// resolveObjectLevelAction determines the S3 action for object-level operations
func resolveObjectLevelAction(method string, baseAction string) string {
switch method {
case http.MethodGet, http.MethodHead:
if baseAction == s3_constants.ACTION_READ {
return s3_constants.S3_ACTION_GET_OBJECT
}
case http.MethodPut:
if baseAction == s3_constants.ACTION_WRITE {
// Note: CopyObject operations also use s3:PutObject permission (same as MinIO/AWS)
// Copy requires s3:PutObject on destination and s3:GetObject on source
return s3_constants.S3_ACTION_PUT_OBJECT
}
case http.MethodDelete:
// CRITICAL: Map DELETE method to s3:DeleteObject
// This fixes the architectural limitation where ACTION_WRITE was mapped to s3:PutObject
if baseAction == s3_constants.ACTION_WRITE {
return s3_constants.S3_ACTION_DELETE_OBJECT
}
case http.MethodPost:
// POST without query params is typically multipart or form upload
if baseAction == s3_constants.ACTION_WRITE {
return s3_constants.S3_ACTION_PUT_OBJECT
}
}
return ""
}
// resolveBucketLevelAction determines the S3 action for bucket-level operations
func resolveBucketLevelAction(method string, baseAction string) string {
switch method {
case http.MethodGet, http.MethodHead:
if baseAction == s3_constants.ACTION_LIST || baseAction == s3_constants.ACTION_READ {
return s3_constants.S3_ACTION_LIST_BUCKET
}
case http.MethodPut:
if baseAction == s3_constants.ACTION_WRITE {
return s3_constants.S3_ACTION_CREATE_BUCKET
}
case http.MethodDelete:
if baseAction == s3_constants.ACTION_DELETE_BUCKET {
return s3_constants.S3_ACTION_DELETE_BUCKET
}
case http.MethodPost:
// POST to bucket is typically form upload
if baseAction == s3_constants.ACTION_WRITE {
return s3_constants.S3_ACTION_PUT_OBJECT
}
}
return ""
}
// mapBaseActionToS3Format converts coarse-grained base actions to S3 format
// This is the fallback when no specific resolution is found
func mapBaseActionToS3Format(baseAction string) string {
// Handle actions that already have a known service prefix
if strings.HasPrefix(baseAction, "s3:") || strings.HasPrefix(baseAction, "iam:") || strings.HasPrefix(baseAction, "sts:") {
return baseAction
}
// Map coarse-grained actions to their most common S3 equivalent
// Note: The s3_constants values ARE the string values (e.g., ACTION_READ = "Read")
switch baseAction {
case s3_constants.ACTION_READ: // "Read"
return s3_constants.S3_ACTION_GET_OBJECT
case s3_constants.ACTION_WRITE: // "Write"
return s3_constants.S3_ACTION_PUT_OBJECT
case s3_constants.ACTION_LIST: // "List"
return s3_constants.S3_ACTION_LIST_BUCKET
case s3_constants.ACTION_TAGGING: // "Tagging"
return s3_constants.S3_ACTION_PUT_OBJECT_TAGGING
case s3_constants.ACTION_ADMIN: // "Admin"
return s3_constants.S3_ACTION_ALL
case s3_constants.ACTION_READ_ACP: // "ReadAcp"
return s3_constants.S3_ACTION_GET_OBJECT_ACL
case s3_constants.ACTION_WRITE_ACP: // "WriteAcp"
return s3_constants.S3_ACTION_PUT_OBJECT_ACL
case s3_constants.ACTION_DELETE_BUCKET: // "DeleteBucket"
return s3_constants.S3_ACTION_DELETE_BUCKET
case s3_constants.ACTION_BYPASS_GOVERNANCE_RETENTION:
return s3_constants.S3_ACTION_BYPASS_GOVERNANCE
case s3_constants.ACTION_GET_OBJECT_RETENTION:
return s3_constants.S3_ACTION_GET_OBJECT_RETENTION
case s3_constants.ACTION_PUT_OBJECT_RETENTION:
return s3_constants.S3_ACTION_PUT_OBJECT_RETENTION
case s3_constants.ACTION_GET_OBJECT_LEGAL_HOLD:
return s3_constants.S3_ACTION_GET_OBJECT_LEGAL_HOLD
case s3_constants.ACTION_PUT_OBJECT_LEGAL_HOLD:
return s3_constants.S3_ACTION_PUT_OBJECT_LEGAL_HOLD
case s3_constants.ACTION_GET_BUCKET_OBJECT_LOCK_CONFIG:
return s3_constants.S3_ACTION_GET_BUCKET_OBJECT_LOCK
case s3_constants.ACTION_PUT_BUCKET_OBJECT_LOCK_CONFIG:
return s3_constants.S3_ACTION_PUT_BUCKET_OBJECT_LOCK
default:
// For unknown actions, prefix with s3: to maintain format consistency
return "s3:" + baseAction
}
}
Reference in New Issue View Git Blame Copy Permalink