d6d893c8c3
* s3: add s3:ExistingObjectTag condition support in policy engine
Add support for s3:ExistingObjectTag/<tag-key> condition keys in bucket
policies, allowing access control based on object tags.
Changes:
- Add ObjectEntry field to PolicyEvaluationArgs (entry.Extended metadata)
- Update EvaluateConditions to handle s3:ExistingObjectTag/<key> format
- Extract tag value from entry metadata using X-Amz-Tagging-<key> prefix
This enables policies like:
{
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/status": ["public"]
}
}
}
Fixes: https://github.com/seaweedfs/seaweedfs/issues/7447
* s3: update EvaluatePolicy to accept object entry for tag conditions
Update BucketPolicyEngine.EvaluatePolicy to accept objectEntry parameter
(entry.Extended metadata) for evaluating tag-based policy conditions.
Changes:
- Add objectEntry parameter to EvaluatePolicy method
- Update callers in auth_credentials.go and s3api_bucket_handlers.go
- Pass nil for objectEntry in auth layer (entry fetched later in handlers)
For tag-based conditions to work, handlers should call EvaluatePolicy
with the object's entry.Extended after fetching the entry from filer.
* s3: add tests for s3:ExistingObjectTag policy conditions
Add comprehensive tests for object tag-based policy conditions:
- TestExistingObjectTagCondition: Basic tag matching scenarios
- Matching/non-matching tag values
- Missing tags, no tags, empty tags
- Multiple tags with one matching
- TestExistingObjectTagConditionMultipleTags: Multiple tag conditions
- Both tags match
- Only one tag matches
- TestExistingObjectTagDenyPolicy: Deny policies with tag conditions
- Default allow without tag
- Deny when specific tag present
* s3: document s3:ExistingObjectTag support and feature status
Update policy engine documentation:
- Add s3:ExistingObjectTag/<tag-key> to supported condition keys
- Add 'Object Tag-Based Access Control' section with examples
- Add 'Feature Status' section with implemented and planned features
Planned features for future implementation:
- s3:RequestObjectTag/<key>
- s3:RequestObjectTagKeys
- s3:x-amz-server-side-encryption
- Cross-account access
* Implement tag-based policy re-check in handlers
- Add checkPolicyWithEntry helper to S3ApiServer for handlers to re-check
policy after fetching object entry (for s3:ExistingObjectTag conditions)
- Add HasPolicyForBucket method to policy engine for efficient check
- Integrate policy re-check in GetObjectHandler after entry is fetched
- Integrate policy re-check in HeadObjectHandler after entry is fetched
- Update auth_credentials.go comments to explain two-phase evaluation
- Update documentation with supported operations for tag-based conditions
This implements 'Approach 1' where handlers re-check the policy with
the object entry after fetching it, allowing tag-based conditions to
be properly evaluated.
* Add integration tests for s3:ExistingObjectTag conditions
- Add TestCheckPolicyWithEntry: tests checkPolicyWithEntry helper with various
tag scenarios (matching tags, non-matching tags, empty entry, nil entry)
- Add TestCheckPolicyWithEntryNoPolicyForBucket: tests early return when no policy
- Add TestCheckPolicyWithEntryNilPolicyEngine: tests nil engine handling
- Add TestCheckPolicyWithEntryDenyPolicy: tests deny policies with tag conditions
- Add TestHasPolicyForBucket: tests HasPolicyForBucket method
These tests cover the Phase 2 policy evaluation with object entry metadata,
ensuring tag-based conditions are properly evaluated.
* Address code review nitpicks
- Remove unused extractObjectTags placeholder function (engine.go)
- Add clarifying comment about s3:ExistingObjectTag/<key> evaluation
- Consolidate duplicate tag-based examples in README
- Factor out tagsToEntry helper to package level in tests
* Address code review feedback
- Fix unsafe type assertions in GetObjectHandler and HeadObjectHandler
when getting identity from context (properly handle type assertion failure)
- Extract getConditionContextValue helper to eliminate duplicated logic
between EvaluateConditions and EvaluateConditionsLegacy
- Ensure consistent handling of missing condition keys (always return
empty slice)
* Fix GetObjectHandler to match HeadObjectHandler pattern
Add safety check for nil objectEntryForSSE before tag-based policy
evaluation, ensuring tag-based conditions are always evaluated rather
than silently skipped if entry is unexpectedly nil.
Addresses review comment from Copilot.
* Fix HeadObject action name in docs for consistency
Change 'HeadObject' to 's3:HeadObject' to match other action names.
* Extract recheckPolicyWithObjectEntry helper to reduce duplication
Move the repeated identity extraction and policy re-check logic from
GetObjectHandler and HeadObjectHandler into a shared helper method.
* Add validation for empty tag key in s3:ExistingObjectTag condition
Prevent potential issues with malformed policies containing
s3:ExistingObjectTag/ (empty tag key after slash).
154 lines
5.5 KiB
Go
154 lines
5.5 KiB
Go
package s3api
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
"github.com/seaweedfs/seaweedfs/weed/iam/policy"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
|
)
|
|
|
|
// BucketPolicyEngine wraps the policy_engine to provide bucket policy evaluation
|
|
type BucketPolicyEngine struct {
|
|
engine *policy_engine.PolicyEngine
|
|
}
|
|
|
|
// NewBucketPolicyEngine creates a new bucket policy engine
|
|
func NewBucketPolicyEngine() *BucketPolicyEngine {
|
|
return &BucketPolicyEngine{
|
|
engine: policy_engine.NewPolicyEngine(),
|
|
}
|
|
}
|
|
|
|
// LoadBucketPolicy loads a bucket policy into the engine from the filer entry
|
|
func (bpe *BucketPolicyEngine) LoadBucketPolicy(bucket string, entry *filer_pb.Entry) error {
|
|
if entry == nil || entry.Extended == nil {
|
|
return nil
|
|
}
|
|
|
|
policyJSON, exists := entry.Extended[BUCKET_POLICY_METADATA_KEY]
|
|
if !exists || len(policyJSON) == 0 {
|
|
// No policy for this bucket - remove it if it exists
|
|
bpe.engine.DeleteBucketPolicy(bucket)
|
|
return nil
|
|
}
|
|
|
|
// Set the policy in the engine
|
|
if err := bpe.engine.SetBucketPolicy(bucket, string(policyJSON)); err != nil {
|
|
glog.Errorf("Failed to load bucket policy for %s: %v", bucket, err)
|
|
return err
|
|
}
|
|
|
|
glog.V(3).Infof("Loaded bucket policy for %s into policy engine", bucket)
|
|
return nil
|
|
}
|
|
|
|
// LoadBucketPolicyFromCache loads a bucket policy from a cached BucketConfig
|
|
//
|
|
// This function uses a type-safe conversion function to convert between
|
|
// policy.PolicyDocument and policy_engine.PolicyDocument with explicit field mapping and error handling.
|
|
func (bpe *BucketPolicyEngine) LoadBucketPolicyFromCache(bucket string, policyDoc *policy.PolicyDocument) error {
|
|
if policyDoc == nil {
|
|
// No policy for this bucket - remove it if it exists
|
|
bpe.engine.DeleteBucketPolicy(bucket)
|
|
return nil
|
|
}
|
|
|
|
// Convert policy.PolicyDocument to policy_engine.PolicyDocument without a JSON round-trip
|
|
// This removes the prior intermediate marshal/unmarshal and adds type safety
|
|
enginePolicyDoc, err := ConvertPolicyDocumentToPolicyEngine(policyDoc)
|
|
if err != nil {
|
|
glog.Errorf("Failed to convert bucket policy for %s: %v", bucket, err)
|
|
return fmt.Errorf("failed to convert bucket policy: %w", err)
|
|
}
|
|
|
|
// Marshal the converted policy to JSON for storage in the engine
|
|
policyJSON, err := json.Marshal(enginePolicyDoc)
|
|
if err != nil {
|
|
glog.Errorf("Failed to marshal bucket policy for %s: %v", bucket, err)
|
|
return err
|
|
}
|
|
|
|
// Set the policy in the engine
|
|
if err := bpe.engine.SetBucketPolicy(bucket, string(policyJSON)); err != nil {
|
|
glog.Errorf("Failed to load bucket policy for %s: %v", bucket, err)
|
|
return err
|
|
}
|
|
|
|
glog.V(4).Infof("Loaded bucket policy for %s into policy engine from cache", bucket)
|
|
return nil
|
|
}
|
|
|
|
// DeleteBucketPolicy removes a bucket policy from the engine
|
|
func (bpe *BucketPolicyEngine) DeleteBucketPolicy(bucket string) error {
|
|
return bpe.engine.DeleteBucketPolicy(bucket)
|
|
}
|
|
|
|
// HasPolicyForBucket checks if a bucket has a policy configured
|
|
func (bpe *BucketPolicyEngine) HasPolicyForBucket(bucket string) bool {
|
|
return bpe.engine.HasPolicyForBucket(bucket)
|
|
}
|
|
|
|
// EvaluatePolicy evaluates whether an action is allowed by bucket policy
|
|
//
|
|
// Parameters:
|
|
// - bucket: the bucket name
|
|
// - object: the object key (can be empty for bucket-level operations)
|
|
// - action: the action being performed (e.g., "Read", "Write")
|
|
// - principal: the principal ARN or identifier
|
|
// - r: the HTTP request (optional, used for condition evaluation and action resolution)
|
|
// - objectEntry: the object's metadata from entry.Extended (can be nil at auth time,
|
|
// should be passed when available for tag-based conditions like s3:ExistingObjectTag)
|
|
//
|
|
// Returns:
|
|
// - allowed: whether the policy allows the action
|
|
// - evaluated: whether a policy was found and evaluated (false = no policy exists)
|
|
// - error: any error during evaluation
|
|
func (bpe *BucketPolicyEngine) EvaluatePolicy(bucket, object, action, principal string, r *http.Request, objectEntry map[string][]byte) (allowed bool, evaluated bool, err error) {
|
|
// Validate required parameters
|
|
if bucket == "" {
|
|
return false, false, fmt.Errorf("bucket cannot be empty")
|
|
}
|
|
if action == "" {
|
|
return false, false, fmt.Errorf("action cannot be empty")
|
|
}
|
|
|
|
// Convert action to S3 action format
|
|
// ResolveS3Action handles nil request internally (falls back to mapBaseActionToS3Format)
|
|
s3Action := ResolveS3Action(r, action, bucket, object)
|
|
|
|
// Build resource ARN
|
|
resource := buildResourceARN(bucket, object)
|
|
|
|
glog.V(4).Infof("EvaluatePolicy: bucket=%s, resource=%s, action=%s, principal=%s",
|
|
bucket, resource, s3Action, principal)
|
|
|
|
// Evaluate using the policy engine
|
|
args := &policy_engine.PolicyEvaluationArgs{
|
|
Action: s3Action,
|
|
Resource: resource,
|
|
Principal: principal,
|
|
ObjectEntry: objectEntry,
|
|
}
|
|
|
|
result := bpe.engine.EvaluatePolicy(bucket, args)
|
|
|
|
switch result {
|
|
case policy_engine.PolicyResultAllow:
|
|
glog.V(3).Infof("EvaluatePolicy: ALLOW - bucket=%s, action=%s, principal=%s", bucket, s3Action, principal)
|
|
return true, true, nil
|
|
case policy_engine.PolicyResultDeny:
|
|
glog.V(3).Infof("EvaluatePolicy: DENY - bucket=%s, action=%s, principal=%s", bucket, s3Action, principal)
|
|
return false, true, nil
|
|
case policy_engine.PolicyResultIndeterminate:
|
|
// No policy exists for this bucket
|
|
glog.V(4).Infof("EvaluatePolicy: INDETERMINATE (no policy) - bucket=%s", bucket)
|
|
return false, false, nil
|
|
default:
|
|
return false, false, fmt.Errorf("unknown policy result: %v", result)
|
|
}
|
|
}
|