gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5472061231b2fa47be2e543c65bbea1a3fbc048e
seaweedFS/weed
History
Chris Lu 5472061231 Fix: Populate Claims from STS session RequestContext for policy variable substitution (#8082) 
* Fix: Populate Claims from STS session RequestContext for policy variable substitution

When using STS temporary credentials (from AssumeRoleWithWebIdentity) with
AWS Signature V4 authentication, JWT claims like preferred_username were
not available for bucket policy variable substitution (e.g., ${jwt:preferred_username}).

Root Cause:
- STS session tokens store user claims in the req_ctx field (added in PR #8079)
- validateSTSSessionToken() created Identity but didn't populate Claims field
- authorizeWithIAM() created IAMIdentity but didn't copy Claims
- Policy engine couldn't resolve ${jwt:*} variables without claims

Changes:
1. auth_signature_v4.go: Extract claims from sessionInfo.RequestContext
   and populate Identity.Claims in validateSTSSessionToken()
2. auth_credentials.go: Copy Claims when creating IAMIdentity in
   authorizeWithIAM()
3. auth_sts_identity_test.go: Add TestSTSIdentityClaimsPopulation to
   verify claims are properly populated from RequestContext

This enables bucket policies with JWT claim variables to work correctly
with STS temporary credentials obtained via AssumeRoleWithWebIdentity.

Fixes #8037

* Refactor: Idiomatic map population for STS claims
2026-01-21 18:36:24 -08:00
..
admin
copy the aws keys
2026-01-20 18:12:32 -08:00
cluster
fix: add filer fallback after consecutive connection failures (#8000)
2026-01-11 12:14:27 -08:00
command
Support for cacheMetaTtlSec option in fuse command (#8063)
2026-01-19 22:52:47 -08:00
credential
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
filer
filer: auto clean empty implicit s3 folders (#8051)
2026-01-17 22:10:15 -08:00
filer_client
Clean up logs and deprecated functions (#7339)
2025-10-17 22:11:50 -07:00
glog
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
iam
fix: propagate OIDC attributes to STS session token for IAM policies (#8079)
2026-01-21 13:27:33 -08:00
iamapi
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
images
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
kms
S3 API: Add integration with KMS providers (#7152)
2025-08-22 22:10:30 -07:00
mount
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
mq
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
notification
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
operation
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
pb
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
query
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
remote_storage
fix(gcs): resolve credential conflict in remote storage mount (#8013)
2026-01-12 12:22:42 -08:00
replication
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
s3api
Fix: Populate Claims from STS session RequestContext for policy variable substitution (#8082)
2026-01-21 18:36:24 -08:00
security
feat: Optional path-prefix and method scoping for Filer HTTP JWT (#8014)
2026-01-12 13:21:48 -08:00
sequence
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
server
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
sftpd
SFTP: support reloading user store on HUP signal (#7651)
2025-12-08 01:24:42 -08:00
shell
Fix #8040: Support '_default' keyword in collectionPattern to match default collection (#8046)
2026-01-16 12:31:48 -08:00
static
Fix Broken Links (#5287)
2024-02-14 08:26:38 -08:00
stats
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
storage
skip md5 validation if Content-MD5 is not provided
2026-01-18 15:04:56 -08:00
telemetry
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
topology
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
util
4.07
2026-01-18 15:48:09 -08:00
wdclient
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
worker
Fix maintenance worker panic and add EC integration tests (#8068)
2026-01-20 15:07:43 -08:00
Makefile
Update README and weed/Makefile (#7571)
2025-11-29 11:36:22 -08:00
weed.go
Fix the issue where fuse command on a node cannot specify multiple configuration directory paths (#7874)
2025-12-25 11:36:38 -08:00