diff options
| author | chrislu <chris.lu@gmail.com> | 2025-12-09 08:38:31 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 08:38:31 -0800 |
| commit | 852173f64880a960cecc50c5128f185d1d6ae046 (patch) | |
| tree | 26b7bd0b6285b8548de04da663704d39a039c2a4 | |
| parent | 38e5871c3bc42da13057cfcb015bf49c6308c4dd (diff) | |
| download | seaweedfs-852173f64880a960cecc50c5128f185d1d6ae046.tar.xz seaweedfs-852173f64880a960cecc50c5128f185d1d6ae046.zip | |
Extract recheckPolicyWithObjectEntry helper to reduce duplication
Move the repeated identity extraction and policy re-check logic from
GetObjectHandler and HeadObjectHandler into a shared helper method.
| -rw-r--r-- | weed/s3api/s3api_object_handlers.go | 28 | ||||
| -rw-r--r-- | weed/s3api/s3api_server.go | 21 |
2 files changed, 23 insertions, 26 deletions
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go index f42e2f3b5..bdd16195a 100644 --- a/weed/s3api/s3api_object_handlers.go +++ b/weed/s3api/s3api_object_handlers.go @@ -642,19 +642,7 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) } // Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag) - identityRaw := s3_constants.GetIdentityFromContext(r) - var identity *Identity - if identityRaw != nil { - var ok bool - identity, ok = identityRaw.(*Identity) - if !ok { - glog.Errorf("GetObjectHandler: unexpected identity type in context for %s/%s", bucket, object) - s3err.WriteErrorResponse(w, r, s3err.ErrInternalError) - return - } - } - principal := buildPrincipalARN(identity) - if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone { + if errCode := s3a.recheckPolicyWithObjectEntry(r, bucket, object, string(s3_constants.ACTION_READ), objectEntryForSSE.Extended, "GetObjectHandler"); errCode != s3err.ErrNone { s3err.WriteErrorResponse(w, r, errCode) return } @@ -2213,19 +2201,7 @@ func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request } // Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag) - identityRaw := s3_constants.GetIdentityFromContext(r) - var identity *Identity - if identityRaw != nil { - var ok bool - identity, ok = identityRaw.(*Identity) - if !ok { - glog.Errorf("HeadObjectHandler: unexpected identity type in context for %s/%s", bucket, object) - s3err.WriteErrorResponse(w, r, s3err.ErrInternalError) - return - } - } - principal := buildPrincipalARN(identity) - if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone { + if errCode := s3a.recheckPolicyWithObjectEntry(r, bucket, object, string(s3_constants.ACTION_READ), objectEntryForSSE.Extended, "HeadObjectHandler"); errCode != s3err.ErrNone { s3err.WriteErrorResponse(w, r, errCode) return } diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go index ac277f778..94321814e 100644 --- a/weed/s3api/s3api_server.go +++ b/weed/s3api/s3api_server.go @@ -287,6 +287,27 @@ func (s3a *S3ApiServer) checkPolicyWithEntry(r *http.Request, bucket, object, ac return s3err.ErrNone, true } +// recheckPolicyWithObjectEntry performs the second phase of policy evaluation after +// an object's entry is fetched. It extracts identity from context and checks for +// tag-based conditions like s3:ExistingObjectTag/<key>. +// +// Returns s3err.ErrNone if allowed, or an error code if denied or on error. +func (s3a *S3ApiServer) recheckPolicyWithObjectEntry(r *http.Request, bucket, object, action string, objectEntry map[string][]byte, handlerName string) s3err.ErrorCode { + identityRaw := GetIdentityFromContext(r) + var identity *Identity + if identityRaw != nil { + var ok bool + identity, ok = identityRaw.(*Identity) + if !ok { + glog.Errorf("%s: unexpected identity type in context for %s/%s", handlerName, bucket, object) + return s3err.ErrInternalError + } + } + principal := buildPrincipalARN(identity) + errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, action, principal, objectEntry) + return errCode +} + // classifyDomainNames classifies domains into path-style and virtual-host style domains. // A domain is considered path-style if: // 1. It contains a dot (has subdomains) |