authorChris Lu <chrislusf@users.noreply.github.com>2025-11-12 23:46:52 -0800
committerGitHub <noreply@github.com>2025-11-12 23:46:52 -0800
commit2a9d4d1e23a99ddbdd4b99d3ddc3ff78cdfdf7ae (patch)
treefecb24a5439ab69f9b82f79c311305a082457e5e /weed/s3api/auth_credentials.go
parent508d06d9a5c763668ba149a8f1182e8552505c2b (diff)
Refactor data structure (#7472)
* refactor to avoid circular dependency * converts a policy.PolicyDocument to policy_engine.PolicyDocument * convert numeric types to strings * Update weed/s3api/policy_conversion.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * refactoring * not skipping numeric and boolean values in arrays * avoid nil * edge cases * handling conversion failure The handling of unsupported types in convertToString could lead to silent policy alterations. The conversion of map-based principals in convertPrincipal is too generic and could misinterpret policies. * concise * fix doc * adjust warning * recursion * return errors * reject empty principals * better error message --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Diffstat (limited to 'weed/s3api/auth_credentials.go')
-rw-r--r--weed/s3api/auth_credentials.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 7a6a706ff..85002377b 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -54,8 +54,8 @@ type IdentityAccessManagement struct {
// IAM Integration for advanced features
iamIntegration *S3IAMIntegration
- // Link to S3ApiServer for bucket policy evaluation
- s3ApiServer *S3ApiServer
+ // Bucket policy engine for evaluating bucket policies
+ policyEngine *BucketPolicyEngine
}
type Identity struct {
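Review bot: A nil `policyEngine` is treated as "no bucket policy" by the guard in the authRequest hunk (`if iam.policyEngine != nil && bucket != ""`), so a missed or late assignment of this new field would silently skip bucket-policy evaluation, explicit DENY statements included, and fall through to the IAM checks. The old code reached the engine through `s3ApiServer` at request time; the new field has to be set on IdentityAccessManagement itself, and this file's diff does not show where that happens (presumably elsewhere in the commit). I would put the contract on the field, e.g. `// policyEngine evaluates bucket policies; nil disables bucket-policy checks in authRequest, so it must be set before requests are served`, and consider logging a warning at startup when it is still nil. Both the struct and authRequest continue outside the hunks shown here.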
@@ -511,9 +511,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
// - Explicit DENY in bucket policy → immediate rejection
// - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
// - No policy or indeterminate → fall through to IAM checks
- if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
+ if iam.policyEngine != nil && bucket != "" {
principal := buildPrincipalARN(identity)
- allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
+ allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
if err != nil {
// SECURITY: Fail-close on policy evaluation errors