authorChris Lu <chrislusf@users.noreply.github.com>2025-12-12 13:37:31 -0800
committerGitHub <noreply@github.com>2025-12-12 13:37:31 -0800
commitb0e0c5aaabd393ca633c9c1e5d24d15d47e05bec (patch)
tree53dca39f1cc83397320e4b56aae8f400d9774c77 /weed/s3api/auth_credentials.go
parente8b734703128d206305de980988fb5a34f721eef (diff)
downloadseaweedfs-b0e0c5aaabd393ca633c9c1e5d24d15d47e05bec.tar.xz
seaweedfs-b0e0c5aaabd393ca633c9c1e5d24d15d47e05bec.zip
s3: enable auth when IAM integration is configured (#7726)
When only IAM integration is configured (via -s3.iam.config) without traditional S3 identities, the isAuthEnabled flag was not being set, causing the Auth middleware to bypass all authentication checks. This fix ensures that when SetIAMIntegration is called with a non-nil integration, isAuthEnabled is set to true, properly enforcing authentication for all requests. Added negative authentication tests: - TestS3AuthenticationDenied: tests rejection of unauthenticated, invalid, and expired JWT requests - TestS3IAMOnlyModeRejectsAnonymous: tests that IAM-only mode properly rejects anonymous requests Fixes #7724
Diffstat (limited to 'weed/s3api/auth_credentials.go')
-rw-r--r--weed/s3api/auth_credentials.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 3f4670a7e..eab237b0b 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -771,6 +771,11 @@ func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegra
iam.m.Lock()
defer iam.m.Unlock()
iam.iamIntegration = integration
+ // When IAM integration is configured, authentication must be enabled
+ // to ensure requests go through proper auth checks
+ if integration != nil {
+ iam.isAuthEnabled = true
+ }
}
// authenticateJWTWithIAM authenticates JWT tokens using the IAM integration
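Review bot: The added block in SetIAMIntegration only ever raises `isAuthEnabled`, so the fix holds only while no other writer of that flag can lower it afterwards. Any path outside this hunk that recomputes the flag from the loaded identities (a configuration reload, for example; none is visible here, so this needs checking) would reopen the anonymous bypass for IAM-only deployments. I would state the invariant in the added comment, e.g. `// Invariant: isAuthEnabled stays true while iamIntegration != nil; other writers must not clear it.`, or have the auth check consult both fields. Passing a nil integration leaves the flag unchanged, which is the fail-closed choice and worth saying in the same comment. The function's signature is outside the hunk, visible only in the `@@` header.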