S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
author: Chris Lu <chrislusf@users.noreply.github.com> 2025-11-12 22:14:50 -0800
committer: GitHub <noreply@github.com> 2025-11-12 22:14:50 -0800
commit: 508d06d9a5c763668ba149a8f1182e8552505c2b (patch)
tree: a34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3_end_to_end_test.go
parent: 50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff)
download: seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.tar.xz
seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.zip
1 files changed, 13 insertions, 13 deletions
diff --git a/weed/s3api/s3_end_to_end_test.go b/weed/s3api/s3_end_to_end_test.go
index ba6d4e106..c840868fb 100644
--- a/weed/s3api/s3_end_to_end_test.go
+++ b/weed/s3api/s3_end_to_end_test.go
@@ -54,7 +54,7 @@ func TestS3EndToEndWithJWT(t *testing.T) {
 	}{
 		{
 			name:        "S3 Read-Only Role Complete Workflow",
-			roleArn:     "arn:seaweed:iam::role/S3ReadOnlyRole",
+			roleArn:     "arn:aws:iam::role/S3ReadOnlyRole",
 			sessionName: "readonly-test-session",
 			setupRole:   setupS3ReadOnlyRole,
 			s3Operations: []S3Operation{
@@ -69,7 +69,7 @@ func TestS3EndToEndWithJWT(t *testing.T) {
 		},
 		{
 			name:        "S3 Admin Role Complete Workflow",
-			roleArn:     "arn:seaweed:iam::role/S3AdminRole",
+			roleArn:     "arn:aws:iam::role/S3AdminRole",
 			sessionName: "admin-test-session",
 			setupRole:   setupS3AdminRole,
 			s3Operations: []S3Operation{
@@ -83,7 +83,7 @@ func TestS3EndToEndWithJWT(t *testing.T) {
 		},
 		{
 			name:        "S3 IP-Restricted Role",
-			roleArn:     "arn:seaweed:iam::role/S3IPRestrictedRole",
+			roleArn:     "arn:aws:iam::role/S3IPRestrictedRole",
 			sessionName: "ip-restricted-session",
 			setupRole:   setupS3IPRestrictedRole,
 			s3Operations: []S3Operation{
@@ -145,7 +145,7 @@ func TestS3MultipartUploadWithJWT(t *testing.T) {
 
 	// Assume role
 	response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
-		RoleArn:          "arn:seaweed:iam::role/S3WriteRole",
+		RoleArn:          "arn:aws:iam::role/S3WriteRole",
 		WebIdentityToken: validJWTToken,
 		RoleSessionName:  "multipart-test-session",
 	})
@@ -255,7 +255,7 @@ func TestS3PerformanceWithIAM(t *testing.T) {
 
 	// Assume role
 	response, err := iamManager.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityRequest{
-		RoleArn:          "arn:seaweed:iam::role/S3ReadOnlyRole",
+		RoleArn:          "arn:aws:iam::role/S3ReadOnlyRole",
 		WebIdentityToken: validJWTToken,
 		RoleSessionName:  "performance-test-session",
 	})
@@ -452,8 +452,8 @@ func setupS3ReadOnlyRole(ctx context.Context, manager *integration.IAMManager) {
 				Effect: "Allow",
 				Action: []string{"s3:GetObject", "s3:ListBucket", "s3:HeadObject"},
 				Resource: []string{
-					"arn:seaweed:s3:::*",
-					"arn:seaweed:s3:::*/*",
+					"arn:aws:s3:::*",
+					"arn:aws:s3:::*/*",
 				},
 			},
 			{
@@ -496,8 +496,8 @@ func setupS3AdminRole(ctx context.Context, manager *integration.IAMManager) {
 				Effect: "Allow",
 				Action: []string{"s3:*"},
 				Resource: []string{
-					"arn:seaweed:s3:::*",
-					"arn:seaweed:s3:::*/*",
+					"arn:aws:s3:::*",
+					"arn:aws:s3:::*/*",
 				},
 			},
 			{
@@ -540,8 +540,8 @@ func setupS3WriteRole(ctx context.Context, manager *integration.IAMManager) {
 				Effect: "Allow",
 				Action: []string{"s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"},
 				Resource: []string{
-					"arn:seaweed:s3:::*",
-					"arn:seaweed:s3:::*/*",
+					"arn:aws:s3:::*",
+					"arn:aws:s3:::*/*",
 				},
 			},
 			{
@@ -584,8 +584,8 @@ func setupS3IPRestrictedRole(ctx context.Context, manager *integration.IAMManage
 				Effect: "Allow",
 				Action: []string{"s3:GetObject", "s3:ListBucket"},
 				Resource: []string{
-					"arn:seaweed:s3:::*",
-					"arn:seaweed:s3:::*/*",
+					"arn:aws:s3:::*",
+					"arn:aws:s3:::*/*",
 				},
 				Condition: map[string]map[string]interface{}{
 					"IpAddress": {
author	Chris Lu <chrislusf@users.noreply.github.com>	2025-11-12 22:14:50 -0800
committer	GitHub <noreply@github.com>	2025-11-12 22:14:50 -0800
commit	508d06d9a5c763668ba149a8f1182e8552505c2b (patch)
tree	a34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3_end_to_end_test.go
parent	50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff)
download	seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.tar.xz seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.zip