diff options
| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-11-12 22:14:50 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-11-12 22:14:50 -0800 |
| commit | 508d06d9a5c763668ba149a8f1182e8552505c2b (patch) | |
| tree | a34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3_iam_middleware.go | |
| parent | 50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff) | |
| download | seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.tar.xz seaweedfs-508d06d9a5c763668ba149a8f1182e8552505c2b.zip | |
S3: Enforce bucket policy (#7471)
* evaluate policies during authorization
* cache bucket policy
* refactor
* matching with regex special characters
* Case Sensitivity, pattern cache, Dead Code Removal
* Fixed Typo, Restored []string Case, Added Cache Size Limit
* hook up with policy engine
* remove old implementation
* action mapping
* validate
* if not specified, fall through to IAM checks
* fmt
* Fail-close on policy evaluation errors
* Explicit `Allow` bypasses IAM checks
* fix error message
* arn:seaweed => arn:aws
* remove legacy support
* fix tests
* Clean up bucket policy after this test
* fix for tests
* address comments
* security fixes
* fix tests
* temp comment out
Diffstat (limited to 'weed/s3api/s3_iam_middleware.go')
| -rw-r--r-- | weed/s3api/s3_iam_middleware.go | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/weed/s3api/s3_iam_middleware.go b/weed/s3api/s3_iam_middleware.go index 857123d7b..230b2d2cb 100644 --- a/weed/s3api/s3_iam_middleware.go +++ b/weed/s3api/s3_iam_middleware.go @@ -139,7 +139,7 @@ func (s3iam *S3IAMIntegration) AuthenticateJWT(ctx context.Context, r *http.Requ parts := strings.Split(roleName, "/") roleNameOnly = parts[len(parts)-1] } - principalArn = fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleNameOnly, sessionName) + principalArn = fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleNameOnly, sessionName) } // Validate the JWT token directly using STS service (avoid circular dependency) @@ -238,11 +238,11 @@ type MockAssumedRoleUser struct { // buildS3ResourceArn builds an S3 resource ARN from bucket and object func buildS3ResourceArn(bucket string, objectKey string) string { if bucket == "" { - return "arn:seaweed:s3:::*" + return "arn:aws:s3:::*" } if objectKey == "" || objectKey == "/" { - return "arn:seaweed:s3:::" + bucket + return "arn:aws:s3:::" + bucket } // Remove leading slash from object key if present @@ -250,7 +250,7 @@ func buildS3ResourceArn(bucket string, objectKey string) string { objectKey = objectKey[1:] } - return "arn:seaweed:s3:::" + bucket + "/" + objectKey + return "arn:aws:s3:::" + bucket + "/" + objectKey } // determineGranularS3Action determines the specific S3 IAM action based on HTTP request details |