path: root/weed/s3api/s3api_bucket_handlers.go
authorChris Lu <chrislusf@users.noreply.github.com>2025-07-13 16:21:36 -0700
committerGitHub <noreply@github.com>2025-07-13 16:21:36 -0700
commit7cb1ca13082568bfdcdab974d8cefddf650443c5 (patch)
tree573b5e15d080d37b9312cade4151da9e3fb7ddee /weed/s3api/s3api_bucket_handlers.go
parent1549ee2e154ab040e211ac7b3bc361272069abef (diff)
downloadseaweedfs-7cb1ca13082568bfdcdab974d8cefddf650443c5.tar.xz
seaweedfs-7cb1ca13082568bfdcdab974d8cefddf650443c5.zip
Add policy engine (#6970)
Diffstat (limited to 'weed/s3api/s3api_bucket_handlers.go')
-rw-r--r--weed/s3api/s3api_bucket_handlers.go19
1 files changed, 17 insertions, 2 deletions
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index e5d1ec6ad..ecc6af2ac 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -225,10 +225,11 @@ func (s3a *S3ApiServer) checkBucket(r *http.Request, bucket string) s3err.ErrorC
}
func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
- isAdmin := r.Header.Get(s3_constants.AmzIsAdmin) != ""
- if isAdmin {
+ // Check if user is properly authenticated as admin through IAM system
+ if s3a.isUserAdmin(r) {
return true
}
+
if entry.Extended == nil {
return true
}
@@ -243,6 +244,20 @@ func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool {
return true
}
+// isUserAdmin securely checks if the authenticated user is an admin
+// This validates admin status through proper IAM authentication, not spoofable headers
+func (s3a *S3ApiServer) isUserAdmin(r *http.Request) bool {
+ // Use a minimal admin action to authenticate and check admin status
+ adminAction := Action("Admin")
+ identity, errCode := s3a.iam.authRequest(r, adminAction)
+ if errCode != s3err.ErrNone {
+ return false
+ }
+
+ // Check if the authenticated identity has admin privileges
+ return identity != nil && identity.isAdmin()
+}
+
// GetBucketAclHandler Get Bucket ACL
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html
func (s3a *S3ApiServer) GetBucketAclHandler(w http.ResponseWriter, r *http.Request) {
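Review bot: isUserAdmin re-runs a full request authentication through `s3a.iam.authRequest(r, adminAction)` on every call, and hasAccess in the first hunk now invokes it on each access check, so a request that already passed the handler's authentication is verified a second time; if authRequest computes a body-dependent signature (streaming or chunked uploads), the second pass may operate on an already-consumed body — worth confirming against authRequest, which is outside this hunk. The `errCode != s3err.ErrNone` branch discards the code, so an IAM misconfiguration surfaces only as a generic access denial; a debug-level log of errCode before `return false` would make that diagnosable without leaking anything to the client. The doc comment should also state the cost and the fallback, e.g. `// isUserAdmin re-authenticates r against the IAM system and returns false on any auth failure; it never consults request headers.` If the authenticated Identity is already attached to the request context by the auth layer, reusing it here would avoid the duplicate signature check entirely.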