diff options
| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-11-21 14:46:32 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-11-21 14:46:32 -0800 |
| commit | f125a013a8eefd15cc26b01a1a88a45381a772f9 (patch) | |
| tree | 4102feba79ebbdf5b52f66d1005c1f65c9497492 /weed/s3api/s3api_bucket_handlers.go | |
| parent | a9fefcd22cc7e35afa6c632ea307d1ae28eb7f03 (diff) | |
| download | seaweedfs-f125a013a8eefd15cc26b01a1a88a45381a772f9.tar.xz seaweedfs-f125a013a8eefd15cc26b01a1a88a45381a772f9.zip | |
S3: set identity to request context, and remove obsolete code (#7523)
* list owned buckets
* simplify
* add unit tests
* no-owner buckets
* set identity id
* fallback to request header if iam is not enabled
* refactor to test
* fix comparing
* fix security vulnerability
* Update s3api_bucket_handlers.go
* Update s3api_bucket_handlers.go
* Update s3api_bucket_handlers.go
* set identity to request context
* remove SeaweedFSIsDirectoryKey
* remove obsolete
* simplify
* reuse
* refactor or remove obsolete logic on filer
* Removed the redundant check in GetOrHeadHandler
* surfacing invalid X-Amz-Tagging as a client error
* clean up
* constant
* reuse
* multiple header values
* code reuse
* err on duplicated tag key
Diffstat (limited to 'weed/s3api/s3api_bucket_handlers.go')
| -rw-r--r-- | weed/s3api/s3api_bucket_handlers.go | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index 4222c911e..eaff6d442 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -59,12 +59,9 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques return } - identityId := "" - if identity != nil { - identityId = identity.Name - } - // Note: For unauthenticated requests, identityId remains empty. - // We never read from request headers to prevent reflecting unvalidated user input. + // Get authenticated identity from context (secure, cannot be spoofed) + // For unauthenticated requests, this returns empty string + identityId := s3_constants.GetIdentityNameFromContext(r) var listBuckets ListAllMyBucketsList for _, entry := range entries { @@ -164,7 +161,8 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request) } // Check if bucket already exists and handle ownership/settings - currentIdentityId := r.Header.Get(s3_constants.AmzIdentityId) + // Get authenticated identity from context (secure, cannot be spoofed) + currentIdentityId := s3_constants.GetIdentityNameFromContext(r) // Check collection existence first collectionExists := false @@ -247,11 +245,12 @@ func (s3a *S3ApiServer) PutBucketHandler(w http.ResponseWriter, r *http.Request) } fn := func(entry *filer_pb.Entry) { - if identityId := r.Header.Get(s3_constants.AmzIdentityId); identityId != "" { + // Reuse currentIdentityId from above (already retrieved from context) + if currentIdentityId != "" { if entry.Extended == nil { entry.Extended = make(map[string][]byte) } - entry.Extended[s3_constants.AmzIdentityId] = []byte(identityId) + entry.Extended[s3_constants.AmzIdentityId] = []byte(currentIdentityId) } } @@ -576,7 +575,8 @@ func (s3a *S3ApiServer) hasAccess(r *http.Request, entry *filer_pb.Entry) bool { return true } - identityId := r.Header.Get(s3_constants.AmzIdentityId) + // Get authenticated identity from context (secure, cannot be spoofed) + identityId := s3_constants.GetIdentityNameFromContext(r) if id, ok := entry.Extended[s3_constants.AmzIdentityId]; ok { if identityId != string(id) { glog.V(3).Infof("hasAccess: %s != %s (entry.Extended = %v)", identityId, id, entry.Extended) |