diff options
| author | chrislu <chris.lu@gmail.com> | 2025-12-09 00:17:29 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 00:17:29 -0800 |
| commit | 4e6e7b6ac5eaf340a8755882c147fb2d7fac2714 (patch) | |
| tree | e133355e2651d0af1292cae57f264e642534db64 /weed/s3api/s3api_object_handlers.go | |
| parent | 50eba1ecf8fc7ec46fb5f4e410cee4ee835828f5 (diff) | |
| download | seaweedfs-4e6e7b6ac5eaf340a8755882c147fb2d7fac2714.tar.xz seaweedfs-4e6e7b6ac5eaf340a8755882c147fb2d7fac2714.zip | |
Implement tag-based policy re-check in handlers
- Add checkPolicyWithEntry helper to S3ApiServer for handlers to re-check
policy after fetching object entry (for s3:ExistingObjectTag conditions)
- Add HasPolicyForBucket method to policy engine for efficient check
- Integrate policy re-check in GetObjectHandler after entry is fetched
- Integrate policy re-check in HeadObjectHandler after entry is fetched
- Update auth_credentials.go comments to explain two-phase evaluation
- Update documentation with supported operations for tag-based conditions
This implements 'Approach 1' where handlers re-check the policy with
the object entry after fetching it, allowing tag-based conditions to
be properly evaluated.
Diffstat (limited to 'weed/s3api/s3api_object_handlers.go')
| -rw-r--r-- | weed/s3api/s3api_object_handlers.go | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go index 43cc4e5fc..034710c3c 100644 --- a/weed/s3api/s3api_object_handlers.go +++ b/weed/s3api/s3api_object_handlers.go @@ -634,6 +634,16 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) } entryFetchTime = time.Since(tEntryFetch) + // Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag) + if objectEntryForSSE != nil { + identity, _ := s3_constants.GetIdentityFromContext(r).(*Identity) + principal := buildPrincipalARN(identity) + if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone { + s3err.WriteErrorResponse(w, r, errCode) + return + } + } + // Check if PartNumber query parameter is present (for multipart GET requests) partNumberStr := r.URL.Query().Get("partNumber") if partNumberStr == "" { @@ -2187,6 +2197,14 @@ func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request return } + // Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag) + identity, _ := s3_constants.GetIdentityFromContext(r).(*Identity) + principal := buildPrincipalARN(identity) + if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone { + s3err.WriteErrorResponse(w, r, errCode) + return + } + // Implicit Directory Handling for s3fs Compatibility // ==================================================== // |