authorchrislu <chris.lu@gmail.com>2025-12-09 00:36:41 -0800
committerchrislu <chris.lu@gmail.com>2025-12-09 00:36:41 -0800
commit6079a0ae210ea0648d4a9ca44eafe7df8f40db99 (patch)
tree1a784b2676eaa54f8c29b6c3d23a110f5e9fe02c /weed/s3api/s3api_object_handlers.go
parentd93c90fdb3d6123ad9398bb595fb4bf16d5918a7 (diff)
Address code review feedback
- Fix unsafe type assertions in GetObjectHandler and HeadObjectHandler when getting identity from context (properly handle type assertion failure)
- Extract getConditionContextValue helper to eliminate duplicated logic between EvaluateConditions and EvaluateConditionsLegacy
- Ensure consistent handling of missing condition keys (always return empty slice)
Diffstat (limited to 'weed/s3api/s3api_object_handlers.go')
-rw-r--r--weed/s3api/s3api_object_handlers.go24
1 files changed, 22 insertions, 2 deletions
diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go
index 034710c3c..e9145aca0 100644
--- a/weed/s3api/s3api_object_handlers.go
+++ b/weed/s3api/s3api_object_handlers.go
@@ -636,7 +636,17 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request)
// Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag)
if objectEntryForSSE != nil {
- identity, _ := s3_constants.GetIdentityFromContext(r).(*Identity)
+ identityRaw := s3_constants.GetIdentityFromContext(r)
+ var identity *Identity
+ if identityRaw != nil {
+ var ok bool
+ identity, ok = identityRaw.(*Identity)
+ if !ok {
+ glog.Errorf("GetObjectHandler: unexpected identity type in context for %s/%s", bucket, object)
+ s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
+ return
+ }
+ }
principal := buildPrincipalARN(identity)
if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
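Review bot: The new `glog.Errorf` on the failed-assertion path formats `object` with `%s`, and that value appears to come from the request, so a key containing control characters or line breaks would reach the log unescaped; the same line in the HeadObjectHandler hunk has the same issue. Quoting the key and recording the type that was actually found makes the entry safer and easier to diagnose: `glog.Errorf("GetObjectHandler: unexpected identity type %T in context for %s/%q", identityRaw, bucket, object)`. When `identityRaw` is nil, `identity` stays nil and is passed to `buildPrincipalARN`; a short comment such as `// nil identity: no authenticated caller in context` would make that intent explicit, assuming that is how `buildPrincipalARN` treats it. GetObjectHandler's body starts and ends outside the hunk.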
@@ -2198,7 +2208,17 @@ func (s3a *S3ApiServer) HeadObjectHandler(w http.ResponseWriter, r *http.Request
}
// Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag)
- identity, _ := s3_constants.GetIdentityFromContext(r).(*Identity)
+ identityRaw := s3_constants.GetIdentityFromContext(r)
+ var identity *Identity
+ if identityRaw != nil {
+ var ok bool
+ identity, ok = identityRaw.(*Identity)
+ if !ok {
+ glog.Errorf("HeadObjectHandler: unexpected identity type in context for %s/%s", bucket, object)
+ s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
+ return
+ }
+ }
principal := buildPrincipalARN(identity)
if errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, string(s3_constants.ACTION_READ), principal, objectEntryForSSE.Extended); errCode != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, errCode)
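Review bot: The identity lookup added here duplicates, line for line, the block added to GetObjectHandler in the same commit, differing only in the log prefix. Because this lookup decides which principal the bucket-policy re-check runs as, the fail-closed handling is better kept in one helper so the two handlers cannot drift apart. The sketch below uses a proposed helper name, and assumes `GetIdentityFromContext` returns an interface value, as the type assertion in the hunk implies. HeadObjectHandler's body starts and ends outside the hunk.

```go
// identityFromRequest returns the *Identity stored in the request context.
// A missing identity yields (nil, true); a value of any other type yields
// (nil, false) so the caller can fail closed.
func identityFromRequest(r *http.Request) (*Identity, bool) {
	raw := s3_constants.GetIdentityFromContext(r)
	if raw == nil {
		return nil, true
	}
	identity, ok := raw.(*Identity)
	return identity, ok
}

// in HeadObjectHandler (and likewise in GetObjectHandler):
identity, ok := identityFromRequest(r)
if !ok {
	glog.Errorf("HeadObjectHandler: unexpected identity type in context for %s/%s", bucket, object)
	s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
	return
}
principal := buildPrincipalARN(identity)
// … unchanged: checkPolicyWithEntry call and error response …
```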