diff options
| author | chrislu <chris.lu@gmail.com> | 2025-12-09 00:17:29 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 00:17:29 -0800 |
| commit | 4e6e7b6ac5eaf340a8755882c147fb2d7fac2714 (patch) | |
| tree | e133355e2651d0af1292cae57f264e642534db64 /weed/s3api/s3api_server.go | |
| parent | 50eba1ecf8fc7ec46fb5f4e410cee4ee835828f5 (diff) | |
| download | seaweedfs-4e6e7b6ac5eaf340a8755882c147fb2d7fac2714.tar.xz seaweedfs-4e6e7b6ac5eaf340a8755882c147fb2d7fac2714.zip | |
Implement tag-based policy re-check in handlers
- Add checkPolicyWithEntry helper to S3ApiServer for handlers to re-check
policy after fetching object entry (for s3:ExistingObjectTag conditions)
- Add HasPolicyForBucket method to policy engine for efficient check
- Integrate policy re-check in GetObjectHandler after entry is fetched
- Integrate policy re-check in HeadObjectHandler after entry is fetched
- Update auth_credentials.go comments to explain two-phase evaluation
- Update documentation with supported operations for tag-based conditions
This implements 'Approach 1' where handlers re-check the policy with
the object entry after fetching it, allowing tag-based conditions to
be properly evaluated.
Diffstat (limited to 'weed/s3api/s3api_server.go')
| -rw-r--r-- | weed/s3api/s3api_server.go | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go index 939c891c3..ac277f778 100644 --- a/weed/s3api/s3api_server.go +++ b/weed/s3api/s3api_server.go @@ -252,6 +252,41 @@ func (s3a *S3ApiServer) syncBucketPolicyToEngine(bucket string, policyDoc *polic } } +// checkPolicyWithEntry re-evaluates bucket policy with the object entry metadata. +// This is used by handlers after fetching the entry to enforce tag-based conditions +// like s3:ExistingObjectTag/<key>. +// +// Returns: +// - s3err.ErrCode: ErrNone if allowed, ErrAccessDenied if denied +// - bool: true if policy was evaluated (has policy for bucket), false if no policy +func (s3a *S3ApiServer) checkPolicyWithEntry(r *http.Request, bucket, object, action, principal string, objectEntry map[string][]byte) (s3err.ErrorCode, bool) { + if s3a.policyEngine == nil { + return s3err.ErrNone, false + } + + // Skip if no policy for this bucket + if !s3a.policyEngine.HasPolicyForBucket(bucket) { + return s3err.ErrNone, false + } + + allowed, evaluated, err := s3a.policyEngine.EvaluatePolicy(bucket, object, action, principal, r, objectEntry) + if err != nil { + glog.Errorf("checkPolicyWithEntry: error evaluating policy for %s/%s: %v", bucket, object, err) + return s3err.ErrInternalError, true + } + + if !evaluated { + return s3err.ErrNone, false + } + + if !allowed { + glog.V(3).Infof("checkPolicyWithEntry: policy denied access to %s/%s for principal %s", bucket, object, principal) + return s3err.ErrAccessDenied, true + } + + return s3err.ErrNone, true +} + // classifyDomainNames classifies domains into path-style and virtual-host style domains. // A domain is considered path-style if: // 1. It contains a dot (has subdomains) |