aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/s3api_server.go
diff options
context:
space:
mode:
authorchrislu <chris.lu@gmail.com>2025-12-09 08:38:31 -0800
committerchrislu <chris.lu@gmail.com>2025-12-09 08:38:31 -0800
commit852173f64880a960cecc50c5128f185d1d6ae046 (patch)
tree26b7bd0b6285b8548de04da663704d39a039c2a4 /weed/s3api/s3api_server.go
parent38e5871c3bc42da13057cfcb015bf49c6308c4dd (diff)
downloadseaweedfs-852173f64880a960cecc50c5128f185d1d6ae046.tar.xz
seaweedfs-852173f64880a960cecc50c5128f185d1d6ae046.zip
Extract recheckPolicyWithObjectEntry helper to reduce duplication
Move the repeated identity extraction and policy re-check logic from GetObjectHandler and HeadObjectHandler into a shared helper method.
Diffstat (limited to 'weed/s3api/s3api_server.go')
-rw-r--r--weed/s3api/s3api_server.go21
1 files changed, 21 insertions, 0 deletions
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index ac277f778..94321814e 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -287,6 +287,27 @@ func (s3a *S3ApiServer) checkPolicyWithEntry(r *http.Request, bucket, object, ac
return s3err.ErrNone, true
}
+// recheckPolicyWithObjectEntry performs the second phase of policy evaluation after
+// an object's entry is fetched. It extracts identity from context and checks for
+// tag-based conditions like s3:ExistingObjectTag/<key>.
+//
+// Returns s3err.ErrNone if allowed, or an error code if denied or on error.
+func (s3a *S3ApiServer) recheckPolicyWithObjectEntry(r *http.Request, bucket, object, action string, objectEntry map[string][]byte, handlerName string) s3err.ErrorCode {
+ identityRaw := GetIdentityFromContext(r)
+ var identity *Identity
+ if identityRaw != nil {
+ var ok bool
+ identity, ok = identityRaw.(*Identity)
+ if !ok {
+ glog.Errorf("%s: unexpected identity type in context for %s/%s", handlerName, bucket, object)
+ return s3err.ErrInternalError
+ }
+ }
+ principal := buildPrincipalARN(identity)
+ errCode, _ := s3a.checkPolicyWithEntry(r, bucket, object, action, principal, objectEntry)
+ return errCode
+}
+
// classifyDomainNames classifies domains into path-style and virtual-host style domains.
// A domain is considered path-style if:
// 1. It contains a dot (has subdomains)
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-20 22:29:08 +0000