authorChris Lu <chrislusf@users.noreply.github.com>2025-11-12 22:14:50 -0800
committerGitHub <noreply@github.com>2025-11-12 22:14:50 -0800
commit508d06d9a5c763668ba149a8f1182e8552505c2b (patch)
treea34d21d801d2b71dc3c6968cbb4ff8568e0fa8da /weed/s3api/s3api_server.go
parent50f067bcfd99ecf1821ba2d34fc2f109e90428bb (diff)
S3: Enforce bucket policy (#7471)
* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
Diffstat (limited to 'weed/s3api/s3api_server.go')
-rw-r--r--weed/s3api/s3api_server.go19
1 files changed, 19 insertions, 0 deletions
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index e21886c57..5a06be720 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
@@ -59,6 +59,7 @@ type S3ApiServer struct {
bucketRegistry *BucketRegistry
credentialManager *credential.CredentialManager
bucketConfigCache *BucketConfigCache
+ policyEngine *BucketPolicyEngine // Engine for evaluating bucket policies
}
func NewS3ApiServer(router *mux.Router, option *S3ApiServerOption) (s3ApiServer *S3ApiServer, err error) {
@@ -97,8 +98,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
cb: NewCircuitBreaker(option),
credentialManager: iam.credentialManager,
bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
+ policyEngine: NewBucketPolicyEngine(), // Initialize bucket policy engine
}
+ // Link IAM back to server for bucket policy evaluation
+ iam.s3ApiServer = s3ApiServer
+
// Initialize advanced IAM system if config is provided
if option.IamConfig != "" {
glog.V(0).Infof("Loading advanced IAM configuration from: %s", option.IamConfig)
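Review bot: `policyEngine: NewBucketPolicyEngine()` starts the engine with no policies, and nothing in this constructor loads bucket policies already persisted for existing buckets; I cannot see from this file whether that happens elsewhere (for example lazily from bucketConfigCache). Since a bucket with no loaded policy falls through to IAM checks per the commit description, any window before a stored policy is synced would silently skip an explicit Deny, so this deserves either a startup sync or at least a field comment such as `// policyEngine starts empty; bucket policies must be synced via syncBucketPolicyToEngine before authorization relies on them`. The back-link `iam.s3ApiServer = s3ApiServer` is also assigned before the advanced IAM config is loaded, which is only safe if the IAM object is per-server rather than shared across instances; that is not visible here. NewS3ApiServerWithStore begins outside the hunk.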
@@ -157,6 +162,20 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
return s3ApiServer, nil
}
+// syncBucketPolicyToEngine syncs a bucket policy to the policy engine
+// This helper method centralizes the logic for loading bucket policies into the engine
+// to avoid duplication and ensure consistent error handling
+func (s3a *S3ApiServer) syncBucketPolicyToEngine(bucket string, policyDoc *policy.PolicyDocument) {
+ if policyDoc != nil {
+ if err := s3a.policyEngine.LoadBucketPolicyFromCache(bucket, policyDoc); err != nil {
+ glog.Errorf("Failed to sync bucket policy for %s to policy engine: %v", bucket, err)
+ }
+ } else {
+ // No policy - ensure it's removed from engine if it was there
+ s3a.policyEngine.DeleteBucketPolicy(bucket)
+ }
+}
+
// classifyDomainNames classifies domains into path-style and virtual-host style domains.
// A domain is considered path-style if:
// 1. It contains a dot (has subdomains)
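Review bot: On a `LoadBucketPolicyFromCache` error the helper only logs, so its caller — and, if this is reached from the PutBucketPolicy path, the client — proceeds as if the new policy were in force while the engine keeps either nothing or the previous policy for the bucket; either way a tightened policy (e.g. a newly added Deny) is silently not enforced, which contradicts the commit's stated fail-close intent. Return the error instead so callers can refuse the update: `func (s3a *S3ApiServer) syncBucketPolicyToEngine(bucket string, policyDoc *policy.PolicyDocument) error`, `return fmt.Errorf("loading bucket policy for bucket %s into policy engine: %w", bucket, err)` in the failure branch, and `return nil` on both success paths (fmt may need importing; the import block is outside the hunk). The header comment should also say what the engine holds after a failed load, since that is what decides whether the failure is fail-open.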