From b0e0c5aaabd393ca633c9c1e5d24d15d47e05bec Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 12 Dec 2025 13:37:31 -0800
Subject: s3: enable auth when IAM integration is configured (#7726)
When only IAM integration is configured (via -s3.iam.config) without traditional S3 identities, the isAuthEnabled flag was not being set, causing the Auth middleware to bypass all authentication checks. This fix ensures that when SetIAMIntegration is called with a non-nil integration, isAuthEnabled is set to true, properly enforcing authentication for all requests. Added negative authentication tests:
- TestS3AuthenticationDenied: tests rejection of unauthenticated, invalid, and expired JWT requests
- TestS3IAMOnlyModeRejectsAnonymous: tests that IAM-only mode properly rejects anonymous requests
Fixes #7724
---
 weed/s3api/auth_credentials.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'weed/s3api/auth_credentials.go')
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 3f4670a7e..eab237b0b 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -771,6 +771,11 @@ func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegra
 iam.m.Lock()
 defer iam.m.Unlock()
 iam.iamIntegration = integration
+ // When IAM integration is configured, authentication must be enabled
+ // to ensure requests go through proper auth checks
+ if integration != nil {
+ iam.isAuthEnabled = true
+ }
 }
 // authenticateJWTWithIAM authenticates JWT tokens using the IAM integration
-- cgit v1.2.3
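Review bot: Enforcement in IAM-only mode now rests entirely on the mutable `iam.isAuthEnabled` flag set in SetIAMIntegration, so any other writer of that flag that recomputes it from the static identity list (a configuration reload, for instance) could silently reopen the bypass; those writers are outside this hunk and should be checked. A fail-closed alternative is to make the Auth middleware's bypass condition consult both fields, along the lines of `if !iam.isAuthEnabled && iam.iamIntegration == nil { /* unauthenticated path */ }`, so a configured integration can never coexist with skipped authentication. The flag is written here under `iam.m`; if the middleware reads it without taking that lock, that is a data race, so it is worth running the new tests with `-race`. I would also extend the added comment to record that a nil integration deliberately leaves the flag alone, e.g. `// A nil integration never disables auth: this only moves the flag from false to true.`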