From d6d893c8c374ff78bb7704b4da6666d36939bf1b Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 9 Dec 2025 09:48:13 -0800 Subject: s3: add s3:ExistingObjectTag condition support for bucket policies (#7677) * s3: add s3:ExistingObjectTag condition support in policy engine Add support for s3:ExistingObjectTag/ condition keys in bucket policies, allowing access control based on object tags. Changes: - Add ObjectEntry field to PolicyEvaluationArgs (entry.Extended metadata) - Update EvaluateConditions to handle s3:ExistingObjectTag/ format - Extract tag value from entry metadata using X-Amz-Tagging- prefix This enables policies like: { "Condition": { "StringEquals": { "s3:ExistingObjectTag/status": ["public"] } } } Fixes: https://github.com/seaweedfs/seaweedfs/issues/7447 * s3: update EvaluatePolicy to accept object entry for tag conditions Update BucketPolicyEngine.EvaluatePolicy to accept objectEntry parameter (entry.Extended metadata) for evaluating tag-based policy conditions. Changes: - Add objectEntry parameter to EvaluatePolicy method - Update callers in auth_credentials.go and s3api_bucket_handlers.go - Pass nil for objectEntry in auth layer (entry fetched later in handlers) For tag-based conditions to work, handlers should call EvaluatePolicy with the object's entry.Extended after fetching the entry from filer. * s3: add tests for s3:ExistingObjectTag policy conditions Add comprehensive tests for object tag-based policy conditions: - TestExistingObjectTagCondition: Basic tag matching scenarios - Matching/non-matching tag values - Missing tags, no tags, empty tags - Multiple tags with one matching - TestExistingObjectTagConditionMultipleTags: Multiple tag conditions - Both tags match - Only one tag matches - TestExistingObjectTagDenyPolicy: Deny policies with tag conditions - Default allow without tag - Deny when specific tag present * s3: document s3:ExistingObjectTag support and feature status Update policy engine documentation: - Add s3:ExistingObjectTag/ to supported condition keys - Add 'Object Tag-Based Access Control' section with examples - Add 'Feature Status' section with implemented and planned features Planned features for future implementation: - s3:RequestObjectTag/ - s3:RequestObjectTagKeys - s3:x-amz-server-side-encryption - Cross-account access * Implement tag-based policy re-check in handlers - Add checkPolicyWithEntry helper to S3ApiServer for handlers to re-check policy after fetching object entry (for s3:ExistingObjectTag conditions) - Add HasPolicyForBucket method to policy engine for efficient check - Integrate policy re-check in GetObjectHandler after entry is fetched - Integrate policy re-check in HeadObjectHandler after entry is fetched - Update auth_credentials.go comments to explain two-phase evaluation - Update documentation with supported operations for tag-based conditions This implements 'Approach 1' where handlers re-check the policy with the object entry after fetching it, allowing tag-based conditions to be properly evaluated. * Add integration tests for s3:ExistingObjectTag conditions - Add TestCheckPolicyWithEntry: tests checkPolicyWithEntry helper with various tag scenarios (matching tags, non-matching tags, empty entry, nil entry) - Add TestCheckPolicyWithEntryNoPolicyForBucket: tests early return when no policy - Add TestCheckPolicyWithEntryNilPolicyEngine: tests nil engine handling - Add TestCheckPolicyWithEntryDenyPolicy: tests deny policies with tag conditions - Add TestHasPolicyForBucket: tests HasPolicyForBucket method These tests cover the Phase 2 policy evaluation with object entry metadata, ensuring tag-based conditions are properly evaluated. * Address code review nitpicks - Remove unused extractObjectTags placeholder function (engine.go) - Add clarifying comment about s3:ExistingObjectTag/ evaluation - Consolidate duplicate tag-based examples in README - Factor out tagsToEntry helper to package level in tests * Address code review feedback - Fix unsafe type assertions in GetObjectHandler and HeadObjectHandler when getting identity from context (properly handle type assertion failure) - Extract getConditionContextValue helper to eliminate duplicated logic between EvaluateConditions and EvaluateConditionsLegacy - Ensure consistent handling of missing condition keys (always return empty slice) * Fix GetObjectHandler to match HeadObjectHandler pattern Add safety check for nil objectEntryForSSE before tag-based policy evaluation, ensuring tag-based conditions are always evaluated rather than silently skipped if entry is unexpectedly nil. Addresses review comment from Copilot. * Fix HeadObject action name in docs for consistency Change 'HeadObject' to 's3:HeadObject' to match other action names. * Extract recheckPolicyWithObjectEntry helper to reduce duplication Move the repeated identity extraction and policy re-check logic from GetObjectHandler and HeadObjectHandler into a shared helper method. * Add validation for empty tag key in s3:ExistingObjectTag condition Prevent potential issues with malformed policies containing s3:ExistingObjectTag/ (empty tag key after slash). --- weed/s3api/policy_engine/engine_test.go | 244 ++++++++++++++++++++++++++++++++ 1 file changed, 244 insertions(+) (limited to 'weed/s3api/policy_engine/engine_test.go') diff --git a/weed/s3api/policy_engine/engine_test.go b/weed/s3api/policy_engine/engine_test.go index 1bb36dc4a..4de537ac1 100644 --- a/weed/s3api/policy_engine/engine_test.go +++ b/weed/s3api/policy_engine/engine_test.go @@ -5,9 +5,23 @@ import ( "net/url" "testing" + "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants" "github.com/seaweedfs/seaweedfs/weed/s3api/s3err" ) +// tagsToEntry converts a map of tag key-value pairs to the entry.Extended format +// used for s3:ExistingObjectTag/ condition evaluation +func tagsToEntry(tags map[string]string) map[string][]byte { + if tags == nil { + return nil + } + entry := make(map[string][]byte) + for k, v := range tags { + entry[s3_constants.AmzObjectTaggingPrefix+k] = []byte(v) + } + return entry +} + func TestPolicyEngine(t *testing.T) { engine := NewPolicyEngine() @@ -714,3 +728,233 @@ type MockLegacyIAM struct{} func (m *MockLegacyIAM) authRequest(r *http.Request, action Action) (Identity, s3err.ErrorCode) { return nil, s3err.ErrNone } + +// TestExistingObjectTagCondition tests s3:ExistingObjectTag/ condition support +func TestExistingObjectTagCondition(t *testing.T) { + engine := NewPolicyEngine() + + // Policy that allows GetObject only for objects with specific tag + policyJSON := `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::test-bucket/*", + "Condition": { + "StringEquals": { + "s3:ExistingObjectTag/status": ["public"] + } + } + } + ] + }` + + err := engine.SetBucketPolicy("test-bucket", policyJSON) + if err != nil { + t.Fatalf("Failed to set bucket policy: %v", err) + } + + tests := []struct { + name string + objectTags map[string]string + expected PolicyEvaluationResult + }{ + { + name: "Matching tag value - should allow", + objectTags: map[string]string{"status": "public"}, + expected: PolicyResultAllow, + }, + { + name: "Non-matching tag value - should be indeterminate", + objectTags: map[string]string{"status": "private"}, + expected: PolicyResultIndeterminate, + }, + { + name: "Missing tag - should be indeterminate", + objectTags: map[string]string{"other": "value"}, + expected: PolicyResultIndeterminate, + }, + { + name: "No tags - should be indeterminate", + objectTags: nil, + expected: PolicyResultIndeterminate, + }, + { + name: "Empty tags - should be indeterminate", + objectTags: map[string]string{}, + expected: PolicyResultIndeterminate, + }, + { + name: "Multiple tags with matching one - should allow", + objectTags: map[string]string{"status": "public", "owner": "admin"}, + expected: PolicyResultAllow, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + args := &PolicyEvaluationArgs{ + Action: "s3:GetObject", + Resource: "arn:aws:s3:::test-bucket/test-object", + Principal: "*", + ObjectEntry: tagsToEntry(tt.objectTags), + } + + result := engine.EvaluatePolicy("test-bucket", args) + if result != tt.expected { + t.Errorf("Expected %v, got %v", tt.expected, result) + } + }) + } +} + +// TestExistingObjectTagConditionMultipleTags tests policies with multiple tag conditions +func TestExistingObjectTagConditionMultipleTags(t *testing.T) { + engine := NewPolicyEngine() + + // Policy that requires multiple tag conditions + policyJSON := `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::test-bucket/*", + "Condition": { + "StringEquals": { + "s3:ExistingObjectTag/status": ["public"], + "s3:ExistingObjectTag/tier": ["free", "premium"] + } + } + } + ] + }` + + err := engine.SetBucketPolicy("test-bucket", policyJSON) + if err != nil { + t.Fatalf("Failed to set bucket policy: %v", err) + } + + tests := []struct { + name string + objectTags map[string]string + expected PolicyEvaluationResult + }{ + { + name: "Both tags match - should allow", + objectTags: map[string]string{"status": "public", "tier": "free"}, + expected: PolicyResultAllow, + }, + { + name: "Both tags match (premium tier) - should allow", + objectTags: map[string]string{"status": "public", "tier": "premium"}, + expected: PolicyResultAllow, + }, + { + name: "Only status matches - should be indeterminate", + objectTags: map[string]string{"status": "public"}, + expected: PolicyResultIndeterminate, + }, + { + name: "Only tier matches - should be indeterminate", + objectTags: map[string]string{"tier": "free"}, + expected: PolicyResultIndeterminate, + }, + { + name: "Neither tag matches - should be indeterminate", + objectTags: map[string]string{"status": "private", "tier": "basic"}, + expected: PolicyResultIndeterminate, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + args := &PolicyEvaluationArgs{ + Action: "s3:GetObject", + Resource: "arn:aws:s3:::test-bucket/test-object", + Principal: "*", + ObjectEntry: tagsToEntry(tt.objectTags), + } + + result := engine.EvaluatePolicy("test-bucket", args) + if result != tt.expected { + t.Errorf("Expected %v, got %v", tt.expected, result) + } + }) + } +} + +// TestExistingObjectTagDenyPolicy tests deny policies with tag conditions +func TestExistingObjectTagDenyPolicy(t *testing.T) { + engine := NewPolicyEngine() + + // Policy that denies access to objects with confidential tag + policyJSON := `{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::test-bucket/*" + }, + { + "Effect": "Deny", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::test-bucket/*", + "Condition": { + "StringEquals": { + "s3:ExistingObjectTag/classification": ["confidential"] + } + } + } + ] + }` + + err := engine.SetBucketPolicy("test-bucket", policyJSON) + if err != nil { + t.Fatalf("Failed to set bucket policy: %v", err) + } + + tests := []struct { + name string + objectTags map[string]string + expected PolicyEvaluationResult + }{ + { + name: "No tags - allow by default statement", + objectTags: nil, + expected: PolicyResultAllow, + }, + { + name: "Non-confidential tag - allow", + objectTags: map[string]string{"classification": "public"}, + expected: PolicyResultAllow, + }, + { + name: "Confidential tag - deny", + objectTags: map[string]string{"classification": "confidential"}, + expected: PolicyResultDeny, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + args := &PolicyEvaluationArgs{ + Action: "s3:GetObject", + Resource: "arn:aws:s3:::test-bucket/test-object", + Principal: "*", + ObjectEntry: tagsToEntry(tt.objectTags), + } + + result := engine.EvaluatePolicy("test-bucket", args) + if result != tt.expected { + t.Errorf("Expected %v, got %v", tt.expected, result) + } + }) + } +} -- cgit v1.2.3