From 01e781b1412e3913719b2a66ed9a968eaa42c44a Mon Sep 17 00:00:00 2001
From: chrislu
Date: Wed, 12 Nov 2025 21:32:34 -0800
Subject: [PATCH] address comments

---
 weed/s3api/auth_credentials.go | 4 ++--
 weed/s3api/s3_policy_templates_test.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index d38d1d20b..9850122c5 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -63,7 +63,7 @@ type Identity struct {
 	Account *Account
 	Credentials []*Credential
 	Actions []Action
-	PrincipalArn string // ARN for IAM authorization (e.g., "arn:aws:iam::user/username")
+	PrincipalArn string // ARN for IAM authorization (e.g., "arn:aws:iam::account-id:user/username")
 }
 
 // Account represents a system user, a system user can
@@ -511,7 +511,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 	// - Explicit DENY in bucket policy → immediate rejection
 	// - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
 	// - No policy or indeterminate → fall through to IAM checks
-	if iam.s3ApiServer != nil && bucket != "" {
+	if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
 		principal := buildPrincipalARN(identity)
 		allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
 
diff --git a/weed/s3api/s3_policy_templates_test.go b/weed/s3api/s3_policy_templates_test.go
index 03fa15890..453260c2a 100644
--- a/weed/s3api/s3_policy_templates_test.go
+++ b/weed/s3api/s3_policy_templates_test.go
@@ -495,7 +495,7 @@ func TestPolicyValidation(t *testing.T) {
 			// Check resource format
 			for _, resource := range stmt.Resource {
 				if resource != "*" {
-					assert.Contains(t, resource, "arn:aws:s3:::", "Resource should be valid SeaweedFS S3 ARN: %s", resource)
+					assert.Contains(t, resource, "arn:aws:s3:::", "Resource should be valid AWS S3 ARN: %s", resource)
 				}
 			}
 		}
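Review bot: The added `iam.s3ApiServer.policyEngine != nil` guard in authRequest makes a missing policy engine silently skip bucket-policy evaluation, so an explicit DENY stored for the bucket is not enforced and the request falls through to IAM checks alone; the three-line comment above the condition does not mention this. If a nil engine can coexist with persisted bucket policies (not visible here), that is a fail-open path worth documenting and logging rather than leaving implicit. I would extend the comment with `// - policyEngine == nil → bucket policies are not evaluated at all (including DENY); only IAM applies` and, if the surrounding code already has a logger in scope, emit a warning once when the engine is nil and a bucket is named. authRequest begins and ends outside this hunk, so the handling of `allowed`, `evaluated` and `err` after EvaluatePolicy is not reviewed here.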