From 152884eff26ace93d00bc21c312a98a20d75cfd6 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 24 Mar 2026 14:04:42 -0700
Subject: [PATCH] S3: add s3: prefix to x-amz-* condition keys for AWS compatibility (#8765)

AWS S3 policy conditions reference request headers with the s3: namespace prefix (e.g., s3:x-amz-server-side-encryption). The extraction code was storing these headers without the prefix, so bucket policy conditions using the standard AWS key names would never match.
---
 weed/s3api/policy_engine/engine.go | 7 ++++---
 weed/s3api/policy_engine/engine_test.go | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/weed/s3api/policy_engine/engine.go b/weed/s3api/policy_engine/engine.go
index d7b4d4758..2432b695c 100644
--- a/weed/s3api/policy_engine/engine.go
+++ b/weed/s3api/policy_engine/engine.go
@@ -427,10 +427,11 @@ func ExtractConditionValuesFromRequest(r *http.Request) map[string][]string {
 // HTTP method
 values["s3:RequestMethod"] = []string{r.Method}

- // Extract custom headers
+ // Extract custom headers with s3: prefix for AWS-compatible condition keys
 for key, headerValues := range r.Header {
- if strings.HasPrefix(strings.ToLower(key), "x-amz-") {
- values[strings.ToLower(key)] = headerValues
+ lowerKey := strings.ToLower(key)
+ if strings.HasPrefix(lowerKey, "x-amz-") {
+ values["s3:"+lowerKey] = headerValues
 }
 }

diff --git a/weed/s3api/policy_engine/engine_test.go b/weed/s3api/policy_engine/engine_test.go
index 7f2da1887..1ad8c434a 100644
--- a/weed/s3api/policy_engine/engine_test.go
+++ b/weed/s3api/policy_engine/engine_test.go
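Review bot: Renaming the extracted key at `values["s3:"+lowerKey] = headerValues` silently changes the meaning of any stored bucket policy whose conditions use the bare `x-amz-*` name, which was the only form that matched before this commit. Such a condition now never finds its key, and for a Deny statement (for example one enforcing server-side encryption) that may become fail-open, depending on how the evaluator, which is outside this hunk, treats a missing key. Either keep the legacy entry for a deprecation window, `values[lowerKey] = headerValues // legacy unprefixed key, deprecated`, or reject or warn on unprefixed `x-amz-*` condition keys when a policy is loaded. It is also worth confirming that the lookup side normalises case, since AWS treats condition key names case-insensitively and this map only holds the lowercase form. ExtractConditionValuesFromRequest starts and ends outside the hunk.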
@@ -444,8 +444,8 @@ func TestExtractConditionValuesFromRequest(t *testing.T) {
 t.Errorf("Expected RequestMethod to be GET, got %v", values["s3:RequestMethod"])
 }

- if len(values["x-amz-copy-source"]) != 1 || values["x-amz-copy-source"][0] != "source-bucket/source-object" {
- t.Errorf("Expected X-Amz-Copy-Source header to be extracted, got %v", values["x-amz-copy-source"])
+ if len(values["s3:x-amz-copy-source"]) != 1 || values["s3:x-amz-copy-source"][0] != "source-bucket/source-object" {
+ t.Errorf("Expected X-Amz-Copy-Source header to be extracted with s3: prefix, got %v", values["s3:x-amz-copy-source"])
 }

 // Check that aws:CurrentTime is properly set
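Review bot: The updated assertion checks only that `s3:x-amz-copy-source` is present; it does not pin what happens to the old unprefixed key, so a later change that re-adds or drops it would pass unnoticed. Add `if _, ok := values["x-amz-copy-source"]; ok { t.Errorf("unprefixed x-amz-copy-source should not be set") }`, or the inverse check if a legacy alias is kept on purpose. A case that evaluates a policy with a `s3:x-amz-server-side-encryption` condition against a request, including a Deny when the header is absent, would cover the behaviour the commit message describes; nothing in the visible hunks does. The test function begins and ends outside the hunk.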