
refactor to avoids circular dependency

pull/7472/head
chrislu 1 month ago
parent
commit
34fd1e909e
  1. 8
      weed/s3api/auth_credentials.go
  2. 14
      weed/s3api/s3api_server.go

8
weed/s3api/auth_credentials.go

@ -54,8 +54,8 @@ type IdentityAccessManagement struct {
// IAM Integration for advanced features
iamIntegration *S3IAMIntegration
// Link to S3ApiServer for bucket policy evaluation
s3ApiServer *S3ApiServer
// Bucket policy engine for evaluating bucket policies
policyEngine *BucketPolicyEngine
}
type Identity struct {
@ -511,9 +511,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
// - Explicit DENY in bucket policy → immediate rejection
// - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
// - No policy or indeterminate → fall through to IAM checks
if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
if iam.policyEngine != nil && bucket != "" {
principal := buildPrincipalARN(identity)
allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
if err != nil {
// SECURITY: Fail-close on policy evaluation errors
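Review bot: With the new guard `if iam.policyEngine != nil && bucket != ""`, a nil policyEngine silently skips bucket-policy evaluation and falls through to the IAM checks, so an IdentityAccessManagement produced by any path that never assigns the field (the hunk in s3api_server.go sets it only after construction) loses every explicit DENY a bucket policy would have produced. The replaced `iam.s3ApiServer != nil && ...` condition had the same shape, so this is not newly introduced, but the refactor makes the engine a direct field and is the moment to pin the contract on the struct field, e.g. `// policyEngine must be wired by every constructor path; when nil, bucket policies are never evaluated and authorization falls through to IAM checks alone`. Consider also logging once when policyEngine is nil and bucket != "" so a missing engine is visible operationally rather than silent. authRequest starts and ends outside the hunk.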

14
weed/s3api/s3api_server.go

@ -86,10 +86,11 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
option.AllowedOrigins = domains
}
var iam *IdentityAccessManagement
iam = NewIdentityAccessManagementWithStore(option, explicitStore)
iam := NewIdentityAccessManagementWithStore(option, explicitStore)
// Initialize bucket policy engine first
policyEngine := NewBucketPolicyEngine()
s3ApiServer = &S3ApiServer{
option: option,
iam: iam,
@ -98,11 +99,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
cb: NewCircuitBreaker(option),
credentialManager: iam.credentialManager,
bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
policyEngine: NewBucketPolicyEngine(), // Initialize bucket policy engine
policyEngine: policyEngine, // Initialize bucket policy engine
}
// Link IAM back to server for bucket policy evaluation
iam.s3ApiServer = s3ApiServer
// Pass policy engine to IAM for bucket policy evaluation
// This avoids circular dependency by not passing the entire S3ApiServer
iam.policyEngine = policyEngine
// Initialize advanced IAM system if config is provided
if option.IamConfig != "" {
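Review bot: `iam.policyEngine = policyEngine` is a post-construction field write that lands only after the S3ApiServer literal is built, so the IAM object exists for a window with a nil engine, and nothing in the constructor signature obliges another caller of NewIdentityAccessManagementWithStore to wire one. Since the engine is now created independently at `policyEngine := NewBucketPolicyEngine()`, creating it before the IAM and assigning it right away, i.e. `policyEngine := NewBucketPolicyEngine()` / `iam := NewIdentityAccessManagementWithStore(option, explicitStore)` / `iam.policyEngine = policyEngine` ahead of the struct literal (or passing it into that constructor), keeps the IAM from ever being observable without its engine. Whether anything can reach authRequest during that window from this constructor is not visible here, so this is defensive ordering rather than a reproduced fault. NewS3ApiServerWithStore starts and ends outside the hunk.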
