Fail-close on policy evaluation errors

weed/s3api/auth_credentials.go

@@ -516,7 +516,10 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 			allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
 			
 			if err != nil {
-				glog.Errorf("Error evaluating bucket policy: %v", err)
+				// SECURITY: Fail-close on policy evaluation errors
+				// If we can't evaluate the policy, deny access rather than falling through to IAM
+				glog.Errorf("Error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
+				return identity, s3err.ErrInternalError
 			} else if evaluated {
 				// A bucket policy exists and was evaluated
 				if allowed {

weed/s3api/s3api_bucket_handlers.go

@@ -608,12 +608,16 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 				return
 			}
 
-			// Check bucket policy for anonymous access using the policy engine
-			principal := "*" // Anonymous principal
-			allowed, evaluated, err := s3a.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
-			if err != nil {
-				glog.Errorf("AuthWithPublicRead: error evaluating bucket policy: %v", err)
-			} else if evaluated && allowed {
+		// Check bucket policy for anonymous access using the policy engine
+		principal := "*" // Anonymous principal
+		allowed, evaluated, err := s3a.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
+		if err != nil {
+			// SECURITY: Fail-close on policy evaluation errors
+			// If we can't evaluate the policy, deny access rather than falling through to IAM
+			glog.Errorf("AuthWithPublicRead: error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
+			s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
+			return
+		} else if evaluated && allowed {
 				glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to bucket %s (bucket policy)", bucket)
 				handler(w, r)
 				return