From 4688ce38326f928fce8d84a9c8e1ba1286f76458 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 16 Mar 2026 20:15:00 -0700 Subject: [PATCH] Match Go Guard isWriteActive: combine whitelist and signing key check --- seaweed-volume/src/security.rs | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/seaweed-volume/src/security.rs b/seaweed-volume/src/security.rs index dfebaf8a3..c45f346d5 100644 --- a/seaweed-volume/src/security.rs +++ b/seaweed-volume/src/security.rs @@ -116,6 +116,9 @@ pub struct Guard { pub expires_after_sec: i64, pub read_signing_key: SigningKey, pub read_expires_after_sec: i64, + /// Combined flag: true when whitelist is non-empty OR signing key is present. + /// Matches Go's `isWriteActive = !isEmptyWhiteList || len(SigningKey) != 0`. + is_write_active: bool, } impl Guard { @@ -133,6 +136,7 @@ impl Guard { expires_after_sec, read_signing_key, read_expires_after_sec, + is_write_active: false, }; guard.update_whitelist(whitelist); guard @@ -158,11 +162,19 @@ impl Guard { self.whitelist_ips.insert(entry.to_string()); } } + + // Match Go: isWriteActive = !isEmptyWhiteList || len(SigningKey) != 0 + let is_empty_whitelist = self.whitelist_ips.is_empty() && self.whitelist_cidrs.is_empty(); + self.is_write_active = !is_empty_whitelist || !self.signing_key.is_empty(); } /// Check if a remote IP is in the whitelist. - /// Returns true if whitelist is empty (no restriction) or IP matches. + /// Returns true if write security is inactive (no whitelist and no signing key), + /// if the whitelist is empty, or if the IP matches. pub fn check_whitelist(&self, remote_addr: &str) -> bool { + if !self.is_write_active { + return true; + } if self.whitelist_ips.is_empty() && self.whitelist_cidrs.is_empty() { return true; }