Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix: move identity nil check before map lookup and refine hasAttachedPolicies 

Move the nil check on identity before accessing identity.Name to
prevent panic. Also refine hasAttachedPolicies to only consider groups
that are enabled and have actual policies attached, so membership in
a no-policy group doesn't incorrectly trigger IAM authorization.
pull/8560/head
Chris Lu 21 hours ago
parent
afffa9cab9
commit
4f47773cd9
1 changed files with 13 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      weed/s3api/auth_credentials.go

16
weed/s3api/auth_credentials.go
View File

@ -1865,6 +1865,10 @@ func determineIAMAuthPath(sessionToken, principal, principalArn string) iamAuthP
// Returns true if any matching statement explicitly allows the action.
// Uses the cached iamPolicyEngine to avoid re-parsing policy JSON on every request.
func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identity *Identity, action Action, bucket, object string) bool {
if identity == nil {
return false
}
iam.m.RLock()
engine := iam.iamPolicyEngine
groupNames := iam.userGroups[identity.Name]
@ -1872,8 +1876,7 @@ func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identi
iam.m.RUnlock()
// Collect all policy names: user policies + group policies
hasPolicies := len(identity.PolicyNames) > 0 || len(groupNames) > 0
if identity == nil || !hasPolicies {
if len(identity.PolicyNames) == 0 && len(groupNames) == 0 {
return false
}
@ -1947,8 +1950,15 @@ func (iam *IdentityAccessManagement) VerifyActionPermission(r *http.Request, ide
r.URL.Query().Get("X-Amz-Security-Token") != ""
iam.m.RLock()
userGroupNames := iam.userGroups[identity.Name]
groupsHavePolicies := false
for _, gn := range userGroupNames {
if g, ok := iam.groups[gn]; ok && !g.Disabled && len(g.PolicyNames) > 0 {
groupsHavePolicies = true
break
}
}
iam.m.RUnlock()
hasAttachedPolicies := len(identity.PolicyNames) > 0 || len(userGroupNames) > 0
hasAttachedPolicies := len(identity.PolicyNames) > 0 || groupsHavePolicies
if (len(identity.Actions) == 0 || hasSessionToken || hasAttachedPolicies) && iam.iamIntegration != nil {
return iam.authorizeWithIAM(r, identity, action, bucket, object)

Write Preview
Loading…
Cancel
Save