From 4f47773cd95bbc790f90cf380cde0dd5c3a38869 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 20:51:45 -0700
Subject: [PATCH] fix: move identity nil check before map lookup and refine hasAttachedPolicies

Move the nil check on identity before accessing identity.Name to prevent panic. Also refine hasAttachedPolicies to only consider groups that are enabled and have actual policies attached, so membership in a no-policy group doesn't incorrectly trigger IAM authorization.
---
 weed/s3api/auth_credentials.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index d6db8b859..5e1744b6a 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -1865,6 +1865,10 @@ func determineIAMAuthPath(sessionToken, principal, principalArn string) iamAuthP
 // Returns true if any matching statement explicitly allows the action.
 // Uses the cached iamPolicyEngine to avoid re-parsing policy JSON on every request.
 func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identity *Identity, action Action, bucket, object string) bool {
+ if identity == nil {
+ return false
+ }
+
 iam.m.RLock()
 engine := iam.iamPolicyEngine
 groupNames := iam.userGroups[identity.Name]
@@ -1872,8 +1876,7 @@ func (iam *IdentityAccessManagement) evaluateIAMPolicies(r *http.Request, identi
 iam.m.RUnlock()
 // Collect all policy names: user policies + group policies
- hasPolicies := len(identity.PolicyNames) > 0 || len(groupNames) > 0
- if identity == nil || !hasPolicies {
+ if len(identity.PolicyNames) == 0 && len(groupNames) == 0 {
 return false
 }
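Review bot: The added nil guard changes the contract of evaluateIAMPolicies — a nil identity is now denied instead of panicking at the `iam.userGroups[identity.Name]` lookup — but the doc comment two lines above the signature does not mention it; add `// A nil identity is never authorized and yields false.` after the existing `// Returns true if any matching statement explicitly allows the action.` line. The comment `// Collect all policy names: user policies + group policies` now sits directly above an early return rather than above any collection; reword it to `// Nothing to evaluate unless the user or one of its groups has a policy attached.` so the guard reads as intended. This guard still counts membership in any group as sufficient, whereas the second hunk only counts enabled groups that carry policies; that difference is covered in the note on that hunk. The body of evaluateIAMPolicies continues past the end of this hunk.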
@@ -1947,8 +1950,15 @@ func (iam *IdentityAccessManagement) VerifyActionPermission(r *http.Request, ide
 r.URL.Query().Get("X-Amz-Security-Token") != ""
 iam.m.RLock()
 userGroupNames := iam.userGroups[identity.Name]
+ groupsHavePolicies := false
+ for _, gn := range userGroupNames {
+ if g, ok := iam.groups[gn]; ok && !g.Disabled && len(g.PolicyNames) > 0 {
+ groupsHavePolicies = true
+ break
+ }
+ }
 iam.m.RUnlock()
- hasAttachedPolicies := len(identity.PolicyNames) > 0 || len(userGroupNames) > 0
+ hasAttachedPolicies := len(identity.PolicyNames) > 0 || groupsHavePolicies
 if (len(identity.Actions) == 0 || hasSessionToken || hasAttachedPolicies) && iam.iamIntegration != nil {
 return iam.authorizeWithIAM(r, identity, action, bucket, object)
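Review bot: The "has attached policies" predicate is now spelled two different ways — the new loop here honors `g.Disabled` and `len(g.PolicyNames) > 0`, while the guard in evaluateIAMPolicies (first hunk) still treats any group membership as sufficient — so the two call sites can disagree about the same identity; extract the loop into a helper evaluated under the read lock and call it from both places, replacing the loop and the `hasAttachedPolicies := ...` line with `hasAttachedPolicies := iam.hasEffectivePolicies(identity)` between `iam.m.RLock()` and `iam.m.RUnlock()` (this assumes `userGroupNames` is not used further down, which the hunk does not show). Whether `authorizeWithIAM` also skips disabled groups when it collects group policies is not visible here; if it does not, a request routed to IAM for another reason (for example a session token) would still have a disabled group's policies evaluated, so the same `!g.Disabled` filter belongs on that path as well. VerifyActionPermission begins and ends outside this hunk.
```go
// hasEffectivePolicies reports whether identity carries IAM policies itself or
// through an enabled group that has policies attached. Caller must hold iam.m.
func (iam *IdentityAccessManagement) hasEffectivePolicies(identity *Identity) bool {
	if identity == nil {
		return false
	}
	if len(identity.PolicyNames) > 0 {
		return true
	}
	for _, gn := range iam.userGroups[identity.Name] {
		if g, ok := iam.groups[gn]; ok && !g.Disabled && len(g.PolicyNames) > 0 {
			return true
		}
	}
	return false
}
```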