From 56e4652938254b3c36b2ebe8717a602a1b4f5ca8 Mon Sep 17 00:00:00 2001 From: chrislu Date: Thu, 13 Nov 2025 11:31:20 -0800 Subject: [PATCH] isAnonymous --- weed/s3api/s3api_bucket_handlers.go | 26 ++++++++++++------------ weed/s3api/s3api_bucket_policy_engine.go | 8 +++++++- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index f808c17ba..0e16bbcde 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -597,16 +597,16 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous) - // For anonymous requests, check if bucket allows public read via ACLs or bucket policies - if isAnonymous { - // First check ACL-based public access - isPublic := s3a.isBucketPublicRead(bucket) - glog.V(4).Infof("AuthWithPublicRead: bucket=%s, isPublicACL=%v", bucket, isPublic) - if isPublic { - glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to public-read bucket %s (ACL)", bucket) - handler(w, r) - return - } + // For anonymous requests, check if bucket allows public read via ACLs or bucket policies + if isAnonymous { + // First check ACL-based public access + isPublic := s3a.isBucketPublicRead(bucket) + glog.V(4).Infof("AuthWithPublicRead: bucket=%s, isPublicACL=%v", bucket, isPublic) + if isPublic { + glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to public-read bucket %s (ACL)", bucket) + handler(w, r) + return + } // Check bucket policy for anonymous access using the policy engine principal := "*" // Anonymous principal 
@@ -632,9 +632,9 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti return } } - // No matching policy statement - fall through to check ACLs and then IAM auth - glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, checking ACLs", bucket) - } + // No matching policy statement - fall through to check ACLs and then IAM auth + glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, checking ACLs", bucket) + } // For all authenticated requests and anonymous requests to non-public buckets, // use normal IAM auth to enforce policies diff --git a/weed/s3api/s3api_bucket_policy_engine.go b/weed/s3api/s3api_bucket_policy_engine.go index 3d91cd2f7..c3276f558 100644 --- a/weed/s3api/s3api_bucket_policy_engine.go +++ b/weed/s3api/s3api_bucket_policy_engine.go @@ -264,6 +264,11 @@ func convertActionToS3Format(action string, r *http.Request) string { // resolveS3ActionFromRequest determines the specific S3 action from HTTP request context // This enables fine-grained action resolution without changing handler registrations +// +// TODO: Consider consolidating with determineGranularS3Action() in s3_iam_middleware.go +// to avoid code duplication. This function is used by the bucket policy engine, while +// determineGranularS3Action is used by the IAM integration. They serve similar purposes +// and could potentially be unified into a single shared utility function. func resolveS3ActionFromRequest(baseAction string, r *http.Request) string { if r == nil { return "" @@ -274,7 +279,8 @@ func resolveS3ActionFromRequest(baseAction string, r *http.Request) string { bucket, object := s3_constants.GetBucketAndObject(r) // Determine if this is an object or bucket operation - hasObject := object != "" + // Note: "/" is treated as bucket-level, not object-level + hasObject := object != "" && object != "/" // Check for specific query parameters that indicate specific actions switch {
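Review bot: The fall-through comment and the V(3) log line at the end of this hunk are stale: they say `checking ACLs`, but the ACL check (`isBucketPublicRead`) already ran before the bucket-policy lookup in the preceding hunk, so the only step left after a policy miss is IAM auth. Suggest `// No matching policy statement - fall through to normal IAM auth (ACLs were already checked above)` and `glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, falling through to IAM auth", bucket)`. The commit only re-indents these lines, so the wording is pre-existing, but a trace that claims a check which never happens makes anonymous-access decisions harder to audit from logs. AuthWithPublicRead continues outside this hunk.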
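Review bot: The added TODO describes the overlap with determineGranularS3Action as code duplication, but the practical risk for an authorization component is divergence: if the bucket policy engine and the IAM integration resolve different S3 actions for the same request, the two paths can reach different allow/deny decisions. I cannot see s3_iam_middleware.go in this diff, so this is inferred from the TODO's own description of the two functions. Suggest adding one line to the comment: `// Until unified, any change to the action mapping here must be mirrored in determineGranularS3Action, or bucket-policy and IAM evaluation will see different actions for the same request.`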
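Review bot: The new `object != "/"` guard changes the bucket/object classification only in the policy engine's resolver; if determineGranularS3Action (named as the parallel resolver in the TODO earlier in this file) still uses the plain `object != ""` test, a request whose object is `/` resolves to a bucket-level action for bucket-policy evaluation and an object-level action for IAM, and a `*`-principal statement may match in one path but not the other. That file is not in this diff, so I cannot confirm the mismatch; the change should be mirrored there or both resolvers should call one shared helper. The note would also be more useful if it said where a bare `/` comes from, e.g. `// Note: object is presumably "/" for a bucket URL with a trailing slash (TODO confirm against GetBucketAndObject); treat it as bucket-level`. A table-test case for resolveS3ActionFromRequest with a trailing-slash bucket path expecting the bucket-level action would pin the behavior. The `switch` this hunk opens, and the rest of resolveS3ActionFromRequest, continue outside the hunk.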