Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix for tests

pull/7471/head
chrislu 3 weeks ago
parent
569aa065d2
commit
865e803d3b
4 changed files with 27 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      weed/s3api/auth_credentials.go
  2. 6
      weed/s3api/policy_engine/engine.go
  3. 8
      weed/s3api/policy_engine/engine_test.go
  4. 14
      weed/s3api/s3api_bucket_handlers.go

7
weed/s3api/auth_credentials.go
View File

@ -521,7 +521,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
glog.Errorf("Error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err) glog.Errorf("Error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
return identity, s3err.ErrInternalError return identity, s3err.ErrInternalError
} else if evaluated { } else if evaluated {
// A bucket policy exists and was evaluated
// A bucket policy exists and was evaluated with a matching statement
if allowed { if allowed {
// Policy explicitly allows this action - grant access immediately // Policy explicitly allows this action - grant access immediately
// This bypasses IAM checks to support cross-account access and policy-only principals // This bypasses IAM checks to support cross-account access and policy-only principals
@ -529,11 +529,12 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
policyAllows = true policyAllows = true
} else { } else {
// Policy explicitly denies this action - deny access immediately // Policy explicitly denies this action - deny access immediately
glog.V(3).Infof("Bucket policy denies %s to %s on %s/%s", identity.Name, action, bucket, object)
// Note: Explicit Deny in bucket policy overrides all other permissions
glog.V(3).Infof("Bucket policy explicitly denies %s to %s on %s/%s", identity.Name, action, bucket, object)
return identity, s3err.ErrAccessDenied return identity, s3err.ErrAccessDenied
} }
} }
// If not evaluated (no policy), fall through to IAM/identity checks
// If not evaluated (no policy or no matching statements), fall through to IAM/identity checks
} }
// Only check IAM if bucket policy didn't explicitly allow // Only check IAM if bucket policy didn't explicitly allow

6
weed/s3api/policy_engine/engine.go
View File

@ -109,7 +109,7 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
// AWS Policy evaluation logic: // AWS Policy evaluation logic:
// 1. Check for explicit Deny - if found, return Deny // 1. Check for explicit Deny - if found, return Deny
// 2. Check for explicit Allow - if found, return Allow // 2. Check for explicit Allow - if found, return Allow
// 3. If no explicit Allow is found, return Deny (default deny)
// 3. If no matching statements, return Indeterminate (fall through to IAM)
hasExplicitAllow := false hasExplicitAllow := false
@ -128,7 +128,9 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
return PolicyResultAllow return PolicyResultAllow
} }
return PolicyResultDeny // Default deny
// No matching statements - return Indeterminate to fall through to IAM
// This allows IAM policies to grant access even when bucket policy doesn't mention the action
return PolicyResultIndeterminate
} }
// evaluateStatement evaluates a single policy statement // evaluateStatement evaluates a single policy statement

8
weed/s3api/policy_engine/engine_test.go
View File

@ -76,8 +76,8 @@ func TestPolicyEngine(t *testing.T) {
} }
result = engine.EvaluatePolicy("test-bucket", args) result = engine.EvaluatePolicy("test-bucket", args)
if result != PolicyResultDeny {
t.Errorf("Expected Deny for non-matching action, got %v", result)
if result != PolicyResultIndeterminate {
t.Errorf("Expected Indeterminate for non-matching action (should fall through to IAM), got %v", result)
} }
// Test GetBucketPolicy // Test GetBucketPolicy
@ -471,8 +471,8 @@ func TestPolicyEvaluationWithConditions(t *testing.T) {
// Test non-matching IP // Test non-matching IP
args.Conditions["aws:SourceIp"] = []string{"10.0.0.1"} args.Conditions["aws:SourceIp"] = []string{"10.0.0.1"}
result = engine.EvaluatePolicy("test-bucket", args) result = engine.EvaluatePolicy("test-bucket", args)
if result != PolicyResultDeny {
t.Errorf("Expected Deny for non-matching IP, got %v", result)
if result != PolicyResultIndeterminate {
t.Errorf("Expected Indeterminate for non-matching IP (should fall through to IAM), got %v", result)
} }
} }

14
weed/s3api/s3api_bucket_handlers.go
View File

@ -617,12 +617,22 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
glog.Errorf("AuthWithPublicRead: error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err) glog.Errorf("AuthWithPublicRead: error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError) s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return return
} else if evaluated && allowed {
} else if evaluated {
// A bucket policy exists and was evaluated with a matching statement
if allowed {
// Policy explicitly allows anonymous access
glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to bucket %s (bucket policy)", bucket) glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to bucket %s (bucket policy)", bucket)
handler(w, r) handler(w, r)
return return
} else {
// Policy explicitly denies anonymous access
glog.V(3).Infof("AuthWithPublicRead: bucket policy explicitly denies anonymous access to %s/%s", bucket, object)
s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
return
}
} }
glog.V(3).Infof("AuthWithPublicRead: bucket %s does not allow public access, falling back to IAM auth", bucket)
// No matching policy statement - fall through to check ACLs and then IAM auth
glog.V(3).Infof("AuthWithPublicRead: no bucket policy match for %s, checking ACLs", bucket)
} }
// For all authenticated requests and anonymous requests to non-public buckets, // For all authenticated requests and anonymous requests to non-public buckets,

Write Preview
Loading…
Cancel
Save