s3: add s3:ExistingObjectTag condition support in policy engine

Add support for s3:ExistingObjectTag/<tag-key> condition keys in bucket policies, allowing access control based on object tags. Changes: - Add ObjectEntry field to PolicyEvaluationArgs (entry.Extended metadata) - Update EvaluateConditions to handle s3:ExistingObjectTag/<key> format - Extract tag value from entry metadata using X-Amz-Tagging-<key> prefix This enables policies like: { "Condition": { "StringEquals": { "s3:ExistingObjectTag/status": ["public"] } } } Fixes: https://github.com/seaweedfs/seaweedfs/issues/7447
1 month ago · c6721bb18d
3 changed files with 54 additions and 9 deletions
--- a/weed/s3api/policy_engine/conditions.go
+++ b/weed/s3api/policy_engine/conditions.go
@ -705,8 +705,15 @@ func GetConditionEvaluator(operator string) (ConditionEvaluator, error) {
 	}
 }

+// ExistingObjectTagPrefix is the prefix for object tag condition keys
+const ExistingObjectTagPrefix = "s3:ExistingObjectTag/"
+
+// ObjectTagMetadataPrefix is the prefix used to store tags in entry.Extended
+const ObjectTagMetadataPrefix = "X-Amz-Tagging-"
+
 // EvaluateConditions evaluates all conditions in a policy statement
-func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]string) bool {
+// objectEntry is the object's metadata from entry.Extended (can be nil)
+func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]string, objectEntry map[string][]byte) bool {
 	if len(conditions) == 0 {
 		return true // No conditions means always true
 	}
@ -719,9 +726,27 @@ func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]
 		}

 		for key, value := range conditionMap {
-			contextVals, exists := contextValues[key]
-			if !exists {
-				contextVals = []string{}
+			var contextVals []string
+
+			// Handle s3:ExistingObjectTag/<tag-key> condition keys
+			// These refer to tags that already exist on the object
+			if strings.HasPrefix(key, ExistingObjectTagPrefix) {
+				// Extract tag value from entry.Extended using the tag prefix
+				tagKey := key[len(ExistingObjectTagPrefix):]
+				metadataKey := ObjectTagMetadataPrefix + tagKey
+				if objectEntry != nil {
+					if tagValue, exists := objectEntry[metadataKey]; exists {
+						contextVals = []string{string(tagValue)}
+					}
+				}
+				// If tag doesn't exist, contextVals remains empty
+			} else {
+				// Regular condition key lookup
+				var exists bool
+				contextVals, exists = contextValues[key]
+				if !exists {
+					contextVals = []string{}
+				}
 			}

 			if !conditionEvaluator.Evaluate(value.Strings(), contextVals) {
@ -734,7 +759,8 @@ func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]
 }

 // EvaluateConditionsLegacy evaluates conditions using the old interface{} format for backward compatibility
-func EvaluateConditionsLegacy(conditions map[string]interface{}, contextValues map[string][]string) bool {
+// objectEntry is the object's metadata from entry.Extended (can be nil)
+func EvaluateConditionsLegacy(conditions map[string]interface{}, contextValues map[string][]string, objectEntry map[string][]byte) bool {
 	if len(conditions) == 0 {
 		return true // No conditions means always true
 	}
@ -753,9 +779,23 @@ func EvaluateConditionsLegacy(conditions map[string]interface{}, contextValues m
 		}

 		for key, value := range conditionMapTyped {
-			contextVals, exists := contextValues[key]
-			if !exists {
-				contextVals = []string{}
+			var contextVals []string
+
+			// Handle s3:ExistingObjectTag/<tag-key> condition keys
+			if strings.HasPrefix(key, ExistingObjectTagPrefix) {
+				tagKey := key[len(ExistingObjectTagPrefix):]
+				metadataKey := ObjectTagMetadataPrefix + tagKey
+				if objectEntry != nil {
+					if tagValue, exists := objectEntry[metadataKey]; exists {
+						contextVals = []string{string(tagValue)}
+					}
+				}
+			} else {
+				var exists bool
+				contextVals, exists = contextValues[key]
+				if !exists {
+					contextVals = []string{}
+				}
 			}

 			if !conditionEvaluator.Evaluate(value, contextVals) {
--- a/weed/s3api/policy_engine/engine.go
+++ b/weed/s3api/policy_engine/engine.go
@ -154,7 +154,7 @@ func (engine *PolicyEngine) evaluateStatement(stmt *CompiledStatement, args *Pol

 	// Check conditions
 	if len(stmt.Statement.Condition) > 0 {
-		if !EvaluateConditions(stmt.Statement.Condition, args.Conditions) {
+		if !EvaluateConditions(stmt.Statement.Condition, args.Conditions, args.ObjectEntry) {
 			return false
 		}
 	}
--- a/weed/s3api/policy_engine/types.go
+++ b/weed/s3api/policy_engine/types.go
@ -106,6 +106,11 @@ type PolicyEvaluationArgs struct {
 	Resource   string
 	Principal  string
 	Conditions map[string][]string
+	// ObjectEntry is the object's metadata from entry.Extended.
+	// Used for evaluating conditions like s3:ExistingObjectTag/<tag-key>.
+	// Tags are stored as "X-Amz-Tagging-<key>" -> value.
+	// Can be nil for bucket-level operations or when object doesn't exist.
+	ObjectEntry map[string][]byte
 }

 // PolicyCache for caching compiled policies