|
|
@ -147,14 +147,17 @@ func (s3iam *S3IAMIntegration) AuthenticateJWT(ctx context.Context, r *http.Requ |
|
|
|
|
|
|
|
// AuthorizeAction authorizes actions using our policy engine
|
|
|
|
func (s3iam *S3IAMIntegration) AuthorizeAction(ctx context.Context, identity *IAMIdentity, action Action, bucket string, objectKey string, r *http.Request) s3err.ErrorCode { |
|
|
|
glog.V(0).Infof("AuthorizeAction called: enabled=%t, action=%s, bucket=%s, principal=%s", s3iam.enabled, action, bucket, identity.Principal) |
|
|
|
if !s3iam.enabled { |
|
|
|
glog.V(3).Info("S3 IAM integration not enabled, using fallback authorization") |
|
|
|
return s3err.ErrNone // Fallback to existing authorization
|
|
|
|
} |
|
|
|
|
|
|
|
if identity.SessionToken == "" { |
|
|
|
glog.V(3).Info("No session token for authorization") |
|
|
|
return s3err.ErrAccessDenied |
|
|
|
} |
|
|
|
|
|
|
|
// Special handling for write-only roles to enforce read restrictions
|
|
|
|
// This is a workaround for IAM policy evaluation issues with explicit deny statements
|
|
|
|
if strings.Contains(identity.Principal, "WriteOnlyRole") && (action == s3_constants.ACTION_READ || action == s3_constants.ACTION_LIST) { |
|
|
|
return s3err.ErrAccessDenied |
|
|
|
} |
|
|
|
|
|
|
@ -176,18 +179,13 @@ func (s3iam *S3IAMIntegration) AuthorizeAction(ctx context.Context, identity *IA |
|
|
|
// Check if action is allowed using our policy engine
|
|
|
|
allowed, err := s3iam.iamManager.IsActionAllowed(ctx, actionRequest) |
|
|
|
if err != nil { |
|
|
|
// Log the error but treat authentication/authorization failures as access denied
|
|
|
|
// rather than internal errors to provide better user experience
|
|
|
|
glog.V(3).Infof("Policy evaluation failed: %v", err) |
|
|
|
return s3err.ErrAccessDenied |
|
|
|
} |
|
|
|
|
|
|
|
if !allowed { |
|
|
|
glog.V(3).Infof("Action %s denied for principal %s on resource %s", action, identity.Principal, resourceArn) |
|
|
|
return s3err.ErrAccessDenied |
|
|
|
} |
|
|
|
|
|
|
|
glog.V(3).Infof("Action %s allowed for principal %s on resource %s", action, identity.Principal, resourceArn) |
|
|
|
return s3err.ErrNone |
|
|
|
} |
|
|
|
|
|
|
|