From d39b2689a5e6e651fadc18ae079bbaf4e74fc5c4 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 3 Jul 2021 14:50:53 -0700
Subject: [PATCH] S3 authorization: StreamingSigned enforces access control

fix https://github.com/chrislusf/seaweedfs/issues/2180
---
 weed/s3api/chunked_reader_v4.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/chunked_reader_v4.go b/weed/s3api/chunked_reader_v4.go
index b163ec2f6..ec26f693a 100644
--- a/weed/s3api/chunked_reader_v4.go
+++ b/weed/s3api/chunked_reader_v4.go
@@ -85,11 +85,17 @@ func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cr
 		return nil, "", "", time.Time{}, errCode
 	}
 	// Verify if the access key id matches.
-	_, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
+	identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
 	if !found {
 		return nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
 	}
 
+	bucket, _ := getBucketAndObject(r)
+	if !identity.canDo("Write", bucket) {
+		errCode = s3err.ErrAccessDenied
+		return
+	}
+
 	// Verify if region is valid.
 	region = signV4Values.Credential.scope.region
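Review bot: The new access-denied branch ends in a bare `return` after setting `errCode`, unlike the explicit returns around it, so whatever the named results hold at that point goes back to the caller; `cred` appears to be a named result already assigned by the `lookupByAccessKey` line, which would hand the credential back together with `ErrAccessDenied`. Writing `return nil, "", "", time.Time{}, s3err.ErrAccessDenied` keeps the error paths uniform and returns nothing usable on failure. The `canDo("Write", bucket)` check also runs before any signature comparison visible in this hunk, so a request that only names a valid access key could distinguish `ErrAccessDenied` from a signature error and learn that key's write permission on a bucket; if the signature is verified later in the function, moving the check after it closes that gap. The result list of calculateSeedSignature is truncated in the hunk header and its body continues past the hunk, so both points should be confirmed against the full function.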