@ -634,25 +634,30 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request)
}
entryFetchTime = time . Since ( tEntryFetch )
// Safety check: entry must be valid before tag-based policy evaluation
if objectEntryForSSE == nil {
glog . Errorf ( "GetObjectHandler: objectEntryForSSE is nil for %s/%s (should not happen)" , bucket , object )
s3err . WriteErrorResponse ( w , r , s3err . ErrInternalError )
return
}
// Re-check bucket policy with object entry for tag-based conditions (e.g., s3:ExistingObjectTag)
if objectEntryForSSE != nil {
identityRaw := s3_constants . GetIdentityFromContext ( r )
var identity * Identity
if identityRaw != nil {
var ok bool
identity , ok = identityRaw . ( * Identity )
if ! ok {
glog . Errorf ( "GetObjectHandler: unexpected identity type in context for %s/%s" , bucket , object )
s3err . WriteErrorResponse ( w , r , s3err . ErrInternalError )
return
}
}
principal := buildPrincipalARN ( identity )
if errCode , _ := s3a . checkPolicyWithEntry ( r , bucket , object , string ( s3_constants . ACTION_READ ) , principal , objectEntryForSSE . Extended ) ; errCode != s3err . ErrNone {
s3err . WriteErrorResponse ( w , r , errCode )
identityRaw := s3_constants . GetIdentityFromContext ( r )
var identity * Identity
if identityRaw != nil {
var ok bool
identity , ok = identityRaw . ( * Identity )
if ! ok {
glog . Errorf ( "GetObjectHandler: unexpected identity type in context for %s/%s" , bucket , object )
s3err . WriteErrorResponse ( w , r , s3err . ErrInternalError )
return
}
}
principal := buildPrincipalARN ( identity )
if errCode , _ := s3a . checkPolicyWithEntry ( r , bucket , object , string ( s3_constants . ACTION_READ ) , principal , objectEntryForSSE . Extended ) ; errCode != s3err . ErrNone {
s3err . WriteErrorResponse ( w , r , errCode )
return
}
// Check if PartNumber query parameter is present (for multipart GET requests)
partNumberStr := r . URL . Query ( ) . Get ( "partNumber" )
chrislu
1 month ago