From e8baeb3616bb2ec331abcd3dabbb304f0f0040c1 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 28 Dec 2025 12:57:01 -0800
Subject: [PATCH] s3api: Allow anonymous access to SOSAPI virtual objects

Enable discovery of SOSAPI capabilities without requiring credentials.
- Modify AuthWithPublicRead to bypass auth for SOSAPI objects if bucket exists
- Supports Veeam's initial discovery phase before full IAM setup
- Validates bucket existence to prevent information disclosure
---
 weed/s3api/s3api_bucket_handlers.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index d7f5aa7b8..9f658aaaa 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -624,6 +624,17 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous)
+ // Allow anonymous access for SOSAPI virtual objects (discovery)
+ if isSOSAPIObject(object) {
+ // Ensure the bucket exists anyway
+ _, errCode := s3a.getBucketConfig(bucket)
+ if errCode == s3err.ErrNone {
+ glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to SOSAPI object %s in bucket %s", object, bucket)
+ handler(w, r)
+ return
+ }
+ }
+
 // For anonymous requests, check if bucket allows public read via ACLs or bucket policies
 if isAnonymous {
 // First check ACL-based public access
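Review bot: The new `isSOSAPIObject(object)` branch calls `handler(w, r)` for any request whose key matches, as long as `getBucketConfig` returns `s3err.ErrNone`; it is not conditioned on `isAnonymous`, on `action` or on the HTTP method, so the authentication path below is skipped even for signed requests and for private buckets. Because the branch is taken only when the bucket exists and otherwise falls through to the normal auth path, an unauthenticated caller can presumably tell existing buckets from missing ones by the response, which is the opposite of what the commit message says the existence check achieves. I would at least limit the branch to reads, `if isSOSAPIObject(object) && (r.Method == http.MethodGet || r.Method == http.MethodHead) {`, and consider making anonymous SOSAPI discovery opt-in per bucket or per server rather than on by default. It is also worth confirming, outside this hunk, that the wrapped handler serves only the generated virtual documents for these keys and never a stored object with the same name. The body of AuthWithPublicRead starts and ends outside the hunk.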