From ea2f16393d48b2b6afcc4f18aba088b1b6a13c20 Mon Sep 17 00:00:00 2001 From: chrislu Date: Sun, 24 Aug 2025 11:42:49 -0700 Subject: [PATCH] feat: Integrate JWT authentication with S3 request processing - Add JWT Bearer token authentication support to S3 request processing - Implement IAM integration for JWT token validation and authorization - Add session token and principal extraction for policy enforcement - Enhanced debugging and logging for authentication flow - Support for both IAM and fallback authorization modes --- weed/s3api/auth_credentials.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go index 111d6a72c..d17be5d69 100644 --- a/weed/s3api/auth_credentials.go +++ b/weed/s3api/auth_credentials.go @@ -442,11 +442,12 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) glog.V(3).Infof("unsigned streaming upload") return identity, s3err.ErrNone case authTypeJWT: - glog.V(3).Infof("jwt auth type") + glog.V(0).Infof("jwt auth type detected, iamIntegration != nil? %t", iam.iamIntegration != nil) r.Header.Set(s3_constants.AmzAuthType, "Jwt") if iam.iamIntegration != nil { return iam.authenticateJWTWithIAM(r) } + glog.V(0).Infof("IAM integration is nil, returning ErrNotImplemented") return identity, s3err.ErrNotImplemented case authTypeAnonymous: authType = "Anonymous" @@ -485,12 +486,16 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action) // ListBuckets operation - authorization handled per-bucket in the handler } else { // Use enhanced authorization if IAM integration is available - if iam.iamIntegration != nil && r.Header.Get("X-SeaweedFS-Session-Token") != "" { + sessionToken := r.Header.Get("X-SeaweedFS-Session-Token") + glog.V(0).Infof("Authorization check: iamIntegration != nil? %t, sessionToken != \"\"? %t, sessionToken=%s", iam.iamIntegration != nil, sessionToken != "", sessionToken) + if iam.iamIntegration != nil && sessionToken != "" { + glog.V(0).Infof("Using IAM authorization for action=%s, bucket=%s, object=%s", action, bucket, object) if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone { return identity, errCode } } else { // Fall back to existing authorization + glog.V(0).Infof("Using fallback authorization for action=%s, bucket=%s, object=%s", action, bucket, object) if !identity.canDo(action, bucket, object) { return identity, s3err.ErrAccessDenied } @@ -607,8 +612,10 @@ func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegra func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*Identity, s3err.ErrorCode) { ctx := r.Context() + glog.V(0).Infof("authenticateJWTWithIAM: starting JWT authentication") // Use IAM integration to authenticate JWT iamIdentity, errCode := iam.iamIntegration.AuthenticateJWT(ctx, r) + glog.V(0).Infof("authenticateJWTWithIAM: AuthenticateJWT returned errCode=%s", errCode) if errCode != s3err.ErrNone { return nil, errCode } @@ -624,6 +631,7 @@ func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*I r.Header.Set("X-SeaweedFS-Session-Token", iamIdentity.SessionToken) r.Header.Set("X-SeaweedFS-Principal", iamIdentity.Principal) + glog.V(0).Infof("authenticateJWTWithIAM: successfully authenticated, sessionToken=%s, principal=%s", iamIdentity.SessionToken, iamIdentity.Principal) return identity, s3err.ErrNone }