seaweedfs

Chris Lu 8814c2a07d iam: support ForAnyValue and ForAllValues condition set operators (#8105 ) * iam: support ForAnyValue and ForAllValues condition set operators This implementation adds support for AWS-style IAM condition set operators `ForAnyValue:` and `ForAllValues:`. These are essential for trust policies that evaluate collection-based claims like `oidc:roles` or groups. - Updated EvaluateStringCondition to handle set operators. - Added set operator support to numeric, date, and boolean conditions. - ForAnyValue matches if any request value matches any condition value (default). - ForAllValues matches if every request value matches at least one condition value. * iam: add test suite for condition set operators * iam: ensure ForAllValues is vacuously true for all condition types Aligned Numeric, Date, and Boolean conditions with AWS IAM behavior where ForAllValues returns true when the request context values are empty. * iam: add Date vacuously true test case for ForAllValues * iam: expand policy variables in case-insensitive string conditions Added expandPolicyVariables support to evaluateStringConditionIgnoreCase to ensure consistency with case-sensitive counterparts. * iam: fix negation issues in string set operators Refactored EvaluateStringCondition and evaluateStringConditionIgnoreCase to evaluate operators (including negation) per context value before aggregating. This ensures StringNotEquals and StringNotLike work correctly with ForAllValues and ForAnyValue. * iam: add []string support for Date and Boolean context values Ensures consistency with Numeric conditions by allowing context values to be provided as slices of strings, which is common in JSON/OIDC claims. * iam: simplify redundant type check in policy engine The `evaluateStringConditionIgnoreCase` function had a redundant type check for `string` in the `default` block of a type switch that already handled the `string` case. * iam: remove outdated "currently fails" comment in negation tests * iam: add StringLikeIgnoreCase condition support * iam: explicitly handle empty context sets for ForAnyValue AWS IAM treats empty request sets as "no match" for ForAnyValue. Added an explicit check and comment to make this behavior clear. * iam: refactor EvaluateStringCondition to expand policy variables once Avoid redundant calls to expandPolicyVariables by expanding them once per condition value instead of inside awsIAMMatch or in the exact matching branch. * iam: fix StringLike case sensitivity to match AWS IAM specs StringLike and StringNotLike condition operators are case-sensitive in AWS IAM. Changed the implementation to use filepath.Match for case-sensitive wildcard matching instead of the case-insensitive awsIAMMatch. * iam: integrate StringLike case-sensitivity test into suite Integrated the case-sensitivity verification into condition_set_test.go and updated the consistency test to use StringLikeIgnoreCase to maintain its case-insensitive matching verification. * iam: fix NumericNotEquals logic to follow "not equal to any" semantics Updated evaluateNumericCondition to correctly handle NumericNotEquals by ensuring a context value matches only if it is not equal to ANY of the provided expected values. Also added support for []string expected values. * iam: fix DateNotEquals logic and integrate tests Updated evaluateDateCondition to correctly handle DateNotEquals logic. Integrated the new test cases for NumericNotEquals and DateNotEquals into condition_set_test.go. * iam: fix validation error in integrated NotEquals tests Added missing Resource field to IAM policy statements in condition_set_test.go to satisfy validation requirements. * iam: add set operator support for IP and Null conditions Implemented ForAllValues and ForAnyValue support for IpAddress, NotIpAddress, and Null condition operators. Also added test coverage for ForAnyValue with an empty context to ensure correct behavior. * iam: refine IP condition evaluation to handle multiple policy value types Updated evaluateIPCondition to correctly handle string, []string, and []interface{} values for IP address conditions in policy documents. Added IpAddress:SingleStringValue test case to verify consistency. * iam: refine Null and case-insensitive string conditions - Reverted evaluateNullCondition to standard AWS behavior (no set operators). - Refactored evaluateStringConditionIgnoreCase to use idiomatic helpers (strings.EqualFold and AwsWildcardMatch). - Cleaned up tests in condition_set_test.go. * iam: normalize policy value handling across condition evaluators - Implemented normalizeRanges helper for consistent IP range extraction. - Expanded type switches in IP, Bool, and String condition evaluators to support string, []string, and []interface{} policy values. - Fixed ForAnyValue bool matching to support string slices. - Added targeted tests for []string policy values in condition_set_test.go. * iam: refactor IP condition to support arbitrary context keys Refactored evaluateIPCondition to iterate through all keys in the condition block instead of hardcoding aws:SourceIp. This ensures consistency with other condition types and allows custom context keys. Added IpAddress:CustomContextKey test case to verify the change.	5 days ago
..
css	Fix Broken Links (#5287)	2 years ago
fonts	Change filer UI icon from picture to icon font.	4 years ago

iam: support ForAnyValue and ForAllValues condition set operators (#8105 )

* iam: support ForAnyValue and ForAllValues condition set operators

This implementation adds support for AWS-style IAM condition set operators
`ForAnyValue:` and `ForAllValues:`. These are essential for trust policies
that evaluate collection-based claims like `oidc:roles` or groups.

- Updated EvaluateStringCondition to handle set operators.
- Added set operator support to numeric, date, and boolean conditions.
- ForAnyValue matches if any request value matches any condition value (default).
- ForAllValues matches if every request value matches at least one condition value.

* iam: add test suite for condition set operators

* iam: ensure ForAllValues is vacuously true for all condition types

Aligned Numeric, Date, and Boolean conditions with AWS IAM behavior
where ForAllValues returns true when the request context values are empty.

* iam: add Date vacuously true test case for ForAllValues

* iam: expand policy variables in case-insensitive string conditions

Added expandPolicyVariables support to evaluateStringConditionIgnoreCase
to ensure consistency with case-sensitive counterparts.

* iam: fix negation issues in string set operators

Refactored EvaluateStringCondition and evaluateStringConditionIgnoreCase
to evaluate operators (including negation) per context value before
aggregating. This ensures StringNotEquals and StringNotLike work
correctly with ForAllValues and ForAnyValue.

* iam: add []string support for Date and Boolean context values

Ensures consistency with Numeric conditions by allowing context values
to be provided as slices of strings, which is common in JSON/OIDC claims.

* iam: simplify redundant type check in policy engine

The `evaluateStringConditionIgnoreCase` function had a redundant type
check for `string` in the `default` block of a type switch that
already handled the `string` case.

* iam: remove outdated "currently fails" comment in negation tests

* iam: add StringLikeIgnoreCase condition support

* iam: explicitly handle empty context sets for ForAnyValue

AWS IAM treats empty request sets as "no match" for ForAnyValue.
Added an explicit check and comment to make this behavior clear.

* iam: refactor EvaluateStringCondition to expand policy variables once

Avoid redundant calls to expandPolicyVariables by expanding them once
per condition value instead of inside awsIAMMatch or in the exact
matching branch.

* iam: fix StringLike case sensitivity to match AWS IAM specs

StringLike and StringNotLike condition operators are case-sensitive in
AWS IAM. Changed the implementation to use filepath.Match for
case-sensitive wildcard matching instead of the case-insensitive
awsIAMMatch.

* iam: integrate StringLike case-sensitivity test into suite

Integrated the case-sensitivity verification into condition_set_test.go
and updated the consistency test to use StringLikeIgnoreCase to maintain
its case-insensitive matching verification.

* iam: fix NumericNotEquals logic to follow "not equal to any" semantics

Updated evaluateNumericCondition to correctly handle NumericNotEquals by
ensuring a context value matches only if it is not equal to ANY of the
provided expected values. Also added support for []string expected
values.

* iam: fix DateNotEquals logic and integrate tests

Updated evaluateDateCondition to correctly handle DateNotEquals logic.
Integrated the new test cases for NumericNotEquals and DateNotEquals into
condition_set_test.go.

* iam: fix validation error in integrated NotEquals tests

Added missing Resource field to IAM policy statements in
condition_set_test.go to satisfy validation requirements.

* iam: add set operator support for IP and Null conditions

Implemented ForAllValues and ForAnyValue support for IpAddress,
NotIpAddress, and Null condition operators. Also added test coverage for
ForAnyValue with an empty context to ensure correct behavior.

* iam: refine IP condition evaluation to handle multiple policy value types

Updated evaluateIPCondition to correctly handle string, []string, and
[]interface{} values for IP address conditions in policy documents.
Added IpAddress:SingleStringValue test case to verify consistency.

* iam: refine Null and case-insensitive string conditions

- Reverted evaluateNullCondition to standard AWS behavior (no set operators).
- Refactored evaluateStringConditionIgnoreCase to use idiomatic helpers
  (strings.EqualFold and AwsWildcardMatch).
- Cleaned up tests in condition_set_test.go.

* iam: normalize policy value handling across condition evaluators

- Implemented normalizeRanges helper for consistent IP range extraction.
- Expanded type switches in IP, Bool, and String condition evaluators to
  support string, []string, and []interface{} policy values.
- Fixed ForAnyValue bool matching to support string slices.
- Added targeted tests for []string policy values in condition_set_test.go.

* iam: refactor IP condition to support arbitrary context keys

Refactored evaluateIPCondition to iterate through all keys in the
condition block instead of hardcoding aws:SourceIp. This ensures
consistency with other condition types and allows custom context keys.
Added IpAddress:CustomContextKey test case to verify the change.

5 days ago

css

Fix Broken Links (#5287)

2 years ago

fonts

Change filer UI icon from picture to icon font.

4 years ago