seaweedfs

chrislu 9cbd73aba0 fix: implement proper policy condition evaluation and trust policy validation Fixed the critical issues identified in GitHub PR review that were causing JWT authentication failures in S3 IAM integration tests. ### Problem Identified: - evaluateStringCondition function was a stub that always returned shouldMatch - Trust policy validation was doing basic checks instead of proper evaluation - String conditions (StringEquals, StringNotEquals, StringLike) were ignored - JWT authentication failing with errCode=1 (AccessDenied) ### Solution Implemented: 1. Fixed evaluateStringCondition in policy engine: - Implemented proper string condition evaluation with context matching - Added support for exact matching (StringEquals/StringNotEquals) - Added wildcard support for StringLike conditions using filepath.Match - Proper type conversion for condition values and context values 2. Implemented comprehensive trust policy validation: - Added parseJWTTokenForTrustPolicy to extract claims from web identity tokens - Created evaluateTrustPolicy method with proper Principal matching - Added support for Federated principals (OIDC/SAML) - Implemented trust policy condition evaluation - Added proper context mapping (seaweed:FederatedProvider, etc.) 3. Enhanced IAM manager with trust policy evaluation: - validateTrustPolicyForWebIdentity now uses proper policy evaluation - Extracts JWT claims and maps them to evaluation context - Supports StringEquals, StringNotEquals, StringLike conditions - Proper Principal matching for Federated identity providers ### Technical Details: - Added filepath import for wildcard matching - Added base64, json imports for JWT parsing - Trust policies now check Principal.Federated against token idp claim - Context values properly mapped: idp → seaweed:FederatedProvider - Condition evaluation follows AWS IAM policy semantics ### Addresses GitHub PR Review: This directly fixes the issue mentioned in the PR review about evaluateStringCondition being a stub that doesn't implement actual logic for StringEquals, StringNotEquals, and StringLike conditions. The trust policy validation now properly enforces policy conditions, which should resolve the JWT authentication failures.	2 months ago
..
seaweedfs	Helm Chart: support wildcards for s3-ingress host by quoting value (#7155)	2 months ago
artifacthub-repo.yml	Update artifacthub-repo-stable.yml (#4330)	3 years ago

chrislu 9cbd73aba0 fix: implement proper policy condition evaluation and trust policy validation

Fixed the critical issues identified in GitHub PR review that were causing
JWT authentication failures in S3 IAM integration tests.

### Problem Identified:
- evaluateStringCondition function was a stub that always returned shouldMatch
- Trust policy validation was doing basic checks instead of proper evaluation
- String conditions (StringEquals, StringNotEquals, StringLike) were ignored
- JWT authentication failing with errCode=1 (AccessDenied)

### Solution Implemented:

**1. Fixed evaluateStringCondition in policy engine:**
- Implemented proper string condition evaluation with context matching
- Added support for exact matching (StringEquals/StringNotEquals)
- Added wildcard support for StringLike conditions using filepath.Match
- Proper type conversion for condition values and context values

**2. Implemented comprehensive trust policy validation:**
- Added parseJWTTokenForTrustPolicy to extract claims from web identity tokens
- Created evaluateTrustPolicy method with proper Principal matching
- Added support for Federated principals (OIDC/SAML)
- Implemented trust policy condition evaluation
- Added proper context mapping (seaweed:FederatedProvider, etc.)

**3. Enhanced IAM manager with trust policy evaluation:**
- validateTrustPolicyForWebIdentity now uses proper policy evaluation
- Extracts JWT claims and maps them to evaluation context
- Supports StringEquals, StringNotEquals, StringLike conditions
- Proper Principal matching for Federated identity providers

### Technical Details:
- Added filepath import for wildcard matching
- Added base64, json imports for JWT parsing
- Trust policies now check Principal.Federated against token idp claim
- Context values properly mapped: idp → seaweed:FederatedProvider
- Condition evaluation follows AWS IAM policy semantics

### Addresses GitHub PR Review:
This directly fixes the issue mentioned in the PR review about
evaluateStringCondition being a stub that doesn't implement actual
logic for StringEquals, StringNotEquals, and StringLike conditions.

The trust policy validation now properly enforces policy conditions,
which should resolve the JWT authentication failures.

2 months ago

seaweedfs

Helm Chart: support wildcards for s3-ingress host by quoting value (#7155)

2 months ago

artifacthub-repo.yml

Update artifacthub-repo-stable.yml (#4330)

3 years ago