wildcard prefix to restrict access to directories in s3 bucket

https://github.com/chrislusf/seaweedfs/discussions/2551
2025-09-19 03:29:55 +08:00 · 2022-01-03 15:39:36 -08:00
parent 5799a20f71
commit a7887166cf
4 changed files with 58 additions and 10 deletions
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -2,6 +2,7 @@ package s3api

 import (
 	. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
+	"github.com/stretchr/testify/assert"
 	"testing"

 	"github.com/golang/protobuf/jsonpb"
@@ -67,3 +68,51 @@ func TestIdentityListFileFormat(t *testing.T) {
 	println(text)

 }
+
+func TestCanDo(t *testing.T) {
+	ident1 := &Identity{
+		Name: "anything",
+		Actions: []Action{
+			"Write:bucket1/a/b/c/*",
+			"Write:bucket1/a/b/other",
+		},
+	}
+	// object specific
+	assert.Equal(t, true, ident1.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
+	assert.Equal(t, false, ident1.canDo(ACTION_WRITE, "bucket1", "a/b/other/some"), "action without *")
+
+	// bucket specific
+	ident2 := &Identity{
+		Name: "anything",
+		Actions: []Action{
+			"Read:bucket1",
+			"Write:bucket1/*",
+		},
+	}
+	assert.Equal(t, true, ident2.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
+	assert.Equal(t, true, ident2.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
+	assert.Equal(t, false, ident2.canDo(ACTION_LIST, "bucket1", "a/b/c/d.txt"))
+
+	// across buckets
+	ident3 := &Identity{
+		Name: "anything",
+		Actions: []Action{
+			"Read",
+			"Write",
+		},
+	}
+	assert.Equal(t, true, ident3.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
+	assert.Equal(t, true, ident3.canDo(ACTION_WRITE, "bucket1", "a/b/c/d.txt"))
+	assert.Equal(t, false, ident3.canDo(ACTION_LIST, "bucket1", "a/b/other/some"))
+
+	// partial buckets
+	ident4 := &Identity{
+		Name: "anything",
+		Actions: []Action{
+			"Read:special_*",
+		},
+	}
+	assert.Equal(t, true, ident4.canDo(ACTION_READ, "special_bucket", "a/b/c/d.txt"))
+	assert.Equal(t, false, ident4.canDo(ACTION_READ, "bucket1", "a/b/c/d.txt"))
+
+}