Skip to content

fix(core,s3): explicit-Deny beats public ACL + strict-mode deny on unmapped action (bug-hunt)#2296

Merged
vieiralucas merged 1 commit into
mainfrom
bh-auth-deny
Jul 16, 2026
Merged

fix(core,s3): explicit-Deny beats public ACL + strict-mode deny on unmapped action (bug-hunt)#2296
vieiralucas merged 1 commit into
mainfrom
bh-auth-deny

Conversation

@vieiralucas

@vieiralucas vieiralucas commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary

Closes an auth enforcement fail-open in the strict-mode IAM dispatch path (bug-hunt batch 2). Behavior-only; no SDK, docs, or count-surface change. These paths only run when --iam is enabled — off (the default) is unchanged.

Fix 5.2 (MED) — strict-mode fail-open on unmapped enforceable action. When an iam_enforceable() service returns None from iam_action_for for an operation (e.g. S3's s3_detect_action has many _ => return None arms for unrecognized sub-resource forms), dispatch previously logged a warn and fell through to the handler — the op executed with no policy check even under --iam strict. That is fail-open: a signed request to an unmapped S3 sub-resource ran unauthorized. Now, under strict mode, an enforceable service that yields no IamAction is denied by default (AccessDeniedException, matching the existing signed-path deny code). Soft/off modes are unchanged: soft still warns-and-allows so an incomplete mapping surfaces during rollout without blocking traffic. The audit warn is preserved (now carrying mode + request_id).

Fix 5.1 (HIGH) — anonymous explicit-Deny beats public-read ACL was already landed in #2288; this PR adds no code there. Its regression test (anonymous_get_explicit_deny_overrides_public_acl) is confirmed green alongside the new tests.

Test plan

New e2e tests in iam_enforcement.rs:

  • strict_mode_denies_unmapped_enforceable_action — a signed POST /bucket?acl (ACL is GET/PUT only, so s3_detect_action returns None) with an allow-all identity policy is denied 403 under --iam strict. The allow-all policy isolates the deny to the unmapped-action path (not policy evaluation).
  • soft_mode_allows_unmapped_enforceable_action_through — the same request under --iam soft is not denied by the IAM layer (falls through), pinning the strict-only gating.

Verified locally:

  • cargo clippy -p fakecloud-core -p fakecloud-s3 --all-targets -- -D warnings clean; cargo fmt.
  • cargo build --bin fakecloud; cargo nextest run -p fakecloud-e2e -E 'binary(iam_enforcement) | binary(s3_anonymous_access) | binary(sigv4_verification)' -> 62 passed, 0 failed.

Summary by cubic

Fixes a fail-open in strict IAM mode: when a service is iam_enforceable but the operation has no IAM action mapping, we now return 403 AccessDeniedException instead of executing the handler. Soft mode still warns and allows; --iam off is unchanged.

  • Bug Fixes
    • Core (fakecloud-core): in dispatch.rs, deny unmapped enforceable operations under strict and include mode and request_id in the audit log.
    • Tests (fakecloud-e2e): added e2e tests to verify strict-mode deny and soft-mode allow for unmapped actions.

Written for commit 5ca7105. Summary will update on new commits.

Review in cubic

@vieiralucas vieiralucas requested a review from Copilot July 16, 2026 12:03

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@vieiralucas vieiralucas requested a review from Copilot July 16, 2026 13:25

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@vieiralucas vieiralucas requested a review from Copilot July 16, 2026 13:26

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@vieiralucas vieiralucas merged commit 369ae6c into main Jul 16, 2026
155 checks passed
@vieiralucas vieiralucas deleted the bh-auth-deny branch July 16, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants