fix(core,s3): explicit-Deny beats public ACL + strict-mode deny on unmapped action (bug-hunt)#2296
Merged
Conversation
…mapped action (bug-hunt)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes an auth enforcement fail-open in the strict-mode IAM dispatch path (bug-hunt batch 2). Behavior-only; no SDK, docs, or count-surface change. These paths only run when
--iamis enabled —off(the default) is unchanged.Fix 5.2 (MED) — strict-mode fail-open on unmapped enforceable action. When an
iam_enforceable()service returnsNonefromiam_action_forfor an operation (e.g. S3'ss3_detect_actionhas many_ => return Nonearms for unrecognized sub-resource forms), dispatch previously logged a warn and fell through to the handler — the op executed with no policy check even under--iam strict. That is fail-open: a signed request to an unmapped S3 sub-resource ran unauthorized. Now, under strict mode, an enforceable service that yields noIamActionis denied by default (AccessDeniedException, matching the existing signed-path deny code). Soft/off modes are unchanged: soft still warns-and-allows so an incomplete mapping surfaces during rollout without blocking traffic. The audit warn is preserved (now carryingmode+request_id).Fix 5.1 (HIGH) — anonymous explicit-Deny beats public-read ACL was already landed in #2288; this PR adds no code there. Its regression test (
anonymous_get_explicit_deny_overrides_public_acl) is confirmed green alongside the new tests.Test plan
New e2e tests in
iam_enforcement.rs:strict_mode_denies_unmapped_enforceable_action— a signedPOST /bucket?acl(ACL is GET/PUT only, sos3_detect_actionreturnsNone) with an allow-all identity policy is denied403under--iam strict. The allow-all policy isolates the deny to the unmapped-action path (not policy evaluation).soft_mode_allows_unmapped_enforceable_action_through— the same request under--iam softis not denied by the IAM layer (falls through), pinning the strict-only gating.Verified locally:
cargo clippy -p fakecloud-core -p fakecloud-s3 --all-targets -- -D warningsclean;cargo fmt.cargo build --bin fakecloud;cargo nextest run -p fakecloud-e2e -E 'binary(iam_enforcement) | binary(s3_anonymous_access) | binary(sigv4_verification)'-> 62 passed, 0 failed.Summary by cubic
Fixes a fail-open in strict IAM mode: when a service is
iam_enforceablebut the operation has no IAM action mapping, we now return 403 AccessDeniedException instead of executing the handler. Soft mode still warns and allows;--iam offis unchanged.fakecloud-core): indispatch.rs, deny unmapped enforceable operations under strict and includemodeandrequest_idin the audit log.fakecloud-e2e): added e2e tests to verify strict-mode deny and soft-mode allow for unmapped actions.Written for commit 5ca7105. Summary will update on new commits.