IAM | Authorize requests for IAM users according to IAM user inline policy

shirady · shirady · commit 48d50d3c8389 · 2025-11-17T09:48:19.000+02:00
Signed-off-by: shirady &lt;57721533+shirady@users.noreply.github.com&gt;
diff --git a/src/api/account_api.js b/src/api/account_api.js
@@ -749,6 +749,15 @@ module.exports = {
                 },
                 nsfs_account_config: {
                     $ref: 'common_api#/definitions/nsfs_account_config'
+                },
+                iam_user_policies: {
+                    type: 'array',
+                    items: {
+                        $ref: 'common_api#/definitions/iam_user_policy',
+                    }
+                },
+                owner: {
+                    type: 'string'
                 }
             },
         },
diff --git a/src/endpoint/s3/s3_bucket_policy_utils.js b/src/endpoint/s3/s3_bucket_policy_utils.js
@@ -149,20 +149,21 @@ async function _is_object_version_fit(req, predicate, value) {
     return res;
 }
 
-async function has_bucket_policy_permission(policy, account, method, arn_path, req, disallow_public_access = false) {
+async function has_bucket_policy_permission(policy, account, method, arn_path, req, disallow_public_access = false,
+        should_pass_principal = true) {
     const [allow_statements, deny_statements] = _.partition(policy.Statement, statement => statement.Effect === 'Allow');
 
     // the case where the permission is an array started in op get_object_attributes
     const method_arr = Array.isArray(method) ? method : [method];
 
     // look for explicit denies
     const res_arr_deny = await is_statement_fit_of_method_array(
-        deny_statements, account, method_arr, arn_path, req); // No need to disallow in "DENY"
+        deny_statements, account, method_arr, arn_path, req, undefined, should_pass_principal); // No need to disallow in "DENY"
     if (res_arr_deny.every(item => item)) return 'DENY';
 
     // look for explicit allows
     const res_arr_allow = await is_statement_fit_of_method_array(
-        allow_statements, account, method_arr, arn_path, req, disallow_public_access);
+        allow_statements, account, method_arr, arn_path, req, disallow_public_access, should_pass_principal);
     if (res_arr_allow.every(item => item)) return 'ALLOW';
 
     // implicit deny
@@ -217,15 +218,17 @@ function _is_resource_fit(arn_path, statement) {
     return statement.Resource ? resource_fit : !resource_fit;
 }
 
-async function is_statement_fit_of_method_array(statements, account, method_arr, arn_path, req, disallow_public_access = false) {
+async function is_statement_fit_of_method_array(statements, account, method_arr, arn_path, req,
+    disallow_public_access = false, should_pass_principal = true) {
     return Promise.all(method_arr.map(method_permission =>
-        _is_statements_fit(statements, account, method_permission, arn_path, req, disallow_public_access)));
+        _is_statements_fit(statements, account, method_permission, arn_path, req, disallow_public_access, should_pass_principal)));
 }
 
-async function _is_statements_fit(statements, account, method, arn_path, req, disallow_public_access = false) {
+async function _is_statements_fit(statements, account, method, arn_path, req, disallow_public_access = false,
+        should_pass_principal = true) {
     for (const statement of statements) {
         const action_fit = _is_action_fit(method, statement);
-        const principal_fit = _is_principal_fit(account, statement, disallow_public_access);
+        const principal_fit = should_pass_principal ? _is_principal_fit(account, statement, disallow_public_access) : true;
         const resource_fit = _is_resource_fit(arn_path, statement);
         const condition_fit = await _is_condition_fit(statement, req, method);
 
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
@@ -224,7 +224,9 @@ async function authorize_request(req) {
         req.object_sdk.authorize_request_account(req),
         // authorize_request_policy(req) is supposed to
         // allow owners access unless there is an explicit DENY policy
-        authorize_request_policy(req)
+        authorize_request_policy(req),
+        // authorize_request_iam_policy(req) is for users only
+        authorize_request_iam_policy(req),
     ]);
 }
 
@@ -316,6 +318,42 @@ async function authorize_request_policy(req) {
     throw new S3Error(S3Error.AccessDenied);
 }
 
+async function authorize_request_iam_policy(req) {
+    const auth_token = req.object_sdk.get_auth_token();
+    const is_anon = !(auth_token && auth_token.access_key);
+    if (is_anon) return;
+
+    const account = req.object_sdk.requesting_account;
+    const is_iam_user = account.owner !== undefined;
+    if (!is_iam_user) return;
+
+    const resource_arn = _get_arn_from_req_path(req);
+    const method = _get_method_from_req(req);
+    const iam_policies = account.iam_user_policies || [];
+    if (iam_policies.length === 0) return;
+
+    // parallel policy check
+    const promises = [];
+    for (const iam_policy of iam_policies) {
+        // We reusing the bucket policy util function as it is checks the policy document
+        const promise = s3_bucket_policy_utils.has_bucket_policy_permission(
+            iam_policy.policy_document, undefined, method, resource_arn, req, undefined, false
+        );
+        promises.push(promise);
+    }
+    const permission_result = await Promise.all(promises);
+    let has_allow_permission = false;
+    for (const permission of permission_result) {
+        if (permission === "DENY") throw new S3Error(S3Error.AccessDenied);
+        if (permission === "ALLOW") {
+            has_allow_permission = true;
+        }
+    }
+    if (has_allow_permission) return;
+    dbg.log1('authorize_request_iam_policy: user have inline policies but none of them matched the method');
+    throw new S3Error(S3Error.AccessDenied);
+}
+
 async function authorize_anonymous_access(s3_policy, method, arn_path, req, public_access_block) {
     if (!s3_policy) throw new S3Error(S3Error.AccessDenied);
 
diff --git a/src/server/system_services/account_server.js b/src/server/system_services/account_server.js
@@ -1049,6 +1049,14 @@ function get_account_info(account, include_connection_cache) {
     };
     info.role_config = account.role_config;
     info.force_md5_etag = account.force_md5_etag;
+
+    if (account.iam_user_policies) {
+        info.iam_user_policies = account.iam_user_policies;
+    }
+    if (account.owner) {
+        info.owner = account.owner._id.toString();
+    }
+
     return info;
 }
 
