Harden S3 auth boundaries

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-06-04 04:06:47 +00:00 · 2026-05-16 10:11:04 +02:00
parent eac20f7fda
commit 2425cd524e
10 changed files with 477 additions and 6 deletions
--- a/api/api.go
+++ b/api/api.go
@@ -196,6 +196,10 @@ func parseCopySource(raw string) (string, string, error) {
 }

 func (h *Handler) authorizeCopySource(r *http.Request, bucket, key string) error {
+	return h.authorizeObjectAction(r, auth.ActionGetObject, bucket, key)
+}
+
+func (h *Handler) authorizeObjectAction(r *http.Request, action auth.Action, bucket, key string) error {
 	if h.authSvc == nil || !h.authSvc.Config().Enabled {
 		return nil
 	}
@@ -206,7 +210,7 @@ func (h *Handler) authorizeCopySource(r *http.Request, bucket, key string) error
 	}

 	return h.authSvc.Authorize(authCtx.AccessKeyID, auth.RequestTarget{
-		Action: auth.ActionGetObject,
+		Action: action,
 		Bucket: bucket,
 		Key:    key,
 	})
@@ -307,6 +311,10 @@ func (h *Handler) handlePostObject(w http.ResponseWriter, r *http.Request) {
 		r.Body = http.MaxBytesReader(w, r.Body, maxXMLBodyBytes)
 		var req models.CompleteMultipartUploadRequest
 		if err := xml.NewDecoder(r.Body).Decode(&req); err != nil {
+			if errors.Is(err, auth.ErrSignatureDoesNotMatch) {
+				writeMappedS3Error(w, r, err)
+				return
+			}
 			var maxErr *http.MaxBytesError
 			if errors.As(err, &maxErr) {
 				writeS3Error(w, r, s3ErrEntityTooLarge, r.URL.Path)
@@ -664,6 +672,10 @@ func (h *Handler) handlePostBucket(w http.ResponseWriter, r *http.Request) {

 	var req models.DeleteObjectsRequest
 	if err := xml.NewDecoder(bodyReader).Decode(&req); err != nil {
+		if errors.Is(err, auth.ErrSignatureDoesNotMatch) {
+			writeMappedS3Error(w, r, err)
+			return
+		}
 		var maxErr *http.MaxBytesError
 		if errors.As(err, &maxErr) {
 			writeS3Error(w, r, s3ErrEntityTooLarge, r.URL.Path)
@@ -699,6 +711,15 @@ func (h *Handler) handlePostBucket(w http.ResponseWriter, r *http.Request) {
 			})
 			continue
 		}
+		if err := h.authorizeObjectAction(r, auth.ActionDeleteObject, bucket, obj.Key); err != nil {
+			apiErr := mapToS3Error(err)
+			response.Errors = append(response.Errors, models.DeleteError{
+				Key:     obj.Key,
+				Code:    apiErr.Code,
+				Message: apiErr.Message,
+			})
+			continue
+		}
 		keys = append(keys, obj.Key)
 	}

--- a/api/multi_delete_auth_test.go
+++ b/api/multi_delete_auth_test.go
@@ -0,0 +1,165 @@
+package api
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"errors"
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"fs/auth"
+	"fs/logging"
+	"fs/metadata"
+	"fs/models"
+	"fs/service"
+	"fs/storage"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func newAuthorizedDeleteHandler(t *testing.T) (*Handler, *service.ObjectService, *auth.Service) {
+	t.Helper()
+
+	root := t.TempDir()
+	md, err := metadata.NewMetadataHandler(filepath.Join(root, "metadata.db"))
+	if err != nil {
+		t.Fatalf("new metadata handler: %v", err)
+	}
+	blob, err := storage.NewBlobStore(root, 1024)
+	if err != nil {
+		t.Fatalf("new blob store: %v", err)
+	}
+	svc := service.NewObjectService(md, blob, time.Hour)
+	t.Cleanup(func() {
+		_ = svc.Close()
+	})
+
+	masterKey := base64.StdEncoding.EncodeToString(make([]byte, 32))
+	authSvc, err := auth.NewService(auth.ConfigFromValues(
+		true,
+		"us-east-1",
+		0,
+		0,
+		masterKey,
+		"",
+		"",
+		"",
+	), md)
+	if err != nil {
+		t.Fatalf("new auth service: %v", err)
+	}
+
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := NewHandler(svc, logger, logging.Config{}, authSvc, false)
+	return handler, svc, authSvc
+}
+
+func newBucketPostRequest(bucket, body string) *http.Request {
+	req := httptest.NewRequest(http.MethodPost, "/"+bucket+"?delete", strings.NewReader(body))
+	rctx := chi.NewRouteContext()
+	rctx.URLParams.Add("bucket", bucket)
+	return req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
+}
+
+func withAuthContext(req *http.Request, accessKeyID string) *http.Request {
+	authCtx := auth.RequestContext{
+		Authenticated: true,
+		AccessKeyID:   accessKeyID,
+		AuthType:      "test",
+	}
+	return req.WithContext(auth.WithRequestContext(req.Context(), authCtx))
+}
+
+func createDeleteUser(t *testing.T, authSvc *auth.Service, prefix string) {
+	t.Helper()
+	_, err := authSvc.CreateUser(auth.CreateUserInput{
+		AccessKeyID: "delete-user",
+		SecretKey:   "delete-secret-1",
+		Policy: models.AuthPolicy{
+			Statements: []models.AuthPolicyStatement{
+				{
+					Effect:  "allow",
+					Actions: []string{"s3:DeleteObject"},
+					Bucket:  "test-bucket",
+					Prefix:  prefix,
+				},
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("create delete user: %v", err)
+	}
+}
+
+func putTestObject(t *testing.T, svc *service.ObjectService, key string) {
+	t.Helper()
+	_, err := svc.PutObject("test-bucket", key, "text/plain", bytes.NewReader([]byte("data")))
+	if err != nil {
+		t.Fatalf("put object %q: %v", key, err)
+	}
+}
+
+func TestMultiDeleteAuthorizesEveryKey(t *testing.T) {
+	handler, svc, authSvc := newAuthorizedDeleteHandler(t)
+	if err := svc.CreateBucket("test-bucket"); err != nil {
+		t.Fatalf("create bucket: %v", err)
+	}
+	createDeleteUser(t, authSvc, "allowed/")
+	putTestObject(t, svc, "allowed/file.txt")
+	putTestObject(t, svc, "private/file.txt")
+
+	body := `<Delete><Object><Key>allowed/file.txt</Key></Object><Object><Key>private/file.txt</Key></Object></Delete>`
+	req := withAuthContext(newBucketPostRequest("test-bucket", body), "delete-user")
+	rec := httptest.NewRecorder()
+
+	handler.handlePostBucket(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("unexpected status: got %d body=%s", rec.Code, rec.Body.String())
+	}
+	responseBody := rec.Body.String()
+	if !strings.Contains(responseBody, "<Deleted>") || !strings.Contains(responseBody, "allowed/file.txt") {
+		t.Fatalf("expected allowed key to be deleted, body=%s", responseBody)
+	}
+	if !strings.Contains(responseBody, "<Error>") || !strings.Contains(responseBody, "private/file.txt") || !strings.Contains(responseBody, "AccessDenied") {
+		t.Fatalf("expected denied key error, body=%s", responseBody)
+	}
+	if _, err := svc.HeadObject("test-bucket", "allowed/file.txt"); !errors.Is(err, metadata.ErrObjectNotFound) {
+		t.Fatalf("allowed object should be deleted, got err=%v", err)
+	}
+	if _, err := svc.HeadObject("test-bucket", "private/file.txt"); err != nil {
+		t.Fatalf("private object should remain: %v", err)
+	}
+}
+
+func TestMultiDeleteAllowsScopedKeys(t *testing.T) {
+	handler, svc, authSvc := newAuthorizedDeleteHandler(t)
+	if err := svc.CreateBucket("test-bucket"); err != nil {
+		t.Fatalf("create bucket: %v", err)
+	}
+	createDeleteUser(t, authSvc, "allowed/")
+	putTestObject(t, svc, "allowed/file.txt")
+
+	body := `<Delete><Object><Key>allowed/file.txt</Key></Object></Delete>`
+	req := withAuthContext(newBucketPostRequest("test-bucket", body), "delete-user")
+	rec := httptest.NewRecorder()
+
+	handler.handlePostBucket(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("unexpected status: got %d body=%s", rec.Code, rec.Body.String())
+	}
+	if strings.Contains(rec.Body.String(), "<Error>") {
+		t.Fatalf("unexpected delete error body=%s", rec.Body.String())
+	}
+	if _, err := svc.HeadObject("test-bucket", "allowed/file.txt"); !errors.Is(err, metadata.ErrObjectNotFound) {
+		t.Fatalf("allowed object should be deleted, got err=%v", err)
+	}
+}