Harden S3 auth boundaries

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-06-04 05:06:46 +00:00 · 2026-05-16 10:11:04 +02:00
parent eac20f7fda
commit 2425cd524e
10 changed files with 477 additions and 6 deletions
--- a/auth/policy_test.go
+++ b/auth/policy_test.go
@@ -0,0 +1,52 @@
+package auth
+
+import (
+	"fs/models"
+	"testing"
+)
+
+func TestListBucketPolicyAppliesPrefix(t *testing.T) {
+	policy := &models.AuthPolicy{
+		Statements: []models.AuthPolicyStatement{
+			{
+				Effect:  "allow",
+				Actions: []string{"s3:ListBucket"},
+				Bucket:  "test-bucket",
+				Prefix:  "allowed/",
+			},
+		},
+	}
+
+	if !isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket", Prefix: "allowed/"}) {
+		t.Fatalf("expected matching list prefix to be allowed")
+	}
+	if !isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket", Prefix: "allowed/nested/"}) {
+		t.Fatalf("expected nested list prefix to be allowed")
+	}
+	if isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket"}) {
+		t.Fatalf("expected empty list prefix to be denied")
+	}
+	if isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket", Prefix: "private/"}) {
+		t.Fatalf("expected non-matching list prefix to be denied")
+	}
+}
+
+func TestWildcardListBucketPolicyAllowsAnyPrefix(t *testing.T) {
+	policy := &models.AuthPolicy{
+		Statements: []models.AuthPolicyStatement{
+			{
+				Effect:  "allow",
+				Actions: []string{"s3:ListBucket"},
+				Bucket:  "test-bucket",
+				Prefix:  "*",
+			},
+		},
+	}
+
+	if !isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket"}) {
+		t.Fatalf("expected wildcard list policy to allow empty prefix")
+	}
+	if !isAllowed(policy, RequestTarget{Action: ActionListBucket, Bucket: "test-bucket", Prefix: "private/"}) {
+		t.Fatalf("expected wildcard list policy to allow arbitrary prefix")
+	}
+}